Trojan-PSW.Win32.Maran.cx

After the virus runs, it drops its files into the system directory. It adds a registry system-service entry so that the virus body is loaded at system boot, and modifies the registry LSP (Layered Service Provider) entries so that the virus body is loaded whenever the user connects to the network. It injects the virus DLL into IE and system processes, and when the user visits specified pages it captures the user's game account information.

Overview

  • Chinese name: Trojan-PSW.Win32.Maran.cx
  • Virus type: Trojan
  • File MD5: 6F57803D1B0C2F772D72CEA6D0523754
  • Threat level: 3

Summary

Virus name: Trojan-PSW.Win32.
Chinese name: 馬瑞恩
Virus type: Trojan
File MD5: 6F57803D1B0C2F772D72CEA6D0523754
Disclosure scope: fully public
Threat level: 3
File size: 110,592 bytes packed, 258,048 bytes unpacked
Affected systems: Win9X and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s -> Dwing
Aliases: BitDefender [ Generic.Malware.FB.F6352C32 ]

Behavior analysis

Drops the following copies and files

%WinDir%\lsass.exe
%System32%\md6media.dll  Size: 210,944
%System32%\drivers\ws2ifsl.sys

Creates the following registry values

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
Value: String: "Windows 套接字 2 .0 Non-IFS 服務提供程式支持環境 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes
\SystemRoot\System32\drivers\ws2ifsl.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\DisplayName
Value: String: "Vedio Adapter"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\ImagePath
Value: Type: REG_EXPAND_SZ Length: 21 (0x15) bytes
%WinDir%\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\md6media.dll

Modifies the following registry values

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%WinDir%\System32\md6media.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
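As an added example, not part of the original analysis: the Python below decodes Winsock PackedCatalogItem values using the layout the page's 888-byte lengths reflect (a 260-byte ANSI provider path followed by the 628-byte WSAPROTOCOL_INFOW structure) and flags catalog entries whose provider is anything other than the stock mswsock.dll or rsvpsp.dll. The blobs are constructed inline with the hypothetical build_sample_item helper to mirror the modified entries above; on a live system audit_catalog would instead be fed the values read from Protocol_Catalog9.

```python
import struct

# Stock Winsock provider DLLs; the page shows md6media.dll replacing mswsock.dll.
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}
PACKED_ITEM_LEN = 888            # 260-byte ANSI path + 628-byte WSAPROTOCOL_INFOW
PATH_LEN = 260
ENTRY_ID_OFF = PATH_LEN + 36     # dwCatalogEntryId field of WSAPROTOCOL_INFOW
PROTO_NAME_OFF = PATH_LEN + 116  # szProtocol field (256 WCHARs)

def parse_packed_catalog_item(blob: bytes) -> dict:
    """Decode one PackedCatalogItem value into provider path, entry id and name."""
    if len(blob) != PACKED_ITEM_LEN:
        raise ValueError(f"unexpected PackedCatalogItem length {len(blob)}")
    path = blob[:PATH_LEN].split(b"\x00", 1)[0].decode("latin-1")
    entry_id = struct.unpack_from("<I", blob, ENTRY_ID_OFF)[0]
    name = blob[PROTO_NAME_OFF:].decode("utf-16-le").split("\x00", 1)[0]
    return {"path": path, "entry_id": entry_id, "protocol": name}

def is_suspicious(path: str) -> bool:
    """True when the provider file name is not one of the stock Winsock DLLs."""
    return path.rsplit("\\", 1)[-1].lower() not in KNOWN_PROVIDERS

def audit_catalog(entries: dict) -> list:
    """Return (entry name, provider path) for every entry with a non-stock provider."""
    hits = []
    for entry_name, blob in sorted(entries.items()):
        info = parse_packed_catalog_item(blob)
        if is_suspicious(info["path"]):
            hits.append((entry_name, info["path"]))
    return hits

def build_sample_item(path: str, entry_id: int, protocol: str) -> bytes:
    """Hypothetical helper: build a synthetic PackedCatalogItem blob for testing."""
    buf = bytearray(PACKED_ITEM_LEN)
    buf[:len(path)] = path.encode("latin-1")
    struct.pack_into("<I", buf, ENTRY_ID_OFF, entry_id)
    name = protocol.encode("utf-16-le")
    buf[PROTO_NAME_OFF:PROTO_NAME_OFF + len(name)] = name
    return bytes(buf)

# Constructed catalog modelled on the page: entry 1 rewritten to md6media.dll,
# entries 4 and 6 still stock, entry 13 newly added by the trojan.
SAMPLE_CATALOG = {
    "000000000001": build_sample_item(r"%WinDir%\System32\md6media.dll", 1001, "TCP/IP"),
    "000000000004": build_sample_item(r"%SystemRoot%\system32\mswsock.dll", 1004, "UDP/IP"),
    "000000000006": build_sample_item(r"%SystemRoot%\system32\rsvpsp.dll", 1006, "RSVP"),
    "000000000013": build_sample_item(r"C:\WINDOWS\System32\md6media.dll", 1013, "RAW/IP"),
}
```

Calling audit_catalog(SAMPLE_CATALOG) reports entries 000000000001 and 000000000013, the two whose provider path ends in md6media.dll.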

Deletes the following registry values

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShellHWDetection\DisplayName
Value: String: "Shell Hardware Detection"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShellHWDetection\ImagePath
Value: Type: REG_EXPAND_SZ Length: 45 (0x2d) bytes
%SystemRoot%\System32\svchost.exe -k netsvcs

Automatically generates a bat file to delete itself

The virus generates a bat file that deletes the virus body when needed.
When the user visits the following URLs, md6media.dll steals the account and password information:
http://tw.g*m*ni*.com
https://tw.gash.g*m*ni*.com/memberindex.aspx
https://tw.gash.g*m*ni*.com/gashlogin.aspx
https://tw.gash.g*m*ni*.com/updatemainaccountpassword.aspx
https://tw.gash.g*m*ni*.com/updateserviceaccountpassword.aspx
http://tw.gashcard.g*m*ni*.com
https://tw.login.g*m*ni*.com
Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal

1. Antiy 木馬防線 (Antiy Trojan Defense) removes this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as described in the behavior analysis.
(1) Use the process manager of Antiy 木馬防線 to terminate the virus process:
lsass.exe (the dropped copy running from %WinDir%; the legitimate lsass.exe runs from %System32% and must not be terminated)
(2) Delete the registry values the virus added and restore the ones it modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
Value: String: "Windows 套接字 2 .0 Non-IFS 服務提供程式支持環境 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes
\SystemRoot\System32\drivers\ws2ifsl.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\DisplayName
Value: String: "Vedio Adapter"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\ImagePath
Value: Type: REG_EXPAND_SZ Length: 21 (0x15) bytes
%WinDir%\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\md6media.dll
Restore the following registry values to their old values (do this before deleting md6media.dll: a catalog entry that points at a missing provider DLL breaks Winsock networking):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%WinDir%\System32\md6media.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
(3) Delete the files dropped by the virus:
%WinDir%\lsass.exe
%System32%\md6media.dll  Size: 210,944
%System32%\drivers\ws2ifsl.sys
