Trojan.Win32.Agent.uc

This trojan arrives as a self-extracting archive. When it is run it opens an image so that the user believes nothing else happened, while it extracts two executables (HLP.exe and SYN.exe) together with the dynamic libraries they need. It copies its files into %system32%, deletes the registry keys of several system services (Windows Firewall/ICS, BITS, System Restore, Security Center and Automatic Updates) and stops those services so that the system's defenses and antivirus software no longer work, registers a new service named "Internet", terminates antivirus processes, and downloads further files from the Internet.

Basic information

  • Name: Trojan.Win32.Agent.uc
  • Disclosure scope: fully public
  • Virus type: Trojan
  • File length: 353,532 bytes
  • Packer: unknown

Virus tags

Disclosure scope: fully public
File length: 353,532 bytes
Development tool: Microsoft Visual C++ 6.0 - 7.0
Packer: unknown

Naming cross-reference

Symantec: [none]
McAfee: [none]

Threat

Threat level: medium
Affected systems: Windows 98 and later. The service and firewall tampering described below applies to the NT family; Security Center (wscsvc) and the Windows Firewall profile keys it deletes exist only on Windows XP SP2 and later.

Behavior analysis

1. The sample is a self-extracting archive containing two executables, HLP.exe and SYN.exe. When run it copies the following files into %system32% (the MUICache entry in step 4 shows HLP.exe running from C:\WINDOWS; the analysis does not record where SYN.exe is written):
%system32%\mypic.jpg
%system32%\packet.dll
%system32%\wanpacket.dll
%system32%\wpcap.dll
%system32%\drivers\npf.sys
mypic.jpg is the decoy image. packet.dll, wanpacket.dll, wpcap.dll and npf.sys are the user-mode libraries and kernel driver of WinPcap, a legitimate packet-capture library that the trojan bundles for its network activity; on a host that already has WinPcap installed (for example for a capture tool), these four files by themselves are not an indicator, only their combination with mypic.jpg, HLP.exe and the "Internet" service below.
2. Deletes the following registry keys and values. Together they are the complete service definitions of BITS, SharedAccess (Windows Firewall/Internet Connection Sharing), srservice (System Restore), wscsvc (Security Center) and wuauserv (Automatic Updates), so the services are not merely disabled but unregistered. The firewall AuthorizedApplications entries (sessmgr.exe, Thunder.exe) are whatever the analysis machine happened to have allowed; on another host the values under SharedAccess\Parameters\FirewallPolicy will differ.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\FailureActions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\sessmgr.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\ThunderNetwork\Thunder\Thunder.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\All
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ServiceUpgrade
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Enum\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Enum\Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Enum\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Parameters\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Security\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\DisplayName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\Count
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\NextInstance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Type
3. Stops the following services (service names in parentheses are the keys deleted in step 2):
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)
Background Intelligent Transfer Service (BITS)
System Restore Service (srservice)
Security Center (wscsvc)
Automatic Updates (wuauserv)
4. Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Value (string): (path of the original virus file) = "MyPic"
Value (string): "C:\WINDOWS\HLP.exe" = "HLP"
Value (string): "C:\WINDOWS\system32\shimgvw.dll" = "Windows Picture and Fax Viewer"
HKEY_CURRENT_USER\Software\WinRAR SFX\
Value (string): "C%WINDOWS%" = "C:\WINDOWS"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Internet\
Value (string): "Description" = "Provides basic services for Internet connections. If this service is stopped, most Internet software will not work properly. If this service is disabled, any services that depend on it will fail to start."
Value (string): "DisplayName" = "Internet"
Value (string): "ImagePath" = ""C:\Program Files\Windows NT\lsass.exe" ServiceStart"
Value (string): "ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet\
Value (string): "Description" = "Provides basic services for Internet connections. If this service is stopped, most Internet software will not work properly. If this service is disabled, any services that depend on it will fail to start."
Value (string): "DisplayName" = "Internet"
Value (string): "ImagePath" = ""C:\Program Files\Windows NT\lsass.exe" ServiceStart"
Value (string): "ObjectName" = "LocalSystem"
The MUICache values are written by Explorer whenever a program is launched; they record that the self-extractor (named MyPic), HLP.exe and the Picture and Fax Viewer (which displayed mypic.jpg) ran, and are a trace rather than a persistence mechanism. The WinRAR SFX value is written by the WinRAR self-extractor stub, which is how the sample was packaged. CurrentControlSet is a link to the active control set (ControlSet001 on this machine), so the two Internet keys are the same key seen through two paths.
5. Registers a new service named Internet under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet, described as "Provides basic services for Internet connections. If this service is stopped, most Internet software will not work properly. If this service is disabled, any services that depend on it will fail to start." The description imitates the wording of Microsoft's own service descriptions, and the binary is named lsass.exe so that it blends in with the real Local Security Authority process. The real lsass.exe lives only in %system32%; a service whose ImagePath is "C:\Program Files\Windows NT\lsass.exe" (running as LocalSystem, with the argument ServiceStart) is therefore an indicator by itself.
6. Attempts to terminate antivirus processes, for example:
kav.exe
kavsvc.exe
Rav.exe
RavMon.exe
……
7. Attempts to download files from the following URLs (partially masked in the original report). The .jpg names say nothing about the content; treat whatever is fetched as a payload:
http://goowy.box.*****static/e6efh1kgde.jpg
http://notidgbwds*****ewebspace.com/not_v1/not_ini_v1.jpg
http://notidgbwd*****rfreewebspace.com/
http://notidgbwdsg.5****.com/not_v1/not_ini_v1.jpg
……
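The indicators in steps 1 to 5 can be checked on a live host without touching anything. The script below is an added example, not part of the original analysis or of any Antiy tool; it assumes %system32% is $env:SystemRoot\System32 and takes the dropped-file names, the five deleted service keys and the fake lsass.exe image path from the steps above. Rather than looking for a service literally called "Internet", it flags any service whose binary is named lsass.exe but is not in System32, so a variant that picks a different service name is still caught.

```powershell
# Added example (not from the original analysis): read-only triage for the
# indicators in steps 1-5. Run from an elevated PowerShell on the suspect host.
# Assumption: %system32% == $env:SystemRoot\System32.

$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: files dropped into %system32% (decoy image plus WinPcap components)
# and HLP.exe in %windir% (the path recorded in the MUICache entry of step 4).
$dropped = @('mypic.jpg', 'packet.dll', 'wanpacket.dll', 'wpcap.dll', 'drivers\npf.sys') |
    ForEach-Object { Join-Path $sys32 $_ }
$dropped += Join-Path $env:SystemRoot 'HLP.exe'
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings.Add("file present: $path") }
}

# Steps 2-3: the trojan deletes these service keys outright, so a missing key
# (not merely a stopped service) is the indicator.
$protected = @{
    SharedAccess = 'Windows Firewall/Internet Connection Sharing (ICS)'
    BITS         = 'Background Intelligent Transfer Service'
    srservice    = 'System Restore Service'
    wscsvc       = 'Security Center'
    wuauserv     = 'Automatic Updates'
}
foreach ($name in $protected.Keys) {
    if (-not (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$name")) {
        $findings.Add("service key missing: $name ($($protected[$name]))")
    }
}

# Steps 4-5: any service whose executable is called lsass.exe but does not
# live in System32. The page's sample registers "Internet" with ImagePath
# "C:\Program Files\Windows NT\lsass.exe" ServiceStart.
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $image = [string](Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { return }
        # ImagePath is either "<exe>" args or <exe> args; isolate the executable.
        if ($image -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($image.Trim() -split '\s+')[0] }
        $exe  = [Environment]::ExpandEnvironmentVariables($exe)
        $cut  = $exe.LastIndexOf('\')
        $leaf = $exe.Substring($cut + 1)
        $dir  = if ($cut -gt 0) { $exe.Substring(0, $cut) } else { '' }
        if ($leaf -ieq 'lsass.exe' -and $dir -ine $sys32) {
            $findings.Add("service '$($_.PSChildName)' runs $exe (lsass.exe outside System32)")
        }
    }

if ($findings.Count -eq 0) { 'no indicators found' } else { $findings }
```

A missing service key and a file hit on mypic.jpg or HLP.exe together are strong evidence; the WinPcap files alone are not, because any capture tool installs the same DLLs and driver. Drivers legitimately register image paths such as system32\DRIVERS\foo.sys, which is why the lsass.exe check compares the directory rather than just the file name.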

Removal

1. Antiy Trojan Defense Line (安天木馬防線) removes this virus completely (recommended).
2. For manual removal, delete the files and restore the system settings identified in the behavior analysis:
(1) Use the process manager in Antiy Trojan Defense Line to terminate the virus processes.
(2) Delete the virus files:
%system32%\mypic.jpg
%system32%\packet.dll
%system32%\wanpacket.dll
%system32%\wpcap.dll
%system32%\drivers\npf.sys
(3) Restore the registry entries the virus modified and delete the entries it added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006052220060529\
Value (string): "CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012006052220060529"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006060120060602\
Value (string): "CachePrefix" = ":2006060120060602: "
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\
Value (string): "C:\Clean.bat" = "Clean"
Value (string): "C:\Documents and Settings\commander\桌面\MyPic.exe" = "MyPic"
Value (string): "C:\WINDOWS\HLP.exe" = "HLP"
Value (string): "C:\WINDOWS\system32\shimgvw.dll" = "Windows Picture and Fax Viewer"
HKEY_CURRENT_USER\Software\WinRAR SFX\
Value (string): "C%WINDOWS%" = "C:\WINDOWS"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Internet\
Value (string): "Description" = "Provides basic services for Internet connections. If this service is stopped, most Internet software will not work properly. If this service is disabled, any services that depend on it will fail to start."
Value (string): "DisplayName" = "Internet"
Value (string): "ImagePath" = ""C:\Program Files\Windows NT\lsass.exe" ServiceStart"
Value (string): "ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Internet\
Value (string): "Description" = "Provides basic services for Internet connections. If this service is stopped, most Internet software will not work properly. If this service is disabled, any services that depend on it will fail to start."
Value (string): "DisplayName" = "Internet"
Value (string): "ImagePath" = ""C:\Program Files\Windows NT\lsass.exe" ServiceStart"
Value (string): "ObjectName" = "LocalSystem"
Of these, the entry that matters is the Internet service key: delete the whole key (or run sc delete Internet) and remove C:\Program Files\Windows NT\lsass.exe and C:\WINDOWS\HLP.exe. The MSHist* keys are Internet Explorer's daily history containers, the MUICache values are Explorer's record of programs that were run (the C:\Clean.bat and commander\桌面 entries evidently come from the analysis machine), and the WinRAR SFX value is written by the self-extractor stub; deleting them is harmless but removes nothing malicious. The service keys deleted in step 2 of the behavior analysis (BITS, SharedAccess, srservice, wscsvc, wuauserv) are not in this list and cannot be "restored" in place: recreate them from an export taken on a clean installation of the same Windows version and service pack, then reboot.
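Steps (1) to (3) above as a single script. This is an added example, not part of the original analysis or of Antiy's product; it assumes an elevated PowerShell, that the AV-killing component has already been stopped (for example by booting to Safe Mode), and that $CleanServicesReg (a hypothetical path) points to a .reg file you exported from a clean machine of the same Windows version and service pack containing the BITS, SharedAccess, srservice, wscsvc and wuauserv keys. The NPF service name for the WinPcap driver is WinPcap's own; whether this sample registers the driver under that name is not recorded on the page, so the stop is guarded. If the host legitimately uses WinPcap, take the four WinPcap files out of $files.

```powershell
# Added example (not from the original analysis): manual clean-up for
# steps (1)-(3). Run elevated after the AV-killing component is stopped.
# Assumption: $CleanServicesReg is a .reg export of the five deleted service
# keys taken from a clean machine of the same Windows version (hypothetical path).
param([string]$CleanServicesReg = 'C:\clean-services.reg')

$sys32     = Join-Path $env:SystemRoot 'System32'
$fakeLsass = 'C:\Program Files\Windows NT\lsass.exe'   # ImagePath of the "Internet" service
$hlp       = Join-Path $env:SystemRoot 'HLP.exe'

# (1) Kill the trojan's processes. Match on the full path so that the real
#     %system32%\lsass.exe is never touched; SYN.exe's location is not
#     recorded on the page, so it is matched by name only.
Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -and (
        $_.Path -ieq $fakeLsass -or
        $_.Path -ieq $hlp -or
        $_.Path.EndsWith('\SYN.exe', [StringComparison]::OrdinalIgnoreCase)
    )
} | Stop-Process -Force

# Unregister the bogus "Internet" service before deleting its binary.
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\Internet') {
    & sc.exe stop Internet   | Out-Null
    & sc.exe delete Internet | Out-Null
}
# If the WinPcap driver is loaded (WinPcap registers it as NPF), npf.sys
# cannot be deleted until it is stopped.
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\NPF') {
    & sc.exe stop NPF | Out-Null
}

# (2) Delete the dropped files. Remove the WinPcap entries from this list if a
#     legitimate capture tool on the host depends on them.
$files = @('mypic.jpg', 'packet.dll', 'wanpacket.dll', 'wpcap.dll', 'drivers\npf.sys') |
    ForEach-Object { Join-Path $sys32 $_ }
$files += $hlp, $fakeLsass
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Force -ErrorAction Continue
        "removed $f"
    }
}

# (3) Put the deleted service definitions back from the clean export. The
#     Service Control Manager only re-reads them at boot, so reboot afterwards.
if (Test-Path -LiteralPath $CleanServicesReg) {
    & reg.exe import $CleanServicesReg
    'service keys imported; reboot to re-register the services'
} else {
    Write-Warning ("clean service export not found: $CleanServicesReg; " +
        'Windows Firewall/ICS, BITS, System Restore, Security Center and Automatic Updates remain unregistered')
}
```

The MUICache, MSHist and WinRAR SFX values from the list above are deliberately not touched: they are written by Explorer, Internet Explorer and the self-extractor stub, and removing them neither stops nor prevents anything. After the reboot, confirm with Get-Service that the five restored services start and that the Windows Firewall profile is enabled again.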

Note

%System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
