Today I found 2 files on my USB drive. Strange. So I took a look at their behaviour... It can't be loaded into OD. Once this thing is running, it shuts OD down. Nothing to be done about that, so I analyzed it by hand.
It copies itself to every drive and runs, and also generates an autorun.inf and a system.dll file. Once infected, double-clicking a hard drive in Explorer triggers the infection again.
The virus copies itself automatically to USB sticks or any other removable disk.
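The double-click infection works through the [autorun] directives in autorun.inf, so a quick triage step is to read that file off the drive and list every directive that would execute something. The script below is an added example, not code from the original post: SAMPLE_AUTORUN is constructed, and because the post only says that the worm drops autorun.inf and system.dll, the rundll32 command line and the "Start" export name used in it are assumptions, not values taken from the sample.

```python
"""Audit an autorun.inf for directives that run a program when the drive is
opened. Added example, not code from the original post. SAMPLE_AUTORUN is
constructed: the post only reports that the worm drops autorun.inf and
system.dll, so the rundll32 command line and export name are assumptions."""

# [autorun] keys that can launch code on double-click or AutoPlay
# (Windows 2000/XP era behaviour, before AutoRun was disabled for removable media).
LAUNCH_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
)


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section with lower-cased keys.

    A small hand-rolled INI reader is used because Windows treats section and
    key names case-insensitively, which configparser does not do for sections.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text: str) -> list:
    """Return [(key, value)] for every directive that would execute something."""
    entries = parse_autorun(text)
    findings = [(key, entries[key]) for key in LAUNCH_KEYS if key in entries]
    # "shell=<verb>" rebinds the default double-click action to a custom verb,
    # so Explorer runs shell\<verb>\command instead of opening the drive.
    if "shell" in entries:
        findings.append(("shell", entries["shell"]))
    return findings


# Constructed sample in the style of a USB worm: the drive keeps a normal disk
# icon, but Open and Explore both run the dropped DLL (command line assumed).
SAMPLE_AUTORUN = """[AutoRun]
icon=%SystemRoot%\\system32\\shell32.dll,4
open=rundll32.exe system.dll,Start
shell\\open=Open(&O)
shell\\open\\Command=rundll32.exe system.dll,Start
shell\\explore=Explore(&X)
shell\\explore\\Command=rundll32.exe system.dll,Start
shell=open
"""

# Constructed benign sample: only a label and an icon, nothing to execute.
BENIGN_AUTORUN = """; driver CD
[autorun]
label=Drivers
icon=setup.exe,0
"""

if __name__ == "__main__":
    for name, sample in (("worm-style", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, audit_autorun(sample) or "no launch directives")
```

Run it against a copy of the autorun.inf taken from the stick (with hidden files shown); any open, shellexecute or shell\...\command directive on a data drive deserves a look, and a shell= override that points Open and Explore at the same file is the pattern this worm relies on.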
Strings recovered from the sample (the trojan attempts to terminate the processes named in this list):
mportREC.exe C32Asm.exe LordPE.exe PEditor.exe OllyICE.exe OllyDbg.exe
GetCurrentProcessId kernel32.dll IsDebuggerPresent kernel32.dll Sleep ole32.dll CoInitializeEx
NSDownLoader26AVip20081206
svchost.exe explorer.exe SeDebugPrivilege %s%d %s%d.txt
Urlmon.dll URLDownloadToFileA ZwOpenSection RtlInitUnicodeString ntdll.dll
CURRENT_USER \Device\PhysicalMemory SeSecurityPrivilege
pccguide.exe ZONEALARM.exe zonealarm.exe XDelbox.exe wink.exe windows优化大师.exe WFINDV32.exe webtrap.exe WEBSCANX.exe WEBSCAN.exe
vsstat.exe VSSCAN40 VSHWIN32.exe vshwin32.exe VSECOMR.exe VPC32.exe vir.exe VETTRAY.exe VET95.exe vavrunr.exe
UlibCfg.exe TSC.exe tmupdito.exe tmproxy.exe TMOAgent.exe Tmntsrv.exe TDS2-NT.exe TDS2-98.exe TCA.exe TBSCAN.exe
symproxysvc.exe SWEEP95.exe sreng.exe spy.exe SPHINX.exe smtpsvc.exe SMC.exe sirc32.exe SERV95.exe secu.exe
SCRSCAN.exe scon.exe SCANPM.exe SCAN32.exe scan.exe scam32.exe safeweb.exe safeboxTray.exe rn.exe Rfw.exe
rescue32.exe regedit.exe RavTask.exe RavStub.exe RavMonD.exe RavMon.exe rav7win.exe RAV7.exe Rav.exe ras.exe
pview95.exe prot.exe program.exe PpPpWallRun.exe PERSFW.exe PCFWALLICON.exe pccwin98.exe pccmain.exe pcciomon.exe PCCClient.exe
pcc.exe PAVCL.exe PADMIN.exe OUTPOST.exe NVC95.exe NUPGRADE.exe norton.exe NORMIST.exe NMAIN.exe nisum.exe
nisserv.exe NAVWNT.exe navwnt.exe NAVW32.exe NAVW.exe NAVSCHED.exe navrunr.exe NAVNT.exe NAVLU32.exe navapw32.exe
navapsvc.exe N32ACAN.exe ms.exe MPFTRAY.exe MOOLIVE.exe moniker.exe mon.exe microsoft.exe mcafee.exe LUCOMSERVER.exe
luall.exe LOOKOUT.exe lockdown2000.exe lamapp.exe kwatch.exe KVPreScan.exe KVMonXP.exe KRF.exe KPPMain.exe kpfwsvc.exe
kpfw32.exe KPFW32.exe kissvc.exe kavstart.exe kav32.exe Kasmain.exe Kabackreport.exe JED.exe iomon98.exe iom.exe
ICSSUPPNT.exe ICMOON.exe ICLOADNT.exe ICLOAD95.exe IceSword.exe ice.exe IBMAVSP.exe IBMASN.exe IAMSERV.exe IAMAPP.exe
F-STOPW.exe f-stopw.exe FRW.exe FP-WIN.exe fp-win.exe f-prot95.exe F-PROT.exe fir.exe FINDVIRU.exe F-AGNT95.exe
explorewclass.exe ESPWATCH.exe ESAFE.exe EFINET32.exe ECENGINE.exe DVP95.exe DV95_O.exe DV95.exe debu.exe dbg.exe
DAVPFW.exe CLEANER3.exe CLEANER.exe CLAW95CT.exe CLAW95.exe cfinet32.exe cfinet.exe CFIND.exe CFIAUDIT.exe CFIADMIN.exe
CCenter.exe BLACKICE.exe BLACKD.exe avxonsol.exe AVWIN95.exe avsynmgr.exe AVSCHED32.exe AVPUPD.exe AVKSERV.exe avk.exe
AVGCTRL.exe AVE32.exe AVCONSOL.exe AUTODOWN.exe ATRACK.exe atrack.exe antivir.exe ANTI-TROJAN.exe anti.exe ACKWIN32.exe
360tray.exe 360safebox.exe 360safe.exe Debugger avp.exe
It hijacks the hosts file and blocks the following sites:
360.qihoo.com tool.ikaka.com www.virustotal.com bbs.sucop.com www.dswlab.com www.nod32club.com www.lanniao.org www.cnnod32.cn www.kaspersky.com virustotal.com kaspersky.com.cn www.kaspersky.com.cn union.kingsoft.com shadu.duba.net www.nod32.com www.eset.com.cn www.duba.net www.jiangmin.com jiangmin.com dl.jiangmin.com rising.com.cn www.rising.com.cn www.chinakv.com www.360safe.com www.360safe.cn www.360.cn
Written into the hosts file:
127.0.0.1 www.360.cn
127.0.0.1 www.360safe.cn
127.0.0.1 www.360safe.com
127.0.0.1 www.chinakv.com
127.0.0.1 www.rising.com.cn
127.0.0.1 rising.com.cn
127.0.0.1 dl.jiangmin.com
127.0.0.1 jiangmin.com
127.0.0.1 www.jiangmin.com
127.0.0.1 www.duba.net
127.0.0.1 www.eset.com.cn
127.0.0.1 www.nod32.com
127.0.0.1 shadu.duba.net
127.0.0.1 union.kingsoft.com
127.0.0.1 www.kaspersky.com.cn
127.0.0.1 kaspersky.com.cn
127.0.0.1 virustotal.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.cnnod32.cn
127.0.0.1 www.lanniao.org
127.0.0.1 www.nod32club.com
127.0.0.1 www.dswlab.com
127.0.0.1 bbs.sucop.com
127.0.0.1 www.virustotal.com
127.0.0.1 tool.ikaka.com
127.0.0.1 360.qihoo.com
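Those hosts entries are easy to spot and remove automatically: anything from the vendor list above that resolves to a loopback or 0.0.0.0 address is a sinkhole, not a legitimate mapping. The script below is an added example and not part of the original post. BLOCKED_DOMAINS is exactly the list the post reports the worm writing; SAMPLE_HOSTS is a constructed hosts file (the watchlist match also covers subdomains, which goes slightly beyond the exact names in the post).

```python
"""Flag and strip hosts-file entries that sinkhole security-vendor sites.
Added example, not from the original post. BLOCKED_DOMAINS is the list the
post reports the worm writing; SAMPLE_HOSTS is a constructed hosts file."""
import ipaddress

BLOCKED_DOMAINS = {
    "360.qihoo.com", "tool.ikaka.com", "www.virustotal.com", "bbs.sucop.com",
    "www.dswlab.com", "www.nod32club.com", "www.lanniao.org", "www.cnnod32.cn",
    "www.kaspersky.com", "virustotal.com", "kaspersky.com.cn",
    "www.kaspersky.com.cn", "union.kingsoft.com", "shadu.duba.net",
    "www.nod32.com", "www.eset.com.cn", "www.duba.net", "www.jiangmin.com",
    "jiangmin.com", "dl.jiangmin.com", "rising.com.cn", "www.rising.com.cn",
    "www.chinakv.com", "www.360safe.com", "www.360safe.cn", "www.360.cn",
}


def parse_hosts(text: str):
    """Yield (line_number, ip_address, [hostnames]) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address, ignore the line
        yield lineno, ip, [h.lower() for h in parts[1:]]


def on_watchlist(hostname: str, watchlist=BLOCKED_DOMAINS) -> bool:
    """True if hostname is a watchlist entry or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_sinkholed(text: str, watchlist=BLOCKED_DOMAINS) -> list:
    """Return [(line_number, hostname)] for watchlist names pointed at a
    loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0) address."""
    hits = []
    for lineno, ip, hosts in parse_hosts(text):
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        hits.extend((lineno, h) for h in hosts if on_watchlist(h, watchlist))
    return hits


def clean_hosts(text: str, watchlist=BLOCKED_DOMAINS) -> str:
    """Return the hosts text with every flagged line removed, everything else intact."""
    bad_lines = {lineno for lineno, _ in find_sinkholed(text, watchlist)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    return "\n".join(kept) + "\n"


# Constructed sample: two normal entries, a LAN name, and four sinkholed vendor names.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver
127.0.0.1 www.360.cn
127.0.0.1 virustotal.com    # written by the worm
0.0.0.0 www.kaspersky.com
127.0.0.1 update.rising.com.cn
"""

if __name__ == "__main__":
    for lineno, host in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is sinkholed")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On a real machine point it at %SystemRoot%\system32\drivers\etc\hosts; the cleaner keeps comments, localhost and LAN entries untouched and only drops lines that both hit the watchlist and resolve to a non-routable address, so a deliberate corporate override to a real IP is never removed.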
Writes to the registry: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
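A write under Image File Execution Options, together with the "Debugger" string in the dump above, is the classic IFEO hijack: a Debugger value under a subkey named after a security tool makes Windows start the named "debugger" instead of that tool. Exporting the key from Regedit and scanning the export for Debugger values finds every affected image at once. The script below is an added example, not code from the original post; SAMPLE_REG is a constructed export in which 360tray.exe is one of the process names the post lists, and both debugger paths are placeholders rather than paths from the sample.

```python
"""Scan a Regedit .reg export for Image File Execution Options "Debugger"
hijacks. Added example, not from the original post. SAMPLE_REG is constructed;
360tray.exe is one of the processes the post lists, and the debugger paths
are placeholders, not values from the sample."""
import re

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

# A few of the security tools named in the post; a Debugger value under any
# of these is a red flag even before looking at where it points.
SECURITY_TOOLS = {
    "360tray.exe", "360safe.exe", "360safebox.exe", "ravmon.exe", "ravmond.exe",
    "kavstart.exe", "icesword.exe", "sreng.exe", "ollydbg.exe", "avp.exe",
}


def _unescape(data: str) -> str:
    """Undo .reg quoting of a REG_SZ value: strip the quotes, resolve \\ and \" escapes."""
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; only quoted (REG_SZ) data is decoded,
    other types such as dword: are kept as the raw text after '='."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = _unescape(m.group(2))
    return keys


def find_ifeo_hijacks(text: str) -> list:
    """Return [(image_name, debugger_command, is_security_tool)] for every
    IFEO subkey that carries a Debugger value."""
    hits = []
    prefix = IFEO_PREFIX.lower() + "\\"
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(prefix):
            continue
        image = path[len(prefix):]
        debugger = values.get("Debugger")
        if debugger:
            hits.append((image, debugger, image.lower() in SECURITY_TOOLS))
    return hits


# Constructed export: one hijacked security tool, one harmless GlobalFlag
# entry, and one developer-style Debugger entry on an unrelated program.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\PLACEHOLDER\\payload.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\PLACEHOLDER\\ntsd.exe"
"""

if __name__ == "__main__":
    for image, debugger, flagged in find_ifeo_hijacks(SAMPLE_REG):
        print(f"{'!!' if flagged else '  '} {image} -> {debugger}")
```

Any Debugger value is worth reviewing, but one under a security product's image name that points at something other than a real debugger is the signature of this hijack; cleaning it up means deleting that subkey's Debugger value (or the whole subkey if the worm created it) once the injected svchost.exe has been stopped, otherwise the entry is simply written back.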
Injects into process: svchost.exe
Closes programs whose names contain any of the following keywords:
瑞星卡卡 (Rising Kaka) 奇虎 (Qihoo) 超级巡警 (Super Patrol) McAfee 瑞星 (Rising) 金山毒霸 (Kingsoft Duba) 卡巴斯基 (Kaspersky) NOD32 下载者 (downloader) 360安全卫士 (360 Safeguard) 专杀 (removal tool) 杀毒 (antivirus) 江民 (Jiangmin) 木马 (trojan) SRENG Sreng sreng
My abilities are limited, so this is as far as I can take the analysis. Here is the virus sample: one DLL sample (the virus file has its attributes set to hidden and they cannot be changed; you have to work with it inside the RAR or with hidden files shown)...