We have captured the latest AV Terminator (AV终结者) variant. It uses ring3-level hooking to delete antivirus software directly, hijacks a large number of websites, and blocks antivirus updates. A dedicated removal tool is in active development and will be released as soon as it passes testing; the old AV Terminator removal tool will upgrade itself automatically when run.

The detailed analysis report follows:

Virus name: Win32.Troj.AvKiller.hd.212992

The virus uses a WH_CALLWNDPROC-type hook to inject itself into other processes.
**Dropped files**

C:\WINDOWS\system32\nfxphzn.jbt -- a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl -- a copy of the virus itself

**Downloaded files**

w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry changes**

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

The ShellServiceObjectDelayLoad entry makes the shell load the CLSID above at startup, and its InprocServer32 value points at the dropped copy of the virus; DisableCMD disables the command prompt.
**Hooked functions**

RegEnumValueA
RegEnumValueW -- to hide the registry values the virus added

CreateFileA
CreateFileW -- to protect the files the virus dropped

**Unregistered component**

regsvr32.exe /u /s wshom.ocx

The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt (its own copy of kernel32.dll). After injecting into the system's other processes, it:

(1) creates a thread that protects the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) corrupts ZwCreateFile by overwriting its first two bytes with zeros;

(4) attempts to delete the following files (mainly drivers and program files of antivirus products and rogue-software removal tools):
"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**Modified hosts file**

Once the hosts file has been modified, updates for many antivirus and anti-rogue-software products break, and access to the related websites is affected.

(Note the IP 61.152.244.167: many high-traffic sites were found hijacked to 61.152.244.167. If you type this IP into the IE address bar, you end up at cn.yahoo.com.)
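A triage check for this kind of hosts-file tampering, added here as an example and not part of the original report: it parses a hosts file, ignores the loopback and 0.0.0.0 entries a clean client normally carries, groups every other mapping by the address it is sent to (the two sink IPs from the report), and lists which security-vendor sites and update servers are redirected. The sample hosts text and the vendor keyword list are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the report's modified hosts file: its two
# sink IPs and a handful of the hostnames it lists.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
61.152.244.167  www.360safe.com
222.73.126.115  update.360safe.com
222.73.126.115  dnl-cn1.kaspersky-labs.com
61.152.244.167  security.symantec.com
61.152.244.167  www.google.com
0.0.0.0         ads.example.test   # ad-block style sinkhole, not a hijack
"""

# Assumed, illustrative vendor/update-server fragments drawn from the report.
SECURITY_KEYWORDS = ("360safe", "kaspersky", "symantec", "rising", "jiangmin",
                     "duba", "ikaka", "mcafee", "ahn.com.cn", "shadu")

def parse_hosts(text):
    """Yield (ip, hostname) for each mapping; comments, blank lines and
    lines whose first field is not an IP address are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line
        for host in fields[1:]:
            yield str(ip), host.lower()

def find_hijacks(text):
    """Return {sink_ip: [hostnames]} for entries that redirect a name to a
    routable address; loopback and 0.0.0.0 entries only block a name."""
    hijacked = defaultdict(list)
    for ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        hijacked[ip].append(host)
    return dict(hijacked)

def blocked_security_hosts(text):
    """Vendor sites and update servers this hosts file redirects; any hit
    on a client machine is a strong AV-killer indicator."""
    return sorted(host for hosts in find_hijacks(text).values()
                  for host in hosts if any(k in host for k in SECURITY_KEYWORDS))
```

Run it against C:\WINDOWS\system32\drivers\etc\hosts read from a suspect machine; sink addresses shared by many unrelated hostnames, as in this report, are the tell.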