We have intercepted the latest AV Terminator variant. This variant uses ring3-level (user-mode) hooking to delete antivirus software directly, hijacks a large number of websites, and blocks antivirus updates. A dedicated removal tool is being built as a matter of urgency and will be released as soon as it passes testing; the older AV Terminator removal tool will upgrade itself automatically when run.

The detailed analysis report follows:

Virus name: Win32.Troj.AvKiller.hd.212992

The virus uses a WH_CALLWNDPROC-type hook to inject itself into other processes.
**Dropped files**

C:\WINDOWS\system32\nfxphzn.jbt -- a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl -- a copy of the virus itself
**Downloaded files**

w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry modifications**

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
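A way to check a machine for this persistence without trusting the live registry view, as an added example that is not part of the original report: it parses the text of a registry export (the format written by regedit or `reg export`), lists every value under the ShellServiceObjectDelayLoad key, resolves each CLSID to its InprocServer32 path and flags what a responder would look at first (a server path that is not a .dll such as yqia.btl, a CLSID with no server registered, and the DisableCMD policy). Because this variant hooks RegEnumValueA/W inside infected processes, the export should be taken from a clean boot or an offline hive rather than from the running infected system. The sample export is constructed; the "SampleBenign" entry and its all-zero GUID are placeholders standing in for a legitimate shell service object.

```python
"""Triage a registry export (.reg text) for ShellServiceObjectDelayLoad
persistence. Added example, not code from the original report."""
import re

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CMD_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"

# Constructed sample export. The xphz / yqia.btl / DisableCMD entries repeat the
# values from the report; "SampleBenign" and its GUID are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SampleBenign"="{00000000-0000-0000-0000-000000000001}"
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode_value(raw):
    """Decode the two .reg value forms used here: quoted strings and dword:."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, expand-string and other forms are left undecoded


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value}}; "" is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = decode_value(m.group(2))
    return keys


def triage(text):
    """Return a list of (value_name, clsid, server_path, reason) findings."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + str(clsid) + "\\InprocServer32").lower()
        server = keys.get(server_key, {}).get("")
        if server is None:
            findings.append((name, clsid, None, "CLSID has no InprocServer32"))
        elif not server.lower().endswith(".dll"):
            findings.append((name, clsid, server, "InprocServer32 is not a .dll"))
    if keys.get(CMD_POLICY_KEY.lower(), {}).get("DisableCMD") == 1:
        findings.append(("DisableCMD", None, None, "command prompt disabled by policy"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

The non-.dll check is deliberately simple: an in-process COM server registered under a made-up extension like .btl is a strong signal on its own, and the CLSID-to-server resolution is what lets you go from the innocuous-looking "xphz" value to the dropped file.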
**Hooked functions**

RegEnumValueA
RegEnumValueW -- to hide the registry values the virus added

CreateFileA
CreateFileW -- to protect the files the virus dropped
**Unregistered component**

regsvr32.exe /u /s wshom.ocx
The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt (its copy of kernel32.dll). After it has been injected into other system processes, it:

(1) creates a thread to protect the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) corrupts ZwCreateFile by overwriting its first two bytes with zeros;

(4) attempts to delete the following files (mainly drivers and program files belonging to antivirus products and rogue-software removal tools):
"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**hosts file is modified to**

Once the hosts file has been modified, the updates of many antivirus and anti-rogue-software products break, and access to the related websites is affected.

(Note the IP 61.152.244.167: many high-traffic sites in the list below are hijacked to 61.152.244.167. If you type this IP into the IE address bar, you will find that it takes you to cn.yahoo.com.)
127.0.0.1 localhost
61.152.244.167 search.114.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 search.msn.com
61.152.244.167 cnweb.search.live.com
61.152.244.167 search.live.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
222.73.126.115 dnl-cn2.kaspersky-labs.com
222.73.126.115 dnl-cn3.kaspersky-labs.com
222.73.126.115 dnl-cn4.kaspersky-labs.com
222.73.126.115 dnl-cn5.kaspersky-labs.com
222.73.126.115 dnl-cn6.kaspersky-labs.com
222.73.126.115 dnl-cn7.kaspersky-labs.com
222.73.126.115 dnl-cn8.kaspersky-labs.com
222.73.126.115 dnl-cn9.kaspersky-labs.com
222.73.126.115 dnl-cn10.kaspersky-labs.com
222.73.126.115 dnl-cn11.kaspersky-labs.com
222.73.126.115 dnl-cn12.kaspersky-labs.com
222.73.126.115 dnl-cn13.kaspersky-labs.com
222.73.126.115 dnl-cn14.kaspersky-labs.com
222.73.126.115 dnl-cn15.kaspersky-labs.com
222.73.126.115 dnl-eu1.kaspersky-labs.com
222.73.126.115 dnl-eu2.kaspersky-labs.com
222.73.126.115 dnl-eu3.kaspersky-labs.com
222.73.126.115 dnl-eu4.kaspersky-labs.com
222.73.126.115 dnl-eu5.kaspersky-labs.com
222.73.126.115 dnl-eu6.kaspersky-labs.com
222.73.126.115 dnl-eu7.kaspersky-labs.com
222.73.126.115 dnl-eu8.kaspersky-labs.com
222.73.126.115 dnl-eu9.kaspersky-labs.com
222.73.126.115 dnl-eu10.kaspersky-labs.com
222.73.126.115 dnl-eu11.kaspersky-labs.com
222.73.126.115 dnl-eu12.kaspersky-labs.com
222.73.126.115 dnl-eu13.kaspersky-labs.com
222.73.126.115 dnl-eu14.kaspersky-labs.com
222.73.126.115 dnl-eu15.kaspersky-labs.com
222.73.126.115 dnl-us1.kaspersky-labs.com
222.73.126.115 dnl-us2.kaspersky-labs.com
222.73.126.115 dnl-us3.kaspersky-labs.com
222.73.126.115 dnl-us4.kaspersky-labs.com
222.73.126.115 dnl-us5.kaspersky-labs.com
222.73.126.115 dnl-us6.kaspersky-labs.com
222.73.126.115 dnl-us7.kaspersky-labs.com
222.73.126.115 dnl-us8.kaspersky-labs.com
222.73.126.115 dnl-us9.kaspersky-labs.com
222.73.126.115 dnl-us10.kaspersky-labs.com
222.73.126.115 dnl-us11.kaspersky-labs.com
222.73.126.115 dnl-us12.kaspersky-labs.com
222.73.126.115 dnl-us13.kaspersky-labs.com
222.73.126.115 dnl-us14.kaspersky-labs.com
222.73.126.115 dnl-us15.kaspersky-labs.com
222.73.126.115 dnl-ru1.kaspersky-labs.com
222.73.126.115 dnl-ru2.kaspersky-labs.com
222.73.126.115 dnl-ru3.kaspersky-labs.com
222.73.126.115 dnl-ru4.kaspersky-labs.com
222.73.126.115 dnl-ru5.kaspersky-labs.com
222.73.126.115 dnl-ru6.kaspersky-labs.com
222.73.126.115 dnl-ru7.kaspersky-labs.com
222.73.126.115 dnl-ru8.kaspersky-labs.com
222.73.126.115 dnl-ru9.kaspersky-labs.com
222.73.126.115 dnl-ru10.kaspersky-labs.com
222.73.126.115 dnl-ru11.kaspersky-labs.com
222.73.126.115 dnl-ru12.kaspersky-labs.com
222.73.126.115 dnl-ru13.kaspersky-labs.com
222.73.126.115 dnl-ru14.kaspersky-labs.com
222.73.126.115 dnl-ru15.kaspersky-labs.com
222.73.126.115 dnl-jp1.kaspersky-labs.com
222.73.126.115 dnl-jp2.kaspersky-labs.com
222.73.126.115 dnl-jp3.kaspersky-labs.com
222.73.126.115 dnl-jp4.kaspersky-labs.com
222.73.126.115 dnl-jp5.kaspersky-labs.com
222.73.126.115 dnl-jp6.kaspersky-labs.com
222.73.126.115 dnl-jp7.kaspersky-labs.com
222.73.126.115 dnl-jp8.kaspersky-labs.com
222.73.126.115 dnl-jp9.kaspersky-labs.com
222.73.126.115 dnl-jp10.kaspersky-labs.com
222.73.126.115 dnl-jp11.kaspersky-labs.com
222.73.126.115 dnl-jp12.kaspersky-labs.com
222.73.126.115 dnl-jp13.kaspersky-labs.com
222.73.126.115 dnl-jp14.kaspersky-labs.com
222.73.126.115 dnl-jp15.kaspersky-labs.com
222.73.126.115 dnl-kr1.kaspersky-labs.com
222.73.126.115 dnl-kr2.kaspersky-labs.com
222.73.126.115 dnl-kr3.kaspersky-labs.com
222.73.126.115 dnl-kr4.kaspersky-labs.com
222.73.126.115 dnl-kr5.kaspersky-labs.com
222.73.126.115 dnl-kr6.kaspersky-labs.com
222.73.126.115 dnl-kr7.kaspersky-labs.com
222.73.126.115 dnl-kr8.kaspersky-labs.com
222.73.126.115 dnl-kr9.kaspersky-labs.com
222.73.126.115 dnl-kr10.kaspersky-labs.com
222.73.126.115 dnl-kr11.kaspersky-labs.com
222.73.126.115 dnl-kr12.kaspersky-labs.com
222.73.126.115 dnl-kr13.kaspersky-labs.com
222.73.126.115 dnl-kr14.kaspersky-labs.com
222.73.126.115 dnl-kr15.kaspersky-labs.com
222.73.126.115 dnl-cd1.kaspersky-labs.com
222.73.126.115 dnl-cd2.kaspersky-labs.com
222.73.126.115 dnl-cd3.kaspersky-labs.com
222.73.126.115 dnl-cd4.kaspersky-labs.com
222.73.126.115 dnl-cd10.kaspersky-labs.com
61.152.244.167 search.cn.yahoo.com
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 search.tom.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
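A hosts-file check for the two patterns in the listing above, as an added example that is not part of the original report: it parses hosts-file text and reports security-vendor domains that are pinned in hosts at all (any static mapping, loopback included, breaks or redirects their updates) and non-loopback addresses that many unrelated domains resolve to (the search-engine and portal hijack to 61.152.244.167). The vendor suffix list and the sinkhole threshold are assumptions derived from the listing; extend them for the products actually deployed. The sample hosts text is constructed, with a few entries copied from the infected file.

```python
"""Triage a Windows hosts file for update blocking and domain hijacking.
Added example, not code from the original report."""
import ipaddress
from collections import defaultdict

# Vendor domain suffixes taken from the modified hosts file in the report.
VENDOR_SUFFIXES = (
    "kaspersky-labs.com", "kaspersky.com.cn", "rising.com.cn", "jiangmin.com",
    "duba.net", "360safe.com", "ikaka.com", "symantec.com", "mcafee.com",
    "ahn.com.cn", "pcav.cn", "shadu.baidu.com",
)
SINKHOLE_THRESHOLD = 5  # assumption: this many domains on one address is suspicious

# Constructed sample: a normal localhost line, a few entries copied from the
# infected hosts file, and one vendor host pinned to loopback.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
222.73.126.115 update.360safe.com
222.73.126.115 update.rising.com.cn
222.73.126.115 dnl-cn1.kaspersky-labs.com
61.152.244.167 www.google.com
61.152.244.167 www.hao123.com
61.152.244.167 cn.yahoo.com
61.152.244.167 www.sogou.com
61.152.244.167 security.symantec.com
127.0.0.1 shadu.duba.net   # still blocks updates even though it is loopback
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for each mapping; comments and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line
        for host in fields[1:]:
            yield ip, host.lower()


def is_vendor_host(host):
    """True if host is, or is under, one of the watched vendor domains."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def triage_hosts(text):
    """Return (pinned_vendor_hosts, sinkholes).

    pinned_vendor_hosts: list of (hostname, ip) for watched vendor domains.
    sinkholes: {ip: [hostnames]} for non-loopback addresses that collect at
    least SINKHOLE_THRESHOLD distinct hostnames.
    """
    by_ip = defaultdict(set)
    pinned = []
    for ip, host in parse_hosts(text):
        by_ip[ip].add(host)
        if is_vendor_host(host):
            pinned.append((host, str(ip)))
    sinkholes = {str(ip): sorted(hosts) for ip, hosts in by_ip.items()
                 if not ip.is_loopback and len(hosts) >= SINKHOLE_THRESHOLD}
    return pinned, sinkholes


if __name__ == "__main__":
    pinned, sinkholes = triage_hosts(SAMPLE_HOSTS)
    for host, ip in pinned:
        print(f"vendor host pinned: {host} -> {ip}")
    for ip, hosts in sinkholes.items():
        print(f"sinkhole {ip}: {len(hosts)} domains, e.g. {hosts[:3]}")
```

Run it against `%SystemRoot%\system32\drivers\etc\hosts` copied off the machine. Because this variant hooks CreateFileA/W in injected processes to protect its files, read the copy from a clean boot or a mounted offline disk rather than from a process on the infected system.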