New AV Terminator variant uses ring3-level hooks to fight antivirus software

Posted 2007-9-21 19:33:31
Captured the latest AV Terminator. This variant uses ring3-level hook techniques to delete antivirus software directly, hijack numerous websites and block antivirus updates. A dedicated removal tool is being built urgently and will be released as soon as it passes testing; the removal tool for the old AV Terminator will upgrade itself automatically when run.

The detailed analysis report follows:
Virus name: Win32.Troj.AvKiller.hd.212992
The virus injects itself into other processes using a WH_CALLWNDPROC-type hook.
**Dropped files**
C:\WINDOWS\system32\nfxphzn.jbt    a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl    a copy of the virus itself
**Downloaded files**
w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry modifications**
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
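As an added example (not from the original post or its author), a small Python triage of a registry export in the same .reg format quoted above: it resolves each ShellServiceObjectDelayLoad entry to its InprocServer32 path, flags loaders that are not ordinary DLL/OCX files, and reports the DisableCMD policy. The sample export is constructed from the values listed above; the "good extension" rule is an assumption of this example.

```python
# Constructed .reg export built from the values quoted in the post above.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
'''

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CMD_POLICY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
GOOD_EXT = (".dll", ".ocx")  # assumption: legitimate in-proc COM servers use these

def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            else:
                # .reg doubles backslashes inside quoted strings; undo that
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys

def triage(text):
    """Return findings for suspicious SSODL loaders and the DisableCMD policy."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in keys.get(SSODL, {}).items():
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32"
        server = keys.get(server_key, {}).get("@", "")
        if not server.lower().endswith(GOOD_EXT):
            findings.append(f"SSODL {name} -> {clsid} loads non-DLL file {server or '<missing>'}")
    if keys.get(CMD_POLICY, {}).get("DisableCMD") == 1:
        findings.append("DisableCMD policy set: command prompt disabled")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```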
**Hooked functions**
RegEnumValueA
RegEnumValueW -- purpose: hide the registry values added by the virus

CreateFileA
CreateFileW -- purpose: protect the files dropped by the virus

**Unregistered component**
regsvr32.exe /u /s wshom.ocx

The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt. After injecting into the system's other processes, the virus:

(1) creates a thread to protect the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) corrupts ZwCreateFile by zeroing its first two bytes;

(4) attempts to delete the following files (mainly the drivers and program files of antivirus products and rogueware removal tools):

"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**Modifies the hosts file to the following**
Once the hosts file has been modified, updates for many antivirus and anti-rogueware products are affected, as is access to the related websites.
(Note the IP 61.152.244.167: many high-traffic sites below are hijacked to 61.152.244.167. Try entering this IP in the IE address bar and you will find you end up at cn.yahoo.com.)
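As an added example (not part of the original post), a Python check for the hosts-file pattern described above: many hostnames pinned to one non-loopback address, and security-vendor or update domains pinned at all. The sample hosts content is constructed from a few of the entries the post lists; the vendor keyword list and the count threshold are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a handful of the hosts entries quoted in the post above.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
61.152.244.167    www.google.com
61.152.244.167    www.360safe.com
222.73.126.115    update.360safe.com
222.73.126.115    update.rising.com.cn
222.73.126.115    dnl-cn1.kaspersky-labs.com
61.152.244.167    security.symantec.com
"""

# Assumption: substrings that identify AV vendor or update infrastructure.
VENDOR_MARKERS = ("kaspersky", "symantec", "mcafee", "rising", "jiangmin",
                  "360safe", "duba", "update.", "dnl-")
MANY_HOSTS = 3  # low so the small sample fires; raise for real hosts files

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address; skip the line
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def find_hijacks(text, many=MANY_HOSTS):
    """Flag non-loopback pins of vendor domains and sinkhole-style addresses."""
    by_ip = defaultdict(set)
    findings = []
    for ip, name in parse_hosts(text):
        by_ip[ip].add(name)
        if not ipaddress.ip_address(ip).is_loopback and any(m in name for m in VENDOR_MARKERS):
            findings.append(f"vendor domain {name} pinned to {ip}")
    for ip, names in by_ip.items():
        if len(names) >= many and not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"{ip} owns {len(names)} hostnames (sinkhole pattern)")
    return findings

if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print(finding)
```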
Posted 2007-9-21 20:39:26
:o I don't really get it...
Posted 2007-9-21 21:50:50
Early warnings about viruses are a good thing, but only describing a virus's symptoms without giving any remedies is probably as good as saying nothing; after all, what everyone cares about is how to detect and remove the virus, not how it acts.