Intercepted the latest AV Terminator (AV终结者) variant. This variant uses ring3-level (user-mode) hooking to delete antivirus software directly, hijacks numerous websites, and blocks antivirus updates. A dedicated removal tool is being worked on and will be released as soon as it passes testing; running the older AV Terminator removal tool will upgrade it automatically.

The detailed analysis report follows:

Virus name: Win32.Troj.AvKiller.hd.212992

The virus uses a WH_CALLWNDPROC-type Windows hook to inject itself into other processes.
**Dropped files**

C:\WINDOWS\system32\nfxphzn.jbt (this file is a copy of kernel32.dll)
c:\WINDOWS\system32\yqia.btl (this file is a copy of the virus itself)

**Downloaded files**

w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry modifications**

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
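The ShellServiceObjectDelayLoad (SSODL) entry above is the persistence mechanism: explorer.exe loads every CLSID listed there at logon, and the CLSID resolves through HKCR\CLSID\{...}\InprocServer32 to the loader file. The following Python triage script is an added example, not code from the original post or from any removal tool. It parses a .reg export, resolves each SSODL value to the module that would be loaded, flags modules whose extension is not one a COM in-process server normally uses, and reports whether the DisableCMD policy is set. The sample input is constructed from the entries in this report plus one invented benign entry (placeholder CLSID `{00000000-0000-0000-0000-00000000c0de}` and `benignhelper.dll`) so that the script has something to leave alone.

```python
import re
from collections import defaultdict

# Constructed sample .reg export (hypothetical, not from a real machine): the
# entries in the report above plus one invented benign SSODL entry.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BenignHelper"="{00000000-0000-0000-0000-00000000c0de}"
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-00000000c0de}\InprocServer32]
@="C:\\WINDOWS\\system32\\benignhelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

SSODL_KEY = r'hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload'
CMD_POLICY_KEY = r'hkey_current_user\software\policies\microsoft\windows\system'
# Extensions a COM in-process server is normally registered with.
LOADABLE_EXTS = ('.dll', '.ocx', '.ax', '.cpl')


def _unquote(s):
    """Strip the surrounding quotes and undo .reg escaping of backslashes and quotes."""
    return s[1:-1].replace('\\\\', '\\').replace('\\"', '"')


def _decode(data):
    """Decode a .reg value: dword -> int, quoted string -> str, anything else raw."""
    if data.startswith('dword:'):
        return int(data[len('dword:'):], 16)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unquote(data)
    return data  # hex(...) binary blobs are kept as raw text


def parse_reg(text):
    """Parse .reg export text into {key_path_lowercased: {value_name: value}}."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            _ = keys[current]  # register the key even if it carries no values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unquote(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return dict(keys)


def find_ssodl_loaders(keys):
    """Resolve each SSODL value to the module explorer.exe will load via its CLSID.
    A module whose extension is not a usual in-process-server extension (the
    report's loader is a .btl file) is flagged as suspicious."""
    findings = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        inproc_key = ('hkey_classes_root\\clsid\\' + clsid + '\\inprocserver32').lower()
        module = keys.get(inproc_key, {}).get('(Default)')
        odd_ext = module is not None and not module.lower().endswith(LOADABLE_EXTS)
        findings.append({'value': name, 'clsid': clsid, 'module': module,
                         'suspicious': odd_ext})
    return findings


def cmd_disabled(keys):
    """True when the DisableCMD policy is non-zero (cmd.exe blocked for the user)."""
    return keys.get(CMD_POLICY_KEY, {}).get('DisableCMD', 0) != 0


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    for f in find_ssodl_loaders(parsed):
        flag = 'SUSPICIOUS' if f['suspicious'] else 'ok'
        print(f"[{flag}] SSODL {f['value']} -> {f['clsid']} -> {f['module']}")
    print('cmd.exe disabled by policy:', cmd_disabled(parsed))
```

To run it against a real system, export the three keys with `reg export` and read the result with `encoding='utf-16'` (Windows writes .reg files as UTF-16 with a header line, which the parser skips). The extension heuristic is only a first pass: a loader registered with a .dll extension would pass it, so pair the listing with a hash or signature check of every resolved module. Remember also that this variant hooks RegEnumValueA/W inside injected processes to hide its own values, so an export taken from inside the infected session may not show the entry; export from a clean boot or an offline hive when in doubt.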
**Hooked functions**

RegEnumValueA
RegEnumValueW (purpose: hide the registry values added by the virus)

CreateFileA
CreateFileW (purpose: protect the files dropped by the virus)

**Unregistered component**

regsvr32.exe /u /s wshom.ocx

The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt (its private copy of kernel32.dll). After injecting into the system's other processes, it:

(1) creates a thread that protects the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) cripples ZwCreateFile by overwriting its first two bytes with zeros;

(4) and attempts to delete the following files (mainly the drivers and program files of antivirus products and rogue-software removal tools):

"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**Modifies the hosts file to the following**

Once the hosts file is modified, updates of many antivirus and anti-rogue-software products break, and access to the related websites is affected.
(Note the IP 61.152.244.167: many high-traffic sites below are hijacked to 61.152.244.167. Try entering this IP in the IE address bar and you will find that you land on cn.yahoo.com.)
127.0.0.1 localhost
61.152.244.167 search.114.vnet.cn
61.152.244.167 auto.search.msn.com
61.152.244.167 search.msn.com
61.152.244.167 cnweb.search.live.com
61.152.244.167 search.live.com
61.152.244.167 www.hao123.com
61.152.244.167 hao123.com
61.152.244.167 www.360safe.com
61.152.244.167 360safe.com
222.73.126.115 update.360safe.com
61.152.244.167 dl.360safe.com
61.152.244.167 bbs.360safe.com
61.152.244.167 www.btbaicai.com
61.152.244.167 btbaicai.com
61.152.244.167 www.pctutu.com
61.152.244.167 www.7322.com
61.152.244.167 www.5566.net
61.152.244.167 www.9991.com
61.152.244.167 9991.com
61.152.244.167 forum.ikaka.com
61.152.244.167 www.ikaka.com
222.73.126.115 update.ikaka.com
61.152.244.167 forum.jiangmin.com
222.73.126.115 update.jiangmin.com
61.152.244.167 post.baidu.com
222.73.126.115 update.rising.com.cn
61.152.244.167 online.rising.com.cn
222.73.126.115 center.rising.com.cn
61.152.244.167 up.duba.net
61.152.244.167 shadu.baidu.com
61.152.244.167 security.symantec.com
61.152.244.167 shadu.duba.net
61.152.244.167 online.jiangmin.com
61.152.244.167 cn.mcafee.com
61.152.244.167 www.ahn.com.cn
61.152.244.167 www.kaspersky.com.cn
61.152.244.167 www.pcav.cn
61.152.244.167 mopery.hits.io
61.152.244.167 www.luosoft.com
61.152.244.167 luosoft.com
61.152.244.167 www.im286.com
61.152.244.167 bbs.htmlman.net
61.152.244.167 10000.286er.com
61.152.244.167 im286.net
61.152.244.167 cool.47555.com
61.152.244.167 ju.qihoo.com
61.152.244.167 bbs.chinaz.com
222.73.126.115 dnl-cn1.kaspersky-labs.com
222.73.126.115 dnl-cn2.kaspersky-labs.com
222.73.126.115 dnl-cn3.kaspersky-labs.com
222.73.126.115 dnl-cn4.kaspersky-labs.com
222.73.126.115 dnl-cn5.kaspersky-labs.com
222.73.126.115 dnl-cn6.kaspersky-labs.com
222.73.126.115 dnl-cn7.kaspersky-labs.com
222.73.126.115 dnl-cn8.kaspersky-labs.com
222.73.126.115 dnl-cn9.kaspersky-labs.com
222.73.126.115 dnl-cn10.kaspersky-labs.com
222.73.126.115 dnl-cn11.kaspersky-labs.com
222.73.126.115 dnl-cn12.kaspersky-labs.com
222.73.126.115 dnl-cn13.kaspersky-labs.com
222.73.126.115 dnl-cn14.kaspersky-labs.com
222.73.126.115 dnl-cn15.kaspersky-labs.com
222.73.126.115 dnl-eu1.kaspersky-labs.com
222.73.126.115 dnl-eu2.kaspersky-labs.com
222.73.126.115 dnl-eu3.kaspersky-labs.com
222.73.126.115 dnl-eu4.kaspersky-labs.com
222.73.126.115 dnl-eu5.kaspersky-labs.com
222.73.126.115 dnl-eu6.kaspersky-labs.com
222.73.126.115 dnl-eu7.kaspersky-labs.com
222.73.126.115 dnl-eu8.kaspersky-labs.com
222.73.126.115 dnl-eu9.kaspersky-labs.com
222.73.126.115 dnl-eu10.kaspersky-labs.com
222.73.126.115 dnl-eu11.kaspersky-labs.com
222.73.126.115 dnl-eu12.kaspersky-labs.com
222.73.126.115 dnl-eu13.kaspersky-labs.com
222.73.126.115 dnl-eu14.kaspersky-labs.com
222.73.126.115 dnl-eu15.kaspersky-labs.com
222.73.126.115 dnl-us1.kaspersky-labs.com
222.73.126.115 dnl-us2.kaspersky-labs.com
222.73.126.115 dnl-us3.kaspersky-labs.com
222.73.126.115 dnl-us4.kaspersky-labs.com
222.73.126.115 dnl-us5.kaspersky-labs.com
222.73.126.115 dnl-us6.kaspersky-labs.com
222.73.126.115 dnl-us7.kaspersky-labs.com
222.73.126.115 dnl-us8.kaspersky-labs.com
222.73.126.115 dnl-us9.kaspersky-labs.com
222.73.126.115 dnl-us10.kaspersky-labs.com
222.73.126.115 dnl-us11.kaspersky-labs.com
222.73.126.115 dnl-us12.kaspersky-labs.com
222.73.126.115 dnl-us13.kaspersky-labs.com
222.73.126.115 dnl-us14.kaspersky-labs.com
222.73.126.115 dnl-us15.kaspersky-labs.com
222.73.126.115 dnl-ru1.kaspersky-labs.com
222.73.126.115 dnl-ru2.kaspersky-labs.com
222.73.126.115 dnl-ru3.kaspersky-labs.com
222.73.126.115 dnl-ru4.kaspersky-labs.com
222.73.126.115 dnl-ru5.kaspersky-labs.com
222.73.126.115 dnl-ru6.kaspersky-labs.com
222.73.126.115 dnl-ru7.kaspersky-labs.com
222.73.126.115 dnl-ru8.kaspersky-labs.com
222.73.126.115 dnl-ru9.kaspersky-labs.com
222.73.126.115 dnl-ru10.kaspersky-labs.com
222.73.126.115 dnl-ru11.kaspersky-labs.com
222.73.126.115 dnl-ru12.kaspersky-labs.com
222.73.126.115 dnl-ru13.kaspersky-labs.com
222.73.126.115 dnl-ru14.kaspersky-labs.com
222.73.126.115 dnl-ru15.kaspersky-labs.com
222.73.126.115 dnl-jp1.kaspersky-labs.com
222.73.126.115 dnl-jp2.kaspersky-labs.com
222.73.126.115 dnl-jp3.kaspersky-labs.com
222.73.126.115 dnl-jp4.kaspersky-labs.com
222.73.126.115 dnl-jp5.kaspersky-labs.com
222.73.126.115 dnl-jp6.kaspersky-labs.com
222.73.126.115 dnl-jp7.kaspersky-labs.com
222.73.126.115 dnl-jp8.kaspersky-labs.com
222.73.126.115 dnl-jp9.kaspersky-labs.com
222.73.126.115 dnl-jp10.kaspersky-labs.com
222.73.126.115 dnl-jp11.kaspersky-labs.com
222.73.126.115 dnl-jp12.kaspersky-labs.com
222.73.126.115 dnl-jp13.kaspersky-labs.com
222.73.126.115 dnl-jp14.kaspersky-labs.com
222.73.126.115 dnl-jp15.kaspersky-labs.com
222.73.126.115 dnl-kr1.kaspersky-labs.com
222.73.126.115 dnl-kr2.kaspersky-labs.com
222.73.126.115 dnl-kr3.kaspersky-labs.com
222.73.126.115 dnl-kr4.kaspersky-labs.com
222.73.126.115 dnl-kr5.kaspersky-labs.com
222.73.126.115 dnl-kr6.kaspersky-labs.com
222.73.126.115 dnl-kr7.kaspersky-labs.com
222.73.126.115 dnl-kr8.kaspersky-labs.com
222.73.126.115 dnl-kr9.kaspersky-labs.com
222.73.126.115 dnl-kr10.kaspersky-labs.com
222.73.126.115 dnl-kr11.kaspersky-labs.com
222.73.126.115 dnl-kr12.kaspersky-labs.com
222.73.126.115 dnl-kr13.kaspersky-labs.com
222.73.126.115 dnl-kr14.kaspersky-labs.com
222.73.126.115 dnl-kr15.kaspersky-labs.com
222.73.126.115 dnl-cd1.kaspersky-labs.com
222.73.126.115 dnl-cd2.kaspersky-labs.com
222.73.126.115 dnl-cd3.kaspersky-labs.com
222.73.126.115 dnl-cd4.kaspersky-labs.com
222.73.126.115 dnl-cd10.kaspersky-labs.com
61.152.244.167 search.cn.yahoo.com
61.152.244.167 www.google.com
61.152.244.167 google.com
61.152.244.167 www.google.cn
61.152.244.167 www.sogou.com
61.152.244.167 www.yahoo.com.cn
61.152.244.167 cn.yahoo.com
222.73.210.148 www.comewz.com
61.152.244.167 search.tom.com
61.152.244.167 sou.china.com
61.152.244.167 toolsbar.kuaiso.com
61.152.244.167 www.kuaiso.com
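The hosts list above shows two patterns a responder can detect mechanically: security-vendor domains are overridden at all (update servers sent to 222.73.126.115, vendor websites to 61.152.244.167), and a handful of addresses absorb dozens of unrelated hostnames. The Python script below is an added example, not code from the original post or from any vendor, that runs both detections over hosts-file text. The sample input is constructed from a subset of the entries above plus an invented legitimate local override (`intranet.example.test`); the vendor watchlist is likewise constructed from hostnames in this report and should be extended for the products in your own estate.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: a normal loopback line, a comment, one invented
# legitimate local override, and a subset of the hijacked entries in the report.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
61.152.244.167  www.360safe.com
222.73.126.115  update.360safe.com
61.152.244.167  dl.360safe.com
222.73.126.115  update.rising.com.cn
222.73.126.115  update.jiangmin.com
222.73.126.115  dnl-cn1.kaspersky-labs.com
222.73.126.115  dnl-us1.kaspersky-labs.com
61.152.244.167  security.symantec.com
61.152.244.167  www.google.com
61.152.244.167  www.hao123.com
192.168.1.10    intranet.example.test   # invented legitimate override
"""

# Watchlist of security-vendor domains (constructed from hostnames in the report).
WATCHLIST_SUFFIXES = (
    '360safe.com', 'rising.com.cn', 'jiangmin.com', 'kaspersky-labs.com',
    'kaspersky.com.cn', 'symantec.com', 'duba.net', 'ikaka.com', 'mcafee.com',
)


def parse_hosts(text):
    """Return [(ip, hostname), ...] from hosts-file text. Comments and blank
    lines are skipped, several hostnames on one line are expanded, and lines
    whose first field is not a valid IP address are ignored."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs


def on_watchlist(host):
    """True when host is a watchlisted vendor domain or a subdomain of one."""
    return any(host == s or host.endswith('.' + s) for s in WATCHLIST_SUFFIXES)


def analyze_hosts(text, sink_threshold=5):
    """Two detections over a hosts file:
    - watchlist_hits: any override of a vendor domain. Whether it is redirected
      to an attacker address or nulled to loopback, the product's updates break,
      so the address it points at is reported but does not affect the verdict.
    - sinks: addresses that absorb at least sink_threshold distinct hostnames,
      the mass-redirect pattern the report shows for 61.152.244.167 and
      222.73.126.115."""
    hosts_by_ip = defaultdict(set)
    hits = []
    for ip, host in parse_hosts(text):
        hosts_by_ip[ip].add(host)
        if on_watchlist(host):
            hits.append((host, ip))
    sinks = {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= sink_threshold}
    return {'watchlist_hits': hits, 'sinks': sinks}


if __name__ == '__main__':
    report = analyze_hosts(SAMPLE_HOSTS)
    for host, ip in report['watchlist_hits']:
        print(f'vendor domain overridden: {host} -> {ip}')
    for ip, hosts in report['sinks'].items():
        print(f'sink {ip} collects {len(hosts)} hostnames, e.g. {hosts[:3]}')
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `analyze_hosts`. Because this variant hooks CreateFileA/W in the processes it injects and protects its own files, a read taken from inside the infected session is not fully trustworthy, so examine the file from a clean boot or a mounted image when the result matters. The sink threshold is a heuristic: a hosts file used as an ad blocklist will legitimately map many hostnames to 0.0.0.0 or 127.0.0.1, so treat a sink at a public address as the strong signal.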