The latest AV Terminator (AV终结者) variant has been intercepted. This variant uses ring3 (user-mode) hooking to delete antivirus software outright, hijacks a large number of websites, and blocks antivirus updates. A dedicated removal tool is under urgent development and will be released as soon as it passes testing; the older AV Terminator removal tool upgrades itself automatically when run.

The detailed analysis report follows:
Virus name: Win32.Troj.AvKiller.hd.212992
The virus injects itself into other processes by installing a WH_CALLWNDPROC hook.
**Dropped files**
C:\WINDOWS\system32\nfxphzn.jbt -- a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl -- a copy of the virus itself
**Downloaded files**
w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry modifications**
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
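The registry fragment above is the persistence mechanism: Explorer loads every CLSID listed under ShellServiceObjectDelayLoad at logon, and the CLSID's InprocServer32 value points at a file with a non-DLL extension. The following added example (not code from the original report) parses .reg-style text and flags exactly that pattern; the benign CLSID `{00000000-0000-0000-0000-000000000001}` and `placeholder.dll` are constructed for the sample.

```python
"""Flag ShellServiceObjectDelayLoad (SSODL) entries whose CLSID loads a non-DLL module.
Added example, not code from the original report. It parses .reg-style text like the
fragment above: each SSODL value names a CLSID, and that CLSID's InprocServer32 default
value is the module Explorer loads at logon; a module that is not a .dll (here yqia.btl
in system32) is the persistence pattern the report describes."""
import re

SSODL_KEY = (r"hkey_local_machine\software\microsoft\windows"
             r"\currentversion\shellserviceobjectdelayload")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)

# Constructed sample: the report's SSODL/CLSID entries plus one benign entry under a
# placeholder CLSID (not a real Windows CLSID) that loads an ordinary .dll.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
"benign"="{00000000-0000-0000-0000-000000000001}"
[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\system32\\placeholder.dll"
"ThreadingModel"="Apartment"
"""

def parse_reg(text):
    """Return {key_path (lowercased): {value_name: data}} from .reg-style text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_ssodl_loaders(reg):
    """Resolve each SSODL CLSID to its InprocServer32 module; flag any that is not a .dll."""
    findings = []
    for name, data in reg.get(SSODL_KEY, {}).items():
        m = CLSID_RE.search(data)
        if not m:
            continue
        server_key = "hkey_classes_root\\clsid\\" + m.group(0).lower() + "\\inprocserver32"
        path = reg.get(server_key, {}).get("@", "")  # empty if the CLSID has no server
        findings.append({"value": name, "clsid": m.group(0), "path": path,
                         "suspicious": not path.lower().endswith(".dll")})
    return findings
```

Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` plus an export of HKCR\CLSID to check a live machine; an entry resolving to an empty path is also reported as suspicious.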
**Hooked functions**
RegEnumValueA
RegEnumValueW -- to hide the registry values added by the virus

CreateFileA
CreateFileW -- to protect the files dropped by the virus
**Unregistered components**
regsvr32.exe /u /s wshom.ocx
The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt (its private copy of kernel32.dll). After injecting into the system's other processes, it:

(1) creates a thread that protects the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) corrupts ZwCreateFile by overwriting its first two bytes with zeros;

(4) attempts to delete the following files (mainly the drivers and program files of antivirus products and anti-rogue-software removal tools):
"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**Hosts file modified to**
Once the hosts file has been modified, updates for many antivirus and anti-rogue-software products fail, and access to the related websites is affected.
(Note the IP 61.152.244.167: a large number of high-traffic sites are hijacked to 61.152.244.167. Try entering this IP in the IE address bar and you will find yourself at cn.yahoo.com.)
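The hosts-file change above has two detectable signatures: vendor update hosts pointed at an address other than loopback, and one non-loopback IP collecting many unrelated hostnames. The following added example (not code from the original report) implements both checks over a constructed sample that reuses a few of the report's entries; `intranet.example` and `192.168.1.10` are a made-up benign override, and the threshold `MANY_HOSTS` is an assumption.

```python
"""Hosts-file hijack detector: an added example, not code from the original report.
Flags (a) entries that send a security vendor's update host anywhere but loopback
and (b) a single non-loopback IP that absorbs many unrelated hostnames, the
mass-redirect pattern behind 61.152.244.167 described above."""
import ipaddress
from collections import defaultdict

VENDOR_DOMAINS = {"360safe.com", "rising.com.cn", "jiangmin.com", "duba.net",
                  "kaspersky-labs.com", "ikaka.com"}  # update sites the report shows redirected
MANY_HOSTS = 4  # one IP fronting this many unrelated registrable domains is suspicious
# Constructed sample: a few of the report's entries plus one benign intranet override.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    intranet.example   # benign local override
61.152.244.167  search.msn.com
61.152.244.167  www.hao123.com
61.152.244.167  www.google.com
61.152.244.167  cn.yahoo.com
222.73.126.115  update.360safe.com
222.73.126.115  update.rising.com.cn
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        try:
            for host in parts[1:]:
                yield ipaddress.ip_address(parts[0]), host.lower()
        except ValueError:  # first field is not an IP address
            continue

def registrable(host):
    """Rough registrable domain: last two labels, or three for forms like rising.com.cn."""
    labels = host.split(".")
    n = 3 if len(labels) > 2 and labels[-2] in ("com", "net", "org") and len(labels[-1]) == 2 else 2
    return ".".join(labels[-n:])

def find_hijacks(text):
    """Return [(kind, ip, detail)] for vendor redirects and mass-redirect IPs in hosts text."""
    by_ip, findings = defaultdict(set), []
    for ip, host in parse_hosts(text):
        if ip.is_loopback:
            continue
        by_ip[str(ip)].add(host)
        if registrable(host) in VENDOR_DOMAINS:
            findings.append(("vendor-redirect", str(ip), host))
    for ip, hosts in by_ip.items():
        if len({registrable(h) for h in hosts}) >= MANY_HOSTS:
            findings.append(("mass-redirect", ip, f"{len(hosts)} hostnames"))
    return findings
```

Feed it the contents of %SystemRoot%\system32\drivers\etc\hosts (or any hosts file extracted from an image) to get a list of findings; an empty list means no vendor redirects and no single IP above the threshold.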