We have captured the latest AV Terminator (AV终结者). This variant uses ring3-level hooking to delete antivirus software directly, hijacks a large number of websites, and blocks antivirus updates. A dedicated removal tool is being built as a priority and will be released as soon as it passes testing; the old AV Terminator removal tool will upgrade itself automatically when run.
The detailed analysis report follows:

Virus name: Win32.Troj.AvKiller.hd.212992

The virus uses a WH_CALLWNDPROC-type hook to inject itself into other processes.
**Dropped files**

C:\WINDOWS\system32\nfxphzn.jbt -- a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl -- a copy of the virus itself
**Downloaded files**

w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry modifications**

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
-- entries under this key are loaded by Explorer at logon, which gives the virus persistence

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
-- disables the command prompt for the current user
**Hooked functions**

RegEnumValueA
RegEnumValueW -- to hide the registry values added by the virus

CreateFileA
CreateFileW -- to protect the files dropped by the virus

**Unregistered component**

regsvr32.exe /u /s wshom.ocx
The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt, its private copy of kernel32.dll, so its own file operations are unaffected by the hooks it installs. After injecting into other system processes, it:

(1) creates a thread to protect the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) corrupts ZwCreateFile by overwriting its first two bytes with zeros;

(4) attempts to delete the following files (mainly the drivers and program files of antivirus products and rogue-software removal tools):
"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**Modified hosts file**

After the hosts file has been modified, updates of many antivirus and anti-rogue-software products fail, and access to the related websites is affected.
(Note the IP 61.152.244.167: a large number of high-traffic sites are found to be hijacked to 61.152.244.167 in the modified hosts file. Try typing this IP into the IE address bar and you will find it takes you to cn.yahoo.com.)
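A defender-side check for the hosts-file hijack described above: an added example, not code from the original report. It assumes the hosts file has already been read into a string; the sample content and the vendor watch list are constructed here from domains the report names.

```python
"""Hosts-file hijack check (added example, not code from the original report)."""
import ipaddress
from collections import defaultdict

# Sample hosts content constructed for this example; the three non-loopback
# entries are taken from the report's list of rewritten domains.
SAMPLE_HOSTS = """\
# hosts file
127.0.0.1 localhost
::1 localhost
61.152.244.167 cn.yahoo.com
61.152.244.167 www.360safe.com
222.73.126.115 update.rising.com.cn
"""

# Substrings of security-vendor update/download hosts that should never be
# pinned in a hosts file (assumed watch list, built from the report's domains).
WATCH_SUBSTRINGS = ("update.", "kaspersky-labs", "rising.com", "360safe",
                    "symantec", "mcafee", "duba.net", "jiangmin", "ikaka")


def parse_hosts(text):
    """Return {ip: set(hostnames)} for every well-formed, non-loopback line."""
    mapping = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, skip it
        if ip.is_loopback:
            continue                          # 127.0.0.1 / ::1 are normal
        mapping[str(ip)].update(h.lower() for h in parts[1:])
    return mapping


def find_hijacks(text, min_domains=2):
    """Return {ip: sorted hostnames} for IPs that look like hijack sinks:
    one IP capturing several domains, or any watched vendor domain at all."""
    suspicious = {}
    for ip, hosts in parse_hosts(text).items():
        watched = any(s in h for h in hosts for s in WATCH_SUBSTRINGS)
        if len(hosts) >= min_domains or watched:
            suspicious[ip] = sorted(hosts)
    return suspicious
```

Run `find_hijacks` over the contents of `C:\WINDOWS\system32\drivers\etc\hosts` on a suspect machine; a hosts file that only carries loopback entries yields an empty result.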