New AV Terminator variant uses ring3-level hooking to fight anti-virus software

Posted on 2007-9-21 19:33:31
We have intercepted the latest AV Terminator. This variant uses ring3-level hooking to delete anti-virus software outright, hijacks a large number of websites, and blocks anti-virus updates. A dedicated removal tool is being built as fast as we can and will be released as soon as it passes testing; the removal tool for older AV Terminator versions upgrades itself automatically when run.

The detailed analysis report follows:
Virus name: Win32.Troj.AvKiller.hd.212992

The virus uses a WH_CALLWNDPROC-type hook to inject itself into other processes.

**Dropped files**
C:\WINDOWS\system32\nfxphzn.jbt    a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl       a copy of the virus itself
**Downloaded files**
w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll
**Registry modifications**
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
**Hooked functions**
RegEnumValueA
RegEnumValueW -- purpose: hide the registry values added by the virus

CreateFileA
CreateFileW   -- purpose: protect the files dropped by the virus

**Unregistered component**
regsvr32.exe /u /s wshom.ocx

The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt. After injecting into the system's other processes, the virus:

(1) creates a thread to protect the registry values it added from being deleted;

(2) terminates anti-virus processes;

(3) disables ZwCreateFile by overwriting its first two bytes with zeros;

(4) attempts to delete the following files (mainly driver and program files of anti-virus software and rogue-software removal tools):

"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"
**Modified hosts file**
Once the hosts file has been modified, updates for many anti-virus and anti-rogue-software products are affected, as is access to the related websites.
(Note the IP 61.152.244.167: below, a large number of high-traffic sites are found hijacked to 61.152.244.167. If you try entering this IP in the IE address bar, you end up at cn.yahoo.com.)
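A hosts-file check for the kind of hijack described above, added here as an example and not code from the original post: it parses a hosts file, ignores loopback (blocklist-style) entries, and reports non-loopback target addresses that either receive a watched vendor or search domain or absorb several distinct hostnames, as 61.152.244.167 does in the post. The sample hosts text, the watchlist and the 192.0.2.10 and 203.0.113.5 addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (not from the post). 61.152.244.167 is the
# sink address the post calls out; 192.0.2.10 is a TEST-NET placeholder.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
61.152.244.167  www.example-search.com
61.152.244.167  www.360safe.com   # vendor site sent to the sink
192.0.2.10      update.360safe.com
192.0.2.10      dnl-cn1.kaspersky-labs.com
127.0.0.1       ads.example.net   # ordinary blocklist entry, not a hijack
203.0.113.5     intranet.example.org   # single local override, benign
"""

# Constructed watchlist: AV update servers and search engines that should
# never resolve via hosts to anything but loopback.
WATCHED_DOMAINS = ("360safe.com", "kaspersky-labs.com", "rising.com.cn",
                   "symantec.com", "mcafee.com", "google.com", "yahoo.com")

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and bad lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry
        for name in fields[1:]:
            yield ip, name.lower()

def is_watched(name):
    """True if name equals or is a subdomain of a watched domain."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hijacks(text, min_fan_in=3):
    """Map suspicious non-loopback target IPs to the hostnames sent to them.
    An IP is reported if it receives any watched hostname, or if it absorbs
    min_fan_in or more distinct names (the sink pattern of 61.152.244.167).
    Loopback mappings are ignored: that is how hosts-based blocklists work.
    """
    fan_in = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not ip.is_loopback and name not in fan_in[str(ip)]:
            fan_in[str(ip)].append(name)
    return {ip: names for ip, names in fan_in.items()
            if len(names) >= min_fan_in or any(map(is_watched, names))}
```

Running `find_hijacks(SAMPLE_HOSTS)` reports 61.152.244.167 and 192.0.2.10 with the names sent to them, while the lone intranet override stays silent unless `min_fan_in` is lowered to 1.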
Posted on 2007-9-21 20:39:26
:o I don't really get it..
Posted on 2007-9-21 21:50:50
Early warnings about viruses like this are good, but only describing how a virus manifests without giving any remedies may be as good as saying nothing; after all, what everyone cares about is how the virus is detected and removed, not how it breaks out.