New AV Terminator variant uses ring-3 hooking against antivirus software

Posted 2007-9-21 19:33:31
Captured the latest AV Terminator. This variant uses ring-3 (user-mode) hooking to delete antivirus software directly, hijacks a large number of websites, and blocks antivirus updates. A dedicated removal tool is being built urgently and will be released as soon as it passes testing; the removal tool for the older AV Terminator will upgrade itself automatically when run.

The detailed analysis report follows:

Virus name: Win32.Troj.AvKiller.hd.212992
The virus injects itself into other processes using a WH_CALLWNDPROC-type hook.

**Dropped files**
C:\WINDOWS\system32\nfxphzn.jbt    a copy of kernel32.dll
c:\WINDOWS\system32\yqia.btl       a copy of the virus itself

**Downloaded files**
w3.hao5555.com/v3/pic.bmp
w3.hao5555.com/v3/Riched32.dll
w3.hao5555.com/v3/search.asp
w3.hao5555.com/bd.dll

**Registry modifications**
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"
[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

**Hooked functions**
RegEnumValueA
RegEnumValueW -- purpose: hide the registry values added by the virus

CreateFileA
CreateFileW   -- purpose: protect the files dropped by the virus

**Unregistered component**
regsvr32.exe /u /s wshom.ocx

The virus itself calls CreateFileA and CreateFileW through nfxphzn.jbt. After injecting into the system's other processes it:

(1) creates a thread to protect the registry values it added from being deleted;

(2) terminates antivirus processes;

(3) corrupts ZwCreateFile by overwriting its first two bytes with zeros;

(4) attempts to delete the following files (mainly the drivers and program files of antivirus products and rogueware-removal tools):

"mmskskin.dll"
"KKClean.dll"
"VirUnk.def"
"AntiActi.dll"
"Rsaupd.exe"
"Iereset.dll"
"Libclsid.dat"
"KNetWch.SYS"
"CleanHis.dll"
"WoptiClean.sys"
"kakalib.def"
"libdll.dat"
"kkinst.ini"
"KASearch.DLL"
"KAVBootC.sys"
"Ras.exe"
"iehelp.exe"
"trojandetector.exe"
"KAConfig.DLL"
"KAVPassp.DLL"
"hsfw.dll"

**The hosts file is modified to**
Once the hosts file has been modified, updates of many antivirus and anti-rogueware products are affected, and access to the related websites is affected.
(Note the IP 61.152.244.167: many high-traffic sites below are hijacked to 61.152.244.167. You can try typing this IP into the IE address bar; you will find you end up at cn.yahoo.com.)
127.0.0.1         localhost
61.152.244.167    search.114.vnet.cn
61.152.244.167    auto.search.msn.com
61.152.244.167    search.msn.com
61.152.244.167    cnweb.search.live.com
61.152.244.167    search.live.com
61.152.244.167    www.hao123.com
61.152.244.167    hao123.com
61.152.244.167    www.360safe.com
61.152.244.167    360safe.com
222.73.126.115    update.360safe.com
61.152.244.167    dl.360safe.com
61.152.244.167    bbs.360safe.com
61.152.244.167    www.btbaicai.com
61.152.244.167    btbaicai.com
61.152.244.167    www.pctutu.com
61.152.244.167    www.7322.com
61.152.244.167    www.5566.net
61.152.244.167    www.9991.com
61.152.244.167    9991.com
61.152.244.167    forum.ikaka.com
61.152.244.167    www.ikaka.com
222.73.126.115    update.ikaka.com
61.152.244.167    forum.jiangmin.com
222.73.126.115    update.jiangmin.com
61.152.244.167    post.baidu.com
222.73.126.115    update.rising.com.cn
61.152.244.167    online.rising.com.cn
222.73.126.115    center.rising.com.cn
61.152.244.167    up.duba.net
61.152.244.167    shadu.baidu.com
61.152.244.167    security.symantec.com
61.152.244.167    shadu.duba.net
61.152.244.167    online.jiangmin.com
61.152.244.167    cn.mcafee.com
61.152.244.167    www.ahn.com.cn
61.152.244.167    www.kaspersky.com.cn
61.152.244.167    www.pcav.cn
61.152.244.167    mopery.hits.io
61.152.244.167    www.luosoft.com
61.152.244.167    luosoft.com
61.152.244.167    www.im286.com
61.152.244.167    bbs.htmlman.net
61.152.244.167    10000.286er.com
61.152.244.167    im286.net
61.152.244.167    cool.47555.com
61.152.244.167    ju.qihoo.com
61.152.244.167    bbs.chinaz.com
222.73.126.115    dnl-cn1.kaspersky-labs.com
222.73.126.115    dnl-cn2.kaspersky-labs.com
222.73.126.115    dnl-cn3.kaspersky-labs.com
222.73.126.115    dnl-cn4.kaspersky-labs.com
222.73.126.115    dnl-cn5.kaspersky-labs.com
222.73.126.115    dnl-cn6.kaspersky-labs.com
222.73.126.115    dnl-cn7.kaspersky-labs.com
222.73.126.115    dnl-cn8.kaspersky-labs.com
222.73.126.115    dnl-cn9.kaspersky-labs.com
222.73.126.115    dnl-cn10.kaspersky-labs.com
222.73.126.115    dnl-cn11.kaspersky-labs.com
222.73.126.115    dnl-cn12.kaspersky-labs.com
222.73.126.115    dnl-cn13.kaspersky-labs.com
222.73.126.115    dnl-cn14.kaspersky-labs.com
222.73.126.115    dnl-cn15.kaspersky-labs.com
222.73.126.115    dnl-eu1.kaspersky-labs.com
222.73.126.115    dnl-eu2.kaspersky-labs.com
222.73.126.115    dnl-eu3.kaspersky-labs.com
222.73.126.115    dnl-eu4.kaspersky-labs.com
222.73.126.115    dnl-eu5.kaspersky-labs.com
222.73.126.115    dnl-eu6.kaspersky-labs.com
222.73.126.115    dnl-eu7.kaspersky-labs.com
222.73.126.115    dnl-eu8.kaspersky-labs.com
222.73.126.115    dnl-eu9.kaspersky-labs.com
222.73.126.115    dnl-eu10.kaspersky-labs.com
222.73.126.115    dnl-eu11.kaspersky-labs.com
222.73.126.115    dnl-eu12.kaspersky-labs.com
222.73.126.115    dnl-eu13.kaspersky-labs.com
222.73.126.115    dnl-eu14.kaspersky-labs.com
222.73.126.115    dnl-eu15.kaspersky-labs.com
222.73.126.115    dnl-us1.kaspersky-labs.com
222.73.126.115    dnl-us2.kaspersky-labs.com
222.73.126.115    dnl-us3.kaspersky-labs.com
222.73.126.115    dnl-us4.kaspersky-labs.com
222.73.126.115    dnl-us5.kaspersky-labs.com
222.73.126.115    dnl-us6.kaspersky-labs.com
222.73.126.115    dnl-us7.kaspersky-labs.com
222.73.126.115    dnl-us8.kaspersky-labs.com
222.73.126.115    dnl-us9.kaspersky-labs.com
222.73.126.115    dnl-us10.kaspersky-labs.com
222.73.126.115    dnl-us11.kaspersky-labs.com
222.73.126.115    dnl-us12.kaspersky-labs.com
222.73.126.115    dnl-us13.kaspersky-labs.com
222.73.126.115    dnl-us14.kaspersky-labs.com
222.73.126.115    dnl-us15.kaspersky-labs.com
222.73.126.115    dnl-ru1.kaspersky-labs.com
222.73.126.115    dnl-ru2.kaspersky-labs.com
222.73.126.115    dnl-ru3.kaspersky-labs.com
222.73.126.115    dnl-ru4.kaspersky-labs.com
222.73.126.115    dnl-ru5.kaspersky-labs.com
222.73.126.115    dnl-ru6.kaspersky-labs.com
222.73.126.115    dnl-ru7.kaspersky-labs.com
222.73.126.115    dnl-ru8.kaspersky-labs.com
222.73.126.115    dnl-ru9.kaspersky-labs.com
222.73.126.115    dnl-ru10.kaspersky-labs.com
222.73.126.115    dnl-ru11.kaspersky-labs.com
222.73.126.115    dnl-ru12.kaspersky-labs.com
222.73.126.115    dnl-ru13.kaspersky-labs.com
222.73.126.115    dnl-ru14.kaspersky-labs.com
222.73.126.115    dnl-ru15.kaspersky-labs.com
222.73.126.115    dnl-jp1.kaspersky-labs.com
222.73.126.115    dnl-jp2.kaspersky-labs.com
222.73.126.115    dnl-jp3.kaspersky-labs.com
222.73.126.115    dnl-jp4.kaspersky-labs.com
222.73.126.115    dnl-jp5.kaspersky-labs.com
222.73.126.115    dnl-jp6.kaspersky-labs.com
222.73.126.115    dnl-jp7.kaspersky-labs.com
222.73.126.115    dnl-jp8.kaspersky-labs.com
222.73.126.115    dnl-jp9.kaspersky-labs.com
222.73.126.115    dnl-jp10.kaspersky-labs.com
222.73.126.115    dnl-jp11.kaspersky-labs.com
222.73.126.115    dnl-jp12.kaspersky-labs.com
222.73.126.115    dnl-jp13.kaspersky-labs.com
222.73.126.115    dnl-jp14.kaspersky-labs.com
222.73.126.115    dnl-jp15.kaspersky-labs.com
222.73.126.115    dnl-kr1.kaspersky-labs.com
222.73.126.115    dnl-kr2.kaspersky-labs.com
222.73.126.115    dnl-kr3.kaspersky-labs.com
222.73.126.115    dnl-kr4.kaspersky-labs.com
222.73.126.115    dnl-kr5.kaspersky-labs.com
222.73.126.115    dnl-kr6.kaspersky-labs.com
222.73.126.115    dnl-kr7.kaspersky-labs.com
222.73.126.115    dnl-kr8.kaspersky-labs.com
222.73.126.115    dnl-kr9.kaspersky-labs.com
222.73.126.115    dnl-kr10.kaspersky-labs.com
222.73.126.115    dnl-kr11.kaspersky-labs.com
222.73.126.115    dnl-kr12.kaspersky-labs.com
222.73.126.115    dnl-kr13.kaspersky-labs.com
222.73.126.115    dnl-kr14.kaspersky-labs.com
222.73.126.115    dnl-kr15.kaspersky-labs.com
222.73.126.115    dnl-cd1.kaspersky-labs.com
222.73.126.115    dnl-cd2.kaspersky-labs.com
222.73.126.115    dnl-cd3.kaspersky-labs.com
222.73.126.115    dnl-cd4.kaspersky-labs.com
222.73.126.115    dnl-cd10.kaspersky-labs.com
61.152.244.167    search.cn.yahoo.com
61.152.244.167    www.google.com
61.152.244.167    google.com
61.152.244.167    www.google.cn
61.152.244.167    www.sogou.com
61.152.244.167    www.yahoo.com.cn
61.152.244.167    cn.yahoo.com
222.73.210.148    www.comewz.com
61.152.244.167    search.tom.com
61.152.244.167    sou.china.com
61.152.244.167    toolsbar.kuaiso.com
61.152.244.167    www.kuaiso.com
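As an added example (not part of the original post and not a vendor removal tool), the following script turns the two host-level indicators listed above into an offline check: it reads a hosts file and reports the sink IPs that collect security-vendor or many unrelated hostnames (the one-IP-many-sites pattern noted for 61.152.244.167), and it parses a .reg export to resolve every ShellServiceObjectDelayLoad value to the DLL its CLSID loads, flagging entries not on an allow-list and the DisableCMD policy. The hosts excerpt and .reg excerpt embedded below are constructed from the values in the post; the vendor keyword list and the allow-list (a single stock WebCheck CLSID) are assumptions made for the demonstration.

```python
"""Offline checker for the hosts-file hijack and SSODL persistence IOCs in the post.

Added example, not code from the original post or from any AV vendor. Sample
inputs are constructed inline; the keyword list and SSODL allow-list are assumed.
"""
import re
from collections import defaultdict

# Keywords for security-vendor domains whose hijack blocks updates (assumed, not exhaustive).
SECURITY_DOMAIN_HINTS = ("kaspersky", "360safe", "rising", "jiangmin", "duba",
                         "ikaka", "symantec", "mcafee", "qihoo", "ahn")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Assumed allow-list for the demo: the stock WebCheck SSODL entry on Windows XP.
KNOWN_GOOD_SSODL = frozenset({"{e6fb5e20-de35-11cf-9c87-00aa005127ed}"})

# Constructed hosts excerpt: a subset of the post's list plus one benign line.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
61.152.244.167    www.360safe.com
222.73.126.115    update.360safe.com
61.152.244.167    www.google.com
61.152.244.167    cn.yahoo.com
222.73.126.115    dnl-cn1.kaspersky-labs.com
222.73.126.115    dnl-us1.kaspersky-labs.com
61.152.244.167    security.symantec.com
192.168.1.10      intranet.example   # benign constructed entry
"""

# Constructed .reg excerpt with the keys the post reports plus a stock WebCheck entry.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"xphz"="{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}"

[HKEY_CLASSES_ROOT\CLSID\{1b5f93d7-93d7-0a4e-4e82-93d71b5f93d7}\InprocServer32]
@="C:\\WINDOWS\\system32\\yqia.btl"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001
"""


def parse_hosts(text):
    """Yield (ip, hostname) for each active mapping; comments and blank lines are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def find_hosts_hijacks(text, min_fan_in=3):
    """Map sink IP -> sorted hostnames hijacked to it.

    A non-loopback mapping is reported when a name looks like a security vendor,
    or when one IP collects at least min_fan_in names (the one-IP-many-sites pattern).
    """
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        if ip not in LOOPBACK:
            by_ip[ip].add(name)
    findings = {}
    for ip, names in by_ip.items():
        vendor = any(hint in n for n in names for hint in SECURITY_DOMAIN_HINTS)
        if vendor or len(names) >= min_fan_in:
            findings[ip] = sorted(names)
    return findings


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: raw_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group(1).lower()
            keys[current] = {}
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = m.group(2)
    return keys


def reg_sz(data):
    """Unescape a quoted REG_SZ literal (doubled backslashes); other data is returned as-is."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def find_ssodl_persistence(text, known_good=KNOWN_GOOD_SSODL):
    """Resolve each SSODL value to the DLL its CLSID loads.

    Returns (value_name, clsid, dll_path, odd_extension) for entries not on the
    allow-list; a non-.dll/.ocx server path (like yqia.btl) is a strong hint on its own.
    """
    keys = parse_reg_export(text)
    ssodl = next((v for k, v in keys.items() if k.endswith("\\shellserviceobjectdelayload")), {})
    hits = []
    for value_name, data in ssodl.items():
        clsid = reg_sz(data).lower()
        if clsid in known_good:
            continue
        server = keys.get(f"hkey_classes_root\\clsid\\{clsid}\\inprocserver32", {})
        dll = reg_sz(server.get("(Default)", ""))
        hits.append((value_name, clsid, dll, not dll.lower().endswith((".dll", ".ocx"))))
    return hits


def cmd_disabled(text):
    """True when the DisableCMD=1 user policy the post reports is present."""
    for key, vals in parse_reg_export(text).items():
        if key.endswith("\\policies\\microsoft\\windows\\system"):
            return vals.get("DisableCMD", "").lower() == "dword:00000001"
    return False


if __name__ == "__main__":
    for ip, names in find_hosts_hijacks(HOSTS_SAMPLE).items():
        print(f"hosts: {len(names)} names sinkholed to {ip}: {', '.join(names)}")
    for name, clsid, dll, odd in find_ssodl_persistence(REG_SAMPLE):
        print(f"SSODL: {name} -> {clsid} -> {dll}{'  (non-DLL extension)' if odd else ''}")
    print("cmd.exe disabled by policy:", cmd_disabled(REG_SAMPLE))
```

On a live machine the inputs would come from %SystemRoot%\System32\drivers\etc\hosts and from `reg export` of the SSODL key, the CLSID subtree and the Policies\Microsoft\Windows\System key (note that `reg export` writes UTF-16LE, so open those files with `encoding="utf-16"`). The check is deliberately read-only: because this variant hooks RegEnumValue and CreateFile inside injected processes, an enumeration performed from a hooked process can be lied to, so export and inspect from clean media where possible.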
Posted 2007-9-21 20:39:26
:o I don't really understand this...

Posted 2007-9-21 21:50:50
Early warnings about viruses are a good thing, but if you only describe how the virus manifests and say nothing about how to deal with it, it may be as good as saying nothing. After all, what everyone cares about is how the virus is detected and removed, not how it acts.