snpmw.dll

王朝百科 · author unknown · 2010-02-16

Virus name: snpmw.dll

Virus size: 385,024 bytes

Packer: none

Language: Microsoft Visual C++ 6.0 DLL

Virus fingerprint:

SHA-160 : 57642C013347E1FCD6590C188F7A612DC847357C
MD5 : 056A372F5469FCB41721F6A952C9AAAD
RIPEMD-160 : 29ED912E067ADA17AEE7CBBB2D1A134C0500D484
CRC-32 : 2157E25C

Once this DLL is installed on the system, it automatically downloads from:

.data:1000D228 off_1000D228 dd offset s_HttpDownload_ ; DATA XREF: sub_10001F9E+8B r
.data:1000D228 ; "http://download.3721.com/download/wmpns..."

the files cdnprot.dat / cdnprot.vxd / cdnprot.sys / cdntran.dat / cdntran.vxd / cdntran.sys into %systemroot%\system32\drivers, cdnns.dll and cdn.dll into %systemroot%\system32, and snpmw.cab into %systemroot%\system32, where it is unpacked and executed:

.data:1000C120 s_Cdn_dll db 'cdn.dll',0 ; DATA XREF: sub_10001000+18E o
.data:1000C120 ; .data:1000C108 o
.data:1000C128 s_DriversCdnp_1 db 'drivers\cdnprot.dat',0 ; DATA XREF: .data:1000C104 o
.data:1000C13C s_DriversCdnp_0 db 'drivers\cdnprot.vxd',0 ; DATA XREF: .data:1000C100 o
.data:1000C13C ; .data:1000C114 o
.data:1000C150 s_DriversCdnpro db 'drivers\cdnprot.sys',0 ; DATA XREF: .data:1000C0FC o
.data:1000C150 ; .data:1000C110 o
.data:1000C164 s_DriversCdnt_1 db 'drivers\cdntran.dat',0 ; DATA XREF: .data:1000C0F8 o
.data:1000C178 s_Cdnns_dll db 'cdnns.dll',0 ; DATA XREF: .data:1000C0F4 o
.data:1000C178 ; .data:1000C10C o
.data:1000C182 align 4
.data:1000C184 s_DriversCdnt_0 db 'drivers\cdntran.vxd',0 ; DATA XREF: .data:1000C0F0 o
.data:1000C184 ; .data:1000C11C o
.data:1000C198 s_DriversCdntra db 'drivers\cdntran.sys',0 ; DATA XREF: .data:off_1000C0EC o
.data:1000D230 ; "wmpns.dll"
.data:1000D234 ; "snpmw.dll"
.data:1000D238 ; "wmpns.ini"
.data:1000D23C ; LPCSTR lpszFile
.data:1000D23C lpszFile dd offset s_Wmpns_cab ; DATA XREF: sub_10001ED8+33 r
.data:1000D23C ; "wmpns.cab"

Writes registry entries to register its services and an IE hook (a Browser Helper Object):

.data:1000C1AC s_SystemCurre_3 db 'SYSTEM\CurrentControlSet\Services\cdntran',0
.data:1000C1D8 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\cdnprot',0
.data:1000C294 s_SoftwareMi_32 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CdnCtr',0
.data:1000C2CC s_SoftwareMi_31 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35980F6E-A137-4E50-953D-813BB8556899}',0
.data:1000C340 s_SoftwareMi_30 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{B53D42E8-872B-430E-82D4'
.data:1000C3AC s_SoftwareMi_29 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CdnClient',0
.data:1000C3F8 s_SoftwareMi_28 db 'SOFTWARE\Microsoft\Internet Explorer\Extensions\{35980F6E-A137-4E50-953D-813BB8556899}',0
.data:1000C450 s_OftwareMicros db 'OFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT',0
.data:1000C490 s_SoftwareCnn_0 db 'SOFTWARE\CNNIC',0 ;
.data:1000C4A0 s_SoftwareCl_14 db 'SOFTWARE\Classes\TypeLib\{C24A5A5C-0874-4386-85C7-E669F90997A9}',0
.data:1000C4E0 s_SoftwareCl_13 db 'SOFTWARE\Classes\TypeLib\{B7DB519E-7131-47B1-A9F5-DA8D061C2611}',0
.data:1000C520 s_SoftwareCl_12 db 'SOFTWARE\Classes\TypeLib\{01833110-7C51-4D41-A09F-69EF74606E5B}',0
.data:1000C560 s_SoftwareCl_11 db 'SOFTWARE\Classes\Interface\{BF0A2EB3-0704-45C6-90F4-9EBB1DEB57FD}',0
.data:1000C5A4 s_SoftwareCl_10 db 'SOFTWARE\Classes\Interface\{951A869A-1003-4897-948F-D55E570871DB}',0
.data:1000C5E8 s_SoftwareCla_9 db 'SOFTWARE\Classes\Interface\{475ABCC3-D4CF-45D2-938A-A434FDC95B67}',0
.data:1000C62C s_SoftwareCla_8 db 'SOFTWARE\Classes\Interface\{446761D5-3AC9-40CC-9DCD-CDE23E2CE31A}',0
.data:1000C670 s_SoftwareCla_7 db 'SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj',0
.data:1000C69C s_SoftwareCla_6 db 'SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj.1',0
.data:1000C6CC s_SoftwareCla_5 db 'SOFTWARE\Classes\CLSID\{D449EB58-55AF-4695-B216-895D546AED89}',0
.data:1000C70C s_SoftwareCla_4 db 'SOFTWARE\Classes\CLSID\{9A578C98-3C2F-4630-890B-FC04196EF420}',0
.data:1000C74C s_SoftwareCla_3 db 'SOFTWARE\Classes\CLSID\{461A86F7-A29D-460A-80D5-52979AA6C46D}',0
.data:1000C78C s_SoftwareCla_2 db 'SOFTWARE\Classes\CLSID\{35980F6E-A137-4E50-953D-813BB8556899}',0
.data:1000C7CC s_SoftwareCla_1 db 'SOFTWARE\Classes\Cdn.CdnObj',0
.data:1000C7E8 s_SoftwareCla_0 db 'SOFTWARE\Classes\Cdn.CdnObj.1',0

Runs the downloaded AutoLive.dll through a Rundll32 command and writes registry entries:

.data:1000CFCC s_Sautoliveinst db '%sAutoLiveInst.cab',0 ; DATA XREF: ekfs+2C9 o
.data:1000CF08 s_Rundll32SRund db 'Rundll32 %s,Rundll32',0 ; DATA XREF: DllMain(x,x,x)+DB o
.data:1000CFB8 s_Sautolive_dll db '%sAutoLive.dll',0 ; DATA XREF: ekfs+329 o

Adds a startup entry for the rogue program:

.data:1000D198 s_SoftwareMic_1 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0
.data:1000D18C s_Exfilter db 'ExFilter',0 ; DATA XREF: ekfs+5C o

Suspected to be the latest 3721 rogue software, since the build path carries the date 20070423:

.data:1000D308 s_D20070423EkEk db 'D:20070423EKEKEKWrap.cpp',0

Modifies the hosts file:

.data:1000F348 s_Hosts db 'hosts',0 ; DATA XREF: sub_100056B5:loc_10005724 o
.data:1000F34E align 10h
.data:1000F350 s_System32Drive db 'system32\drivers\etc\hosts',0
.data:1000F350 ; DATA XREF: sub_100056B5+68 o
.data:1000F36B align 4
.data:1000F36C ; char s__3721_net[]
.data:1000F36C s__3721_net db '.3721.net',0 ; DATA XREF: sub_100057C4:loc_100058DA o
.data:1000F376 align 4
.data:1000F378 ; char s__3721_com[]
.data:1000F378 s__3721_com db '.3721.com',0 ; DATA XREF: sub_100057C4:loc_100058B6 o

Registers drivers:

.data:1000F5AC s_DriversAnfad_ db 'drivers\Anfad.sys',0 ; DATA XREF: sub_10005B0D+10A o
.data:1000F5BF align 10h
.data:1000F5C0 ; char s_SystemCurre_2[]
.data:1000F5C0 s_SystemCurre_2 db 'SYSTEM\CurrentControlSet\Services\Anfad',0
.data:1000F5C0 ; DATA XREF: sub_10005B0D+DB o
.data:1000F5E8 ; char s_DriversHcalwa[]
.data:1000F5E8 s_DriversHcalwa db 'drivers\hcalway.sys',0 ; DATA XREF: sub_10005B0D+96 o
.data:1000F5FD align 10h
.data:1000F600 ; char s_SystemCurre_1[]
.data:1000F600 s_SystemCurre_1 db 'SYSTEM\CurrentControlSet\Services\hcalway',0
.data:1000F600 ; DATA XREF: sub_10005B0D+50 o
.data:1000F62A align 4
.data:1000F62C ; char s_DriversFad_sy[]
.data:1000F62C s_DriversFad_sy db 'drivers\fad.sys',0 ; DATA XREF: sub_1000610D+CB o
.data:1000F63D align 10h
.data:1000F640 ; char s_SystemCurre_0[]
.data:1000F640 s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Services\FAD',0

Automatically reports back to this URL to confirm that the above actions ran:

.data:1000F720 s_HttpLogs_soft db 'http://logs.soft.cn.yahoo.com/cns/qruoafj.htm',0
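As an added example (not code from the original page), a small Python checker built from the indicators listed above: it verifies a file against the listed MD5/SHA-1, flags hosts-file entries under the .3721.net / .3721.com domains the DLL references, and reports which dropped files and service keys are present. The default %systemroot% value and the injected lookup callables are assumptions so the logic can run offline.

```python
import hashlib

# Indicators copied from the string dump above; file paths are relative to
# %systemroot% (assumed to be C:\Windows unless the caller says otherwise).
FINGERPRINT = {
    "md5": "056a372f5469fcb41721f6a952c9aaad",
    "sha1": "57642c013347e1fcd6590c188f7a612dc847357c",
}
HOSTS_DOMAINS = ("3721.net", "3721.com")
DROPPED_FILES = (
    r"system32\snpmw.dll", r"system32\cdn.dll", r"system32\cdnns.dll",
    r"system32\drivers\cdnprot.sys", r"system32\drivers\cdntran.sys",
    r"system32\drivers\Anfad.sys", r"system32\drivers\hcalway.sys",
    r"system32\drivers\fad.sys",
)
SERVICE_KEYS = tuple(
    "SYSTEM\\CurrentControlSet\\Services\\" + svc
    for svc in ("cdntran", "cdnprot", "Anfad", "hcalway", "FAD")
)


def matches_fingerprint(data: bytes) -> bool:
    """True when the bytes hash to both the MD5 and SHA-1 listed for the sample."""
    return (hashlib.md5(data).hexdigest() == FINGERPRINT["md5"]
            and hashlib.sha1(data).hexdigest() == FINGERPRINT["sha1"])


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def suspicious_hosts_entries(text: str):
    """hosts entries for the 3721 domains the DLL references; a stock hosts
    file has none, so any hit is worth inspecting."""
    suffixes = tuple("." + d for d in HOSTS_DOMAINS)
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in HOSTS_DOMAINS or name.endswith(suffixes)]


def present_artifacts(file_exists, key_exists, system_root="C:\\Windows"):
    """Return (files, keys) from the indicator lists that the injected lookups
    report present. On a live host pass os.path.exists and a winreg-based HKLM
    key probe; here they are parameters so the scan logic runs offline."""
    files = [p for p in DROPPED_FILES if file_exists(system_root + "\\" + p)]
    keys = [k for k in SERVICE_KEYS if key_exists(k)]
    return files, keys
```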
