Win32.Troj.Downloader.ab.36864

王朝system·作者佚名  2008-08-14
窄屏简体版  字體: |||超大  

病毒名称(中文):

木马下载器36864

病毒别名:

威胁级别:

★★☆☆☆

病毒类型:

木马下载器

病毒长度:

36864

影响系统:

Win9xWinMeWinNTWin2000WinXPWin2003

病毒行为:

该木马为一个下载者木马,运行后会将自身改名为1sass.exe并复制到系统的system目录,然后删除自身。1sass.exe会将自己添加为系统服务,然后以服务的方式运行。该服务运行之后会首先从指定网址下载一个病毒列表的文本,然后对照该文本中的网址下载木马并运行,跟踪发现该木马下载的为一个远程控制软件,当该软件安装并运行之后,黑客可以完全控制用户的电脑。

将自身复制到%systemRoot%\system\1sass.exe

在该木马所在目录下创建一个名为afc9fe2f418b00a0.bat的批处理文件,通过命令行调用该批处理来删除木马自身以及该批处理文件

1sass.exe行为分析

将自身注册为系统服务,并以服务的方式启动

添加的相关注册表项为:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERS_MANAGEMENT\0000]

"Service"="DriversManagement"

"Legacy"=dword:00000001

"ConfigFlags"=dword:00000000

"Class"="LegacyDriver"

"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

"DeviceDesc"="ManageDriversinstalled"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DRIVERS_MANAGEMENT\0000\Control]

"*NewlyCreated*"=dword:00000000

"ActiveService"="DriversManagement"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DriversManagement]

"Type"=dword:00000110

"Start"=dword:00000002

"ErrorControl"=dword:00000000

"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,5c,00,31,00,73,00,61,00,73,00,73,00,2e,00,65,00,78,00,65,00,00,00

"DisplayName"="ManageDriversinstalled"

"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DriversManagement\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DriversManagement\Enum]

"0"="Root\\LEGACY_DRIVERS_MANAGEMENT\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

该服务启动后首先会连接黑客网站http://nb.******.com/list.txt下载一个病毒列表的文本文件,

然后根据该列表中的网址下载其他的木马并运行,分析其下载的文件,发现为一个远程控制软件。

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航