This virus is a trojan downloader. It restores the system's SSDT to defeat the "active defense" of some antivirus products, then hijacks the security software so that it no longer runs. Finally it downloads a large number of trojan programs.
1. Calls GlobalFindAtomA to look for the atom named "jfei.z.jieww.fjeigejh3JFE.ajfei_jfei"; if it exists the sample exits, otherwise it adds the atom.
2. Shuts down Kaspersky using a ring3 (user-mode) method.
3. Checks whether a DrvAnti.exe process is running; if so, it is terminated in two ways, TerminateProcess and "ntsd -c q -p PID", and the file is deleted.
4. Image hijacking through "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" of the following executables:
DrvAnti.exe avp.com avp.exe runiep.exe PFW.exe FYFireWall.exe rfwmain.exe rfwsrv.exe KAVPF.exe KPFW32.exe nod32kui.exe nod32.exe Navapsvc.exe Navapw32.exe avconsol.exe webscanx.exe drwebscd.exe NPFMntor.exe vsstat.exe KPfwSvc.exe Ras.exe RavMonD.exe mmsk.exe WoptiClean.exe QQKav.exe spiderui.exe QQDoctor.exe EGHOST.exe 360Safe.exe iparmo.exe adam.exe IceSword.exe 360rpt.exe 360tray.exe AgentSvr.exe AppSvc32.exe autoruns.exe avgrssvc.exe AvMonitor.exe CCenter.exe ccSvcHst.exe drwadins.exe FileDsty.exe FTCleanerShell.exe HijackThis.exe Iparmor.exe isPwdSvc.exe kabaload.exe drwebscd.exe spiderml.exe KaScrScn.SCR KASMain.exe KASTask.exe KAVDX.exe KAVPFW.exe KAVSetu.exe KAVStart.exe drwebuw.exe spidernt.exe KISLnchr.exe KMailMon.exe KMFilter.exe KPFW32.exe KPFW32X.exe KPFWSvc.exe KRegEx.exe spml_set.exe KRepair.com KsLoader.exe KVCenter.kxp KvDetect.exe KvfwMcl.exe KVMonXP.kxp KVMonXP_1.kxp kvol.exe kvolself.exe KvReport.kxp KVScan.kxp KVSrvXP.exe KVStub.kxp kvuload.exe nod32krn.exe kvwsc.exe KvXP.kxp KvXP_1.kxp KWatch.exe KWatch9x.exe KWatchX.exe MagicSet.exe mcconsol.exe mmqczj.exe KAV32.exe nod32krn.exe PFWLiveUpdate.exe QHSET.exe RavMon.exe RavStub.exe RegClean.exe rfwcfg.exe RfwMain.exe rfwsrv.exe RsAgent.exe Rsaud.exe safelive.exe scan32.exe shcfg32.exe SmartUp.exe SREng.EXE symlcsvc.exe SysSafe.exe TrojanDetector.exe Trojanwall.exe TrojDie.kxp UIHost.exe UmxAgent.exe UmxAttachment.exe UmxCfg.exe UmxFwHlp.exe UmxPol.exe UpLive.exe procexp.exe OllyDBG.EXE OllyICE.EXE rfwstub.exe RegTool.exe rfwProxy.exe RawCopy.exe CCenter.exe regedit.exe filemon.exe regmon.exe AntiArp.exe taskmgar.exe GFUpd.exe GFRing3.exe GuardField.exe RavTask.exe RavCopy.exe RavXP.exe CCenter.exe ravstub.exe ravcopy.exe rsaud.exe sunesnk.exe
The hijack entry for each of them is set to "ntsd -d".
5. Reads the time elapsed since the system booted, maps it against the string "abopcxyzqrdgjklmnophistuefvwefg" to derive a file name A, and drops A.exe under %sys32dir%\drivers.
6. Derives a file name B the same way, creates it as %sys32dir%\B.tmp, and creates and starts a service from it to restore the SSDT.
7. At offset 0x404e48 there is a block of size 0x14856 XORed with 0x28; after it is dropped and run, the marker atoms "aSP_SINA_BEOF_AJFEIZFEQJIFEJlBABY_2008.8.5" and "29VGHY305_0F__JFJfDOWN_LGLFFHFH.2008.8.5" are created.
8. Searches for "29VGHY305_0F__JFJfDOWN_LGLFFHFH.2008.8.5"; if it is present, the sample terminates itself.
9. Uses URLDownloadToFileA to download "http://www.m***40ibn.com/praasd.txt" and http://www.d***fg4650.com/pradaq.txt into an .ini file under %sys32dir%, reads the download list from that file, downloads each listed file, names and runs it, then exits.
10. Newer version: http://www.d***g4650.com/infor.txt; update address: http://www.5***ghib.com/max1.exe
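Added example, not part of the original analysis: a defender-side check that parses a `reg export` of the Image File Execution Options key and lists every image whose hijack entry is the "ntsd -d" value described in step 4. It assumes the export has already been decoded to text (reg export writes UTF-16); the sample export embedded below is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Registry key the analysis names as the hijack location (HKLM path).
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Constructed sample of a `reg export` of that key: two "ntsd -d" hijacks
# on images from the page's list, plus one legitimate debugger entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrvAnti.exe]
"Debugger"="ntsd -d"
'''


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map image name -> Debugger value for every IFEO subkey in a .reg export."""
    debuggers: Dict[str, str] = {}
    current = None  # image name of the subkey currently being read
    for line in reg_text.splitlines():
        key = re.match(r"^\[(.+)\]$", line.strip())
        if key:
            path = key.group(1)
            current = None
            if path.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = path[len(IFEO_PREFIX) + 1:]
            continue
        val = re.match(r'^"Debugger"="(.*)"$', line.strip())
        if val and current:
            # .reg files escape backslashes and quotes; undo that escaping
            debuggers[current] = val.group(1).replace('\\\\', '\\').replace('\\"', '"')
    return debuggers


def find_ntsd_hijacks(reg_text: str) -> List[str]:
    """Images whose Debugger is "ntsd -d", the value this sample installs."""
    hits = []
    for image, dbg in parse_ifeo_debuggers(reg_text).items():
        if re.match(r"^\s*ntsd(\.exe)?\s+-d\b", dbg, re.IGNORECASE):
            hits.append(image)
    return sorted(hits, key=str.lower)
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces the input; any Debugger value at all on a security tool's image name deserves a look, not only "ntsd -d".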