Trojan-Dropper.Win32.Agent.bdo

Trojan-Dropper.Win32.Agent.bdo is a computer virus. When run, it drops virus files into the system directories, adds registry startup entries so that the virus body is loaded together with the system, and downloads a large number of additional malware components from a designated server, including many online-game account-stealing programs and an ARP spoofing program.

Overview

Virus name: Trojan-Dropper.Win32.Agent.bdo
Chinese name: 下載者變種 (Downloader variant)
Virus type: Trojan
File MD5: 85EC8DB377E6849DBDA9A1321C049AAA
Disclosure scope: fully public
Threat level: 4
File size: 83,456 bytes packed, 120,832 bytes unpacked
Affected systems: Windows 9x and later
Development tool: Microsoft Visual C++ 6.0
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Behavior analysis

1. Drops the following copies and files:

%WinDir%\sclgntfys.dll
%WinDir%\winamps.dll
%WinDir%\SysSun1\Ghook.dll
%WinDir%\SysSun1\svchost.exe
%WinDir%\cmdbcs.exe
%WinDir%\gv.dll
%WinDir%\mppds.exe
%WinDir%\javhavm.exe
%WinDir%\msccrt.exe
%WinDir%\shualai.exe
%WinDir%\winform.exe
%System32%\upnpsvc.exe
%System32%\systemt.exe
%System32%\systemm.exe
%System32%\SMSSS.exe
%System32%\servet.exe
%System32%\MSTCS.exe
%System32%\alg32.exe
%System32%\8.exe
%System32%\system\.setupq\*.*
%System32%\system\sysbacks\*.*
%Documents and settings%\<current user name>\local settings\temp\*.*
...

2. Creates the following registry values:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\Description
Value: String: " 啟用 windows 用戶模式驅動程式。 " (Chinese for "Enable Windows user-mode driver.")

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\DisplayName
Value: String: "Windows User Mode Driver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\ImagePath
Value: Type: REG_EXPAND_SZ Length: 46 (0x2e) bytes
rundll32.exe C:\WINDOWS\winamps.dll _start@16

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msupdate
Value: String: "%WINDOWS%\AntiAdwa.exe other"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfys\DllName
Value: String: "%WINDOWS%\sclgntfys.dll"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0c4
Value: String: "%WINDOWS%\AntiAdwa.exe other"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "%WINDOWS%\cmdbcs.exe "

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cmdbs
Value: String: "%WINDOWS%\cmds.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javhavm
Value: String: "%WINDOWS%\javhavm.exer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultcheck
Value: String: "%WINDOWS%\system32\dumprep.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mppds
Value: String: "%WINDOWS%\mppds.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pxdnd
Value: String: "%Documents and settings%\<current user name>\local settings\temp\win4.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\shualai
Value: String: "%WINDOWS%\shualai.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\testrun
Value: String: "%WINDOWS%\testexe.exer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upxdndq
Value: String: "%Documents and settings%\<current user name>\local settings\temp\upxdnd.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sun
Value: String: "%WINDOWS%\syssun1\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wm
Value: String: "%WINDOWS%\syswm7\svchost.exe"

4. Downloaded malware components

novel.exe launches ARP spoofing.

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default path on Windows 2000/NT is C:\Winnt\System32, on Windows 95/98/Me it is C:\Windows\System, and on Windows XP it is C:\Windows\System32.

Removal

1. Use Antiy Ghostbusters (安天木馬防線) to remove this virus completely (recommended).

2. For manual removal, delete the corresponding files and restore the related system settings as described in the behavior analysis:

(1) Use Antiy Ghostbusters to disconnect from the network and terminate the virus processes:

IEXPLORE.EXE
novel.exe
upnpsvc.exe

(2) Delete and restore the registry values the virus added or modified:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\Description
Value: String: " 啟用 windows 用戶模式驅動程式。 " (Chinese for "Enable Windows user-mode driver.")

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\DisplayName
Value: String: "Windows User Mode Driver"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UMWdfmgr\ImagePath
Value: Type: REG_EXPAND_SZ Length: 46 (0x2e) bytes
rundll32.exe C:\WINDOWS\winamps.dll _start@16

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\msupdate
Value: String: "%WINDOWS%\AntiAdwa.exe other"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfys\DllName
Value: String: "%WINDOWS%\sclgntfys.dll"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0c4
Value: String: "%WINDOWS%\AntiAdwa.exe other"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "%WINDOWS%\cmdbcs.exe "

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cmdbs
Value: String: "%WINDOWS%\cmds.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\javhavm
Value: String: "%WINDOWS%\javhavm.exer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultcheck
Value: String: "%WINDOWS%\system32\dumprep.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mppds
Value: String: "%WINDOWS%\mppds.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pxdnd
Value: String: "%Documents and settings%\<current user name>\local settings\temp\win4.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\shualai
Value: String: "%WINDOWS%\shualai.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\testrun
Value: String: "%WINDOWS%\testexe.exer"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\upxdndq
Value: String: "%Documents and settings%\<current user name>\local settings\temp\upxdnd.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sun
Value: String: "%WINDOWS%\syssun1\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wm
Value: String: "%WINDOWS%\syswm7\svchost.exe"

(3) Delete the files dropped by the virus:

%WinDir%\sclgntfys.dll
%WinDir%\winamps.dll
%WinDir%\SysSun1\Ghook.dll
%WinDir%\SysSun1\svchost.exe
%WinDir%\cmdbcs.exe
%WinDir%\gv.dll
%WinDir%\mppds.exe
%WinDir%\javhavm.exe
%WinDir%\msccrt.exe
%WinDir%\rising390.exe
%WinDir%\shualai.exe
%WinDir%\winform.exe
%System32%\upnpsvc.exe
%System32%\systemt.exe
%System32%\systemm.exe
%System32%\SMSSS.exe
%System32%\servet.exe
%System32%\MSTCS.exe
%System32%\alg32.exe
%System32%\8.exe
%WINDOWS%\syssun1\*.*
%System32%\syswm7\*.*
%System32%\system\.setupq\*.*
%System32%\system\sysbacks\*.*
%Documents and settings%\<current user name>\local settings\temp\*.*
...
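The manual removal steps above amount to checking a fixed set of file paths and autorun registry values. As an added example (not part of this write-up and not Antiy's tool), the following Python script turns those indicators into a repeatable host check that a responder can run before and after cleanup. The placeholders %WinDir%, %System32% and a %UserTemp% name I introduce for the page's "%Documents and settings%\<current user name>\local settings\temp" are expanded from arguments; the filesystem and registry lookups are injectable, so the logic can run against a constructed sample host anywhere, while the winreg-backed reader works only on a live Windows system. All function names are my own, and the sample host data in the main block is constructed.

```python
"""Check a Windows host for the dropped files and autorun values listed in the
Trojan-Dropper.Win32.Agent.bdo write-up. Added example, not Antiy's tool."""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

# Files the write-up lists as dropped. %UserTemp% stands for the page's
# "%Documents and settings%\<current user name>\local settings\temp".
DROPPED_FILES = [
    r"%WinDir%\sclgntfys.dll", r"%WinDir%\winamps.dll",
    r"%WinDir%\SysSun1\Ghook.dll", r"%WinDir%\SysSun1\svchost.exe",
    r"%WinDir%\cmdbcs.exe", r"%WinDir%\gv.dll", r"%WinDir%\mppds.exe",
    r"%WinDir%\javhavm.exe", r"%WinDir%\msccrt.exe", r"%WinDir%\shualai.exe",
    r"%WinDir%\winform.exe", r"%System32%\upnpsvc.exe", r"%System32%\systemt.exe",
    r"%System32%\systemm.exe", r"%System32%\SMSSS.exe", r"%System32%\servet.exe",
    r"%System32%\MSTCS.exe", r"%System32%\alg32.exe", r"%System32%\8.exe",
    r"%UserTemp%\win4.exe", r"%UserTemp%\upxdnd.exe",
]

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
# (key, value name) pairs from the write-up. KernelFaultcheck -> dumprep.exe also
# exists on clean Windows XP installs, so treat that hit as weak evidence on its own.
AUTORUN_VALUES: List[Tuple[str, str]] = [(RUN, n) for n in (
    "msupdate", "0c4", "cmdbcs", "cmdbs", "javhavm", "KernelFaultcheck",
    "mppds", "pxdnd", "shualai", "testrun", "upxdndq")] + [
    (POLICY_RUN, "sun"), (POLICY_RUN, "wm"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfys", "DllName"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\UMWdfmgr", "ImagePath"),
]

# Reader signature: (key path, value name) -> value data as str, or None if absent.
RegistryReader = Callable[[str, str], Optional[str]]


def expand(path: str, windir: str, system32: str, user_temp: str) -> str:
    """Expand the write-up's placeholders into a concrete path."""
    return (path.replace("%WinDir%", windir).replace("%WINDOWS%", windir)
            .replace("%System32%", system32).replace("%UserTemp%", user_temp))


def find_dropped_files(windir: str, system32: str, user_temp: str,
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the listed dropped files that are present on the host."""
    paths = (expand(p, windir, system32, user_temp) for p in DROPPED_FILES)
    return [p for p in paths if exists(p)]


def find_autorun_values(read: RegistryReader) -> List[Tuple[str, str, str]]:
    """Return (key, name, data) for every listed autorun value that exists."""
    hits = []
    for key, name in AUTORUN_VALUES:
        data = read(key, name)
        if data is not None:
            hits.append((key, name, data))
    return hits


# A service whose ImagePath is "rundll32.exe <dll> <export>" is the persistence
# shape recorded for UMWdfmgr (winamps.dll, _start@16); legitimate services
# almost never look like this, so it is worth flagging on its own.
_RUNDLL_SERVICE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(\S+)\s+(\S+)', re.IGNORECASE)


def service_runs_via_rundll32(image_path: str) -> bool:
    """True when a service ImagePath launches a DLL export through rundll32.exe."""
    return _RUNDLL_SERVICE.match(image_path) is not None


def dict_reader(fake: Dict[Tuple[str, str], str]) -> RegistryReader:
    """Registry reader over a constructed dict; lookups are case-insensitive like the registry."""
    table = {(k.lower(), n.lower()): v for (k, n), v in fake.items()}
    return lambda key, name: table.get((key.lower(), name.lower()))


def winreg_reader() -> RegistryReader:
    """Registry reader over the live registry (Windows only)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}

    def read(key: str, name: str) -> Optional[str]:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                return str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            return None
    return read


if __name__ == "__main__":
    # Constructed sample host: two dropped files and two autorun values present.
    present = {r"c:\windows\winamps.dll", r"c:\windows\system32\upnpsvc.exe"}
    fake_reg = {
        (RUN, "cmdbcs"): r"C:\WINDOWS\cmdbcs.exe",
        (r"HKLM\SYSTEM\CurrentControlSet\Services\UMWdfmgr", "ImagePath"):
            r"rundll32.exe C:\WINDOWS\winamps.dll _start@16",
    }
    for f in find_dropped_files(r"C:\WINDOWS", r"C:\WINDOWS\system32",
                                r"C:\Documents and Settings\user\Local Settings\Temp",
                                exists=lambda p: p.lower() in present):
        print("dropped file present:", f)
    for key, name, data in find_autorun_values(dict_reader(fake_reg)):
        flag = " [rundll32 service]" if name == "ImagePath" and service_runs_via_rundll32(data) else ""
        print(f"autorun value present: {key}\\{name} = {data}{flag}")
```

On a real host, replace the constructed `exists` and `dict_reader` with the defaults (`os.path.exists` and `winreg_reader()`); running the check again after step (3) should return empty lists for both, which is the confirmation that the persistence entries and dropped files are gone.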
