Trojan downloader
trojan-downloader.win32.agent.d
Capture date
2010-3-10
Threat level
High
Symptoms
This sample is a worm-type downloader written in VC and captured automatically by Micropoint Active Defense. It is 249,344 bytes long, its icon is (image not reproduced), and its file extension is “exe”. It spreads mainly through file bundling, downloader downloads, malicious web pages (drive-by downloads) and removable storage media; its main purpose is to download and install trojan programs.
After infection, security software closes for no apparent reason, the network becomes slow, Safe Mode cannot be entered, and Windows reports unexplained errors.
Affected systems
Windows 2000 / Windows XP / Windows 2003 / Windows Vista
Propagation
Malicious web pages, file bundling, downloader downloads
Countermeasures
Users who have installed Micropoint Active Defense need no further configuration; Micropoint Active Defense automatically protects the system against intrusion and damage by this virus. Whether or not you have upgraded to the latest version, Micropoint Active Defense can remove it effectively. If you have not upgraded to the latest version, Micropoint Active Defense will alert you on detection that an “unknown backdoor program” was found; simply choose Delete (see Figure 1).
Figure 1: Micropoint Active Defense automatically captures the unknown virus (not upgraded)
If you have upgraded Micropoint Active Defense to the latest version, it will alert you that the trojan “trojan-downloader.win32.agent.d” was found; simply choose Delete (see Figure 2).
Figure 2: Micropoint Active Defense intercepts the known virus after upgrade
Manual removal for users without Micropoint Active Defense:
1. Manually delete the following files:
%temp%\forter.sys
%systemroot%\system32\x.dll (x is the name of the infected file)
2. Manually restore the following registry keys:
hkey_local_machine\system\currentcontrolset\control\safeboot\minimal
hkey_local_machine\system\currentcontrolset\control\safeboot\network
3. Replace %systemroot%\system32\x.dll (x is the name of the infected file) with the clean system file.
4. Manually repair infected files of the rar, htm, html, asp, aspx and exe formats.
5. Manually delete the following registry keys:
hklm\system\currentcontrolset\services\forter\
hklm\software\microsoft\windows nt\currentversion\image file execution options\safeboxtray.exe
hklm\software\microsoft\windows nt\currentversion\image file execution options\360se.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360rp.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360sd.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\zhudongfangyu.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\krnl360svc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360safebox.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360safe.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360rpt.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360hotfix.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\修复工具.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360tray.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360softmgrsvc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\360speedld.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ast.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\vsserv.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\seccenter.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\livesrv.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\bdagent.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\qutmserv.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\tmproxy.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\sfctlcom.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\tmbmsrv.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ufseagnt.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\avcenter.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\avguard.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\sched.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\avgnt.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\avwebgrd.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\avmailc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\msksrver.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcsacore.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mpfsrv.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcvsshld.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcsysmon.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcshield.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcproxy.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcods.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcnasvc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcmscsvc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\mcagent.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ccsvchst.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ekrn.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\egui.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kmailmon.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kwatch.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kswebshield.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kpfwsvc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kpfw32.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kissvc.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kavstart.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ccenter.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\scanfrm.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\rstray.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\rsnetsvr.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\rsagent.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravtask.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\ravmond.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\avp.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kvsrvxp.exe\
hklm\software\microsoft\windows nt\currentversion\image file execution options\kvmonxp.kxp
Variable definitions:
%systemdriver%: the system partition, usually “c:\”
%systemroot%: the Windows directory, usually “c:\windows”
%documents and settings%: the user profiles directory, usually “c:\documents and settings”
%temp%: the temporary folder, usually “c:\documents and settings\<current user name>\local settings\temp”
%programfiles%: the default program installation directory, usually “c:\program files”
Analysis
(1) Checks whether it is running as a service. If not, it tries to open the named pipe “96dba249-e88e-4c47-98dc-e18e6e3e3e5a” to issue commands, then enumerates the service entries hosted by svchost.exe to determine whether each service is in use. If it finds an unused service, it reads that service's DLL, loads sfc_os.dll to disable Windows File Protection, writes all of its own data into that DLL, creates the file %systemdriver%\delinfo.bin to record its own path and other information, starts the service so that the infected service file is loaded and run, and then exits the main process.
(2) If it is running as a service, it creates a thread that reads the information in delinfo.bin, deletes the original virus file and then deletes delinfo.bin. It enumerates processes and, if kav.exe or bdagent.exe is found, runs code intended to evade detection by that antivirus software. It continuously checks its own running state, monitors the state of security software, and decrypts its own data. It drops the driver %temp%\forter.sys, creates a service named “forter” to load the driver, and after successful execution deletes the driver file and the service key.
(3) Interacts with the driver: computes kernel-mode function addresses, locates the SSDT and restores it, passes its own startup information to the driver to create a registry autostart entry, and creates registry entries (Image File Execution Options) that hijack a large number of security products. It enumerates processes looking for many antivirus processes; any it finds are passed to the driver, which terminates them.
(4) Creates a thread that downloads and runs trojans from specified URLs, and creates the named pipe “\\.\pipe\96dba249-e88e-4c47-98dc-e18e6e3e3e5a” to listen for commands.
(5) Deletes the Safe Mode registry keys, breaking Safe Mode.
(6) Clears the hosts file, then creates a thread that searches for and infects files of the rar, htm, html, asp, aspx and exe formats.
(7) Infects removable media by creating autorun.inf and “recycle.{645ff040-5081-101b-9f08-00aa002f954e}\setup.exe” on the device.
(8) Searches for computers on the local network and attempts weak-password attacks; if an intrusion succeeds, it drops config.exe on drive C and uses the at command to schedule execution of the virus file.
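The IFEO hijack in step (3) and the Safe Mode key deletion in step (5) can both be checked offline from a registry export (reg export of the two hives). The following Python script is an added example, not Micropoint's code; it assumes the hijack uses the standard IFEO “Debugger” value (the report lists the keys but not their values) and runs on a constructed .reg sample.

```python
import re

# Constructed sample of `reg export` output (not data from the report); key paths
# follow the report's IFEO and SafeBoot entries, the value data is assumed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\x.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"AlternateShell"="cmd.exe"
"""
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"

def parse_reg_export(text):
    """Parse .reg text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|(.*))$', line)
            if m:
                keys[current][m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return keys

def find_ifeo_hijacks(keys):
    """Sorted [(image, debugger)] for IFEO subkeys carrying a Debugger value: Windows
    then launches the Debugger path instead of the image, so the product never starts."""
    hits = []
    for path, values in keys.items():
        if path.startswith(IFEO + "\\") and "debugger" in values:
            hits.append((path.rsplit("\\", 1)[1], values["debugger"]))
    return sorted(hits)

def missing_safeboot_keys(keys):
    """SafeBoot subkeys (Minimal, Network) that are absent; the report's step 2
    restores exactly these, and their loss matches the 'cannot enter Safe Mode' symptom."""
    return [name for name in ("Minimal", "Network") if SAFEBOOT + "\\" + name.lower() not in keys]

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_REG)
    print("IFEO hijacks:", find_ifeo_hijacks(reg))
    print("missing SafeBoot keys:", missing_safeboot_keys(reg))
```

On a live system the same functions can be fed the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and the SafeBoot key; a Debugger value on any security-product image name is a finding, and a missing Minimal or Network key means step 2 of the manual removal is required.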
Files created by the virus:
%temp%\forter.sys
%systemroot%\system32\x.dll (x is the name of the infected file)
Files deleted by the virus:
%temp%\forter.sys
Registry keys created by the virus:
(the same Image File Execution Options keys as listed under manual removal step 5)
Registry keys deleted by the virus:
hkey_local_machine\system\currentcontrolset\control\safeboot\minimal
hkey_local_machine\system\currentcontrolset\control\safeboot\network
Network addresses accessed by the virus:
http://a.nb***01.com:6969/announce
http://b.nb***01.com:6969/announce
http://c.nb***01.com:6969/announce
http://d.nb***01.com:6969/announce
http://e.nb***01.com:6969/announce
http://f.nb***01.com:6969/announce
http://g.nb***01.com:6969/announce
http://up.nb***01.com/down/33.rar