Trojan-PSW.Win32.Nilage.bcw

王朝百科 · author unknown · 2010-02-19

Virus overview

Virus name: Trojan-PSW.Win32.Nilage.bcw

Virus type: Trojan (PSW = password stealer)

File MD5: 48ABEEBC0D32069184C46A86A4C363D9

Disclosure: fully public

Threat level: 3

File size: 33,363 bytes (120,832 bytes after unpacking)

Affected systems: Windows 98 and later

Compiler: Borland Delphi 6.0 - 7.0

Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.22

Description:

The trojan spreads widely via removable storage media, malicious websites and downloads performed by other viruses/trojans. It terminates and hijacks anti-virus software, firewalls and malware-removal tools, and injects a DLL named "<random 8 digits/letters>.dll" into other processes; that DLL watches over the trojan's registry entries and files and restores them when they are removed, which makes cleanup difficult and prolongs the infection. Through the injected DLL the trojan records user activity in order to steal sensitive information. Once running it connects to the network, updates its files, downloads further malware, and carries out information theft, ARP spoofing, remote control and similar activity.

Behaviour analysis

1. When activated, the virus copies itself into the system directory and to the root of every drive, creating the following files (XXXXXXXX stands for a random string of 8 digits and letters; in this infection it was 80C88D28):

Copies of itself:

%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dat
%WINDIR%\Help\XXXXXXXX.chm

Dropped files:

%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll
%WINDIR%\XXXXXXXX.hlp
%System%\verclsid.exe.bak (the original verclsid.exe, the shell-extension verifier, is deleted and a copy created as verclsid.exe.bak)

Copies of itself dropped on every drive:

[DRIVE LETTER]:\AutoRun.inf
[DRIVE LETTER]:\XXXXXXXX.exe

The .dat under MSInfo is an executable despite its extension: it is the file that the Image File Execution Options hijacks in item 7 point at.

2. Startup

(1) Registers a ShellExecuteHooks entry. Explorer loads every registered hook DLL and calls it on each file-open (ShellExecute) operation, so the DLL is loaded at logon without any Run key:

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}
    (default) = ""

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32
    (default) = "%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll"
    ThreadingModel = "Apartment"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {88D280C8-80C8-8D28-C88D-0C8D20C88D28} = ""   (hooks are registered with the CLSID as the value name)

Note that the GUID is assembled from the same eight characters as the random file name (80C88D28), so the CLSID, like the file names, differs from one infection to the next.
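The following PowerShell is an added example, not part of the original report. It enumerates ShellExecuteHooks, resolves each CLSID to the DLL its InProcServer32 key names, checks the DLL's Authenticode signature and reports whether explorer.exe currently has that DLL mapped. The MSInfo folder and the 8-hex-character file name pattern are taken from the report above; the "Suspect" heuristics are this example's own and should be adjusted to what is legitimately installed on the machine.

```powershell
# Added example, not from the original report: audit ShellExecuteHooks.
# Requires an elevated prompt to read every module of explorer.exe.
function Get-ShellExecuteHookAudit {
    $hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    $hooks = Get-Item -Path $hooksKey -ErrorAction SilentlyContinue
    if (-not $hooks) { Write-Warning 'ShellExecuteHooks key not present'; return }

    # Modules currently mapped into Explorer (empty if access is denied, e.g. 32-bit PS on 64-bit OS).
    $explorerModules = @()
    try {
        $explorerModules = Get-Process -Name explorer -ErrorAction Stop |
            ForEach-Object { $_.Modules } | ForEach-Object { $_.FileName }
    } catch { Write-Warning "Could not enumerate explorer.exe modules: $_" }

    foreach ($clsid in $hooks.GetValueNames()) {
        # ShellExecuteHooks values are named by CLSID; the data is normally empty.
        $dll = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $srv = (Get-ItemProperty -Path "$root\$clsid\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($srv) { $dll = [Environment]::ExpandEnvironmentVariables($srv.Trim('"')); break }
        }
        if (-not $dll) {
            # A hook whose CLSID has no server is either leftover or deliberately hidden elsewhere.
            [pscustomobject]@{ CLSID = $clsid; DLL = '<unresolved>'; Signature = 'n/a'; LoadedInExplorer = $false; Suspect = $true }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $sigStatus  = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        $inDropDir  = $dll -match '\\MSInfo\\'              # folder used by this trojan
        $randomName = $dll -match '\\[0-9A-Fa-f]{8}\.dll$'  # e.g. 80C88D28.dll
        $suspect    = ($sigStatus -ne 'Valid') -or $inDropDir -or $randomName

        [pscustomobject]@{
            CLSID            = $clsid
            DLL              = $dll
            Signature        = $sigStatus
            LoadedInExplorer = ($explorerModules -contains $dll)
            Suspect          = $suspect
        }
    }
}

Get-ShellExecuteHookAudit | Format-Table -AutoSize
```

On a clean machine the only hook usually present is Microsoft's own (a signed DLL under %SystemRoot%); anything unsigned, or living under Common Files\Microsoft Shared\MSInfo, deserves a closer look. Because the DLL is loaded inside Explorer, unregistering the hook and restarting explorer.exe is a prerequisite for deleting the file.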

(2) Modifies the registry to re-enable AutoRun for hard disks and optical drives:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun = DWORD: 145 (0x91)

NoDriveTypeAutoRun is a bitmask in which a set bit disables AutoRun for one drive type; 0x91 leaves only unknown-type and network drives disabled, so removable, fixed and CD-ROM drives still honour autorun.inf.

An AutoRun.inf is then dropped in the root of every drive, so that opening the drive runs the "XXXXXXXX.exe" that sits next to it. The AutoRun file reads:

[AutoRun]
open=XXXXXXXX.exe
shell\open=打开(&O)
shell\open\Command=XXXXXXXX.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=XXXXXXXX.exe

The verb labels 打开(&O) ("Open") and 资源管理器(&X) ("Explorer") copy the wording of Explorer's own Chinese context-menu entries, so both "Open" and "Explore" on the drive silently launch the trojan; shell\open\Default=1 makes the hijacked Open verb the double-click action as well.
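As an added example (not part of the original report), the PowerShell below decodes any NoDriveTypeAutoRun value, not just the 0x91 seen here, into the list of drive types that still AutoRun, and then reads autorun.inf from every drive root and extracts what it would launch. The drive-type bit numbers are the GetDriveType() constants; the regular expression covers the three ways an autorun.inf can start a program (open=, shellexecute=, shell\<verb>\command=).

```powershell
# Added example, not from the original report.
function Get-NoDriveTypeAutoRun {
    # Bit n of NoDriveTypeAutoRun set = AutoRun disabled for GetDriveType() value n.
    $driveTypes = @{ 0 = 'Unknown'; 2 = 'Removable'; 3 = 'Fixed'; 4 = 'Remote'; 5 = 'CDROM'; 6 = 'RAMDisk' }
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) { continue }
        $enabled = foreach ($t in ($driveTypes.Keys | Sort-Object)) {
            if (-not ($value -band (1 -shl $t))) { $driveTypes[$t] }
        }
        [pscustomobject]@{
            Hive               = $hive
            NoDriveTypeAutoRun = '0x{0:X2}' -f $value
            AutoRunEnabledFor  = ($enabled -join ', ')   # 0x91 -> Removable, Fixed, CDROM, RAMDisk
        }
    }
}

function Get-AutoRunInfLaunchTargets {
    # Lines that make Explorer run something: open=, shellexecute=, shell\<verb>\command=
    $launchKey = '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$'
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path -Path $drive.Root -ChildPath 'autorun.inf'
        # An immunised root has a *directory* called autorun.inf; only a real file is of interest.
        if (-not (Test-Path -LiteralPath $inf -PathType Leaf)) { continue }
        $targets = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            ForEach-Object { if ($_ -match $launchKey) { $Matches[2] } }
        [pscustomobject]@{
            Drive      = $drive.Root
            Attributes = (Get-Item -LiteralPath $inf -Force).Attributes   # -Force: the file is hidden+system
            Launches   = (($targets | Select-Object -Unique) -join '; ')
        }
    }
}

Get-NoDriveTypeAutoRun
Get-AutoRunInfLaunchTargets
```

A value of 0xFF disables AutoRun for every drive type and is the setting to restore. Windows 7 and later, and XP/Vista with update KB971029, no longer honour autorun.inf on USB media, but the file is still a reliable indicator that a drive has been plugged into an infected machine.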

3. The "XXXXXXXX.dll" is injected into Explorer.exe; from inside Explorer it watches the registry values it wrote and re-creates them if they are deleted. It also attempts, by installing hooks, to get the DLL injected into IEXPLORE.EXE (Internet Explorer) and into other application processes.

4. Monitors and closes the processes and windows of a large number of anti-virus products, firewalls and malware-removal tools, the windows of anti-virus vendors' websites, and even any window whose title contains keywords such as "virus". Many of the strings are deliberate prefixes (e.g. "McAfe", "ZoneAlar") so that one entry matches several product versions. The strings matched are:

AntiVirus TrojanFirewall
Kaspersky
JiangMin
KV200
Kxp
Rising
RAV
RFW
KAV200
KAV6
McAfe
Network Associates
TrustPort
NortonSymantec SYMANT~1
Norton SystemWorks
ESET
Grisoft
F-Pro
Alwil Software
ALWILS~1
F-Secure
ArcaBit
Softwin
ClamWin
DrWe
Fortineanda Software
Vba3
Trend Micro
QUICKH~1
TRENDM~1
Quick Heal
eSafewido
Prevx1
Ers
Avg
Ikarus
SophoSunbeltPC-cilli
ZoneAlar
Agnitum
WinAntiVirus
AhnLab
Normasurfsecret
BullguardBlac
360safe
SkyNet
Micropoint
Iparmor
Ftc
mmjk2007
Antiy Labs
LinDirMicro Lab
Filseclab
Ast
System Safety Monitor
ProcessGuard
FengYun
Lavasoft
Spy Cleaner Gold
CounterSpy
EagleEyeOS
Webroot
BufferZ
Avp
AgentSvr
CCenter
Rav
RavMonD
RavStub
RavTask
Rfwcfg
Rfwsrv
RsAgent
Rsaupd
Runiep
SmartUp
FileDsty
RegClean
360tray
360Safe
360rpt
Kabaload
Safelive
Ras
KASMain
KASTask
KAV32
KAVDX
KAVStart
KISLnchr
KMailMon
KMFilter
KPFW32
KPFW32X
KPFWSvc
KWatch9x
KWatch
KWatchX
TrojanDetector
UpLive.EXE
KVSrvXP
KvDetect
KRegEx
Kvol
Kvolself
Kvupload
Kvwsc
UIHost
IceSword
iparmo
mmsk
adam
MagicSet
PFWLiveUpdate
SREng
WoptiClean
scan32
QHSET
zxsweep.
AvMonitor
UmxCfg
UmxFwHlp
UmxPol
UmxAgent
UmxAttachment
KPFW32
KPFW32X
KvXP_1
KVMonXP_1
KvReport
KVScan
KVStub
KvXP
KVMonXP
KVCenter
TrojDie
avp.com.
krepair.COM
KaScrScn.SCR
Trojan
Virus
kaspersky
jiangmin
rising
ikaka
duba
kingsoft
360safe
木马 ("trojan")
木马 ("trojan")
病毒 ("virus")
杀毒 ("anti-virus")
杀毒 ("anti-virus")
查毒 ("virus scan")
防毒 ("virus protection")
反病毒 ("anti-virus")
专杀 ("dedicated removal tool")
专杀 ("dedicated removal tool")
卡巴斯基 ("Kaspersky")
江民 ("Jiangmin")
瑞星 ("Rising")
卡卡社区 ("Kaka community")
金山毒霸 ("Kingsoft Duba")
毒霸 ("Duba")
金山社区 ("Kingsoft community")
360安全 ("360 Security")
恶意软件 ("malware")
流氓软件 ("rogue software")
举报 ("report")
报警 ("alert")
杀软 ("AV software")
杀软 ("AV software")
防骇 ("anti-hacking")
微点 ("Micropoint")
MSInfo
winRAR
IceSword
HijackThis
Killbox
Procexp
Magicset
EQSysSecureProSecurity
Yahoo!
Google
Baidu
P4P
Sogou PXP
Ardsys
超级兔子木马 ("Super Rabbit trojan [cleaner]")
KSysFiltsys
KSysCallsys
KsLoader
KvfwMcl
autoruns
AppSvc32
ccSvcHst
isPwdSvc
symlcsvcnod32kui
avgrssvc
RfwMain
KAVPFW
Iparmor
nod32krn
AVK
K7
Zondex
Blcorp
Tiny Firewall Pro
Jetico
HAURI
CA
Kmx
PCClear_Plus
Novatix
Ashampoo
WinPatrol
PFW
Mmsk
The Cleaner
Defendio
kis6Beheadsreng
Trojanwall
FTCleanerShell
loaddll
rfwProxy
mcconsol
HijackThis
Mmqczj
RavMon
KAVSetup
NAVSetup
SysSafe
hcfg32
NOD3

5. Breaks Safe Mode by deleting the following registry keys (they list the drivers and services allowed to load in Safe Mode; without them Windows cannot boot into Safe Mode at all, which blocks the usual offline cleanup route):

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

6. Changes a registry value so that hidden files cannot be made visible, keeping the virus files out of sight:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    "CheckedValue" = dword:00000001
changed to:
    "CheckedValue" = dword:00000000

CheckedValue is what Folder Options writes into Explorer's Hidden setting when "Show hidden files and folders" is selected; with it set to 0 the option appears to be accepted but hidden files stay hidden.

7. Adds Image File Execution Options (IFEO) entries for many anti-virus, firewall and malware-removal programs. When an IFEO subkey for an image name carries a Debugger value, Windows starts the named "debugger" instead of the requested program (with the original command line appended), so every attempt to start one of the tools below runs the trojan's .dat file instead. Each entry is a subkey of

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

named after the image:

avp.com
avp.exe
CCenter.exe
ccSvcHst.exe
FileDsty.exe
FTCleanerShell.exe
HijackThis.exe
IceSword.exe
360rpt.exe
360Safe.exe
360tray.exe
adam.exe
AgentSvr.exe
AppSvc32.exe
autoruns.exe
avgrssvc.exe
AvMonitor.exe
iparmo.exe
Iparmor.exe
isPwdSvc.exe
kabaload.exe
KaScrScn.SCR
KASMain.exe
KASTask.exe
KAV32.exe
KAVDX.exe
KAVPFW.exe
KAVSetup.exe
KAVStart.exe
KISLnchr.exe
KMailMon.exe
KMFilter.exe
KPFW32.exe
KPFW32X.exe
KPFWSvc.exe
KRegEx.exe
krepair.COM
KsLoader.exe
KVCenter.kxp
KvDetect.exe
KvfwMcl.exe
KVMonXP.kxp
KVMonXP_1.kxp
kvol.exe
kvolself.exe
KvReport.kxp
KVScan.kxp
KVSrvXP.exe
KVStub.kxp
kvupload.exe
kvwsc.exe
KvXP.kxp
KvXP_1.kxp
KWatch.exe
KWatch9x.exe
KWatchX.exe
loaddll.exe
MagicSet.exe
mcconsol.exe
mmqczj.exe
mmsk.exe
NAVSetup.exe
nod32krn.exe
nod32kui.exe
PFW.exe
PFWLiveUpdate.exe
QHSET.exe
Ras.exe
Rav.exe
RavMon.exe
RavMonD.exe
RavStub.exe
RavTask.exe
RegClean.exe
Rfwcfg.exe
RfwMain.exe
rfwProxy.exe
Rfwsrv.exe
RsAgent.exe
Rsaupd.exe
Runiep.exe
safelive.exe
scan32.exe
shcfg32.exe
SmartUp.exe
SREng.exe
symlcsvc.exe
SysSafe.exe
TrojanDetector.exe
Trojanwall.exe
TrojDie.kxp
WoptiClean.exe
zxsweep.exe
UIHost.exe
UmxAgent.exe
UmxAttachment.exe
UmxCfg.exe
UmxFwHlp.exe
UmxPol.exe
UpLive.EXE.exe

All of them are redirected to the .dat file under C:\Program Files\Common Files\Microsoft Shared\MSInfo.
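An added example, not part of the original report: the PowerShell below lists every IFEO subkey that carries a Debugger value, extracts the executable it points to, and flags entries that are not a real debugger, that point into the MSInfo folder, or whose target no longer exists. The allow-list of debugger names is an assumption made here and should be matched to whatever is legitimately deployed on the machine being examined.

```powershell
# Added example, not from the original report: find IFEO Debugger hijacks.
function Get-IfeoDebuggerAudit {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # Assumption: these are the only debuggers expected on this estate.
    $knownDebuggers = '(^|\\)(windbg|cdb|ntsd|vsjitdebugger|procdump)(\.exe)?$'

    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }   # GlobalFlag, MitigationOptions etc. are not hijacks

        # The value may be quoted and may carry arguments ("ntsd -d"): keep only the executable.
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $reasons = @()
        if ($exe -notmatch $knownDebuggers)     { $reasons += 'not an allow-listed debugger' }
        if ($exe -match '\\MSInfo\\.*\.dat$')   { $reasons += 'redirected to the .dat under MSInfo' }
        if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target missing, image can never start' }

        [pscustomobject]@{
            Image    = $sub.PSChildName
            Debugger = $dbg
            Target   = $exe
            Verdict  = if ($reasons) { $reasons -join '; ' } else { 'ok' }
        }
    }
}

Get-IfeoDebuggerAudit | Where-Object Verdict -ne 'ok' | Format-Table -AutoSize
```

Two points worth keeping in mind when reading the output: a Debugger value is honoured for any process created with that image name from any directory, so the hijack cannot be escaped by copying the tool elsewhere without renaming it; and because the "debugger" here is the trojan body, every blocked launch re-executes the trojan with the tool's command line as its arguments.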

8. Changes the Start value of services in the registry to disable specific anti-virus services and Automatic Updates (wscsvc is Security Center, which would otherwise warn that anti-virus and updates are off):

HKLM\SYSTEM\ControlSet001\Services\<anti-virus service name>\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start

9. Once running, the trojan connects to the network, updates its files, downloads other malware, and carries out information theft, ARP spoofing, remote control and so on.

Note: XXXXXXXX is a random string of 8 digits and letters; in this infection it was 80C88D28.

%System% is a variable path. The virus determines the current System folder by querying the operating system. The default is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal

1. Use 安天木马防线 (Antiy's anti-trojan tool) to remove the virus completely (recommended).

2. Manual removal: delete the files and undo the settings listed in the behaviour analysis, in the order below. Terminate the process first; while the injected DLL is alive it restores the registry entries and files you remove.

(1) Use the process manager of 安天木马防线 to terminate the virus process:

mstsc.exe

(mstsc.exe is also the name of the Windows Remote Desktop client, which lives in %System%; check the image path before terminating.)

(2) Force-delete the virus files:

%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dat
%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll
%WINDIR%\Help\XXXXXXXX.chm
%WINDIR%\XXXXXXXX.hlp
[DRIVE LETTER]:\AutoRun.inf
[DRIVE LETTER]:\XXXXXXXX.exe

(3) Restore the registry entries the virus modified and delete the ones it added (the CLSID is the one registered under ShellExecuteHooks; it changes with the random name):

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}
    (default) = ""

HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32
    (default) = "%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll"
    ThreadingModel = "Apartment"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    {88D280C8-80C8-8D28-C88D-0C8D20C88D28} = ""

(4) Remove the .bak suffix from %System%\verclsid.exe.bak, restoring:

%System%\verclsid.exe

(5) Make hidden files visible again:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    "CheckedValue" = dword:00000000
change back to:
    "CheckedValue" = dword:00000001

(6) Delete the hijack entries the virus added under Image File Execution Options:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Remove only the subkeys whose Debugger value points at the MSInfo .dat; legitimately installed debuggers and application-compatibility settings also live here.

(7) Restore the Safe Mode registry keys (export SafeBoot\Minimal and SafeBoot\Network from a clean machine running the same Windows version and import them), re-enable the affected anti-virus services, Automatic Updates and Security Center, and delete any files the trojan downloaded.

(8) Immunise the system: create autorun.ini and autorun.inf in the root of every drive and mark them non-deletable and non-writable. A directory named autorun.inf with an access-denied ACL does the same job more robustly, because a dropper cannot replace a directory with a file of the same name.
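The script below is an added example, not part of the original report: a scripted form of manual steps (3) to (8). Run it from an elevated PowerShell after the process has been terminated and the files in step (2) deleted. $RandomName is the infection's 8-character name (80C88D28 in the analysed sample). It removes only ShellExecuteHooks and IFEO entries that resolve to the trojan's own files, restores the Start values that Windows XP uses by default (2 = Automatic), and immunises drive roots with an autorun.inf directory carrying a deny ACL; that last choice is this example's, not the report's.

```powershell
# Added example, not from the original report: undo the registry changes in items 2, 6, 7 and 8.
param([Parameter(Mandatory = $true)][string]$RandomName)

$ErrorActionPreference = 'Stop'
$system32 = Join-Path $env:SystemRoot 'System32'

# (3) ShellExecuteHooks: drop the hook and its CLSID registration if it points at the trojan DLL.
$hooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$hooks = Get-Item -Path $hooksKey -ErrorAction SilentlyContinue
if ($hooks) {
    foreach ($clsid in $hooks.GetValueNames()) {
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $dll = (Get-ItemProperty -Path "$clsidKey\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -like "*\MSInfo\$RandomName.dll") {
            Remove-ItemProperty -Path $hooksKey -Name $clsid
            Remove-Item -Path $clsidKey -Recurse
            Write-Host "Removed ShellExecuteHook $clsid -> $dll"
        }
    }
}

# (4) Put the shell-extension verifier back.
$bak = Join-Path $system32 'verclsid.exe.bak'
if (Test-Path -LiteralPath $bak) {
    Move-Item -LiteralPath $bak -Destination (Join-Path $system32 'verclsid.exe') -Force
}

# (5) Let "Show hidden files and folders" work again.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' `
                 -Name CheckedValue -Value 1 -Type DWord

# (6) Delete only the IFEO subkeys whose Debugger points at the .dat under MSInfo.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -like "*\MSInfo\$RandomName.dat*") {
        Remove-Item -Path $sub.PSPath -Recurse
        Write-Host "Removed IFEO hijack for $($sub.PSChildName)"
    }
}

# (7) Automatic Updates and Security Center back to Automatic; AutoRun off for every drive type.
#     SafeBoot\Minimal and SafeBoot\Network cannot be regenerated here: export them with reg.exe
#     from a clean machine running the same Windows version and import them on this one.
foreach ($svc in 'wuauserv', 'wscsvc') {
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -Name Start -Value 2 -Type DWord
}
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                 -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# (8) Immunise every local drive root: a directory named autorun.inf that Everyone is denied
#     access to cannot be replaced by a dropper's file of the same name.
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }) {
    $path = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $path -PathType Leaf) { Remove-Item -LiteralPath $path -Force }
    if (-not (Test-Path -LiteralPath $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl  = Get-Acl -LiteralPath $path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $path -AclObject $acl
}
```

After the script, log off and back on (or restart explorer.exe) so that Explorer drops the hook DLL, then delete the files from step (2) if they could not be removed earlier, and run a full scan with an up-to-date product, since the trojan also downloads other malware that this script does not know about.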

 
 
© 2005- 王朝百科. All rights reserved.