SpamTool.Win32.Agent.u

王朝百科·作者佚名 2010-02-19

宽屏版字体: 小|中|大|超大

病毒标签：

病毒名称： SpamTool.Win32.Agent.u

中文名称：派送器

病毒类型：蠕虫类

文件 MD5： F86E61CCF7A06C67736F4B108CE0D1C0

公开范围：完全公开

危害等级： 5

文件长度：加壳后 102,916 字节，脱壳后49,664 字节

感染系统： Win95 以上系统

开发工具： Microsoft Visual C++ 6.0

加壳类型： UPX 变形壳

病毒描述：

该病毒运行后，从某互联网地址下载病毒病毒体到本机运行，并添加注册表自动运行项与系统服务项、修改 LSP ，以达到随系统启动的目的。通过内建的 SMTP 蠕虫程序连接到互联网 SMTP 服务器，获得需要伪造的邮件信息，进而大量发送垃圾邮件，严重占用网络资源。

行为分析：

1 、衍生下列副本与文件：

%System32%mfolpnzbz.dll

2 、修改下列驱动文件：

%System32%mfolpnzbz.dll

%System32%dirvers

dis.sys

3 、新建注册表键值：

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices

tldr.sysDisplayName

Value: Type: REG_EXPAND_SZ Length: 10 (0xa) bytes ntldr.sys.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices

tldr.sysImagePath

Value: Type: REG_EXPAND_SZ Length: 17 (0x11) bytes C:

tldr.sys .

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWS2IFSLDisplayName

Value: String: "Windows 套接字 2 .0 Non-IFS 服务提供程序支持环境 "

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWS2IFSLImagePath

Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes

SystemRootSystem32driversws2ifsl.sys.

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000012

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000012PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000013

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000013PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000014

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000014PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000015

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000015PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000016

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000016PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000017

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000017PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000018

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000018PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000019

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000019PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000020

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000020PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000021

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000021PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000022

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000022PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000023

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000023PackedCatalogItem

Value: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

4 、修改下列注册表键值，破坏 LSP 。并可实现检测网络启动自身与搜集用户信息：

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000001PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000002PackedCatalogItem

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000003PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000004PackedCatalogItem

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000005PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32

svpsp.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000006PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000007PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000008PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000009PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000010PackedCatalogItem

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2Parameters

Protocol_Catalog9Catalog_Entries00000000011PackedCatalogItem

New: Type: REG_BINARY Length: 888 (0x378) bytes

C:WINDOWSSystem32mfolpnzbz.dll

Old: Type: REG_BINARY Length: 888 (0x378) bytes

%SystemRoot%system32mswsock.dll

5 、邮件包含一张带有链接的图片，诱使用户点击：链接地址为某男性药品网站首页：

http://h*x.hz*nn*nj*8mbchhs4zzsmzzz.secamonecj.com/?ljlrh

6 、病毒可能发送带有附件的邮件：

7 、向下列搜索引擎地址提交查询信息，从而获得相关邮件信息，进而伪造邮件：

www.g**g*e.com (208.7*.1*8.1*0)/bn/comgate.xhtml?name=78 TCP DstPort:7712

注： % System% 是一个可变路径。病毒通过查询操作系统来决定当前 System 文件夹的位置。 Windows2000/NT 中默认的安装路径是 C:WinntSystem32 ， windows95/98/me 中默认的安装路径是 C:WindowsSystem ， windowsXP 中默认的安装路径是 C:WindowsSystem32 。

清除方案：

1 、使用安天木马防线可彻底清除此病毒 ( 推荐 )

2 、手工清除请按照行为分析删除对应文件，恢复相关系统设置。

(1) 使用安天木马防线 “进程管理”关闭病毒进程

删除下列新建项：

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices

ntldr.sys

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesWS2IFSL

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000012

…………..

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000023

恢复下列修改项：

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries00000000001

PackedCatalogItem

…………..

HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWinSock2

ParametersProtocol_Catalog9Catalog_Entries000000000011

PackedCatalogItem

恢复键值为：

%SystemRoot%system32mswsock.dll

(2) 重新启动计算机

(3) 删除病毒衍生文件：

%System32%mfolpnzbz.dll

%System32%dirvers

dis.sys