Email-Worm.Win32.LovGate.ae

Wangchao Baike · Author: anonymous  2010-02-26

Analysis of Email-Worm.Win32.LovGate.ae

Preface: This should be a fairly old virus; if I remember correctly it appeared around 2004. I got the sample from Jianmeng (剑盟) today. Among mail worms I had only analysed Warezov before; this LovGate backdoor is quite well written. I spent more than four hours going through it, looked up some material along the way, and there are still parts I do not understand. Quite tiring. One has to keep learning and improving! I am a newbie, so omissions are inevitable.

Virus name: Email-Worm.Win32.LovGate.ae (Kaspersky)

Size: 192000 bytes

Packer: multiple layers of ASPack and JDPack

Sample MD5: 42ab20ee5f4757a44edff753bc508840

Sample SHA1: cc2df80aea902bec125601cd3202a3e5e9010613

Compiler: Microsoft Visual C++ 6.0

Type: backdoor, worm

Propagation: email, network

Behaviour analysis:

After running, the virus drops copies of itself and its backdoor components to:

%Windows%\SVCHOST.EXE
%Windows%\SYSTRA.EXE
%System32%\HXDEF.EXE
%System32%\IEXPLORE.EXE
%System32%\KERNEL66.DLL
%System32%\RAVMOND.EXE
%System32%\TKBELLEXE.EXE
%System32%\UPDATE_OB.EXE
%System32%\LMMIB20.DLL
%System32%\MSJDBC11.DLL
%System32%\MSSIGN30.DLL
%System32%\NETMEETING.EXE
%System32%\ODBC16.DLL
%System32%\SPOLLSV.EXE

The virus copies itself to the root directory of every partition and creates an autorun.inf there:

AUTORUN.INF
COMMAND.EXE

Contents of AUTORUN.INF:

[AUTORUN]
Open="c:\COMMAND.EXE" /StartExplorer

The virus creates autostart entries so that it runs whenever the system starts:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "RAVMOND.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
WinHelp = "C:\Windows\System32\TkBellExe.exe"
Hardware Profile = "C:\Windows\System32\hxdef.exe"
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"
Program In Windows = "C:\Windows\System32\IEXPLORE.EXE"
Shell Extension = "C:\Windows\System32\spollsv.exe"
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
SystemTra = "C:\Windows\SysTra.EXE"
COM++ System = "svchost.exe"

The virus registers itself as a system service:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server Performs Scheduled scans for LANguard
Path to executable: %System32%\MSJDBC11.DLL

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_reg]
Display name: _reg
Description:
Path to executable: %System32%\MSJDBC11.DLL

The virus modifies the following registry entries so that a copy of the virus runs whenever the user opens a .TXT file:

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
default = "Update_OB.exe %1"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
default = "Update_OB.exe %1"
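As an added example (not code from the original analysis), a Python triage helper that checks exported autostart entries against the value names and dropped files listed above, and checks the txtfile handler for the Update_OB.exe hijack. The key paths, value names and file names come from the analysis; the sample export and the helper names are constructed.

```python
import re
# Value names the worm writes under Run, RunServices and Windows NT\CurrentVersion\Windows.
LOVGATE_VALUE_NAMES = {
    "run", "winhelp", "hardware profile", "vfw encoder/decoder settings",
    "microsoft netmeeting associates, inc.", "program in windows",
    "shell extension", "protected storage", "systemtra", "com++ system",
}
# Dropped components those values launch.
LOVGATE_FILES = {
    "ravmond.exe", "tkbellexe.exe", "hxdef.exe", "netmeeting.exe",
    "iexplore.exe", "spollsv.exe", "systra.exe", "svchost.exe",
}
AUTOSTART_KEY = re.compile(
    r"\\(run|runservices|windows nt\\currentversion\\windows)$", re.I)

def is_lovgate_persistence(key_path, value_name, value_data):
    """Reason string if this autostart entry matches LovGate.ae, else None."""
    if not AUTOSTART_KEY.search(key_path):
        return None
    name = value_name.strip().lower()
    data = value_data.strip().strip('"').lower()
    # The rundll32 loader line for the backdoor DLL is distinctive on its own.
    if "mssign30.dll" in data and "ondll_reg" in data:
        return "rundll32 loader for MSSIGN30.DLL (ondll_reg)"
    # Otherwise require BOTH the worm's value name and one of its dropped files,
    # so a benign 'WinHelp' entry or a normal svchost.exe is not flagged.
    exe = re.split(r"[\\/]", data.split()[0])[-1] if data else ""
    if name in LOVGATE_VALUE_NAMES and exe in LOVGATE_FILES:
        return f"autostart value '{value_name}' launches {exe}"
    return None

def is_txtfile_hijacked(command):
    # txtfile\shell\open\command should point at notepad, not Update_OB.exe.
    return "update_ob.exe" in command.lower()

def scan_entries(entries):
    hits = []
    for key, name, data in entries:
        reason = is_lovgate_persistence(key, name, data)
        if reason:
            hits.append((key, name, reason))
    return hits

# Constructed sample export (not from a real machine): three worm entries, one benign.
HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (HKLM_RUN, "Shell Extension", r'"C:\Windows\System32\spollsv.exe"'),
    (HKLM_RUN, "Protected Storage", '"RUNDLL32.EXE MSSIGN30.DLL ondll_reg"'),
    (HKLM_RUN + "Services", "COM++ System", '"svchost.exe"'),
    (HKLM_RUN, "WinHelp", r'"C:\Program Files\Vendor\helpd.exe"'),  # benign name clash
]
```

`scan_entries(SAMPLE_ENTRIES)` returns the three worm entries and leaves the benign WinHelp value alone.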

The virus can spread via MAPI. It searches for the system mailbox and, once found, replies to the mail it contains in order to propagate.

Mails sent by the virus have the following characteristics:

Subject: Re: <original subject>

Body:

<original body>
<domain> auto-reply:
 wrote:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE now! <

Attachment (one of):

the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
CloneAttack.rm.scr
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Besides MAPI, the virus also spreads using its own built-in SMTP engine.

The virus harvests email addresses from files with the following extensions:

adb
asp
dbx
htm
php
sht
tbb

Sender:

{random name}.yahoo.com

The random names include:

john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra

Body (one of):

It's the long-awaited film version of the Broadway hit.

The message sent as a binary attachment.

Mail failed. For further assistance, please contact!

The message contains Unicode characters and has been sent as a binary attachment.
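As an added example (not part of the original analysis), a Python mail-triage rule built from the traits above for both the MAPI auto-reply and the SMTP-engine messages: the body fragments, the "Re:" plus auto-reply pattern, and the executable or double-extension attachments. The message dict layout, the function names and the sample messages are constructed; the markers and attachment names come from the analysis.

```python
# Body fragments from the MAPI reply template and the SMTP-engine bodies.
BODY_MARKERS = (
    "auto-reply:", "more look to the attachment", "get your free now!",
    "if you can keep your head when all about you",
    "long-awaited film version of the broadway hit",
    "the message sent as a binary attachment",
    "mail failed. for further assistance, please contact!",
)
# A subset of the attachment names listed in the analysis.
KNOWN_ATTACHMENTS = {
    "the hardcore game-.pif", "sex in office.rm.scr", "s3msong.mp3.pif",
    "me_nude.avi.pif", "shakira.zip.exe", "joke.pif", "i am for u.doc.exe",
}
EXEC_EXT = {"exe", "pif", "scr", "bat", "com"}

def attachment_risk(filename):
    """Classify one attachment name; None when it is not an executable type."""
    low = filename.lower()
    parts = low.rsplit(".", 2)  # 'me_nude.avi.pif' -> ['me_nude', 'avi', 'pif']
    if parts[-1] not in EXEC_EXT:
        return None
    if low in KNOWN_ATTACHMENTS:
        return "known LovGate attachment name"
    if len(parts) == 3:
        return "double extension hiding an executable"
    return "executable attachment"

def classify(msg):
    """Return the list of LovGate indicators found in a message dict."""
    subject, body = msg.get("subject", "").lower(), msg.get("body", "").lower()
    hits = ["body: " + m for m in BODY_MARKERS if m in body]
    # MAPI path: a reply to real mail, 'Re: <original>' plus a fake auto-reply line.
    if subject.startswith("re:") and "auto-reply:" in body:
        hits.append("auto-reply to an existing thread")
    for name in msg.get("attachments", []):
        risk = attachment_risk(name)
        if risk:
            hits.append(f"attachment {name}: {risk}")
    return hits

# Constructed samples (not real captures): one worm reply, one ordinary reply.
WORM_MAIL = {
    "subject": "Re: quarterly figures",
    "body": "example.com auto-reply:\n wrote:\n"
            "If you can keep your head when all about you\n"
            "... ... more look to the attachment.\n> Get your FREE now! <",
    "attachments": ["Me_nude.AVI.pif"],
}
CLEAN_MAIL = {"subject": "Re: quarterly figures",
              "body": "Thanks, figures attached.", "attachments": ["figures.pdf"]}
```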

The virus avoids sending mail to addresses that contain any of the following strings:

.gov
.mil
avp
borlan
example
foo.
gov.
hotmail
icrosof
inpris
msn.
mydomai
nodomai
panda
ruslis
sopho
syma

The virus creates a shared folder named "Media" under the Windows folder and places the following copies of itself in it:

AUTOEXEC.BAT
CAIN.PIF
CLIENT.EXE
documents and settings.txt.exe
FINDPASS.EXE
I386.EXE
internet explorer.bat
microsoft office.exe
MMC.EXE
MSDN.ZIP.PIF
SUPPORT TOOLS.EXE
WINDOWUPDATE.PIF
windows media player.zip.exe
WINHLP32.EXE
WINRAR.EXE
XCOPY.EXE

The virus also tries to log on to other computers on the LAN with the following user names and passwords, using the ipc$ and admin$ shares that the system enables by default to reach the "Admin$" share and spread:

Guest
Administrator
zxcv
yxcv
test123
test
temp123
temp
sybase
super
secret
pw123
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
enable
database
computer
alpha
admin123
Admin
abcd
88888888
2004
2600
2003
123asd
123abc
123456789
1234567
123123
121212
11111111
00000000
000000
pass
54321
12345
password
passwd
server
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
root
abc123
12345678
abcdefg
abcdef
888888
666666
111111
admin
administrator
guest
654321
123456

If the logon succeeds, the virus writes a copy of itself named "NETMANAGER.EXE" into the remote machine's "Admin$\System32" folder.

The virus starts the "Windows Management NetWork Service Extensions" service.

The virus uses the net stop command to try to shut down security software services:

Symantec AntiVirus Client
Symantec AntiVirus Server
Rising Realtime Monitor Service

The virus also terminates processes related to security and anti-virus software, matched by the following strings:

KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

The virus collects the computer's stored information and passwords, records them in C:\Netlog.txt, and periodically sends the file to hello_zyx@163.com.

The virus also creates the following archive files on the E: and F: drives and sends them:

setup.ZIP
setup.RAR
WORK.RAR
WORK.ZIP
install.ZIP
install.RAR
bak.RAR
bak.ZIP
letter.RAR
letter.ZIP

 