Trojan.Multi.Mediyes

显示全部楼层 · 发表于 2012-3-16 10:44:48

本帖最后由 360Tencent 于 2012-3-16 10:53 编辑

http://www.securelist.com/en/blo ... h_a_valid_signature

https://www.virustotal.com/file/ ... nalysis/1331865493/

主流的目前除了卡巴，只有COMODO,Panda 好像知道了消息，卡巴已通知Versign 注销该公司的证书

文件有合法的数字签名，是一家瑞士公司的，描述如下

The 32-bit dropper stores its own 32-bit driver – whose name begins with ‘HID’ – to the system drivers directory. The dropper then deletes itself from the system. The driver itself is not signed, though this doesn’t prevent it from functioning properly on a 32-bit Windows operating system. The driver contains a DLL which is copied to a system folder beginning with the letters ‘PNG’. The main function of the driver is to inject a DLL into an Internet browser process. The driver also conceals the Mediyes components on the disk.

The 64-bit dropper does not contain a driver and injects a DLL directly into the browser.

The malicious DLL is detected by Kaspersky Lab as Trojan.Win32.Mediyes, and the driver is detected as Rootkit.Win32.Mediyes.

After the DLL is launched, it checks which browser it is running in and then starts intercepting browser requests sent to the Google, Yahoo! and Bing search engines. It duplicates all requests on the server of the malicious users which is located in Germany. The search queries are used by the criminals to earn money as part of the Search 123 partner program that works on a pay-per-click (PPC) basis. The server responds to the users’ requests with links from the Search123 system that are clicked without the user knowing about it. This results in the bad guys making money from fake clicks.

显示全部楼层 · 发表于 2012-3-16 10:46:03

金山报谨慎。过AVG扫描

显示全部楼层 · 发表于 2012-3-16 10:47:18

完整路径: c:\users\yw\desktop\03.exe
威胁: Trojan.ADH.2
____________________________
____________________________
在电脑上的创建时间 2012/3/16 ( 10:47:05 )
上次使用时间 2012/3/16 ( 10:47:05 )
启动项目否
已启动否
____________________________
____________________________
未知
诺顿社区中使用此文件的用户数量: 未知
____________________________
未知
此文件版本当前未知。
____________________________
高
此文件具有高风险。
____________________________
威胁详细信息
威胁类型: 病毒。将自身插入或附加到其他程序、文件或电脑区域以感染这些媒介的程序。
____________________________

____________________________
文件操作
文件: c:\users\yw\desktop\03.exe
已阻止
____________________________
文件指纹 - SHA:
60eb36d979e948f1de82ae61fce5f5b44878c34320f8ef8e56588f4f1028f64c
____________________________
文件指纹 - MD5:
6b5cbc39d5aa4a350193c40d4f69ad12
____________________________

显示全部楼层 · 发表于 2012-3-16 10:48:26

本帖最后由 360Tencent 于 2012-3-16 10:50 编辑

ywsuda 发表于 2012-3-16 10:47
完整路径: c:\users\yw\desktop\03.exe
威胁: Trojan.ADH.2
____________________________

另一个呢01

显示全部楼层 · 发表于 2012-3-16 10:52:48

360Tencent 发表于 2012-3-16 10:48
另一个呢01

另一个没反应

显示全部楼层 · 发表于 2012-3-16 10:55:09

微点主防悲剧啊

显示全部楼层 · 发表于 2012-3-16 10:55:30

创建驱动
调用cmd
两个样本的行为都是一样，所以图片就不重复了

显示全部楼层 · 发表于 2012-3-16 10:58:58

360卫士报木马

显示全部楼层 · 发表于 2012-3-16 11:00:23

毒霸转人工。。

显示全部楼层 · 发表于 2012-3-16 11:10:12

2个运行毛豆和GD都报

[病毒样本] Trojan.Multi.Mediyes

本帖子中包含更多资源

评分

本帖子中包含更多资源