MMPC 之蠕虫（Worm:Win32/Esfury）分析，篇幅太长，你有耐心看完吗？

显示全部楼层 · 发表于 2014-8-25 02:18:50

本帖最后由 ELOHIM 于 2014-8-25 02:21 编辑

此蠕虫依靠可移动存储设备传播。

Threat behavior

In subkey: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile

Sets value: "EnableFirewall"

With data: "0"

Disable the command prompt:

In subkey: HKCU\Software\Policies\Microsoft\Windows\System
Sets value: "DisableCMD"
With data: "1"

Disable automatic restart after downloading Windows updates:

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Sets value: "NoAutoRebootWithLoggedOnUsers"
With data: "1"

Disable the Window Script Host:

In subkey: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
In subkey: HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings
Sets value: "Enabled”
With data: "0"

Attempt to prevent the system from booting into Safe Mode by deleting the following registry key, and any subkeys it contains:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

Changes Internet Explorer start page
The malware attempts to change Internet Explorer’s start page and other default pages by making registry modifications similar to the following examples:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://g-3-a-k-0-x-8-6-e-n-d-p-4-s-d-x-g-6-9-v-9-n-v-2-3-2-8.-6-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"
Sets value: "Local Page"
With data: "http://h.-x-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"
Sets value: "Search Page"
With data: "http://9.-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"
Sets value: "Default_Search_URL"
With data: "http://4-1-6-f-k-g-d-n-8-9-a-k-f-f-h-y-4-9-n-1.-6-y-r-.a-l-v-d-z-o0-n-x-6-v-0-q-q-m-7-g-d-z-7-7-o-b-m-7-z-4-a-q-0.info"
Sets value: "Default_Page_URL"
With data: "http://4-1-x-.s-4-2-0-x-o-8-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"

In subkey: HKLM\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://b-q-h.-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"
Sets value: "Local Page"
With data: "http://t-1-6-0-0-9-.k-8-.a-l-v-d-z-o0-n-x-6-v-0-q-q-m-7-g-d-z-7-7-o-b-m-7-z-4-a-q-0.info"
Sets value: "Search Page"
With data: "http://o-u-.1-7-g-5-f-z-s-9-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info"
Sets value: "Default_Search_URL"
With data: "http://d-e-g-4-8-g-8-3-9-c-j-4-8-9-m-i-e-0-3.-a-8-1-i-g-9-1-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"
Sets value: "Default_Page_URL"
With data: "http://0-u-5-3-s-b-7-3.-2-t-9-j-j-.5-b-e-n-t-f-p-p-7-1-1-0-7-c-q-0-3-00-6-u-7-t-1-n-y-q-u-f-u.info"

URLs such as these are randomly chosen from a short list contained within the malware.

Closes windows
The malware monitors open windows and attempts to close them if their title contains a string from a specified list. This list may include the following:

error
hosts
AdSense
AdWords
seguri
gusano
actuali
Settings
aware
boot
pajina
advanced
reg
agnitum
amon
anti
lock
Caballo
Troya
Terminat
Arovax
Sweeper
ants
Destroy
eset
Malware
blackice
centinel
command
deerfield
dvpinit
etrust
bot
File
scan
gis
HijackThis
IniRem
inoculate
updat
intercheck
security
odc
kerio
kill
luke
Memor
moosoft

murphy
nai_vs_stat
neowatch
nod
nvc
Tray
outpost
pcinternet
pestpatrol
rav
rtvr
schscnt
secureup
Winspector
superdat
surfsecret
sygate
system
monitor
sistema
tcactive
tds
running
clea
trojan
troyan
TuneUp
Detective
WinPatrol
spy
firewall
Trend
elimina
viru
espia
saco
cambiar
homepage
pagina
spiware
change
trollano
quitar
quito
kitar
bloquear
blokear
deja

infec
borrar
restaurar
Kaspersky
Active
ZoneAlarm
F-Secure
Defender
BullGuard
Ashampoo
CyberScrub
Avast
AVG
F-Prot
McAfee
Panda
Norman
ArcaVir
Norton
Rising
DrWeb
Dr.Web
Cillin
Iolo
VBA32
Sophos
matar
Zondex
Vexira
V3
Comodo
Squared
Ikarus
ClamWin
Quick
Protector
Guard
Hunter
VirIT
E-Trust
User Account
Remove
Hack
jack
Abacre
Filterbit
folder
carpeta

Terminates and blocks access to processes
The malware may create a semaphore of "MSConfigRunning" in an attempt to prevent the startup of the MSConfig configuration tool.

It also creates a large number of registry entries similar to the following:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<file name of blocked file>
Sets value: "Debugger"
With data: "%USERPROFILE%\<username>1\winlogon.exe"

For example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe
Sets value: "Debugger"
With data: "c:\documents and settings\bob\bob1\winlogon.exe"

The registry keys may contain any of the file names listed below. This has the effect of ensuring that when an attempt is made to run any of the files in question, a copy of the malware is run instead.

The malware also attempts to terminate processes with these file names if they are already running.

Processes targeted by the malware may include the following:

BullGuard.exe
ChromeSetup.exe
Diskmon.exe
EHttpSrv.exe
FPAVServer.exe
Filemon.exe
FirewallControlPanel.exe
FirewallSettings.exe
GenericRenosFix.exe
GoogleToolbarInstaller_download_signed.exe
HJTInstall.exe
HostsChk.exe
IEDFix.exe
MSASCui.exe
Netscape.exe
Opera_964_int_Setup.exe
Process.exe
Procmon.exe
Regmon.exe
Restart.exe
Safari.exe
SmitfraudFix.exe
SrchSTS.exe
UCCLSID.exe
UserAccountControlSettings.exe
VACFix.exe
WS2Fix.exe
_avp.exe
_avp32.exe
_avpcc.exe
_avpm.exe
_findviru.exe
a2servic.exe
ackwin32.exe
acs.exe
advxdwin.exe
agentsvr.exe
agentw.exe
ahnsd.exe
alerter.exe
alertsvc.exe
alogserv.exe
amon.exe
amon9x.exe
anti-trojan.exe
antigen.exe
antivirus.exe
ants.exe
apimonitor.exe
aplica32.exe
apvxdwin.exe
ashWebSv.exe
atcon.exe
atguard.exe
atro55en.exe
atupdater.exe
atwatch.exe
aupdate.exe
autodown.exe
autotrace.exe
autoupdate.exe
avcenter.exe
avconfig.exe
avconsol.exe
ave32.exe
avgcc32.exe
avgctrl.exe
avgemc.exe
avgnt.exe
avgserv.exe
avgserv9.exe
avguard.exe
avgw.exe
avkpop.exe
avkserv.exe
avkservice.exe
avkwcl9.exe
avkwctl9.exe
avnotify.exe
avnt.exe
avp.exe
avp32.exe
avpcc.exe
avpdos32.exe
avpexec.exe
avpinst.exe
avpm.exe
avpmon.exe
avpnt.exe
avptc32.exe
avpupd.exe
avrescue.exe
avscan
avsched32.exe
avshadow.exe
avsynmgr.exe
avupgsvc.exe
avwebloader.exe
avwin95.exe
avwinnt.exe
avwsc.exe
avwupd32.exe
avxmonitor9x.exe
avxmonitornt.exe
avxquar.exe
avxw.exe
azonealarm.exe
bd_professional.exe
bidef.exe
bidserver.exe
bipcp.exe
bipcpevalsetup.exe
bisp.exe
blackd.exe
blackice.exe
boot.exe
bootwarn.exe
borg2.exe
bs120.exe
callmsi.exe
ccapp.exe
ccevtmgr.exe
cclaw.exe
ccpxysvc.exe
ccsetmgr.exe
ccshtdwn.exe
cdp.exe
cfgwiz.exe
cfiadmin.exe
cfiaudit.exe
cfind.exe
cfinet.exe
cfinet32.exe
chrome.exe
clamauto.exe
claw95.exe
claw95cf.exe
claw95ct.exe
clean.exe
cleaner.exe
cleaner3.exe
cleanpc.exe
cmd.exe
cmgrdian.exe
cmon016.exe
connectionmonitor.exe
consent.exe
cpd.exe
cpdclnt.exe
cpf.exe
cpf9x206.exe
cpfnt206.exe
crashreporter.exe
csinject.exe
csinsm32.exe
css1631.exe
ctrl.exe
cv.exe
cwnb181.exe
cwntdwmo.exe
defalert.exe
defscangui.exe
defwatch.exe
deputy.exe
doors.exe
dpf.exe
drvins32.exe
drwatson.exe
drweb32.exe
dumphive.exe
dv95.exe
dv95_o.exe
dvp95.exe
dvp95_0.exe
earthagent.exe
ecengine.exe
ecls.exe
ecmd.exe
edi.exe
efinet32.exe
efpeadm.exe
egui.exe
ekrn.exe
ent.exe
esafe.exe
escanh95.exe
escanhnt.exe
escanv95.exe
espwatch.exe
etrustcipe.exe
evpn.exe
ewido.exe
exantivirus-cnet.exe
exit.exe
expert.exe
explored.exe
f-agnt95.exe
f-prot.exe
f-prot95.exe
f-stopw.exe
fa-setup.exe
fact.exe
fameh32.exe
fast.exe
fch32.exe
fih32.exe
findviru.exe
firefox.exe
firewall.exe
fix-it.exe
flowprotector.exe
fnrb32.exe
fp-win.exe
fp-win_trial.exe
fprot.exe
fprot95.exe
frw.exe
fsaa.exe
fsav.exe
fsav32.exe
fsav530stbyb.exe
fsav530wtbyb.exe
fsav95.exe
fsave32.exe
fsgk32.exe
fslaunch.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fssm32.exe
fwenc.exe
fwinstall.exe
gbmenu.exe
gbpoll.exe
generics.exe
gibe.exe
gpedit.exe
guard.exe
guarddog.exe
guardgui.exe
guardhlp.exe
hacktracersetup.exe
helper.exe
htlog.exe
hwpe.exe
iamapp.exe
iamserv.exe
iamstats.exe
ibmasn.exe
ibmavsp.exe
icload95.exe
icloadnt.exe
icmon.exe
icmoon.exe
icssuppnt.exe
icsupp.exe
icsupp95.exe
icsuppnt.exe
iface.exe
ifw2000.exe
iomon98.exe
iparmor.exe
iris.exe
isrv95.exe
jammer.exe
jed.exe
jedi.exe
kav8.0.0.357es.exe
kavlite40eng.exe
kavpers40eng.exe
kavsvc.exe
kerio-pf-213-en-win.exe
kerio-wrl-421-en-win.exe
kerio-wrp-421-en-win.exe
killprocesssetup161.exe
kis8.0.0.506latam.exe
kpf.exe
kpfw32.exe
ldnetmon.exe
ldpro.exe
ldpromenu.exe
ldscan.exe
licmgr.exe
localnet.exe
lockdown.exe
lockdown2000.exe
lookout.exe
lsetup.exe
luall.exe
luau.exe
lucomserver.exe
luinit.exe
luspt.exe
mcagent.exe
mcmnhdlr.exe
mcshield.exe
mctool.exe
mcuimgr.exe
mcupdate.exe
mcvsrte.exe
mcvsshld.exe
mdll.exe
mfw2en.exe
mfweng3.02d30.exe
mgavrtcl.exe
mgavrte.exe
mghtml.exe
mgui.exe
minilog.exe

monitor.exe
monsys32.exe
monsysnt.exe
monwow.exe
moolive.exe
mpfagent.exe
mpfservice.exe
mpftray.exe
mrflux.exe
msblast.exe
msconfig.exe
msinfo32.exe
msn.exe
mspatch.exe
mssmmc32.exe
mu0311ad.exe
mwatch.exe
mxtask.exe
n32scan.exe
n32scanw.exe
nai_vs_stat.exe
nav32_loader.exe
nav80try.exe
navap.exe
navapsvc.exe
navapw32.exe
navauto-protect.exe
navdx.exe
naveng.exe
navengnavex15.exe
navex15.exe
navlu32.exe
navnt.exe
navrunr.exe
navsched.exe
navstub.exe
navw.exe
navw32.exe
navwnt.exe
nc2000.exe
ncinst4.exe
nd98spst.exe
ndd32.exe
ndntspst.exe
neomonitor.exe
neowatchlog.exe
netarmor.exe
netcfg.exe
netinfo.exe
netmon.exe
netscanpro.exe
netspyhunter-1.2.exe
netstat.exe
netutils.exe
nisserv.exe
nisum.exe
nmain.exe
nod32.exe
normist.exe
norton_internet_secu_3.0_407.exe
notstart.exe
npf40_tw_98_nt_me_2k.exe
npfmessenger.exe
nprotect.exe
npscheck.exe
npssvc.exe
nsched32.exe
ntdetect.exe
ntrtscan.exe
ntxconfig.exe
nui.exe
nupdate.exe
nupgrade.exe
nvapsvc.exe
nvarch16.exe
nvc95.exe
nvlaunch.exe
nvsvc32.exe
nwinst4.exe
nwservice.exe
nwtool16.exe
offguard.exe
ogrc.exe
opera.exe
ostronet.exe
outpost.exe
outpostinstall.exe
outpostproinstall.exe
padmin.exe
panixk.exe
pathping.exe
pavcl.exe
pavproxy.exe
pavsched.exe
pavw.exe
pcc2002s902.exe
pcc2k_76_1436.exe
pccclient.exe
pccguide.exe
pcciomon.exe
pccmain.exe
pccntmon.exe
pccpfw.exe
pccwin97.exe
pccwin98.exe
pcdsetup.exe
pcfwallicon.exe
pcip10117_0.exe
pcscan.exe
pcscanpdsetup.exe
penis32.exe
periscope.exe
persfw.exe
perswf.exe
pf2.exe
pfwadmin.exe
ping.exe
pingscan.exe
platin.exe
pop3trap.exe
poproxy.exe
popscan.exe
portdetective.exe
portmon.exe
portmonitor.exe
ppinupdt.exe
pptbc.exe
ppvstop.exe
prckiller.exe
processmonitor.exe
procexp.exe
procexplorerv1.0.exe
programauditor.exe
proport.exe
protectx.exe
pspf.exe
purge.exe
pview.exe
pview95.exe
qconsole.exe
qserver.exe
rapapp.exe
rav.exe
rav7.exe
rav7win.exe
rav8win32eng.exe
realmon.exe
regedit.exe
regedt32.exe
rescue.exe
rescue32.exe
route.exe
routemon.exe
rrguard.exe
rshell.exe
rstrui.exe
rtvscn95.exe
rulaunch.exe
safeweb.exe
sbserv.exe
scan32.exe
scan95.exe
scanpm.exe
sched.exe
schedapp.exe
scrscan.exe
scvhosl.exe
sd.exe
sdclt.exe
serv95.exe
setup_flowprotector_us.exe
setupvameeval.exe
sgssfw32.exe
sh.exe
sharedaccess.exe
shellspyinstall.exe
shn.exe
smc.exe
sofi.exe
spf.exe
sphinx.exe
spider.exe
spysweeper.exe
spyxx.exe
srwatch.exe
ss3edit.exe
st2.exe
supftrl.exe
supporter5.exe
sweep.exe
sweep95.exe
sweepnet.exe
sweepsrv.sys.exe
swnetsup.exe
swsc.exe
swxcacls.exe
symproxysvc.exe
symtray.exe
sysdoc32.exe
syshelp.exe
taskkill.exe
tasklist.exe
taskmgr.exe
taskmon.exe
taumon.exe
tauscan.exe
tbscan.exe
tc.exe
tca.exe
tcm.exe
tcpsvs32.exe
tds-3.exe
tds2-98.exe
tds2-nt.exe
tds2.exe
tfak.exe
tfak5.exe
tftpd.exe
tgbob.exe
titanin.exe
titaninxp.exe
tmlisten.exe
tmntsrv.exe
tracerpt.exe
tracert.exe
trjscan.exe
trjsetup.exe
trojantrap3.exe
undoboot.exe
unzip.exe
update.exe
update.exe
updater.exe
vbcmserv.exe
vbcons.exe
vbust.exe
vbwin9x.exe
vbwinntw.exe
vccmserv.exe
vcleaner.exe
vcontrol.exe
vcsetup.exe
vet32.exe
vet95.exe
vet98.exe
vettray.exe
vfsetup.exe
vir-help.exe
virusmdpersonalfirewall.exe
vmsrvc.exe
vnlan300.exe
vnpc3000.exe
vpc32.exe
vpc42.exe
vpcmap.exe
vpfw30s.exe
vptray.exe
vscan.exe
vscan40.exe
vscenu6.02d30.exe
vsched.exe
vsecomr.exe
vshwin32.exe
vsisetup.exe
vsmain.exe
vsmon.exe
vsscan40.exe
vsstat.exe
vswin9xe.exe
vswinntse.exe
vswinperse.exe
vvstat.exe
w32dsm89.exe
w9x.exe
watchdog.exe
webscan.exe
webscanx.exe
webtrap.exe
wfindv32.exe
wgfe95.exe
whoswatchingme.exe
wimmun32.exe
wingate.exe
winhlpp32.exe
wink.exe
winmgm32.exe
winppr32.exe
winrecon.exe
winroute.exe
winservices.exe
winsfcm.exe
wmias.exe
wmiav.exe
wnt.exe
wradmin.exe
wrctrl.exe
wsbgate.exe
wyvernworksfirewall.exe
xpf202en.exe
xscan.exe
zapro.exe
zapsetup3001.exe
zatutor.exe
zatutorzauinst.exe
zauinst.exe
zlh.exe
zonalarm.exe
zonalm2601.exe
zonealarm.exe

Modifies Hosts file
Worm:Win32/Esfury modifies the Windows Hosts file, which may be located at <system folder> /drivers/etc/hosts. The local Hosts file overrides the DNS resolution of a TCP domain to a particular IP address. The malware modifies the file in order to redirect specified domains to different IP addresses.

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It redirects domains, such as the following in order to display content of its own choosing, should the user attempt to visit URLs hosted by these domains:

viabcp.com
www.viabcp.com
bcpzonasegura.viabcp.com
www.produbanco.com
produbanco.com
www.pichincha.com
pichincha.com
wwwp1.pichincha.com
wwwp2.pichincha.com
wwwp3.pichincha.com
wwwp4.pichincha.com
wwww01.pichincha.com
wwww02.pichincha.com
wwww03.pichincha.com
wwww04.pichincha.com
bn.com.pe
www.bn.com.pe
zonasegura1.bn.com.pe
www.zonasegura1.bn.com.pe
peliculasid.com
www.peliculasid.com

It also redirects a number of mostly security-related domains, such as the following to a non-existent IP address, in an attempt to prevent the user from accessing content hosted by the domains:

iniciorapido.info
www.iniciorapido.info
buscalo.in
www.buscalo.in
buscafacil.com
www.buscafacil.com
emsisoft.com
ahnlab.com
antivir.es
antiy.net
authentium.com
avast.com
avg.com
bitdefender.com
quickheal.com
clamav.net
comodo.com
drweb.com
aladdin.com
ca.com
f-prot.com
f-secure.com
fortinet.com
gdata.es
ikarus.at
jiangmin.com
kaspersky.com
mcafee.com
microsoft.com
eset.es
norman.com
nprotect.com
pandasecurity.com
pctools.com
prevx.com
rising-global.com
sophos.com
sunbeltsoftware.com
symantec.com
hacksoft.com.pe
trendmicro.com
anti-virus.by
hauri.net
virusbuster.hu
www.emsisoft.com
www.ahnlab.com
www.antivir.es
www.antiy.net
www.authentium.com
www.avast.com
www.avg.com
www.bitdefender.com
www.quickheal.com
www.clamav.net
www.comodo.com
www.drweb.com
www.aladdin.com
www.ca.com
www.f-prot.com
www.f-secure.com
www.fortinet.com
www.gdata.es
www.ikarus.at
www.jiangmin.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.eset.es
www.norman.com
www.nprotect.com
www.pandasecurity.com
www.pctools.com
www.prevx.com
www.rising-global.com
www.sophos.com
www.sunbeltsoftware.com
www.symantec.com
www.hacksoft.com.pe
www.trendmicro.com
www.anti-virus.by
www.hauri.net
www.virusbuster.hu
www.emsisoft.com
www.anti-trojan.net
malwarescan.emsisoft.com
forum.emsisoft.com
www.emsisoft.net
www.emsisoft.it
www.emsisoft.de
www.anti-trojan-software.net
mamutu.com
www.emsisoft.es
malwarescan.emsisoft.de
ww.emsisoft.com
www.emsisoft.fr
www.emsisoft.nl
onlinecheck.emsisoft.com
onlinecheck.emsisoft.de
www.emsisoft.org
scan.anti-trojan.net
www.trojaner.info
onlinecheck.emsisoft.org
onlinecheck.emsisoft.net
blitzblank.com
www.emsisoft.at
www.emsisoft.jp
www.mamutu.com
malwarescan.emsisoft.es
www.mamutu.de
download5.emsisoft.com
download1.emsisoft.com
download4.emsisoft.com
global.ahnlab.com
www.hackshields.com
www.internationalservicecheck.com
www.irangoals.com
ixomodels.com
www.indielisboa.com
www.latin-mass-society.org
www.arpia.be
www.owen.org
www.prdouglas.co.uk
www.zarya.info
www.willsee.com
halmapr.com
karuna-shechen.org
www.barder.com
www.antivir.es
www.buraka.tv
www.dr-bull.com
www.manchester-offices.co.uk
saverssite.com
canada.karuna-shechen.org
developmentdrums.org
www.imddomains.co.uk
cutlines.org
elblogdemanu.com
ruben.bzin.net
welkam.co.jp
www.cambridge-steiner-school.co.uk
naturesimages.net
www.1stavenuelimousines.co.uk
www.mtr-design.com
dev.depeuter.org
www.emeraldclassic.co.uk
www.peterhearnwaste.co.uk
etrr.co.uk
www.avoncourt.com
sarahmcconnellphotography.net
www.ixomodels.com
natsko.com
www.nottinghampoetryseries.com
www.sheffieldmind.co.uk
ixostore.ixomodels.com
www.flairweddings.co.uk
www.fimasys.com
cohartuk.com
qqjkw.net
vivo-austin.com
www.freeality.com
bestofewan.com
www.handwritingforkids.com
cowsmo.com
www.2xlgames.com
kimzimmer.net
basetendencies.com
trackingtheworld.com
www.reviewsofbooks.com
www.collectedcurios.com
www.renningers.com
ccslaughterspdx.com
www.briarhurst.com
www.smf.org
ribbonwarehouse.com
www.garryowen.com
45pounds.com
isotopecomics.com
roysephotos.com
www.stadiumpage.com
www.elvis-express.com
www.tomorrowsedge.net
www.beautybar.com
pineleafboys.com
www.mountainlakeslodge.com
pvtc.org
bhsbees.com
baristamagazine.com
www.gokidding.com
defalcos.com
www.celticmerchant.com
www.hxproduction.com
www.wellgousa.com
blog.titanium-jewelry.com
www.brightoctober.com
hishomeforchildren.com
www.phoenixtrikeworks.com
www.professorbeyer.com
www.secondchanceboxer.com
www.residentphotography.com
woottonfootball.com
www.deborahshelton.net
bobbondart.com
www.authentium.com
asap.authentium.com
www.authentium.com.au
avast.com
www.avast.com
files.avast.com
download535.avast.com
avg.com
www.avg.com
grisoft.com
www.grisoft.com
antivirus-tools.com
archive.bitdefender.com
avx.rob-have.net
b-have.orgbitdefender-ar.com
bitdefender.com
bitdefender.org
bitdefenderchina.com
bitdefenderguatemala.com
bitdefendermalaysia.com
bitdefendertaiwan.com
bitdefenderuruguay.com
bitdefenderusa.com
buy.bitdefender-es.com
buy.bitdefender.com
buy.bitdefender.de
de.bitdefender.com
fr.bitdefender.com
futurenow.bitdefender.com
it.bitdefender.com
jobs.bitdefender.com
kb.bitdefender.com
kb.bitdefender.de
kb.bitdefender.us
latin.bitdefender.com
linux.bitdefender.com
malwarecity.com
malwarecity.netmalwarecity.org
malwarepedia.com
neunet.orgnews.bitdefender.com
nl.bitdefender.com
renewals.bitdefender.com
sales.bitdefender.com
square.bitdefender.com
store.bitdefender.com
store.de.bitdefender.com
us.bitdefender.com
virusscanonline.net
wedoantivirus.com
www.antivirus-tools.com
www.avx.ro
www.bit-defender.de
www.bitdefende.de
www.bitdefender-es.com
www.bitdefender.be
www.bitdefender.cl
www.bitdefender.co.uk
www.bitdefender.com
www.bitdefender.com.au
www.bitdefender.com.sg
www.bitdefender.com.tw
www.bitdefender.com.vn
www.bitdefender.de
www.bitdefender.es
www.bitdefender.fr
www.bitdefender.hk
www.bitdefender.us
www.bitdefenderme.com
www.malwarecity.com
www.malwarecity.fr
quickheal.com
www.quickheal.com
www.clamav.net
cgi.clamav.net
lurker.clamav.net
wwws.clamav.net
lists.clamav.net
bugs.clamav.net
system-cleaner.comodo.com
backup.comodo.com
www.comodoantispam.com
easy-vpn.comodo.com
www.trustlogo.com
ztl.comodo.com
www.livepcsupport.com
www.whichssl.com
www.trustix.com
disk-encryption.comodo.com
speedtest.comodo.com
www.contentverification.com
idauthority.com
www.comodo.tv
online-backup.comodo.com
www.testmypcsecurity.com
www.ccssforum.org
i-vault.comodo.com
internetsecurity.comodo.com
www.comodopartners.com
timestamp.comodoca.com
secure-email.comodo.com
timestamp.wosign.com
rover800.gaima.co.uk
www.nsclean.com
www.contentverification.com
new-estore.drweb.com
support.drweb.com
pda.drweb.com
updates.drweb.com
drweb.com
vms.drweb.com
solutions.drweb.com
news.drweb.com
my.drweb.com
buy.drweb.com
products.drweb.com
new-support.drweb.com
promotions.drweb.com
network.drweb.com

customers.drweb.com
store.drweb.com
company.drweb.com
training.drweb.com
license.drweb.com
cureit.ru
free.drweb.com
info.drweb.com
new-partners.drweb.com
drweb.net
new-company.drweb.com
new-beta.drweb.com
new-forum.drweb.com
secure.av-desk.com
www.av-desk.com
new-solutions.drweb.com
new-www.drweb.com
www.freedrweb.ru
daniloff.net
drweb-inside.com
drwebinside.com
aladdin.com
alladdin.ru
chickensroamfree.com
ealaddin.net
ealaddin.orgeshop.aladdin.com
secureme.com
www.aks.com
www.aladdin.com
www.ealaddin.com
www.ealaddin.com
auwww.ealaddin.nl
www.esafe.com
www.hasp.se
www.safenet-inc.com
www3.safenet-inc.com
www.ca.com
cacomvip.ca.com
www.netegrity.com
search.ca.com
cai.com
www.f-prot.com
frisk-software.com
www.frisk.is
www.frisk-software.com
f-secure.com
f-secure.frf-secure.hk
f-secure.nlfsecure.com
fsecure.nlwebyard.com
www.f-secure.com
www.fsecure.com
www.virus.fi
fortihero.com
fortilog.com
fortinet.co.at
fortinet.com
fortiprotect.com
fortiwifi.com
www.apsecure.com
www.fortifed.com
www.fortiid.com
www.fortimail.com
www.fortinet-apac.com
www.fortinet.ch
www.fortinet.co.il
www.fortinet.com
www.fortinet.com
arwww.fortinet.cz
www.fortinet.net
www.fortinet.nl
www.fortinet.sg
www.fortinetuk.com
www.secure-elements.com
gdata.es
www.gdata.es
ikarus.at
www.ikarus.at
global.jiangmin.com
jiangmin.com.cn
jiangmin.com
www.jiangmin.com.cn
www.kaspersky.com
forum.kaspersky.com
support.kaspersky.co
usa.kaspersky.com
brazil.kaspersky.com
latam.kaspersky.com
kaspersky.com
me.kaspersky.com
images.kaspersky.com
www.mcafee.com
support.mcafee.com
msr.mcafee.com
home.mcafee.com
networkassociates.com
us.mcafee.com
tr.mcafee.com
au.mcafee.com
mx.mcafee.com
networkassociates.nai.com
go.mcafee.com
fr.mcafee.com
uk.mcafee.com
de.mcafee.com
obscgi.mcafee.com
nai.com
www.entercept.com
jp.mcafee.com
mcafeeb2b.com
cn.mcafee.com
service.mcafee.com
br.mcafee.com
www.mcafee.at
mcafeeretail.com
it.mcafee.com
tw.mcafee.com
privacy.microsoft.com
tempuri.org
schemas.xmlsoap.org
www.microsoft.com
specs.xmlsoap.org
www.eugrantsadvisor.ie
schemas.microsoft.com
encarta.msn.com
www.sysinternals.com
grv.microsoft.com
www.xmlsoap.org
www.eugrantsadvisor.se
www.eugrantsadvisor.com
research.microsoft.com
www.engyro.com
www.exchangeyourcareer.com
www.eugrantsadvisor.de
exchangeyourcareer.net
eugrantsadvisor.de
eugrantsadvisor.cz
www.eset.es
demos.eset.es
descargas.eset.es
blogs.protegerse.com
eos.eset.es
pedidos.protegerse.com
reg-int.nod32-es.com
reg.eset.es
vicentevirtual.com
cou85.com
www.norman.com
fsc.norman.com
nprobeta.norman.com
register.norman.com
webadmin.norman.no
sandbox.norman.com
www.nprotect.com
global.nprotect.com
www.nprotect.co.kr
www.npin.co.kr
siren24.nprotect.com
15660808.co.kr
biz.nprotect.com
nprotect.net
www.nprotect.com.br
liveprotect.net
nprotect.seoul.go.kr
chollian.nprotect.co.kr
www.pandasecurity.com
research.pandasecurity.com
support.pandasecurity.com
pandalabs.pandasecurity.com
pandasecurity.com
mop.pandasecurity.com
timeforyourbusi.pandasecurity.com
cybercrime.pandasecurity.com
free.pandasecurity.com
cloudprotection.pandasecurity.com
shop.pandasecurity.com
soporte.pandasecurity.com
together.pctools.com
www.prevx.com
info.prevx.com
free.prevx.com
spywarefiles.prevx.com
spywaredlls.prevx.com
shield.prevx.com
www.prevx1.com
howsafeismypc.com
www.retento.com
www.freerav.com
www.rising-global.com
www.risingav.com.au
support.rising-global.com
superboy2010.com.au
www.sophos.com
feeds.sophos.com
esp.sophos.com
cn.sophos.com
tw.sophos.com
kr.sophos.com
sophos.com
podcasts.sophos.com
www.sunbeltsoftware.com
go.sunbeltsoftware.com
oem.sunbeltsoftware.com
antispam.sunbeltsoftware.com
antispyware.sunbeltsoftware.com
antivirus.sunbeltsoftware.com
sunbeltsoftware.com
shop.sunbeltsoftware.com
live.sunbeltsoftware.com
firewall.sunbeltsoftware.com
www.symantec.com
security.symantec.com
securityrespons.symantec.com
service1.symantec.com
enterprisesecur.symantec.com
eval.symantec.com
symantec.com
definitions.symantec.com
investor.symantec.com
et.symantec.com
sfdoccentral.symantec.com
servicenews.symantec.com
securityrespons.symantec.com
sea.symantec.com
go.symantec.com
dell.symantec.com
sun.symantec.com
marian.symantec.com
tms.symantec.com
securitycheck.symantec.com
smallbiz.symantec.com
www.symantec.com
visualtracking.symantec.com
search.symantec.com
liveupdate.symantec.com
sitedirector.symantec.com
edm.symantec.com
hostedmailsecur.symantec.com
www4.symantec.com
education.symantec.com
vos.symantec.com
www.hacksoft.com.pe
hacksoft.pe
www.hacksoft.pe
housecall.trendmicro.com
www.trendmicro.com
housecall65.trendmicro.com
us.trendmicro.com
blog.trendmicro.com
emea.trendmicro.com
housecall60.trendmicro.com
jp.trendmicro.com
de.trendmicro.com
it.trendmicro.com
itw.trendmicro.com
esupport.trendmicro.com
es.trendmicro.com
br.trendmicro.com
tw.trendmicro.com
la.trendmicro.com
uk.trendmicro.com
ru.trendmicro.com
smbstore.trendmicro.com
apac.trendmicro.com
store.trendmicro.com
training.trendmicro.com
trial.trendmicro.com
ushousecall02.trendmicro.com
subwiz.trendmicro.com
go.trendmicro.com
feeds.trendmicro.com
channelpartner.trendmicro.com
wtc.trendmicro.com
shop.trendmicro.com
fr.trendmicro.com
threatinfo.trendmicro.com
newsletters.trendmicro.com
www.anti-virus.by
bg.virusblokada.com
www.vba.com.by
beta.anti-virus.by
www.bg.virusblokada.com
www.hauri.net
www.hauri.co.kr
company.hauri.net
www.globalhauri.com
shop.hauri.co.kr
hauri.co.kr
pg.hauri.net
esecurity.livecall.co.kr
mall.hauri.co.kr
company.hauri.co.kr
haurijapan.com
virobot.co.kr
www.virusbuster.hu
virusbuster.hu
scanner.novirusthanks.org
scanner2.novirusthanks.or
novirusthanks.org
www.novirusthanks.org
virustotal.com
www.virustotal.com
virscan.org
www.virscan.org
virusscan.jotti.org
jotti.org
www.jotti.org
viruschief.com
www.viruschief.com
scanner.virus.org
virus.org
www.virus.org
scan4you.net
www.scan4you.net
avhide.com
www.avhide.com
anubis.iseclab.org
iseclab.org
www.iseclab.org
threatexpert.com
www.threatexpert.com

Analysis by David Wood

In subkey: HKCU\Software\Policies\Microsoft\Windows\System

Sets value: "DisableCMD"

With data: "1"

In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Sets value: "NoAutoRebootWithLoggedOnUsers"

With data: "1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings

In subkey: HKCU\SOFTWARE\Microsoft\Windows Script Host\Settings

Sets value: "Enabled”

With data: "0"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main

Sets value: "Start Page"

With data: "http://g-3-a-k-0-x-8-6-e-n-d-p-4-s-d-x-g-6-9-v-9-n-v-2-3-2-8.-6-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"

Sets value: "Local Page"

With data: "http://h.-x-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"

Sets value: "Search Page"

With data: "http://9.-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"

Sets value: "Default_Search_URL"

With data: "http://4-1-6-f-k-g-d-n-8-9-a-k-f-f-h-y-4-9-n-1.-6-y-r-.a-l-v-d-z-o0-n-x-6-v-0-q-q-m-7-g-d-z-7-7-o-b-m-7-z-4-a-q-0.info"

Sets value: "Default_Page_URL"

With data: "http://4-1-x-.s-4-2-0-x-o-8-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"

In subkey: HKLM\Software\Microsoft\Internet Explorer\Main

Sets value: "Start Page"

With data: "http://b-q-h.-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info"

Sets value: "Local Page"

With data: "http://t-1-6-0-0-9-.k-8-.a-l-v-d-z-o0-n-x-6-v-0-q-q-m-7-g-d-z-7-7-o-b-m-7-z-4-a-q-0.info"

Sets value: "Search Page"

With data: "http://o-u-.1-7-g-5-f-z-s-9-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info"

Sets value: "Default_Search_URL"

With data: "http://d-e-g-4-8-g-8-3-9-c-j-4-8-9-m-i-e-0-3.-a-8-1-i-g-9-1-.u-l-c-6-e-p-a-a-0-z-m-s-m-00-v-2-i-7-5-f-l-7-7-l-t-j-h-h-9.info"

Sets value: "Default_Page_URL"

With data: "http://0-u-5-3-s-b-7-3.-2-t-9-j-j-.5-b-e-n-t-f-p-p-7-1-1-0-7-c-q-0-3-00-6-u-7-t-1-n-y-q-u-f-u.info"

The display of the following messages:

Escucha Musica Online de Tus Generos Favoritos

Hola!! En http://www.nueva*****.fm podrás encontrar: letras de canciones, vídeos de música, wallpapers  música, foros de música

Nueva*****.FM es el sitio de musica a la carta con mayor cantidad de canciones musicas y lyrics para escuchar en diferentes generos

Escucha música gratis online, Internet radio y disfruta de los los últimos videos. Entérate de todas las novedades de la música en español

Lo mejor de la música, tus artistas favoritos, fotos, videos gratis, radio, fotos, ultimas noticias.

Musica del Recuerdo, portal dedicado exclusivamente a la musica del recuerdo, musica romantica, musica gratis y video clips.

Ingresa ahora a http://nueva*****.fm

Los videos mas Calientes de la Red! a un solo Click!

Visitame en http://nueva*****.fm
再次提示，此蠕虫依靠可移动存储设备传播。

显示全部楼层 · 发表于 2014-8-25 10:03:20

看不懂啊

显示全部楼层 · 发表于 2014-8-25 14:01:10

菊部地区有血发表于 2014-8-25 10:03
看不懂啊

那，用翻译引擎来翻译一下吧。。

显示全部楼层 · 发表于 2014-8-25 18:35:08

直接拉到底了，不想看啊，谁能给个翻译？

显示全部楼层 · 发表于 2014-8-25 20:20:51

woys123 发表于 2014-8-25 18:35
直接拉到底了，不想看啊，谁能给个翻译？

支持你，我就是这样的。

我使用傲游云浏览器

显示全部楼层 · 发表于 2014-8-25 23:38:27

woys123 发表于 2014-8-25 18:35
直接拉到底了，不想看啊，谁能给个翻译？

这个蠕虫，其实不说也都知道，是被观察了很久以后才发布的更新。

蠕虫发作以后，会进行大量的外链，阻止用户打开绝大多数的安全软件和安全类网站，更改浏览器主页等等多个行为。

不是简单的拉黑处理。WD 现在没有那么强大……

显示全部楼层 · 发表于 2014-8-25 23:39:22

玉米包粟发表于 2014-8-25 20:20
支持你，我就是这样的。

走马观花不好啊。。哈哈

好好看看，也了解一下微软针对一个恶意程序进行了怎样的观测和结果收集补充。

[新手上路] MMPC 之蠕虫（Worm:Win32/Esfury）分析，篇幅太长，你有耐心看完吗？