惡意軟體-TnPUI.dll_Error_Repair_Tool-WinThruster

显示全部楼层 · 发表于 2015-3-19 19:49:13

http://pan.baidu.com/s/1ycb1O 提取密码 jqa8

infected

[mw_shl_code=css,true]已隔離 WinFixer.BMS(Argon) 已隔離; C:\Users\lan\Downloads\TnPUI.dll_Error_Repair_Tool-WinThruster.exe[/mw_shl_code]

显示全部楼层 · 发表于 2015-3-19 19:58:22

SUD to BAV
和MT的样本包里面一个样本hash一致

显示全部楼层 · 发表于 2015-3-19 20:06:22

本帖最后由诸葛亮于 2015-3-19 20:08 编辑

红伞miss

显示全部楼层 · 发表于 2015-3-19 20:09:13

ESET繁中版报到：Win32/Systwak潜在的不被需要的应用程式。

显示全部楼层 · 发表于 2015-3-19 20:13:16

上报百度

显示全部楼层 · 发表于 2015-3-19 20:41:28

Q管未报已上报

显示全部楼层 · 发表于 2015-3-19 20:51:41

腾讯哈勃分析

文件名称：
TnPUI.dll_Error_Repair_Tool-WinThruster.exe
MD5：    c7969516d87176867bd5ae772967006f
文件类型：    EXE
上传时间：    2015-03-19 20:47:56
出品公司：    solvusoft Corporation
版本：    1.79.0.0---WinThruster
壳或编译器信息：    COMPILER:Borland Delphi 6.0 - 7.0 [Overlay]
关键行为
行为描述：    隐藏指定窗口
详情信息：
[Window,Class] = [安装程序,TApplication]
[Window,Class] = [,ComboLBox]
[Window,Class] = [安装程序 - WinThruster,TWizardForm]
[Window,Class] = [,Button]
[Window,Class] = [Submit Feedback,Button]
[Window,Class] = [,#32770]
[Window,Class] = [语言设置,#32770]
[Window,Class] = [Stop Cleaning,Button]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [WinThruster,#32770]
行为描述：    探测 Virtual PC 是否存在
详情信息：
N/A
行为描述：    在桌面创建快捷方式
详情信息：
C:\Documents and Settings\All Users\桌面\WinThruster.lnk
行为描述：    获取文件属性探测VMware
详情信息：
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.ex
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.e
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretra
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretr
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaret
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmware
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwar
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwa
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmw
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vm
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\v
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\
行为描述：    设置特殊文件夹属性
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：    查找反病毒常用工具窗口
详情信息：
NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]
行为描述：    修改注册表_启动项
详情信息：
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\WinThrusterReminder
进程行为
行为描述：    创建新文件进程
详情信息：
ImagePath = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-G6VET.tmp\sample.tmp, CmdLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-G6VET.tmp\sample.tmp" /SL5="$1034C,3416180,143360,c:\%temp%\1426769347.993443.exe"
ImagePath = C:\Program Files\WinThruster\WinThruster.exe, CmdLine = "C:\Program Files\WinThruster\WinThruster.exe"
文件行为
行为描述：    在系统敏感位置（如开始菜单等)释放链接或快捷方式
详情信息：
C:\Documents and Settings\All Users\「开始」菜单\程序\WinThruster\WinThruster.lnk
C:\Documents and Settings\All Users\「开始」菜单\程序\WinThruster\卸载 WinThruster.lnk
行为描述：    添加计划任务
详情信息：
C:\WINDOWS\Tasks\WinThruster_UPDATES.job
C:\WINDOWS\Tasks\WinThruster_DEFAULT.job
行为描述：    创建可执行文件
详情信息：
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-G6VET.tmp\sample.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-SR504.tmp\_isetup\_shfoldr.dll
C:\Program Files\WinThruster\is-SVTQ1.tmp
C:\Program Files\WinThruster\is-8219R.tmp
C:\Program Files\WinThruster\is-EO3JU.tmp
C:\Program Files\WinThruster\is-26GC5.tmp
C:\Program Files\WinThruster\is-KUTFH.tmp
C:\Program Files\WinThruster\is-DI676.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-SR504.tmp\roboot.exe
C:\WINDOWS\system32\roboot.exe
行为描述：    在桌面创建快捷方式
详情信息：
C:\Documents and Settings\All Users\桌面\WinThruster.lnk
行为描述：    写权限映射文件
详情信息：
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.IJK..MLEGF
MSCTF.MarshalInterface.FileMap.IJK.B.MMEGF
MSCTF.MarshalInterface.FileMap.IJK.C.MMEGF
MSCTF.MarshalInterface.FileMap.IJK.D.MMEGF
MSCTF.MarshalInterface.FileMap.IJK.E.MMEGF
MSCTF.MarshalInterface.FileMap.IJK.F.MMEGF
MSCTF.MarshalInterface.FileMap.IJK.G.MMEGF
\WINDOWS\system32\zh-cn\ieframe.dll.mui
Local\!PrivacIE!SharedMem!Counter
LSI-00239F2F
FFDD4A01::SharedIndexInfo
Local\UrlZonesSM_Administrator
MSCTF.MarshalInterface.FileMap.IP..JOOIF
\WINDOWS\system32\zh-cn\jscript.dll.mui
行为描述：    重命名文件
详情信息：
C:\Program Files\WinThruster\is-SVTQ1.tmp ---> C:\Program Files\WinThruster\unins000.exe
C:\Program Files\WinThruster\is-8219R.tmp ---> C:\Program Files\WinThruster\WinThruster.exe
C:\Program Files\WinThruster\is-CM005.tmp ---> C:\Program Files\WinThruster\install_left_image.bmp
C:\Program Files\WinThruster\is-EO3JU.tmp ---> C:\Program Files\WinThruster\RegCleanPro.dll
C:\Program Files\WinThruster\is-26GC5.tmp ---> C:\Program Files\WinThruster\isxdl.dll
C:\Program Files\WinThruster\is-KUTFH.tmp ---> C:\Program Files\WinThruster\CleanSchedule.exe
C:\Program Files\WinThruster\is-5T9JH.tmp ---> C:\Program Files\WinThruster\Chinese_rcp.ini
C:\Program Files\WinThruster\is-C637T.tmp ---> C:\Program Files\WinThruster\Danish_rcp.ini
C:\Program Files\WinThruster\is-4ESF0.tmp ---> C:\Program Files\WinThruster\Dutch_rcp.ini
C:\Program Files\WinThruster\is-8JVON.tmp ---> C:\Program Files\WinThruster\eng_rcp.ini
C:\Program Files\WinThruster\is-2PI8H.tmp ---> C:\Program Files\WinThruster\French_rcp.ini
C:\Program Files\WinThruster\is-LP0JP.tmp ---> C:\Program Files\WinThruster\German_rcp.ini
C:\Program Files\WinThruster\is-NC9PA.tmp ---> C:\Program Files\WinThruster\Italian_rcp.ini
C:\Program Files\WinThruster\is-FG6N6.tmp ---> C:\Program Files\WinThruster\Japanese_rcp.ini
C:\Program Files\WinThruster\is-DVANQ.tmp ---> C:\Program Files\WinThruster\Norwegian_rcp.ini
行为描述：    设置特殊文件夹属性
详情信息：
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：    修改文件内容
详情信息：
C:\Program Files\WinThruster\is-CM005.tmp---> Offset = 0
C:\Program Files\WinThruster\is-5T9JH.tmp---> Offset = 0
C:\Program Files\WinThruster\is-C637T.tmp---> Offset = 0
C:\Program Files\WinThruster\is-4ESF0.tmp---> Offset = 0
C:\Program Files\WinThruster\is-8JVON.tmp---> Offset = 0
C:\Program Files\WinThruster\is-2PI8H.tmp---> Offset = 0
C:\Program Files\WinThruster\is-LP0JP.tmp---> Offset = 0
C:\Program Files\WinThruster\is-NC9PA.tmp---> Offset = 0
C:\Program Files\WinThruster\is-FG6N6.tmp---> Offset = 0
C:\Program Files\WinThruster\is-DVANQ.tmp---> Offset = 0
C:\Program Files\WinThruster\is-M87J9.tmp---> Offset = 0
C:\Program Files\WinThruster\is-K7BLP.tmp---> Offset = 0
C:\Program Files\WinThruster\is-I1B0L.tmp---> Offset = 0
C:\Program Files\WinThruster\is-S16E6.tmp---> Offset = 0
C:\Program Files\WinThruster\is-0LH65.tmp---> Offset = 0
注册表行为
行为描述：    修改注册表
详情信息：
\REGISTRY\MACHINE\SOFTWARE\Solvusoft\WinThruster\utm_source
\REGISTRY\MACHINE\SOFTWARE\Solvusoft\WinThruster\utm_campaign
\REGISTRY\MACHINE\SOFTWARE\Solvusoft\WinThruster\utm_medium
\REGISTRY\MACHINE\SOFTWARE\Solvusoft\WinThruster\RCPURL
\REGISTRY\MACHINE\SOFTWARE\Solvusoft\WinThruster\RENEWALURL
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Solvusoft\WinThruster\StartAutoScanPMUI
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Solvusoft\WinThruster\StartAutoScanOnLaunch
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Solvusoft\WinThruster\StartAutoTutorial
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Solvusoft\WinThruster\TrialType
\REGISTRY\MACHINE\SOFTWARE\Solvusoft\WinThruster\MaxFixLimit
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1\Inno Setup: Setup Version
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1\Inno Setup: App Path
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1\InstallLocation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1\Inno Setup: Icon Group
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinThruster_is1\Inno Setup: User
行为描述：    删除注册表键值
详情信息：
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{53E92080-F0A9-E162-CA8B-E9948C8D19A4}\0
行为描述：    修改注册表_启动项
详情信息：
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\WinThrusterReminder
其他行为
行为描述：    创建互斥体
详情信息：
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
_SHuassist.mtx
Local\!PrivacIE!SharedMemory!Mutex
RAL00239F2F
00239F2F::WK
Local\WINTHRUSTER_6617C292-CE6F-4959-9B56-94CB9C072E57
Local\ZonesCounterMutex
Local\ZoneAttributeCacheCounterMutex
Local\ZonesCacheCounterMutex
行为描述：    隐藏指定窗口
详情信息：
[Window,Class] = [安装程序,TApplication]
[Window,Class] = [,ComboLBox]
[Window,Class] = [安装程序 - WinThruster,TWizardForm]
[Window,Class] = [,Button]
[Window,Class] = [Submit Feedback,Button]
[Window,Class] = [,#32770]
[Window,Class] = [语言设置,#32770]
[Window,Class] = [Stop Cleaning,Button]
[Window,Class] = [,msctls_progress32]
[Window,Class] = [WinThruster,#32770]
行为描述：    直接操作物理设备
详情信息：
\??\PHYSICALDRIVE0
行为描述：    查找指定窗口
详情信息：
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [MS_AutodialMonitor,]
NtUserFindWindowEx: [Class,Window] = [MS_WebCheckMonitor,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
行为描述：    探测 Virtual PC 是否存在
详情信息：
N/A
行为描述：    枚举窗口
详情信息：
N/A
行为描述：    获取系统权限
详情信息：
SE_LOAD_DRIVER_PRIVILEGE
SE_INC_BASE_PRIORITY_PRIVILEGE
行为描述：    窗口信息
详情信息：
Pid = 2708, Hwnd=0x10386, Text = 单击以下的“下一步”按钮表示您同意《最终用户许可协议》 , ClassName = TNewStaticText.
Pid = 2708, Hwnd=0x10384, Text = 《最终用户许可协议》, ClassName = TNewStaticText.
Pid = 2708, Hwnd=0x10382, Text = 欢迎安装 WinThruster , ClassName = TNewStaticText.
Pid = 2708, Hwnd=0x10380, Text = 即将在您的计算机上安装 WinThruster。建议您关闭所有的运行程序后继续。点击下一步继续，点击取消取消安装。, ClassName = TNewStaticText.
Pid = 2708, Hwnd=0x10368, Text = C:\Program Files\WinThruster, ClassName = TEdit.
Pid = 2708, Hwnd=0x1037c, Text = 下一步(&N) >, ClassName = TNewButton.
Pid = 2708, Hwnd=0x1037a, Text = 取消, ClassName = TNewButton.
Pid = 2708, Hwnd=0x2035e, Text = 安装程序 - WinThruster, ClassName = TWizardForm.
Pid = 476, Hwnd=0x4034e, Text = WinThruster, ClassName = #32770.
Pid = 476, Hwnd=0x103e8, Text = Home - 0, ClassName = Button.
Pid = 476, Hwnd=0x103e6, Text = Scan Registry - 0, ClassName = Button.
Pid = 476, Hwnd=0x103e4, Text = Optimize Registry - 0, ClassName = Button.
Pid = 476, Hwnd=0x103e2, Text = Backup Registry - 0, ClassName = Button.
Pid = 476, Hwnd=0x103e0, Text = Settings - 0, ClassName = Button.
Pid = 476, Hwnd=0x103de, Text = Buy Now - 0, ClassName = Button.
行为描述：    获取文件属性探测VMware
详情信息：
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.exe
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.ex
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.e
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray.
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretray
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretra
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaretr
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwaret
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmware
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwar
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmwa
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vmw
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\vm
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\v
GetFileAttributes: FileName = c:\program files\vmware\vmware tools\
行为描述：    打开图片文件
详情信息：
\Program Files\WinThruster\install_left_image.bmp
行为描述：    查找反病毒常用工具窗口
详情信息：
NtUserFindWindowEx: [Class,Window] = [FileMonClass,]
NtUserFindWindowEx: [Class,Window] = [RegMonClass,]
NtUserFindWindowEx: [Class,Window] = [PROCMON_WINDOW_CLASS,]

显示全部楼层 · 发表于 2015-3-19 20:52:26

本帖最后由 230f4 于 2015-3-19 23:53 编辑

KIS未解压扫描，不再测试

显示全部楼层 · 发表于 2015-3-19 21:17:55

上报卡巴！！！

显示全部楼层 · 发表于 2015-3-19 21:58:05

230f4 发表于 2015-3-19 20:52
KIS扫描安全

n22

[病毒样本] 惡意軟體-TnPUI.dll_Error_Repair_Tool-WinThruster

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块