局域网共享软件

pal家族

vm001 发表于 2015-3-28 21:44
360拦截net没有验证命令行而已，只不过本软件是用net开启了来宾账户，被360误认为实在修改登录密码

所以说应该是安全的。

神迹般存在

————————————————————
MISS
已经上报，附图：



————————————————————
轻度风险
[mw_shl_code=css,true]基本信息
文件名称：       
局域网共享软件.exe
MD5：        891f426f3631f024d7fcbf51056fef0b
文件类型：        EXE
上传时间：        2015-03-29 11:55:11
出品公司：        N/A
版本：        N/A
壳或编译器信息：        COMPILER:Elan
关键行为
行为描述：        设置特殊文件夹属性
详情信息：       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：        隐藏指定窗口
详情信息：       
[Window,Class] = [完全控制,Button]
[Window,Class] = [只读模式,Button]
[Window,Class] = [读、写,Button]
[Window,Class] = [打开卤中仙网站,Button]
[Window,Class] = [如果您有朋友或者是自己想开一家熟食店，请点击联系我们,Afx:400000:b:10391:1900015:0]
[Window,Class] = [超级按钮,Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [第三步：权限设置：,Afx:400000:b:10011:1900015:0]
[Window,Class] = [ 您的文件夹（磁盘）已经共享，对方电脑可通过：开始-运行-“\\您的IP地址”就可以访问到本机。如果你要共享打印机，请点击共享打印机图标，右击你要共享的打印机，你就可以
[Window,Class] = [恭喜，已完成共享！,Afx:400000:b:10011:1900015:0]
[Window,Class] = [不设置权限,Button]
[Window,Class] = [,Afx:400000:b:10011:1900015:0]
[Window,Class] = [开启共享中。。。,Afx:400000:b:10011:1900015:0]
[Window,Class] = [第一步：选择共享方式：,Afx:400000:b:10011:1900015:0]
[Window,Class] = [开启局域网共享(对方访问本机要填用户名和密码),Button]
进程行为
行为描述：        隐藏窗口创建进程
详情信息：       
ImagePath = , CmdLine = c:\monitor\works.bat
ImagePath = , CmdLine = c:\monitor\开启共享.bat
行为描述：        创建进程
详情信息：       
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c c:\monitor\works.bat
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net config workstation
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find "工作站域"
ImagePath = C:\WINDOWS\system32\find.exe, CmdLine = find /V "DNS"
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 config workstation
ImagePath = C:\WINDOWS\system32\cmd.exe, CmdLine = cmd /c c:\monitor\开启共享.bat
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = NET USER Guest /active:yes
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 USER Guest /active:yes
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = NET USER Guest /passwordreq:no
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 USER Guest /passwordreq:no
ImagePath = C:\WINDOWS\system32\secedit.exe, CmdLine = Secedit /configure /cfg "security.inf" /db secsetup.sdb /areas USER_RIGHTS /verbose
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net user guest /active:yes
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 user guest /active:yes
ImagePath = C:\WINDOWS\system32\net.exe, CmdLine = net user guest ""
ImagePath = C:\WINDOWS\system32\net1.exe, CmdLine = net1 user guest ""
文件行为
行为描述：        写权限映射文件
详情信息：       
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.EOJ..GMIFF
MSCTF.MarshalInterface.FileMap.EOJ.B.GMIFF
MSCTF.MarshalInterface.FileMap.EOJ.C.GMIFF
MSCTF.MarshalInterface.FileMap.EOJ.D.GMIFF
MSCTF.MarshalInterface.FileMap.EOJ.E.GMIFF
MSCTF.MarshalInterface.FileMap.EOJ.F.GMIFF
MSCTF.MarshalInterface.FileMap.EOJ.G.GMIFF
MSCTF.Shared.SFM.EOJ
行为描述：        设置特殊文件夹属性
详情信息：       
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
行为描述：        修改文件内容
详情信息：       
C:\monitor\works.bat---> Offset = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\不通时.txt---> Offset = 0
C:\monitor\开启共享.reg---> Offset = 0
C:\monitor\security.inf---> Offset = 0
C:\monitor\开启共享.bat---> Offset = 0
网络行为
行为描述：        连接指定站点
详情信息：       
InternetConnectA: ServerName = www.hrcygs.com, PORT = 80
行为描述：        枚举网络共享资源
详情信息：       
N/A
行为描述：        读取网络文件
详情信息：       
hFile = 0x00000604, BytesToRead =10240, BytesRead = 10240.
行为描述：        打开HTTP请求
详情信息：       
HttpOpenRequestA: www.hrcygs.com:80/gg/jyw.gif, hConnect = 0x00000608
HttpOpenRequestA: www.hrcygs.com:80/tj, hConnect = 0x000005f8
注册表行为
行为描述：        修改注册表
详情信息：       
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Epoch\Epoch
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LogonTime
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch
其他行为
行为描述：        创建互斥体
详情信息：       
RasPbFile
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.Shared.MUTEX.AEH
SHIMLIB_LOG_MUTEX
MSCTF.Shared.MUTEX.EOJ
行为描述：        查找指定窗口
详情信息：       
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
NtUserFindWindowEx: [Class,Window] = [RegEdit_RegEdit,]
行为描述：        隐藏指定窗口
详情信息：       
[Window,Class] = [完全控制,Button]
[Window,Class] = [只读模式,Button]
[Window,Class] = [读、写,Button]
[Window,Class] = [打开卤中仙网站,Button]
[Window,Class] = [如果您有朋友或者是自己想开一家熟食店，请点击联系我们,Afx:400000:b:10391:1900015:0]
[Window,Class] = [超级按钮,Button]
[Window,Class] = [,SysListView32]
[Window,Class] = [第三步：权限设置：,Afx:400000:b:10011:1900015:0]
[Window,Class] = [ 您的文件夹（磁盘）已经共享，对方电脑可通过：开始-运行-“\\您的IP地址”就可以访问到本机。如果你要共享打印机，请点击共享打印机图标，右击你要共享的打印机，你就可以
[Window,Class] = [恭喜，已完成共享！,Afx:400000:b:10011:1900015:0]
[Window,Class] = [不设置权限,Button]
[Window,Class] = [,Afx:400000:b:10011:1900015:0]
[Window,Class] = [开启共享中。。。,Afx:400000:b:10011:1900015:0]
[Window,Class] = [第一步：选择共享方式：,Afx:400000:b:10011:1900015:0]
[Window,Class] = [开启局域网共享(对方访问本机要填用户名和密码),Button]
行为描述：        窗口信息
详情信息：       
Pid = 2528, Hwnd=0x1036c, Text = 下一步, ClassName = Button.
Pid = 2528, Hwnd=0x1036a, Text = 上一步, ClassName = Button.
Pid = 2528, Hwnd=0x10368, Text = 不再显示设置向导, ClassName = Button(CheckBox).
Pid = 2528, Hwnd=0x10390, Text = 不设置权限, ClassName = Button(RadioButton).
Pid = 2528, Hwnd=0x1038c, Text = 恭喜，已完成共享！, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2528, Hwnd=0x1038a, Text = 您的文件夹（磁盘）已经共享，对方电脑可通过：开始-运行-“\\您的IP地址”就可以访问到本机。如果你要共享打印机，请点击共享打印机图, ClassName = Afx:400000:b:10011:19000
Pid = 2528, Hwnd=0x10388, Text = 第三步：权限设置：, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2528, Hwnd=0x10380, Text = 超级按钮, ClassName = Button.
Pid = 2528, Hwnd=0x1037e, Text = 第一步：选择共享方式：, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 2528, Hwnd=0x1037c, Text = 如果您有朋友或者是自己想开一家熟食店，请点击联系我们, ClassName = Afx:400000:b:10391:1900015:0.
Pid = 2528, Hwnd=0x1037a, Text = 打开卤中仙网站, ClassName = Button(CheckBox).
Pid = 2528, Hwnd=0x10378, Text = 读、写, ClassName = Button(RadioButton).
Pid = 2528, Hwnd=0x10376, Text = 只读模式, ClassName = Button(RadioButton).
Pid = 2528, Hwnd=0x10374, Text = 完全控制, ClassName = Button(RadioButton).
Pid = 2528, Hwnd=0x10372, Text = 开启局域网共享(对方访问本机要填用户名和密码), ClassName = Button(RadioButton).[/mw_shl_code]
运行截图


P.S.@pal家族 有风险的。看分析：点击以转到分析结果

神迹般存在

Hello,

局域网共享软件.exe - not-a-virus:RiskTool.Win32.FlyStudio.bzk

New malicious software was found in the attached file. Its detection will be included in the next update.
Thank you for your help.

Best Regards, Cobber Tuo
Malware Analyst, Kaspersky Lab.

39A/3 Leningradskoe Shosse, Moscow, 125212, Russia  Tel./Fax: + 7 (495) 797 8700  http://www.kaspersky.com http://www.viruslist.com

@阿童木来了 @pal家族