KIS missed
Have sent to KL.
HOB analysis result:
[mw_shl_code=css,true]Basic information
File name:
远程.exe
MD5: 57a563590aca93ce3ebc0dc8b667baff
File type: EXE
Upload time: 2015-08-01 18:17:28
Publisher: TeamViewer GmbH
Version: 4.1.6080.0---4.1.6080.0
Packer or compiler info: N/A
Key behaviors
Behavior: creates file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.IBI..GGJIG
MSCTF.MarshalInterface.FileMap.IBI.B.FIJIG
MSCTF.MarshalInterface.FileMap.IBI.C.FIJIG
MSCTF.MarshalInterface.FileMap.IBI.D.FIJIG
MSCTF.MarshalInterface.FileMap.IBI.E.FJJIG
MSCTF.MarshalInterface.FileMap.IBI.F.FJJIG
MSCTF.MarshalInterface.FileMap.IBI.G.FJJIG
MSCTF.Shared.SFM.IBI
MSCTF.MarshalInterface.FileMap.IBI.H.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.I.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.J.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.K.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.L.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.M.BAOMG
Behavior: sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Behavior: hides specified windows
Details:
[Window,Class] = [,ComboLBox]
[Window,Class] = [,ComboBox]
[Window,Class] = [邀请邮件,Static]
[Window,Class] = [登录伙伴,Static]
[Window,Class] = [http://go.teamviewer.com,Static]
[Window,Class] = [,ATL:00788210]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [,BuddyList]
[Window,Class] = [,Static]
[Window,Class] = [取消连接,Button]
[Window,Class] = [4,Button]
Behavior: resolves host address by name
Details:
ping3.dyngate.com
master4.teamviewer.com
master1.teamviewer.com
master2.teamviewer.com
master3.teamviewer.com
master5.teamviewer.com
master6.teamviewer.com
master7.teamviewer.com
master8.teamviewer.com
master9.teamviewer.com
master10.teamviewer.com
master11.teamviewer.com
master12.teamviewer.com
master13.teamviewer.com
master14.teamviewer.com
File behaviors
Behavior: creates file mapping with write access
Details:
CiceroSharedMemDefaultS-1-5-21-1482476501-1645522239-1417001333-500
MSCTF.MarshalInterface.FileMap.IBI..GGJIG
MSCTF.MarshalInterface.FileMap.IBI.B.FIJIG
MSCTF.MarshalInterface.FileMap.IBI.C.FIJIG
MSCTF.MarshalInterface.FileMap.IBI.D.FIJIG
MSCTF.MarshalInterface.FileMap.IBI.E.FJJIG
MSCTF.MarshalInterface.FileMap.IBI.F.FJJIG
MSCTF.MarshalInterface.FileMap.IBI.G.FJJIG
MSCTF.Shared.SFM.IBI
MSCTF.MarshalInterface.FileMap.IBI.H.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.I.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.J.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.K.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.L.BAOMG
MSCTF.MarshalInterface.FileMap.IBI.M.BAOMG
Behavior: sets special folder attributes
Details:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\Administrator\Local Settings\History
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5
C:\Documents and Settings\Administrator\Cookies
Network behaviors
Behavior: connects to specified site
Details:
InternetConnectA: ServerName = master4.teamviewer.com, PORT = 0
InternetConnectA: ServerName = master.dyngate.com, PORT = 0
InternetConnectA: ServerName = master6.teamviewer.com, PORT = 0
InternetConnectA: ServerName = master15.teamviewer.com, PORT = 0
InternetConnectA: ServerName = master8.teamviewer.com, PORT = 0
Behavior: establishes a connection to a specified socket
Details:
219.133.40.1:5938
Behavior: enumerates network shares
Details:
N/A
Behavior: opens HTTP request
Details:
HttpOpenRequestA: master4.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000001, hConnect = 0x00000548
HttpOpenRequestA: master4.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000002, hConnect = 0x00000548
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000001, hConnect = 0x00000550
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000002, hConnect = 0x00000550
HttpOpenRequestA: master6.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000001, hConnect = 0x00000530
HttpOpenRequestA: master6.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000002, hConnect = 0x00000530
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000001, hConnect = 0x00000534
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000002, hConnect = 0x00000534
HttpOpenRequestA: master15.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000001, hConnect = 0x00000524
HttpOpenRequestA: master15.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=540593031&p=10000002, hConnect = 0x00000524
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=220644690&p=10000001, hConnect = 0x000004fc
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=220644690&p=10000002, hConnect = 0x000004fc
HttpOpenRequestA: master8.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=220644690&p=10000001, hConnect = 0x000004f8
HttpOpenRequestA: master8.teamviewer.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=220644690&p=10000002, hConnect = 0x000004f8
HttpOpenRequestA: master.dyngate.com:0/din.aspx?s=00000000&id=0&client=dyngate&rnd=220644690&p=10000001, hConnect = 0x000004ec
Behavior: resolves host address by name
Details:
ping3.dyngate.com
master4.teamviewer.com
master1.teamviewer.com
master2.teamviewer.com
master3.teamviewer.com
master5.teamviewer.com
master6.teamviewer.com
master7.teamviewer.com
master8.teamviewer.com
master9.teamviewer.com
master10.teamviewer.com
master11.teamviewer.com
master12.teamviewer.com
master13.teamviewer.com
master14.teamviewer.com
Registry behaviors
Behavior: modifies registry
Details:
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\ManualStop
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\Version
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\ClientID
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\ClientIC
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\LicenseType
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\GatewayAllowed
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\ListenHttp
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\useUDP
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\Gatewayname
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\CustomRouter
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\LastRouterPerformance
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\LastKeepalivePerformance
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\VpnIP
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\MinimizeToTray
\REGISTRY\MACHINE\SOFTWARE\TeamViewer\Version4\TotalSessions
Other behaviors
Behavior: finds specified window
Details:
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [TrayNotifyWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: window information
Details:
Pid = 2068, Hwnd=0x20350, Text = 取消(&C), ClassName = Button.
Pid = 2068, Hwnd=0x2034c, Text = 4, ClassName = Button.
Pid = 2068, Hwnd=0x20316, Text = 代理设置, ClassName = Button.
Pid = 2068, Hwnd=0x20318, Text = 重试(&T) (29), ClassName = Button.
Pid = 2068, Hwnd=0x20320, Text = 请检查您的 Internet 连接。 您可能正在使用代理服务器,您必须在选项对话框中输入正确的信息。, ClassName = Static.
Pid = 2068, Hwnd=0x2031a, Text = 不再显示此对话框, ClassName = Button(CheckBox).
Pid = 2068, Hwnd=0x2034e, Text = 未接连到 TeamViewer 服务器, ClassName = #32770.
Pid = 2068, Hwnd=0x40246, Text = 请输入伙伴的 ID 以创建连接。, ClassName = Static.
Pid = 2068, Hwnd=0x50216, Text = ID, ClassName = Static.
Pid = 2068, Hwnd=0x60214, Text = 远程支持, ClassName = Button(RadioButton).
Pid = 2068, Hwnd=0x5020a, Text = 演示, ClassName = Button(RadioButton).
Pid = 2068, Hwnd=0x50208, Text = 文件传输, ClassName = Button(RadioButton).
Pid = 2068, Hwnd=0x60212, Text = VPN, ClassName = Button(RadioButton).
Pid = 2068, Hwnd=0x301f0, Text = 连接至伙伴, ClassName = Button.
Pid = 2068, Hwnd=0x301ec, Text = ID, ClassName = Static.
Behavior: hides specified windows
Details:
[Window,Class] = [,ComboLBox]
[Window,Class] = [,ComboBox]
[Window,Class] = [邀请邮件,Static]
[Window,Class] = [登录伙伴,Static]
[Window,Class] = [http://go.teamviewer.com,Static]
[Window,Class] = [,ATL:00788210]
[Window,Class] = [,tooltips_class32]
[Window,Class] = [,BuddyList]
[Window,Class] = [,Static]
[Window,Class] = [取消连接,Button]
[Window,Class] = [4,Button]
Behavior: creates mutex
Details:
CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500
TeamViewer3_Win32_Instance_Mutex
TeamViewer_Win32_Instance_Mutex
DynGateInstanceMutex
MSCTF.Shared.MUTEX.AEH
MSCTF.Shared.MUTEX.IBI
Behavior: acquires system privilege
Details:
SE_LOAD_DRIVER_PRIVILEGE[/mw_shl_code]
Runtime screenshot

Finally, a brief analysis: although this is remote control software, it works by registering an ID and requires the controlled machine to grant permission before a remote session can take place. It is somewhat similar to Oray's 向日葵 (Sunlogin) and Windows Remote Assistance, so it is not a virus; your security software produced a false positive. Just report it as a false-positive file.