Rootkit 3X-麻辣香锅MLXG病毒最新变种

wwwab

恶意URLs：jhgj.njxwang.com、win.xzhyl.top
火绒报告：https://bbs.huorong.cn/thread-87756-1-1.html
和以往不同的是，该版本的病毒除了劫持用户流量以外，还会劫持安全厂商提供的专杀工具的下载地址（如火绒的专杀工具），从而能够长久驻留用户电脑中。

微云：https://share.weiyun.com/JYb6ssoX
文叔叔：https://ws28.cn/f/5z93k6n7zxs 复制链接到浏览器打开

hsks

https://bbs.kafan.cn/thread-2213207-1-1.html

wwwab

hsks 发表于 2021-7-24 09:33
https://bbs.kafan.cn/thread-2213207-1-1.html

他那个样本不全，是根据报告下面的哈希值下载的，火绒只是以一例样本进行分析的，所以就只有暴风版本与其衍生物和一堆sys驱动文件

我这是从病毒网站上面下载的，暴风小马kms版本几例的的样本全都有的，只不过没提取出来与其衍生物以及sys驱动文件而已

所以，是不一样的哦

救命稻草

1. Virus check with G DATA INTERNET SECURITY
   
2. Version 25.5.11.112 (2021/3/25)
   
3. Virus signature dated 2021/7/24
   
4. Start time: 2021/7/24 9:35:54
   
5. Engine(s): Engine A (AVA 25.30375), Engine B (GD 27.23830)
   
6. Heuristics: On
   
7. Archives: On
   
8. System areas: Off
   
9. Check rootkits: Off
   
10. 
    
11. Check the following directories and files:
    
12.   C:\Users\Jkc\Desktop\virus\归档\
    
13. 
    
14. Analysis performed in full: 2021/7/24 9:36:06
    
15.     3 files checked
    
16.     3 infected files detected
    
17.     0 suspicious files found
    
18. 
    
19. 
    
20. Object: xiaoma.exe
    
21.         Path: C:\Users\Jkc\Desktop\virus\归档
    
22.         Status: Junkware (PUP) found
    
23.         Junkware (PUP): Dropped:Application.Hacktool.DisableDefender.E (Engine A)
    
24. 
    
25. Object: baofeng.exe
    
26.         Path: C:\Users\Jkc\Desktop\virus\归档
    
27.         Status: Junkware (PUP) found
    
28.         Junkware (PUP): Dropped:Application.Hacktool.DisableDefender.E (Engine A)
    
29. 
    
30. Archive: HEU_KMS.exe
    
31.         Path: C:\Users\Jkc\Desktop\virus\归档
    
32.         Status: Virus detected
    
33.         Virus: Application.Hacktool.AFJ (3x), Application.Hacktool.APE (3x), Application.Hacktool.APF (3x), Application.Hacktool.DisableDefender.E, Application.Hacktool.KMSActivator.AR (3x), Application.Hacktool.KMSActivator.FU (3x), Application.Hacktool.KMSActivator.FV (3x), Trojan.GenericKD.37275870 (Engine A)
    
34.         ----------------------------------------------------------------
    
35.         Object: (NSIS o)=>dControl.exe
    
36.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
37.                 Status: Junkware (PUP) found
    
38.                 Junkware (PUP): Application.Hacktool.DisableDefender.E
    
39.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(Dropped 6)=>HEU_KMS.exe=>KMSmini.7z=>HEU_KMS_Service.exe
    
40.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
41.                 Status: Junkware (PUP) found
    
42.                 Junkware (PUP): Application.Hacktool.KMSActivator.AR
    
43.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(Dropped 6)=>HEU_KMS.exe=>KMSmini.7z=>KMSClient.exe
    
44.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
45.                 Status: Junkware (PUP) found
    
46.                 Junkware (PUP): Application.Hacktool.KMSActivator.FU
    
47.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(Dropped 6)=>HEU_KMS.exe=>KMSmini.7z=>KMSServer.exe
    
48.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
49.                 Status: Junkware (PUP) found
    
50.                 Junkware (PUP): Application.Hacktool.KMSActivator.FV
    
51.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(Dropped 6)=>HEU_KMS.exe=>KMSmini.7z=>x64/SppExtComObj.Exe
    
52.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
53.                 Status: Junkware (PUP) found
    
54.                 Junkware (PUP): Application.Hacktool.AFJ
    
55.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(Dropped 6)=>HEU_KMS.exe=>KMSmini.7z=>x64/SppExtComObjHook.dll
    
56.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
57.                 Status: Junkware (PUP) found
    
58.                 Junkware (PUP): Application.Hacktool.APE
    
59.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(Dropped 6)=>HEU_KMS.exe=>KMSmini.7z=>x86/SppExtComObjHook.dll
    
60.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
61.                 Status: Junkware (PUP) found
    
62.                 Junkware (PUP): Application.Hacktool.APF
    
63.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>(AutoIT o)=>KMSmini.7z=>HEU_KMS_Service.exe
    
64.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
65.                 Status: Junkware (PUP) found
    
66.                 Junkware (PUP): Application.Hacktool.KMSActivator.AR
    
67.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>(AutoIT o)=>KMSmini.7z=>KMSClient.exe
    
68.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
69.                 Status: Junkware (PUP) found
    
70.                 Junkware (PUP): Application.Hacktool.KMSActivator.FU
    
71.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>(AutoIT o)=>KMSmini.7z=>KMSServer.exe
    
72.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
73.                 Status: Junkware (PUP) found
    
74.                 Junkware (PUP): Application.Hacktool.KMSActivator.FV
    
75.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>(AutoIT o)=>KMSmini.7z=>x64/SppExtComObj.Exe
    
76.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
77.                 Status: Junkware (PUP) found
    
78.                 Junkware (PUP): Application.Hacktool.AFJ
    
79.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>(AutoIT o)=>KMSmini.7z=>x64/SppExtComObjHook.dll
    
80.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
81.                 Status: Junkware (PUP) found
    
82.                 Junkware (PUP): Application.Hacktool.APE
    
83.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>(AutoIT o)=>KMSmini.7z=>x86/SppExtComObjHook.dll
    
84.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
85.                 Status: Junkware (PUP) found
    
86.                 Junkware (PUP): Application.Hacktool.APF
    
87.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>KMSmini.7z=>HEU_KMS_Service.exe
    
88.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
89.                 Status: Junkware (PUP) found
    
90.                 Junkware (PUP): Application.Hacktool.KMSActivator.AR
    
91.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>KMSmini.7z=>KMSClient.exe
    
92.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
93.                 Status: Junkware (PUP) found
    
94.                 Junkware (PUP): Application.Hacktool.KMSActivator.FU
    
95.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>KMSmini.7z=>KMSServer.exe
    
96.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
    
97.                 Status: Junkware (PUP) found
    
98.                 Junkware (PUP): Application.Hacktool.KMSActivator.FV
    
99.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>KMSmini.7z=>x64/SppExtComObj.Exe
    
100.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
     
101.                 Status: Junkware (PUP) found
     
102.                 Junkware (PUP): Application.Hacktool.AFJ
     
103.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>KMSmini.7z=>x64/SppExtComObjHook.dll
     
104.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
     
105.                 Status: Junkware (PUP) found
     
106.                 Junkware (PUP): Application.Hacktool.APE
     
107.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play15.dat=>HEU_KMS.exe=>KMSmini.7z=>x86/SppExtComObjHook.dll
     
108.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
     
109.                 Status: Junkware (PUP) found
     
110.                 Junkware (PUP): Application.Hacktool.APF
     
111.         Object: (NSIS o)=>HEU.dat=>HEU.exe=>(NSIS o)=>Play64.dat=>UfdsvtIopuy.sys
     
112.                 In archive: C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
     
113.                 Status: Virus detected
     
114.                 Virus: Trojan.GenericKD.37275870
     
115.         ----------------------------------------------------------------
     
116. 
     
117. The following files are password-protected:
     
118.         ----------------------------------------------------------------
     
119.         C:\Users\Jkc\Desktop\virus\归档\HEU_KMS.exe
     
120.         ----------------------------------------------------------------
     

复制代码

windows11BigSur

卡巴 kill all

狂欢...

C:\360极速浏览器下载\归档.zip=>HEU_KMS.exe        感染型病毒(Win32/HackTool.Generic.HgIASYUA)        已删除
C:\360极速浏览器下载\归档.zip=>baofeng.exe        感染型病毒(Win32/HackTool.Generic.HgIASYUA)        已删除
C:\360极速浏览器下载\归档.zip=>xiaoma.exe                感染型病毒(Win32/HackTool.Generic.HyoDjDoA)        已删除

wwwab

报hackdoor的我说什么好呢，完全就说不过去了，你哪怕报adware也倒还说得过去，这种就应该报trojan

zay365

wwwab 发表于 2021-7-24 10:20
报hackdoor的我说什么好呢，完全就说不过去了，你哪怕报adware也倒还说得过去，这种就应该报trojan

报HackTool估计报的是工具本体

a27573

ESET


刚刚还 miss all，瞬间拉黑可还行

Jerry.Lin

WD
3/3

1. Filename        Threat Name        Severity        Initial Detect Time        Threat ID        Detect Source Type        Category       
   
2. baofeng.exe        HackTool:Win32/DefenderControl        High (4)        7/23/2021 10:09:00 PM        2147746246        Real Time        Tool       
   
3. xiaoma.exe        HackTool:Win32/DefenderControl        High (4)        7/23/2021 10:07:15 PM        2147746246        System        Tool       
   
4. baofeng.exe        HackTool:Win32/DefenderControl        High (4)        7/23/2021 10:07:12 PM        2147746246        Real Time        Tool       

复制代码