一个小东西大家来分析一下

显示全部楼层 · 发表于 2008-8-26 21:50:05

特别是hips的朋友，看看有什么动作
触犯了什么规则

密码：virus

显示全部楼层 · 发表于 2008-8-26 22:10:55

连接网络+加入自启动，然后自己退掉了……

显示全部楼层 · 发表于 2008-8-26 22:16:14

2008-08-26 21:58:57 启动进程 F:\病毒样本\dllhost\dllhost.exe
2008-08-26 21:59:03 自动运行
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\NTDLL.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\KERNEL32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\USER32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\GDI32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\ADVAPI32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\RPCRT4.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\SECUR32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\OLE32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\MSVCRT.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\OLEAUT32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\IMM32.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\LPK.DLL
2008-08-26 21:59:17 读取 C:\WINDOWS\SYSTEM32\USP10.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\PSAPI.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\SHLWAPI.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\VB6CHS.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\RPCSS.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\UXTHEME.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\MSCTF.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\SXS.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\VERSION.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\CLBCATQ.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\COMRES.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\CRYPT32.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\MSASN1.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\CRYPTUI.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\NETAPI32.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\WININET.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\WINTRUST.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\WLDAP32.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\RICHED20.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\SHELL32.DLL
2008-08-26 21:59:18 读取 C:\WINDOWS\SYSTEM32\COMCTL32.DLL
2008-08-26 21:59:24 读取 hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
2008-08-26 21:59:24 读取 hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
2008-08-26 21:59:24 读取 hklm\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
2008-08-26 21:59:24 读取 hklm\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
2008-08-26 21:59:24 读取 hklm\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}
2008-08-26 21:59:30 读取 hklm\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
2008-08-26 21:59:30 读取 C:\WINDOWS\SYSTEM32\WININET.DLL
2008-08-26 21:59:30 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
2008-08-26 21:59:30 读取 C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
2008-08-26 21:59:30 读取 C:\WINDOWS\SYSTEM32\SHELL32.DLL
2008-08-26 21:59:30 读取 C:\WINDOWS\SYSTEM32\COMCTL32.DLL
2008-08-26 21:59:35 创建 C:\Documents and Settings\GWH\Cookies\index.dat
2008-08-26 21:59:35 读取 C:\Documents and Settings\GWH\Local Settings\History\History.IE5
2008-08-26 21:59:35 创建 C:\Documents and Settings\GWH\Local Settings\History\History.IE5\index.dat
2008-08-26 21:59:35 读取 hklm\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}
2008-08-26 21:59:35 读取 hklm\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
2008-08-26 21:59:35 修改 hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
2008-08-26 21:59:35 创建 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run/dllhost
2008-08-26 21:59:35 读取 hklm\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
2008-08-26 21:59:45 访问其它进程内存 c:\windows\system32\ctfmon.exe
2008-08-26 21:59:51 退出进程 c:\windows\system32\ctfmon.exe
2008-08-26 22:00:05 读取 C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
2008-08-26 22:00:05 读取 hklm\SOFTWARE\Microsoft\Internet Explorer\Extensions\{09BA8F6D-CB54-424B-839C-C2A6C8E6B436}
2008-08-26 22:00:05 读取 C:\WINDOWS\SYSTEM32\urlmon.dll
2008-08-26 22:00:06 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
2008-08-26 22:00:06 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Classes\PROTOCOLS\Handler\res
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Classes\CLSID\{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Classes\CLSID\{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Classes\PROTOCOLS\Handler\about
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Classes\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32
2008-08-26 22:00:06 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
2008-08-26 22:00:06 读取 hklm\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\ProgID
2008-08-26 22:00:06 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Internet Explorer\Styles
2008-08-26 22:00:06 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\"添加到反横幅广告"
2008-08-26 22:00:13 读取 C:\WINDOWS\SYSTEM32\mlang.dll
2008-08-26 22:00:14 读取 hklm\SOFTWARE\Classes\PROTOCOLS\Handler\res
2008-08-26 22:00:14 读取 hklm\SOFTWARE\Classes\CLSID\{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32
2008-08-26 22:00:14 读取 hklm\SOFTWARE\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32
2008-08-26 22:00:20 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
2008-08-26 22:00:20 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
2008-08-26 22:00:20 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\NameSpace_Catalog5
2008-08-26 22:00:21 读取 hklm\SYSTEM\ControlSet003\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
2008-08-26 22:00:22 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
2008-08-26 22:00:22 读取 hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
2008-08-26 22:00:22 读取 C:\WINDOWS\SYSTEM32\TAPI32.dll
2008-08-26 22:00:22 读取 C:\autoexec.bat
2008-08-26 22:00:22 读取 C:\autoexec.bat
2008-08-26 22:00:22 修改 HKEY_USERS\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections/SavedLegacySettings
2008-08-26 22:00:22 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
2008-08-26 22:00:23 读取 C:\WINDOWS\SYSTEM32\drivers\etc\hosts
2008-08-26 22:00:23 读取 C:\WINDOWS\SYSTEM32\rsaenh.dll
2008-08-26 22:00:40 读取 C:\WINDOWS\SYSTEM32\drivers\etc\hosts
2008-08-26 22:01:21 读取 hkey_users\S-1-5-21-2025429265-308236825-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
2008-08-26 22:01:21 读取 C:\WINDOWS\SYSTEM32\drivers\etc\hosts

显示全部楼层 · 发表于 2008-8-26 22:18:30

2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1587 61.177.7.1 53 公共网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1587 221.228.255.1 53 公共网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1587 10.0.0.138 53 本地网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1307 61.177.7.1 53 公共网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1307 221.228.255.1 53 公共网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1307 10.0.0.138 53 本地网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1178 61.177.7.1 53 公共网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1178 221.228.255.1 53 公共网络
2008-08-26 22:01:52 已被拒绝 DCOM DLL Host UDP 127.0.0.1 1178 10.0.0.138 53 本地网络

显示全部楼层 · 发表于 2008-8-26 22:25:25

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
dllhost = "%System%\dllhost.exe"

显示全部楼层 · 发表于 2008-8-26 23:21:12

The file 'dllhost.exe' has been determined to be 'UNDER ANALYSIS'.

显示全部楼层 · 发表于 2008-8-27 08:32:13

感觉动作还是比较可疑。
Kaspersky miss
TO KL

显示全部楼层 · 发表于 2008-8-27 08:59:22

这是啥玩意儿...

显示全部楼层 · 发表于 2008-8-27 09:30:30

Hello,

dllhost.exe_ - Trojan.Win32.VB.est

New malicious software was found in this file. It's detection will be included in the next update. Thank you for your help.

Please quote all when answering.

--
Best regards, Namestnikov Yury
Virus analyst, Kaspersky Lab.
e-mail: newvirus@kaspersky.com
http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.

> Attachment: dllhost.rar

[病毒样本] 一个小东西大家来分析一下

回复 4楼浪滔天的帖子

[病毒样本] 一个小东西 大家来分析一下

回复 4楼 浪滔天 的帖子

[病毒样本] 一个小东西大家来分析一下

回复 4楼浪滔天的帖子