可疑的加密软件(极速隐藏)fasthide

纷飞

样本上传分析记录：

http://virscan.org/report/252014c10d2cf7b1b5674e5695b7a1b1.html

不清楚软件的加密原理，貌似有不少杀软会报毒。

密码忘记就很难清理干净的软件 没找到卸载程序

双击运行就会加入N多注册表项和右键选项

建议不要实机运行

08红伞威点

Starting the file scan:
Begin scan in 'C:\Documents and Settings\***\桌面\fasthide.rar'
C:\Documents and Settings\***\桌面\fasthide.rar
    [0] Archive type: RAR
    --> FastHide.exe
      [DETECTION] Is the TR/Agent.329216.A Trojan
    [NOTE]      A backup was created as '4977afee.qua'  ( QUARANTINE )
    [NOTE]      The file was deleted!

qwerasdf123

sbie＋kis2009
高受限
没啥东西

纷飞

暂时只知道这软件很难完全卸载

只要运行就不经同意自动添加注册表等信息 甚至system32文件夹添加一个exe文件

不提供卸载程序

可能是这些导致杀软判定为危险软件？

加密文件夹原理不了解 丢了密码就打不开了

ALEXBLAIR

1. 
   
2. [HKEY_LOCAL_MACHINE\software\Classes\*\shell\【极速隐藏】\command]
   
3. @="C:\\WINDOWS\\system32\\fe.exe %1"
   

复制代码

注册右键菜单（文件）

1. 
   
2. [HKEY_LOCAL_MACHINE\software\Classes\.FE]
   
3. @="FEfile"
   

复制代码

注册文件类型

1. 
   
2. [HKEY_LOCAL_MACHINE\software\Classes\Directory\shell\【极速隐藏】\command]
   
3. @="C:\\WINDOWS\\system32\\fe.exe %1"
   

复制代码

注册右键（文件夹）

1. 
   
2. [HKEY_LOCAL_MACHINE\software\Classes\FEfile]
   
3. @="使用【极速隐藏】加密的文件"
   
4. "NeverShowExt"=""
   
5. 
   
6. [HKEY_LOCAL_MACHINE\software\Classes\FEfile\DefaultIcon]
   
7. @="C:\\WINDOWS\\system32\\fe.exe,0"
   
8. 
   
9. [HKEY_LOCAL_MACHINE\software\Classes\FEfile\shell\还原此文件\command]
   
10. @="C:\\WINDOWS\\system32\\fe.exe %1"
    

复制代码

1. 
   
2. 
   
3. [HKEY_LOCAL_MACHINE\software\第六天工作室\极速隐藏]
   
4. "Ver"="4.0.0.0"
   

复制代码

注册软件信息

1. 
   
2. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileMon]
   
3. "ErrorControl"=dword:00000001
   
4. "Start"=dword:00000003
   
5. "Type"=dword:00000001
   

复制代码

晕死！竟然注册和微软名字一样的驱动！！怪不得启动的时候提示我已经安装有旧版本！！使用filemon的用户记得手动清楚这个驱动！

ALEXBLAIR

ＧＵＩ截图

[ 本帖最后由 ALEXBLAIR 于 2008-10-27 11:14 编辑 ]

ALEXBLAIR

自己写了一个卸载的脚本，用这个运行后就可以卸载了，如果运行的时候有hips的提示，全部允许。

纷飞

以前也见过一个批处理 是这样写的 似乎都有效果吧

@echo off
reg delete "HKEY_USERS\S-1-5-21-329068152-507921405-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f
reg delete "HKEY_USERS\S-1-5-21-329068152-507921405-842925246-500\第六天工作室" /f
reg delete "HKLM\SOFTWARE\Classes\*\shell\【极速隐藏】" /f
reg delete "HKLM\SOFTWARE\Classes\Directory\shell\【极速隐藏】" /f
reg delete "HKLM\SOFTWARE\Classes\FEfile" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\FileMon" /f
reg delete "HKCR\FEfile\shell\还原此文件\command" /f
reg delete "HKEY_CLASSES_ROOT\*\shell\【极速隐藏】" /f
reg delete "HKEY_CLASSES_ROOT\Directory\shell\【极速隐藏】" /f
reg delete "HKEY_CLASSES_ROOT\FEfile" /f
reg delete "HKEY_CLASSES_ROOT\.FE" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f
reg delete "HKEY_CURRENT_USER\第六天工作室" /f
reg delete "HKLM\SOFTWARE\第六天工作室" /f
del C:\WINDOWS\system32\fe.exe /f /q
del C:\WINDOWS\system32hider.dll /f /q
echo. & pause

aerbeisi

• Submission details:
  • Submission received: 27 October 2008, 15:14:30
  • Processing time: 5 min 59 sec
  • Submitted sample:
    • File MD5: 0x3E96109B2388CE0FB2EB4B46DD3A6E7C
    • Filesize: 329,216 bytes
    • Alias: Backdoor.Graybird [Symantec], Mal/Packer [Sophos]

• Summary of the findings:

What's been found	Severity Level
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

• The new window was created, as shown below:

NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
Please contact us on this link should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

Possible Security Risk

• Attention! The following threat category was identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system

File System Modifications

• The following file was created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	%System%\fe.exe [file and pathname of the sample #1]	329,216 bytes	0x3E96109B2388CE0FB2EB4B46DD3A6E7C	Backdoor.Graybird [Symantec] Mal/Packer [Sophos]

• Note:
  • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	1,548,288 bytes

Registry Modifications

• The following Registry Keys were created:
  • HKEY_LOCAL_MACHINE\SOFTWARE\�����칤����
  • HKEY_LOCAL_MACHINE\SOFTWARE\�����칤����\��������
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FileMon
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileMon
  • HKEY_CURRENT_USER\�����칤����
  • HKEY_CURRENT_USER\�����칤����\��������

• The newly created Registry Values are:
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FileMon]
    • ErrorControl = 0x00000001
    • Start = 0x00000003
    • Type = 0x00000001
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FileMon]
    • ErrorControl = 0x00000001
    • Start = 0x00000003
    • Type = 0x00000001

Other details

• Analysis of the file resources indicate the following possible country of origin:

China

ALEXBLAIR

原帖由 纷飞 于 2008-10-27 12:19 发表
以前也见过一个批处理 是这样写的 似乎都有效果吧

reg delete "HKEY_USERS\S-1-5-21-329068152-507921405-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache" /f
reg delete "HKEY_USERS\S-1-5-21-329068152-507921405-842925246-500\第六天工作室" /f


这两条不通用，SID每个人是不一样的，另外，HKEY_USERS\S-1-5-21-329068152-507921405-842925246-500\Software\Microsoft\Windows\ShellNoRoam\MUICache
这条不能算是这个软件的，是windows的GUI缓存列表，没必要清理。