Thread starter: hsjj2005

[Virus Sample] A virus that Kaspersky 6.0 does not detect (January 16)

ttdown
Posted on 2007-1-16 22:01:35
Quoting 野马, posted 2007-1-16 12:31:
I ran it N times and found nothing wrong?! I can't find PQXWV.SYS on the computer either.


看家狗 (Watchdog) logged the following:

1. Modified a registry value:
Param 1 = HKLM\SOFTWARE\Microsoft\Cryptography\RNG
Param 2 = Seed

2. Created a sys file in the system directory
C:\WINDOWS\system32\drivers\ubwii.sys

BTW: the reason you can't find PQXWV.SYS on your computer is probably that it generates a SYS file with a random name.
gggh
Posted on 2007-1-16 22:17:21

Reply to post #1 by hsjj2005

江民 (Jiangmin) doesn't detect it.
野马
Posted on 2007-1-16 23:04:32
Not vicious enough???
九尾野狐
Posted on 2007-1-17 08:42:55
f2.exe  

Virus name: N/A
Size: 44.1 KB
Packer: Microsoft Visual C++ 7.0 Method2
Sample MD5: c642c45ee76f8f0b6a5ee29998feaece

Kaspersky with the 17th 07:17 database and Dr.Web with the 16th database both fail to detect it.



Virus analysis
======

When run, the virus creates the following 2 files. The SYS file in the drivers directory has a randomly generated 5-letter name:
{random 5 letters}.SYS

C:\WINDOWS\system32\etcan.dll                              58,624 bytes
C:\WINDOWS\system32\drivers\abfpp.sys                9,152 bytes


Modifies the following registry entries

Adds the following value under a key named Adobe
[HKEY_LOCAL_MACHINE\SOFTWARE\Adobe]
"Adobe"=dword:0002911a

Creates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABFPP]
"NextInstance"=dword:00000001

Creates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABFPP\0000]
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"ConfigFlags"=dword:00000000
"DeviceDesc"="abfpp"
"Legacy"=dword:00000001
"Service"="abfpp"

Creates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABFPP\0000\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="abfpp"

Creates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abfpp]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"ImagePath"=System32\DRIVERS\abfpp.sys
"Start"=dword:00000000
"Type"=dword:00000001

Creates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abfpp\Enum]
"0"="Root\\LEGACY_ABFPP\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Creates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abfpp\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

Installs the following service and device
abfpp



Manual removal steps
=========
(Cleaned successfully in a virtual machine running WIN XP SP2 DEEPIN lite edition)

1. Use Unlocker to delete the virus files
C:\WINDOWS\system32\etcan.dll   
C:\WINDOWS\system32\drivers\abfpp.sys



2. Use MSCONFIG to remove the virus startup entries


3. Delete the registry entries listed above.


P.S. When I opened f2.exe in a disassembler, I found this


[This post was last edited by 没注册 on 2007-1-17 08:53]

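The registry listing in the analysis post above is what a responder would carry to another machine: a kernel driver (Type=1) set to boot start (Start=0) under a random five-letter name, plus the Enum\Root\LEGACY_ key that the PnP manager creates for it. The Python script below is an added example, not code from the original post. It parses a .reg export (SAMPLE_REG is a constructed, abbreviated sample modeled on the keys listed above, with a made-up benign "SampleDisk" driver as a control), flags services that match those indicators, and lists the keys for removal step 3 in child-before-parent order. The five-letter-name heuristic and the System32\DRIVERS path check are assumptions drawn from this one sample, not a general rule.

```python
"""Triage a Windows .reg export for the kernel-driver persistence described above.

Added example (not part of the original post). SAMPLE_REG is a constructed,
abbreviated sample modeled on the keys the post lists; "SampleDisk" is a made-up
benign control. Assumptions: a "random" driver name is exactly 5 letters, and
driver images live under System32\\DRIVERS.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ABFPP\0000]
"Class"="LegacyDriver"
"Service"="abfpp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abfpp]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"ImagePath"="System32\\DRIVERS\\abfpp.sys"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abfpp\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleDisk]
"ImagePath"="System32\\DRIVERS\\sampledisk.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
LEGACY_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_"
SERVICE_KERNEL_DRIVER, SERVICE_BOOT_START = 1, 0          # "Type" / "Start" values
RANDOM_DRIVER_NAME = re.compile(r"^[a-z]{5}\.sys$", re.I)   # assumption: 5 random letters


def decode_value(raw):
    """Decode one .reg value: dword:, a quoted string, or hex data."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("hex"):
        return bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
    return raw


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}, joining hex lines split with a trailing backslash."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):                 # value continues on the next line
            pending = line[:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def _under(path, prefix):
    """Case-insensitive test: path is prefix itself or a subkey of it."""
    p, q = path.upper(), prefix.upper()
    return p == q or p.startswith(q + "\\")


def triage_services(keys):
    """Return {service: [reasons]} for driver services matching the post's indicators."""
    findings = {}
    for path, values in keys.items():
        # Only Services\<name> itself, not its Enum/Security subkeys.
        if not _under(path, SERVICES) or path.count("\\") != SERVICES.count("\\") + 1:
            continue
        name = path.rsplit("\\", 1)[1]
        image = str(values.get("ImagePath", ""))
        base = image.rsplit("\\", 1)[-1]
        reasons = []
        if values.get("Type") == SERVICE_KERNEL_DRIVER and values.get("Start") == SERVICE_BOOT_START:
            reasons.append("kernel driver loaded at boot (Type=1, Start=0)")
        if "\\DRIVERS\\" in image.upper() and RANDOM_DRIVER_NAME.match(base):
            reasons.append(f"driver image {base!r} has a random-looking 5-letter name")
        if reasons and any(_under(k, LEGACY_ROOT + name) for k in keys):
            reasons.append("Enum\\Root\\LEGACY_ key present (PnP creates it for legacy drivers; delete it with the service)")
        if reasons:
            findings[name] = reasons
    return findings


def removal_plan(keys, name):
    """Registry keys to delete for one service, deepest first so children go before parents."""
    targets = [k for k in keys if _under(k, SERVICES + "\\" + name) or _under(k, LEGACY_ROOT + name)]
    return sorted(targets, key=lambda k: (-k.count("\\"), k.upper()))


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for svc, reasons in triage_services(reg).items():
        print(svc, *("  - " + r for r in reasons), sep="\n")
        print("  keys to delete, in order:", *removal_plan(reg, svc), sep="\n    ")
```

To use it on a real machine, export HKLM\SYSTEM\CurrentControlSet with regedit and pass the file contents to parse_reg instead of SAMPLE_REG. The load-order group ("System Bus Extender") is deliberately not a signal, because legitimate bus drivers share it, and a LEGACY_ key on its own is normal for any non-PnP driver; it is only reported next to the other findings so the removal plan covers it.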
sharkvv
Posted on 2007-1-17 14:28:32
It's the 17th today and still no detection....... Avira (小红伞)
sdyccyb
Posted on 2007-1-17 16:00:08
Dr.Web alerted on decompression; 17th database
D:\f2.exe - is an AdWare program Adware.QQHelp
donaldz
Posted on 2007-1-17 18:17:41
驱逐舰 reports Adware.QQHelp. Sandbox report to follow.
donaldz
Posted on 2007-1-17 18:32:14
Analysis Summary:
Analysis Date        1/3/2007 1:58:35 AM
Sandbox Version        1.97
Filename        c642c45ee76f8f0b6a5ee29998feaece.exe

Technical Details:
Analysis Number        1
Parent ID        0
Process ID        976
Filename        c:\temp\c642c45ee76f8f0b6a5ee29998feaece.exe
Filesize        45248 bytes
MD5        c642c45ee76f8f0b6a5ee29998feaece
Start Reason        AnalysisTarget
Termination Reason        NormalTermination
Start Time        00:00.078
Stop Time        00:01.938
DLL-Handling       
Loaded DLLs
c:\temp\c642c45ee76f8f0b6a5ee29998feaece.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\imagehlp.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\Secur32.dll
USER32.dll

Filesystem       
New Files
C:\WINDOWS\System32\drivers\iwwzk.sys
C:\WINDOWS\System32\cdpid.dll
Opened Files
C:\WINDOWS\System32\drivers\iwwzk.sys
C:\WINDOWS\System32\cdpid.dll
Chronological order
Create File: C:\WINDOWS\System32\drivers\iwwzk.sys
Get File Attributes: C:\WINDOWS\System32\msvcrt.dll Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\drivers\iwwzk.sys (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\drivers\iwwzk.sys
Create File: C:\WINDOWS\System32\cdpid.dll
Open File: C:\WINDOWS\System32\cdpid.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\cdpid.dll
Process Management        Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\cdpid",DllUnregisterServer) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (976) As User: () Creation Flags: ()
Service Management        Open Service Manager - Name: "SCM"
Open Service - Name: "iwwzk"
Create Service - Name: (iwwzk) Display Name: (iwwzk) File Name: (C:\WINDOWS\System32\drivers\iwwzk.sys) Control: () Start Type: (SERVICE_AUTO_START)
System Info        Get System Directory

Analysis Number        2
Parent ID        0
Process ID        704
Filename       
Filesize        -1 bytes
MD5       
Start Reason        SCM
Termination Reason        Unknown
Start Time        00:01.547
Stop Time        00:00.000

The following process was started by process: 1
Analysis Number        3
Parent ID        1
Process ID        1020
Filename        C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\cdpid,DllUnregisterServer
Filesize        31744 bytes
MD5        0fb22dd37c17f80ad71316049f725170
Start Reason        CreateProcess
Termination Reason        NormalTermination
Start Time        00:01.578
Stop Time        00:04.953
Detection        - (Authentium Command Antivirus - EngVer: 4.92.123.35 - SigVer: 20061222 35)
- (BitDefender Antivirus - EngVer: 7.0.0.2311 - SigVer: 7.10647)
Known good file - (CounterSpy - EngVer: 2.1.628.0 - SigVer: 469)
- (Microsoft Malware Protection - EngVer: 1.1.1904.0 - SigVer: Tue Dec 26 01:26:26 2006)
- (Norton AntiVirus - EngVer: 20061.3.0.12 - SigVer: 20061226 13:19:02)
DLL-Handling       
Loaded DLLs
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\IMAGEHLP.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\OLE32.DLL
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\WS2_32.dll
C:\WINDOWS\System32\WS2HELP.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\Wship6.dll
C:\WINDOWS\System32\iphlpapi.dll
C:\WINDOWS\System32\Secur32.dll
advapi32.dll
kernel32.dll
comctl32.dll
C:\WINDOWS\System32\cdpid
.\UxTheme.dll
user32.dll
USER32.dll
Filesystem       
Opened Files
\\.\PIPE\lsarpc
Chronological order
Get File Attributes: C:\WINDOWS\System32\cdpid Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\cdpid.manifest Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Registry       
Process Management        Kill Process - Filename () CommandLine: () Target PID: (1020) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (4)
Enum Modules - Target PID: (588)
Enum Modules - Target PID: (660)
Enum Modules - Target PID: (704)
Enum Modules - Target PID: (716)
Enum Modules - Target PID: (724)
Enum Modules - Target PID: (876)
Enum Modules - Target PID: (940)
Enum Modules - Target PID: (1052)
Enum Modules - Target PID: (1400)
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (588)
Open Process - Filename () Target PID: (636)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (660)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (704)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (716)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (724)
Open Process - Filename (C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe) Target PID: (876)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (940)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1052)
Open Process - Filename () Target PID: (1112)
Open Process - Filename () Target PID: (1136)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1400)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1400)
Threads        Create Remote Thread - Target PID (1400) Thread ID ($0430) Thread ID ($01430000) Parameter Address ($01240000) Creation Flags (CREATE_SUSPENDED)
Virtual Memory        VM Allocate - Target: (1400) Address: ($01240000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1400) Address: ($01430000) Size: (16384) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1400) Address: ($01440000) Size: (262144) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1400) Address: ($01473000) Size: (53248) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (1400) Address: ($01240000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (1400) Address: ($01240000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1400) Address: ($01430000) Size: (16384) Protect: (PAGE_READWRITE)
VM Protect - Target: (1400) Address: ($01430000) Size: (16384) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1400) Address: ($01473000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Write - Target: (1400) Address: ($01240000) Size: (372)
VM Write - Target: (1400) Address: ($01430000) Size: (16384)
Window        Enum Windows
Destroy Window - Class Name (RunDLL) Window Name ()

The following process was started by process: 3
Analysis Number        4
Parent ID        3
Process ID        1400
Filename        C:\WINDOWS\Explorer.EXE
Filesize        1004032 bytes
MD5        a82b28bfc2e4455fe43022a498c0ef0a
Start Reason        InjectedCode
Termination Reason        Timeout
Start Time        00:03.156
Stop Time        01:00.563
DLL-Handling       
Loaded DLLs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\SHLWAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\System32\BROWSEUI.dll
C:\WINDOWS\System32\SHDOCVW.dll
C:\WINDOWS\System32\UxTheme.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\appHelp.dll
C:\WINDOWS\System32\CLBCATQ.DLL
C:\WINDOWS\System32\COMRes.dll
C:\WINDOWS\system32\VERSION.dll
C:\WINDOWS\System32\cscui.dll
C:\WINDOWS\System32\CSCDLL.dll
C:\WINDOWS\System32\themeui.dll
C:\WINDOWS\System32\Secur32.dll
C:\WINDOWS\System32\MSIMG32.dll
C:\WINDOWS\system32\USERENV.dll
C:\WINDOWS\System32\actxprxy.dll
C:\WINDOWS\System32\LINKINFO.dll
C:\WINDOWS\System32\ntshrui.dll
C:\WINDOWS\System32\ATL.DLL
C:\WINDOWS\System32\NETAPI32.dll
C:\WINDOWS\System32\SAMLIB.dll
C:\WINDOWS\System32\SETUPAPI.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\NETSHELL.dll
C:\WINDOWS\system32\credui.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\System32\WINSTA.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\System32\BatMeter.dll
C:\WINDOWS\System32\POWRPROF.dll
C:\WINDOWS\System32\WTSAPI32.dll
C:\WINDOWS\System32\WINMM.dll
C:\WINDOWS\System32\msi.dll
C:\WINDOWS\System32\printui.dll
C:\WINDOWS\System32\WINSPOOL.DRV
C:\WINDOWS\System32\ACTIVEDS.dll
C:\WINDOWS\System32\adsldpc.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\System32\CFGMGR32.dll
C:\WINDOWS\system32\MPR.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\System32\pstorec.dll
C:\WINDOWS\System32\Wship6.dll
advapi32.dll
kernel32.dll
comctl32.dll
printui.dll
shfolder.dll
shell32.dll
Filesystem       
New Files
\Dfs
Opened Files
\\.\PIPE\wkssvc
Chronological order
Get File Attributes: C:\analysis\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Create/Open File: \Dfs (OPEN_ALWAYS)
Find File: C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware
INI Files       
Read INI File
NTNET.INI [Shared Parameters] Sort Hyphens =
Mutexes        Creates Mutex: HGFSMUTEX
Registry       
Reads
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hgfs\parameters "ServerName"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hgfs\parameters "ShareName"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\hgfs\NetworkProvider "name"
Process Management        Open Process - Filename (C:\WINDOWS\System32\wuauclt.exe) Target PID: (1276)
Service Management        Open Service Manager - Name: "SCM"
System Info        Get System Time
Virtual Memory        VM Read - Target: (1276) Address: ($7FFDF008) Size: (4)
VM Read - Target: (1276) Address: ($7FFDF00C) Size: (4)
VM Read - Target: (1276) Address: ($00191EA4) Size: (4)
VM Read - Target: (1276) Address: ($00191EC0) Size: (76)
VM Read - Target: (1276) Address: ($00020598) Size: (64)
Window        Enum Windows
Destroy Window - Class Name (PrintTray_Notify_WndClass) Window Name ()
Destroy Window - Class Name (PrintUI_QueueCreate) Window Name (PrintUI_QueueCreate)

Analysis Number        5
Parent ID        0
Process ID        704
Filename       
Filesize        -1 bytes
MD5       
Start Reason        SCM
Termination Reason        Unknown
Start Time        00:20.563
Stop Time        00:00.000
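Analysis 3 is the interesting part of the report above: Rundll32 loads the dropped cdpid DLL through DllUnregisterServer, enumerates processes, opens Explorer.EXE (PID 1400), allocates PAGE_EXECUTE_READWRITE memory in it, writes 372 and 16384 bytes, and creates a remote thread there with CREATE_SUSPENDED, which is why Explorer appears as analysis 4 with start reason InjectedCode. The Python below is an added example, not part of the sandbox report or of the sample: it replays trace lines in the report's own format (SAMPLE_TRACE is a constructed sample copied from the lines above, with Explorer's benign VM Read of wuauclt as a negative case) and alerts only when a remote thread's start or parameter address falls inside a region that the same process allocated or re-protected as executable and then wrote into. Treating the second "Thread ID ($...)" field as the thread start address is an assumption about this report format, so every $-prefixed value on the thread line is tried.

```python
"""Detect remote-thread code injection in a CWSandbox-style API trace.

Added example (not part of the sandbox report above). SAMPLE_TRACE is a
constructed sample in the report's own line format; treating the second
"Thread ID ($...)" field as the thread start address is an assumption
about that format, so every $-prefixed value on the line is tried.
"""
import re

SAMPLE_TRACE = """\
Open Process - Filename (C:\\WINDOWS\\Explorer.EXE) Target PID: (1400)
VM Allocate - Target: (1400) Address: ($01240000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1400) Address: ($01430000) Size: (16384) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Allocate - Target: (1400) Address: ($01473000) Size: (53248) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (1400) Address: ($01240000) Size: (4096) Protect: (PAGE_READWRITE)
VM Protect - Target: (1400) Address: ($01240000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE)
VM Protect - Target: (1400) Address: ($01473000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD)
VM Write - Target: (1400) Address: ($01240000) Size: (372)
VM Write - Target: (1400) Address: ($01430000) Size: (16384)
Create Remote Thread - Target PID (1400) Thread ID ($0430) Thread ID ($01430000) Parameter Address ($01240000) Creation Flags (CREATE_SUSPENDED)
Open Process - Filename (C:\\WINDOWS\\System32\\wuauclt.exe) Target PID: (1276)
VM Read - Target: (1276) Address: ($7FFDF008) Size: (4)
"""

OP_RE = re.compile(r"^(Open Process|VM Allocate|VM Protect|VM Write|VM Read|Create Remote Thread)\b(.*)$")
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:?\s*\(([^)]*)\)")   # "Label: (value)" or "Label (value)"


def _num(value):
    """Trace counts are decimal; addresses are $-prefixed hex."""
    value = value.strip()
    return int(value[1:], 16) if value.startswith("$") else int(value)


def parse_line(line):
    """Return (operation, [(label, value), ...]) or None for lines that are not API events."""
    m = OP_RE.match(line.strip())
    return (m.group(1), FIELD_RE.findall(m.group(2))) if m else None


def detect_injection(lines):
    """Alert when a remote thread starts in, or is handed, memory that the tracer saw
    the same target process allocate or re-protect as executable and then write into."""
    regions = {}                     # target pid -> list of {base, size, protect, written}
    alerts = []

    def region_for(pid, addr):
        return next((r for r in regions.get(pid, [])
                     if r["base"] <= addr < r["base"] + r["size"]), None)

    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        op, pairs = parsed
        f = dict(pairs)              # duplicate labels collapse; Thread ID is handled from pairs
        if op == "VM Allocate":
            regions.setdefault(_num(f["Target"]), []).append(
                {"base": _num(f["Address"]), "size": _num(f["Size"]),
                 "protect": f["Protect"], "written": 0})
        elif op == "VM Protect":
            r = region_for(_num(f["Target"]), _num(f["Address"]))
            if r:
                r["protect"] = f["Protect"]
        elif op == "VM Write":
            r = region_for(_num(f["Target"]), _num(f["Address"]))
            if r:
                r["written"] += _num(f["Size"])
        elif op == "Create Remote Thread":
            pid = _num(f["Target PID"])
            candidates = {_num(v) for _, v in pairs if v.strip().startswith("$")}
            hits = [r for r in regions.get(pid, [])
                    if "EXECUTE" in r["protect"] and r["written"] > 0
                    and any(r["base"] <= a < r["base"] + r["size"] for a in candidates)]
            if hits:
                alerts.append({"pid": pid, "flags": f.get("Creation Flags", ""), "regions": hits})
    return alerts


if __name__ == "__main__":
    for a in detect_injection(SAMPLE_TRACE.splitlines()):
        print(f"injection into PID {a['pid']} ({a['flags']}):")
        for r in a["regions"]:
            print(f"  {r['base']:#010x} {r['protect']} {r['written']} bytes written")
```

Requiring all three steps on the same target (executable protection, a write, and a thread pointed at that region) is what keeps Explorer's own reads of wuauclt's memory in analysis 4 from firing; a rule on VM Allocate with PAGE_EXECUTE_READWRITE alone would also catch JIT-style behaviour in legitimate processes.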
ttdown
Posted on 2007-1-17 22:16:33
Quoting sharkvv, posted 2007-1-17 14:28:
It's the 17th today and still no detection....... Avira (小红伞)


Detected as of the 17th, database 6.37.00.178.

Begin scan in 'E:\TOOLS\Virus-TEST\New\f2'
E:\TOOLS\Virus-TEST\New\f2\f2.exe
      [DETECTION] Is the Trojan horse TR/Drop.Agen.E500.A
      [INFO]      A backup was created as '45dc2ec1.qua'  ( QUARANTINE )
      [INFO]      The file was renamed to 'f2.exe.VIR'!

Avira's (小红伞) reply after I submitted the sample:
Dear Sir or Madam,

Thank you for your recent inquiry.
We found a new virus in the attachment you have sent us.
The pattern recognition will be integrated in one of our next updates.
The pattern recognition of the virus will be detected as
"TR/Drop.Agent.E500".
We thank you for your assistance.
Attachment(s) you sent:
- f2.rar
--
Freundliche Gruesse / Best regards
Avira GmbH
Andreas Pohl
First Level Support
Avira GmbH
Lindauer Str. 21, D-88069 Tettnang, Germany
Internet: http://www.avira.com

[This post was last edited by ttdown on 2007-1-17 22:20]
ttdown
Posted on 2007-1-17 22:25:55
Quoting 没注册, posted 2007-1-17 08:42:
f2.exe

Virus name: N/A
Size: 44.1 KB
Packer: Microsoft Visual C++ 7.0 Method2
Sample MD5: c642c45ee76f8f0b6a5ee29998feaece

Kaspersky with the 17th 07:17 database and Dr.Web with the 16th database both fail to detect it ...


Very detailed analysis! Thanks!

BTW: the system.ini entry you said to delete, "woafont=app936.FON", should be normal font loading.

[This post was last edited by ttdown on 2007-1-17 23:54]
卡饭论坛 (KaFan Forum)

Copyright © KaFan  KaFan.cn All Rights Reserved.