Thread starter: drmctchr

[Virus sample] Please help analyze the behaviour of a newly discovered virus

z2665
Posted 2009-11-8 09:43:39
Analysis result: http://camas.comodo.com/cgi-bin/ ... cfe5f7bb1804cc487df

File Info
  Size:    100616
  MD5:     be049e75bfea8fa1e194e656d6831757
  SHA1:    b7e26a7381ae982cb8f46c34b1f36260885ed194
  SHA256:  cd6dc594e3ebd6eebaca067812961b1f599ee8d58dc0bcfe5f7bb1804cc487df
  Process: Active

Keys Created / Keys Changed / Keys Deleted / Values Created: (none)

Values Changed  (Name | Type old/new | Size old/new | Value old/new)
  CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x2
  CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt | REG_DWORD/REG_DWORD | 4/4 | 0x0/0x1
  CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x0
  CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebViewBarricade | REG_DWORD/REG_DWORD | 4/4 | 0x1/0x0
  CU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup | REG_SZ/REG_SZ | 118/138 | "C:\Documents and Settings\User\Start Menu\Programs\Startup" / "C:\Documents and Settings\User\Local Settings\Application Data\Start"
  CU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup | REG_EXPAND_SZ/REG_SZ | 84/138 | "%USERPROFILE%\Start Menu\Programs\Startup" / "C:\Documents and Settings\User\Local Settings\Application Data\Start"

Values Deleted: (none)

Directories Created  (Name | Last Write Time | Creation Time | Last Access Time | Attr)
  C:\Documents and Settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320 | 2008.10.31 11:22:48.000 | 2007.07.27 12:00:00.000 | 2008.09.11 09:02:36.250 | 0x17
  C:\Documents and Settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc | 2008.10.31 11:22:48.000 | 2007.07.27 12:00:00.000 | 2008.09.11 09:02:36.250 | 0x17
  C:\Documents and Settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom | 2008.10.31 11:22:48.000 | 2007.07.27 12:00:00.000 | 2008.09.11 09:02:36.250 | 0x17
  C:\Documents and Settings\User\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr | 2008.10.31 11:22:48.000 | 2007.07.27 12:00:00.000 | 2008.09.11 09:02:36.250 | 0x17
  C:\Documents and Settings\User\Local Settings\Application Data\Start | 2009.01.12 14:47:59.515 | 2009.01.12 14:47:59.515 | 2009.01.12 14:47:59.515 | 0x17
  C:\TEST\sample | 2009.01.12 14:48:00.859 | 2009.01.12 14:48:00.859 | 2009.01.12 14:48:00.859 | 0x17

Directories Changed / Directories Deleted: (none)

Files Created  (Name | Size | Last Write Time | Creation Time | Last Access Time | Attr)
  C:\Documents and Settings\User\Local Settings\Application Data\Start\update.exe | 100616 | 2008.10.31 11:22:48.000 | 2007.07.27 12:00:00.000 | 2008.09.11 09:02:36.250 | 0x20

Files Changed / Files Deleted / Directories Hidden / Files Hidden / Drivers Loaded / Drivers Unloaded / Processes Created / Processes Terminated: (none)

Threads Created  (PId | Process Name | TId | Start | Start Mem | Win32 Start | Win32 Start Mem)
  0x344 | svchost.exe | 0x170 | 0x7c810856 | MEM_IMAGE | 0x7c910760 | MEM_IMAGE

Modules Loaded: (none)

Windows API Calls  (PId | Image Name | Address | Function ( Parameters ) | Return Value)
  0x358 | C:\TEST\sample.exe | 0x40287a | CopyFileW(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\Documents and Settings\User\Local Settings\Application Data\Start\update.exe", bFailIfExists: 0x0) | 0x1

DNS Queries / HTTP Queries: (none)

Verdict
  Auto Analysis Verdict: Suspicious
  Description: Suspicious Actions Detected
    Copies self to other locations

Mutexes Created or Opened  (PId | Image Name | Address | Mutex Name)
  0x358 | C:\TEST\sample.exe | 0x4035aa | LDLLMAIN
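As an added example (not from z2665's post or the CAMAS report), here is a Python triage check for the persistence mechanism the report exposes: both Shell Folders\Startup and User Shell Folders\Startup are repointed at the hidden Local Settings\Application Data\Start folder where update.exe was dropped, so Explorer launches that folder's contents at logon instead of the real Startup folder, while Hidden=2, HideFileExt=1 and ShowSuperHidden=0 keep the dropped files out of view. The REPORT_BEFORE and REPORT_AFTER snapshots are constructed from the "Values Changed" table above; read_live_snapshot(), the KNOWN_DEFAULTS list (the Vista-and-later default is added beyond what the page shows) and the environment handling are my assumptions about how a responder would run this on a live machine.

```python
"""Check Explorer Startup-folder redirection and hidden-file settings (added example)."""
import os
import sys

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
SHELL = EXPLORER + r"\Shell Folders"            # cached, expanded paths
USER_SHELL = EXPLORER + r"\User Shell Folders"  # authoritative, usually REG_EXPAND_SZ
ADVANCED = EXPLORER + r"\Advanced"

# Default Startup locations (assumption: XP/2003 first, Vista and later second).
KNOWN_DEFAULTS = (
    r"%USERPROFILE%\Start Menu\Programs\Startup",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
)
# Explorer view settings the sample flips: name -> (value before the sample ran, effect of the change)
SAFE_ADVANCED = {
    "Hidden": (1, "hidden files no longer shown"),
    "HideFileExt": (0, "file extensions hidden"),
    "ShowSuperHidden": (1, "protected OS files no longer shown"),
}


def expand(path, env):
    """Expand %VAR% tokens using the supplied environment dict (deterministic off-box)."""
    for var, val in env.items():
        path = path.replace(f"%{var}%", val)
    return path


def check_snapshot(snapshot, env):
    """snapshot maps a key path (relative to HKCU) to {value name: data}.
    Returns a list of (code, detail) findings; an empty list means nothing unusual."""
    findings = []
    expected = set(KNOWN_DEFAULTS) | {expand(d, env) for d in KNOWN_DEFAULTS}
    for key in (SHELL, USER_SHELL):
        startup = snapshot.get(key, {}).get("Startup")
        if startup is not None and startup not in expected:
            findings.append(("startup-redirect", f"{key}\\Startup -> {startup}"))
    advanced = snapshot.get(ADVANCED, {})
    for name, (safe, effect) in SAFE_ADVANCED.items():
        if name in advanced and advanced[name] != safe:
            findings.append(("explorer-view", f"{name}={advanced[name]} ({effect})"))
    return findings


# Constructed from the report's "Values Changed" table (old values / new values).
USERPROFILE = r"C:\Documents and Settings\User"
REDIRECTED = USERPROFILE + r"\Local Settings\Application Data\Start"
REPORT_BEFORE = {
    SHELL: {"Startup": USERPROFILE + r"\Start Menu\Programs\Startup"},
    USER_SHELL: {"Startup": KNOWN_DEFAULTS[0]},
    ADVANCED: {"Hidden": 1, "HideFileExt": 0, "ShowSuperHidden": 1, "WebViewBarricade": 1},
}
REPORT_AFTER = {
    SHELL: {"Startup": REDIRECTED},
    USER_SHELL: {"Startup": REDIRECTED},
    ADVANCED: {"Hidden": 2, "HideFileExt": 1, "ShowSuperHidden": 0, "WebViewBarricade": 0},
}


def read_live_snapshot():
    """Windows only: read the three keys from HKCU with winreg (assumed responder workflow)."""
    import winreg
    snapshot = {}
    for key in (SHELL, USER_SHELL, ADVANCED):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                index = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values
                    values[name] = data
                    index += 1
        except OSError:
            pass  # key absent
        snapshot[key] = values
    return snapshot


if __name__ == "__main__":
    if sys.platform == "win32":
        snap = read_live_snapshot()
        env = {k: os.environ.get(k, "") for k in ("USERPROFILE", "APPDATA")}
    else:
        snap, env = REPORT_AFTER, {"USERPROFILE": USERPROFILE}
    for code, detail in check_snapshot(snap, env) or [("ok", "no findings")]:
        print(code, detail)
        if code == "startup-redirect" and os.path.isdir(detail.split(" -> ", 1)[1]):
            # Whatever sits in the redirected folder runs at the next logon.
            print("   contents:", sorted(os.listdir(detail.split(" -> ", 1)[1])))
```

Run off-box it reports the five changes from the report; on an XP box with the sample's changes applied it also lists update.exe under the redirected folder. Because User Shell Folders is what Explorer actually resolves, cleanup means restoring that value (as REG_EXPAND_SZ) as well as Shell Folders, not just deleting update.exe.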
schumi小粉
Posted 2009-11-8 09:57:53
2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value name: Local AppData
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value name: Local AppData
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: Hidden
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: Hidden
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value name: Startup
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Value name: Startup
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Value name: Startup
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*

2009-11-08 09:57:02    Create registry value      Action: blocked
Process path: C:\Documents and Settings\Administrator\桌面\新建文件夹\form\2009年海淀区企业知识产权保护体系专项专家评审表.exe
Registry path: HKEY_CURRENT_USER\user\current\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Value name: Startup
Triggered rule: All-program rules -> A07… System and software operations (black/white) -> *\Software\Microsoft\Windows*\*
dl123100
Posted 2009-11-8 10:09:59
A certain tool's log came out reasonably well:
PID: 1768, 0x7D5BF51A: RegCreateKeyExW(key: HKEY_CURRENT_USER, subkey: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders) -> SUCCESS
PID: 1768, --- handle: 0000076C
PID: 1768, 0x7D5F9C96: GetFileAttributesW(C:\Documents and Settings\Administrator\Local Settings\Application Data)
PID: 1768, 0x7D5BF51A: RegCreateKeyExW(key: HKEY_CURRENT_USER, subkey: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) -> SUCCESS
PID: 1768, --- handle: 0000076C
PID: 1768, 0x7D5F9CFF: RegSetValueExW(keyHandle: 0000076C, valueName: Local AppData, data: C:\Documents and Settings\Administrator\Local Settings\Application Data) -> SUCCESS
PID: 1768, 0x00402ACF: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: FFFFFFFF
PID: 1768, 0x00402B0A: SetFileAttributesW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320, attrs: 00000007)
PID: 1768, 0x00402B87: CreateFileW(file: C:\WINDOWS\system32\KERNEL32.DLL, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x00402BC4: SetFileTime(h: 0000076C)
PID: 1768, 0x00402ACF: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: FFFFFFFF
PID: 1768, 0x00402B0A: SetFileAttributesW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\dmc, attrs: 00000007)
PID: 1768, 0x00402B87: CreateFileW(file: C:\WINDOWS\system32\KERNEL32.DLL, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x00402BC4: SetFileTime(h: 0000076C)
PID: 1768, 0x00402ACF: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: FFFFFFFF
PID: 1768, 0x00402B0A: SetFileAttributesW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\tlsr, attrs: 00000007)
PID: 1768, 0x00402B87: CreateFileW(file: C:\WINDOWS\system32\KERNEL32.DLL, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x00402BC4: SetFileTime(h: 0000076C)
PID: 1768, 0x00402ACF: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: FFFFFFFF
PID: 1768, 0x00402B0A: SetFileAttributesW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320\Rotinom, attrs: 00000007)
PID: 1768, 0x00402B87: CreateFileW(file: C:\WINDOWS\system32\KERNEL32.DLL, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x00402BC4: SetFileTime(h: 0000076C)
PID: 1768, 0x004022B5: RegOpenKeyExW(key: HKEY_CURRENT_USER, subkey: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) -> SUCCESS
PID: 1768, --- handle: 0000076C
PID: 1768, 0x00402319: RegSetValueExW(keyHandle: 0000076C, valueName: Hidden, data: ) -> SUCCESS
PID: 1768, 0x00402373: RegSetValueExW(keyHandle: 0000076C, valueName: HideFileExt, data: ) -> SUCCESS
PID: 1768, 0x004023E3: RegSetValueExW(keyHandle: 0000076C, valueName: ShowSuperHidden, data: ) -> SUCCESS
PID: 1768, 0x00402443: RegSetValueExW(keyHandle: 0000076C, valueName: WebViewBarricade, data: ) -> SUCCESS
PID: 1768, 0x004027F3: SetFileAttributesW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\Start, attrs: 00000007)
PID: 1768, 0x0040280D: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\Start, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: FFFFFFFF
PID: 1768,
PID: 1768, 0x00402896: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\Start\update.exe, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x004028B6: SetFileTime(h: 00000768)
PID: 1768, 0x004028DA: RegOpenKeyExW(key: HKEY_CURRENT_USER, subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders) -> SUCCESS
PID: 1768, --- handle: 00000768
PID: 1768, 0x0040298F: RegSetValueExW(keyHandle: 00000768, valueName: Startup, data: C:\Documents and Settings\Administrator\Local Settings\Application Data\Start) -> SUCCESS
PID: 1768, 0x004029B1: RegOpenKeyExW(key: HKEY_CURRENT_USER, subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders) -> SUCCESS
PID: 1768, --- handle: 00000768
PID: 1768, 0x00402A4F: RegSetValueExW(keyHandle: 00000768, valueName: Startup, data: C:\Documents and Settings\Administrator\Local Settings\Application Data\Start) -> SUCCESS
PID: 1768, 0x00402CB3: CreateFileW(file: \\.\C:, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768,
PID: 1768,
PID: 1768, 0x00402CB3: CreateFileW(file: \\.\C:, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 000006F4
PID: 1768, 0x004035AA: CreateMutexW(name: LDLLMAIN, owner: 00000000)
PID: 1768, 0x00403B17: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\USBSTOR\Enum) -> FAIL
PID: 1768, 0x00403B17: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\USBSTOR\Enum) -> FAIL
PID: 1768, 0x00403B17: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\USBSTOR\Enum) -> FAIL
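Added example, not part of dl123100's post or the tool's output: a small parser for the trace format above that flags four behaviours visible in the log. It reports SetFileAttributesW with HIDDEN|SYSTEM (0x7) on the dropped directories; SetFileTime issued straight after opening C:\WINDOWS\system32\KERNEL32.DLL, which, together with the 2007/2008 timestamps the CAMAS report shows on directories created during a 2009 sandbox run, looks like the sample cloning an OS binary's timestamps onto its own files (that interpretation is an assumption); the LDLLMAIN mutex; and the repeated RegOpenKeyExW on SYSTEM\CurrentControlSet\Services\USBSTOR\Enum. SAMPLE_TRACE is an excerpt copied from the trace above; the regexes, tags and the "system32 then SetFileTime" heuristic are mine.

```python
"""Heuristics over the 'PID: n, 0xADDR: Api(args) -> RET' trace format (added example)."""
import re

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# e.g. "PID: 1768, 0x00402B87: CreateFileW(file: C:\WINDOWS\system32\KERNEL32.DLL, OPEN_EXISTING)"
CALL_RE = re.compile(
    r"^PID: (?P<pid>\d+), 0x(?P<addr>[0-9A-Fa-f]+): (?P<fn>\w+)"
    r"\((?P<args>.*?)\)(?: -> (?P<ret>\w+))?$")
# e.g. "PID: 1768, -- CreateFileW result - fHandle: 00000768"
RESULT_RE = re.compile(r"^PID: \d+, -- \w+ result - fHandle: (?P<handle>[0-9A-Fa-f]+)$")


def parse_args(text):
    """Split 'name: value, name: value, FLAG' into ({name: value}, [FLAG])."""
    named, positional = {}, []
    for piece in text.split(", "):
        if ": " in piece:
            key, val = piece.split(": ", 1)
            named[key] = val
        else:
            positional.append(piece)
    return named, positional


def parse_trace(lines):
    """Return one dict per API call; a following result line fills in 'handle'."""
    calls = []
    for raw in lines:
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            named, positional = parse_args(m["args"])
            calls.append({"fn": m["fn"], "addr": int(m["addr"], 16), "args": named,
                          "flags": positional, "ret": m["ret"], "handle": None})
            continue
        r = RESULT_RE.match(line)
        if r and calls:
            calls[-1]["handle"] = r["handle"].upper()
    return calls


def analyse(lines):
    """Return (tag, detail) findings for the behaviours named in the lead-in."""
    findings = []
    last_open = None  # most recent CreateFileW that returned a valid handle
    for call in parse_trace(lines):
        fn, args = call["fn"], call["args"]
        if fn == "CreateFileW":
            last_open = call if call["handle"] not in (None, "FFFFFFFF") else None
        elif fn == "SetFileTime" and last_open is not None:
            src = last_open["args"].get("file", "")
            # Timestamps written right after opening an OS binary: assumed to be copied from it.
            if "\\windows\\system32\\" in src.lower():
                findings.append(("timestomp", f"SetFileTime after opening {src}"))
        elif fn == "SetFileAttributesW":
            attrs = int(args.get("attrs", "0"), 16)
            if attrs & FILE_ATTRIBUTE_HIDDEN and attrs & FILE_ATTRIBUTE_SYSTEM:
                findings.append(("hide-system", args.get("file", "")))
        elif fn == "RegOpenKeyExW":
            if args.get("subkey", "").upper().endswith(r"USBSTOR\ENUM"):
                findings.append(("usbstor-poll", args["subkey"]))
        elif fn == "CreateMutexW":
            findings.append(("mutex", args.get("name", "")))
    return findings


# Excerpt copied from the trace posted above (constructed subset for a stand-alone run).
SAMPLE_TRACE = r"""
PID: 1768, 0x00402ACF: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: FFFFFFFF
PID: 1768, 0x00402B0A: SetFileAttributesW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\S-1-5-31-1286970278978-5713669491-166975984-320, attrs: 00000007)
PID: 1768, 0x00402B87: CreateFileW(file: C:\WINDOWS\system32\KERNEL32.DLL, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x00402BC4: SetFileTime(h: 0000076C)
PID: 1768, 0x00402896: CreateFileW(file: C:\Documents and Settings\Administrator\Local Settings\Application Data\Start\update.exe, OPEN_EXISTING)
PID: 1768, -- CreateFileW result - fHandle: 00000768
PID: 1768, 0x004028B6: SetFileTime(h: 00000768)
PID: 1768, 0x004035AA: CreateMutexW(name: LDLLMAIN, owner: 00000000)
PID: 1768, 0x00403B17: RegOpenKeyExW(key: HKEY_LOCAL_MACHINE, subkey: SYSTEM\CurrentControlSet\Services\USBSTOR\Enum) -> FAIL
""".strip().splitlines()

if __name__ == "__main__":
    for tag, detail in analyse(SAMPLE_TRACE):
        print(f"{tag:13} {detail}")
```

Feeding it the full trace from the post yields one timestomp hit per dropped directory (the KERNEL32.DLL open precedes every SetFileTime), five hide-system hits, the mutex, and three USBSTOR polls. The SetFileTime on update.exe is not flagged because the preceding open was the dropped file itself, not a system binary; that is the limit of the heuristic, since a real timestomp check needs the on-disk times as well.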
xwings
Posted 2009-11-8 11:11:35
Dynamic analysis.

With screenshots: http://xandora.security.net.my/?p=657
Copyright © KaFan  KaFan.cn All Rights Reserved.