Views: 3656 | Replies: 19

[Virus sample] Uploaded 5/23 21:00, it's svchost again! (possibly a widespread sample)

allenhippo
Posted on 2007-5-23 21:12:52
Looks like the author has it in for the antivirus vendors; it is being updated very quickly. I downloaded this half an hour ago.

By the way, Avira (红伞) flags it as "packed". For those below who want to say "packer", I have said it for you, so no need to argue; just report it to your AV vendor quickly.

Calling on 刺猬 to update the payloads this virus downloads; I expect they are all undetected too.



Attached are two related js files, encrypted; uploading at 22:00.


Thanks to 刺猬, got hold of another ani as well.


The downloaded virus: judging by the timestamp it was updated on the night of the 22nd; I preserved the file time from the server.



刺猬's blog has a detailed writeup; everyone can refer to it.
By the way, hats off to 刺猬.

[ Last edited by allenhippo on 2007-5-23 23:14 ]

scottxzt
Posted on 2007-5-23 21:25:06

Starting the file scan:

Begin scan in 'D:\Documents and Settings\dell\桌面\svchost.rar'
D:\Documents and Settings\dell\桌面\
D:\Documents and Settings\dell\桌面\svchost.rar
  [0] Archive type: RAR
  --> svchost.exe
      [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
      [WARNING]   Infected files in archives cannot be repaired!
      [INFO]      The file was successfully wiped!
      [INFO]      The file was deleted!
allenhippo
OP | Posted on 2007-5-23 21:33:02
By the way, Symantec (铁壳) can now detect this virus; it was added to the definitions on the 22nd, named W32.Drom.

Below is Symantec's analysis, very detailed:

Overview:
Discovered: May 22, 2007
Updated: May 23, 2007 8:38:06 AM
Type: Worm
Infection Length: 23,602 bytes (seems to be this size every time; the author is probably an expert)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Drom is a worm that downloads and executes malicious files on the compromised computer and spreads through removable storage devices.
(infects removable devices, so it can propagate)
Protection
  • Virus Definitions (LiveUpdate™ Daily) May 22, 2007
  • Virus Definitions (LiveUpdate™ Weekly) May 23, 2007
  • Virus Definitions (Intelligent Updater) May 22, 2007
  • Virus Definitions (LiveUpdate™ Plus) May 22, 2007
Threat Assessment
Wild
  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy
Damage
  • Damage Level: Medium
  • Payload: Downloads and executes potentially malicious files
  • Deletes Files: Deletes numerous files from the %Temp% directory
Distribution
  • Distribution Level: Medium

Writeup By: Tomasz Smolarek

Details (as everyone can see, it clearly targets Kaspersky)
Discovered: May 22, 2007
Updated: May 23, 2007 8:38:06 AM
Type: Worm
Infection Length: 23,602 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the worm executes, it copies itself as the following file:
%ProgramFiles%\Internet Explorer\romdrivers.bak

Note: The %ProgramFiles%\Internet Explorer directory path is obtained from the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

If it doesn't exist, the path is assumed to be C:\Program Files\Internet Explorer.

The worm then tries to determine if Kaspersky antivirus applications are installed by checking the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\AVP6\environment\ProductName

If present, the worm changes the system date to 1996.


It deletes the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" = ""
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\"@" = "shell32.dll"
HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\"ThreadingModel" = "Apartment"

Then the worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\"{09B68AD9-FF66-3E63-636B-B693E62F6236}" = ""
HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\"@" = "%ProgramFiles%\Internet Explorer\romdrivers.dll"
HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32\"ThreadingModel" = "Apartment"

Next, the worm drops and executes the following file:
%ProgramFiles%\Internet Explorer\romdrivers.dll

If the file is in use, it will be replaced when the computer restarts.

The file then tries to delete the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{754FB7D8-B8FE-4810-B363-A788CD060F1F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06A68AD9-FF56-6E73-937B-B893E72F6226}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{99F1D023-7CEB-4586-80F7-BB1A98DB7602}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{FEB94F5A-69F3-4645-8C2B-9E71D270AF2E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42A612A4-4334-4424-4234-42261A31A236}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DE35052A-9E37-4827-A1EC-79BF400D27A4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{B8A170A8-7AD3-4678-B2FE-F2D7381CC1B5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{131AB311-16F1-F13B-1E43-11A24B51AFD1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{274B93C2-A6DF-485F-8576-AB0653134A76}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01F6EB6F-AB5C-1FDD-6E5B-FB6EE3CC6CD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}

The threat attempts to delete files referenced under the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

It then tries to delete following files:
  • %Temp%\fyso.exe
  • %Temp%\jtso.exe
  • %Temp%\mhso.exe
  • %Temp%\qjso.exe
  • %Temp%\qqso.exe
  • %Temp%\wgso.exe
  • %Temp%\wlso.exe
  • %Temp%\wmso.exe
  • %Temp%\woso.exe
  • %Temp%\ztso.exe
  • %Temp%\daso.exe
  • %Temp%\tlso.exe
  • %Temp%\rxso.exe
  • %Temp%\svchost.exe
  • %Temp%\IEXPLORE.EXE
  • %Temp%\svchost32.exe
  • %Temp%\srogm.exe
  • %Temp%\csrss.exe
  • %Temp%\conime.exe
  • %Temp%\mmc.exe
  • %Temp%\spglsdr.exe
  • %Temp%\services.exe
  • %Temp%\copypfh.exe
  • %Temp%\smss.exe
  • %Temp%\fyso0.dll
  • %Temp%\jtso0.dll
  • %Temp%\mhso0.dll
  • %Temp%\qjso0.dll
  • %Temp%\qqso0.dll
  • %Temp%\wgso0.dll
  • %Temp%\wlso0.dll
  • %Temp%\wmso0.dll
  • %Temp%\woso0.dll
  • %Temp%\ztso0.dll
  • %Temp%\tlso0.dll
  • %Temp%\daso0.dll
  • %Temp%\rxso0.dll
  • %SystemDrive%\Program Files\Internet Explorer\PLUGINS\BinNice.dll
  • %SystemDrive%\Program Files\Internet Explorer\PLUGINS\BinNice.bak
  • %SystemDrive%\Program Files\Internet Explorer\PLUGINS\BinNice.bkk
  • %SystemDrive%\Program Files\Internet Explorer\PLUGINS\System64.sys
  • %SystemDrive%\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.bmp
  • %SystemDir%\drivers\etc\hosts
  • %ProgramFiles%\Internet Explorer\HiJack.dll
  • %ProgramFiles%\Internet Explorer\HiJack.bak
  • %ProgramFiles%\Internet Explorer\HiJack.bkk
  • %ProgramFiles%\Internet Explorer\romdrivers.dll
  • %ProgramFiles%\Internet Explorer\romdrivers.bak
  • %ProgramFiles%\Internet Explorer\romdrivers.bkk
  • %ProgramFiles%\Internet Explorer\Autorun.inf

It then attempts to close windows with the following properties:
Name: whboy (Wuhan boy? Panda Burning Incense?)
Class Name: WebDown

Next, the worm creates a window with the name "orse1re" and then scans all drives from A through Z and creates the following file:
[DRIVE LETTER]:\autorun.inf

The file contains the following text:
[autorun]
open=Ghost.pif
shellexecute=Ghost.pif
shell\Auto\command=Ghost.pif
shell=Auto

It then copies itself as the following file:
[DRIVE LETTER]:\Ghost.pif

It then downloads a file from the following URL:
www.nice8.org/GetVer/Ver.txt

The downloaded file then in turn downloads and executes files from the following links:
[http://]16a.us/oK/svcho[REMOVED]
[http://]16a.us/Sign/csrs[REMOVED]
[http://]16a.us/Sign/svchos[REMOVED]
[http://]16a.us/Sign/smss[REMOVED]
[http://]16a.us/Sign/servic[REMOVED]
[http://]16a.us/Sign/svcho[REMOVED]
[http://]16a.us/Sign/conim[REMOVED]
[http://]16a.us/Sign/ctfmo[REMOVED]
[http://]16a.us/Sign/mmc[REMOVED]
[http://]16a.us/Sign/IEXPLO[REMOVED]
[http://]16a.us/Sign/stpgl[REMOVED]
[http://]16a.us/Sign/srog[REMOVED]
[http://]16a.us/Sign/spgls[REMOVED]
[http://]16a.us/Sign/copyp[REMOVED]

Note: The downloaded files are saved to %Temp% as their original filenames and are also dropped on all drives from A to Z as Ghost.pif.

The threat creates the following registry subkey that contains a list of the downloaded files:
HKEY_CURRENT_USER\Software\SetVer\ver

Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

Writeup By: Tomasz Smolarek

[ Last edited by allenhippo on 2007-5-23 21:59 ]
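The two persistence mechanisms in the writeup above (a ShellExecuteHooks CLSID whose InProcServer32 points at a dropped DLL, and an autorun.inf whose "shell=Auto" verb hijacks the drive's default double-click action) are things a defender can check for from an offline registry export and a file listing. The following Python is an added example written here for this thread; it is not code from the poster, from 刺猬, or from Symantec. The .reg text and autorun.inf content are constructed from the values quoted in the writeup, and the check assumes that a stock Windows XP/2003 install registers only the shell32.dll hook {AEB6717E-7E19-11d0-97EE-00C04FD91972} under ShellExecuteHooks.

```python
import re

# Constructed .reg export (not a real capture): the legitimate shell hook plus
# the CLSID the W32.Drom writeup says the worm registers.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{09B68AD9-FF66-3E63-636B-B693E62F6236}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{09B68AD9-FF66-3E63-636B-B693E62F6236}\InProcServer32]
@="C:\\Program Files\\Internet Explorer\\romdrivers.dll"
"ThreadingModel"="Apartment"
"""

# Constructed autorun.inf with the exact entries listed in the writeup.
SAMPLE_AUTORUN = """[autorun]
open=Ghost.pif
shellexecute=Ghost.pif
shell\\Auto\\command=Ghost.pif
shell=Auto
"""

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
# Assumption: the only hook a clean XP/2003 box registers is the shell's own.
KNOWN_GOOD = {"{AEB6717E-7E19-11d0-97EE-00C04FD91972}": "shell32.dll"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only REG_SZ values are handled, which is all this check needs."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg escapes backslashes and quotes inside string data.
            data = m.group(2)[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def suspicious_hooks(keys):
    """Return (clsid, dll) for every ShellExecuteHook whose in-process server
    is not the known-good shell32.dll entry."""
    findings = []
    for clsid in keys.get(HOOKS_KEY, {}):
        server_key = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32"
        dll = keys.get(server_key, {}).get("@", "<no InProcServer32>")
        if KNOWN_GOOD.get(clsid, "").lower() != dll.lower():
            findings.append((clsid, dll))
    return findings


def parse_autorun(text):
    """Key/value pairs of the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            entries[k.strip().lower()] = v.strip()
    return entries


def autorun_launch_targets(text):
    """Files this autorun.inf would run: the classic open/shellexecute entries
    plus any custom verb that 'shell=' makes the default double-click action."""
    e = parse_autorun(text)
    targets = {k: e[k] for k in ("open", "shellexecute") if k in e}
    verb = e.get("shell")
    if verb:
        cmd = e.get("shell\\" + verb.lower() + "\\command")
        if cmd:
            targets["shell=" + verb] = cmd
    return targets


if __name__ == "__main__":
    for clsid, dll in suspicious_hooks(parse_reg(SAMPLE_REG)):
        print("unexpected ShellExecuteHook", clsid, "->", dll)
    for how, target in autorun_launch_targets(SAMPLE_AUTORUN).items():
        print("autorun.inf launches", target, "via", how)
```

On a real machine you would feed `parse_reg` the output of `reg export` for the two hives and `autorun_launch_targets` the root-level autorun.inf of each drive; the ShellExecuteHooks check is the more durable one, since the hook DLL is loaded into every process that calls ShellExecute and survives a reboot.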
scottxzt
Posted on 2007-5-23 21:40:25
Micropoint (微点) flags it as unknown spyware.

wangjay1980
Posted on 2007-5-23 21:46:54
Kaspersky really has far too much to carry.
moonsilver
Posted on 2007-5-23 21:55:05
Reported.
yzt1004
Posted on 2007-5-23 22:13:41
What is that js? Kaspersky flagged this:
Kaspersky Anti-Virus 7.0

The requested URL http://bbs.kafan.cn/attachment.php?aid=74849 is infected with Trojan-Downloader.JS.Agent.gd virus
Another one to send to AVG AntiSpyware 7.5.
dikex
Posted on 2007-5-23 22:29:22
Doesn't the analysis above already have the download addresses? Only the format is different, with the .exe stripped off.

http://16a.us/oK/svchost.exe
http://16a.us/Sign/csrss.exe
http://16a.us/Sign/svchost32.exe
http://16a.us/Sign/smss.exe
http://16a.us/Sign/services.exe
http://16a.us/Sign/svchost.exe
http://16a.us/Sign/conime.exe
http://16a.us/Sign/ctfmon.exe
http://16a.us/Sign/mmc.exe
http://16a.us/Sign/IEXPLORE.EXE
http://16a.us/Sign/stpgldk.exe
http://16a.us/Sign/srogm.exe
http://16a.us/Sign/spglsdr.exe
http://16a.us/Sign/copypfh.exe

P.S. Swamped with classes today, from 8 in the morning until 10 at night.
allenhippo
OP | Posted on 2007-5-23 22:31:33

Reply to #8, dikex's post

I only noticed after seeing Symantec's report.

I'll leave the js files to you, thanks.

[ Last edited by allenhippo on 2007-5-23 22:32 ]
zzh161
Posted on 2007-5-23 22:34:03
Trend Micro killed the second one.
