作者:孤独更可靠
文件名称:dms.exe
文件大小:303106 byte
AV命名:
Backdoor.Win32.Agent.dcx(卡巴斯基)
Backdoor.Agent.ZAQ(BitDefende)
BackDoor.Agent.PWJ(AVG)
加壳方式:UPX
编写语言:Delphi
文件MD5:770c0b8a580d766f3fc62a6fa8e1398e
行为分析:
1、 释放病毒副本:
C:\WINDOWS\w3333.dll
C:\WINDOWS\system32\dms.exe
2、 注册系统服务,开机启动:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTPDate Service]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,64,00,6f,00,77,00,73,00,\
5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,6d,00,73,\
00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="NTPDate Service"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTPDate Service\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTPDate Service\Enum]
"0"="Root\\LEGACY_NTPDATE_SERVICE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
3、 w3333.dll尝试注入Explorer.exe,不过没有实现。
4、 定时在后台刷网站流量,占用宽带资源。
5、 可能从http://www.our****.cn下载其他文件,并使用SSL加密协议通信。
解决方法:
1、下载SREng,直接放桌面。http://secure.itdigger.com/tool
2、重启计算机,按F8进入安全模式,用SREng删除这个服务项:
NTPDate Service
|
IP卡
狗仔卡
发表于 2008-1-16 00:28:04
提升卡
置顶卡
喧嚣卡
变色卡
抢沙发
显身卡