Trojan-Dropper.Win32.Agent.env(explorer.exe,netsrv.dll)病毒分析
[font=宋体][size=9pt]出处:超级巡警团队[/size][/font][font=ˎ̥][size=9pt][font=Times New Roman] [/font][/size][/font][font=宋体][size=9pt]时间:[/size][/font][font=ˎ̥][size=9pt][font=Times New Roman]2008[/font][/size][/font][font=宋体][size=9pt]年[/size][/font][font=ˎ̥][size=9pt][font=Times New Roman]3[/font][/size][/font][font=宋体][size=9pt]月[/size][/font][font=ˎ̥][size=9pt][font=Times New Roman]14[/font][/size][/font][font=宋体][size=9pt]日[/size][/font][font=ˎ̥][size=9pt][/size][/font][font=Times New Roman][size=3] [/size][/font]
[size=3][font=Times New Roman]Trojan-Dropper.Win32.Agent.env[/font][font=宋体]伪装为[/font][font=Times New Roman]explorer.exe[/font][font=宋体]隐藏在[/font][font=Times New Roman]system32[/font][font=宋体]文件夹下,而系统正常的[/font][font=Times New Roman]explorer.exe[/font][font=宋体]文件是在[/font][font=Times New Roman]windows[/font][font=宋体]目录下的。此恶意程序会下载并运行近[/font][font=Times New Roman]30[/font][font=宋体]个恶意程序,这些程序会盗取用户的敏感信息,占用系统资源。超级巡警团队提醒广大用户,要经常使用超级巡警进行全盘扫描,以保证系统不受恶意程序困扰。[/font][/size]
[font=Times New Roman][size=3] [/size][/font]
[font=宋体][size=3]一病毒相关分析[/size][/font]
[font=宋体][size=3]病毒标签:[/size][/font]
[font=Times New Roman][size=3] [/size][/font][font=宋体][size=3]病毒名称:[/size][/font][size=3][font=Times New Roman]Trojan-Dropper.Win32.Agent.env
[/font][font=宋体]病毒类型:木马下载者[/font][/size]
[font=Times New Roman][size=3] [/size][/font][font=宋体][size=3]危害级别:[/size][/font][size=3][font=Times New Roman]3
[/font][font=宋体]感染平台:[/font][/size][size=3][font=Times New Roman]Windows
[/font][font=宋体]病毒大小:[/font][font=Times New Roman]4,248([/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
SHA1[/font][font=宋体] :[/font][/size][size=3][font=Times New Roman]87e7729f887a1142514fcc4541d705658e281421
[/font][font=宋体]加壳类型:[/font][/size][size=3][font=Times New Roman]Upack
[/font][font=宋体]开发工具:[/font][font=Times New Roman]VC[/font][/size]
[font=宋体][size=3]病毒行为:[/size][/font]
[size=3][font=Times New Roman] 1[/font][font=宋体]、自制自身到[/font][/size][size=3][font=Times New Roman]%System%\explorer.exe
[/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]释放文件[/font][/size][size=3][font=Times New Roman]%System%\netsrv.dll
2[/font][font=宋体]、试图注入[/font][font=Times New Roman]netsrv.dll[/font][font=宋体]系统进程,监控发送到消息队列的消息。[/font][/size]
[font=Times New Roman][size=3] 3[/size][/font][size=3][font=宋体]、生成配置文件[/font][font=Times New Roman]%System%\BOLE.INI[/font][font=宋体]和[/font][/size][size=3][font=Times New Roman]%System%\WIN.INI
[/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]并根据配置文件下载以下文件:[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/1.exe (20,268 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/2.exe (19,583 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/3.exe (18,336 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/4.exe (19,213 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/5.exe (12,208 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/6.exe (12,708 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/7.exe (17,268 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/8.exe (12,568 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/9.exe (15,288 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/10.exe (20,268 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/11.exe (12,184 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/12.exe (17,963 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/13.exe (12,668 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/14.exe (17,436 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/15.exe (18,373 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/16.exe (17,519 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/17.exe (18,829 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/18.exe (17,914 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/19.exe (20,015 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/20.exe (18,483 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/21.exe (11,736 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/22.exe (11,889 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/23.exe (13,192 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/24.exe (12,335 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/25.exe (12,964 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/26.exe (18,280 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/27.exe (20,332 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/28.exe (33,897 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
[/font][font=宋体] [/font][font=Times New Roman] http://iii.*****.com/wm/29.exe (78,919 [/font][font=宋体]字节[/font][/size][size=3][font=Times New Roman])
4[/font][font=宋体]、以上文件运行添加以下启动项,如图:[/font][/size]
[size=3][font=宋体][attach]6816[/attach][/font][/size]
[font=宋体][size=3]二解决方案[/size][/font]
[font=宋体][size=3]推荐方案:删除病毒的启动项并安装超级巡警进行全面病毒查杀。超级巡警用户请升级到最新病毒库,并进行全盘扫描。[/size][/font]
[size=3][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]超级巡警下载地址:[/font][/size][url=http://www.dswlab.com/d1.html][font=ˎ̥][size=9pt][font=Times New Roman][color=#800080]http://www.dswlab.com/d1.html[/color][/font][/size][/font][/url]
[font=宋体][size=3]三安全建议[/size][/font]
[size=3][font=Times New Roman]1[/font][font=宋体]、立即安装或更新防病毒软件并对内存和硬盘全面扫描[/font][font=Times New Roman]([/font][font=宋体]推荐安装超级巡警[/font][font=Times New Roman])[/font][font=宋体]。[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] 2[/font][font=宋体]、根据实际安全级别需要适当考虑选用防火墙,并进行正确的设置。[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] 3[/font][font=宋体]、使用超级巡警的补丁检查功能,及时安装系统补丁。[/font][/size][size=3][font=Times New Roman]
[/font][font=宋体] [/font][font=Times New Roman] 4[/font][font=宋体]、不要随意共享文件或文件夹,共享前应先设置好权限,另外建议共享文件不要设置为可写或可控制。[/font][/size][size=3][font=Times New Roman]
[/font][font=宋体] [/font][font=Times New Roman] 5[/font][font=宋体]、禁用或删除不必要的的帐号,对管理员帐号设置一个强壮的密码。[/font][/size][size=3][font=Times New Roman]
[/font][font=宋体] [/font][font=Times New Roman] 6[/font][font=宋体]、禁用不必要的服务。[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] 7[/font][font=宋体]、及时更新常用软件,尤其是聊天工具。[/font][/size][size=3][font=Times New Roman]
[/font][font=宋体] [/font][font=Times New Roman] 8[/font][font=宋体]、不要随便打开不明来历的电子邮件,尤其是邮件附件。[/font][/size]
[font=Times New Roman][size=3] [/size][/font]
[size=3][font=宋体]注:[/font][font=Times New Roman] %System% [/font][font=宋体]是一个可变路径,在[/font][font=Times New Roman]windows95/98/me[/font][font=宋体]中该变量是指[/font][font=Times New Roman]%Windir%\System[/font][font=宋体],在[/font][font=Times New Roman]WindowsNT/2000/XP/2003/VISTA[/font][font=宋体]中该变[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]量指[/font][font=Times New Roman]%Windir%\System32[/font][font=宋体]。其它:[/font][/size]
[size=3][font=Times New Roman]%SystemDrive% [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]系统安装的磁盘分区[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %SystemRoot% = %Windir% [/font][font=宋体] [/font][font=Times New Roman]WINDODWS[/font][font=宋体]系统目录[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %ProgramFiles%[/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] 应用程序默认安装目录[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %AppData% [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]应用程序数据目录[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %CommonProgramFiles%[/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]公用文件目录[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %HomePath% [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]当前活动用户目录[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %Temp% =%Tmp% [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]当前活动用户临时目录[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %DriveLetter% [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]逻辑驱动器分区[/font][/size]
[size=3][font=宋体] [/font][font=Times New Roman] %HomeDrive% [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体] [/font][font=Times New Roman] [/font][font=宋体]当前用户系统所在分区[/font][/size] :) :) :) :) :) :) 顶你!
页:
[1]