Rising Kaka Security Forum

[帮新郎找新娘] Level 4 Challenge
ch_builder - 2010-3-28 18:28:00
File: 1.exe
Size: 57962 bytes
File version: 3.02
MD5: A4DF3BCC1B7493CAE823AE69381A8B0C
SHA1: E0466D5F8E222C764F6652A0D2AEA14AD3D1636B
CRC32: F4A4A9F2
Analysis environment: virtual machine, XP SP3 + IE6 + EQ3.41 default rules

Behavior analysis:
Local file behavior:
Created files:

Quote:
%DriveLetter%\autorun.inf
%DriveLetter%\SDGames.exe
%DriveLetter%\Recycleds.url                   
%DriveLetter%\Windows.url
%DriveLetter%\新建文件夹.url
%SystemRoot%\system32\AUTORUN.INF
%SystemRoot%\system32\Avpser.cmd
%SystemRoot%\system32\netshare.cmd
%SystemRoot%\system32\SDGames.exe             
%SystemRoot%\system32\Taskeep.vbs
%HomePath%\Local Settings\Temp\~DFD2B5.tmp

The three .url files all link to %DriveLetter%\SDGames.exe
Modifies the file %SystemRoot%\system.ini, adding the following:

Quote:
[windows]
shell=explorer.exe & C:\WINDOWS\system32\SDGames.exe
load=C:\WINDOWS\system32\SDGames.exe

Skips the system partition and infects files of the following formats on the other partitions:

Quote:
.exe
.hta
.html
.htm
.php
.asp
.jsp


Local registry behavior:
Adds a registry startup entry:

Quote:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Winstary
Value: %SystemRoot%\system32\SDGames.exe


Modifies registry startup entries:

Quote:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\\load
Value: %SystemRoot%\system32\SDGames.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\\run
Value: %SystemRoot%\system32\SDGames.exe


Modifies the registry to change the .txt and .reg file associations:

Quote:
HKCR\regfile\shell\open\command
Value: %SystemRoot%\system32\SDGames.exe
HKCR\txtfile\shell\open\command
Value: %SystemRoot%\system32\SDGames.exe


Modifies the registry to change the browser home page:

Quote:
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page
Value: http://www.zhidaobaidu.10mb.cn/
HKCU\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL
Value: wangma
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\start page
Value: wangma
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL
Value: wangma


Modifies the registry to disable "Folder Options":

Quote:
HKCU\software\microsoft\windows\currentversion\policies\explorer\nofolderoptions
Value: 00000001


Modifies the registry to break the display of hidden files:

Quote:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Value: 0x00000000
HKCU\software\microsoft\windows\currentversion\explorer\advanced\hidden
Value: 00000002
HKCU\software\microsoft\windows\currentversion\explorer\advanced\hidefileext
Value: 00000001


Modifies the registry to disable the Control Panel:

Quote:
hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\NoControlpanel
Value: 00000001


Modifies the registry to prevent changes to the taskbar:

Quote:
hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\nosettaskbar
Value: 00000001


Modifies the registry to allow anonymous logon:

Quote:
hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymous
00000000


Modifies the following registry values to change service startup types, so as to enable sharing and Remote Assistance:

Quote:
HKLM\SYSTEM\ControlSet001\Control\Terminal Server\fDenyTSConnections: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\CryptSvc\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\AutoShareWks: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\AutoShareServer: 0x00000001 
HKLM\SYSTEM\ControlSet001\Services\TermDD\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\TermService\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections: 0x00000000


Sets the Start value of the following services in the registry to 4, disabling the Windows Automatic Updates service and the Windows Firewall/Internet Connection Sharing service:

Quote:
hkey_local_machine\system\currentcontrolset\services\wuauserv\\start
Value: 00000004
hkey_local_machine\system\currentcontrolset\services\sharedaccess\\start
Value: 00000004


Adds registry entries to disable registry editing tools, Task Manager and cmd:

Quote:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableRegistrytools
Value: 00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
Value: 00000001
hkey_current_user\software\policies\microsoft\windows\system\disablecmd
Value: 00000000


Deletes registry keys to break Safe Mode:

Quote:
hkey_current_user\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_current_user\system\controlset001\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\controlset001\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
HKLM\System\CurrentControlSet\Control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}


Modifies the registry to break the right mouse button:

Quote:
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\checkedvalue
Value: 00000000


Modifies the registry to change the keyboard input method hotkey:

Quote:
HKU\.DEFAULT\Keyboard Layout\Toggle\Hotkey
Value: 0x00000001


Creates registry keys adding IFEO image hijacks in an attempt to hijack most security software processes:

Quote:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger: "360rpt.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger: "360Safe.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger: "360tray.EXE"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\Debugger: "adam.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\Debugger: "AgentSvr.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger: "AppSvc32.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger: "autoruns.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\Debugger: "avgrssvc.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\Debugger: "AvMonitor.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\Debugger: "avp.com"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger: "avp.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\Debugger: "CCenter.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger: "ccSvcHst.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger: "FileDsty.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\Debugger: "FTCleanerShell.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\Debugger: "HijackThis.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\Debugger: "IceSword.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\Debugger: "iparmo.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger: "Iparmor.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger: "isPwdSvc.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger: "kabaload.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\Debugger: "KaScrScn.SCR"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger: "KASMain.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\Debugger: "KASTask.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger: "KAV32.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\Debugger: "KAVDX.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\Debugger: "KAVPFW.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\Debugger: "KAVSetup.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\Debugger: "KAVStart.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger: "KISLnchr.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\Debugger: "KMailMon.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\Debugger: "KMFilter.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Knod32kui.exe\Debugger: "nod32kui.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\Debugger: "KPFW32.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\Debugger: "KPFW32X.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFWSvc.exe\Debugger: "KPFWSvc.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\Debugger: "KRegEx.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.COM\Debugger: "KRepair.COM"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\Debugger: "KsLoader.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\Debugger: "KVCenter.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\Debugger: "KvDetect.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\Debugger: "KvfwMcl.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger: "KVMonXP.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\Debugger: "KVMonXP_1.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\Debugger: "kvol.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger: "kvolself.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\Debugger: "KvReport.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\Debugger: "KVScan.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger: "KVSrvXP.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\Debugger: "KVStub.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\Debugger: "kvupload.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\Debugger: "kvwsc.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger: "KvXP.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\Debugger: "KvXP_1.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\Debugger: "KWatch.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\Debugger: "KWatch9x.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\Debugger: "KWatchX.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\Debugger: "loaddll.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\Debugger: "MagicSet.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MainCon.exe\Debugger: "MainCon.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger: "mcconsol.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\Debugger: "mmqczj.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger: "mmsk.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger: "msconfig.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe\Debugger: "NAVSetup.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger: "nod32krn.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\Debugger: "PFW.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\Debugger: "PFWLiveUpdate.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\Debugger: "QHSET.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQ.exe\Debugger: "QQ.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\Debugger: "Ras.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger: "Rav.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger: "RavMon.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\Debugger: "RavMonD.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\Debugger: "RavStub.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger: "RavTask.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\Debugger: "RegClean.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\Debugger: "rfwcfg.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe\Debugger: "RfwMain.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger: "rfwProxy.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger: "rfwsrv.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\Debugger: "Rsaupd.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger: "runiep.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\Debugger: "safelive.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger: "scan32.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Shadowservice.exe\Debugger: "Shadowservice.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\Debugger: "shcfg32.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\Debugger: "SmartUp.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe\Debugger: "SREng.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srgui.exe\Debugger: "srgui.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\Debugger: "symlcsvc.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger: "SysSafe.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\Debugger: "TrojanDetector.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger: "Trojanwall.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger: "TrojDie.kxp"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger: "UIHost.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger: "UmxAgent.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\Debugger: "UmxAttachment.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\Debugger: "UmxCfg.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\Debugger: "UmxFwHlp.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\Debugger: "UmxPol.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE.exe\Debugger: "UpLive.EXE.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\Debugger: "WoptiClean.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger: "zxsweep.exe"


Other behavior:
1. Invokes the shell explorer.exe to open its own directory;
2. Changes the system time to the year 2030 and hides the %SystemRoot%\system32\ folder;
3. Invokes cmd.exe to run the following command lines:
cmd /c sc config winmgmt start= AUTO & net start winmgmt & quit
cmd /c sc config lanmanserver start= AUTO & net start lanmanserver & quit
cmd /c sc config Alg Start= disabled & net stop Alg
cmd /c sc config sharedaccess start= disabled & net stop sharedaccess
4. Launches rundll32.exe to call wscript.exe and run the script file Taskeep.vbs
5. Runs the command line "taskkill /f /im /t" via cmd.exe in an attempt to terminate the following security software processes (the process name list below is written into the created file %SystemRoot%\system32\Avpser.cmd):

Quote:
RavMonD.exe
RavStub.exe
Anti*
AgentSvr*
CCenter*
Rsaupd*
SmartUp*
FileDsty*
RegClean*
360tray*
360safe*
kabaload*
safelive*
KASTask*
kpFW32*
kpFW32X*
KvXP_1*
KVMonXP_1*
KvReport*
KvXP*
KVMonXP*
nter*
TrojDie*
avp.com
KRepair.COM
Trojan*
KvNative*
Virus*
Filewall*
Kaspersky*
JiangMin*
RavMonD*
RavStub*
RavTask*
adam*
cSet*
PFWliveUpdate*
mmqczj*
Trojanwall*
Ras.exe
runiep.exe
avp.exe
PFW.exe
rising*
ikaka*
.duba*
kingsoft*
木马*
社区*
aswBoot*
MainCon*
Regs*
AVP*
Task*
regedit*
Ras*
srgui*
norton*
avp*
fire*
spy*
bullguard*
PersFw*
KAV*
ZONEALARM*
SAFEWEB*
OUTPOST*
ESAFE*
clear*
BLACKICE*
360safe.exe
Shadowservice.exe
v3webnt.exe
v3sd32.exe
v3monsvc.exe
sysmonnt.exe
hkcmd.exe
DNTUS26.EXE
AhnSD.exe
CTFMON.EXE
MonsysNT.exe
awrem32.exe
WINAW32.EXE
PNTIOMON.exe
avgw.exe
avgcc32.exe
PROmon.exe
PNTIOMON.exe
MagicSet.exe
MainCon.exe
TrCleaner.exe
WmNetPro.exe
修复*
保护*




User system info: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
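As an added example (not code from the post above and not from Rising), here is a Python check that compares the indicators the post lists for 1.exe, the system.ini shell=/load= change, the Explorer and System policy values, the Safe Mode disk-class key and the service Start values, against a snapshot of a machine. The registry paths and observed values are the ones the post reports; the snapshot dictionary, the system.ini text and the clean-state values (XP SP3 defaults) are constructed assumptions for this example:

```python
"""Added example, not code from the forum post or from Rising: audits the
tamper indicators the post reports for sample 1.exe (system.ini shell=/load=,
Explorer and System policy values, the Safe Mode disk-class key, service
Start values) against a snapshot. Registry paths and observed values are
taken from the post; the snapshot dictionary, the system.ini text and the
clean-state expectations are constructed here and are assumptions."""
import configparser
from typing import Dict, List, Optional

# Constructed system.ini text with the [windows] section as the post reports it.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
[windows]
shell=explorer.exe & C:\\WINDOWS\\system32\\SDGames.exe
load=C:\\WINDOWS\\system32\\SDGames.exe
"""

PRESENT = "present"  # expectation marker: the key only has to exist

# (path, clean value, absent-is-clean, what the tampering does).
# Policy values are not set on a fresh XP install, so absence counts as clean
# for them; the Safe Mode key must exist; service Start 2 means Automatic.
EXPECTED = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, True, "Folder Options menu removed"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", 0, True, "Control Panel disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar", 0, True, "taskbar settings locked"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, True, "Task Manager disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, True, "Registry Editor disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue", 1, False, "'Show hidden files' option broken"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start", 2, False, "Automatic Updates service disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start", 2, False, "Windows Firewall/ICS service disabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections", 1, False, "Remote Desktop connections enabled"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4d36e967-e325-11ce-bfc1-08002be10318}", PRESENT, False, "Safe Mode disk-class key deleted"),
]

# Constructed snapshot: path -> DWORD data, or None when the key/value is absent.
# The values mirror what the post reports after 1.exe has run.
SAMPLE_SNAPSHOT: Dict[str, Optional[int]] = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools": 1,
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue": 0,
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start": 4,
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start": 4,
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections": 0,
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4d36e967-e325-11ce-bfc1-08002be10318}": None,
}


def check_system_ini(text: str) -> List[str]:
    """Flag a [windows] shell= that runs anything besides explorer.exe, and a
    non-empty load= or run=; these legacy autostart points are what 1.exe abuses."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings: List[str] = []
    if not cp.has_section("windows"):
        return findings
    shell = cp.get("windows", "shell", fallback="").strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(f"system.ini [windows] shell= runs an extra program: {shell}")
    for key in ("load", "run"):
        value = cp.get("windows", key, fallback="").strip()
        if value:
            findings.append(f"system.ini [windows] {key}= is set: {value}")
    return findings


def audit_registry(snapshot: Dict[str, Optional[int]]) -> List[str]:
    """Compare a snapshot with EXPECTED. Paths compare case-insensitively
    because the post quotes them in mixed case; paths missing from the
    snapshot were simply not sampled and are skipped."""
    observed = {path.lower(): data for path, data in snapshot.items()}
    findings: List[str] = []
    for path, clean, absent_ok, why in EXPECTED:
        if path.lower() not in observed:
            continue
        data = observed[path.lower()]
        if data is None:
            if clean == PRESENT or not absent_ok:
                findings.append(f"{why}: {path} is missing")
        elif clean != PRESENT and data != clean:
            findings.append(f"{why}: {path} = {data} (expected {clean})")
    return findings


def audit_all(ini_text: str, snapshot: Dict[str, Optional[int]]) -> List[str]:
    return check_system_ini(ini_text) + audit_registry(snapshot)


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_SYSTEM_INI, SAMPLE_SNAPSHOT):
        print(finding)
```

Run as a script it prints ten findings for the constructed snapshot. On a real machine the snapshot dictionary would be filled from `reg query` output or the `winreg` module instead of being typed in; the point of the expectations table is that each entry records what the clean value is, so a comparison can be rerun after cleanup to confirm every setting was restored, including the Safe Mode key that has to be recreated rather than edited.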
ch_builder - 2010-3-28 18:36:00
File: C:\Documents and Settings\Administrator\桌面\3个\2.exe
Size: 19112 bytes
Modified: 26 March 2010, 10:32:42
MD5: 72EBBB42E081741544736F531EF13113
SHA1: D76319EFB541F41EF1BE3B88B7F302FAA09D7813
CRC32: 0F7B36C7
Analysis environment: virtual machine, XP SP3 + IE6 + EQ3.41 default rules

Behavior analysis:
Local file analysis:
Created files:
%SystemRoot%\Fonts\4c2037053725bd0763c9727d8b8e67c2\system\svchost.exe
Creates a batch file in its own directory and runs it to delete itself and the batch file
Batch file contents written:

Quote:
:try
attrib -s -h -a "C:\Documents and Settings\Administrator\桌面\2.exe"
del "C:\Documents and Settings\Administrator\桌面\2.exe"
if exist "C:\Documents and Settings\Administrator\桌面\2.exe" goto try
del "C:\Documents and Settings\Administrator\桌面\2.exe.bat"

Infects some executable files on non-system partitions (how it decides what to infect is unknown)

Local registry analysis:
Adds a registry startup entry:

Quote:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TBMExe
Value: %SystemRoot%\Fonts\4c2037053725bd0763c9727d8b8e67c2\system\svchost.exe

Adds registry keys creating IFEO image hijacks of most security software processes:

Quote:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACKWIN32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTI-TROJAN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\APVXDWIN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AUTODOWN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVE32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGCTRL.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKSERV.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVNT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPCC.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPDOS32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPM.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPTC32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVPUPD.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCHED32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWIN95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWUPD32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKD.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BLACKICE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIADMIN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFIAUDIT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFINET.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CFINET32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLAW95CF.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLEANER3.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DVP95_0.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ECENGINE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESAFE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXPWATCH.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-AGNT95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-PROT95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\F-STOPW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FESCUE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FINDVIRU.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FP-WIN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPROT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMAPP.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IAMSERV.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMASN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IBMAVSP.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOAD95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICLOADNT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICMON.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPP95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICSUPPNT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IFACE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IOMON98.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\JEDI.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVsvc.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSvcUI.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVwsc.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchUI.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOCKDOWN2000.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo1_.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Logo_1.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LOOKOUT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LUALL.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MAILMON.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MOOLIVE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPFTRAY.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\N32SCANW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVLU32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NISUM.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NMain.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NORMIST.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NUPGRADE.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NVC95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVCL.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVSCHED.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAVW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCCWIN98.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCFWALLICON.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PERSFW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV7.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAV7WIN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmon.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVmonD.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAVtimer.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rising.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAFEWEB.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPM.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCRSCAN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SERV95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMC.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPHINX.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SWEEP95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TBSCAN.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TCA.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-98.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDS2-NT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\THGUARD.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanHunter.exe\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VET95.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VETTRAY.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSCAN40.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSECOMR.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSHWIN32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSTAT.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WEBSCANX.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WFINDV32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVP32.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPCC.EXE\Debugger: "c:\\xue.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_AVPM.EXE\Debugger: "c:\\xue.exe"


Network behavior analysis:
Connects to the network, but the address is no longer valid

Other behavior:
Stays resident as a process and forcibly closes windows whose titles contain certain strings

Because analysis environments differ, other behaviors visible from code analysis did not appear in this actual test.
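As an added example serving both this post and the 1.exe post above (not code from the posts and not from Rising): a Python audit of IFEO Debugger entries written in the format the two lists use. It tells apart the two hijack patterns reported, the self-referencing entries of 1.exe (each image's Debugger is the image itself, so the program can never start) and the single-target redirect of 2.exe (every image runs c:\\xue.exe instead), and condenses a mass hijack into one summary line per target. The sample lines and the allowlist of debugger names are constructed assumptions:

```python
"""Added example, not code from the forum posts or from Rising: audits Image
File Execution Options (IFEO) Debugger entries in the format the two posts
use and separates the two hijack patterns they report: 1.exe points each
image's Debugger back at the image itself, so the program can never start;
2.exe points every image at c:\\xue.exe. The input lines are constructed for
this example (some copied from the posts' lists plus one legitimate entry);
the allowlist of debugger names is an assumption, not from the posts."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

IFEO_RE = re.compile(
    r'Image File Execution Options\\(?P<image>[^\\]+)\\Debugger:\s*"(?P<dbg>[^"]*)"',
    re.IGNORECASE,
)

# Constructed allowlist: debugger executables an analyst accepts under IFEO.
KNOWN_DEBUGGERS = {"ntsd.exe", "windbg.exe", "cdb.exe"}

# Constructed input in the format the posts use; the last line is a Run
# entry, not an IFEO entry, and must be ignored.
SAMPLE_LINES = [
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger: "360tray.EXE"',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger: "avp.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Knod32kui.exe\Debugger: "nod32kui.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger: "c:\\xue.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE\Debugger: "c:\\xue.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger: "C:\WINDOWS\system32\ntsd.exe -d"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TBMExe: "%SystemRoot%\svchost.exe"',
]


class Finding(NamedTuple):
    image: str
    debugger: str
    kind: str  # "self-reference", "redirect", "allowed" or "empty"


def debugger_target(value: str) -> str:
    """Normalise the Debugger data: collapse the doubled backslashes the posts
    show, keep only the first token (the program; arguments follow), lower-case.
    A debugger path containing spaces would need real command-line parsing."""
    tokens = value.replace("\\\\", "\\").split()
    return tokens[0].lower() if tokens else ""


def classify(image: str, debugger: str) -> str:
    target = debugger_target(debugger)
    name = target.rsplit("\\", 1)[-1]
    if not name:
        return "empty"
    if name == image.lower():
        return "self-reference"  # image can never launch (1.exe pattern)
    if name in KNOWN_DEBUGGERS:
        return "allowed"
    return "redirect"            # another program runs instead (2.exe pattern)


def audit_ifeo(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = IFEO_RE.search(line)
        if m:
            image, dbg = m.group("image"), m.group("dbg")
            findings.append(Finding(image, dbg, classify(image, dbg)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hijacked images per target so a mass redirect shows as one line;
    allowed entries are left out."""
    counts: Counter = Counter()
    for f in findings:
        if f.kind == "self-reference":
            counts["self-reference:<image itself>"] += 1
        elif f.kind == "redirect":
            counts[f"redirect:{debugger_target(f.debugger)}"] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit_ifeo(SAMPLE_LINES)
    for f in results:
        print(f"{f.kind:15} {f.image:20} -> {f.debugger}")
    for key, n in summarize(results).items():
        print(f"{n:3} image(s) {key}")
```

On the constructed input the summary reports two self-referencing images, two images redirected to c:\xue.exe and one to nod32kui.exe (the Knod32kui.exe entry from the 1.exe list, whose Debugger does not match its image name, so it is a redirect rather than a self-reference); the ntsd.exe entry is reported as allowed. The same function can be fed the full lists from both posts or the output of exporting the Image File Execution Options key on a suspect machine.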
ch_builder - 2010-3-28 18:43:00
File: 3.vbs
Size: 10034 bytes
MD5: 3D4F703478918537FEF82C7194E7BC91
SHA1: 40ECE7AF4BB8FBD73458ABBC6FBA0FA1CD9FE613
CRC32: C2D1B20E
Note: the content is too long to fit in one post, so it has been uploaded as an attachment; see the attachment. Thanks!

Attachment: 3分析.txt
ch_builder - 2010-3-30 9:25:00
I also wrote the team name wrong.
The correct one is: 帮新郎找新娘
辛达星郁 - 2010-4-5 20:32:00
Here to admire and learn.
辛达星郁 - 2010-4-5 20:37:00
This one is okay, I can understand it.
辛达星郁 - 2010-4-5 20:39:00
What I most want to see is the third sample, but I can't view it.

Have the attachment permissions not been changed yet??
是昔流芳 - 2010-4-5 20:39:00
Came to take a look.
jks_风 - 2010-4-6 10:13:00
Just read the analysis by the technical team's experts and immediately understood what "gap" means.

Keep it up~