Today I helped a friend deal with a computer virus. A certain domestic antivirus product was unable to remove it, so I took a sample and analyzed it a little. Below I share my findings with everyone; suggestions are welcome. Some people say this virus is a variant of Panda Burning Incense (熊猫烧香). Looking at the source code I found no trace of that; its main behaviors are as follows:
Basic virus information
=======================
Sample ID: CISRT2007027
Virus name: Trojan-PSW.Win32.QQPass.jh (Kaspersky)
Aliases: Worm.Pabug.co (Rising)
Win32.Troj.QQPass.nw.48436 (Kingsoft Duba)
Size: 48,436 bytes
Packer: BeRo
Sample MD5: 3093c27faaaf59effa8cc095d9217f6d
Sample SHA1: 27c81076d02992d35643f8668939a832c1cca5fe
Discovered: 2007.1
Updated: 2007.2.3
Related viruses:
Propagation: malicious web pages, downloaded by other viruses; also spreads via USB flash drives and other removable media
Analysis environment and tools
==============================
VM 5.4, IDA, OD (OllyDbg), PEiD
Technical analysis
==================
Variant: [CISRT2007007] QQ password-stealing trojan with random-named exe/dll, sxs.exe and autorun.inf, and its removal procedure
The trojan uses a text-file icon. When run, it copies itself several times into the system directory and launches the copies, which protect each other's processes:
%System%\{6 random letters 1}.exe (e.g. jusodl.exe)
%System%\severe.exe
%System%\drivers\{6 random letters 2}.exe (e.g. pnvifj.exe)
%System%\drivers\conime.exe
It drops a DLL and injects it into processes:
%System%\{6 random letters 1}.dll (e.g. jusodl.dll)
It copies itself to the root of every partition:
X:\autorun.inf
X:\OSO.exe
Contents of autorun.inf:
[AutoRun]
open=OSO.exe
shellexecute=OSO.exe
shell\Auto\command=OSO.exe
Startup entries created:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{6 random letters 2}"="%System%\{6 random letters 1}.exe"
"{6 random letters 1}"="%System%\severe.exe"
(e.g.:
"pnvifj"="%System%\jusodl.exe"
"jusodl"="%System%\severe.exe")
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %System%\drivers\conime.exe"
It modifies the registry to break the "Show all files and folders" setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"="0"
The trojan drops %System%\hx1.bat:
@echo off
set date=2004-1-22
ping ** localhost > nul
date %date%
del %0
It is executed via the command cmd /c %System%\hx1.bat and attempts to change the system date to 22 January 2004.
It drops %System%\noruns.reg:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:b5
It is executed via the command %System%\drivers\{6 random letters 2}.exe regedit.exe /s noruns.reg, which changes the current user's AutoPlay settings.
(e.g. %System%\drivers\pnvifj.exe regedit.exe /s noruns.reg)
It uses the following commands to stop and disable security-related services:
net stop srservice
sc config srcervice start= disabled
net stop sharedaccess
net stop kvwsc
sc config kvwsc start= disabled
net stop kvsrvxp
sc config kvsrvxp start= disabled
net stop kavsvc
sc config kavsvc start= disabled
sc config rsravmon start= disabled
net stop rsccenter
sc config rsccenter start= disabled
net stop rsravmon
It terminates security-related processes:
sc.exe
cmd.exe
net.exe
sc1.exe
net1.exe
PFW.exe
Kav.exe
KVOL.exe
KVFW.exe
adam.exe
qqav.exe
qqkav.exe
TBMon.exe
kav32.exe
kvwsc.exe
CCAPP.exe
KRegEx.exe
kavsvc.exe
VPTray.exe
RAVMON.exe
EGHOST.exe
KavPFW.exe
SHSTAT.exe
RavTask.exe
TrojDie.kxp
Iparmor.exe
MAILMON.exe
MCAGENT.exe
KAVPLUS.exe
RavMonD.exe
Rtvscan.exe
Nvsvc32.exe
KVMonXP.exe
Kvsrvxp.exe
CCenter.exe
KpopMon.exe
RfwMain.exe
KWATCHUI.exe
MCVSESCN.exe
MSKAGENT.exe
kvolself.exe
KVCenter.kxp
kavstart.exe
RAVTIMER.exe
RRfwMain.exe
FireTray.exe
UpdaterUI.exe
KVSrvXp_1.exe
RavService.exe
It deletes the Kaka (卡卡) file:
%System%\kakatool.dll
It adds Image File Execution Options entries so that launching any of the listed security programs is redirected to the virus file %System%\drivers\{6 random letters 2}.exe (e.g. %System%\drivers\pnvifj.exe):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
"Debugger"="%System%\drivers\{6 random letters 2}.exe"
(e.g. "Debugger"="%System%\drivers\pnvifj.exe")
It modifies the hosts file to block access to security websites:
127.0.0.1 localhost
127.0.0.1 mmsk.cn
127.0.0.1 ikaka.com
127.0.0.1 safe.qq.com
127.0.0.1 360safe.com
127.0.0.1 www.mmsk.cn
127.0.0.1 www.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 www.360safe.com
127.0.0.1 zs.kingsoft.com
127.0.0.1 forum.ikaka.com
127.0.0.1 up.rising.com.cn
127.0.0.1 scan.kingsoft.com
127.0.0.1 kvup.jiangmin.com
127.0.0.1 reg.rising.com.cn
127.0.0.1 update.rising.com.cn
127.0.0.1 update7.jiangmin.com
127.0.0.1 download.rising.com.cn
127.0.0.1 dnl-us1.kaspersky-labs.com
127.0.0.1 dnl-us2.kaspersky-labs.com
127.0.0.1 dnl-us3.kaspersky-labs.com
127.0.0.1 dnl-us4.kaspersky-labs.com
127.0.0.1 dnl-us5.kaspersky-labs.com
127.0.0.1 dnl-us6.kaspersky-labs.com
127.0.0.1 dnl-us7.kaspersky-labs.com
127.0.0.1 dnl-us8.kaspersky-labs.com
127.0.0.1 dnl-us9.kaspersky-labs.com
127.0.0.1 dnl-us10.kaspersky-labs.com
127.0.0.1 dnl-eu1.kaspersky-labs.com
127.0.0.1 dnl-eu2.kaspersky-labs.com
127.0.0.1 dnl-eu3.kaspersky-labs.com
127.0.0.1 dnl-eu4.kaspersky-labs.com
127.0.0.1 dnl-eu5.kaspersky-labs.com
127.0.0.1 dnl-eu6.kaspersky-labs.com
127.0.0.1 dnl-eu7.kaspersky-labs.com
127.0.0.1 dnl-eu8.kaspersky-labs.com
127.0.0.1 dnl-eu9.kaspersky-labs.com
127.0.0.1 dnl-eu10.kaspersky-labs.com
Mutexes:
AntiTrojan3721
ASSISTSHELLMUTEX
SKYNET_PERSONAL_FIREWALL
KingsoftAntivirusScanProgram7Mutex
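The following is an added PowerShell audit script, not part of the original analysis, that checks a machine for the persistence points and tampering described above (Run entries, the Winlogon Shell hijack, the SHOWALL value, IFEO Debugger redirections, hosts entries and the dropped files). It is read-only and assumes an elevated session and the standard hosts location %System%\drivers\etc\hosts.

```powershell
# Added read-only audit script (not from the original post). Reports the
# persistence and tampering points of this variant; it changes nothing.
$sys = "$env:SystemRoot\System32"
$findings = @()

# 1. Run entries whose target is a six-letter %System% exe or severe.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
    if ("$($p.Value)" -match '\\system32\\([a-z]{6}|severe)\.exe$') {
        $findings += "Run: $($p.Name) = $($p.Value)"
    }
}

# 2. Winlogon Shell must be exactly Explorer.exe, not "Explorer.exe <dropper>"
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -ne 'Explorer.exe') { $findings += "Winlogon Shell hijacked: $shell" }

# 3. SHOWALL CheckedValue rewritten as REG_SZ "0" (stock value is DWORD 1)
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty $showall -ErrorAction SilentlyContinue).CheckedValue
if ($cv -isnot [int] -or $cv -ne 1) { $findings += "SHOWALL CheckedValue tampered: '$cv'" }

# 4. IFEO Debugger values redirecting security tools into %System%\drivers
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem $ifeo) {
    $dbg = (Get-ItemProperty $k.PSPath).Debugger
    if ($dbg -and $dbg -match '\\drivers\\[a-z]{6}\.exe$') {
        $findings += "IFEO: $($k.PSChildName) -> $dbg"
    }
}

# 5. hosts lines that point anything other than localhost at 127.0.0.1
$hosts = Get-Content "$sys\drivers\etc\hosts" -ErrorAction SilentlyContinue
$blocked = @($hosts | Where-Object { $_ -match '^\s*127\.0\.0\.1\s+(?!localhost\s*$)\S' })
if ($blocked.Count -gt 0) { $findings += "hosts: $($blocked.Count) loopback entries besides localhost" }

# 6. Dropped files (a genuine conime.exe lives in %System%, never in drivers\)
foreach ($f in "$sys\severe.exe", "$sys\drivers\conime.exe", "$sys\hx1.bat", "$sys\noruns.reg") {
    if (Test-Path $f) { $findings += "File: $f" }
}
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if (Test-Path "$($d.Root)OSO.exe") { $findings += "Drive: $($d.Root)OSO.exe (check autorun.inf too)" }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators of this variant found' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

Matching on the Debugger value rather than on the fixed list of program names also catches IFEO entries for tools this report does not list.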
Removal steps
=============
1. Terminate the virus processes, using a tool such as Process Explorer (ProceXP):
First kill the process tree of:
%System%\{6 random letters 1}.exe (e.g. jusodl.exe)
Then kill the process tree of:
%System%\severe.exe
At this point the virus processes {6 random letters 1}.exe (e.g. jusodl.exe), severe.exe and conime.exe will all have been terminated.
2. Delete the virus files:
%System%\{6 random letters 1}.exe (e.g. jusodl.exe)
%System%\{6 random letters 1}.dll (e.g. jusodl.dll; if it cannot be deleted, rename or move it first)
%System%\severe.exe
%System%\drivers\{6 random letters 2}.exe (e.g. pnvifj.exe)
%System%\drivers\conime.exe
%System%\hx1.bat
%System%\noruns.reg (if present)
3. Right-click each drive letter and choose "Open" from the context menu to enter the partition root, then delete the virus files:
X:\OSO.exe
X:\autorun.inf
4. Restart the computer.
5. Delete the virus startup entries:
Delete:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{6 random letters 2}"="%System%\{6 random letters 1}.exe"
"{6 random letters 1}"="%System%\severe.exe"
(e.g.:
"pnvifj"="%System%\jusodl.exe"
"jusodl"="%System%\severe.exe")
Edit the value data of Shell:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %System%\drivers\conime.exe"
Change it to: "Shell"="Explorer.exe"
That is, remove " %System%\drivers\conime.exe" after "Explorer.exe".
6. Edit the registry to restore the "Show all files and folders" option:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
In the right pane, delete the string value the virus created: "CheckedValue"="0"
Create a new DWORD value named CheckedValue with data 1.
7. Delete the keys the virus added:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOD32.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.com]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe]
8. Edit the %System%\drivers\hosts file:
Delete everything below the first line "127.0.0.1 localhost".
9. Restore the startup type of the disabled security-related services, and repair (or uninstall and reinstall) the security software that was damaged.
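As an added example (not from the original post), the registry, hosts and service parts of steps 5 to 9 as a PowerShell script. It must be run elevated and only after steps 1 to 4, since a still-running trojan recreates these entries; it assumes the hosts file is at its standard location %System%\drivers\etc\hosts and that the disabled services were originally set to Automatic startup.

```powershell
# Added remediation script for steps 5-9 (not from the original post).
# Run elevated, AFTER the processes and files from steps 1-4 are gone.
$sys = "$env:SystemRoot\System32"

# Step 5a: remove Run entries pointing at the dropped executables
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($p in (Get-ItemProperty $runKey).PSObject.Properties) {
    if ("$($p.Value)" -match '\\system32\\([a-z]{6}|severe)\.exe$') {
        Remove-ItemProperty $runKey -Name $p.Name
        Write-Output "Removed Run entry $($p.Name)"
    }
}

# Step 5b: restore Winlogon Shell to plain Explorer.exe
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ((Get-ItemProperty $wl).Shell -ne 'Explorer.exe') {
    Set-ItemProperty $wl -Name Shell -Value 'Explorer.exe'
    Write-Output 'Restored Winlogon Shell'
}

# Step 6: replace the REG_SZ "0" the trojan wrote with the stock DWORD 1
$showall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
Remove-ItemProperty $showall -Name CheckedValue -ErrorAction SilentlyContinue
New-ItemProperty $showall -Name CheckedValue -PropertyType DWord -Value 1 | Out-Null

# Step 7: delete IFEO keys whose Debugger points into %System%\drivers
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem $ifeo) {
    $dbg = (Get-ItemProperty $k.PSPath).Debugger
    if ($dbg -and $dbg -match '\\drivers\\[a-z]{6}\.exe$') {
        Remove-Item $k.PSPath -Recurse
        Write-Output "Removed IFEO hijack for $($k.PSChildName)"
    }
}

# Step 8: keep only the localhost line in hosts (backup kept beside it)
$hostsPath = "$sys\drivers\etc\hosts"
Copy-Item $hostsPath "$hostsPath.bak" -Force
Set-Content $hostsPath '127.0.0.1 localhost'

# Step 9: re-enable the services the trojan disabled (only those installed);
# Automatic is an assumption, adjust for services that were Manual before
foreach ($svc in 'srservice', 'sharedaccess', 'kvwsc', 'kvsrvxp', 'kavsvc', 'rsravmon', 'rsccenter') {
    if (Get-Service $svc -ErrorAction SilentlyContinue) {
        Set-Service $svc -StartupType Automatic
        Write-Output "Re-enabled service $svc"
    }
}
```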