Wednesday, September 05, 2007

Backdoor.Win32.Hupigon.aj / Trojan-Downloader.Win32.Agent.bpp Virus Analysis Report

Backdoor.Win32.Hupigon.aj Analysis Report

I. Virus label:

Virus name: Backdoor.Win32.Hupigon.aj

Virus type: Backdoor

File MD5: 7BAA195BE639E62C6DB4DA4B8C133A4E

Disclosure scope: Fully public

Threat level: 4

File length: 344,197 bytes

Affected systems: Windows 98 and later

Packer: nSPack 2.1 - 2.5

II. Virus description:

This virus is a variant of Huigezi (Gray Pigeon). When run, it copies itself into the system directory, drops its component files and deletes the original; while the virus is running, its files are not visible in the system folder. It creates a service and uses that service to start automatically with the system. During execution it injects windows_rerver.DLL into the IEXPLORER.EXE process, and windows_rerver_Hook.DLL into IEXPLORER.EXE and other related processes. It logs keystrokes, connects to the network to download further malicious files, and waits for the attacker's controller to connect; once the connection is established, the infected machine is under remote control.

III. Behaviour analysis:

1. After running, the virus copies itself into the system directory, drops its component files and deletes the original; while it is running, the files are not visible in the system folder:

%WINDIR%\windows_rerver.exe

%WINDIR%\windows_rerver.DLL

%WINDIR%\windows_rerver_Hook.DLL

2. Modifies registry values, changing the default Internet settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

3. Creates a service and uses it to start automatically with the system:

Service name: windows_rerver

Display name: windows_rerver

Description: 系统必须服务,如果禁止则开机就自动重起 (roughly: "Required system service; if disabled, the machine restarts automatically at boot")

Executable path: C:\WINDOWS\windows_rerver.exe

Startup type: Automatic

4. Enumerates IEXPLORER.EXE and other related processes and creates remote threads to execute windows_rerver.DLL and windows_rerver_Hook.DLL; during execution, windows_rerver.DLL is injected into the IEXPLORER.EXE process, and windows_rerver_Hook.DLL is injected into IEXPLORER.EXE and the other related processes.

5. windows_rerver.DLL, running inside the IEXPLORER.EXE process, logs keystrokes and connects to xiangnii.10mb.cn (219.153.45.148:80) to download further malicious files; it then waits for the virus's controller to connect, after which the infected machine is under remote control.

Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

%Temp% = C:\Documents and Settings\AAAAA\Local Settings\Temp  The current user's TEMP directory

%Windir%\  The directory where Windows is installed

%DriveLetter%\  Root directory of a logical drive

%ProgramFiles%\  Default installation directory for programs

%HomeDrive% = C:\  Partition holding the currently booted system

%Documents and Settings%\  Root of the current user's profile
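Steps 4 and 5 describe the two DLLs being loaded into IEXPLORER.EXE and other processes by remote-thread injection. Before terminating processes in the removal section below, a responder would want to confirm which processes actually carry those modules. The following Python script is an added example, not part of the original report: it parses a per-process module listing in the style that `tasklist /m` prints and flags every process in which either of the two DLL names from this report is loaded. The listing, process names and PIDs are constructed for the example and are not observed data.

```python
import re
from typing import Dict, List

# Constructed listing in the style of `tasklist /m` output. Process names, PIDs and
# module lists are made up for this example; they were not captured from a real host.
SAMPLE_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1440 ntdll.dll, kernel32.dll, USER32.dll,
                                   windows_rerver_Hook.DLL
iexplore.exe                  2012 ntdll.dll, kernel32.dll, windows_rerver.DLL,
                                   windows_rerver_Hook.DLL
notepad.exe                   2200 ntdll.dll, kernel32.dll, USER32.dll
"""

# Module names the report attributes to the backdoor; matched case-insensitively.
HUPIGON_MODULES = {"windows_rerver.dll", "windows_rerver_hook.dll"}

# One process line: image name, PID, then a comma-separated module list.
_PROC_LINE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")


def parse_tasklist_modules(text: str) -> Dict[str, List[str]]:
    """Return {"image:PID": [module, ...]} from tasklist /m style text.

    Indented continuation lines carry on the module list of the previous process.
    """
    procs: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = _PROC_LINE.match(line)
        if m:
            image, pid, modules = m.groups()
            current = f"{image.strip()}:{pid}"
            procs[current] = []
        elif current is not None and line[0].isspace():
            modules = line
        else:
            continue
        if modules.strip() != "N/A":
            procs[current].extend(x.strip() for x in modules.split(",") if x.strip())
    return procs


def find_injected(procs: Dict[str, List[str]],
                  suspicious=HUPIGON_MODULES) -> Dict[str, List[str]]:
    """Map each process to the suspicious modules loaded in it; clean processes are omitted."""
    hits: Dict[str, List[str]] = {}
    for proc, modules in procs.items():
        found = sorted({m for m in modules if m.lower() in suspicious})
        if found:
            hits[proc] = found
    return hits


if __name__ == "__main__":
    for proc, mods in find_injected(parse_tasklist_modules(SAMPLE_TASKLIST)).items():
        print(f"{proc}: {', '.join(mods)}")
```

On a live host you would feed the script the saved output of `tasklist /m` instead of the constructed string. Matching on module name is a quick triage check only: the report states the files are hidden while the backdoor runs, so a process that shows the module loaded is the reliable indicator, not the presence of the file on disk.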

IV. Removal:

1. Antiy Ghostbusters (安天木马防线) can completely remove this virus (recommended).

2. For manual removal, delete the files listed in the behaviour analysis and restore the related system settings.

(1) Use the "Process Manager" in Antiy Ghostbusters to terminate the virus processes

(2) Delete the virus files

%WINDIR%\windows_rerver.exe

%WINDIR%\windows_rerver.DLL

%WINDIR%\windows_rerver_Hook.DLL

(3) Restore the registry values the virus modified and delete the entries it added

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath

New: String: "C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

Old: String: "C:\Documents and Settings\commander\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

(4) Disable the windows_rerver service

Trojan-Downloader.Win32.Agent.bpp Analysis Report

I. Virus label:

Virus name: Trojan-Downloader.Win32.Agent.bpp

Virus type: Trojan

File MD5: AAE683231628C36A13713B9AEBEC6BFC

File SHA1: F06A86EB127E985DF25BE4F1A55EED3C70819098

Disclosure scope: Fully public

Threat level: 4

File length: 25144 bytes

Affected systems: Windows 98 and later

Development tool: Borland Delphi 6.0 - 7.0

Packer: FSG 2.0

II. Virus description:

This is a trojan. When run, it copies itself into the system directory and deletes the original. It modifies the registry to add a startup entry so that it starts automatically with the system. It creates an autorun.inf file in the root of every drive, so that the corresponding executable in the same directory runs when the drive is opened. Before creating autorun.inf on a drive, it first checks whether an autorun.inf file or folder already exists in the drive's root; if one exists it tries to delete it, and if deletion fails it renames the file or folder, then creates its own autorun.inf and the corresponding executable. The common "disk immunization" technique of creating an autorun.inf entry therefore no longer works against this virus.

III. Behaviour analysis:

1. After running, the virus copies itself into the system directory and deletes the original:

%Program Files%\Common Files\Microsoft Shared\cilpnoi.exe

%Program Files%\Common Files\System\duvadvm.exe

%Program Files%\meex.exe

%Program Files%\ssebyly.inf

[DRIVE LETTER]:\autorun.inf

[DRIVE LETTER]:\sxulolg.exe

%system%\verclsids.exe (deletes the original verclsid.exe and creates the copy verclsids.exe)

2. Drops an autorun.inf file in the root of every drive, so that sxulolg.exe in the same directory runs when the drive is opened. The autorun.inf contents are:

  [Auto Run]
  open=sxulolg.exe
  shell\open=打开(&O)
  shell\open\Command=sxulolg.exe
  shell\open\Default=1
  shell\explore=资源管理器(&X)
  shell\explore\Command=sxulolg.exe

3. Modifies the registry to add startup entries so that it starts automatically with the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Value: String: "ssebyly" = "%Program Files%\Common Files\System\duvadvm.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Value: String: "sxulolg" = "%Program Files%\Common Files\Microsoft Shared\cilpnoi.exe"

4. Deletes the following information under Internet Settings, in order to remove the user's browsing history:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052120070528\CacheLimit

Value: DWORD: 8192 (0x2000)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052120070528\CacheOptions

Value: DWORD: 11 (0xb)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052120070528\CachePrefix

Value: String: ":2007052120070528: "

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052120070528\CacheRepair

Value: DWORD: 0 (0)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052820070529\CacheLimit

Value: DWORD: 8192 (0x2000)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052820070529\CacheOptions

Value: DWORD: 11 (0xb)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052820070529\CachePrefix

Value: String: ":2007052820070529: "

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007052820070529\CacheRepair

Value: DWORD: 0 (0)

5. Deletes the Safe Mode entries from the registry, so that Safe Mode cannot be started at boot:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@

Value: String: "DiskDrive"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@

Value: String: "DiskDrive"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\@

Value: String: "DiskDrive"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\@

Value: String: "DiskDrive"

6. Changes a registry value so that hidden files are not shown, in order to keep the virus body hidden:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

New: DWORD: 0 (0)

Old: DWORD: 1 (0x1)

7. Disables the Help and Support Center service on this computer:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

8. Disables the service that provides network address translation, addressing, name resolution and intrusion prevention:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

9. Disables the service that monitors system security settings and configuration:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

10. Disables the service that downloads and installs Windows updates:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start

New: DWORD: 4 (0x4)

Old: DWORD: 2 (0x2)

11. Adds multiple hijack entries under the registry's Image File Execution Options key (image hijacking), one per security tool:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe\
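Steps 3 through 11 are all registry changes, and a responder would normally confirm them from a registry export rather than by clicking through regedit. The following Python script is an added example and not part of the original report: it parses a regedit-style .reg export and applies the checks those steps suggest (Run entries to review, Image File Execution Options subkeys that carry a Debugger value, the four services switched to Start=4, the SHOWALL CheckedValue forced to 0, and the missing SafeBoot disk-class keys). The export excerpt is constructed for the example; its key names are taken from the report, while the Debugger paths are placeholders, since the report lists only the hijacked key names and not the values written under them.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in regedit export (.reg) format. Key names follow the report; the
# Debugger paths are placeholders, not values observed in the sample.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ssebyly"="C:\\Program Files\\Common Files\\System\\duvadvm.exe"
"sxulolg"="C:\\Program Files\\Common Files\\Microsoft Shared\\cilpnoi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\PLACEHOLDER\\hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\PLACEHOLDER\\hijack.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SHOWALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"
# Services the report shows switched from Start=2 (automatic) to Start=4 (disabled).
EXPECTED_AUTO = ("helpsvc", "SharedAccess", "wscsvc", "wuauserv")

# A value line: "Name"=data or @=data (default value).
_VALUE_LINE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}; strings unescaped, dwords as int."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        else:
            keys[current][name] = data
    return keys


Finding = Tuple[str, str, object]


def triage(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Apply the checks suggested by steps 3, 5, 6, 7-10 and 11 of the report."""
    findings: List[Finding] = []
    ifeo_prefix = IFEO.lower() + "\\"
    for key, values in keys.items():
        # Step 11: an IFEO subkey with a Debugger value redirects that program's launch;
        # subkeys with only other values (e.g. GlobalFlag) are legitimate and not flagged.
        if key.lower().startswith(ifeo_prefix) and "Debugger" in values:
            findings.append(("ifeo_debugger", key.rsplit("\\", 1)[1], values["Debugger"]))
    # Step 3: list Run entries for review.
    for name, data in keys.get(RUN, {}).items():
        findings.append(("run_entry", name, data))
    # Steps 7-10: services that should be automatic but are disabled.
    for svc in EXPECTED_AUTO:
        if keys.get(f"{SERVICES}\\{svc}", {}).get("Start") == 4:
            findings.append(("service_disabled", svc, 4))
    # Step 6: hidden files forced invisible.
    if keys.get(SHOWALL, {}).get("CheckedValue") == 0:
        findings.append(("hidden_files_suppressed", "CheckedValue", 0))
    # Step 5: SafeBoot disk-class keys removed. Only meaningful when the export covers the
    # SafeBoot subtree; an excerpt that omits it will report them as missing.
    for profile in ("Minimal", "Network"):
        if f"{SAFEBOOT}\\{profile}\\{DISK_CLASS}" not in keys:
            findings.append(("safeboot_key_missing", profile, DISK_CLASS))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_reg(SAMPLE_REG)):
        print(f"{kind:24} {subject:14} {detail}")
```

Each finding maps back to a removal step in section IV: IFEO Debugger values to step (4), Run entries to step (3), disabled services to step (7), CheckedValue to step (6) and the SafeBoot keys to step (5). The script only reads an export, so it can be run against a hive exported from the infected machine before any change is made.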

12. Actively connects to the network to download related malicious files from the following URLs:

http://qq.520sf.org/81/11.exe

http://qq.520sf.org/81/12.exe

http://qq.520sf.org/81/13.exe

http://qq.520sf.org/81/14.exe

http://qq.520sf.org/81/15.exe

http://qq.520sf.org/81/16.exe

http://qq.520sf.org/81/17.exe

http://qq.520sf.org/81/18.exe

http://qq.520sf.org/81/19.exe

http://qq.520sf.org/81/20.exe

http://qq.520sf.org/yj/yj0609.txt

http://www.5460w.cn/xzz/0603.exe

http://www.5460w.cn/71/11.exe

http://www.5460w.cn/71/12.exe

http://www.5460w.cn/71/13.exe

http://www.5460w.cn/71/14.exe

http://www.5460w.cn/71/15.exe

http://123.5460w.cn/71/16.exe

http://123.5460w.cn/71/17.exe

http://123.5460w.cn/71/18.exe

http://123.5460w.cn/71/19.exe

13. Before creating autorun.inf on each drive, the virus first checks whether an autorun.inf file or folder already exists in the drive's root; if one exists it tries to delete it, and if deletion fails it renames the file or folder to a random combination of 7 letters, then creates its own autorun.inf file and the corresponding executable.

The common disk-immunization method of creating an autorun.inf entry in advance therefore no longer works against this virus.

 

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
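Steps 2 and 13 together describe what a responder finds in a drive root: either the sample's autorun.inf file (step 2) next to sxulolg.exe, or, on a machine that had been immunized, a renamed leftover folder next to the new file (step 13). The following Python script is an added example, not part of the original report: it classifies a drive root by whether autorun.inf is a file or a directory, parses the file with a small INI reader that accepts the "[Auto Run]" section name exactly as quoted above, lists every program the file would launch (the open, shellexecute and shell\<verb>\command keys), checks which of them are present beside it, and lists 7-letter directories as low-confidence candidates for a renamed immunization folder. The drive root is built in a temporary directory with the report's autorun.inf body; the directory name qwertyu is constructed and stands in for the random name.

```python
import os
import re
import tempfile
from typing import Dict, List

# The autorun.inf body quoted in the report; written into a temporary fake drive root below.
SAMPLE_AUTORUN = r"""[Auto Run]
open=sxulolg.exe
shell\open=打开(&O)
shell\open\Command=sxulolg.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=sxulolg.exe
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal INI reader: lower-cased keys of the [autorun] section.

    Spaces in the section name are ignored so that the sample's "[Auto Run]" is accepted.
    """
    values: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].replace(" ", "").lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def launched_executables(values: Dict[str, str]) -> List[str]:
    """Programs the file would start: 'open', 'shellexecute' and every shell\\<verb>\\command."""
    exes = set()
    for key, value in values.items():
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            exes.add(value.split()[0])  # first token only; arguments are dropped
    return sorted(exes)


def inspect_root(root: str) -> dict:
    """Classify a drive root's autorun.inf and list what it launches."""
    result = {"state": "absent", "executables": [], "present_on_disk": [], "renamed_candidates": []}
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        result["state"] = "immunized_folder"  # the classic immunization trick, still intact
    elif os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            exes = launched_executables(parse_autorun(fh.read()))
        result["state"] = "file"
        result["executables"] = exes
        result["present_on_disk"] = [e for e in exes if os.path.isfile(os.path.join(root, e))]
    # Per step 13, an immunization entry the sample cannot delete is renamed to a random
    # 7-letter name; such directories are listed as low-confidence leftovers worth a look.
    result["renamed_candidates"] = sorted(
        d for d in os.listdir(root)
        if os.path.isdir(os.path.join(root, d)) and re.fullmatch(r"[A-Za-z]{7}", d))
    return result


def demo_infected() -> dict:
    """Fake drive root with the report's autorun.inf, sxulolg.exe and a renamed folder."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        open(os.path.join(root, "sxulolg.exe"), "wb").close()  # empty stand-in, not the sample
        os.mkdir(os.path.join(root, "qwertyu"))  # constructed stand-in for the renamed folder
        return inspect_root(root)


def demo_immunized() -> dict:
    """Fake drive root that still has the autorun.inf immunization folder in place."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "autorun.inf"))
        return inspect_root(root)


if __name__ == "__main__":
    print(demo_infected())
    print(demo_immunized())
```

Pointing `inspect_root` at a real drive root (for example "E:\\") gives the same dictionary; a state of "file" with the launched executable present on disk is the condition step (2) of the removal section below addresses by deleting both files.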

IV. Removal:

1. Antiy Ghostbusters (安天木马防线) can completely remove this virus (recommended).

2. For manual removal, delete the files listed in the behaviour analysis and restore the related system settings.

(1) Use the "Process Manager" in Antiy Ghostbusters to terminate the virus processes

(2) Delete the virus files

%Program Files%\Common Files\Microsoft Shared\cilpnoi.exe

%Program Files%\Common Files\System\duvadvm.exe

%Program Files%\meex.exe

%Program Files%\ssebyly.inf

[DRIVE LETTER]:\autorun.inf

[DRIVE LETTER]:\sxulolg.exe

%system%\verclsids.exe

The files downloaded from the network are not all listed here

(3) Delete the startup entries the virus added to the registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Value: String: "ssebyly" = "%Program Files%\Common Files\System\duvadvm.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Value: String: "sxulolg" = "%Program Files%\Common Files\Microsoft Shared\cilpnoi.exe"

(4) Delete the hijack entries the virus added under the Image File Execution Options key, located at:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

(5) Restore the Safe Mode registry entries

(6) Show hidden files:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

DWORD: 1 (0x1)

(7) Re-enable the services the virus disabled:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start

DWORD: 2 (0x2)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Start

DWORD: 2 (0x2)

(8) Rename the copy verclsids.exe created by the virus back to verclsid.exe
