
[Repost] Analysis of a bot-type worm spreading via MSN


Source: Evil Octal (邪恶八进制) Information Security Team (www.eviloctal.com)

Author: Krazaf - a Malware Enthusiast
          http://bbs.crsky.com/read.php?tid=235272&keyword=

Analysis of a bot-type worm spreading via MSN

http://58.215.75.56/1128632304/Fid_64/64_96567.png
Message received over MSN:
Doesn't this kind of look like you?
hXXp://www.countryroadpets.com/pics.php/?id=345&pic=4565.jpg

Clicking the link automatically downloads an .scr file (an NSIS installer).

If the user runs it, it drops hidden32.exe and pwn.bat into %Temp% and executes the command hidden32.exe pwn.bat.

hidden32.exe ----> not-a-virus:Tool.HideRun; details at http://www.pandasoftware.com/vir ... .aspx?idvirus=40839

pwn.bat --> a Trojan Downloader batch file

pwn.bat uses the Windows ftp.exe client to connect to an FTP server, automatically downloads aimpwned.exe and runs it.

When aimpwned.exe is executed:

1. It first drops SVKP.sys into %System% and installs it as a service. SVKP.sys is used to decrypt the SVK-Protector packer applied to aimpwned.exe.

Once decrypted, the real payload runs.

2. It copies itself to %System% as mssvcnes.exe (attributes: system, hidden, read-only).

3. It modifies registry values:
- In hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon, the Shell value is changed from Explorer.exe to Explorer.exe mssvcnes.exe

so that the trojan is launched automatically on every boot.

- It modifies the following values under hkey_local_machine\system\ControlSet001\control\lsa:
a. restrictanonymous
b. Authentication Packages
c. Bounds
d. Security Packages
e. fullprivilegeauditing
f. Notification Packages

which lowers the system's security.

4. It connects to an IRC server at 202.71.102.83.

5. It downloads nites.exe from another website.
nites.exe appears to be an MSN worm that continues to spread through the MSN accounts on the infected computer.

========================================
hidden32.exe
Size: 4,694 bytes (Packed)
MD5: eeabffd4e9f7e175b6997f0ce6896211

pwn.bat
Size: 550 bytes
MD5: 30fde62423263b1d63f3ed7f8f7595ee

aimpwned.exe
Size: 210,737 bytes (Encrypted/Protected)
MD5: 0d595332a2a66f6298ecdce73c0dff57

nites.exe
Size: 18,432 bytes (Packed)
MD5: 8551afd77335af97abc0c6393051f5ac

==========================================
Manual removal (for reference only)

1. Turn off System Restore (strongly recommended)
a. Open Control Panel | System.
b. Select the System Restore tab.
c. Check "Turn off System Restore".

2. Press Ctrl + Alt + Delete to open Windows Task Manager and end the following processes:
mssvcnes.exe
nites.exe

3. Make the following settings:
a) Control Panel --> Folder Options --> View
b) Uncheck "Hide protected operating system files"
c) Select "Show all files and folders"
d) Click OK

4. Delete the following files:
C:\Windows\System32\mssvcnes.exe
C:\nites.exe

5. Click Start --> Run --> type regedit

6. Navigate to hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon. In the right pane, find the value named Shell, double-click it, and change Explorer.exe mssvcnes.exe back to Explorer.exe.
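As an added example (not part of the original post), a PowerShell triage script that checks a Windows host for the indicators from the analysis above (Winlogon Shell persistence, the dropped files and their MD5 values, the named processes, the IRC server) and, when run with -Remediate, carries out the removal steps: restore the Shell value, stop the processes and delete the files. It assumes an elevated PowerShell 4 or later on Windows 8 or later; the file locations follow the text (%System% and %Temp%), and $System/$SuspectPaths are names chosen here.

```powershell
# Added triage/cleanup script (not from the original analysis). Run elevated.
param([switch]$Remediate)

# File names and MD5 values exactly as reported in the analysis above
$KnownHashes = @{
    'eeabffd4e9f7e175b6997f0ce6896211' = 'hidden32.exe'
    '30fde62423263b1d63f3ed7f8f7595ee' = 'pwn.bat'
    '0d595332a2a66f6298ecdce73c0dff57' = 'aimpwned.exe'
    '8551afd77335af97abc0c6393051f5ac' = 'nites.exe'
}
$System = Join-Path $env:SystemRoot 'System32'          # the analysis' %System%
$SuspectPaths = @(
    (Join-Path $System 'mssvcnes.exe'), (Join-Path $System 'SVKP.sys'),
    (Join-Path $env:SystemDrive 'nites.exe'),
    (Join-Path $env:TEMP 'hidden32.exe'), (Join-Path $env:TEMP 'pwn.bat'),
    (Join-Path $env:TEMP 'aimpwned.exe')
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$IrcServer   = '202.71.102.83'

# MD5 via .NET so hidden/system/read-only files are read without changing attributes
function Get-Md5([string]$Path) {
    $bytes = [System.Security.Cryptography.MD5]::Create().ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

# 1. Persistence: a clean Shell value is just "Explorer.exe"; anything appended is foreign.
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (expected 'Explorer.exe')"
    if ($Remediate) { Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'Explorer.exe' }
}

# 2. Processes named in the removal steps; they must be stopped before the files can go.
Get-Process -Name mssvcnes, nites -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "Process running: $($_.Name) (PID $($_.Id))"
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 3. Dropped files: report each one present and whether its MD5 matches the reported sample.
foreach ($p in $SuspectPaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $md5   = Get-Md5 $p
    $label = if ($KnownHashes.ContainsKey($md5)) { "matches $($KnownHashes[$md5])" } else { 'MD5 not in the list above' }
    Write-Warning "File present: $p  MD5=$md5  ($label)"
    if ($Remediate) { Remove-Item -LiteralPath $p -Force }   # -Force clears the read-only/hidden copy
}

# 4. C2 indicator: an established connection to the IRC server named in the analysis.
Get-NetTCPConnection -State Established -RemoteAddress $IrcServer -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Connection to ${IrcServer}:$($_.RemotePort) from PID $($_.OwningProcess)" }
```

Run it first without -Remediate to see what it finds; Remove-Item on a file that is still mapped by a running process will fail, which is why step 2 stops the processes before step 3.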

===================================
ive placed this picture of you online, oke? :$ hXXp://www.baukalo.com/UglyPeopleDatabase.php?email=wongon6@hotmail.com

This is another message used by recent MSN malware to spread; the linked sites mostly host bot-type malware, and users should stay alert.

VirusTotal scan results

This is a report processed by VirusTotal on 06/26/2005 at 19:32:09 (CET) after scanning the file "DCSN4565.scr" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.26.2005 GenPack:Virtool.HiddenRun.C
ClamAV devel-20050501 06.25.2005 no virus found
DrWeb 4.32b 06.26.2005 no virus found
eTrust-Iris 7.1.194.0 06.26.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.25.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.26.2005 no virus found
McAfee 4521 06.24.2005 no virus found
NOD32v2 1.1154 06.25.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.26.2005 no virus found
Sybari 7.5.1314 06.26.2005 no virus found
Symantec 8.0 06.25.2005 no virus found
TheHacker 5.8.2.059 06.25.2005 no virus found
VBA32 3.10.4 06.26.2005 no virus found
ArcaVir: no virus found

===============================================
This is a report processed by VirusTotal on 06/26/2005 at 19:33:49 (CET) after scanning the file "pwn.bat" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.26.2005 no virus found
ClamAV devel-20050501 06.25.2005 no virus found
DrWeb 4.32b 06.26.2005 no virus found
eTrust-Iris 7.1.194.0 06.26.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.25.2005 no virus found
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.26.2005 no virus found
McAfee 4521 06.24.2005 no virus found
NOD32v2 1.1154 06.25.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.26.2005 no virus found
Sybari 7.5.1314 06.26.2005 no virus found
Symantec 8.0 06.25.2005 no virus found
TheHacker 5.8.2.059 06.25.2005 no virus found
VBA32 3.10.4 06.26.2005 no virus found
ArcaVir: no virus found

===============================================
This is a report processed by VirusTotal on 06/26/2005 at 19:30:31 (CET) after scanning the file "aimpwned.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.26.2005 no virus found
ClamAV devel-20050501 06.25.2005 no virus found
DrWeb 4.32b 06.26.2005 no virus found
eTrust-Iris 7.1.194.0 06.26.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.25.2005 suspicious
Ikarus 2.32 06.24.2005 no virus found
Kaspersky 4.0.2.24 06.26.2005 no virus found
McAfee 4521 06.24.2005 no virus found
NOD32v2 1.1154 06.25.2005 no virus found
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.26.2005 no virus found
Sybari 7.5.1314 06.26.2005 no virus found
Symantec 8.0 06.25.2005 no virus found
TheHacker 5.8.2.059 06.25.2005 no virus found
VBA32 3.10.4 06.26.2005 no virus found
ArcaVir: no virus found

==================================================
This is a report processed by VirusTotal on 06/26/2005 at 19:34:25 (CET) after scanning the file "nites.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.7 06.24.2005 no virus found
Avira 6.31.0.7 06.24.2005 no virus found
BitDefender 7.0 06.26.2005 no virus found
ClamAV devel-20050501 06.25.2005 no virus found
DrWeb 4.32b 06.26.2005 no virus found
eTrust-Iris 7.1.194.0 06.26.2005 no virus found
eTrust-Vet 11.9.1.0 06.24.2005 no virus found
Fortinet 2.36.0.0 06.25.2005 suspicious
Ikarus 2.32 06.24.2005 Net-Worm.Win32.Mytob.AU
Kaspersky 4.0.2.24 06.26.2005 no virus found
McAfee 4521 06.24.2005 no virus found
NOD32v2 1.1154 06.25.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 06.23.2005 no virus found
Panda 8.02.00 06.26.2005 no virus found
Sybari 7.5.1314 06.26.2005 W32/Sdbot-Fam
Symantec 8.0 06.25.2005 no virus found
TheHacker 5.8.2.059 06.25.2005 no virus found
VBA32 3.10.4 06.26.2005 no virus found
ArcaVir: Heur.W32.Generic
