360Safe.exe-Backdoor.Win32.Hupigon.bhvb

March 20, 2008 | Category: Virus Analysis

Ever since my virtual machine broke I've been too lazy to reinstall it, so I rarely do any analysis anymore; I mostly just collect and test samples. Today I happened to come across a nice find in a chat group, which scratches an itch I've had for a while. For the experiment I'm using a freshly built Pigeon (Hupigon) sample, produced yesterday and grabbed this morning. Here we go.
File: 360Safe.exe
Size: 305664 bytes
Modified: March 14, 2008, 16:47:38
MD5: 2452434E6B009BC27F51D7F8FEC1CD1A
SHA1: C73F3645C1AFC96F73A8942C7F9628D0DEBAB3D6
CRC32: B1B5BE0C
Shell (packer): N/A

After the sample is run, it performs the following actions. Files created:
%Temp%\WER4dcf.dir00
%Temp%\WER4dcf.dir00\manifest.txt  1,332 bytes [280B33C3A19C6E86C927BED4895B16B5]
%Temp%\WER4dcf.dir00\sysdata.xml  112,448 bytes [68AD1FB3CC26B0504046E1BB9AB2DBD8]
It creates the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SAFE.EXE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SAFE.EXE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360Safe.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360Safe.exe\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_360SAFE.EXE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_360SAFE.EXE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\360Safe.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\360Safe.exe\Security
and adds the following values under them:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SAFE.EXE\0000]
Service = “360Safe.exe”
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = “LegacyDriver”
ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
DeviceDesc = “360Safe.exe”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_360SAFE.EXE]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360Safe.exe\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360Safe.exe]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = “%ProgramFiles%\360Safe.exe”
DisplayName = “360Safe.exe”
ObjectName = “LocalSystem”
Description = “360XX”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_360SAFE.EXE\0000]
Service = “360Safe.exe”
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = “LegacyDriver”
ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
DeviceDesc = “360Safe.exe”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_360SAFE.EXE]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\360Safe.exe\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\360Safe.exe]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = “%ProgramFiles%\360Safe.exe”
DisplayName = “360Safe.exe”
ObjectName = “LocalSystem”
Description = “360XX”
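As an added example (my own code, not part of the original post), here is a small script that parses a value listing in the format shown above, decodes the service Type and Start DWORDs into their Service Control Manager meanings, and flags the persistence traits this sample exhibits. The Type/Start constants are the documented Win32 values; the findings are my own heuristics, and the embedded dump is constructed from the listing above.

```python
# Service Type bit flags and Start values from the Win32 Service Control Manager (winnt.h / winsvc.h)
SERVICE_TYPE_FLAGS = {0x001: "SERVICE_KERNEL_DRIVER", 0x002: "SERVICE_FILE_SYSTEM_DRIVER",
                      0x010: "SERVICE_WIN32_OWN_PROCESS", 0x020: "SERVICE_WIN32_SHARE_PROCESS",
                      0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START", 3: "DEMAND_START", 4: "DISABLED"}

# Constructed sample input: the Services key listing reproduced from the post above
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\360Safe.exe]
Type = 0x00000110
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%ProgramFiles%\360Safe.exe"
DisplayName = "360Safe.exe"
ObjectName = "LocalSystem"
Description = "360XX"
"""

def parse_dump(text):
    """Parse '[key]' headers and 'Name = value' lines into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and " = " in line:
            name, value = line.split(" = ", 1)
            keys[current][name] = value.strip('"\u201c\u201d')  # straight or curly quotes
    return keys

def decode_type(hex_value):
    """Expand a REG_DWORD Type value into SCM flag names, e.g. 0x110 -> own process + interactive."""
    n = int(hex_value, 16)
    return [name for bit, name in SERVICE_TYPE_FLAGS.items() if n & bit]

def assess_service(key, values):
    """Heuristic findings for one service key (my own checks, not an official rule set)."""
    findings = []
    if "SERVICE_INTERACTIVE_PROCESS" in decode_type(values.get("Type", "0x0")):
        findings.append("interactive service: may interact with the logged-on desktop")
    if START_TYPES.get(int(values.get("Start", "0x3"), 16)) == "AUTO_START":
        findings.append("auto-start: restarts at boot without user action")
    if values.get("ObjectName") == "LocalSystem":
        findings.append("runs as LocalSystem")
    image = values.get("ImagePath", "")
    if image.lower().startswith("%programfiles%\\") and "\\" not in image[len("%ProgramFiles%\\"):]:
        findings.append("ImagePath is a bare executable directly under %ProgramFiles%, not a product folder")
    name = key.rsplit("\\", 1)[-1]
    if name.lower().endswith(".exe"):
        findings.append("service name is a file name (%s), typical of an impersonated product" % name)
    return findings

def scan(text):
    """Return {service key: findings} for every Services key in a dump."""
    return {k: assess_service(k, v) for k, v in parse_dump(text).items() if "\\Services\\" in k}
```

Running `scan(SAMPLE_DUMP)` on the listing above reports all five traits for the `360Safe.exe` service; the same function can be pointed at a dump of a live `Services` hive to pick out look-alike services.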