pagefile(磁碟机)-Virus.Win32.Xorer.ek

swchost.exe[Trojan-PSW.Win32.OnLineGames.fxk]

远离骚扰:中移动公布垃圾短信举报途径

大 | 中 | 小

[

2008-3-19 21:31 | by viphjw]

有点上瘾,我总是这样,一阵上瘾起来就没完 question

这个是08-02-29的磁碟机样本,最近蛮流行的东东,距现在来算应该相当古老,无聊分析一下,但是性质一样,样本够BT

File: pagefile.pif
Size: 93696 bytes
Modified: 2008年2月29日, 22:11:10
MD5: 425C04014B084D762BBCA217277643F0
SHA1: 490540C6D0485E61AD9AA1E798D8FB332E2262E5
CRC32: DC9C2889
Shell:UPX

引用

运行后创建文件

c:\037589.log
c:\pagefile.pif
%System%\118766.log
%System%\Com\lsass.exe 93,696 bytes [425C04014B084D762BBCA217277643F0][Virus.Win32.Xorer.ek]
c:\AUTORUN.INF 172 bytes [106B537598BCE8003D787F4C47E6ECB9][Downloader.inf]
%System%\Com\netcfg.000
%System%\Com\netcfg.dll 16,384 bytes [D1F6B9273CBB2E23AEED11346D0072C5][Virus.Win32.Xorer.ee]
%System%\Com\smss.exe 40,960 bytes [AE1CD1D740C265B7F18F827F9E37AFAB][Virus.Win32.Xorer.dt]
%System%\dnsq.dll 32,256 bytes [43AFC709415B0DFB297DAB1209D993B4][Virus.Win32.Xorer.ee][注入常规进程]

后台创建

%System%\com\lsass.exe 180,224 bytes
%System%\com\smss.exe 49,152 bytes

注册表项建立

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID

注册表项删除

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

注册表值建立:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32]
(Default) = "%System%\com\netcfg.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}]
(Default) = "IfObj Property Page"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1]
(Default) = "131473"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Version]
(Default) = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib]
(Default) = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32]
(Default) = "%System%\com\netcfg.dll, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID]
(Default) = "IFOBJ.IfObjCtrl.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus]
(Default) = "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32]
(Default) = "%System%\com\netcfg.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control]
(Default) = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}]
(Default) = "IfObj Control"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib]
(Default) = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32]
(Default) = "{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid]
(Default) = "{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}]
(Default) = "_DIfObjEvents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib]
(Default) = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"
Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32]
(Default) = "{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid]
(Default) = "{00020420-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}]
(Default) = "_DIfObj"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32]
(Default) = "%System%\com\netcfg.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR]
(Default) = "%System%\com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS]
(Default) = "2"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0]
(Default) = "ifObj ActiveX Control module"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID]
(Default) = "{D9901239-34A2-448D-A000-3705544ECE9D}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1]
(Default) = "IfObj Control"

注册表值删除

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}]
Description = "Stop the download of this file"
FriendlyName = "msadc11.cab"
SaferFlags = 0x00000000
HashAlg = 0x00008003
ItemData = 38 6B 08 5F 84 EC F6 69 D3 6B 95 6A 22 C0 1E 80
LastModified = 40 B2 40 DC 19 A2 C2 01
ItemSize = 72 01 00 00 00 00 00 00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}]
Description = "Stop the download of this file"
FriendlyName = "_msadc10.cab"
SaferFlags = 0x00000000
HashAlg = 0x00008003
ItemData = BD 9A 2A DB 42 EB D8 56 0E 25 0E 4D F8 16 2F 67
LastModified = 81 4F 3E DC 19 A2 C2 01
ItemSize = E5 00 00 00 00 00 00 00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}]
Description = "Stop the download of this file"
FriendlyName = "mdac20_a.cab"
SaferFlags = 0x00000000
HashAlg = 0x00008003
ItemData = 32 78 02 DC FE F8 C8 93 DC 8A B0 06 DD 84 7D 1D
LastModified = BE 77 45 DC 19 A2 C2 01
ItemSize = 96 03 00 00 00 00 00 00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}]
Description = "Stop the download of this file"
FriendlyName = "mdac20.cab"
SaferFlags = 0x00000000
HashAlg = 0x00008003
ItemData = 67 B0 D4 8B 34 3A 3F D3 BC E9 DC 64 67 04 F3 94
LastModified = 03 8A 39 DC 19 A2 C2 01
ItemSize = 05 02 00 00 00 00 00 00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}]
Description = "Stop the download of this file"
FriendlyName = "Mdac11.cab"
SaferFlags = 0x00000000
HashAlg = 0x00008003
ItemData = 5E AB 30 4F 95 7A 49 89 6A 00 6C 1C 31 15 40 15
LastModified = 85 C4 34 DC 19 A2 C2 01
ItemSize = 0B 03 00 00 00 00 00 00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}]
Description = ""
SaferFlags = 0x00000000
ItemData = "%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*"
LastModified = 78 8B C2 4D 00 CE C6 01
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
ExecutableTypes = "ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC"
TransparentEnabled = 0x00000001
DefaultLevel = 0x00040000
AuthenticodeEnabled = 0x00000000
PolicyScope = 0x00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
(Default) = "DiskDrive"

以下键值被修改

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
409 = "Controls safely scriptable!"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
409 = "Controls safely initializable from persistent data!"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
Type = "radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs = "%System%\dnsq.dll"