Info.exe-Trojan-Spy.Win32.VB.qu

[晴 2008-3-27 14:58 | by viphjw]
File: INFO.EXE
Size: 189692 bytes
File Version: 3.608.0433
Modified: 2008年3月27日, 14:50:14
MD5: F2D9E278BFCA9E93578A8EA9536DA93A
SHA1: CF4F2E03673413C8203566EA255411B4B5230B9B
CRC32: 63F8FE2B

引用
运行后创建文件
%Temp%\136320.exe  189,692 bytes 0xF2D9E278BFCA9E93578A8EA9536DA93A
%System%\odbcasvc.exe
%System%\uha.exe  111,104 bytes 0x664D356C8C4B32F1ED0E889180DDD19D
建立以下目录
%Windir%\Microsoft.Net
%Windir%\Microsoft.Net\Debug
%Windir%\Microsoft.Net\Debug\History
%Windir%\Microsoft.Net\Debug\Temp
后台运行
odbcasvc.exe %System%\odbcasvc.exe 569,344 bytes
136320.exe %Temp%\136320.exe 569,344 bytes
添加服务
odbcasvc ODBC Administration Service "Running" %System%\odbcasvc.EXE
注册表创建
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ODBCASVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ODBCASVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ODBCASVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odbcasvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odbcasvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odbcasvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc\Enum
注册表创建值
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ODBCASVC\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "odbcasvc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ODBCASVC\0000]
Service = "odbcasvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "ODBC Administration Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ODBCASVC]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odbcasvc\Enum]
0 = "Root\LEGACY_ODBCASVC\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odbcasvc\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\odbcasvc]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\odbcasvc.EXE"
DisplayName = "ODBC Administration Service"
ObjectName = "LocalSystem"
Description = "Microsoft Data Access - ODBC Administration Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "odbcasvc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000]
Service = "odbcasvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "ODBC Administration Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc\Enum]
0 = "Root\LEGACY_ODBCASVC\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000001
ImagePath = "%System%\odbcasvc.EXE"
DisplayName = "ODBC Administration Service"
ObjectName = "LocalSystem"
Description = "Microsoft Data Access - ODBC Administration Service"
以下值被修改
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
(Default) = 0x0000000B
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
(Default) = 0x0000000B
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoDriveTypeAutoRun = 0x0000009D
