dodolook.exe-AdWare.Win32.Cinmus.ckl
Over the past few days of cleaning up machines I kept running into this file. It got on my nerves, so I grabbed some spare time to do a quick analysis of it. It is nothing sophisticated.
Size: 165369 bytes
MD5: 6B1A8B7922FF015A0A2DBA8871BFD91F
SHA1: 2966AA8230CA251860AF906B4110BB92B0CA68A0
CRC32: D52344DD
Packer: NSIS V2.1X
When launched, this file drops an embedded file and silently installs it in the background. Details of the dropped file:
Size: 128523 bytes
MD5: 341404B1A8E883619039918DAA5FC8A2
SHA1: 0A0B89A4B224AE06BF994D253BFAC0E3B015216F
CRC32: 7DABC565
Packer: NSIS V2.1X
The author nested two installer layers. Running it creates the following files:
%System%\mscpx32r.det
%System%\drivers\acpidisk.sys
%temp%\DoSSSetup.dll
Registry keys created:
HKLM\SOFTWARE\Microsoft\IDSCNP
Registry values modified:
HKLM\SOFTWARE\Microsoft\IDSCNP d 1960724367
HKLM\SOFTWARE\Microsoft\IDSCNP p 0
HKLM\SOFTWARE\Microsoft\IDSCNP t 0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Sicrosoft\Windows\CurrentVersion\Explorer\MountPoints2\{D14d83ce-7d74-11dc-97e2-806d6172696f}\BaseClass Drive
Creates the service acpidisk, start type: automatic, pointing to %System%\drivers\acpidisk.sys
HKLM\System\CurrentControlSet\Services\acpidisk
HKLM\System\CurrentControlSet\Services\acpidisk\Security
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control ActiveService TapiSrv
HKLM\System\CurrentControlSet\Services\acpidisk DisplayName acpidisk
HKLM\System\CurrentControlSet\Services\acpidisk ErrorControl 1
HKLM\System\CurrentControlSet\Services\acpidisk ImagePath \??\C:\WINDOWS\system32\Drivers\acpidisk.sys
HKLM\System\CurrentControlSet\Services\acpidisk Start 2
HKLM\System\CurrentControlSet\Services\acpidisk Type 1
HKLM\System\CurrentControlSet\Services\acpidisk\Security Security 0x01001480900000009c000000140000003000000002001c00010000000280
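For responders who want to check a host for the indicators above, here is a read-only triage script. It is an added example and not part of the original post; it only reports and changes nothing. It assumes the installer writes the service key in the native registry view (the sample is a 32-bit NSIS package; on a 64-bit system also look under WOW6432Node for the IDSCNP key), and it assumes the host runs PowerShell 3 or later with Get-FileHash available (PowerShell 4+).

```powershell
# Added example, not the original author's code: read-only triage for the
# dodolook.exe / Cinmus.ckl indicators listed in the report. Run elevated.
$ErrorActionPreference = 'SilentlyContinue'
$sys = "$env:SystemRoot\System32"

# MD5 of the two installer layers, copied from the report
$knownMd5 = @(
    '6B1A8B7922FF015A0A2DBA8871BFD91F',   # outer dodolook.exe
    '341404B1A8E883619039918DAA5FC8A2'    # inner installer it drops
)

# Returns $true if the file's MD5 matches one of the two known samples
function Test-KnownSample {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $h = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    return [bool]($knownMd5 -contains $h.ToUpper())
}

$findings = @()

# 1. Dropped files named in the report
foreach ($f in @("$sys\mscpx32r.det", "$sys\drivers\acpidisk.sys", "$env:TEMP\DoSSSetup.dll")) {
    if (Test-Path -LiteralPath $f) {
        $md5 = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = "MD5 $md5" }
    }
}

# 2. Service registration: Start=2 (automatic), Type=1 (kernel driver), ImagePath to acpidisk.sys
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\acpidisk'
if (Test-Path -LiteralPath $svcKey) {
    $p = Get-ItemProperty -LiteralPath $svcKey
    $findings += [pscustomobject]@{
        Type = 'Service'; Item = 'acpidisk'
        Detail = "Start=$($p.Start) Type=$($p.Type) ImagePath=$($p.ImagePath)"
    }
}

# 3. Is the driver known to the SCM and currently running?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='acpidisk'"
if ($drv) {
    $findings += [pscustomobject]@{ Type = 'Driver'; Item = 'acpidisk'; Detail = "State=$($drv.State) Started=$($drv.Started)" }
}

# 4. The IDSCNP marker key with its d / p / t values
foreach ($k in @('HKLM:\SOFTWARE\Microsoft\IDSCNP', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\IDSCNP')) {
    if (Test-Path -LiteralPath $k) {
        $p = Get-ItemProperty -LiteralPath $k
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $k; Detail = "d=$($p.d) p=$($p.p) t=$($p.t)" }
    }
}

if ($findings.Count -eq 0) {
    'No Cinmus.ckl indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

If the script reports hits, the usual order for cleanup is: stop and delete the acpidisk service (sc stop acpidisk; sc delete acpidisk), remove the three dropped files and the IDSCNP key, then reboot and re-run the script to confirm the driver no longer loads. Test-KnownSample can be pointed at any suspicious installer found in %TEMP% or a download folder to see whether it is one of the two layers documented here.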