Worm.Win32.Wogue.o蠕虫样本详细分析
作者: 高喜宝, 出处:IT专家网, 责任编辑: 张帅,
2007-11-27 09:43
Worm.Win32.Wogue.o蠕虫运行后衍生病毒文件到系统根目录下,并复制自身到文件夹%ProgramFiles%\Common Files\Services下,重命名为svchost.exe;下载大量木马到本机运行……
【IT专家网独家】病毒名称: Worm.Win32.Wogue.o
病毒类型: 蠕虫
文件 MD5: 90C509FA6A6C2FA798DBE1CFD7F0E4F1
文件长度: 19,456 字节
感染系统: Windows98以上版本
开发工具: Borland Delphi 5.0
加壳类型: PECompact 2.x
病毒描述:
该病毒属蠕虫类,病毒运行后衍生病毒文件到系统驱动器根目录下,并复制自身到文件夹%ProgramFiles%\Common Files\Services下,重命名为svchost.exe;联接网络,下载大量木马到本机运行;修改注册表,添加启动项,以达到随机启动的目的;关闭系统自动升级功能,并禁止修改其状态;在每个驱动器根目录下生成autorun.inf和IO.pif文件,以达到双击驱动器再次运行病毒的目的,并可以此通过U盘进行传播;通过CMD关闭部分杀毒软件的服务,结束部分反病毒软件的进程;检查指定列表中文件名在注册表中的键值,并将其启动,再将病毒衍生的文件DirectX10.dll插入到其进程中;病毒衍生的文件注入到系统进程explorer.exe中;该病毒通过系统盘共享文件进行传播;该蠕虫下载的木马为盗号类病毒,可以盗取用户网络游戏的账号与密码。
行为分析:
1、 病毒运行后衍生病毒文件:
| %DriveLetter%\IO.pif %DriveLetter%\autorun.inf %system32%\DirectX10.dll %ProgramFiles%\Common Files\Services\svchost.exe |
2、病毒联接网络下载病毒到本机运行:
| %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\1[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\2[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\CHUFWD67\3[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\4[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\5[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\GHAR4PU3\6[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\7[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\8[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\L2B9958U\9[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\10[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\11[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\12[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\13[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\14[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\15[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\16[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\17[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\18[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\19[1].exe %Documents and Settings%\(用户名)\Local Settings\Temporary Internet Files\Content.IE5\REFBTNJN\20[1].exe |
3、下载的病毒运行后衍生病毒文件:
| %Windir%\upxdnd.exe %Windir%\192896MM.DLL %Windir%\192896WL.DLL %Windir%\IGM.exe %Windir%\swchost.exe %System32%\avwlcin.dll %System32%\avwlcmn.dll %System32%\avwlcst.exe %System32%\avzxein.dll %System32%\avzxemn.dll %System32%\avzxest.exe %System32%\DirectX10.dll %System32%\kaqhfaz.exe %System32%\kaqhfcs.dll %System32%\kaqhfzy.dll %System32%\kawdcaz.exe %System32%\kawdccs.dll %System32%\kawdczy.dll %System32%\kvdxfcf.dll %System32%\kvdxfis.exe %System32%\kvdxfma.dll %System32%\LYLOADER.EXE %System32%\LYMANGR.DLL %System32%\msatl.dll %System32%\MSDEG32.DLL %System32%\ratbani.dll %System32%\ratbfpi.dll %System32%\ratbftl.exe %System32%\rsmyafg.dll %System32%\rsmyfpm.dll %System32%\rsmyfsp.exe %System32%\sidjaaz.exe %System32%\sidjacs.dll %System32%\sidjazy.dll %System32%\sqmapi32.dll %System32%\upxdnd.dll%ProgramFiles%\Internet Explorer\PLUGINS\bt6daK3k.exe %ProgramFiles%\Internet Explorer\PLUGINS\eeFY7m1N.exe %ProgramFiles%\Internet Explorer\PLUGINS\GI5B2YEE.exe %ProgramFiles%\Internet Explorer\PLUGINS\SysWin7s.Jmp %ProgramFiles%\Internet Explorer\PLUGINS\WinSys8s.Sys %Temp%\LYLOADER.EXE %Temp%\LYMANGR.DLL %Temp%\MSDEG32.DLL %DriveLetter%\RECYCLER\kulionrx.dll %DriveLetter%\RECYCLER\kulionrx.exe %DriveLetter%\RECYCLER\video.dll %DriveLetter%\RECYCLER\wmsj.exe |
4、修改注册表,添加启动项,以达到随机启动的目的:
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 值: 字符串: "kawdczy.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18847374-8323-FADC-B443-4732ABCD3781}\InprocServer32\@ 值: 字符串: "C:\WINDOWS\system32\sidjazy.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38907901-1416-3389-9981-372178569983}\InprocServer32\@ 值: 字符串: "C:\WINDOWS\system32\kawdczy.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3960356A-458E-DE24-BD50-268F589A56A3}\InprocServer32\@ 值: 字符串: "C:\WINDOWS\system32\avwlcmn.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67D81718-1314-5200-2597-587901018076}\InprocServer32\@ 值: 字符串: "C:\WINDOWS\system32\kaqhfzy.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C87A354-ABC3-DEDE-FF33-3213FD7447C6}\InprocServer32\@ 值: 字符串: "C:\WINDOWS\system32\kvdxfma.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E32FA58-3453-FA2D-BC49-F340348ACCE6}\InprocServer32\@ 值: 字符串: "C:\WINDOWS\system32\rsmyfpm.dll" HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7671889D-CC99-4335-BAC8-48088F1045A4}\InProcServer32\@ 值: 字符串: "C:\Program Files\Internet Explorer\PLUGINS\WinSys8s.Sys" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDCG32 值: 字符串: "LYLeador.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDEG32 值: 字符串: "LYLoader.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDHG32 值: 字符串: "LYLoadhr.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDMG32 值: 字符串: "LYLoadmr.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDOG32 值: 字符串: "LYLoador.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDQG32 值: 字符串: "LYLoadqr.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDSG32 值: 字符串: "LYLoadar.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\MSDWG32 值: 字符串: "LYLoadbr.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\@ 值: 字符串: "C:\Program Files\Common Files\Services\svchost.exe" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd 值: 字符串: "C:\WINDOWS\upxdnd.exe" |
5、修改注册表,关闭系统自动升级功能,并禁止修改其状态:
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions 值: DWORD: 1 (0x1) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate 值: DWORD: 1 (0x1) |
6、在每个驱动器根目录下生成autorun.inf和IO.pif文件,以达到双击驱动器再次运行病毒的目的,并可以此通过U盘进行传播。
| [AutoRun] open=IO.pif shellexecute=IO.pif shell\\Auto\\command=IO.pif |
7、通过CMD关闭部分杀毒软件的服务:
| Net Stop Norton Antivirus Auto Protect Service Net Stop mcshield net stop "Windows Firewall/Internet Connection Sharing (ICS)" net stop System Restore Service |
8、结束指定列表中的进程:
| avp.exe regedit.exe msconfig.exe taskgmr.exe 360tray.exe 360safe.exe 噬菌体 木马克星 WoptiClean.exe EGHOST.EXE Iparmor.exe MAILMON.EXE KAVPFW.EXE RogueCleaner.exe |
9、检查以下文件名在注册表中的键值,并将其启动,再将病毒衍生的文件DirectX10.dll插入到其进程中:
| QQ.EXE MSMSGS.EXE FLASHGET.EXE THUNDER5.EXE IEXPLORE.EXE |
10、病毒通过系统盘共享文件进行传播:
| C$\Setup.exe C$\AutoExec.bat C$\AutoExec.bat |
11、病毒将衍生的文件插入到系统进行explorer.exe中:
| %System32%DirectX10.dll %System32%rsmyfpm.dll %System32%kvdxfma.dll %System32%upxdnd.dll %DriveLetter%\RECYCLER\video.dll %Program Files%\Internet Explorer\PLUGINS\WinSys8s.Sys %System32%avzxemn.dll %System32%ratbfpi.dll %System32%avwlcmn.dll %System32%kaqhfzy.dll %System32%sidjazy.dll %System32%sqmapi32.dll %System32%kawdczy.dll %DriveLetter%\RECYCLER\kulionrx.dll |
12、病毒联接网络:
域名:www.webye163.cn
IP: 218.83.161.16
下载地址:
webye163.cn/hz/1.exe
webye163.cn/hz/2.exe
… …
Webye163.cn/hz/20.exe
13、该蠕虫下载的木马为盗号类病毒,可以盗取用户网络游戏的账号与密码。
注:%System32%是一个可变路径。病毒通过查询操作系统来决定当前System文件夹的位置。Windows2000/NT中默认的安装路径是C:\Winnt\System32,windows95/98/me中默认的安装路径是C:\Windows\System,windowsXP中默认的安装路径是C:\Windows\System32。
%Temp% = C:\Documents and Settings\AAAAA\Local Settings\Temp 当前用户TEMP缓存变量
%Windir%\ WINDODWS所在目录
%DriveLetter%\ 逻辑驱动器根目录
%ProgramFiles%\ 系统程序默认安装目录
%HomeDrive% = C:\ 当前启动的系统的所在分区
%Documents and Settings%\ 当前用户文档根目录
下页IT专家网将对病毒代码做详细分析
- 本文关键词:
