哪个大神帮忙看看这病毒都有那些行为。。

sosoppp · 发表于 2014-12-1 14:03

                     火眼点评
                           修改系统中的文件，感染型病毒;利用全局消息钩子注入指定文件到其他进程;inline Hook 函数入口代码;搜索指定窗口;疑似捆绑多个文件，警惕流氓软件捆绑推广或病毒捆绑传播（需与正常安装包区分开）;设置文件属性;查找文件;创建进程;创建互斥体;在其他进程中申请内存;校验自身进程名;遍历磁盘类型;隐藏指定窗口;绑定监听端口


                                                                     [url=http://cd001.www.duba.net/duba/install/2011/ever/kavsetup_10_180.exe][/url]新毒霸点评
                        经新毒霸云安全中心分析，该文件存在病毒，请及时删除！


                                                                                                                                                                                                            危险行为监控

行为描述：利用全局消息钩子注入指定文件到其他进程
附加信息：
%temp%\aen1B.tmp
[Hook Module]aen1b.tmp
[Hook Type]0x00000004
[Target Process]explorer.exe
行为描述：修改系统中的文件，感染型病毒
附加信息：
行为描述：inline Hook 函数入口代码
附加信息：
Process：2.0.exe
   GDI32.dll!ExtTextOutA Ordinal: 222 HookType: InlineHook
   GDI32.dll!ExtTextOutW Ordinal: 223 HookType: InlineHook
   USER32.dll!BeginPaint Ordinal: 14 HookType: InlineHook
   USER32.dll!EnableScrollBar Ordinal: 196 HookType: InlineHook
   USER32.dll!EndPaint Ordinal: 201 HookType: InlineHook
   USER32.dll!GetDC Ordinal: 269 HookType: InlineHook
   USER32.dll!GetScrollBarInfo Ordinal: 341 HookType: InlineHook
   USER32.dll!GetScrollInfo Ordinal: 342 HookType: InlineHook
   USER32.dll!GetScrollPos Ordinal: 343 HookType: InlineHook
   USER32.dll!GetScrollRange Ordinal: 344 HookType: InlineHook
   USER32.dll!GetWindowDC Ordinal: 365 HookType: InlineHook
   USER32.dll!GetWindowLongA Ordinal: 367 HookType: InlineHook
   USER32.dll!GetWindowLongW Ordinal: 368 HookType: InlineHook
   USER32.dll!ReleaseDC Ordinal: 555 HookType: InlineHook
   USER32.dll!SetScrollInfo Ordinal: 623 HookType: InlineHook
   USER32.dll!SetScrollPos Ordinal: 624 HookType: InlineHook
   USER32.dll!SetScrollRange Ordinal: 625 HookType: InlineHook
   USER32.dll!SetWindowLongA Ordinal: 641 HookType: InlineHook
   USER32.dll!SetWindowLongW Ordinal: 642 HookType: InlineHook
   USER32.dll!SetWindowRgn Ordinal: 645 HookType: InlineHook
   USER32.dll!WindowFromDC Ordinal: 725 HookType: InlineHook
   jedata.dll!SkinH_Attach Ordinal: 3 HookType: InlineHook
   jedata.dll!SkinH_Detach Ordinal: 8 HookType: InlineHook
   jedata.dll!SkinH_VerifySign Ordinal: 23 HookType: InlineHook

                                          其他行为监控

行为描述：疑似捆绑多个文件，警惕流氓软件捆绑推广或病毒捆绑传播（需与正常安装包区分开）
附加信息：
2.0.exe
server.exe
行为描述：搜索指定窗口
附加信息：
["Afx:400000:8:10011:1900015:0" , ""]
["Afx:400000:b:10011:1900015:0" , "20+好友数：0"]
["Afx:400000:b:10011:1900015:0" , "定时"]
["Afx:400000:b:10011:1900015:0" , "循环：0"]
["Afx:400000:b:10011:1900015:0" , "秒"]
["Afx:400000:b:10011:1900015:0" , "运行时间："]
["Afx:400000:b:10011:1900015:0" , "运行线程数："]
["Afx:400000:b:10011:1900015:0" , "验证超时(秒)："]
["Button" , ""]
["Button" , "API获取"]
["Button" , "API设置"]
["Button" , "导入代{过}{滤}理"]
["Button" , "导入号码"]
["Button" , "导出未完成"]
["Button" , "开始验证"]
["Button" , "暂停验证"]
["Button" , "本地Ip"]
["Button" , "配置"]
["Edit" , ""]
["Edit" , "5"]
["Edit" , "500"]
["Edit" , "60"]
["msctls_statusbar32" , ""]
行为描述：设置文件属性
附加信息：
\\%HostShared%_02\jgulcu.exe >> HIDE
\\%HostShared%_02\jgulcu.exe >> HIDE >> SYSTEM
\\%HostShared%_02\jgulcu.exe >> SYSTEM
\\%HostShared%_02\jjop.exe >> HIDE
\\%HostShared%_02\jjop.exe >> HIDE >> SYSTEM
\\%HostShared%_02\jjop.exe >> SYSTEM
\\%HostShared%_02\swut.exe >> HIDE
\\%HostShared%_02\swut.exe >> HIDE >> SYSTEM
\\%HostShared%_02\swut.exe >> SYSTEM
\\%HostShared%_02\zPharaoh.exe >> HIDE
\\%HostShared%_02\zPharaoh.exe >> HIDE >> SYSTEM
\\%HostShared%_02\zPharaoh.exe >> SYSTEM
行为描述：创建互斥体
附加信息：
"60.173.9.195"
"Residented"
行为描述：创建进程
附加信息：
%temp%\2.0.exe
%temp%\server.exe
行为描述：查找文件
附加信息：
"%USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1645522239-1123561945-1417001333-500\*.*"
"%USERPROFILE%\「开始」菜单\程序\附件\*.scr"
"%AllUsersProfile%\Application Data\Microsoft\Media Index\*.*"
"%AllUsersProfile%\Application Data\Microsoft\Network\*.scr"
"%AllUsersProfile%\桌面\*.*"
"C:\Documents and Settings\Default User\*.*"
"C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\*.exe"
"C:\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates\*.scr"
"C:\Documents and Settings\Default User\Local Settings\History\History.IE5\*.*"
"C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ODANQ7YX\*.scr"
"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C3SZADKD\*.*"
"C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\C3SZADKD\*.exe"
"C:\Documents and Settings\NetworkService\Local Settings\Application Data\*.scr"
"C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Credentials\*.*"
"\\%HostShared%_02\3186590163216510.\*.*"
"\\%HostShared%_02\318659016321651022.\*.*"
"\\%HostShared%_02\318659016321651050.\*.scr"
"\\%HostShared%_02\318659016321651076.\*.exe"
"\\%HostShared%_02\318659016321651092.\*.scr"
"\\%HostShared%_02\3186590163216511.\*.scr"
"\\%HostShared%_02\318659016321651101.\*.*"
"\\%HostShared%_02\318659016321651117.\*.scr"
"\\%HostShared%_02\318659016321651133.\*.*"
"\\%HostShared%_02\31865901632165114.\*.exe"
"\\%HostShared%_02\318659016321651142.\*.scr"
"\\%HostShared%_02\318659016321651143.\*.*"
"\\%HostShared%_02\318659016321651145.\*.scr"
"\\%HostShared%_02\318659016321651152.\*.scr"
"\\%HostShared%_02\318659016321651169.\*.scr"
"\\%HostShared%_02\318659016321651184.\*.scr"
"\\%HostShared%_02\318659016321651192.\*.*"
"\\%HostShared%_02\318659016321651227.\*.exe"
"\\%HostShared%_02\318659016321651242.\*.scr"
"\\%HostShared%_02\31865901632165125.\*.*"
"\\%HostShared%_02\318659016321651270.\*.exe"
"\\%HostShared%_02\318659016321651293.\*.scr"
"\\%HostShared%_02\318659016321651394.\*.*"
"\\%HostShared%_02\318659016321651400.\*.scr"
"\\%HostShared%_02\318659016321651432.\*.scr"
"\\%HostShared%_02\318659016321651434.\*.exe"
"\\%HostShared%_02\318659016321651444.\*.*"
"\\%HostShared%_02\318659016321651450.\*.scr"
"\\%HostShared%_02\318659016321651451.\*.scr"
"\\%HostShared%_02\318659016321651466.\*.*"
"\\%HostShared%_02\318659016321651505.\*.scr"
"\\%HostShared%_02\318659016321651513.\*.scr"
"\\%HostShared%_02\318659016321651556.\*.*"
"\\%HostShared%_02\318659016321651605.\*.scr"
"\\%HostShared%_02\318659016321651610.\*.*"
"\\%HostShared%_02\318659016321651610.\*.exe"
"\\%HostShared%_02\318659016321651736.\*.exe"
"\\%HostShared%_02\318659016321651823.\*.*"
"\\%HostShared%_02\318659016321651829.\*.exe"
"\\%HostShared%_02\31865901632165184.\*.exe"
"\\%HostShared%_02\318659016321651886.\*.scr"
"\\%HostShared%_02\318659016321651894.\*.*"
"\\%HostShared%_02\31865901632165195.\*.exe"
"\\%HostShared%_02\318659016321651967.\*.*"
"\\%HostShared%_02\318659016321651968.\*.exe"
"\\%HostShared%_02\31865901632165213.\*.*"
"\\%HostShared%_02\31865901632165216.\*.scr"
"\\%HostShared%_02\31865901632165222.\*.exe"
"\\%HostShared%_02\31865901632165269.\*.exe"
"\\%HostShared%_02\31865901632165279.\*.*"
"\\%HostShared%_02\3186590163216528.\*.exe"
"\\%HostShared%_02\31865901632165282.\*.scr"
"\\%HostShared%_02\31865901632165305.\*.*"
"\\%HostShared%_02\31865901632165369.\*.*"
"\\%HostShared%_02\31865901632165372.\*.exe"
"\\%HostShared%_02\31865901632165390.\*.*"
"\\%HostShared%_02\31865901632165411.\*.*"
"\\%HostShared%_02\31865901632165415.\*.exe"
"\\%HostShared%_02\3186590163216543.\*.scr"
"\\%HostShared%_02\31865901632165430.\*.*"
"\\%HostShared%_02\31865901632165474.\*.exe"
"\\%HostShared%_02\31865901632165496.\*.scr"
"\\%HostShared%_02\31865901632165507.\*.*"
"\\%HostShared%_02\31865901632165567.\*.exe"
"\\%HostShared%_02\31865901632165577.\*.*"
"\\%HostShared%_02\31865901632165586.\*.scr"
"\\%HostShared%_02\31865901632165611.\*.scr"
"\\%HostShared%_02\31865901632165617.\*.*"
"\\%HostShared%_02\31865901632165630.\*.exe"
"\\%HostShared%_02\3186590163216567.\*.exe"
"\\%HostShared%_02\3186590163216570.\*.scr"
"\\%HostShared%_02\31865901632165728.\*.scr"
"\\%HostShared%_02\31865901632165729.\*.*"
"\\%HostShared%_02\31865901632165778.\*.*"
"\\%HostShared%_02\31865901632165792.\*.*"
"\\%HostShared%_02\31865901632165823.\*.scr"
"\\%HostShared%_02\3186590163216583.\*.*"
"\\%HostShared%_02\31865901632165854.\*.scr"
"\\%HostShared%_02\3186590163216586.\*.exe"
"\\%HostShared%_02\31865901632165890.\*.scr"
"\\%HostShared%_02\31865901632165944.\*.*"
"\\%HostShared%_02\31865901632165960.\*.exe"
"\\%HostShared%_02\31865901632165971.\*.exe"
"\\%HostShared%_02\3d4c9d4c8a2d0d0ab4bbc48d7cc99b26934b429c2fecd71c5ea6850b91e50715aebb6832\*.scr"
"\\%HostShared%_02\tmpeiam2f\*.exe"
"\\%HostShared%_02\tmpfnmgve\*.exe"
"\\%HostShared%_02\tmphbwdpw\*.scr"
行为描述：绑定监听端口
附加信息：
0.0.0.0:30167
行为描述：隐藏指定窗口
附加信息：
Afx:400000:8:10011:1900015:0 : [2.0.exe]
Afx:400000:b:10011:1900010:0 : [2.0.exe]
行为描述：遍历磁盘类型
附加信息：
C:,B:,D:,E:,F:,G:,H:,I:,J:,K:,L:,M:,N:,O:,P:,Q:,R:,S:,T:,U:,V:,W:,X:,Y:,Z:
行为描述：校验自身进程名
附加信息：
explorer.exe
行为描述：在其他进程中申请内存
附加信息：
%temp%\2.0.exe
%temp%\server.exe

                                          文件操作监控
                     操作文件MD5文件大小文件路径
新增114054313070472cd1a6d7d28f7c500288576

%windir%\jedata.dll

新增d41179e6e8470505727865724d5360ca178189

%temp%\server.exe

新增b2ba6eda25523412fa0784c08fb7d2f21238492

%temp%\2.0.exe

新增d1e5a42fc42cb8c779c7f12b58f3464e7122

%windir%\win8.she

新增无0

%temp%\涛探测\未完成.txt

新增685f1cbd4af30a1d0c25f252d399a666176128

%temp%\aen1B.tmp

修改无0

%APPDATA%\Microsoft\Installer\{052...

修改无0

%APPDATA%\Microsoft\Installer\{052...

修改无0

%APPDATA%\Microsoft\Installer\{052...

修改1a3d48b124192e63d1aa9418b6697566221144

C:\osrloader.exe

修改0b163622cfc4a71968c26f7609a9bb2e208856

%APPDATA%\Tencent\QQ\SafeBase\QQSa...

                                                                                                      进程操作监控

创建进程：%temp%\server.exe
启动参数：无
创建进程：%temp%\2.0.exe
启动参数：无
创建进程：%temp%\server.exe
启动参数："%temp%\server.exe"
创建进程：%temp%\2.0.exe
启动参数："%temp%\2.0.exe"

新增
删除
修改

注册表监控

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib[vga.drv 1024x768x32(BGR 0)] = [31,31,31,31]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer[PINF] = [\x07\x00\x43\x3a\x5c...]

                                          网络监控

网络操作[Connect HOST]76.188.18.122:2014
[Open URL]0.0.0.0
[Resolve HOST Name]60.173.9.195

Hmily · 发表于 2014-12-1 14:58

你标题问的问题在主题贴上都回复了啊。

Hmily · 发表于 2014-12-1 17:57

sosoppp 发表于 2014-12-1 17:55
我不太懂主要。。
网络监控

程序在访问这个地址。

sosoppp · 发表于 2014-12-1 17:55

Hmily 发表于 2014-12-1 14:58
你标题问的问题在主题贴上都回复了啊。

我不太懂主要。。
网络监控

网络操作[Connect HOST]76.188.18.122:2014
[Open URL]0.0.0.0
[Resolve HOST Name]60.173.9.195

这两个网址是做什么用的。。

Hmily · 发表于 2014-12-1 18:32

sosoppp 发表于 2014-12-1 18:30
请问这个存在远控行为么

从这个日志看不出来，但程序其他行为很像是。

sosoppp · 发表于 2014-12-1 18:30

Hmily 发表于 2014-12-1 17:57
程序在访问这个地址。

请问这个存在远控行为么

sosoppp · 发表于 2014-12-1 19:54

Hmily 发表于 2014-12-1 18:32
从这个日志看不出来，但程序其他行为很像是。

正在杀毒呢。。360杀一次可以了不。。

帐号		自动登录	找回密码
密码			注册[Register]

[PC样本分析] 哪个大神帮忙看看这病毒都有那些行为。。

点评

免费评分

点评

点评

个人中心