
Trojan-Downloader.Win32.Small.hsh Analysis

[ Author: Antiy (安天) | Updated: 2008-1-24 20:11:41 ]

This sample is a Trojan. When run, it drops files into the system temporary directory, modifies the registry and creates a service so that it starts with the system. After the computer is restarted it overwrites the %Windir%\explorer.exe file and loads it, so that two explorer.exe processes appear in Task Manager. It then connects to the network and downloads further malicious files, most of them password-stealing Trojans, which run automatically once downloaded. When it has finished running, the sample deletes itself.

Behaviour analysis:
Local behaviour:


1. When run, the file drops the following files:

    %System32%\drivers\phy.sys                                             1,536 bytes
    %Documents and Settings%\Administrator\Local Settings\Temp\tmp1.tmp    8,192 bytes
    %Documents and Settings%\Administrator\Local Settings\Temp\tmp2.tmp    8,192 bytes
  
2. Modifies the explorer.exe file under %Windir%:

    After the machine is restarted, the contents of tmp1.tmp overwrite
    explorer.exe starting at the beginning of the file; the remainder of the
    file is left unchanged, so the file size does not change, but the file
    no longer carries version information and no longer provides the
    original file's functionality.
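The overwrite described in step 2 can be verified against a known-good copy of explorer.exe. The following Python script is an added example and is not part of the Antiy report: it works on byte strings constructed in memory for the demonstration, takes the 8,192-byte overwrite length from the size of tmp1.tmp listed above, and treats the PE-header and version-marker checks as heuristics (the sample layout is an assumption).

```python
"""Added example, not part of the Antiy write-up: checks for the explorer.exe
overwrite pattern described above (a fixed-size prefix replaced, file size
unchanged, version information no longer readable).  Every input is
constructed in memory; the 8,192-byte overwrite length is the size of
tmp1.tmp as given in the report, and the byte layout of the samples is an
assumption made for the demonstration."""
import hashlib

OVERWRITE_LEN = 8192  # size of tmp1.tmp in the report
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")  # stored as UTF-16LE in .rsrc


def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_version_marker(data: bytes) -> bool:
    """Heuristic: the version resource's root block name is still somewhere in
    the file.  Windows only finds it through the resource directory, so the
    marker alone proves nothing once the PE headers are gone; see assess()."""
    return VERSION_MARKER in data


def overwritten_span(baseline: bytes, current: bytes):
    """Compare a known-good copy with the on-disk copy.  Returns
    (first_differing_offset, end_of_differing_region), or None when the files
    are identical.  Requires equal lengths, which is the case the report describes."""
    if len(baseline) != len(current):
        return None
    n = len(baseline)
    first = next((i for i in range(n) if baseline[i] != current[i]), None)
    if first is None:
        return None
    last = next(i for i in range(n - 1, first - 1, -1) if baseline[i] != current[i])
    return first, last + 1


def assess(baseline: bytes, current: bytes) -> dict:
    """Summarise what a responder would record for the suspect explorer.exe."""
    return {
        "same_size": len(baseline) == len(current),
        "sha256": hashlib.sha256(current).hexdigest(),
        "is_pe": is_pe(current),
        # without valid headers the resource directory cannot be walked, so the
        # version information is unreadable even if the .rsrc bytes survived
        "version_info_readable": is_pe(current) and has_version_marker(current),
        "overwritten_span": overwritten_span(baseline, current),
    }


def build_samples(total_size: int = 3 * OVERWRITE_LEN):
    """Constructed stand-ins: a 'clean' explorer.exe and the overwritten copy."""
    header = bytearray(0x200)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew
    header[0x80:0x84] = b"PE\x00\x00"
    # put the version marker well past the prefix, where a real .rsrc would sit
    clean = bytes(header) + b"\x00" * (2 * OVERWRITE_LEN - len(header)) + VERSION_MARKER
    clean += b"\x00" * (total_size - len(clean))
    # the dropped 8,192-byte file replaces only the start; the tail is untouched
    payload = b"\xCC" * OVERWRITE_LEN
    overwritten = payload + clean[OVERWRITE_LEN:]
    return clean, overwritten


if __name__ == "__main__":
    clean, suspect = build_samples()
    for key, value in assess(clean, suspect).items():
        print(f"{key:>22}: {value}")
```

On a real host the baseline would be explorer.exe from installation media or a clean machine of the same build; a hash mismatch with equal sizes plus an unreadable version resource is the combination this sample produces.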

3. Adds the following registry entries:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    Value name: "DisplayName"
    Type: REG_SZ
    Data: "phy"
    Description: service name

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    Value name: "ImagePath"
    Type: REG_SZ
    Data: "\??\C:\WINDOWS\system32\DRIVERS\phy.sys"
    Description: image path the service is started from

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
    Value name: "Start"
    Type: DWORD
    Data: "3"
    Description: service start type
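The service entries in step 3 are the persistence indicator a responder would sweep for. The following Python script is an added example, not part of the Antiy report: it parses a `.reg` export of the Services key and reports any service whose image file is on an indicator list. The REG_TEXT is constructed to mimic such an export; its `phy` entry carries the values listed above, while the `examplesvc` entry is a benign stand-in that exists only for the demonstration.

```python
"""Added example, not from the Antiy report: scan a .reg export of the
Services hive for a kernel-driver service matching the indicators above.
REG_TEXT is constructed to mimic `reg export
HKLM\\SYSTEM\\ControlSet001\\Services services.reg`: the 'phy' entry carries
the values the report lists, the 'examplesvc' entry is a benign stand-in."""
import re

REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\examplesvc]
"DisplayName"="Example Service (constructed, benign)"
"ImagePath"="C:\\Program Files\\Example\\examplesvc.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phy]
"DisplayName"="phy"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\phy.sys"
"Start"=dword:00000003
"""

# Service start types as Windows defines the "Start" value
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
# Driver file names named in the report (extend with your own indicator list)
INDICATOR_DRIVERS = {"phy.sys"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode(raw: str):
    """Decode the REG_SZ / REG_DWORD encodings used by .reg files."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # hex(...) blobs and other types are left as-is


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for every key in the export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = _decode(m.group(2))
    return keys


def find_indicator_services(keys: dict, indicators=INDICATOR_DRIVERS) -> list:
    """List services whose ImagePath file name is on the indicator list."""
    hits = []
    for key, values in keys.items():
        image = str(values.get("ImagePath", ""))
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in indicators:
            hits.append({
                "service": key.rsplit("\\", 1)[-1],
                "display_name": values.get("DisplayName"),
                "image_path": image,
                "start": START_TYPES.get(values.get("Start"), "unknown"),
            })
    return hits


if __name__ == "__main__":
    # A real export is UTF-16LE with a BOM: open(path, encoding="utf-16").read()
    for hit in find_indicator_services(parse_reg(REG_TEXT)):
        print(hit)
```

The report only lists ControlSet001; on a live system also export CurrentControlSet, since the two can differ until the next boot.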

Network behaviour:

1. Connects to the network to download malicious files:

    Connects to:
    http://58.211.8.**/a1.exe
    infected: Backdoor.Win32.Hupigon.aqur
    
    http://58.211.8.**/a10.exe
    infected: Trojan-PSW.Win32.OnLineGames.odx

    http://58.211.8.**/a11.exe
    infected: Trojan-PSW.Win32.OnLineGames.nmc
    
    http://58.211.8.**/a12.exe
    infected: Trojan-PSW.Win32.OnLineGames.omm
    
    http://58.211.8.**/a13.exe
    infected: Trojan-PSW.Win32.Lmir.bpv

    http://58.211.8.**/a14.exe
    infected: Trojan-PSW.Win32.OnLineGames.onw

    http://58.211.8.**/a15.exe
    infected: Trojan.Win32.Vaklik.eb

    http://58.211.8.**/a16.exe
    infected: Trojan-PSW.Win32.OnLineGames.pef

    http://58.211.8.**/a17.exe
    infected: Trojan-PSW.Win32.OnLineGames.pem

    http://58.211.8.**/a18.exe
    infected: Trojan-PSW.Win32.OnLineGames.obo

    http://58.211.8.**/a19.exe
    infected: Trojan-PSW.Win32.OnLineGames.odx

    http://58.211.8.**/a2.exe
    infected: Trojan.Win32.Vaklik.el

    http://58.211.8.**/a20.exe
    infected: Backdoor.Win32.Delf.csn

    http://58.211.8.**/a21.exe
    infected: Trojan-PSW.Win32.OnLineGames.oeg

    http://58.211.8.**/a22.exe
    infected: Trojan-PSW.Win32.OnLineGames.orf

    http://58.211.8.**/a23.exe
    infected: Trojan-PSW.Win32.OnLineGames.oed

    http://58.211.8.**/a24.exe
    infected: Trojan-Downloader.Win32.Zlob.geh

    http://58.211.8.**/a25.exe
    infected: Trojan.Win32.StartPage.avr

    http://58.211.8.**/a26.exe    could not be downloaded
    
    http://58.211.8.**/a3.exe
    infected: Trojan-PSW.Win32.OnLineGames.omw

    http://58.211.8.**/a4.exe
    infected: Trojan-PSW.Win32.Delf.anb

    http://58.211.8.**/a5.exe
    infected: Trojan-PSW.Win32.OnLineGames.oxl

    http://58.211.8.**/a6.exe
    infected: Trojan-PSW.Win32.QQPass.asf

    http://58.211.8.**/a7.exe    could not be downloaded

    http://58.211.8.**/a8.exe
    infected: Trojan-PSW.Win32.OnLineGames.oji

    http://58.211.8.**/a9.exe
    infected: Trojan-PSW.Win32.OnLineGames.ozk

    Downloaded files, which are run automatically:
    %Program Files%\Internet Explorer\PLUGINS\Sy_Win7k.Jmp
    infected: Trojan-PSW.Win32.QQPass.ase

    %Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
    infected: Trojan-PSW.Win32.QQPass.ase

    %Documents and Settings%\<current user>\Local Settings\TEMP\LYLOADER.EXE
    infected: Trojan-PSW.Win32.OnLineGames.peo

    %Documents and Settings%\<current user>\Local Settings\TEMP\LYMANGR.DLL
    infected: Trojan-PSW.Win32.OnLineGames.peo

    %Documents and Settings%\<current user>\Local Settings\TEMP\MSDEG32.DLL
    infected: Trojan-PSW.Win32.OnLineGames.peo

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp18.tmp
    infected: Trojan-PSW.Win32.OnLineGames.ojf

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp21.tmp
    infected: Trojan-PSW.Win32.OnLineGames.pem

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp24.tmp
    infected: Backdoor.Win32.Delf.csn

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp2B.tmp
    infected: Trojan.Win32.StartPage.avr

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp2C.tmp
    infected: Trojan.Win32.StartPage.avr

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp4.tmp
    infected: Backdoor.Win32.Hupigon.aqur

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp7dw.dll
    infected: Trojan-PSW.Win32.QQPass.asf

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmp9.tmp
    infected: Trojan-PSW.Win32.QQPass.asf

    %Documents and Settings%\<current user>\Local Settings\TEMP\tmpA.tmp
    infected: Trojan.Win32.StartPage.avr

    %Documents and Settings%\<current user>\Local Settings\TEMP\uninsts.exe
    infected: Trojan-PSW.Win32.OnLineGames.pem

    %System32%\auhad.dll
    infected: Trojan-PSW.Win32.OnLineGames.omq

    %System32%\DbgHlp32.dll
    infected: Trojan-PSW.Win32.OnLineGames.omm

    %System32%\exodyndzyzj.dll
    infected: Trojan-PSW.Win32.WOW.ajn

    %System32%\gnaixnauhuoyizqq.dll
    infected: Trojan-PSW.Win32.OnLineGames.okt

    %System32%\ijougiemnaw.dll
    infected: Trojan-PSW.Win32.OnLineGames.ony

    %System32%\Kvsc3.dll
    infected: Trojan-PSW.Win32.OnLineGames.obo

    %System32%\LYLOADER.EXE
    infected: Trojan-PSW.Win32.OnLineGames.peo

    %System32%\LYMANGR.DLL
    infected: Trojan-PSW.Win32.OnLineGames.peo

    %System32%\MSDEG32.DLL
    infected: Trojan-PSW.Win32.OnLineGames.peo

    %System32%\mstfhncn32.dll
    infected: Trojan-PSW.Win32.OnLineGames.pef

    %System32%\niluw.dll
    infected: Trojan-PSW.Win32.OnLineGames.ojb

    %System32%\Packet.dll    legitimate file

    %System32%\PTSShell.dll
    infected: Trojan-PSW.Win32.OnLineGames.oqy

    %System32%\SHAProc.dll
    infected: Trojan-PSW.Win32.OnLineGames.pew

    %System32%\SSLDyn.dll
    infected: Trojan-PSW.Win32.OnLineGames.pbu

    %System32%\uohsom.dll
    infected: Trojan-PSW.Win32.OnLineGames.oji

    %System32%\upxdnd.dll
    infected: Trojan-PSW.Win32.OnLineGames.oxo

    %System32%\WanPacket.dll    legitimate file

    %System32%\wpcap.dll    legitimate file

    %System32%\drivers\msaclue.sys
    infected: Trojan-PSW.Win32.OnLineGames.oxd

    %System32%\drivers\msacpe.sys
    infected: Trojan-PSW.Win32.OnLineGames.oke

    %System32%\drivers\npf.sys    legitimate file

    %System32%\drivers\phy.sys
    infected: Trojan-Downloader.Win32.Small.hsh

    %System32%\drivers\scvhost.exe
    infected: Backdoor.Win32.Delf.awy

    %System32%\drivers\svchost.exe
    infected: Backdoor.Win32.Delf.csn

    %Windir%\192896M.exe
    infected: Trojan-PSW.Win32.Lmir.bpv

    %Windir%\192896MM.DLL
    infected: Trojan-PSW.Win32.OnLineGames.oqu

    %Windir%\DbgHlp32.exe
    infected: Trojan-PSW.Win32.OnLineGames.omm

    %Windir%\Kvsc3.exE
    infected: Trojan-PSW.Win32.OnLineGames.obo

    %Windir%\PTSShell.exe
    infected: Trojan.Win32.Vaklik.eb

    %Windir%\SHAProc.exe
    infected: Trojan-PSW.Win32.OnLineGames.orf

    %Windir%\SSLDyn.exE
    infected: Trojan.Win32.Vaklik.el

    %Windir%\upxdnd.exe
    infected: Trojan-PSW.Win32.OnLineGames.oxl

    %Windir%\font\avzxoin.dll
    infected: Trojan-PSW.Win32.OnLineGames.oiy

    %Windir%\font\avzxomn.dll
    infected: Trojan-PSW.Win32.OnLineGames.oin

    %Windir%\font\avzxost.exe
    infected: Trojan-PSW.Win32.OnLineGames.odx

    %Windir%\font\chrebur.fon
    infected: Trojan-PSW.Win32.OnLineGames.oil

    %Windir%\font\gejibnd.fon
    infected: Trojan-PSW.Win32.OnLineGames.oit

    %Windir%\font\jshubxw.fon
    infected: Trojan-PSW.Win32.OnLineGames.oim

    %Windir%\font\jsqxcss.dll
    infected: Trojan-PSW.Win32.OnLineGames.oie

    %Windir%\font\jsqxcyc.dll
    infected: Trojan-PSW.Win32.OnLineGames.oeh

    %Windir%\font\jsqxczc.exe
    infected: Trojan-PSW.Win32.OnLineGames.oed

    %Windir%\font\mszhbsda.fon
    infected: Trojan-PSW.Win32.OnLineGames.oie

    %Windir%\font\rarjfni.dll
    infected: Trojan-PSW.Win32.OnLineGames.oig

    %Windir%\font\rarjfpi.dll
    infected: Trojan-PSW.Win32.OnLineGames.oql

    %Windir%\font\rarjftl.exe
    infected: Trojan-PSW.Win32.OnLineGames.odx

    %Windir%\font\rsjzbfg.dll
    infected: Trojan-PSW.Win32.OnLineGames.oib

    %Windir%\font\rsjzbpm.dll
    infected: Trojan-PSW.Win32.OnLineGames.oef

    %Windir%\font\rsjzbsp.exe
    infected: Trojan-PSW.Win32.OnLineGames.oeg
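The download list above has a shape that is easy to spot in proxy or web-gateway logs: one client fetching a run of numbered executables (a1.exe, a2.exe, ... a26.exe) from one host within a couple of minutes, with a few of them failing. The following Python script is an added example and is not part of the Antiy report. The LOG_LINES are constructed; the report masks the real host as 58.211.8.**, so the documentation address 203.0.113.10 stands in for it, and the log line format is an assumption.

```python
"""Added example, not part of the Antiy report: flag the download pattern
above in web-proxy logs, i.e. one client fetching a run of numbered .exe
files from a single host in a short window.  LOG_LINES are constructed; the
report masks the real host as 58.211.8.**, so the documentation address
203.0.113.10 stands in for it, and the log format is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_LINES = """\
2008-01-24T20:11:41 10.0.0.5 GET http://203.0.113.10/a1.exe 200 8192
2008-01-24T20:11:43 10.0.0.5 GET http://203.0.113.10/a10.exe 200 20480
2008-01-24T20:11:45 10.0.0.5 GET http://203.0.113.10/a11.exe 200 16384
2008-01-24T20:11:48 10.0.0.5 GET http://203.0.113.10/a12.exe 200 24576
2008-01-24T20:11:50 10.0.0.5 GET http://203.0.113.10/a13.exe 200 12288
2008-01-24T20:11:52 10.0.0.5 GET http://203.0.113.10/a2.exe 200 30720
2008-01-24T20:11:55 10.0.0.5 GET http://203.0.113.10/a26.exe 404 0
2008-01-24T20:11:57 10.0.0.5 GET http://203.0.113.10/a3.exe 200 18432
2008-01-24T20:12:00 10.0.0.5 GET http://203.0.113.10/a7.exe 404 0
2008-01-24T20:12:02 10.0.0.5 GET http://203.0.113.10/a4.exe 200 40960
2008-01-24T20:15:00 10.0.0.7 GET http://www.example.com/index.html 200 1200
2008-01-24T20:16:00 10.0.0.7 GET http://www.example.com/setup.exe 200 300000
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) "
                     r"(?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$")
# "/a1.exe", "/a26.exe", ...: a short alphabetic stem followed by a number
NUMBERED_EXE = re.compile(r"^/(?P<stem>[A-Za-z_]+)(?P<num>\d+)\.exe$", re.I)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlparse(m["url"])
    return {"ts": datetime.fromisoformat(m["ts"]), "client": m["client"],
            "host": url.hostname, "path": url.path, "status": int(m["status"])}


def find_download_fanout(lines, window=timedelta(minutes=10), min_files=5):
    """Return one finding per (client, host, stem) that fetched at least
    `min_files` distinct numbered executables inside any `window`."""
    groups = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        m = NUMBERED_EXE.match(event["path"])
        if m:
            groups[(event["client"], event["host"], m["stem"].lower())].append(event)

    findings = []
    for (client, host, stem), events in groups.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding window over the sorted events
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if len({e["path"] for e in events[start:end + 1]}) >= min_files:
                findings.append({
                    "client": client, "host": host, "pattern": f"/{stem}<N>.exe",
                    "distinct_files": len({e["path"] for e in events}),
                    "failed": sum(e["status"] != 200 for e in events),
                    "first": events[0]["ts"].isoformat(),
                    "last": events[-1]["ts"].isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_download_fanout(LOG_LINES):
        print(finding)
```

The failed fetches are kept in the finding on purpose: the report shows a26.exe and a7.exe as undownloadable, and a 404 from the same host in the middle of the run is part of the same signal, not noise.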

Note: %System32% is a variable path. The malware queries the operating system to determine the location of the current System folder.

    %Windir%                      directory in which Windows is installed
    %DriveLetter%                 root of a logical drive
    %ProgramFiles%                default installation directory for programs
    %HomeDrive%                   partition holding the currently booted system
    %Documents and Settings%      root of the current user's profile directory
    %Temp%                        \Documents and Settings\<current user>\Local Settings\Temp
    %System32%                    the system's System32 folder

    Default path on Windows 2000/NT:     C:\Winnt\System32
    Default path on Windows 95/98/Me:    C:\Windows\System
    Default path on Windows XP:          C:\Windows\System32
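Because the file list is written with these placeholders, an incident responder has to expand them for the host at hand before checking for the files. The following Python script is an added example, not part of the Antiy report: IOC_PATHS and LEGITIMATE are a subset of the entries above, while ENV and INVENTORY are constructed values standing in for a real machine (a default Windows XP layout with the user Administrator). The assignment of Packet.dll, WanPacket.dll, wpcap.dll and npf.sys to the WinPcap library is general knowledge, not something the report states.

```python
"""Added example, not from the Antiy report: expand the placeholder paths used
in the list above and check a host inventory for them.  IOC_PATHS and
LEGITIMATE are a subset of the report's entries; ENV and INVENTORY are
constructed values standing in for a real machine."""
import os

IOC_PATHS = [  # subset of the report's list, spelling kept as printed there
    r"%System32%\drivers\phy.sys",
    r"%System32%\drivers\msaclue.sys",
    r"%System32%\drivers\scvhost.exe",
    r"%Windir%\Kvsc3.exE",
    r"%Windir%\font\avzxoin.dll",
    r"%Program Files%\Internet Explorer\PLUGINS\Sy_Win7k.Jmp",
    r"%Documents and Settings%\<current user>\Local Settings\TEMP\LYLOADER.EXE",
]
# Files the report marks as legitimate (WinPcap packet-capture components).
# They are reported separately so nobody deletes them as malware.
LEGITIMATE = [
    r"%System32%\Packet.dll",
    r"%System32%\WanPacket.dll",
    r"%System32%\wpcap.dll",
    r"%System32%\drivers\npf.sys",
]

ENV = {  # constructed: default Windows XP layout, user 'Administrator'
    "%System32%": r"C:\WINDOWS\system32",
    "%Windir%": r"C:\WINDOWS",
    "%Program Files%": r"C:\Program Files",
    r"%Documents and Settings%\<current user>": r"C:\Documents and Settings\Administrator",
}

INVENTORY = [  # constructed file listing of a suspect host
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\drivers\phy.sys",
    r"C:\WINDOWS\kvsc3.exe",
    r"C:\WINDOWS\system32\wpcap.dll",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
]


def expand(path: str, env: dict = ENV) -> str:
    """Replace the report's placeholders with concrete directories."""
    # longest placeholder first, so "%Documents and Settings%\<current user>"
    # is replaced as a unit rather than leaving "\<current user>" behind
    for key in sorted(env, key=len, reverse=True):
        path = path.replace(key, env[key])
    return path


def sweep(inventory, env: dict = ENV, iocs=IOC_PATHS, legitimate=LEGITIMATE) -> dict:
    """Check a file listing for the indicators; NTFS names are case-insensitive,
    which matters because the report prints names like Kvsc3.exE."""
    present = {p.lower() for p in inventory}
    hits = [expand(p, env) for p in iocs if expand(p, env).lower() in present]
    legit = [expand(p, env) for p in legitimate if expand(p, env).lower() in present]
    return {"indicators_present": hits, "legitimate_present": legit}


def sweep_live(env: dict, iocs=IOC_PATHS, legitimate=LEGITIMATE) -> dict:
    """Same check against the local file system of a Windows host."""
    return {
        "indicators_present": [expand(p, env) for p in iocs
                               if os.path.exists(expand(p, env))],
        "legitimate_present": [expand(p, env) for p in legitimate
                               if os.path.exists(expand(p, env))],
    }


if __name__ == "__main__":
    print(sweep(INVENTORY))
```

On a live host, build ENV from the real environment (os.environ["SystemRoot"], os.environ["ProgramFiles"], os.environ["USERPROFILE"]) and call sweep_live; the inventory form is convenient when working from a collected file listing or a mounted disk image.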

    

