• 欢迎访问金刀客博客!
  • 2019,春节快乐!
> 病毒分析 > Trojan.PSW.Win32.GameOL(.exe)木马群的分析(2)

Trojan.PSW.Win32.GameOL(.exe)木马群的分析(2)

病毒分析 admin 13767次浏览 已收录 0个评论

病毒样本:.exe
大小:18.3KB
MD5: A372676453E6A14310EB923FE1BE633A
Upack V0.37 -> Dwing
类型:下载者
1,运行后,建立服务
HKLM\SYSTEM\CurrentControlSet\Services\mhfp
值: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp3.tmp
2,下载
test.591jx.com/test.exe
iii.chsip.net/listtt.exe
iii.chsip.net/list.txt
在list.txt再获取下载命令

[MAIN]
VERSION=2008-2-3
[URL]
1=http://iii.chsip.net/wm/1.exe
2=http://iii.chsip.net/wm/2.exe
3=http://iii.chsip.net/wm/3.exe
4=http://iii.chsip.net/wm/4.exe
5=http://iii.chsip.net/wm/5.exe
6=http://iii.chsip.net/wm/6.exe
7=http://iii.chsip.net/wm/7.exe
8=http://iii.chsip.net/wm/8.exe
9=http://iii.chsip.net/wm/9.exe
10=http://iii.chsip.net/wm/10.exe
11=http://iii.chsip.net/wm/11.exe
12=http://iii.chsip.net/wm/12.exe
13=http://iii.chsip.net/wm/13.exe
14=http://iii.chsip.net/wm/14.exe
15=http://iii.chsip.net/wm/15.exe
16=http://iii.chsip.net/wm/16.exe
17=http://iii.chsip.net/wm/17.exe
18=http://iii.chsip.net/wm/18.exe
19=http://iii.chsip.net/wm/19.exe
20=http://iii.chsip.net/wm/20.exe
21=http://iii.chsip.net/wm/21.exe
22=http://iii.chsip.net/wm/22.exe
23=http://iii.chsip.net/wm/23.exe
24=http://iii.chsip.net/wm/24.exe
25=http://iii.chsip.net/wm/25.exe
26=http://iii.chsip.net/wm/26.exe
27=http://iii.chsip.net/wm/27.exe
http://iii.chsip.net/wm/1.exe

3,运行上面下载的文件,释放的文件如下
c:\1.exe
c:\2.exe
c:\_uninsep.bat
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\.exe
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\2.exe
C:\Program Files\Internet Explorer\PLUGINS\Sys_Win7s.Jmp
C:\Program Files\Internet Explorer\PLUGINS\WinSys8k.Sys
C:\WINDOWS\DbgHlp32.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\WSockDrv32.exe
C:\WINDOWS\system32\10.exe
C:\WINDOWS\system32\12.exe
C:\WINDOWS\system32\13.exe
C:\WINDOWS\system32\14.exe
C:\WINDOWS\system32\16.exe
C:\WINDOWS\system32\18.exe
C:\WINDOWS\system32\21.exe
C:\WINDOWS\system32\22.exe
C:\WINDOWS\system32\24.exe
C:\WINDOWS\system32\26.exe
C:\WINDOWS\system32\3.exe
C:\WINDOWS\system32\4.exe
C:\WINDOWS\system32\6.exe
C:\WINDOWS\system32\7.exe
C:\WINDOWS\system32\8.exe
C:\WINDOWS\system32\73144.dat
C:\WINDOWS\system32\bauhgnem.cfg
c:\windows\system32\bauhgnem.dll
C:\WINDOWS\system32\BOLE.INI
C:\WINDOWS\system32\CBB-CBB-1028.dll
C:\WINDOWS\system32\DbgHlp32.dlL
C:\WINDOWS\system32\eohsom.cfg
C:\WINDOWS\system32\eohsom.dll
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\system32\gnolnait.cfg
C:\WINDOWS\system32\gnolnait.dll
C:\WINDOWS\system32\HACHAC1036.dll
C:\WINDOWS\system32\hfrdzx.dll
C:\WINDOWS\system32\hhrdxd.dll
C:\WINDOWS\system32\hjiq.cfg
C:\WINDOWS\system32\hjiq.dll
C:\WINDOWS\system32\IGBWD1031.dll
C:\WINDOWS\system32\JADJAD1038.dll
C:\WINDOWS\system32\knaixnauhuoyizqq.cfg
C:\WINDOWS\system32\knaixnauhuoyizqq.dll
C:\WINDOWS\system32\lordm.dll
C:\WINDOWS\system32\mseion.sys
C:\WINDOWS\system32\msepion.sys
C:\WINDOWS\system32\msosmhfp.dat
C:\WINDOWS\system32\msosmhfp00.dll
C:\WINDOWS\system32\netsrv.dll
C:\WINDOWS\system32\NNNNNN1029.dll
C:\WINDOWS\system32\oqnauhc.cfg
C:\WINDOWS\system32\oqnauhc.dll
C:\WINDOWS\system32\qlihzouhgnfe.cfg
C:\WINDOWS\system32\qlihzouhgnfe.dll
C:\WINDOWS\system32\SABSAB1013.dll
C:\WINDOWS\system32\twzlu.gjm
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\WIN.INI
C:\WINDOWS\system32\WSockDrv32.dll
C:\WINDOWS\system32\wyhesm.dll
C:\WINDOWS\system32\wyrsdj.dll
C:\WINDOWS\system32\xadpy.dll
C:\WINDOWS\system32\xjxr.cfg
C:\WINDOWS\system32\xjxr.dll
C:\WINDOWS\system32\zgxfdx.dll
C:\WINDOWS\system32\zjydcx.dll
C:\WINDOWS\system32\drivers\msaclue.sys
C:\WINDOWS\system32\drivers\mselk.sys
C:\WINDOWS\system32\drivers\msosfpids32.sys
C:\WINDOWS\system32\drivers\msyecp.sys
C:\WINDOWS\system32\drivers\npf.sys
4,
访问v43.dsfkjfs8i3jksdfj3hdds3jj3.com//down.asp
www.ads520.com/tj/f.asp
获取修改hosts列表,屏蔽安全网站。

127.0.0.1 localhost
219.235.3.16 search.114.vnet.cn
219.235.3.16 keyword.vnet.cn
219.235.3.16 auto.search.msn.com
219.235.3.16 search.msn.com
219.235.3.16 cnweb.search.live.com
219.235.3.16 www.hao123.com
219.235.3.16 hao123.com
219.235.3.16 www.360safe.com
219.235.3.16 360safe.com
202.165.102.243 update.360safe.com
219.235.3.16 dl.360safe.com
219.235.3.16 bbs.360safe.com
219.235.3.16 www.btbaicai.com
219.235.3.16 btbaicai.com
219.235.3.16 www.pctutu.com
219.235.3.16 www.7322.com
219.235.3.16 www.5566.net
219.235.3.16 www.9991.com
219.235.3.16 9991.com
219.235.3.16 forum.ikaka.com
219.235.3.16 www.ikaka.com
202.165.102.243 update.ikaka.com
219.235.3.16 forum.jiangmin.com
202.165.102.243 update.jiangmin.com
219.235.3.16 post.baidu.com
219.235.3.16 tieba.baidu.com
202.165.102.243 update.rising.com.cn
219.235.3.16 online.rising.com.cn
202.165.102.243 center.rising.com.cn
219.235.3.16 up.duba.net
219.235.3.16 shadu.baidu.com
219.235.3.16 du.baidu.com
219.235.3.16 security.symantec.com
219.235.3.16 shadu.duba.net
219.235.3.16 bbs.duba.net
219.235.3.16 www.duba.net
219.235.3.16 online.jiangmin.com
219.235.3.16 cn.mcafee.com
219.235.3.16 www.ahn.com.cn
219.235.3.16 www.kaspersky.com.cn
219.235.3.16 www.pcav.cn
219.235.3.16 mopery.hits.io
219.235.3.16 www.luosoft.com
219.235.3.16 luosoft.com
219.235.3.16 www.im286.com
219.235.3.16 bbs.htmlman.net
202.165.102.243 download.rising.com.cn
202.165.102.243 rsup08.rising.com.cn
219.235.3.16 10000.286er.com
219.235.3.16 im286.net
219.235.3.16 cool.47555.com
219.235.3.16 ju.qihoo.com
219.235.3.16 bbs.chinaz.com
219.235.3.16 www.qihoo.com
219.235.3.16 360safe.qihoo.com
219.235.3.16 360.qihoo.com
202.165.102.243 dnl-cn1.kaspersky-labs.com
202.165.102.243 dnl-cn2.kaspersky-labs.com
202.165.102.243 dnl-cn3.kaspersky-labs.com
202.165.102.243 dnl-cn4.kaspersky-labs.com
202.165.102.243 dnl-cn5.kaspersky-labs.com
202.165.102.243 dnl-cn6.kaspersky-labs.com
202.165.102.243 dnl-cn7.kaspersky-labs.com
202.165.102.243 dnl-cn8.kaspersky-labs.com
202.165.102.243 dnl-cn9.kaspersky-labs.com
202.165.102.243 dnl-cn10.kaspersky-labs.com
202.165.102.243 dnl-cn11.kaspersky-labs.com
202.165.102.243 dnl-cn12.kaspersky-labs.com
202.165.102.243 dnl-cn13.kaspersky-labs.com
202.165.102.243 dnl-cn14.kaspersky-labs.com
202.165.102.243 dnl-cn15.kaspersky-labs.com
202.165.102.243 dnl-eu1.kaspersky-labs.com
202.165.102.243 dnl-eu2.kaspersky-labs.com
202.165.102.243 dnl-eu3.kaspersky-labs.com
202.165.102.243 dnl-eu4.kaspersky-labs.com
202.165.102.243 dnl-eu5.kaspersky-labs.com
202.165.102.243 dnl-eu6.kaspersky-labs.com
202.165.102.243 dnl-eu7.kaspersky-labs.com
202.165.102.243 dnl-eu8.kaspersky-labs.com
202.165.102.243 dnl-eu9.kaspersky-labs.com
202.165.102.243 dnl-eu10.kaspersky-labs.com
202.165.102.243 dnl-eu11.kaspersky-labs.com
202.165.102.243 dnl-eu12.kaspersky-labs.com
202.165.102.243 dnl-eu13.kaspersky-labs.com
202.165.102.243 dnl-eu14.kaspersky-labs.com
202.165.102.243 dnl-eu15.kaspersky-labs.com
202.165.102.243 dnl-us1.kaspersky-labs.com
202.165.102.243 dnl-us2.kaspersky-labs.com
202.165.102.243 dnl-us3.kaspersky-labs.com
202.165.102.243 dnl-us4.kaspersky-labs.com
202.165.102.243 dnl-us5.kaspersky-labs.com
202.165.102.243 dnl-us6.kaspersky-labs.com
202.165.102.243 dnl-us7.kaspersky-labs.com
202.165.102.243 dnl-us8.kaspersky-labs.com
202.165.102.243 dnl-us9.kaspersky-labs.com
202.165.102.243 dnl-us10.kaspersky-labs.com
202.165.102.243 dnl-us11.kaspersky-labs.com
202.165.102.243 dnl-us12.kaspersky-labs.com
202.165.102.243 dnl-us13.kaspersky-labs.com
202.165.102.243 dnl-us14.kaspersky-labs.com
202.165.102.243 dnl-us15.kaspersky-labs.com
202.165.102.243 dnl-ru1.kaspersky-labs.com
202.165.102.243 dnl-ru2.kaspersky-labs.com
202.165.102.243 dnl-ru3.kaspersky-labs.com
202.165.102.243 dnl-ru4.kaspersky-labs.com
202.165.102.243 dnl-ru5.kaspersky-labs.com
202.165.102.243 dnl-ru6.kaspersky-labs.com
202.165.102.243 dnl-ru7.kaspersky-labs.com
202.165.102.243 dnl-ru8.kaspersky-labs.com
202.165.102.243 dnl-ru9.kaspersky-labs.com
202.165.102.243 dnl-ru10.kaspersky-labs.com
202.165.102.243 dnl-ru11.kaspersky-labs.com
202.165.102.243 dnl-ru12.kaspersky-labs.com
202.165.102.243 dnl-ru13.kaspersky-labs.com
202.165.102.243 dnl-ru14.kaspersky-labs.com
202.165.102.243 dnl-ru15.kaspersky-labs.com
202.165.102.243 dnl-jp1.kaspersky-labs.com
202.165.102.243 dnl-jp2.kaspersky-labs.com
202.165.102.243 dnl-jp3.kaspersky-labs.com
202.165.102.243 dnl-jp4.kaspersky-labs.com
202.165.102.243 dnl-jp5.kaspersky-labs.com
202.165.102.243 dnl-jp6.kaspersky-labs.com
202.165.102.243 dnl-jp7.kaspersky-labs.com
202.165.102.243 dnl-jp8.kaspersky-labs.com
202.165.102.243 dnl-jp9.kaspersky-labs.com
202.165.102.243 dnl-jp10.kaspersky-labs.com
202.165.102.243 dnl-jp11.kaspersky-labs.com
202.165.102.243 dnl-jp12.kaspersky-labs.com
202.165.102.243 dnl-jp13.kaspersky-labs.com
202.165.102.243 dnl-jp14.kaspersky-labs.com
202.165.102.243 dnl-jp15.kaspersky-labs.com
202.165.102.243 dnl-kr1.kaspersky-labs.com
202.165.102.243 dnl-kr2.kaspersky-labs.com
202.165.102.243 dnl-kr3.kaspersky-labs.com
202.165.102.243 dnl-kr4.kaspersky-labs.com
202.165.102.243 dnl-kr5.kaspersky-labs.com
202.165.102.243 dnl-kr6.kaspersky-labs.com
202.165.102.243 dnl-kr7.kaspersky-labs.com
202.165.102.243 dnl-kr8.kaspersky-labs.com
202.165.102.243 dnl-kr9.kaspersky-labs.com
202.165.102.243 dnl-kr10.kaspersky-labs.com
202.165.102.243 dnl-kr11.kaspersky-labs.com
202.165.102.243 dnl-kr12.kaspersky-labs.com
202.165.102.243 dnl-kr13.kaspersky-labs.com
202.165.102.243 dnl-kr14.kaspersky-labs.com
202.165.102.243 dnl-kr15.kaspersky-labs.com
202.165.102.243 dnl-cd1.kaspersky-labs.com
202.165.102.243 dnl-cd2.kaspersky-labs.com
202.165.102.243 dnl-cd3.kaspersky-labs.com
202.165.102.243 dnl-cd4.kaspersky-labs.com
202.165.102.243 dnl-cd5.kaspersky-labs.com
202.165.102.243 dnl-cd6.kaspersky-labs.com
202.165.102.243 dnl-cd7.kaspersky-labs.com
202.165.102.243 dnl-cd8.kaspersky-labs.com
202.165.102.243 dnl-cd9.kaspersky-labs.com
202.165.102.243 dnl-cd10.kaspersky-labs.com
202.165.102.243 dnl-cd11.kaspersky-labs.com
202.165.102.243 dnl-cd12.kaspersky-labs.com
202.165.102.243 dnl-cd13.kaspersky-labs.com
202.165.102.243 dnl-cd14.kaspersky-labs.com
202.165.102.243 dnl-cd15.kaspersky-labs.com
202.165.102.243 downloads1.kaspersky-labs.com
202.165.102.243 downloads2.kaspersky-labs.com
202.165.102.243 downloads3.kaspersky-labs.com
202.165.102.243 downloads4.kaspersky-labs.com
202.165.102.243 downloads5.kaspersky-labs.com
219.235.3.16 ishare.sina.com.cn
219.235.3.16 search.cn.yahoo.com
219.235.3.16 www.google.com
219.235.3.16 google.com
219.235.3.16 www.google.cn
219.235.3.16 www.sogou.com
219.235.3.16 www.yahoo.com.cn
219.235.3.16 cn.yahoo.com
222.73.210.148 www.comewz.com
219.235.3.16 search.tom.com
219.235.3.16 zhuansha.duba.net
219.235.3.16 buy.duba.net
219.235.3.16 page.so.163.com
219.235.3.16 www.soso.com
219.235.3.16 sou.china.com
219.235.3.16 toolsbar.kuaiso.com
219.235.3.16 www.kuaiso.com

5,添加启动
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WSockDrv32 C:\WINDOWS\WSockDrv32.exe
upxdnd c:\windows\upxdnd.exe
NVDispDrv c:\windows\nvdispdrv.exe
DbgHlp32 c:\windows\dbghlp32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
CBB-CBB-1028.dll c:\windows\system32\cbb-cbb-1028.dll
HACHAC1036.dll c:\windows\system32\hachac1036.dll
hfrdzx.dll c:\windows\system32\hfrdzx.dll
hhrdxd.dll c:\windows\system32\hhrdxd.dll
IGBWD1031.dll c:\windows\system32\igbwd1031.dll
JADJAD1038.dll c:\windows\system32\jadjad1038.dll
NNNNNN1029.dll c:\windows\system32\nnnnnn1029.dll
SABSAB1013.dll c:\windows\system32\sabsab1013.dll
winsys8k.sys c:\program files\internet explorer\plugins\winsys8k.sys
wyhesm.dll c:\windows\system32\wyhesm.dll
wyrsdj.dll c:\windows\system32\wyrsdj.dll
zgxfdx.dll c:\windows\system32\zgxfdx.dll
zjydcx.dll c:\windows\system32\zjydcx.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
suwzb.dll c:\windows\system32\suwzb.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ybeqz File not found: C:\WINDOWS\system32\twzlu.gjm
HKLM\System\CurrentControlSet\Services
fpids32 c:\windows\system32\drivers\msosfpids32.sys
msert c:\windows\system32\drivers\mselk.sys
msertk c:\windows\system32\drivers\msyecp.sys
msskye c:\windows\system32\drivers\msaclue.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
2ty.dll
msosmhfp00.dll
……
所有项。
6,运行进程截图

7,发现此病毒一个很有意思的功能,一发现sreng的文件就关闭删除,还删除名称含“扫描”,“专杀”,“MON”和“木马”或“克星”的文件。


清除办法:
1,断开网络,切断病毒更新的后路。
2,复制上面所列释放文件名,选用XDelBoxX的“从粘贴坂输入”,”立刻重启删除“。一定得确保启动项对应的文件被删除!
C:\WINDOWS\system32\twzlu.gjm似乎都没能被费尔木马清除助手和XDelBoxX清除,可用巡警的FileForceKiller暴力删除。


3,确定文件都被删除后。打开autoruns.exe,删除上面所列启动项。
run值:

shellexecutehooks值:

驱动项:

还有一个fpids32。
appinit dlls值:

4,把twzlu.gjm清除之后,终于可以打开sreng了。
系统修复,windows shell/IE,全选,修复。
系统修复,高级修复,修复安全模式。
系统修复,HOSTS文件,重置,
再“新建”或自己手动用记事本打开C:\WINDOWS\system32\drivers\etc\hosts
添加如下内容:
127.0.0.1 iii.chsip.net
127.0.0.1 www.ads520.com
127.0.0.1 v43.dsfkjfs8i3jksdfj3hdds3jj3.com
5,清空C:\WINDOWS\Prefetch文件夹
6,用杀软扫描全盘,以防漏网之鱼
瑞星扫描样本包的结果:
.exe Trojan.DL.Win32.Undef.az
1.exe Trojan.DL.Win32.Small.tpr
10.exe Trojan.PSW.Win32.GamesOnline.oa
2.exe>>upack0.39>>IFTDLL Trojan.DL.Win32.Direct.me
22.exe>>upack0.39 Trojan.PSW.Win32.GamesOnline.oa
26.exe>>upx_c>>FILE Worm.Win32.PaBug.get
3.exe>>upack0.32 Trojan.PSW.Win32.GameOL.GEN
73144.dat Trojan.Win32.Undef.dcv
8.exe>>upack0.39 Trojan.PSW.Win32.ZeroOnline.dj
bauhgnem.dll>>upack0.34 Trojan.PSW.Win32.XYOnline.abk
CBB-CBB-1028.dll>>upack0.34 Trojan.PSW.Win32.GameOL.GEN
cratgw.exe>>upack0.32 Trojan.PSW.Win32.GameOL.GEN
DbgHlp32.dlL Trojan.PSW.Win32.GameOL.mbv
DbgHlp32.exe>>upack0.32 Trojan.PSW.Win32.GameOL.GEN
eohsom.dll>>upack0.34>>68 Trojan.PSW.Win32.GameOL.GEN
\eohsom.dll>>upack0.34>>67 RootKit.Win32.GameSuper.c
explorer.exe>>upack0.39 Trojan.DL.Win32.Small.tpr
gnolnait.dll>>upack0.34>>68 Trojan.PSW.Win32.OnlineGames.GEN
gnolnait.dll>>upack0.34>>67 RootKit.Win32.GameSuper.c
HACHAC1036.dll>>upack0.34 Trojan.PSW.Win32.GameOL.GEN
hfrdzx.dll>>upack0.34 Trojan.PSW.Win32.GameOL.mcj
\hhrdxd.dll>>upack0.34 Trojan.PSW.Win32.GameOL.mci
hjiq.dll>>upack0.34 Trojan.PSW.Win32.GameOL.lvx
IGBWD1031.dll>>upack0.34 Trojan.PSW.Win32.GameOL.GEN
JADJAD1038.dll>>upack0.34 Trojan.PSW.Win32.ZeroOnline.dk
\knaixnauhuoyizqq.dll>>upack0.34 RootKit.Win32.GameHack.GEN
msaclue.sys RootKit.Win32.GameSuper.b
mseion.sys RootKit.Win32.Mnless.if
\mselk.sys RootKit.Win32.Mnless.ie
msepion.sys RootKit.Win32.Undef.bm
msosfpids32.sys RootKit.Win32.Mnless.hz
syecp.sys Trojan.PSW.Win32.OnlineGames.GEN
\netsrv.dll Trojan.DL.Win32.Small.tpr
NNNNNN1029.dll>>upack0.34 Trojan.PSW.Win32.GameOL.mce
oqnauhc.dll>>upack0.34>>68 Trojan.PSW.Win32.OnlineGames.GEN
oqnauhc.dll>>upack0.34>>67 RootKit.Win32.GameSuper.c
qlihzouhgnfe.dll>>upack0.34 Trojan.PSW.Win32.OnlineGames.GEN
SABSAB1013.dll>>upack0.34 Trojan.PSW.Win32.GameOL.mce
upxdnd.dll Trojan.PSW.Win32.GameOL.maq
upxdnd.exe>>upack0.32 Trojan.PSW.Win32.GameOL.GEN
WinSys8k.Sys Worm.Win32.PaBug.get
WSockDrv32.dll Trojan.PSW.Win32.QQGame.geu
WSockDrv32.exe>>upack0.32 Trojan.PSW.Win32.GameOL.GEN
\xjxr.dll>>upack0.34 Trojan.PSW.Win32.YBOnline.dj
zjydcx.dll>>upack0.34 Trojan.PSW.Win32.GameOL.mcd
zwybfi.exe>>upack0.32 Trojan.PSW.Win32.GameOL.GEN
纳米盘下载:
纳米下载地址
附:点击下载金刀客工具包(含本文中涉及的所有工具)
病毒上报信箱: daokers@qq.com

金刀客博客 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明Trojan.PSW.Win32.GameOL(.exe)木马群的分析(2)
喜欢 (3)
发表我的评论
取消评论

表情 贴图 加粗 删除线 居中 斜体 签到