当前位置:在线查询网 > 在线百科全书查询 > Email-Worm.Win32.LovGate.ae

Email-Worm.Win32.LovGate.ae_在线百科全书查询


请输入要查询的词条内容:

Email-Worm.Win32.LovGate.ae

Email-Worm.Win32.LovGate.ae分析

前言:这应该是比较老的病毒了,如果没记错,应该是出现在2004年左右吧。今天在剑盟下到了样本,这类邮件类的蠕虫我只分析过Warezov,这个爱情后门还是写的不错的,我花了4个多小时去看,中间查了些资料,还有些不懂的,挺累的。要不断学习进步才行!本人是菜鸟,难免会有遗漏的地方。

字串3

病毒名称:Email-Worm.Win32.LovGate.ae(Kaspersky)

病毒大小:192000 bytes

加壳方式:多层ASPACK,JDPACK

样本MD5:42ab20ee5f4757a44edff753bc508840

样本SHA1:cc2df80aea902bec125601cd3202a3e5e9010613

编写语言:Microsoft Visual C++ 6.0

病毒类型:后门、蠕虫

传播方式:邮件、网络

字串2

行为分析:

字串6

病毒运行后,会释放自身拷贝和后门组件到:

%Windows%\\SVCHOST.EXE

%Windows%\\SYSTRA.EXE

%System32%\\HXDEF.EXE

%System32%\\IEXPLORE.EXE

%System32%\\KERNEL66.DLL

%System32%\\RAVMOND.EXE

%System32%\\TKBELLEXE.EXE

%System32%\\UPDATE_OB.EXE

%System32%\\LMMIB20.DLL

%System32%\\MSJDBC11.DLL

%System32%\\MSSIGN30.DLL

%System32%\\NETMEETING.EXE

%System32%\\ODBC16.DLL

%System32%\\SPOLLSV.EXE

字串2

病毒会在各分区根目录复制副本,创建autorun.inf:

AUTORUN.INF

COMMAND.EXE 字串2

AUTORUN.INF内容:

[AUTORUN]

Open="c:\\COMMAND.EXE" /StartExplorer

字串9

病毒创建启动项,以达到随机自启动的目的:

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows

字串4

NT\\CurrentVersion\\Windows]

run = "RAVMOND.exe"

字串5

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\

字串1

CurrentVersion\\Run]

WinHelp = "C:\\Windows\\System32\\TkBellExe.exe" 字串7

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\

字串5

CurrentVersion\\Run]

Hardware Profile = "C:\\Windows\\System32\\hxdef.exe"

字串6

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\ 字串3

CurrentVersion\\Run]

VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

字串3

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\

字串1

CurrentVersion\\Run]

Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe 字串3

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\ 字串2

CurrentVersion\\Run]

Program In Windows = "C:\\Windows\\System32\\IEXPLORE.EXE" 字串5

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\ 字串8

CurrentVersion\\Run]

Shell Extension = "C:\\Windows\\System32\\spollsv.exe"

字串6

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\

字串5

CurrentVersion\\Run]

Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

字串9

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\ 字串3

CurrentVersion\\RunServices]

SystemTra = "C:\\Windows\\SysTra.EXE" 字串7

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\

字串8

CurrentVersion\\RunServices]

COM++ System = "svchost.exe"

字串5

病毒会注册为系统服务:

[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\

字串9

Services\\Windows Management Protocol v.0 (experimental)]

显示名:Windows Management Protocol v.0 (experimental)

描述:Windows Advanced Server Performs Scheduled scans for LANguard

可执行文件的路径:%System32%\\MSJDBC11.DLL 字串2

[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\_reg]

显示名:_reg

描述:

可执行文件的路径:%System32%\\MSJDBC11.DLL 字串1

病毒修改如下注册表项目,使用户在点击.TXT文件时运行病毒拷贝:

[HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command]

default = "Update_OB.exe %1"

字串9

[HKEY_LOCAL_MACHINE\\Software\\Classes\\txtfile\\shell\\

字串8

open\\command]

default = "Update_OB.exe %1" 字串8

该病毒可使用MAPI进行传播。病毒搜索系统邮箱,找到后会给收到的邮件回信以实现邮件传播。

字串5

病毒发送的邮件有如下细节特征: 字串2

标题:Re: <原始主题> 字串6

正文:

字串6

<原始正文>

<域名> auto-reply:

wrote:

If you can keep your head when all about you

Are losing theirs and blaming it on you;

If you can trust yourself when all men doubt you,

But make allowance for their doubting too;

If you can wait and not be tired by waiting,

Or, being lied about,don''''''''''''''''''''''''''''''''t deal in lies,

Or, being hated, don''''''''''''''''''''''''''''''''t give way to hating,

And yet don''''''''''''''''''''''''''''''''t look too good, nor talk too wise;

... ... more look to the attachment.

> Get your FREE now! <

字串6

附件:

the hardcore game-.pif 字串1

Sex in Office.rm.scr

字串2

Deutsch BloodPatch!.exe

字串9

s3msong.MP3.pif 字串9

Me_nude.AVI.pif

字串4

How to Crack all gamez.exe

字串1

Macromedia Flash.scr

字串9

SETUP.EXE

Shakira.zip.exe

dreamweaver MX (crack).exe

CloneAttack.rm.scr

StarWars2 - CloneAttack.rm.scr

Industry Giant II.exe

DSL Modem Uncapper.rar.exe

joke.pif

Britney spears nude.exe.txt.exe

I am For u.doc.exe

字串7

除了使用MAPI传播外,病毒还会使用自带的SMTP引擎进行传播 字串2

病毒从含有如下扩展名的文件中收集邮件地址:

adb

asp

dbx

htm

php

sht

tbb 字串7

发件人:

{随机人名}.yahoo.com

随机人名包括:

john

alex

michael

james

mike

kevin

david

george

sam

andrew

jose

leo

maria

jim

brian

serg

mary

ray

tom

peter

robert

bob

jane

joe

dan

dave

matt

steve

smith

stan

bill

bob

jack

fred

ted

adam

brent

alice

anna

brenda

claudia

debby

helen

jerry

jimmy

julie

linda

sandra 字串7

正文: (其中之一)

It''''''''''''''''''''''''''''''''s the long-awaited film version of the Broadway hit. 字串2

The message sent as a binary attachment.

Mail failed. For further assistance, please contact!

The message contains Unicode characters and has been 字串8

sent as a binary attachment.

字串4

病毒避免向含有如下字符串的邮件地址发送邮件:

.gov

.mil

avp

borlan

example

foo.

gov.

hotmail

icrosof

inpris

msn.

mydomai

nodomai

panda

ruslis

sopho

syma

字串7

病毒在Windows文件夹下创建一个名为“Media”的共享文件夹,并在其中生成如下自身拷贝:

AUTOEXEC.BAT

CAIN.PIF

CLIENT.EXE

documents and settings.txt.exe

FINDPASS.EXE

I386.EXE

internet explorer.bat

microsoft office.exe

MMC.EXE

MSDN.ZIP.PIF

SUPPORT TOOLS.EXE

WINDOWUPDATE.PIF

windows media player.zip.exe

WINHLP32.EXE

WINRAR.EXE

XCOPY.EXE

字串4

病毒还尝试使用以下用户名和密码访问局域网内其它计算机,并试图利用系统默认开启的ipc$和admin$进入到“Admin$”共享进行传播:

Guest 字串7

Administrator

zxcv

yxcv

test123 字串3

test

temp123

temp

sybase

super

secret

pw123

Password

owner

oracle

mypc123

mypc

mypass123

mypass

love

login

字串1

Login

Internet

home

godblessyou

enable

database

computer

alpha

admin123

Admin

abcd

88888888

2004

2600

2003

123asd

123abc

123456789

1234567

123123

121212

11111111

00000000

000000

pass

54321

12345

password

passwd

server

!@#$%^&*

!@#$%^&

!@#$%^

!@#$%

asdfgh

asdf

!@#$

1234

root

abc123

12345678

abcdefg

abcdef

888888

666666

111111

admin

administrator

guest

654321

123456 字串4

如果登录成功,病毒会在远程机器的“Admin$\\System32”文件夹中生成名为“NETMANAGER.EXE”的自身拷贝。 字串7

病毒会开启Windows Management NetWork Service Extensions(Windows管理网络服务扩展)服务。

字串2

病毒利用Net Stop命令尝试关闭安全软件的服务:

Symantec AntiVirus Client

Symantec AntiVirus Server

Rising Realtime Monitor Service

字串8

病毒还会终止与安全和防病毒相关的进程:

KV

KAV

Duba

NAV

kill

RavMon.exe

Rfw.exe

Gate

McAfee

Symantec

SkyNet

rising 字串2

病毒收集计算机存储信息和密码记录在C:\\Netlog.txt,每隔一段时间发到

字串9

hello_zyx@163.com 字串7

病毒还会在在E、F盘下生成压缩包文件并发送:

setup.ZIP

setup.RAR

WORK.RAR

WORK.ZIP

install.ZIP

install.RAR

bak.RAR

bak.ZIP

letter.RAR

letter.ZIP

字串5

相关分词: Email-Worm Email Worm Win 32 LovGate ae