当前位置:在线查询网 > 在线百科全书查询 > Win32.Troj.DownLoader.se.1367552

Win32.Troj.DownLoader.se.1367552_在线百科全书查询


请输入要查询的词条内容:

Win32.Troj.DownLoader.se.1367552

病毒名称(中文):黑客木马下载器1367552病毒别名:威胁级别:★★☆☆☆病毒类型:木马下载器病毒长度:1367552影响系统:Win9x WinMe WinNT Win2000 WinXP Win2003

病毒行为:

这是一个下载者木马,运行后会从指定网址下载一个病毒列表的文本,然后对照该文本中的网址下载木马并运行。经毒霸反病毒专家跟踪分析,被下载的木马是一个远程控制软件,如果该软件被安装并运行,黑客可以完全控制用户的电脑。

该木马运行后,读取资源,释放文件到%systemRoot%\\system\\1sass.exe,调用cmd启动该文件。然后创建一个批处理文件删除自身。

1sass.exe行为分析

将自身注册为系统服务,并以服务的方式启动

添加的相关注册表项为:

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_DRIVERS_MANAGEMENT\\0000]

"Service"="Drivers Management"

"Legacy"=dword:00000001

"ConfigFlags"=dword:00000000

"Class"="LegacyDriver"

"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"

"DeviceDesc"="Manage Drivers installed"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_DRIVERS_MANAGEMENT\\0000\\Control]

"*NewlyCreated*"=dword:00000000

"ActiveService"="Drivers Management"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Drivers Management]

"Type"=dword:00000110

"Start"=dword:00000002

"ErrorControl"=dword:00000000

"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\\

5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,5c,00,31,00,73,00,61,00,73,00,73,\\

00,2e,00,65,00,78,00,65,00,00,00

"DisplayName"="Manage Drivers installed"

"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Drivers Management\\Security]

"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\\

00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\\

00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\\

05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\\

20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\\

00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\\

00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Drivers Management\\Enum]

"0"="Root\\\\LEGACY_DRIVERS_MANAGEMENT\\\\0000"

"Count"=dword:00000001

"NextInstance"=dword:00000001

该服务启动后首先会连接黑客网站http://nb.******.com/list.txt下载一个病毒列表的文本文件,

然后根据该列表中的网址下载其他的木马并运行,分析其下载的文件,发现为一个远程控制软件。

相关分词: Win 32 Troj DownLoader se 1367552