Win32.Troj.DownLoader.se.1367552
病毒名称(中文):黑客木马下载器1367552病毒别名:威胁级别:★★☆☆☆病毒类型:木马下载器病毒长度:1367552影响系统:Win9x WinMe WinNT Win2000 WinXP Win2003
病毒行为:
这是一个下载者木马,运行后会从指定网址下载一个病毒列表的文本,然后对照该文本中的网址下载木马并运行。经毒霸反病毒专家跟踪分析,被下载的木马是一个远程控制软件,如果该软件被安装并运行,黑客可以完全控制用户的电脑。
该木马运行后,读取资源,释放文件到%systemRoot%\\system\\1sass.exe,调用cmd启动该文件。然后创建一个批处理文件删除自身。
1sass.exe行为分析
将自身注册为系统服务,并以服务的方式启动
添加的相关注册表项为:
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_DRIVERS_MANAGEMENT\\0000]
"Service"="Drivers Management"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Manage Drivers installed"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_DRIVERS_MANAGEMENT\\0000\\Control]
"*NewlyCreated*"=dword:00000000
"ActiveService"="Drivers Management"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Drivers Management]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\\
5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,5c,00,31,00,73,00,61,00,73,00,73,\\
00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Manage Drivers installed"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Drivers Management\\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Drivers Management\\Enum]
"0"="Root\\\\LEGACY_DRIVERS_MANAGEMENT\\\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
该服务启动后首先会连接黑客网站http://nb.******.com/list.txt下载一个病毒列表的文本文件,
然后根据该列表中的网址下载其他的木马并运行,分析其下载的文件,发现为一个远程控制软件。