Trojan-Downloader.Win32.Agent.blm analysis and manual removal
File size: 11636 bytes
AV name: Trojan-Downloader.Win32.Agent.blm (Kaspersky)
Written in: MASM32 / TASM32
Virus type: backdoor / downloader
File MD5: e01388a75b670d9cbe54038eec8f5ecb
File SHA1: 80296d92d913526431fce628e1452c6f01194055
Virus behaviour analysis:
1. Drops the virus file:
%Systemroot%\system32\drivers\pcihdd.sys (6768 bytes)
2. Registers it as a system service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,\
  6e,00,74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,63,00,69,00,68,00,64,00,\
  64,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="PciHdd"
(Source: www.iocblog.net)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,69,00,48,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,64,00,64,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,64,00,64,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd\Enum]
"0"="Root\\LEGACY_PCIHDD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
3. Modifies the MBR by directly accessing PhysicalHardDisk0, PhysicalDrive0 and Harddisk0\DR0.
This defeats hard-disk restore cards: after a reboot the system can no longer be returned to its initial state.
4. Attempts to overwrite the system file userinit.exe? After the system restarts this is presumably done by pcihdd.sys,
but it was not observed while testing the sample.
5. If point 4 holds, it connects to hXXp://yu.8s7.net/cert.cer (58.221.254.103) to download trojans.
Roughly 7 or 8 of them (I don't remember -_-), including password stealers for online games such as 魔域 (Moyu) and 梦幻 (Menghuan).
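The service definition exported under point 2 is the most useful artifact for a defender: the REG_EXPAND_SZ ImagePath is stored as comma-separated UTF-16LE bytes, and Type/Start are plain DWORDs that map onto the service-control constants. The parser below is an added example, not code from the original post; it decodes a regedit export of that shape (the sample text is reconstructed from the page's own PciHdd key) and reports the driver path, service type and start type in readable form.

```python
"""Decode a regedit (.reg) export of a Services\\<name> key.

Added example. The REG_SAMPLE text is reconstructed from the PciHdd key shown
in the analysis; the mapping tables are the standard SCM constants
(SERVICE_KERNEL_DRIVER = 1, SERVICE_DEMAND_START = 3, and so on)."""
import re

# Constructed sample: the PciHdd service key as regedit exports it.
REG_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,\
  6e,00,74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,63,00,69,00,68,00,64,00,\
  64,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="PciHdd"
'''

START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
SERVICE_TYPES = {1: "Kernel driver", 2: "File system driver",
                 16: "Win32 own process", 32: "Win32 shared process"}


def _join_continuations(text):
    """Merge lines that regedit wrapped with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_reg_key(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    result, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith("hex(2):"):
            # REG_EXPAND_SZ: UTF-16LE code units, NUL terminated
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            value = raw.decode("utf-16-le").rstrip("\x00")
        elif data.startswith("hex:"):
            # REG_BINARY (e.g. the Security descriptor): keep the raw bytes
            value = bytes(int(b, 16) for b in data[4:].split(",") if b)
        elif data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            value = data
        result[current][name] = value
    return result


def describe_service(values):
    """Summarise a service key in the terms a removal guide uses."""
    return {
        "image_path": values.get("ImagePath"),
        "type": SERVICE_TYPES.get(values.get("Type"), "Unknown"),
        "start": START_TYPES.get(values.get("Start"), "Unknown"),
        "display_name": values.get("DisplayName"),
    }


if __name__ == "__main__":
    for key, values in parse_reg_key(REG_SAMPLE).items():
        print(key, describe_service(values))
```

Decoding the sample gives `\??\C:\winnt\system32\drivers\pcihdd.sys` as a kernel driver with Manual start, which is exactly the `[PciHdd / PciHdd][Stopped/Manual Start]` line SREng shows in the removal steps; the `\??\` prefix is the NT object-manager form of the path, and a driver that is registered but demand-started is typically loaded on request by the dropper rather than at boot.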
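Point 3 is the part that breaks restore cards: the driver rewrites the boot sector through the raw disk device rather than through the file system. A defender can catch that class of change by keeping a known-good copy of the MBR and comparing the 440-byte boot-code region separately from the partition table, because a boot-sector infection that still has to boot the machine keeps the partition table intact and only replaces the code. The check below is an added example, not part of the original analysis; both MBR images are constructed in the script, and the `read_live_mbr` helper (which opens `\\.\PhysicalDrive0` and needs administrator rights on Windows) is an assumption about how one would feed it a real disk.

```python
"""Compare a disk's MBR against a saved baseline and classify the change.

Added example. The sample sectors are constructed here; reading a real
disk (read_live_mbr) is only possible on Windows as an administrator."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # classic MBR boot code region
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Split a 512-byte sector into the fields the comparison needs."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype != 0:   # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": sector[PART_TABLE_OFF:510],
        "partitions": partitions,
    }


def classify_mbr_change(baseline, current):
    """Return one of: unchanged, invalid-signature,
    boot-code-modified, partition-table-modified."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    if not c["signature_ok"]:
        return "invalid-signature"
    same_code = b["boot_code_sha256"] == c["boot_code_sha256"]
    same_table = b["partition_table"] == c["partition_table"]
    if same_code and same_table:
        return "unchanged"
    if same_table:
        # Partition layout untouched but the loader code replaced:
        # the signature of a boot-sector infection rather than a repartition.
        return "boot-code-modified"
    return "partition-table-modified"


def read_live_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a physical disk (Windows, administrator only)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def build_sample_mbr(boot_code):
    """Construct a minimal MBR: given boot code, one bootable NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    # Constructed partition entry: bootable, type 0x07 (NTFS), LBA 63, 2 GiB of sectors
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 63, 4194304)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed baseline and a copy whose boot code differs by two bytes.
_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
BASELINE_MBR = build_sample_mbr(_STUB + b"\x90" * 16)
TAMPERED_MBR = build_sample_mbr(_STUB + b"\xeb\xfe" + b"\x90" * 14)

if __name__ == "__main__":
    print(classify_mbr_change(BASELINE_MBR, BASELINE_MBR))   # unchanged
    print(classify_mbr_change(BASELINE_MBR, TAMPERED_MBR))   # boot-code-modified
```

In practice the baseline would be captured right after a clean install (or after writing a fresh MBR) and stored off the disk; "boot-code-modified" on a machine whose partition layout has not changed is the condition that warrants rewriting the MBR, which the removal notes below say is the only real fix.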
=================================================================
The shadow system (影子系统) I use blocked the "robot dog" (机器狗) successfully, so there is no first-hand fix for me to write up.
In theory a modified MBR can only be rewritten :(
So, one step at a time:
1. Download sreng2.zip and IceSword120_cn.zip (hereafter "IceSword", 冰刃) from down.45it.com.
2. Open PowerRmv, tick "Prevent the object from being regenerated" (抑制对象再次生成) and enter:
C:\windows\system32\drivers\pcihdd.sys
3. Open SREng and delete:
the driver (steps: open SREng -> Startup Items -> Drivers)
[PciHdd / PciHdd][Stopped/Manual Start]
4. Check the digital signature of userinit.exe; if it does not pass Microsoft's verification, delete it and copy a clean one over.
5. Removing the accompanying trojans:
Open SREng and delete:
the registry entries (steps: open SREng -> Startup Items -> Registry):
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
cmdbcs>C:\windows\cmdbcs.exe> []
AVPSrv>C:\windows\AVPSrv.exe> []
DbgHlp32>C:\windows\DbgHlp32.exe> []
DiskMan32>C:\windows\DiskMan32.exe> []
mppds>C:\windows\mppds.exe> []
upxdnd>C:\windows\upxdnd.exe> []
WinForm>C:\windows\WinForm.exe> []
msccrt>C:\windows\msccrt.exe> []
MsIMMs32>C:\windows\MsIMMs32.exe> []
6. Reboot the computer, then delete these files:
[C:\windows\system32\mppds.dll] [N/A, ]
[C:\windows\system32\cmdbcs.dll] [N/A, ]
[C:\windows\system32\WinForm.dll] [N/A, ]
[C:\windows\system32\upxdnd.dll] [N/A, ]
[C:\windows\system32\MsIMMs32.dll] [N/A, ]
[C:\windows\system32\msccrt.dll] [N/A, ]
[C:\windows\system32\AVPSrv.dll] [N/A, ]
[C:\windows\system32\DbgHlp32.dll] [N/A, ]
[C:\windows\system32\DiskMan32.dll] [N/A, ]
Tag: Trojan-Downloader