Entry: snpmw.dll
Definition


Computer virus description

Virus name: snpmw.dll

Virus size: 385,024 bytes

Packing: none

Language: Microsoft Visual C++ 6.0 DLL

Virus fingerprint

SHA-160 : 57642C013347E1FCD6590C188F7A612DC847357C

MD5 : 056A372F5469FCB41721F6A952C9AAAD

RIPEMD-160 : 29ED912E067ADA17AEE7CBBB2D1A134C0500D484

CRC-32 : 2157E25C

Once this DLL is installed on the system, it automatically downloads:

.data:1000D228 off_1000D228 dd offset s_HttpDownload_ ; DATA XREF: sub_10001F9E+8B r

.data:1000D228 ;

cdnprot.dat / cdnprot.vxd / cdnprot.sys / cdntran.dat / cdntran.vxd / cdntran.sys into the %systemroot%\system32\drivers\ directory, downloads cdnns.dll / cdn.dll into %systemroot%\system32\, and downloads snpmw.cab into %systemroot%\system32\, where it is unpacked and run:

.data:1000C120 s_Cdn_dll db 'cdn.dll',0 ; DATA XREF: sub_10001000+18E o

.data:1000C120 ; .data:1000C108 o

.data:1000C128 s_DriversCdnp_1 db 'drivers\\cdnprot.dat',0 ; DATA XREF: .data:1000C104 o

.data:1000C13C s_DriversCdnp_0 db 'drivers\\cdnprot.vxd',0 ; DATA XREF: .data:1000C100 o

.data:1000C13C ; .data:1000C114 o

.data:1000C150 s_DriversCdnpro db 'drivers\\cdnprot.sys',0 ; DATA XREF: .data:1000C0FC o

.data:1000C150 ; .data:1000C110 o

.data:1000C164 s_DriversCdnt_1 db 'drivers\\cdntran.dat',0 ; DATA XREF: .data:1000C0F8 o

.data:1000C178 s_Cdnns_dll db 'cdnns.dll',0 ; DATA XREF: .data:1000C0F4 o

.data:1000C178 ; .data:1000C10C o

.data:1000C182 align 4

.data:1000C184 s_DriversCdnt_0 db 'drivers\\cdntran.vxd',0 ; DATA XREF: .data:1000C0F0 o

.data:1000C184 ; .data:1000C11C o

.data:1000C198 s_DriversCdntra db 'drivers\\cdntran.sys',0 ; DATA XREF: .data:off_1000C0EC o

.data:1000D230 ; "wmpns.dll"

.data:1000D234 ; "snpmw.dll"

.data:1000D238 ; "wmpns.ini"

.data:1000D23C ; LPCSTR lpszFile

.data:1000D23C lpszFile dd offset s_Wmpns_cab ; DATA XREF: sub_10001ED8+33 r

.data:1000D23C ; "wmpns.cab"

Writes registry entries to register its services and an IE hook:

.data:1000C1AC s_SystemCurre_3 db 'SYSTEM\\CurrentControlSet\\Services\\cdntran',0

.data:1000C1D8 s_SystemCurrent db 'SYSTEM\\CurrentControlSet\\Services\\cdnprot',0

.data:1000C294 s_SoftwareMi_32 db 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\CdnCtr',0

.data:1000C2CC s_SoftwareMi_31 db 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\',0

.data:1000C340 s_SoftwareMi_30 db 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache\\{B53D42E8-872B-430E-82D4'

.data:1000C3AC s_SoftwareMi_29 db 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache\\CdnClient',0

.data:1000C3F8 s_SoftwareMi_28 db 'SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\',0

.data:1000C450 s_OftwareMicros db 'OFTWARE\\Microsoft\\Internet Explorer\\AdvancedOptions\\CDNCLIENT',0

.data:1000C490 s_SoftwareCnn_0 db 'SOFTWARE\\CNNIC',0 ;

.data:1000C4A0 s_SoftwareCl_14 db 'SOFTWARE\\Classes\\TypeLib\\',0


.data:1000C4E0 s_SoftwareCl_13 db 'SOFTWARE\\Classes\\TypeLib\\',0


.data:1000C520 s_SoftwareCl_12 db 'SOFTWARE\\Classes\\TypeLib\\',0


.data:1000C560 s_SoftwareCl_11 db 'SOFTWARE\\Classes\\Interface\\',0


.data:1000C5A4 s_SoftwareCl_10 db 'SOFTWARE\\Classes\\Interface\\',0

.data:1000C5E8 s_SoftwareCla_9 db 'SOFTWARE\\Classes\\Interface\\',0

.data:1000C62C s_SoftwareCla_8 db 'SOFTWARE\\Classes\\Interface\\',0

.data:1000C670 s_SoftwareCla_7 db 'SOFTWARE\\Classes\\CndnIEHelper.CndnIEHlprObj',0

.data:1000C69C s_SoftwareCla_6 db 'SOFTWARE\\Classes\\CndnIEHelper.CndnIEHlprObj.1',0

.data:1000C6CC s_SoftwareCla_5 db 'SOFTWARE\\Classes\\CLSID\\',0

.data:1000C70C s_SoftwareCla_4 db 'SOFTWARE\\Classes\\CLSID\\',0

.data:1000C74C s_SoftwareCla_3 db 'SOFTWARE\\Classes\\CLSID\\',0

.data:1000C78C s_SoftwareCla_2 db 'SOFTWARE\\Classes\\CLSID\\',0

.data:1000C7CC s_SoftwareCla_1 db 'SOFTWARE\\Classes\\Cdn.CdnObj',0

.data:1000C7E8 s_SoftwareCla_0 db 'SOFTWARE\\Classes\\Cdn.CdnObj.1',0

Calls Rundll32 to execute the downloaded AutoLive.dll and writes the registry:

.data:1000CFCC s_Sautoliveinst db '%sAutoLiveInst.cab',0 ; DATA XREF: ekfs+2C9 o

.data:1000CF08 s_Rundll32SRund db 'Rundll32 %s,Rundll32',0 ; DATA XREF: DllMain(x,x,x)+DB o

.data:1000CFB8 s_Sautolive_dll db '%sAutoLive.dll',0 ; DATA XREF: ekfs+329 o

Adds a startup entry for the rogue program:

.data:1000D198 s_SoftwareMic_1 db 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run',0

.data:1000D18C s_Exfilter db 'ExFilter',0 ; DATA XREF: ekfs+5C o

Suspected to be the latest 3721 rogueware, since the build path carries the date 20070423:

.data:1000D308 s_D20070423EkEk db 'D:\\20070423\\EK\\EK\\EKWrap.cpp',0

Modifies the hosts file:

.data:1000F348 s_Hosts db 'hosts',0 ; DATA XREF: sub_100056B5:loc_10005724 o

.data:1000F34E align 10h

.data:1000F350 s_System32Drive db 'system32\\drivers\\etc\\hosts',0

.data:1000F350 ; DATA XREF: sub_100056B5+68 o

.data:1000F36B align 4

.data:1000F36C ; char s__3721_net[]

.data:1000F36C s__3721_net db '.3721.net',0 ; DATA XREF: sub_100057C4:loc_100058DA o

.data:1000F376 align 4

.data:1000F378 ; char s__3721_com[]

.data:1000F378 s__3721_com db '.3721.com',0 ; DATA XREF: sub_100057C4:loc_100058B6 o

Registers drivers:

.data:1000F5AC s_DriversAnfad_ db '\\drivers\\Anfad.sys',0 ; DATA XREF: sub_10005B0D+10A o

.data:1000F5BF align 10h

.data:1000F5C0 ; char s_SystemCurre_2[]

.data:1000F5C0 s_SystemCurre_2 db 'SYSTEM\\CurrentControlSet\\Services\\Anfad',0

.data:1000F5C0 ; DATA XREF: sub_10005B0D+DB o

.data:1000F5E8 ; char s_DriversHcalwa[]

.data:1000F5E8 s_DriversHcalwa db '\\drivers\\hcalway.sys',0 ; DATA XREF: sub_10005B0D+96 o

.data:1000F5FD align 10h

.data:1000F600 ; char s_SystemCurre_1[]

.data:1000F600 s_SystemCurre_1 db 'SYSTEM\\CurrentControlSet\\Services\\hcalway',0

.data:1000F600 ; DATA XREF: sub_10005B0D+50 o

.data:1000F62A align 4

.data:1000F62C ; char s_DriversFad_sy[]

.data:1000F62C s_DriversFad_sy db '\\drivers\\fad.sys',0 ; DATA XREF: sub_1000610D+CB o

.data:1000F63D align 10h

.data:1000F640 ; char s_SystemCurre_0[]

.data:1000F640 s_SystemCurre_0 db 'SYSTEM\\CurrentControlSet\\Services\\FAD',0

Automatically confirms execution of the above actions via this URL:

.data:1000F720 s_HttpLogs_soft db ;,0
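The string dump above yields a concrete set of host artefacts: the dropped driver and DLL names, the service keys under SYSTEM\CurrentControlSet\Services, the Run-key value names (CdnCtr, ExFilter) and the hosts-file domains (.3721.net / .3721.com). The following Python triage helper is an added example written for this page, not code from the page or from the sample; it parses a hosts file for pinned 3721 domains and matches collected file paths, registry keys and Run values against those indicators. The sample inputs at the bottom are constructed, not taken from an infected machine.

```python
import ntpath
import re
# Indicators taken from the page's string dump of snpmw.dll: dropped file
# names, service names, Run-key value names and hosts-file domain suffixes.
DROPPED_FILES = {
    "cdnprot.dat", "cdnprot.vxd", "cdnprot.sys", "cdntran.dat", "cdntran.vxd",
    "cdntran.sys", "cdnns.dll", "cdn.dll", "snpmw.cab", "snpmw.dll", "wmpns.dll",
    "wmpns.cab", "wmpns.ini", "autolive.dll", "anfad.sys", "hcalway.sys", "fad.sys",
}
SERVICE_NAMES = {"cdntran", "cdnprot", "anfad", "hcalway", "fad"}
RUN_VALUES = {"cdnctr", "exfilter"}
HOSTS_SUFFIXES = (".3721.net", ".3721.com")
_SERVICE_KEY = re.compile(r"SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)


def scan_hosts(hosts_text):
    """Return (hostname, ip) pairs in a hosts file that pin a 3721 domain; '#'
    comments are skipped, one line may carry several names, match is case-insensitive."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comment, tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            n = name.lower()
            if any(n.endswith(s) or n == s[1:] for s in HOSTS_SUFFIXES):
                hits.append((n, ip))
    return hits


def match_artifacts(file_paths, reg_keys, run_values):
    """Match collected paths, service keys and Run-key value names against the sets above."""
    files = sorted(p for p in file_paths
                   if ntpath.basename(p).lower() in DROPPED_FILES)
    services = sorted(m.group(1) for m in map(_SERVICE_KEY.search, reg_keys)
                      if m and m.group(1).lower() in SERVICE_NAMES)
    runs = sorted(v for v in run_values if v.lower() in RUN_VALUES)
    return {"files": files, "services": services, "run_values": runs}


# Constructed sample input (not from the page) for a stand-alone run.
SAMPLE_HOSTS = """127.0.0.1 localhost
# pinned by the hijacker
127.0.0.1 www.3721.net cns.3721.com  # blocks 3721 updates
10.0.0.5  3721.com
"""
SAMPLE_FILES = [r"C:\WINDOWS\system32\drivers\cdnprot.sys",
                r"C:\WINDOWS\system32\cdn.dll", r"C:\WINDOWS\system32\kernel32.dll"]
SAMPLE_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Services\hcalway"]
SAMPLE_RUNS = ["CdnCtr", "ctfmon"]
```

On a live system the inputs would come from a directory listing of system32, an export of the Services and Run keys, and the contents of system32\drivers\etc\hosts.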
