Entry | Trojan-PSW.Win32.Maran.cx |
Definition | After it runs, the virus drops its files into the system directory, adds a registry system-service entry so that the virus body is loaded at system boot, and modifies the registry LSP (Winsock Layered Service Provider) entries so that the virus body is loaded whenever the user connects to the network. It injects the virus DLL into IE and system processes and, when the user visits specified pages, captures the user's game account information. |

Overview
Virus name: Trojan-PSW.Win32.Maran.cx
Chinese name: 马瑞恩
Virus type: Trojan
File MD5: 6F57803D1B0C2F772D72CEA6D0523754
Disclosure: fully public
Threat level: 3
File length: 110,592 bytes packed, 258,048 bytes unpacked
Affected systems: Win9X and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s -> Dwing
Aliases: BitDefender [ Generic.Malware.FB.F6352C32 ]

Behaviour analysis

Drops the following copies and files:
%WinDir%\lsass.exe
%System32%\md6media.dll  Size: 210,944
%System32%\drivers\ws2ifsl.sys

Creates the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
  Value: String: "Windows 套接字 2.0 Non-IFS 服务提供程序支持环境"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes \SystemRoot\System32\drivers\ws2ifsl.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\DisplayName
  Value: String: "Vedio Adapter"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 21 (0x15) bytes %WinDir\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
  Value: Type: REG_BINARY Length: 888 (0x378) bytes C:\WINDOWS\System32\md6media.dll

Modifies the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes %WinDir%\System32\md6media.dll
  Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\mswsock.dll
  Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
  New: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\rsvpsp.dll
  Old: Type: REG_BINARY Length: 888 (0x378) bytes %SystemRoot%\system32\mswsock.dll

Deletes the following registry values:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShellHWDetection\DisplayName
  Value: String: "Shell Hardware Detection"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ShellHWDetection\ImagePath
  Value: Type: REG_EXPAND_SZ Length: 45 (0x2d) bytes %SystemRoot%\System32\svchost.exe -k netsvcs

It automatically generates a .bat file and uses it to delete itself when necessary.

When the user visits the following URLs, md6media.dll steals the account and password information:
http://tw.g*m*ni*.com
https://tw.gash.g*m*ni*.com/memberindex.aspx
https://tw.gash.g*m*ni*.com/gashlogin.aspx
https://tw.gash.g*m*ni*.com/updatemainaccountpassword.aspx
https://tw.gash.g*m*ni*.com/updateserviceaccountpassword.aspx
http://tw.gashcard.g*m*ni*.com
https://tw.login.g*m*ni*.com

Note: %System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.

Removal
1. Use Antiy Trojan Defense (安天木马防线) to remove this virus completely (recommended).
2. To remove it manually, delete the corresponding files and restore the related system settings according to the behaviour analysis:
(1) Use the "Process Manager" of Antiy Trojan Defense to terminate the virus process: lsass.exe
(2) Delete the registry values the virus added (the WS2IFSL and VGADown service entries and Winsock2 catalog entries 000000000012 and 000000000013, as listed under "Creates the following registry values") and restore Winsock2 catalog entries 000000000001, 000000000004 and 000000000006 to their Old values (as listed under "Modifies the following registry values").
(3) Delete the files the virus dropped:
%WinDir%\lsass.exe
%System32%\md6media.dll  Size: 210,944
%System32%\drivers\ws2ifsl.sys
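An added example, not part of the Antiy report: a Python parser for the Winsock2 PackedCatalogItem values listed above, used to flag catalog entries whose provider DLL is not a stock Windows provider, which is how the hijacked entries 000000000001 and 000000000013 would show up during triage. It relies on the fact that the 888-byte value is a 260-byte ANSI DLL path followed by a 628-byte WSAPROTOCOL_INFOW structure; the allow-list and the sample catalog are constructed for this example, with md6media.dll standing in for the hijacked entries.

```python
import struct

# Layout of a Winsock2 PackedCatalogItem value (888 bytes, as in the report):
# a 260-byte ANSI DLL path followed by a 628-byte WSAPROTOCOL_INFOW structure.
PATH_LEN = 260
INFO_LEN = 628
ITEM_LEN = PATH_LEN + INFO_LEN

# Stock providers expected in the catalog (allow-list constructed for this example).
KNOWN_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}

def parse_packed_catalog_item(blob: bytes) -> dict:
    """Extract the provider DLL path, dwCatalogEntryId and szProtocol from one value."""
    if len(blob) != ITEM_LEN:
        raise ValueError(f"unexpected PackedCatalogItem length {len(blob)}")
    path = blob[:PATH_LEN].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    info = blob[PATH_LEN:]
    # dwServiceFlags1-4 and dwProviderFlags (20 bytes), ProviderId GUID (16 bytes),
    # then dwCatalogEntryId at offset 36; szProtocol is the trailing WCHAR[256].
    entry_id = struct.unpack_from("<I", info, 36)[0]
    protocol = info[-512:].decode("utf-16-le").split("\x00", 1)[0]
    return {"path": path, "entry_id": entry_id, "protocol": protocol}

def suspicious(item: dict) -> bool:
    """True when the provider DLL's file name is not on the allow-list."""
    name = item["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name not in KNOWN_PROVIDERS

def make_item(path: str, entry_id: int, protocol: str) -> bytes:
    """Build a constructed PackedCatalogItem (all flags zero) for offline testing."""
    info = bytearray(INFO_LEN)
    struct.pack_into("<I", info, 36, entry_id)
    info[-512:] = protocol.encode("utf-16-le").ljust(512, b"\x00")
    return path.encode("ascii").ljust(PATH_LEN, b"\x00") + bytes(info)

# Constructed sample catalog mirroring the report: entries 1 and 13 point at md6media.dll.
SAMPLE_CATALOG = {
    "000000000001": make_item("%WinDir%\\System32\\md6media.dll", 1001, "MSAFD Tcpip [TCP/IP]"),
    "000000000004": make_item("%SystemRoot%\\system32\\mswsock.dll", 1004, "MSAFD Tcpip [UDP/IP]"),
    "000000000013": make_item("C:\\WINDOWS\\System32\\md6media.dll", 1013, "MSAFD Tcpip [TCP/IP]"),
}

def scan_catalog(catalog: dict) -> list:
    """Return the Catalog_Entries keys whose provider DLL is not a known provider."""
    return [k for k, blob in catalog.items() if suspicious(parse_packed_catalog_item(blob))]

if __name__ == "__main__":
    for key in scan_catalog(SAMPLE_CATALOG):
        print(key, parse_packed_catalog_item(SAMPLE_CATALOG[key])["path"])
```

On a live system the same parser can be fed the REG_BINARY values read from Protocol_Catalog9\Catalog_Entries with winreg; flagged entries are the ones to restore to their Old values before deleting the DLL.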