“Trojan.Win32.Agent”的意思、由来-中文百科全书

木马家族：Trojan.Win32.agent

中毒症状：运行后在系统目录system32衍生病毒文件，并通过修改注册表增加系统启动项目达到开机启动自身，从而

达到生成病毒文件的目的。

成员举例：病毒名称： Trojan-Spy.Win32.Agent.pn

病毒类型：木马

文件 MD5： 90C9DEF19AB8A96484A12C65F697586F

文件大小： 91928 bytes

公开范围：完全公开

危害等级：中等

感染系统： Win2000以上系统

对照命名： Trojan.Spy.Agent.DK

行为分析：

1、一旦运行，该木马复制自身到如下目录，然后运行它的这些副本：

D:\\myplay.pif

%System%\\AlxRes061124.exe

%System%\\scrsys061124.scr

副本运行后，会释放如下文件，然后运行它们。

%System%\\winsys32_061124.dll

%System%\\scrsys16_061124.scr

%System%\\\\winsys16_061124.dll

C:\\myDelm.bat

myDelm.bat包含的内容如下：

:try

del "C:\\Documents and Settings\\Hunter\\桌面\\Trojan-Spy.Win32.Agent.pn(90C9DEF19AB8A96484A12C65F697586F).exe"

if exist "C:\\Documents and Settings\\Hunter\\桌面\\Trojan-Spy.Win32.Agent.pn(90C9DEF19AB8A96484A12C65F697586F).exe" goto try

del %0

该打包文件的运行会导致原始样本在运行后，被删除，从而增加木马的隐蔽性。

2、修改如下系统配置文件。

winsys.ini [hitpop] test = 1

winsys.ini [hitpop] first = 1

d:\\autorun.inf [autorun] open = d:\\myplay.pif

winsys.ini [hitpop] ver = 061124

winsys.ini [exe] fn = C:\\WINDOWS\\system32\\AlxRes061124.exe

winsys.ini [exe_bak] fn = C:\\WINDOWS\\system32\\scrsys061124.scr

winsys.ini [dll_hitpop] fn = C:\\WINDOWS\\system32\\winsys32_061124.dll

winsys.ini [dll_start_bak] fn = C:\\WINDOWS\\system32\\scrsys16_061124.scr

winsys.ini [dll_start] fn = C:\\WINDOWS\\system32\\winsys16_061124.dll

winsys.ini [hitpop] kv = 0

3、修改注册表键值，达到随系统启动的目的：

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon

"Userinit" = C:\\WINDOWS\\system32\\userinit.exe,rundll32.exe C:\\WINDOWS\\system32\\winsys16_061124.dll start

4、查找包含如下信息的窗体，尝试关闭这些窗体：

瑞星注册表监控提示

主动防御信息

主动防御警报

主动防御警告

主动防护提示

主动防护警告

主动防护警报

主动防护信息

Kaspersky Anti-Virus: 通知

5、链接互联网，试图下载如下文件：

http://207.46.19.30/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

http://208.172.13.254/

http://65.54.152.126/

http://69.108.159.61/library/dap.js

http://69.108.159.61/ads/6028/0000006028_000000000000000385411.swf?fd=www.msn.com&clickTAG=http%3A//g.msn.com/0AD00042/1023104.5.1%3F%3FPID%3D3505768%26amp%3BUIT%3DG%26amp%3BTargetID%3D1081844%26amp%3BAN%3D419629108%26amp%3BPG%3DMSNREC

http://69.108.159.61/br/hp/en-us/css/7/blu.css

http://69.108.159.61/br/hp/en-us/css/7/decoration/pipe.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/t.gif?http://stb.msn.com/i/BE/C7FA55CFA986A26FE1A325D0E2CC64.jpg

http://69.108.159.61/br/hp/en-us/css/7/decoration/t.gif?http://stb.msn.com/i/1D/E96930DEEF7EFDA819FBDC624BCBE.jpg

http://69.108.159.61/br/hp/en-us/css/7/decoration/msn_b.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/bullet.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/video.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/buttons.gif

http://207.46.216.62/c.gif?di=340&pi=7317&ps=83527&tp=http://www.msn.com/&rf=

http://207.46.216.55/c.gif?di=340&pi=7317&ps=83527&tp=http://www.msn.com/&rf=&RedC=c.msn.com&MXFR=9AD480265CF549E4BCE7D194DF92E5A5

http://63.150.153.30/br/om/js/1/s_code.js

http://207.46.216.62/c.gif?di=340&pi=7317&ps=83527&tp=http://www.msn.com/&rf=&MUID=9AD480265CF549E4BCE7D194DF92E5A5

http://128.241.21.149/b/ss/msnportalhome/1/H.1-pdv-2/s17852470343337?[AQB]&ndh=1&t=8/0/2007%204%3A28%3A6%201%20300&ns=msnportal&pageName=US%20Homepage%20V10.5&g=http%3A//www.msn.com/&cc=USD&ch=www.msn.com&server=msn.com&c1=Portal&c2=en-us&c3=10.5&c19=Dblu%2CW1%2CM5%2CF5%2CT5%2CE5%2CQ0&c22=False&c29=http%3A//www.msn.com/&s=1152x864&c=24&j=1.3&v=Y&k=Y&bw=792&bh=471&ct=lan&hp=N&[AQE]

http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSN9TP&AP=1376

http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSNREC&AP=1440

http://69.108.159.61/br/hp/en-us/css/7/decoration/WL.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/beta.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/search.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/msnbf.gif

http://69.108.159.61/br/hp/en-us/css/7/decoration/msft.gif

http://65.54.195.185/ADSAdClient31.dll?GetSAd=&PG=MSN9UT&AP=1339

http://65.54.195.185/ADSAdClient31.dll?GetSAd=&PG=MSNMMT&AP=1402

http://66.142.247.254/i/B2/B38AE443CC7154FB0B1FC2B5ACDA.JPG

http://66.142.247.254/i/91/94AB84A3A8C3441B39C4BFDF6885.jpg

http://66.142.247.254/i/AB/48246F6727DCA16791D0144BA78FA.jpg

http://66.142.247.254/i/F0/C71AF17271768EA57FE35F49CFF77.jpg

http://66.142.247.254/i/3A/E2E2E0FEA8E55AD59AAEBE43A7E246.jpg

http://66.142.247.254/i/50/C396B4EC11355010D2DF18C76E9F7D.jpg

http://66.142.247.254/i/31/DF78637BD438B9BB69A582FEA6879.jpg

http://66.142.247.254/i/AA/F78459FF8DDD39BF14DE4431D3395.JPG

http://66.142.247.254/i/56/F28E5AC0B9C07C5B1E13C6B797DC10.jpg

http://66.142.247.254/i/F2/C46FA12BAD98C59238B88C8417522.jpg

http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSNCNT&AP=1463

http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSNSUR&AP=1140

http://66.142.254.157/ads/764/0000000764_000000000000000385427.jpg

http://66.142.254.157/ads/1/0000000001_000000000000000017246.gif

http://69.108.159.61/as/wea3/i/en-US/saw/34.gif

http://69.108.159.61/as/wea3/i/en-US/saw/28.gif

http://69.108.159.61/as/wea3/i/en-US/saw/4.gif

http://69.108.159.61/br/hp/en-us/js/5/hpb.js

http://69.108.159.61/br/hp/en-us/js/5/ieminwidth.js

http://209.67.78.3/CNT/view/msnnkspc0020000003cnt/direct/01/

http://64.132.34.79/images/pixel.gif

试图链接的IP为：

207.46.19.30

208.172.13.254

65.54.152.126

69.108.159.61

207.46.216.62

207.46.216.55

63.150.153.30

207.46.216.62

128.241.21.149

65.54.194.118

69.108.159.61

65.54.195.185

66.142.247.254

65.54.194.118

66.142.254.157

69.108.159.61

209.67.78.3

64.132.34.79

注：% System%是一个可变路径。病毒通过查询操作系统来决定当前System文件夹的位置。Windows2000/NT中默认的安装路径是C:\\Winnt\\System32，windows95/98/me中默认的安装路径是C:\\Windows\\System，windowsXP中默认的安装路径是C:\\Windows\\System32。

杀毒方法：

1、下载杀毒软件

2、在断网的情况下，

关闭所有盘系统还原（右键我的电脑，属性，系统还原标签页，勾选在所有驱动器上关闭系统还原，确定.），

清空IE缓存（右键IE图标，属性里，勾选清除所有脱机内容），

开机按F8进入安全模式，在安全模式下安装杀毒软件，并杀毒

词条	Trojan.Win32.Agent
释义	Trojan.Win32.Agent，该木马病毒本身是一个 Windows PE EXE 文件，大小为91928字节。该木马会在用户不知情的情况下，自动链接到网络中下载其他恶意程序，同时该木马会尝试关闭受影响系统中的反病毒软件。木马家族：Trojan.Win32.agent 中毒症状：运行后在系统目录system32衍生病毒文件，并通过修改注册表增加系统启动项目达到开机启动自身，从而达到生成病毒文件的目的。成员举例：病毒名称： Trojan-Spy.Win32.Agent.pn 病毒类型：木马文件 MD5： 90C9DEF19AB8A96484A12C65F697586F 文件大小： 91928 bytes 公开范围：完全公开危害等级：中等感染系统： Win2000以上系统对照命名： Trojan.Spy.Agent.DK 行为分析： 1、一旦运行，该木马复制自身到如下目录，然后运行它的这些副本： D:\\myplay.pif %System%\\AlxRes061124.exe %System%\\scrsys061124.scr 副本运行后，会释放如下文件，然后运行它们。 %System%\\winsys32_061124.dll %System%\\scrsys16_061124.scr %System%\\\\winsys16_061124.dll C:\\myDelm.bat myDelm.bat包含的内容如下： :try del "C:\\Documents and Settings\\Hunter\\桌面\\Trojan-Spy.Win32.Agent.pn(90C9DEF19AB8A96484A12C65F697586F).exe" if exist "C:\\Documents and Settings\\Hunter\\桌面\\Trojan-Spy.Win32.Agent.pn(90C9DEF19AB8A96484A12C65F697586F).exe" goto try del %0 该打包文件的运行会导致原始样本在运行后，被删除，从而增加木马的隐蔽性。 2、修改如下系统配置文件。 winsys.ini [hitpop] test = 1 winsys.ini [hitpop] first = 1 d:\\autorun.inf [autorun] open = d:\\myplay.pif winsys.ini [hitpop] ver = 061124 winsys.ini [exe] fn = C:\\WINDOWS\\system32\\AlxRes061124.exe winsys.ini [exe_bak] fn = C:\\WINDOWS\\system32\\scrsys061124.scr winsys.ini [dll_hitpop] fn = C:\\WINDOWS\\system32\\winsys32_061124.dll winsys.ini [dll_start_bak] fn = C:\\WINDOWS\\system32\\scrsys16_061124.scr winsys.ini [dll_start] fn = C:\\WINDOWS\\system32\\winsys16_061124.dll winsys.ini [hitpop] kv = 0 3、修改注册表键值，达到随系统启动的目的： HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon "Userinit" = C:\\WINDOWS\\system32\\userinit.exe,rundll32.exe C:\\WINDOWS\\system32\\winsys16_061124.dll start 4、查找包含如下信息的窗体，尝试关闭这些窗体：瑞星注册表监控提示主动防御信息主动防御警报主动防御警告主动防护提示主动防护警告主动防护警报主动防护信息 Kaspersky Anti-Virus: 通知 5、链接互联网，试图下载如下文件： http://207.46.19.30/isapi/redir.dll?prd=ie&pver=6&ar=msnhome http://208.172.13.254/ http://65.54.152.126/ http://69.108.159.61/library/dap.js http://69.108.159.61/ads/6028/0000006028_000000000000000385411.swf?fd=www.msn.com&clickTAG=http%3A//g.msn.com/0AD00042/1023104.5.1%3F%3FPID%3D3505768%26amp%3BUIT%3DG%26amp%3BTargetID%3D1081844%26amp%3BAN%3D419629108%26amp%3BPG%3DMSNREC http://69.108.159.61/br/hp/en-us/css/7/blu.css http://69.108.159.61/br/hp/en-us/css/7/decoration/pipe.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/t.gif?http://stb.msn.com/i/BE/C7FA55CFA986A26FE1A325D0E2CC64.jpg http://69.108.159.61/br/hp/en-us/css/7/decoration/t.gif?http://stb.msn.com/i/1D/E96930DEEF7EFDA819FBDC624BCBE.jpg http://69.108.159.61/br/hp/en-us/css/7/decoration/msn_b.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/bullet.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/video.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/buttons.gif http://207.46.216.62/c.gif?di=340&pi=7317&ps=83527&tp=http://www.msn.com/&rf= http://207.46.216.55/c.gif?di=340&pi=7317&ps=83527&tp=http://www.msn.com/&rf=&RedC=c.msn.com&MXFR=9AD480265CF549E4BCE7D194DF92E5A5 http://63.150.153.30/br/om/js/1/s_code.js http://207.46.216.62/c.gif?di=340&pi=7317&ps=83527&tp=http://www.msn.com/&rf=&MUID=9AD480265CF549E4BCE7D194DF92E5A5 http://128.241.21.149/b/ss/msnportalhome/1/H.1-pdv-2/s17852470343337?[AQB]&ndh=1&t=8/0/2007%204%3A28%3A6%201%20300&ns=msnportal&pageName=US%20Homepage%20V10.5&g=http%3A//www.msn.com/&cc=USD&ch=www.msn.com&server=msn.com&c1=Portal&c2=en-us&c3=10.5&c19=Dblu%2CW1%2CM5%2CF5%2CT5%2CE5%2CQ0&c22=False&c29=http%3A//www.msn.com/&s=1152x864&c=24&j=1.3&v=Y&k=Y&bw=792&bh=471&ct=lan&hp=N&[AQE] http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSN9TP&AP=1376 http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSNREC&AP=1440 http://69.108.159.61/br/hp/en-us/css/7/decoration/WL.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/beta.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/search.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/msnbf.gif http://69.108.159.61/br/hp/en-us/css/7/decoration/msft.gif http://65.54.195.185/ADSAdClient31.dll?GetSAd=&PG=MSN9UT&AP=1339 http://65.54.195.185/ADSAdClient31.dll?GetSAd=&PG=MSNMMT&AP=1402 http://66.142.247.254/i/B2/B38AE443CC7154FB0B1FC2B5ACDA.JPG http://66.142.247.254/i/91/94AB84A3A8C3441B39C4BFDF6885.jpg http://66.142.247.254/i/AB/48246F6727DCA16791D0144BA78FA.jpg http://66.142.247.254/i/F0/C71AF17271768EA57FE35F49CFF77.jpg http://66.142.247.254/i/3A/E2E2E0FEA8E55AD59AAEBE43A7E246.jpg http://66.142.247.254/i/50/C396B4EC11355010D2DF18C76E9F7D.jpg http://66.142.247.254/i/31/DF78637BD438B9BB69A582FEA6879.jpg http://66.142.247.254/i/AA/F78459FF8DDD39BF14DE4431D3395.JPG http://66.142.247.254/i/56/F28E5AC0B9C07C5B1E13C6B797DC10.jpg http://66.142.247.254/i/F2/C46FA12BAD98C59238B88C8417522.jpg http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSNCNT&AP=1463 http://65.54.194.118/ADSAdClient31.dll?GetSAd=&PG=MSNSUR&AP=1140 http://66.142.254.157/ads/764/0000000764_000000000000000385427.jpg http://66.142.254.157/ads/1/0000000001_000000000000000017246.gif http://69.108.159.61/as/wea3/i/en-US/saw/34.gif http://69.108.159.61/as/wea3/i/en-US/saw/28.gif http://69.108.159.61/as/wea3/i/en-US/saw/4.gif http://69.108.159.61/br/hp/en-us/js/5/hpb.js http://69.108.159.61/br/hp/en-us/js/5/ieminwidth.js http://209.67.78.3/CNT/view/msnnkspc0020000003cnt/direct/01/ http://64.132.34.79/images/pixel.gif 试图链接的IP为： 207.46.19.30 208.172.13.254 65.54.152.126 69.108.159.61 69.108.159.61 69.108.159.61 207.46.216.62 207.46.216.55 63.150.153.30 207.46.216.62 128.241.21.149 65.54.194.118 69.108.159.61 65.54.195.185 66.142.247.254 66.142.247.254 65.54.194.118 66.142.254.157 69.108.159.61 69.108.159.61 209.67.78.3 64.132.34.79 注：% System%是一个可变路径。病毒通过查询操作系统来决定当前System文件夹的位置。Windows2000/NT中默认的安装路径是C:\\Winnt\\System32，windows95/98/me中默认的安装路径是C:\\Windows\\System，windowsXP中默认的安装路径是C:\\Windows\\System32。杀毒方法： 1、下载杀毒软件 2、在断网的情况下，关闭所有盘系统还原（右键我的电脑，属性，系统还原标签页，勾选在所有驱动器上关闭系统还原，确定.），清空IE缓存（右键IE图标，属性里，勾选清除所有脱机内容），开机按F8进入安全模式，在安全模式下安装杀毒软件，并杀毒
随便看	迤资水电站迤资站迤俪迤逦迤蚱么村迤蚱自然村迩迩安远至迩来迩僚迩年迩日迩身迩时迩室迩岁迩文迩续迩遥迩英阁迩怨迩月迩志迩遐迦