Entry | Email-Worm.Win32.LovGate.ae |
Definition | Analysis of Email-Worm.Win32.LovGate.ae

Preface: This should be a fairly old virus; if I remember correctly it appeared around 2004. I got the sample today from Jianmeng (剑盟). The only other mail worm I have analysed is Warezov. This LovGate backdoor is written rather well; I spent more than four hours on it, looked up some material along the way, and there are still parts I do not understand. Quite tiring. I have to keep learning and improving! I am a newbie, so there are bound to be omissions.

Virus name: Email-Worm.Win32.LovGate.ae (Kaspersky)
File size: 192000 bytes
Packer: multiple layers of ASPack and JDPack
Sample MD5: 42ab20ee5f4757a44edff753bc508840
Sample SHA1: cc2df80aea902bec125601cd3202a3e5e9010613
Compiler: Microsoft Visual C++ 6.0
Type: backdoor, worm
Propagation: e-mail, network

Behaviour analysis:

When run, the worm drops copies of itself and its backdoor components to:
%Windows%\SVCHOST.EXE
%Windows%\SYSTRA.EXE
%System32%\HXDEF.EXE
%System32%\IEXPLORE.EXE
%System32%\KERNEL66.DLL
%System32%\RAVMOND.EXE
%System32%\TKBELLEXE.EXE
%System32%\UPDATE_OB.EXE
%System32%\LMMIB20.DLL
%System32%\MSJDBC11.DLL
%System32%\MSSIGN30.DLL
%System32%\NETMEETING.EXE
%System32%\ODBC16.DLL
%System32%\SPOLLSV.EXE

It copies itself to the root of every partition and creates an autorun.inf there:
AUTORUN.INF
COMMAND.EXE

Contents of AUTORUN.INF:
[AUTORUN]
Open="c:\COMMAND.EXE" /StartExplorer

The worm creates startup entries so that it runs again at every boot:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "RAVMOND.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
WinHelp = "C:\Windows\System32\TkBellExe.exe"
Hardware Profile = "C:\Windows\System32\hxdef.exe"
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"
Program In Windows = "C:\Windows\System32\IEXPLORE.EXE"
Shell Extension = "C:\Windows\System32\spollsv.exe"
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
SystemTra = "C:\Windows\SysTra.EXE"
COM++ System = "svchost.exe"

It registers itself as a system service:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server Performs Scheduled scans for LANguard
Image path: %System32%\MSJDBC11.DLL

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_reg]
Display name: _reg
Description: (empty)
Image path: %System32%\MSJDBC11.DLL

It modifies the following registry entries so that opening a .TXT file runs a copy of the worm:

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
(default) = "Update_OB.exe %1"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
(default) = "Update_OB.exe %1"

The worm can spread via MAPI. It searches the system mailbox and replies to the messages it finds there, so that the reply carries the worm back to every correspondent.

The messages it sends have the following characteristics:

Subject: Re: <original subject>

Body:
<original body>
<domain> auto-reply: wrote:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about, don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ...
more look to the attachment.
> Get your FREE now! <

(The verse is the opening stanza of Kipling's "If".)

Attachment (one of):
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
CloneAttack.rm.scr
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Besides MAPI, the worm also spreads with its own SMTP engine.

It harvests e-mail addresses from files with the following extensions:
adb asp dbx htm php sht tbb

Sender: {random name}@yahoo.com, where the name is one of:
john alex michael james mike kevin david george sam andrew jose leo maria jim brian serg mary ray tom peter robert bob jane joe dan dave matt steve smith stan bill bob jack fred ted adam brent alice anna brenda claudia debby helen jerry jimmy julie linda sandra

Body (one of):
It's the long-awaited film version of the Broadway hit.
The message sent as a binary attachment.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.

The worm avoids sending to addresses that contain any of the following strings:
.gov .mil avp borlan example foo. gov. hotmail icrosof inpris msn. mydomai nodomai panda ruslis sopho syma

The worm creates a shared folder named "Media" under the Windows directory and places the following copies of itself in it:
AUTOEXEC.BAT
CAIN.PIF
CLIENT.EXE
documents and settings.txt.exe
FINDPASS.EXE
I386.EXE
internet explorer.bat
microsoft office.exe
MMC.EXE
MSDN.ZIP.PIF
SUPPORT TOOLS.EXE
WINDOWUPDATE.PIF
windows media player.zip.exe
WINHLP32.EXE
WINRAR.EXE
XCOPY.EXE

It also tries to log on to other machines on the LAN with the user names and passwords below, using the IPC$ and ADMIN$ shares that Windows enables by default, and spreads through the Admin$ share:
Guest Administrator zxcv yxcv test123 test temp123 temp sybase super secret pw123 Password owner oracle mypc123 mypc mypass123 mypass love login Login Internet home godblessyou enable database computer alpha admin123 Admin abcd 88888888 2004 2600 2003 123asd 123abc 123456789 1234567 123123 121212 11111111 00000000 000000 pass 54321 12345 password passwd server !@#$%^&* !@#$%^& !@#$%^ !@#$% asdfgh asdf !@#$ 1234 root abc123 12345678 abcdefg abcdef 888888 666666 111111 admin administrator guest 654321 123456

If the logon succeeds, the worm writes a copy of itself named NETMANAGER.EXE into the remote machine's Admin$\System32 folder.

The worm starts a service named Windows Management NetWork Service Extensions.

It uses "net stop" to try to shut down security-software services:
Symantec AntiVirus Client
Symantec AntiVirus Server
Rising Realtime Monitor Service

It also terminates processes related to security and anti-virus software whose names contain:
KV KAV Duba NAV kill RavMon.exe Rfw.exe Gate McAfee Symantec SkyNet rising
(Note that the dropped file RAVMOND.EXE mimics the name of Rising's RavMon.exe, which the worm itself kills.)

The worm collects information stored on the computer, together with passwords, into C:\netlog.txt and mails the file at intervals to:
hello_zyx@163.com

It also creates archives on the E: and F: drives and sends them out:
setup.ZIP setup.RAR WORK.RAR WORK.ZIP install.ZIP install.RAR bak.RAR bak.ZIP letter.RAR letter.ZIP
|
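The persistence entries, the txtfile handler hijack, the MSJDBC11.DLL services and the autorun.inf described above are all checkable offline from a registry export. The following is an added example written for this page (not code from the original analysis): it parses regedit-style .reg text and an autorun.inf and flags the entries the report attributes to LovGate.ae. The .reg and autorun.inf text at the bottom are constructed from the report, with two benign entries (a VMware Tools Run value and the real Print Spooler service) added to show that they are not flagged; the rule names and the `ImagePath` string-value form are assumptions of this example.

```python
"""Audit a .reg export and an autorun.inf for LovGate.ae persistence (added example)."""
import re

# Image names the report attributes to LovGate.ae under Run / RunServices and
# the win.ini-style "run" value.  svchost.exe is started by the service control
# manager, never from Run, and the real iexplore.exe lives under Program Files,
# so both names are safe to flag in these locations.
LOVGATE_RUN_IMAGES = {
    "ravmond.exe", "tkbellexe.exe", "hxdef.exe", "netmeeting.exe",
    "iexplore.exe", "spollsv.exe", "systra.exe", "svchost.exe",
}
LOVGATE_RUNDLL_DLL = "mssign30.dll"    # RUNDLL32.EXE MSSIGN30.DLL ondll_reg
LOVGATE_SERVICE_DLL = "msjdbc11.dll"   # image path of both dropped services
LOVGATE_TXT_HANDLER = "update_ob.exe"  # txtfile\shell\open\command hijack

AUTOSTART_KEY_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"software\microsoft\windows nt\currentversion\windows",
)


def parse_reg_export(text):
    """Parse the .reg subset regedit exports: [key], "name"="data", @="data"."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.lower().startswith("windows registry editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            # .reg doubles backslashes and escapes quotes inside strings
            keys[current][name.replace('\\"', '"').replace("\\\\", "\\")] = (
                data.replace('\\"', '"').replace("\\\\", "\\"))
    return keys


def image_basename(command):
    """Lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0] if command else ""
    return first.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def scan_registry(keys):
    """Return (rule, key, value name, data) tuples for every LovGate indicator."""
    findings = []
    for key, values in keys.items():
        lkey = key.lower()
        if lkey.endswith(AUTOSTART_KEY_SUFFIXES):
            for name, data in values.items():
                if image_basename(data) in LOVGATE_RUN_IMAGES or LOVGATE_RUNDLL_DLL in data.lower():
                    findings.append(("autostart", key, name, data))
        elif lkey.endswith(r"txtfile\shell\open\command"):
            default = values.get("", "")
            if LOVGATE_TXT_HANDLER in default.lower():
                findings.append(("txtfile-hijack", key, "(default)", default))
        elif "\\currentcontrolset\\services\\" in lkey:
            image = values.get("ImagePath", "")
            if image_basename(image) == LOVGATE_SERVICE_DLL:
                findings.append(("service", key, "ImagePath", image))
    return findings


def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip()
    return sections


def autorun_launches_executable(text):
    """True when [autorun] open= or shellexecute= starts a program (as LovGate's does)."""
    auto = parse_autorun_inf(text).get("autorun", {})
    return any(image_basename(auto[k]).endswith((".exe", ".pif", ".scr", ".com", ".bat", ".cmd"))
               for k in ("open", "shellexecute") if k in auto)


# Constructed sample input (not a captured export): the report's entries plus two benign ones.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\Windows\\System32\\TkBellExe.exe"
"Hardware Profile"="C:\\Windows\\System32\\hxdef.exe"
"VFW Encoder/Decoder Settings"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="svchost.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="Update_OB.exe %1"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_reg]
"DisplayName"="_reg"
"ImagePath"="C:\\Windows\\System32\\MSJDBC11.DLL"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
"""
SAMPLE_AUTORUN = '[AUTORUN]\nOpen="c:\\COMMAND.EXE" /StartExplorer\n'

if __name__ == "__main__":
    for finding in scan_registry(parse_reg_export(SAMPLE_REG)):
        print(*finding, sep=" | ")
    print("autorun.inf launches a program:", autorun_launches_executable(SAMPLE_AUTORUN))
```

Matching on the exact drop names keeps the real spooler (spoolsv.exe) separate from the worm's look-alike spollsv.exe; on a live host, export the keys with `reg export` and feed the text to `parse_reg_export`.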
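The mail characteristics above (a spoofed first-name@yahoo.com sender, a "Re:" subject, the "auto-reply: wrote:" body with the Kipling stanza or one of the SMTP-engine bodies, and a decoy attachment with an executable extension) combine into a gateway rule. The following is an added example written for this page, not code from the original analysis: it scores an RFC 822 message against those traits using only the standard library. The two messages at the bottom are constructed samples (victim@example.com and the fake PE bytes are invented), and the weights and threshold are this example's choice; a sender or subject match alone is deliberately not enough, because both occur in ordinary replies.

```python
"""Gateway-side scoring of LovGate.ae e-mail traits (added example)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Values taken from the report above.
SENDER_NAMES = set("""john alex michael james mike kevin david george sam andrew
jose leo maria jim brian serg mary ray tom peter robert bob jane joe dan dave matt
steve smith stan bill jack fred ted adam brent alice anna brenda claudia debby helen
jerry jimmy julie linda sandra""".split())
KNOWN_ATTACHMENTS = {name.lower() for name in (
    "the hardcore game-.pif", "Sex in Office.rm.scr", "Deutsch BloodPatch!.exe",
    "s3msong.MP3.pif", "Me_nude.AVI.pif", "How to Crack all gamez.exe",
    "Macromedia Flash.scr", "SETUP.EXE", "Shakira.zip.exe",
    "dreamweaver MX (crack).exe", "CloneAttack.rm.scr",
    "StarWars2 - CloneAttack.rm.scr", "Industry Giant II.exe",
    "DSL Modem Uncapper.rar.exe", "joke.pif", "Britney spears nude.exe.txt.exe",
    "I am For u.doc.exe",
)}
BODY_MARKERS = (
    "auto-reply:",
    "if you can keep your head when all about you",
    "more look to the attachment",
    "the message sent as a binary attachment",
    "mail failed. for further assistance, please contact!",
    "has been sent as a binary attachment",
)
EXEC_EXT = (".exe", ".pif", ".scr")
# "name.zip.exe", "x.rm.scr": a decoy extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(exe|pif|scr)$", re.IGNORECASE)


def classify(raw):
    """Return (score, reasons) for one RFC 822 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    sender = str(msg.get("From") or "").lower()
    m = re.search(r"([a-z0-9._-]+)@([a-z0-9.-]+)", sender)
    if m and m.group(2) == "yahoo.com" and m.group(1) in SENDER_NAMES:
        score += 1; reasons.append("spoofed yahoo.com sender from the worm's name list")

    if str(msg.get("Subject") or "").strip().lower().startswith("re:"):
        score += 1; reasons.append("Re: subject (auto-reply propagation)")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [mk for mk in BODY_MARKERS if mk in text]
    if hits:
        score += 3; reasons.append("body marker(s): " + "; ".join(hits))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lname = name.lower()
        if lname in KNOWN_ATTACHMENTS:
            score += 4; reasons.append("known LovGate attachment name: " + name)
        elif DOUBLE_EXT.search(lname):
            score += 3; reasons.append("double-extension executable: " + name)
        elif lname.endswith(EXEC_EXT):
            score += 2; reasons.append("executable attachment: " + name)
    return score, reasons


def is_lovgate_like(raw, threshold=5):
    """Threshold chosen so sender + subject alone (score 2) never trigger."""
    return classify(raw)[0] >= threshold


def build_sample(from_addr, subject, body, attachment=None):
    """Build a constructed sample message (not a captured LovGate e-mail)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00 constructed bytes, not a real PE",
                           maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg.as_string()


WORM_SAMPLE = build_sample(
    "john@yahoo.com", "Re: quarterly report",
    "example.com auto-reply: wrote:\n"
    "If you can keep your head when all about you\n"
    "Are losing theirs and blaming it on you;\n"
    "... ...\nmore look to the attachment.\n> Get your FREE now! <\n",
    attachment="Shakira.zip.exe")
BENIGN_SAMPLE = build_sample(
    "john@yahoo.com", "Re: quarterly report",
    "Thanks, the numbers look fine. See you Monday.\n")

if __name__ == "__main__":
    for label, raw in (("worm-like", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, reasons = classify(raw)
        print(label, score, is_lovgate_like(raw), reasons)
```

The attachment rule generalises beyond the report's fixed list: any name of the form something.ext.exe/.pif/.scr is scored as a double-extension lure, which also covers the "Media" share copies such as windows media player.zip.exe and MSDN.ZIP.PIF.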