Analysis of the latest logogogo variant XP.exe (Win32.Logogo) (with removal tool)
Author: depressedboy   Views: 2021   Posted: 2007/11/17 19:31
Date: 2007/11/17 (please keep this notice when reposting)

This is the latest variant of the earlier logogo.exe virus. It can be regarded as a landmark variant of the series, in the same way that the earlier crsss turned into the "Qinshou" (beast) virus...

Technical details:
File: logogogo.exe
Size: 17196 bytes
Modified: 2007-11-17, 10:06:48
MD5: CBD42479BD49AEB0E839B3D4F116516B
SHA1: F1DC3254693CC11C70BCDCB2EC124BD82E550AC5
CRC32: 9510B8CC
Packer: Upack 0.3.9
AV name: Win32.Logogo.a (Rising)

1. The virus starts itself with two parameters: -down and -worm, which perform the download and the infection routine respectively.

2. It drops the following copy:
%systemroot%\system\logogogo.exe
It also drops XP.exe and autorun.inf into the root directory of every disk partition so that it spreads through removable storage.

3. It creates a startup entry under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs at boot.
It creates a logogo subkey under HKLM\SOFTWARE to record that the virus installed successfully.

4. Under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options it creates image hijack entries that point to the virus itself, for the following programs:
360rpt.exe, 360Safe.exe, 360tray.exe, ACKWIN32.EXE, ANTI-TROJAN.EXE, APVXDWIN.EXE, AUTODOWN.EXE, AVCONSOL.EXE,
AVE32.EXE, AVGCTRL.EXE, AVKSERV.EXE, AVNT.EXE, AVP.EXE, AVP32.EXE, AVPCC.EXE, AVPDOS32.EXE, AVPM.EXE,
AVPTC32.EXE, AVPUPD.EXE, AVSCHED32.EXE, AVWIN95.EXE, AVWUPD32.EXE, BLACKD.EXE, BLACKICE.EXE, CFIADMIN.EXE,
CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLAW95.EXE, CLAW95CF.EXE, CLEANER.EXE, CLEANER3.EXE, DVP95.EXE,
DVP95_0.EXE, ECENGINE.EXE, EGHOST.EXE, ESAFE.EXE, EXPWATCH.EXE, F-AGNT95.EXE, F-PROT.EXE, F-PROT95.EXE,
F-STOPW.EXE, FESCUE.EXE, FINDVIRU.EXE, FP-WIN.EXE, FPROT.EXE, FRW.EXE, IAMAPP.EXE, IAMSERV.EXE, IBMASN.EXE,
IBMAVSP.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFACE.EXE, IOMON98.EXE,
Iparmor.exe, JEDI.EXE, KAV32.exe, KAVPFW.EXE, KAVsvc.exe, KAVSvcUI.exe, KVFW.EXE, KVMonXP.exe, KVMonXP.kxp,
KVSrvXP.exe, KVwsc.exe, KvXP.kxp, KWatchUI.EXE, LOCKDOWN2000.EXE, Logo1_.exe, Logo_1.exe, LOOKOUT.EXE,
LUALL.EXE, MAILMON.EXE, MOOLIVE.EXE, MPFTRAY.EXE, N32SCANW.EXE, Navapsvc.exe, Navapw32.exe, NAVLU32.EXE,
NAVNT.EXE, navw32.EXE, NAVWNT.EXE, NISUM.EXE, NMain.exe, NORMIST.EXE, NUPGRADE.EXE, NVC95.EXE, PAVCL.EXE,
PAVSCHED.EXE, PAVW.EXE, PCCWIN98.EXE, PCFWALLICON.EXE, PERSFW.EXE, PFW.EXE, Rav.exe, RAV7.EXE, RAV7WIN.EXE,
RAVmon.exe, RAVmonD.exe, RAVtimer.exe, Rising.exe, SAFEWEB.EXE, SCAN32.EXE, SCAN95.EXE, SCANPM.EXE,
SCRSCAN.EXE, SERV95.EXE, SMC.EXE, SPHINX.EXE, SWEEP95.EXE, TBSCAN.EXE, TCA.EXE, TDS2-98.EXE, TDS2-NT.EXE,
THGUARD.EXE, TrojanHunter.exe, VET95.EXE, VETTRAY.EXE, VSCAN40.EXE, VSECOMR.EXE, VSHWIN32.EXE, VSSTAT.EXE,
WEBSCANX.EXE, WFINDV32.EXE, ZONEALARM.EXE, _AVP32.EXE, _AVPCC.EXE, _AVPM.EXE, 修复工具.exe (repair tool)

5. It infects *.exe files everywhere except inside the following folders:
windows, winnt, recycler, system volume information

It does not infect the following exe files:
XP.EXE, CA.exe, NMCOSrv.exe, CONFIG.exe, Updater.exe, WE8.exe, settings.exe, PES5.exe, PES6.exe, zhengtu.exe,
nettools.exe, laizi.exe, proxy.exe, Launcher.exe, WoW.exe, Repair.exe, BackgroundDownloader.exe,
o2_unins_web.exe, O2Jam.exe, O2JamPatchClient.exe, O2ManiaDriverSelect.exe, OTwo.exe, sTwo.exe, GAME2.EXE,
GAME3.EXE, Game4.exe, game.exe, hypwise.exe, Roadrash.exe, O2Mania.exe, Lobby_Setup.exe, CoralQQ.exe, QQ.exe,
QQexternal.exe, BugReport.exe, tm.exe, ra2.exe, ra3.exe, ra4.exe, ra21006ch.exe, dzh.exe, Findbug.EXE, fb3.exe,
Meteor.exe, mir.exe, KartRider.exe, NMService.exe, AdBalloonExt.exe, ztconfig.exe, patchupdate.exe

A section named .ani is appended to the end of each infected file. When an infected file runs, it drops a temporary file named ani.ani and executes it; that file is the virus body, logogogo.exe.

6. It connects to the network to download trojans: it reads a download list from http://dow.*.us/xxx.txt, then downloads http://dow.*.com/1.exe through http://dow.*.com/20.exe into %systemroot%\system, using SYSTEM128.tmp as the temporary file while each download is in progress.

7. The virus also collects the current machine name, operating system version, MAC address and other information.

8. The virus body contains an advertisement left by its author: "Downloader for sale, QQ 2892*".
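The writeup says the infector appends a section named .ani as the last section of every file it touches. The following Python is an added example (not the author's tool): it reads only the PE headers, lists the section names, and flags a file whose last section carries that name. The builder function constructs a header-only PE32 image so the check can be exercised offline; it is a constructed test input, not a real sample, and a section name alone is a triage heuristic that still needs confirmation by a scanner.

```python
import struct

INFECTION_MARKER = b".ani"  # section name the writeup reports appended to infected files


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image by parsing only its headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                           # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = data[table + i * 40:table + (i + 1) * 40]  # IMAGE_SECTION_HEADER is 40 bytes
        if len(entry) < 40:
            raise ValueError("truncated section table")
        names.append(entry[:8].rstrip(b"\0"))
    return names


def is_suspected_infected(data: bytes) -> bool:
    """Heuristic from the writeup: the infector leaves a section named .ani as the last section."""
    names = pe_section_names(data)
    return bool(names) and names[-1] == INFECTION_MARKER


def build_fake_pe(section_names) -> bytes:
    """Constructed header-only PE32 image for offline testing; not a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\0" * 222                        # PE32 magic plus padding, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    sample = build_fake_pe([b".text", b".rdata", b".ani"])
    print(pe_section_names(sample), is_suspected_infected(sample))
```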
2007-11-17 16:33

The SREng log after the virus and its trojans have been implanted is as follows:

Startup items
Registry
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{8E32FA58-3453-FA2D-BC49-F340348ACCE8}><%systemroot%\system32\rsmyhpm.dll> []
<{A2AC7E3B-30BE-466f-8BAB-1FF9DADD8C7D}><%systemroot%\system32\KVBatch01.dll> []
<{5A321487-4977-D98A-C8D5-6488257545A5}><%systemroot%\system32\kapjezy.dll> []
<{5A1247C1-53DA-FF43-ABD3-345F323A48D5}><%systemroot%\system32\avwgemn.dll> []
<{6859245F-345D-BC13-AC4F-145D47DA34F6}><%systemroot%\system32\avzxfmn.dll> []
<{4960356A-458E-DE24-BD50-268F589A56A4}><%systemroot%\system32\avwldmn.dll> []
<{5598FF45-DA60-F48A-BC43-10AC47853D55}><%systemroot%\system32\rarjepi.dll> []
<{A6650011-3344-6688-4899-345FABCD156A}><%systemroot%\system32\ratbjpi.dll> []
<{38907901-1416-3389-9981-372178569983}><%systemroot%\system32\kawdczy.dll> []
<{9D561258-45F3-A451-F908-A258458226D9}><%systemroot%\system32\kvdxsima.dll> []
<{44783410-4F90-34A0-7820-3230ACD05F44}><%systemroot%\system32\raqjdpi.dll> []
<{97D81718-1314-5200-2597-587901018079}><%systemroot%\system32\kaqhizy.dll> []
<{38847374-8323-FADC-B443-4732ABCD3783}><%systemroot%\system32\sidjczy.dll> []
<{8D47B341-43DF-4563-753F-345FFA3157D8}><%systemroot%\system32\kvmxhma.dll> []
<{24909874-8982-F344-A322-7898787FA742}><%systemroot%\system32\swjqbzc.dll> []
<{A12C8D43-AC10-4C17-9136-E3E2FC9B3D21}><%Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys> []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]

==================================
Running processes
[PID: 1724][%systemroot%\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[%systemroot%\system32\rsmyhpm.dll] [N/A, ]
[%systemroot%\system32\KVBatch01.dll] [N/A, ]
[%systemroot%\system32\kapjezy.dll] [N/A, ]
[%systemroot%\system32\avwgemn.dll] [N/A, ]
[%systemroot%\system32\avzxfmn.dll] [N/A, ]
[%systemroot%\system32\avwldmn.dll] [N/A, ]
[%systemroot%\system32\rarjepi.dll] [N/A, ]
[%systemroot%\system32\ratbjpi.dll] [N/A, ]
[%systemroot%\system32\kawdczy.dll] [N/A, ]
[%systemroot%\system32\kvdxsima.dll] [N/A, ]
[%systemroot%\system32\raqjdpi.dll] [N/A, ]
[%systemroot%\system32\kaqhizy.dll] [N/A, ]
[%systemroot%\system32\sidjczy.dll] [N/A, ]
[%systemroot%\system32\kvmxhma.dll] [N/A, ]
[%systemroot%\system32\swjqbzc.dll] [N/A, ]
[%Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys] [N/A, ]
==================================
Winsock providers
MSAPI Tcpip [TCP/IP]
%systemroot%\system32\qdshm.dll(, N/A)
MSAPI Tcpip [UDP/IP]
%systemroot%\system32\qdshm.dll(, N/A)
==================================
Autorun.inf
[C:\]
[AutoRun]
OPEN=XP.EXE
shellexecute=XP.EXE
shell\打开(&O)\command=XP.EXE
[D:\]
[AutoRun]
OPEN=XP.EXE
shellexecute=XP.EXE
shell\打开(&O)\command=XP.EXE...

Solution:
Download SREng: http://download.kztechs.com/files/sreng2.zip
Xdelbox: http://www.dodudou.com/down/ (in the "original software" folder)

First restart the computer into Safe Mode (keep pressing F8 after power-on; when the advanced menu appears, choose the first item, Safe Mode, and let the system boot).
Unzip Xdelbox and SREng separately.
(Note: if WinRAR has also been infected, reinstall WinRAR before unzipping the files; reinstalling WinRAR is recommended.)

1. Open SREng.

Startup items, Registry: delete the following item
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

and delete all IFEO items shown in red.

Repair, System Repair: reset Winsock.

2. Unzip all Xdelbox files into one folder.

In the box next to "Add", enter each of the following in turn:
%systemroot%\system32\rsmyhpm.dll
%systemroot%\system32\KVBatch01.dll
%systemroot%\system32\kapjezy.dll
%systemroot%\system32\avwgemn.dll
%systemroot%\system32\avzxfmn.dll
%systemroot%\system32\avwldmn.dll
%systemroot%\system32\rarjepi.dll
%systemroot%\system32\ratbjpi.dll
%systemroot%\system32\kawdczy.dll
%systemroot%\system32\kvdxsima.dll
%systemroot%\system32\raqjdpi.dll
%systemroot%\system32\kaqhizy.dll
%systemroot%\system32\sidjczy.dll
%systemroot%\system32\kvmxhma.dll
%systemroot%\system32\swjqbzc.dll
%Program Files%\Internet Explorer\PLUGINS\Wn_Sys8x.Sys
After entering each path, click the Add button next to the box; the added file appears in the large box below.
Then select all files in the large box at once (hold Ctrl), right-click, and choose "Delete immediately on reboot".

3. After the computer restarts:
Double-click My Computer, then Tools, Folder Options, View. Select "Show hidden files and folders" and clear the checkbox in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click Yes, then OK.
Click the Folders button below the menu bar (the button to the right of Search).
In the explorer pane on the left, open the system drive and delete
%systemroot%\system\logogogo.exe
%systemroot%\system32\qdshm.dll

In the left pane, open each drive in turn and delete XP.exe and autorun.inf from the root directory of every drive.

4. Open SREng.

Startup items, Registry:
double-click AppInit_DLLs and clear its value.

5. Run a full-disk scan with antivirus software to repair the infected exe files (if the antivirus has also been infected, reinstall it to avoid reinfection).

Attachment:
logogogo__.zip
2007/11/23 18:21, 285.24 KB, downloads: 40

Download Dr.Web and run a full scan:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Dr.Web CureIT 4.44

Repair the infected files.
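The SREng log above shows the same autorun.inf on every drive root, with OPEN, shellexecute and shell\<verb>\command all pointing at XP.EXE. The Python below is an added example (not SREng's or the author's code) that parses an autorun.inf, lists every directive Explorer would launch, and reports whether they all resolve to a root-level XP.EXE as in this infection; the sample text is reconstructed from the log and is a constructed test input.

```python
import re
from typing import Dict, List

# Reconstructed from the SREng log in the writeup (constructed test input, not a captured file).
SAMPLE_AUTORUN = """[AutoRun]
OPEN=XP.EXE
shellexecute=XP.EXE
shell\\打开(&O)\\command=XP.EXE
"""

# Keys under [AutoRun] that make Explorer launch something: open, shellexecute,
# and shell\<verb>\command for any verb (the sample uses a Chinese "Open(&O)" verb).
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [AutoRun] section; section name matched case-insensitively."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def launch_targets(text: str) -> List[str]:
    """Every program an autorun.inf would hand to Explorer, in file order."""
    return [v for k, v in parse_autorun(text).items() if LAUNCH_KEY.match(k)]


def matches_logogo_pattern(text: str) -> bool:
    """True when every launch directive points at XP.EXE in the drive root, as in the writeup."""
    targets = set()
    for t in launch_targets(text):
        t = t.strip('"').lower()
        targets.add(t[2:] if t.startswith(".\\") else t)  # ".\XP.EXE" and "XP.EXE" are the same file
    return targets == {"xp.exe"}
```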
Comments (5):
1. tfnyga (2007/11/19 01:05): Viruses that infect EXE files are especially annoying.
2. depressedboy (2007/11/21 23:39): Reply to post #3: once you are infected it leaves you unable to repair....
3. depressedboy (2007/11/21 23:39): Reminds me of that panda...
4. see360 (2007/12/29 10:03): Just what I was looking for.
5. bobo781003 (2008/2/8 10:22): Support~