Trojan-PSW.Win32.Nilage.bcw


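Trojan-PSW.Win32.Nilage.bcw is a Trojan written in Borland Delphi that mainly targets Microsoft Windows systems. It reaches the user's computer through storage media, malicious websites, or downloads performed by other viruses and Trojans, and then carries out information theft, ARP spoofing, remote control and similar activity. Common antivirus products have since updated their signature databases and released dedicated removal tools for it.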

Basic information

  • Chinese name: Trojan-PSW.Win32.Nilage.bcw
  • Virus type: Trojan
  • Threat level: 3
  • Disclosure: fully public

Virus summary

Virus name: Trojan-PSW.Win32.Nilage.bcw
Virus type: Trojan
File MD5: 48ABEEBC0D32069184C46A86A4C363D9
Disclosure: fully public
Threat level: 3

File size

33,363 bytes; 120,832 bytes after unpacking

Affected systems

Windows 98 and later

Development tool

Borland Delphi 6.0 - 7.0

Packer

UPX 0.89.6 - 1.02 / 1.05 - 1.22

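Virus description

The virus spreads widely through removable storage media, malicious websites, and downloads performed by other viruses and Trojans. It kills and hijacks antivirus software, firewalls and virus-removal tools, and the "[random 8 alphanumeric characters].dll" that it injects into other processes monitors and protects its registry entries and files. This makes the virus fairly difficult to remove and gives it more room to survive. Through the injected "[random 8 alphanumeric characters].dll" the Trojan can record the user's actions in order to steal sensitive information. After it runs, the Trojan connects to the network, updates its files, downloads other malicious files, and carries out information theft, ARP spoofing, remote control and so on.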

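Behaviour analysis

1. Once activated, the virus copies itself to system directories and to every drive, and drops additional files:
Copies of itself:
%Program Files%\Common Files\Microsoft Shared\MSInfo\[random 8 alphanumeric characters].dat
%WINDIR%\Help\[random 8 alphanumeric characters].chm
Dropped files:
%Program Files%\Common Files\Microsoft Shared\MSInfo\[random 8 alphanumeric characters].dll
%WINDIR%\[random 8 alphanumeric characters].hlp
%system%\verclsid.exe.bak (the original verclsid.exe is deleted and a copy named verclsid.exe.bak is created)
Copies of itself dropped on every drive:
[DRIVE LETTER]:\AutoRun.inf
[DRIVE LETTER]:\[random 8 alphanumeric characters].exe
Note: in this infection the random 8-character alphanumeric name was 80C88D28.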
2. Startup entries:
(1) Modifies the registry to add a value under ShellExecuteHooks, hooking file-open operations so that the virus gets started:
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}
Value: string: "(Default)" = ""
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32\
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32
Value: string: "(Default)" = "%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\[random 8 alphanumeric characters].dll"
HKLM\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32
Value: string: "ThreadingModel" = "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: string: " " = ""
(2) Modifies the registry to restore the AutoRun function for hard disks or optical drives:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun
Value: DWORD: 145 (0x91)
It drops an AutoRun.inf file on every drive so that opening the drive runs the "[random 8 alphanumeric characters].exe" file in the same directory. The AutoRun contents are as follows:
[AutoRun]
open=80C88D28.exe
shell\open=打開(&O)
shell\open\Command=[random 8 alphanumeric characters].exe
shell\open\Default=1
shell\explore=資源管理器(&X)
shell\explore\Command=[random 8 alphanumeric characters].exe
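3. "[random 8 alphanumeric characters].dll" is injected into the Explorer.exe process and, from within Explorer.exe, monitors the registry values the virus wrote, restoring them if they are deleted. It also tries, through hooks, to inject "[random 8 alphanumeric characters].dll" into the IEXPLORER.EXE process and into application processes.
4. Monitors and closes the processes and windows of many antivirus programs, firewalls and virus-removal tools, as well as antivirus-related websites, and even windows whose titles contain keywords such as "virus".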
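5. Breaks Safe Mode by deleting the following registry keys:
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
6. Changes a registry value so that hidden files are not shown, in order to hide the virus files:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Value: dword:"CheckedValue"=dword:00000001
Changed to: Value: dword:"CheckedValue"=dword:00000000
7. Adds multiple image-hijack entries to the registry, one subkey per program under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, hijacking many antivirus programs, firewalls, virus-removal tools and related software.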
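The hijacked programs are redirected to the .dat file under C:\Program Files\Common Files\Microsoft Shared\MSInfo\.
8. Changes registry values to disable the services of specific antivirus products and to disable automatic updates:
HKLM\SYSTEM\ControlSet001\Services\[antivirus service name]\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\start
9. After it runs, the Trojan connects to the network, updates its files, downloads other malicious files, and carries out information theft, ARP spoofing, remote control and so on.
Note: in this infection the random 8-character alphanumeric name was 80C88D28.
%System% is a variable path. The virus determines the location of the current System folder by querying the operating system. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.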

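Removal

1. Use Antiy Trojan Defense Line (安天木馬防線) to remove the virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings according to the behaviour analysis.
(1) Use the "Process Management" feature of Antiy Trojan Defense Line to terminate the virus process:
mstsc.exe
(2) Force-delete the virus files:
%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dat
%Program Files%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll
%WINDIR%\Help\XXXXXXXX.chm
%WINDIR%\XXXXXXXX.hlp
[DRIVE LETTER]:\AutoRun.inf
[DRIVE LETTER]:\XXXXXXXX.exe
(3) Restore the registry entries the virus modified and delete the registry entries it added:
HKLM\SOFTWARE\Classes\CLSID\
Value: string: "(Default)" = ""
HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32\
HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
Value: string: "(Default)" = "%ProgramFiles%\Common Files\Microsoft Shared\MSInfo\XXXXXXXX.dll"
HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
Value: string: "ThreadingModel" = "Apartment"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Value: string: " " = ""
(4) Remove the .bak suffix from %system%\verclsid.exe.bak, renaming it to:
%system%\verclsid.exe
(5) Show hidden files:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Value: dword:"CheckedValue"=dword:00000000
Change to: Value: dword:"CheckedValue"=dword:00000001
(6) Delete the hijack entries added under image hijacking, at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
(7) Restore the Safe Mode registry keys, re-enable the specific antivirus services and automatic updates, and delete the malicious files the virus downloaded.
(8) Immunize the system: create autorun.ini and autorun.inf files in the root directory of every drive, and set their attributes so that they cannot be deleted or written.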
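
The registry changes from items 2, 5, 6 and 7 of the behaviour analysis can be checked offline against a registry export taken from a suspect machine, which avoids relying on tools the Trojan closes on the live system. The script below is an added example, not part of the original entry. It assumes the export is already decoded to text and covers all of HKLM, and that the image hijack uses the standard `Debugger` value, which the entry does not name; the finding labels are made up for illustration.

```python
import re

# Constructed sample: fragment of a regedit-style export (already decoded to text),
# modelled on the registry changes listed in this entry. Not captured data.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\80C88D28.dat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88D280C8-80C8-8D28-C88D-0C8D20C88D28}\InProcServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\80C88D28.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
'''

# Files named <8 letters/digits>.dat or .dll inside ...\Microsoft Shared\MSInfo\
DROP = re.compile(r"\\microsoft shared\\msinfo\\[0-9a-z]{8}\.(dat|dll)$")
SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\"

def parse_reg(text):
    """Parse export text into {key path (lowercase): {value name (lowercase): data}}."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and "=" in line:
            name, data = line.split("=", 1)
            cur[name.strip('"').lower()] = data.strip('"').replace("\\\\", "\\")
    return keys

def triage(keys):
    """Return sorted labels for the registry changes this entry describes."""
    found = set()
    for path, vals in keys.items():
        # "Debugger" is the standard IFEO redirect value (assumed; the entry does not name it).
        if "\\image file execution options\\" in path and DROP.search(vals.get("debugger", "").lower()):
            found.add("ifeo-hijack:" + path.rsplit("\\", 1)[1])
        if path.endswith("\\inprocserver32") and DROP.search(vals.get("@", "").lower()):
            found.add("com-server-in-msinfo")
        if path.endswith("\\hidden\\showall") and vals.get("checkedvalue") == "dword:00000000":
            found.add("hidden-files-suppressed")
    for mode in ("minimal", "network"):  # both keys exist on a healthy system
        if SAFEBOOT + mode not in keys:
            found.add("safeboot-missing:" + mode)
    return sorted(found)

if __name__ == "__main__":
    print(triage(parse_reg(SAMPLE_REG)))
```

A partial export that omits the SYSTEM hive will report both SafeBoot keys as missing, so that finding only means something for a full HKLM export.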
