snpmw.dll:計算機病毒介紹,病毒指紋,

病毒名稱：snpmw.dll病毒大小：385,024位元組加殼方式：無編寫語言：MicrosoftVisualC++6.0DLL病毒指紋：SHA- 160

基本介紹

名稱：snpmw.dll
性質：計算機病毒
大小：385,024位元組
編寫語言：Microsoft Visual C++ 6.0 DLL

計算機病毒介紹,病毒指紋,

計算機病毒介紹

病毒名稱：snpmw點dll

病毒大小：385,024 位元組

加殼方式：無

編寫語言：Microsoft Visual C++ 6.0 DLL

病毒指紋

SHA-160: 57642C013347E1FCD6590C188F7A612DC847357C

MD5 : 056A372F5469FCB41721F6A952C9AAAD

RIPEMD-160 : 29ED912E067ADA17AEE7CBBB2D1A134C0500D484

CRC-32: 2157E25C

一旦該dll程式被安裝到系統中，將自動下載：

.data:1000D228 off_1000D228 dd offset s_HttpDownload_ ; DATA XREF: sub_10001F9E+8B r

.data:1000D228 ;

cdnprot.dat'/cdnprot.vxd'/cdnprot.sys'/cdntran.dat'/cdntran.vxd'/cdntran點sys'到%systemroot%system32\drivers\目錄下，下載'cdnns.dll'/'cdn.dll'到%systemroot%\system32\目錄下，下載snpmw.cab到%systemroot%\system32\目錄下解壓運行：

.data:1000C120 s_Cdn_dll db 'cdn.dll',0 ; DATA XREF: sub_10001000+18E o

.data:1000C120 ; .data:1000C108 o

.data:1000C128 s_DriversCdnp_1 db 'drivers\cdnprot.dat',0 ; DATA XREF: .data:1000C104 o

.data:1000C13C s_DriversCdnp_0 db 'drivers\cdnprot.vxd',0 ; DATA XREF: .data:1000C100 o

.data:1000C13C ; .data:1000C114 o

.data:1000C150 s_DriversCdnpro db 'drivers\cdnprot.sys',0 ; DATA XREF: .data:1000C0FC o

.data:1000C150 ; .data:1000C110 o

.data:1000C164 s_DriversCdnt_1 db 'drivers\cdntran.dat',0 ; DATA XREF: .data:1000C0F8 o

.data:1000C178 s_Cdnns_dlldb 'cdnns.dll',0 ; DATA XREF: .data:1000C0F4 o

.data:1000C178 ; .data:1000C10C o

.data:1000C182 align 4

.data:1000C184 s_DriversCdnt_0 db 'drivers\cdntran.vxd',0 ; DATA XREF: .data:1000C0F0 o

.data:1000C184 ; .data:1000C11C o

.data:1000C198 s_DriversCdntra db 'drivers\cdntran.sys',0 ; DATA XREF: .data:off_1000C0EC o

.data:1000D230 ; "wmpns.dll"

.data:1000D234 ; "snpmw.dll"

.data:1000D238 ; "wmpns.ini"

.data:1000D23C ; LPCSTR lpszFile

.data:1000D23C lpszFile dd offset s_Wmpns_cab ; DATA XREF: sub_10001ED8+33 r

.data:1000D23C ; "wmpns.cab"

寫註冊表註冊服務、IE鉤子；

.data:1000C1AC s_SystemCurre_3 db 'SYSTEM\CurrentControlSet\Services\cdntran',0

.data:1000C1D8 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\cdnprot',0

.data:1000C294 s_SoftwareMi_32 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CdnCtr',0

.data:1000C2CC s_SoftwareMi_31 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\',0

.data:1000C340 s_SoftwareMi_30 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{B53D42E8-872B-430E-82D4'

.data:1000C3AC s_SoftwareMi_29 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CdnClient',0

.data:1000C3F8 s_SoftwareMi_28 db 'SOFTWARE\Microsoft\Internet Explorer\Extensions\',0

.data:1000C450 s_OftwareMicros db 'OFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT',0

.data:1000C490 s_SoftwareCnn_0 db 'SOFTWARE\CNNIC',0 ;

.data:1000C4A0 s_SoftwareCl_14 db 'SOFTWARE\Classes\TypeLib\',0

.data:1000C4E0 s_SoftwareCl_13 db 'SOFTWARE\Classes\TypeLib\',0

.data:1000C520 s_SoftwareCl_12 db 'SOFTWARE\Classes\TypeLib\',0

.data:1000C560 s_SoftwareCl_11 db 'SOFTWARE\Classes\Interface\',0

.data:1000C5A4 s_SoftwareCl_10 db 'SOFTWARE\Classes\Interface\',0

.data:1000C5E8 s_SoftwareCla_9 db 'SOFTWARE\Classes\Interface\',0

.data:1000C62C s_SoftwareCla_8 db 'SOFTWARE\Classes\Interface\',0

.data:1000C670 s_SoftwareCla_7 db 'SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj',0

.data:1000C69C s_SoftwareCla_6 db 'SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj.1',0

.data:1000C6CC s_SoftwareCla_5 db 'SOFTWARE\Classes\CLSID\',0

.data:1000C70C s_SoftwareCla_4 db 'SOFTWARE\Classes\CLSID\',0

.data:1000C74C s_SoftwareCla_3 db 'SOFTWARE\Classes\CLSID\',0

.data:1000C78C s_SoftwareCla_2 db 'SOFTWARE\Classes\CLSID\',0

.data:1000C7CC s_SoftwareCla_1 db 'SOFTWARE\Classes\Cdn.CdnObj',0

.data:1000C7E8 s_SoftwareCla_0 db 'SOFTWARE\Classes\Cdn.CdnObj.1',0

.調用Rundll32命令執行被下載的AutoLive.dll，寫註冊表

.data:1000CFCC s_Sautoliveinst db '%sAutoLiveInst.cab',0 ; DATA XREF: ekfs+2C9 o

.data:1000CF08 s_Rundll32SRund db 'Rundll32 %s,Rundll32',0 ; DATA XREF: DllMain(x,x,x)+DB o

.data:1000CFB8 s_Sautolive_dll db '%sAutoLive.dll',0 ; DATA XREF: ekfs+329 o

添加流氓程式啟動項：

.data:1000D198 s_SoftwareMic_1 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0

.data:1000D18C s_Exfilterdb 'ExFilter',0 ; DATA XREF: ekfs+5C o

懷疑是最新的3721流氓，因為時間是20070423：

.data:1000D308 s_D20070423EkEk db 'D:\20070423\EK\EK\EKWrap.cpp',0

修改host檔案：

.data:1000F348 s_Hosts db 'hosts',0 ; DATA XREF: sub_100056B5:loc_10005724 o

.data:1000F34E align 10h

.data:1000F350 s_System32Drive db 'system32\drivers\etc\hosts',0

.data:1000F350 ; DATA XREF: sub_100056B5+68 o

.data:1000F36B align 4

.data:1000F36C ; char s__3721_net[]

.data:1000F36C s__3721_netdb '.3721點net',0 ; DATA XREF: sub_100057C4:loc_100058DA o

.data:1000F376 align 4

.data:1000F378 ; char s__3721_com[]

.data:1000F378 s__3721_comdb '.3721點com',0 ; DATA XREF: sub_100057C4:loc_100058B6 o

註冊驅動：

.data:1000F5AC s_DriversAnfad_ db '\drivers\Anfad.sys',0 ; DATA XREF: sub_10005B0D+10A o

.data:1000F5BF align 10h

.data:1000F5C0 ; char s_SystemCurre_2[]

.data:1000F5C0 s_SystemCurre_2 db 'SYSTEM\CurrentControlSet\Services\Anfad',0

.data:1000F5C0 ; DATA XREF: sub_10005B0D+DB o

.data:1000F5E8 ; char s_DriversHcalwa[]

.data:1000F5E8 s_DriversHcalwa db '\drivers\hcalway.sys',0 ; DATA XREF: sub_10005B0D+96 o

.data:1000F5FD align 10h

.data:1000F600 ; char s_SystemCurre_1[]

.data:1000F600 s_SystemCurre_1 db 'SYSTEM\CurrentControlSet\Services\hcalway',0

.data:1000F600 ; DATA XREF: sub_10005B0D+50 o

.data:1000F62A align 4

.data:1000F62C ; char s_DriversFad_sy[]

.data:1000F62C s_DriversFad_sy db '\drivers\fad.sys',0 ; DATA XREF: sub_1000610D+CB o

.data:1000F63D align 10h

.data:1000F640 ; char s_SystemCurre_0[]

.data:1000F640 s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Services\FAD',0

通過該網址自動確認運行以上操作：

.data:1000F720 s_HttpLogs_soft db ;,0

snpmw.dll

基本介紹

計算機病毒介紹

病毒指紋

熱門詞條