Basic Information
Virus name: W32/Bagle.FC-mm
Type: Trojan  Length: 35307  Threat level: 2
Other aliases: Email-Worm.Win32.Bagle.fc (KAV), WORM_BAGLE.FC (Trend), W32.Beagle.DU (Norton)
Affected systems: Windows 98/Me, Windows 2K, Windows XP
Symptoms
1. The system responds noticeably more slowly;
2. The following files are present:
SYSTEM\anti_troj.exe
SYSTEM\winlog.dll
SYSTEM\winlog.exe
TEMP\~{RANDOM NUMBER}.tmp
TEMP\~{RANDOM NUMBER}.exe
TEMP\~{RANDOM NUMBER+1}.tmp
TEMP\~{RANDOM NUMBER+1}.exe
Note: {RANDOM NUMBER} is a random number;
3. The folder SYSTEM\exefld\ exists;
4. The processes winlog.exe and ~{RANDOM NUMBER+1}.exe appear in the process list
Behavior Analysis
1. This is a PE virus packed with Yoda's Crypter; the packed length is 35,307 bytes;
2. Creates the following files:
SYSTEM\anti_troj.exe (copy of the file TEMP\~{RANDOM NUMBER+1}.exe)
SYSTEM\winlog.dll (dropped file, detected by Fortinet as W32/Bagle.FC!tr)
SYSTEM\winlog.exe (copy of the file TEMP\~{RANDOM NUMBER}.exe)
TEMP\~{RANDOM NUMBER}.tmp (clean 0-byte file)
TEMP\~{RANDOM NUMBER}.exe (dropped file, detected by Fortinet as W32/Bagle.FC!tr)
TEMP\~{RANDOM NUMBER+1}.tmp (clean 0-byte file)
TEMP\~{RANDOM NUMBER+1}.exe (dropped file, detected by Fortinet as W32/Bagle.Y!dldr)
Note: {RANDOM NUMBER} is a random number;
3. Creates the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“anti_troj”=“SYSTEM\anti_troj.exe”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“anti_troj”=“SYSTEM\anti_troj.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“key2”=“SYSTEM\winlog.exe”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“key2”=“SYSTEM\winlog.exe”
4. Terminates the following security-related processes:
ashAvast.exe
ashDisp.exe
ashEnhcd.exe
ashPopWz.exe
ashShA64.dll
ashSimpl.exe
ashSkPck.exe
ashWebSv.exe
AUPDATE.EXE
Avconsol.exe
avgcc.exe
AVGCMSG.DLL
avgemc.exe
AVGNT.EXE
... (only part of the list is shown because it is too long)
5. Stops the following security-related services:
alerter
AlertManger
AntiVir Service
aswUpdSv
Ati HotKey Poller
avast! Antivirus
AVEService
AVExch32Service
avg7alrt
avg7updsvc
AvgCore
AvgFsh
AvgServ
AVIRAMailService
AVIRAService
avpcc
AVUPDService
... (only part of the list is shown because it is too long)
6. Deletes files whose paths contain the following strings:
“\ashAvast.exe”
“\ashDisp.exe”
“\ashEnhcd.exe”
“\ashPopWz.exe”
“\ashShA64.dll”
“\ashSimpl.exe”
“\ashSkPck.exe”
“\ashWebSv.exe”
“\AUPDATE.EXE”
“\Avconsol.exe”
“\avgcc.exe”
“\AVGCMSG.DLL”
“\avgemc.exe”
“\AVGNT.EXE”
“\AVSCHED32.DLL”
“\AVSCHED32.EXE”
“\Avsynmgr.exe”
“\AVWUPD32.EXE”
“\BCGCB59.dll”
“\bdmcon.exe”
“\bdnews.exe”
“\bdsubmit.exe”
“\bdswitch.exe”
“\cafix.exe”
... (only part of the list is shown because it is too long)
7. Blocks access to the following security-related domains:
upgrade.bitdefender.com
report.bitdefender.com
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
avp.ru
awaps.net
banner.fastclick.net
banners.fastclick.net
ca.com
ca.com... click.atdmt.com
clicks.atdmt.com
... (only part of the list is shown because it is too long)
8. Deletes the following security-related registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Symantec NetDriver Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NAV CfgWiz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SSC_UserPrompt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee Guardian
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfee.InstantUpdate.Monitor
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,APVXDWIN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAV50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_cc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avg7_emc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Zone Labs Client
HKLM\SOFTWARE\Symantec
HKLM\SOFTWARE\McAfee
HKLM\SOFTWARE\KasperskyLab
HKLM\SOFTWARE\Agnitum
HKLM\SOFTWARE\Panda Software
HKLM\SOFTWARE\Zone Labs
HKLM\SOFTWARE\Trend Micro
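The symptom list and the Run-key persistence described above can be turned into a simple indicator check. The following Python is an added example, not code from the original advisory or from any vendor: it takes host state already collected as plain strings (file paths written the way the advisory writes them, folder names, process image names, and the name/data pairs of the HKLM and HKCU ...\CurrentVersion\Run keys) and reports which of the advisory's indicators match, including the {N, N+1} temp-file pairs rather than any stray ~N.tmp. The sample host state at the bottom is constructed.

```python
import re

# Indicators transcribed from the advisory. Paths are relative to the Windows
# system directory (SYSTEM) and the temp directory (TEMP), as the advisory writes them.
FIXED_FILES = {r"system\anti_troj.exe", r"system\winlog.dll", r"system\winlog.exe"}
DROP_FOLDER = r"system\exefld"
TEMP_DROP_RE = re.compile(r"^temp\\~(\d+)\.(tmp|exe)$")
# Values the worm adds under HKLM and HKCU ...\CurrentVersion\Run (name -> data).
RUN_VALUES = {"anti_troj": r"system\anti_troj.exe", "key2": r"system\winlog.exe"}
PROCESS_RE = re.compile(r"^(winlog\.exe|~\d+\.exe)$")


def temp_drop_pairs(paths):
    """Return (N, N+1) pairs where both TEMP\~N.exe and TEMP\~N+1.exe exist.

    A single ~N.tmp left by some other program is not counted; the advisory
    describes two consecutive numbers, each with an .exe beside its .tmp.
    """
    exe_nums = set()
    for p in paths:
        m = TEMP_DROP_RE.match(p.lower())
        if m and m.group(2) == "exe":
            exe_nums.add(int(m.group(1)))
    return sorted((n, n + 1) for n in exe_nums if n + 1 in exe_nums)


def scan(files, folders, processes, run_values):
    """Match collected host state against the indicators; {} means no match.

    run_values maps (hive, value name) -> value data for the two Run keys.
    Matching is case-insensitive, since Windows paths and value names are.
    """
    findings = {}
    hits = sorted(p for p in files if p.lower() in FIXED_FILES)
    if hits:
        findings["files"] = hits
    pairs = temp_drop_pairs(files)
    if pairs:
        findings["temp_pairs"] = pairs
    dirs = sorted(d for d in folders if d.lower() == DROP_FOLDER)
    if dirs:
        findings["folders"] = dirs
    procs = sorted(p for p in processes if PROCESS_RE.match(p.lower()))
    if procs:
        findings["processes"] = procs
    runs = {k: v for k, v in run_values.items()
            if k[1].lower() in RUN_VALUES and v.lower() == RUN_VALUES[k[1].lower()]}
    if runs:
        findings["run_values"] = runs
    return findings


# Constructed sample host state (not real telemetry) for a self-check.
SAMPLE_FILES = [r"SYSTEM\anti_troj.exe", r"SYSTEM\winlog.dll", r"SYSTEM\winlog.exe",
                r"TEMP\~4711.tmp", r"TEMP\~4711.exe", r"TEMP\~4712.tmp", r"TEMP\~4712.exe",
                r"TEMP\~9.tmp", r"SYSTEM\notepad.exe"]
SAMPLE_FOLDERS = [r"SYSTEM\exefld", r"SYSTEM\drivers"]
SAMPLE_PROCS = ["explorer.exe", "winlog.exe", "~4712.exe"]
SAMPLE_RUN = {("HKLM", "anti_troj"): r"SYSTEM\anti_troj.exe",
              ("HKCU", "key2"): r"SYSTEM\winlog.exe",
              ("HKLM", "ctfmon"): r"SYSTEM\ctfmon.exe"}

if __name__ == "__main__":
    for kind, value in scan(SAMPLE_FILES, SAMPLE_FOLDERS, SAMPLE_PROCS, SAMPLE_RUN).items():
        print(kind, value)
```

A Run value whose data was changed by the attacker would not match the exact data comparison; treat a matching value name with unexpected data as worth a manual look.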
Removal
1. Terminate the virus-related processes;
2. Delete the following files:
SYSTEM\anti_troj.exe
SYSTEM\winlog.dll
SYSTEM\winlog.exe
TEMP\~{RANDOM NUMBER}.tmp
TEMP\~{RANDOM NUMBER}.exe
TEMP\~{RANDOM NUMBER+1}.tmp
TEMP\~{RANDOM NUMBER+1}.exe
3. Delete the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“anti_troj”=“SYSTEM\anti_troj.exe”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“anti_troj”=“SYSTEM\anti_troj.exe”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“key2”=“SYSTEM\winlog.exe”
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
“key2”=“SYSTEM\winlog.exe”
Virus Notes, Part 7: the winlog.exe process virus