Yesterday when I booted up I noticed what looked like a flash of the 360safe "settings changed" prompt, but I have never installed 360 at all. Sure enough, I found a new 360safe folder on the D: drive with a file 360safe.exe inside. I had meant to zip up a copy as a sample and then delete it, but then the tragedy happened: the file was locked by System. I used XueTr to look through the startup items and found this file in two strange locations in the registry; I deleted those without hesitation, then chose to move the file and rename it on reboot. After the reboot, amazingly, the file really had been moved and renamed, yet it was still locked by System! My skills are not good enough to work out what injected code is causing this, so I am posting it to the forum to share the virus sample with everyone; if an expert can analyse it in detail I would be most grateful. I am also attaching the automated analysis result. (PS: my machine has no antivirus installed, since the hardware really isn't up to it, and I had thought my habits were quite good, so I really don't know how I caught this trojan.)
File System Modifications
The following files were created in the system:
# Filename(s) / File Size / File Hash / Alias
1 %ProgramFiles%\[filename garbled in the report]
  0 bytes
  MD5: 0xD41D8CD98F00B204E9800998ECF8427E
  SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
  (not available)
2 [file and pathname of the sample #1]
  1,537,064 bytes
  MD5: 0xB922C76542F380A193D265C2BC953772
  SHA-1: 0x234AE3123F3FA2FCDB33DEFA9B0522E70B4685F2
  Trojan.ADH [PCTools]
  Trojan.ADH [Symantec]
  Trojan.Win32.Sasfis.bvtp [Kaspersky Lab]
  VirTool:Win32/Injector.gen!BB [Microsoft]
  Virus.Win32.Injector [Ikarus]
Note:
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
The following directory was created:
%CommonAppData%\TEMP
Notes:
%CommonAppData% is a variable that refers to the file system directory containing application data for all users. A typical path is C:\Documents and Settings\All Users\Application Data.
Registry Modifications
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\VersionIndependentProgID]
(Default) = "MSNIASVC.LogonManager"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\TypeLib]
(Default) = "{F62EC210-3A46-4AE0-AFC4-22A796213285}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\ProgID]
(Default) = "MSNIASVC.LogonManager.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}\LocalServer32]
(Default) = "%ProgramFiles%\MSN\MSNIA\msniasvc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABC833EA-2D94-77FB-B0FD-1FC08A27178C}]
(Default) = "LogonManager Class"
AppID = "{F15FFFBD-FC14-40E6-88B7-AA7E73FEB112}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Licenses]
{R7C0DB872A3F777C0} = 4A 8D 7D 4C
{K7C0DB872A3F777C0} = 78 DA 5C 56 7A 12 1F 7D 75 8E 32 07 1E 46 2E 03 07 99 01 65 14 0F C8 1F F3 29 FB 4A 8D 7D 4C FF FF FF FF 87 30 0C C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F
{ID73632B3F99583F9} = 03 00 00 00
{0D73632B3F99583F9} = 5B 32 93 0F EF 81 A6 A4 41 06 51 9E 01 B2 AC 82 DA 3A 95 64 DA B4 7F B3 95 EA 73 89 18 B3 06 6B 7A E9 03 23 47 C2 4F 73 F4 A9 05 51 7B F3 0F 61 1E EC C5 57 BE 9D DB BE 39 2F 13 63 FB 34 CA 03 6E 84 54 6F 4C AB A9 3F F4 06 65 BE 5B 59 F6 BF 13 C9 F3 A
This is a mirrored post. Source: 北邮人论坛 (BYR BBS) / security / #33402, synced on 2011/12/15
Caught a rather interesting trojan; sample attached, analysis requested
kingstone
2011/12/15 (mirror sync) · 1 reply
1 reply
Very interested~~ but it's finals and I have no time...
And I can't analyse virus code anyway..
Have you tried IceSword or wsyscheck? Those two can access the disk directly, I think. Or could you set permissions on the virus file? Or use WinPE or something like that?
If that doesn't work, search online using these names of yours:
Trojan.ADH [Symantec]
Trojan.Win32.Sasfis.bvtp [Kaspersky Lab]
VirTool:Win32/Injector.gen!BB [Microsoft]
Virus.Win32.Injector[Ikarus]
[ In kingstone's post above: ]