[06-26] A little analysis on virus Trojan. DL. Agent. ALB (version 3rd)

EndurerOriginal

3Added: Kaspersky confirmed as a virus:Trojan. win32.agent. ut
2Edition supplement: Kaspersky (09:06:15) and Jiangmin kv2006 engine version: 9.02.2040 virus database Date: are not reported.

1Version

A netizen said that sometimes browsing the Web page on his computer is slow recently, and sometimes an inexplicable webpage hxxp: // www.88u.com is displayed. The logs scanned by hijackthis are sent concurrently.

The following suspicious items are found in the log:

 

 

O2-BHO: iehlprobj class-{A3803141-3CF5-4D66-B7EA-8D2674FE152C}-C:/Windows/stdie. dll

O4-hkcu/../run: [LocalSystem] C:/Windows/system/svchost.exe

 

 

After the reply, the netizen packed the two files and sent them.

The svchost.exe report isTrojan. DL. Agent. ALB

This file is written in Microsoft Visual C ++ 7.0 [debug ].

Download micpip by creating a named pipeline:

 

 

Hxxp: // www. Ad **** developer.com/filmweb/webad.asp
Hxxp: // www. Ad **** developer.com/filmweb/file.asp
Hxxp: // www. Ad **** developer.com/filmweb/file.dat
Hxxp: // www. Ad **** developer.com/filmweb/ehu.up

 

 

Create a file
1.% WINDIR %/setupsvc.txt

2.% USERPROFILE %/Local Settings/temp/run1.bat

File Content:

 

 

Rundll32 syssetup, setupinfobjectinstallaction defainstall install 128 drv1.inf

 

 

3.% USERPROFILE %/Local Settings/temp // drv1.inf

File Content:

 

 

[Version]
Signature = "$ Windows NT $"
[Defainstall install]
Delreg = MYDEL
[MYDEL]
Hkcu, software/Microsoft/Windows/CurrentVersion/policies/system, disableregistrytools

 

 

4. netinfo. xml

5.% WINDIR %/system/svchost.exe

6.% WINDIR %/system/netshell. dll

7.% WINDIR %/netshell. dll

Modify multiple key values in the Registry

The most important one is:

 

 

Software/Microsoft/Windows/CurrentVersion/policies/explorer % S. dll

 

 

To load netshell. dll.

This item is not reported in the concise log of hijackthis.