Rootkit.Win32.Ressdt.o / Trojan-Downloader.Win32.Agent.mjp Analysis
Original: endurer
2008-04-10, first version
This sample was published by Xialu on its official website.
Rootkit.Win32.Ressdt.o / Trojan-Downloader.Win32.Agent
http://endurer.bokee.com/6681893.html
http://blog.csdn.net/Purpleendurer/archive/2008/04/09/2271747.aspx
http://blog.sina.com.cn/s/blog_49926d910100926n.html
File: D:/test/svcos.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 20:48:57
Modification time: 20:48:57
Access time: 20:49:59
Size: 20625 bytes, 20.145 KB
MD5: 12732b8726845cc29c40c06cb10dce2a
SHA1: 56ba924504107273cd6f26edb858dd33295d79f9
CRC32: f671a2a2
Kaspersky reports Trojan-Downloader.Win32.Agent.mjp; Rising reports Rootkit.Win32.Ressdt.o > FSG2.0 > 96.
svcos.exe drops/creates the files ressdt.exe, ressdt.sys, sysave.exe, C:/Program Files/sys.bat and C:/winddk/2600/111/i386/ressdt.pdb, and restores the SSDT, which causes system security protection software to fail.
It runs the following command: cmd.exe /C net stop wscsvc & net stop sharedaccess & sc config sharedaccess start= disabled & sc config wscsvc start= disabled & net stop kpfwsvc & net stop kwatchsvc & net stop mcshield & net stop "Norton AntiVirus Server" & cacls "C:/Program Files/Tencent/QQ/QQDoctor" /d everyone
It hijacks commonly used software using image hijacking (Image File Execution Options).
It downloads the following files:
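Two of the behaviours above, the chained service-stopping command and image hijacking, leave telemetry a defender can check. The Python below is an added example, not code from the original post: it splits a process command line into its "&"-chained segments and flags stop, disable and ACL-denial actions against security services, and it scans a registry export for "Debugger" values under Image File Execution Options. The service names and the cacls target come from the command quoted in the analysis; the event lines, the registry export, the QQDoctor.exe key and the man1.exe path are constructed for this example.

```python
"""Detection logic for two behaviours from the analysis: the chained 'net stop /
sc config / cacls' command that disables security software, and image
hijacking via Image File Execution Options (IFEO).

Added example, not code from the original post. Service names and the cacls
target come from the quoted command; every log line, the registry export, the
QQDoctor.exe key and the man1.exe path are constructed for this example."""
import re
from dataclasses import dataclass

# Services the dropper stops or disables (taken from the quoted command).
SECURITY_SERVICES = {
    "wscsvc",                   # Windows Security Center
    "sharedaccess",             # Windows Firewall / ICS
    "kpfwsvc",                  # Kingsoft personal firewall
    "kwatchsvc",                # Kingsoft antivirus monitor
    "mcshield",                 # McAfee on-access scanner
    "norton antivirus server",
}
# Substrings that mark a security product's install directory (assumed list).
SECURITY_PATH_HINTS = ("qqdoctor", "kingsoft", "mcafee", "norton", "rising")

NET_STOP_RE = re.compile(r'^net\s+stop\s+"?([^"]+?)"?$', re.I)
SC_DISABLE_RE = re.compile(r'^sc\s+config\s+"?([^\s"]+)"?\s+start\s*=\s*disabled$', re.I)
CACLS_DENY_RE = re.compile(r'^cacls\s+"?([^"]+?)"?\s+/d\s+everyone$', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str      # what the segment attempted
    target: str    # service name or path it acted on


def split_chain(cmdline: str) -> list[str]:
    """Drop a leading 'cmd.exe /C' and split the rest on the cmd chain operator '&'."""
    body = re.sub(r'^\s*"?cmd(?:\.exe)?"?\s+/c\s+', "", cmdline, flags=re.I)
    return [seg.strip() for seg in body.split("&") if seg.strip()]


def analyze_cmdline(cmdline: str) -> list[Finding]:
    """One Finding per chained segment that stops, disables or ACL-locks a security service."""
    findings = []
    for seg in split_chain(cmdline):
        if (m := NET_STOP_RE.match(seg)) and m.group(1).lower() in SECURITY_SERVICES:
            findings.append(Finding("net_stop_security_service", m.group(1)))
        elif (m := SC_DISABLE_RE.match(seg)) and m.group(1).lower() in SECURITY_SERVICES:
            findings.append(Finding("sc_disable_security_service", m.group(1)))
        elif (m := CACLS_DENY_RE.match(seg)) and any(h in m.group(1).lower() for h in SECURITY_PATH_HINTS):
            findings.append(Finding("cacls_deny_security_path", m.group(1)))
    return findings


def classify(cmdline: str) -> str:
    """'high' for a persistent disable or several stops, 'medium' for one hit, else 'none'."""
    kinds = [f.kind for f in analyze_cmdline(cmdline)]
    stops = kinds.count("net_stop_security_service")
    if "sc_disable_security_service" in kinds or stops >= 2 or (stops and "cacls_deny_security_path" in kinds):
        return "high"
    return "medium" if kinds else "none"


def scan_events(cmdlines: list[str]) -> list[tuple[int, str]]:
    """Index and severity of every event whose severity is not 'none'."""
    return [(i, sev) for i, c in enumerate(cmdlines) if (sev := classify(c)) != "none"]


# IFEO hijack check over a 'reg export' style text (constructed sample below).
IFEO_KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\'
    r'Image File Execution Options\\([^\]\\]+)\]$', re.I)
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.I)


def find_ifeo_hijacks(reg_export: str) -> dict[str, str]:
    """Map each IFEO subkey (hijacked executable) to its Debugger value."""
    hijacks, current = {}, None
    for line in reg_export.splitlines():
        if m := IFEO_KEY_RE.match(line.strip()):
            current = m.group(1)
        elif line.startswith("["):
            current = None                 # some other key: stop attributing values
        elif current and (m := DEBUGGER_RE.match(line.strip())):
            hijacks[current] = m.group(1).replace("\\\\", "\\")   # .reg doubles backslashes
    return hijacks


# Constructed process command lines: the first is the chain quoted in the
# analysis (Windows path form), the other two are benign administration.
EVENTS = [
    r'cmd.exe /C net stop wscsvc & net stop sharedaccess & sc config sharedaccess start= disabled '
    r'& sc config wscsvc start= disabled & net stop kpfwsvc & net stop kwatchsvc & net stop mcshield '
    r'& net stop "Norton AntiVirus Server" & cacls "C:\Program Files\Tencent\QQ\QQDoctor" /d everyone',
    r'cmd.exe /C net stop spooler & net start spooler',
    r'cacls "C:\Users\Public\share" /d everyone',
]

# Constructed registry export: the QQDoctor.exe key and man1.exe path are example values.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe]
"Debugger"="C:\\WINDOWS\\system32\\COM\\man1.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"UseFilter"=dword:00000000
'''

if __name__ == "__main__":
    for idx, sev in scan_events(EVENTS):
        print(f"event {idx}: {sev}", *analyze_cmdline(EVENTS[idx]), sep="\n  ")
    print("IFEO hijacks:", find_ifeo_hijacks(REG_EXPORT))
```

Splitting on "&" before matching is what makes the rule robust: the same net stop / sc config / cacls segments are caught whether they arrive as one long chain or as separate process-creation events, and scoring on the combination (a persistent sc config disable, or several stops plus an ACL denial on a security product directory) keeps a single benign "net stop" from firing on its own.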
hxxp://***.look***des**t**.***.cn/HB/xxz.exe
File: D:/test/xxz.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 18709 bytes, 18.277 KB
MD5: 1ffe0d00ae97de0677a0d460667518bb
SHA1: 4fbf007ed9d74143ca029906f9917c6548aa0864
CRC32: 105acb2c
Kaspersky reports Worm.Win32.AutoRun.dbm.
hxxp://***.look***des**t**.***.cn/HB/1.exe, saved as COM/man1.exe
File: D:/test/1.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 20016 bytes, 19.560 KB
MD5: 64caae21051c28d710976485602c82d4
SHA1: be3366f5db9fc675d513bb815b69f2a6c60cdda7
CRC32: daecea2b
Kaspersky reports Trojan-PSW.Win32.OnLineGames.wem; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/2.exe, saved as COM/man2.exe
File: D:/test/2.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 17984 bytes, 17.576 KB
MD5: e6c0906e9d9de19dbafea90fb6458a18
SHA1: 5774696225657df4283822f1d291697fb0820303
CRC32: ae289f05
Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/3.exe, saved as COM/man3.exe
File: D:/test/3.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 14064 bytes, 13.752 KB
MD5: 4c419721b3c888107be38fccd08be3a7
SHA1: ee9425585453506e02b715d411b97bc82e302bfe
CRC32: c1990ad5
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zjp.
hxxp://***.look***des**t**.***.cn/HB/4.exe, saved as COM/man4.exe
File: D:/test/4.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 19972 bytes, 19.516 KB
MD5: c7a31670725c4050ff8c69c7ba181b60
SHA1: 97c66251f818e53c24d88b83bca1807494a9f690
CRC32: 27da4f2b
Kaspersky reports Trojan-PSW.Win32.OnLineGames.whs; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/5.exe, saved as COM/man5.exe
File: D:/test/5.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 18160 bytes, 17.752 KB
MD5: c79446699ca064024a5f7dd706d70e1b
SHA1: 46fa42e1db41bec2715bd3a15ac6964277d9fee5
CRC32: d3c56eff
Kaspersky reports Trojan-PSW.Win32.OnLineGames.yzt; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/6.exe, saved as COM/man6.exe
File: D:/test/6.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 12549 bytes, 12.261 KB
MD5: fdf8c09cb412f496f4aee6bd881e02a5
SHA1: 0e8442e2d14d0c12eaa59194b07d45b2f7ab64e3
CRC32: a3e40e61
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zfe.
hxxp://***.look***des**t**.***.cn/HB/7.exe, saved as COM/man7.exe
File: D:/test/7.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 29613 bytes, 28.941 KB
MD5: 90a66cb2fce36d5f42f3c661ef651144
SHA1: 4774dbd051757097dac464b06fed977b3f7d4405
CRC32: c8c55483
Kaspersky (AVP) reports Trojan-PSW.Win32.Lmir.bpv; Rising reports Trojan.PSW.Win32.GamesOnline.fz > Upack0.39.
hxxp://***.look***des**t**.***.cn/HB/8.exe, saved as COM/man8.exe
File: D:/test/8.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 14116 bytes, 13.804 KB
MD5: 17ac4a402988c118a8e89b3cf92108c6
SHA1: 14a971a4f1c45f5c1768b6b505fd61a1d55f7fe9
CRC32: a6bf5608
Kaspersky (AVP) reports Trojan-PSW.Win32.OnLineGames.whs; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/9.exe, saved as COM/man9.exe
(File does not exist)
hxxp://***.look***des**t**.***.cn/HB/10.exe, saved as COM/man10.exe
File: D:/test/10.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 16164 bytes, 15.804 KB
MD5: baba0dcdaf86c033516cf1f0730b182f
SHA1: da2c54adfe41584b10abd234d239115767bc2923
CRC32: 1d93548a
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zel; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/11.exe, saved as COM/man11.exe
(File does not exist)
hxxp://***.look***des**t**.***.cn/HB/12.exe, saved as COM/man12.exe
File: D:/test/12.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 12166 bytes, 11.902 KB
MD5: 1ecd3591093c79175b21f70454589c11
SHA1: 905528e3ec0ba2e172a3258a00e4591bea4badb2
CRC32: a32eb333
Kaspersky reports Trojan-PSW.Win32.OnLineGames.yip; Rising reports Trojan.PSW.Win32.SunOnline.nh.
hxxp://***.look***des**t**.***.cn/HB/13.exe, saved as COM/man13.exe
File: D:/test/13.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 12378 bytes, 12.90 KB
MD5: 87f692f3b461d0ce1af45d61086a90c1
SHA1: eabe82e83de5fd4155c0917e1e3599345a9fd586
CRC32: a0f00d4e
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zfe.
hxxp://***.look***des**t**.***.cn/HB/14.exe, saved as COM/man14.exe
File: D:/test/14.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 12649 bytes, 12.361 KB
MD5: 6d014d3266ec3a6f381_a081b62096c
SHA1: b9320fde7aad06b6e48d2e97f03a73b1b237c1c1
CRC32: 966bbf18
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zfe.
hxxp://***.look***des**t**.***.cn/HB/15.exe, saved as COM/man15.exe
File: D:/test/15.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 17984 bytes, 17.576 KB
MD5: aa9e5588bd4bd5deebd247ce5012461b
SHA1: aed93b4f2b307d056b725da-ecf3d6c71baa9d8a
CRC32: 1adcdd9b
Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/16.exe, saved as COM/man16.exe
File: D:/test/16.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 19996 bytes, 19.540 KB
MD5: 442da-8bb0b21e602318e00829ca7193
SHA1: 6de0115d3c2f480e6bca5acc803c4cee367c92e6
CRC32: 58d68f12
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zea; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/17.exe, saved as COM/man17.exe
File: D:/test/17.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 16872 bytes, 16.488 KB
MD5: 468e7cda-cf9791b4c3ee49a378060e7
SHA1: 2fbf17e568d3cd4bbc45e2fbef5aaecb1b08450a
CRC32: e56f14a3
Kaspersky reports Trojan-PSW.Win32.OnLineGames.xml; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/18.exe, saved as COM/man18.exe
File: D:/test/18.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 17395 bytes, 16.1011 KB
MD5: 39ff978de3b20a2eeef2e28423d9e827
SHA1: bd2496e5456da-d1e4da08d33f8b70bf47f3010
CRC32: 3327ef21
hxxp://***.look***des**t**.***.cn/HB/19.exe, saved as COM/man19.exe
File: D:/test/19.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 17276 bytes, 16.892 KB
MD5: 888cad78608d92971b93ec2551f2fd2a
SHA1: 6a4025ce14993d0512a3e3d6e4e4f04ce249d6c4
CRC32: 2cfa9442
Kaspersky reports Trojan-PSW.Win32.OnLineGames.yxl; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/20.exe, saved as COM/man20.exe
File: D:/test/20.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 11710 bytes, 11.446 KB
MD5: ef33b6aa76673ab8b9eefd2df849b60d
SHA1: 5905c2238bd133ae936418a44c25a4ac6f5d9e5d
CRC32: 86ba07fd
Kaspersky reports Trojan-PSW.Win32.OnLineGames.yip; Rising reports Trojan.PSW.Win32.SunOnline.nh > Upack0.39.
hxxp://***.look***des**t**.***.cn/HB/21.exe, saved as COM/man21.exe
File: D:/test/21.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 14468 bytes, 14.132 KB
MD5: 7e02b5bd61365bc7646ccdcc96c70e23
SHA1: cd1b8cae6898c11067467393483dc9e40ed8b7b6
CRC32: 0dd9e32f
Kaspersky reports Trojan-PSW.Win32.OnLineGames.yzt; Rising reports Packer.Win32.Upack.
hxxp://***.look***des**t**.***.cn/HB/22.exe, saved as COM/man22.exe
File: D:/test/22.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 12340 bytes, 12.52 KB
MD5: b3921445c539dc03cc856a8fb0abaddb
SHA1: c0f26e200a4caed0394ddc20a0b9045b354072af
CRC32: 54efbd17
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zdk.
hxxp://***.look***des**t**.***.cn/HB/23.exe, saved as COM/man23.exe
File: D:/test/23.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 13422 bytes, 13.110 KB
MD5: 2ff28cadafd1943b52f4d34e08f00ac9
SHA1: ac9de9658f454a359bde0a573e4696fff8a86798
CRC32: fbfad1af
Kaspersky reports Trojan-PSW.Win32.OnLineGames.yrt; Rising reports Trojan.PSW.Win32.SunOnline.nh > Upack0.39.
hxxp://***.look***des**t**.***.cn/HB/24.exe, saved as COM/man24.exe
File: D:/test/24.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 4537 bytes, 4.441 KB
MD5: 6ba5a1fa266096207dc7e560e9764e41
SHA1: 17138421250a9bf89a9cc6078b8ed0dbfa4f9238
CRC32: 7d478692
Kaspersky reports Trojan-PSW.Win32.Nilage.cfp.
hxxp://***.look***des**t**.***.cn/HB/25.exe, saved as COM/man25.exe
File: D:/test/25.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 31348 bytes, 30.628 KB
MD5: f3ba591f8d6222f83c066633515a8079
SHA1: a2c9f2cb9eb0291ab54263de5146e0f52b64d7e6
CRC32: 1ba8e7c2
Kaspersky reports Trojan-Downloader.Win32.Small.suu; Rising reports Trojan.DL.Win32.Mnless.zbh > Upack0.39 > PECompact2x.
hxxp://***.look***des**t**.***.cn/HB/26.exe, saved as COM/atisrvn.exe
File: D:/test/26.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 39765 bytes, 38.853 KB
MD5: 31345d961619da423cae8b7c316f2c68
SHA1: descrifa5ed4be8ceab746705a602c34570e7cc9f73
CRC32: f2b343a0
Kaspersky reports Trojan-Downloader.Win32.VB.dox; Rising reports Backdoor.Win32.Scan.a > FSG2.0 > 65 > 65.
hxxp://***.look***des**t**.***.cn/HB/27.exe, saved as COM/man27.exe
File: D:/test/27.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 12585 bytes, 12.297 KB
MD5: fbc9031e06adf9def86a8378072fd93e
SHA1: 9619e8a55fb9f7c71127d4d5cd81d8c5daeff3a7
CRC32: f7c20aad
Kaspersky reports Trojan-PSW.Win32.OnLineGames.zfe.