Original by endurer
2007-04-17 2nd edition: added the pe_xscan log analysis, the Dr.Web CureIt scan results, and information on some of the virus samples
2007-04-16 1st edition
A net friend just told me that his computer had been running very slowly lately and asked me to check it through QQ remote assistance.
Opened Task Manager and found processes named Down(0).exe and iexplore.exe, although IE was not running at the time. Most likely infected.
Downloaded pe_xscan and HijackThis and ran scans to get logs.
The following suspicious items were found in the pe_xscan log:
/===
pe_xscan 07-03-25 by Purple Endurer
2007-4-16 21:59:33
Windows XP Service Pack 2(5.1.2600)
管理使用者組
[System Process] * 0
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/Down(0).exe * 1484 | 1980-4-2 7:1:30
C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30
C:/WINDOWS/Explorer.EXE * 1644 | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Windows Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | explorer | EXPLORER.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 1720 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 1784 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/program files/internet explorer/iexplore.exe * 1804 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/system32/ok6250522.3322.org.dll | 2007-4-15 14:21:32 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Microsoft® Windows® Operating System | Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | | VipDll | msgsvc4.dll
C:/WINDOWS/system32/khooker.exe * 236 | 2002-9-24 1:50:48 | SIS (R) Compatible Super VGA keyboard daemon for Windows 2000/XP | 0.0.0.2098 | SiS Compatible Super VGA Keyboard Daemon | Copyright (C) Silicon Integrated Systems Corp. 1998-2002 | 0.0.0.2098 | Silicon Integrated Systems Corporation | | KHOOKER 2.09j.03 | KHOOKER.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Common Files/Real/Update_OB/realsched.exe * 320 | 2007-2-14 15:9:14 | RealPlayer (32-bit) | 0.1.0.3760 | RealNetworks Scheduler | Copyright © RealNetworks, Inc. 1995-2004 | 0.1.0.3760 | RealNetworks, Inc. | RealAudio(tm) is a trademark of RealNetworks, Inc. | schedapp | realsched.exe
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/ctfmon.exe * 352 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | CTF Loader | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | CTFMON | CTFMON.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/SVCHOST.exe * 428 | 2006-11-15 21:59:30
C:/SVCHOST.exe | 2006-11-15 21:59:30
C:/WINDOWS/system32/ntdll.dll | 2004-8-17 12:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | NT Layer DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | ntdll.dll | ntdll.dll
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Messenger/msmsgs.exe * 456 | 2004-10-14 0:24:38 | Messenger | Version 4.7.3001 | Windows Messenger | Copyright (c) Microsoft Corporation 2004 | 4.7.3001 | Microsoft Corporation | Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries. | msmsgs | msmsgs.exe
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Program Files/Internet Explorer/IEXPLORE.EXE * 932 | 2004-8-17 20:0:0 | Microsoft(R) Windows(R) Operating System | 6.00.2900.2180 | Internet Explorer | (C) Microsoft Corporation. All rights reserved. | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | iexplore | IEXPLORE.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/Down(0).exe * 964 | 1980-4-2 7:1:30
C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30
C:/PROGRA~1/GAMECH~1/GameHall.exe * 3084 | 2007-1-19 13:7:42 | GameHall 應用程式 | 18, 0, 2006, 1012 | 遊戲大廳程式 | 同城遊戲 (C) 2003-2004 | 18, 0, 2006, 1012 | 同城遊戲 | | GameHall | GameHall.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/WINDOWS/system32/conime.exe * 1312 | 2004-8-17 12:0:0 | Microsoft® Windows® Operating System | 5.1.2600.2180 | Console IME | © Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation | ? | Console | CONIME.EXE
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/YHL2J69S/3[1].exe * 2692 | 2007-4-16 16:50:30
C:/WINDOWS/SYSTEM32/WINNETWORKKEY.DLL | 1980-4-2 7:1:26
O4 - HKCR/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCR/../Run: [system] c:/SVCHOST.exe
O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe
D:/autorun.inf
/-----
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell/Auto/command=sxs.exe
-----/
F:/autorun.inf
/-----
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell/Auto/command=sxs.exe
-----/
O9 - IE工具列擴充按鈕HKLM:JUJU貓 - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com
O9 - IE工具菜單擴充項HKLM: - {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.jujumao.com
O23 - 服務: 110 (110) - C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30(自動)
O23 - 服務: cdnprot (cdnprot) - system32/drivers/cdnprot.sys(引導)
O23 - 服務: cdntran (cdntran) - system32/drivers/cdntran.sys(自動)
O23 - 服務: DHCPmanager (DHCPmanager) - C:/WINDOWS/system32/DHCPmanager.exe | 1980-4-2 7:1:40(自動)
O23 - 服務: ferdr (FERDR) - C:/WINDOWS/system32/Drivers/Ferdr.sys | 2002-5-31 10:26:22(自動)
O23 - 服務: GrayPigeonServer1.23 (Gray_Pigeon_Server1.23) - C:/WINDOWS/G_Server1.23.exe | 2007-3-21 21:40:6(自動)
O23 - 服務: ok6250522.3322.org (ok6250522.3322.org) - C:/WINDOWS/system32/ok6250522.3322.org.exe | 2007-4-16 13:32:18(自動)
O23 - 服務: windows backup for xp (window backup for xp) - c:/backup/backupms0213313751.exe | 2007-3-21 20:49:42(自動)
O23 - 服務: Windows XP Vista (Windows XP Vista ) - C:/WINDOWS/Hac.exe(自動)
O23 - 服務: windows_0 (Windows Accounts Driver) - C:/WINDOWS/system32/Down(0).exe | 1980-4-2 7:1:30(自動)
SHOWALL Type isn't dword
===/
Now the HijackThis log:
/---
Logfile of HijackThis v1.99.1
Scan saved at 22:01:17, on 2007-4-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:/WINDOWS/system32/Down(0).exe
O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe
O4 - HKCU/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCU/../Run: [system] c:/SVCHOST.exe
O23 - Service: 110 - Unknown owner - C:/WINDOWS/system32/Down(0).exe
O23 - Service: DHCPmanager - Unknown owner - C:/WINDOWS/system32/DHCPmanager.exe
O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - C:/WINDOWS/G_Server1.23.exe (file missing)
O23 - Service: ok6250522.3322.org - Unknown owner - C:/WINDOWS/system32/ok6250522.3322.org.exe
O23 - Service: window backup for xp (windows backup for xp) - Unknown owner - c:/backup/backupms0213313751.exe
O23 - Service: Windows XP Vista - Unknown owner - C:/WINDOWS/Hac.exe (file missing)
O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:/WINDOWS/system32/Down(0).exe
O23 - Service: WinNetwork - Unknown owner - C:/WINDOWS/system32/WinNetwork.exe
---/
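The two logs above are what the whole diagnosis rests on, so here is an added example (my code, not from the post and not part of HijackThis or pe_xscan) that turns the indicators visible in this case into triage rules: a service whose binary is missing, an svchost.exe outside system32, a binary in a drive root or outside system32/Program Files, a bare numeric service name, a dynamic-DNS hostname (here .3322.org) embedded in a name or path, a known family name, and one binary registered under several services. It also parses an autorun.inf and lists what it would launch. The sample lines are copied from the HijackThis log and the autorun.inf above; the rules, the .3322.org suffix list and the assumption that the system drive is C: are mine, and the regexes assume the HijackThis 1.99 line layout (backslashes or forward slashes are both accepted).

```python
# Added example: triage of HijackThis-style O4/O23 entries and autorun.inf
# files. Not code from the post, HijackThis or pe_xscan; the heuristics are
# assumptions drawn from the indicators this case showed.
import re
from collections import Counter

# Constructed from the HijackThis log in the post (lines other than O4/O23 are ignored).
SAMPLE_LOG = """\
Running processes:
C:/WINDOWS/system32/Down(0).exe
O4 - HKLM/../Run: [HTpatch] C:/WINDOWS/htpatch.exe
O4 - HKCU/../Run: [bgswitch] C:/WINDOWS/system32/bgswitch.exe
O4 - HKCU/../Run: [system] c:/SVCHOST.exe
O23 - Service: 110 - Unknown owner - C:/WINDOWS/system32/Down(0).exe
O23 - Service: DHCPmanager - Unknown owner - C:/WINDOWS/system32/DHCPmanager.exe
O23 - Service: Gray_Pigeon_Server1.23 (GrayPigeonServer1.23) - Unknown owner - C:/WINDOWS/G_Server1.23.exe (file missing)
O23 - Service: ok6250522.3322.org - Unknown owner - C:/WINDOWS/system32/ok6250522.3322.org.exe
O23 - Service: window backup for xp (windows backup for xp) - Unknown owner - c:/backup/backupms0213313751.exe
O23 - Service: Windows XP Vista - Unknown owner - C:/WINDOWS/Hac.exe (file missing)
O23 - Service: Windows Accounts Driver (windows_0) - Unknown owner - C:/WINDOWS/system32/Down(0).exe
O23 - Service: WinNetwork - Unknown owner - C:/WINDOWS/system32/WinNetwork.exe
"""
# Constructed from the D:/autorun.inf in the post (real files use backslashes in the key).
SAMPLE_AUTORUN = """\
[AutoRun]
open=sxs.exe
shellexecute=sxs.exe
shell\\Auto\\command=sxs.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)/\.\./Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"
AUTORUN_KEYS = ("open", "shellexecute", "shell/auto/command")
DDNS_SUFFIXES = (".3322.org",)          # assumption: the DDNS provider seen here; extend as needed
TRUSTED_DIRS = ("c:/windows/system32", "c:/program files")   # assumption: system drive is C:
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

def _norm(s):
    return s.replace("\\", "/").lower()

def parse_entry(line):
    """Return a dict for an O4 or O23 log line, None for any other line."""
    line = line.strip().replace("\\", "/")
    m = O4_RE.match(line)
    if m:
        return {"kind": "O4", "name": m["name"], "owner": m["hive"], "path": m["path"], "missing": False}
    m = O23_RE.match(line)
    if m:
        path, missing = m["path"], m["path"].endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)].rstrip()
        return {"kind": "O23", "name": m["name"], "owner": m["owner"], "path": path, "missing": missing}
    return None

def reasons_for(entry):
    """Heuristic reasons one entry deserves a closer look (assumptions, not fixed rules)."""
    p = _norm(entry["path"])
    folder, _, base = p.rpartition("/")
    reasons = []
    if entry["missing"]:
        reasons.append("points at a missing binary; stale registration")
    if base == "svchost.exe" and folder != "c:/windows/system32":
        reasons.append("svchost.exe outside system32 (name impersonation)")
    if re.fullmatch(r"[a-z]:", folder):
        reasons.append("binary in drive root")
    elif not folder.startswith(TRUSTED_DIRS):
        reasons.append(f"binary outside system32 or Program Files ({folder})")
    if entry["kind"] == "O23" and entry["name"].isdigit():
        reasons.append("bare numeric service name")
    if any(s in p or s in entry["name"].lower() for s in DDNS_SUFFIXES):
        reasons.append("dynamic-DNS hostname embedded in name or path")
    if "pigeon" in entry["name"].lower():
        reasons.append("names a known backdoor family (Gray Pigeon / Hupigon)")
    return reasons

def triage_log(log_text):
    """Return [(name, path, reasons)] for every flagged O4/O23 entry."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    service_paths = Counter(_norm(e["path"]) for e in entries if e["kind"] == "O23")
    report = []
    for e in entries:
        reasons = reasons_for(e)
        n = service_paths[_norm(e["path"])]
        if e["kind"] == "O23" and n > 1:
            reasons.append(f"same binary registered as {n} services")
        if reasons:
            report.append((e["name"], e["path"], reasons))
    return report

def parse_autorun(text):
    """Key/value pairs of the [AutoRun] section; keys lower-cased with '/' separators."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys[_norm(k.strip())] = v.strip()
    return keys

def autorun_launches(text):
    """Executables an autorun.inf would start on insertion or on double-clicking the drive."""
    keys = parse_autorun(text)
    return sorted({v for k, v in keys.items() if k in AUTORUN_KEYS and v.lower().endswith(EXEC_EXT)})

if __name__ == "__main__":
    for name, path, why in triage_log(SAMPLE_LOG):
        print(f"{name} -> {path}\n    " + "\n    ".join(why))
    print("autorun.inf would launch:", autorun_launches(SAMPLE_AUTORUN))
```

Run against the sample, eight of the eleven O4/O23 entries are flagged; bgswitch, DHCPmanager and WinNetwork pass every rule even though Dr.Web later identified the last two as Pigeon components, which is the usual limit of log-only heuristics and why the file metadata and a scanner verdict are still needed.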
Downloaded IceSword from http://endurer.ys168.com to inspect the processes and found one more hidden IE process.
Terminated the virus processes.
Stopped and disabled the services listed under O23.
Downloaded FileInfo and bat_do from http://purpleendurer.ys168.com. Used FileInfo to extract the file information and bat_do to pack up the virus files.
Downloaded Dr.Web CureIt (for how to use it, see:
Free malicious-program detection and removal tool---Dr.Web CureIt! http://endurer.bokee.com/5488502.html). Because of time constraints only c:/windows and c:/Documents and Settings were scanned; the results... will be added tomorrow.
============================
Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.10067)
[Scan path] c:/windows/htpatch.exe
c:/windows/htpatch.exe is hacktool program Tool.Htpatch
----------------------------
[Scan path] C:/WINDOWS
C:/WINDOWS/htpatch.exe is hacktool program Tool.Htpatch
>C:/WINDOWS/system32/DHCPmanager.exe.vi infected with BackDoor.Pigeon.1220 - deleted
C:/WINDOWS/system32/DHCPmanager.DLL.vi infected with BackDoor.Pigeon.680 - deleted
C:/WINDOWS/system32/DHCPMANAGERKEY.DLL.vi infected with BackDoor.Pigeon.1294 - deleted
C:/WINDOWS/system32/RpcS.dll infected with BackDoor.Klj - deleted
C:/WINDOWS/system32/WinNetwork.exe.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/WinNetwork.DLL.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/WINNETWORKKEY.DLL.vi infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/system32/ok6250522.3322.org.exe.vi probably infected with BINARYRES
C:/WINDOWS/system32/ok6250522.3322.org.dll.vi probably infected with DLOADER.Trojan
C:/WINDOWS/system32/drivers/i.sys is adware program Adware.Cdn
C:/WINDOWS/Temp/DHCPmanager0.DLL infected with BackDoor.Pigeon.680 - deleted
>C:/WINDOWS/Temp/WinNetwork0.DLL infected with BackDoor.Pigeon.1562 - deleted
>C:/WINDOWS/Temp/WinNetwork1.DLL infected with BackDoor.Pigeon.1562 - deleted
[Scan path] C:/Documents and Settings
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/WinNetwork.exe.xor infected with BackDoor.Pigeon.1562 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/DHCPMANAGERKEY.DLL.xor infected with BackDoor.Pigeon.1294 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temp/MPSampleSubmit/DHCPmanager.DLL.xor infected with BackDoor.Pigeon.680 - deleted
>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/68YH35WC/icast[1].js
>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/LVN1357C/formdatecheck[1].js
C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/ZVPBN9SW/network[1].exe infected with BackDoor.Pigeon.1562 - deleted
----------------------------
c:/windows/htpatch.exe - deleted
C:/WINDOWS/htpatch.exe - deleted
C:/WINDOWS/system32/ok6250522.3322.org.exe.vi - deleted
C:/WINDOWS/system32/ok6250522.3322.org.dll.vi.vi - will be deleted after reboot
C:/WINDOWS/system32/drivers/i.sys - deleted
============================
Total session statistics
============================
Objects scanned: 30891
Infected objects found: 14
Objects with modifications found: 0
Suspicious objects found: 2
Adware programs found: 1
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 2
Objects cured: 0
Objects deleted: 19
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 1800 Kb/s
Scan time: 00:28:41
============================
Used HijackThis to fix the suspicious items.
For the files Dr.Web CureIt failed to find and remove, generated commands with bat_do that clear all file attributes and delete the files, to be executed at the next startup.
檔案說明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
屬性 : -SHR
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-12 18:29:56
修改時間 : 1980-4-2 7:1:26
訪問時間 : 2007-4-16 0:0:0
大小 : 27664 位元組 27.16 KB
MD5 : 66e062502fb59d9157526f25614dfdfc
檔案說明符 : D:/sxs.exe
屬性 : -SH-
擷取檔案版本資訊大小失敗!
建立時間 : 2006-9-2 20:28:51
修改時間 : 2006-8-11 2:12:48
訪問時間 : 2007-4-16 0:0:0
大小 : 33815 位元組 33.23 KB
MD5 : 1781cb8004dc700ac66d799c35ac5c5a
Kaspersky reports it as Trojan-PSW.Win32.QQPass.jn
檔案說明符 : C:/net.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-2 7:1:34
修改時間 : 1980-4-2 7:1:36
訪問時間 : 2007-4-16 0:0:0
大小 : 315697 位元組 308.305 KB
MD5 : 8b50d965ffacdb56e00e670ad105fa53
檔案說明符 : C:/WINDOWS/Hac.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-5 13:33:5
修改時間 : 2007-4-5 13:33:6
訪問時間 : 2007-4-16 0:0:0
大小 : 627712 位元組 613.0 KB
MD5 : 9dd4cae0b290fc6c3183e0b867079ea3
檔案說明符 : C:/WINDOWS/system32/Down(0).exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-2 7:1:31
修改時間 : 1980-4-2 7:1:30
訪問時間 : 2007-4-16 0:0:0
大小 : 17920 位元組 17.512 KB
MD5 : 911c879eba7bc9a474ec8fa5c327d6b6
檔案說明符 : C:/WINDOWS/system32/WinNetwork.DLL
屬性 : ASHR
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-8 22:6:5
修改時間 : 1980-4-2 7:1:12
訪問時間 : 2007-4-16 0:0:0
大小 : 257258 位元組 251.234 KB
MD5 : 3ffee9665b61a4cb9155098b0fa63a01
Kaspersky reports it as Backdoor.Win32.Hupigon.edb
檔案說明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
屬性 : ASHR
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-12 18:29:56
修改時間 : 1980-4-2 7:1:26
訪問時間 : 2007-4-16 0:0:0
大小 : 27664 位元組 27.16 KB
MD5 : 66e062502fb59d9157526f25614dfdfc
Kaspersky reports it as Backdoor.Win32.Hupigon.cge
檔案說明符 : C:/WINDOWS/system32/DHCPmanager.exe
屬性 : ASHR
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-3 23:39:46
修改時間 : 1980-4-2 7:1:40
訪問時間 : 2007-4-16 0:0:0
大小 : 293058 位元組 286.194 KB
MD5 : 0c8db59d9480bb0eb745fc97dd2bd729
檔案說明符 : C:/WINDOWS/system32/WinNetwork.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 1980-4-8 22:6:2
修改時間 : 1980-4-2 7:1:42
訪問時間 : 2007-4-16 0:0:0
大小 : 315697 位元組 308.305 KB
MD5 : 8b50d965ffacdb56e00e670ad105fa53
Kaspersky reports it as Backdoor.Win32.Hupigon.edb
檔案說明符 : C:/backup/backupms0213313751.exe
屬性 : -SHR
擷取檔案版本資訊大小失敗!
建立時間 : 2007-3-21 19:51:1
修改時間 : 2007-3-21 20:49:42
訪問時間 : 2007-4-16 0:0:0
大小 : 624236 位元組 609.620 KB
MD5 : e855d4668047e699077d5b3b5e6eb250
C:/>dir backup /a
磁碟機 C 中的卷沒有標籤。
卷的序號是 84E4-56E2
C:/backup 的目錄
2007-03-21 19:51 <DIR> .
2007-03-21 19:51 <DIR> ..
2007-03-21 20:49 624,236 backupms0213313751.exe
2007-04-16 16:52 18,944 Down(0).exe
2007-04-16 13:06 18,944 Down(1).exe
2007-04-13 22:05 18,944 Down(2).exe
2007-04-13 22:08 18,944 Down(3).exe
2007-04-05 17:59 18,944 Down(4).exe
2007-04-05 17:59 18,944 Down(5).exe
2007-04-02 18:53 18,944 Down(6).exe
2007-04-02 18:53 18,944 Down(7).exe
2007-03-31 20:50 18,944 Down(8).exe
2007-03-31 20:13 18,944 Down(9).exe
2007-03-31 20:13 18,944 Down(10).exe
2007-03-31 20:13 18,944 Down(11).exe
2007-03-31 20:13 18,944 Down(12).exe
2007-03-31 20:13 18,944 Down(13).exe
2007-03-31 20:13 18,944 Down(14).exe
16 個檔案 908,396 位元組
2 個目錄 3,691,520,000 可用位元組
檔案說明符 : C:/WINDOWS/system32/ok6250522.3322.org.dll
屬性 : -SHR
語言 : 中文(中國)
檔案版本 : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
說明 : Microsoft® Windows® Operating System
著作權 : Microsoft Corporation. All rights reserved.
備忘 :
產品版本 : 5.1.2600.2180
產品名稱 : Microsoft® Windows® Operating System
公司名稱 : Microsoft Corporation
合法商標 :
內部名稱 : VipDll
源檔案名稱 : msgsvc4.dll
建立時間 : 2007-4-15 14:21:31
修改時間 : 2007-4-15 14:21:32
訪問時間 : 2007-4-16 0:0:0
大小 : 17408 位元組 17.0 KB
MD5 : 74d1ab119831c91da4bc22d44761fcd4
檔案說明符 : C:/WINDOWS/system32/ok6250522.3322.org.exe
屬性 : A---
擷取檔案版本資訊大小失敗!
建立時間 : 2007-4-15 14:21:28
修改時間 : 2007-4-16 13:32:18
訪問時間 : 2007-4-16 0:0:0
大小 : 43008 位元組 42.0 KB
MD5 : 212b77e3914735ee18ef5fde966870b4
檔案說明符 : C:/WINDOWS/htpatch.exe
屬性 : A--R
擷取檔案版本資訊大小失敗!
建立時間 : 2007-11-15 10:55:18
修改時間 : 2002-12-20 0:40:24
訪問時間 : 2007-4-16 0:0:0
大小 : 28672 位元組 28.0 KB
MD5 : 47122e4e9b3da3e6ee66e1a56aae8f57
Dr.Web reports it as Tool.Htpatch
G_Server1.23.exe: Kaspersky reports it as Packed.Win32.PePatch.ev
DHCPmanager.exe, DHCPmanager.DLL and DHCPMANAGERKEY.DLL: Kaspersky reports them as Backdoor.Win32.Hupigon.emr
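The FileInfo records above carry signals that a scanner signature does not need but an analyst does: system+hidden attributes on executables, 1980 timestamps that predate the machine, htpatch.exe with a creation time later than the scan, a DLL whose version resource names msgsvc4.dll while it sits on disk as ok6250522.3322.org.dll, and C:/net.exe sharing one MD5 with WinNetwork.exe. As an added example (my code, not from the post and not the FileInfo or bat_do tools), the Python below parses records in FileInfo's output format using its Chinese field labels, applies those checks, and writes the attrib/del lines of the kind bat_do is used for above. The sample records are trimmed copies of records on this page; the 1995 plausibility floor and the scan time taken from the HijackThis header are my assumptions.

```python
# Added example: anomaly checks over FileInfo-style records and generation of
# attrib/del cleanup lines. Not code from the post, FileInfo or bat_do; the
# thresholds below are assumptions.
from collections import defaultdict
from datetime import datetime

SCAN_TIME = datetime(2007, 4, 16, 22, 1)      # from the HijackThis log header (assumption)
EARLIEST_PLAUSIBLE = datetime(1995, 1, 1)     # assumption: no real file on this XP box predates this

# Constructed from FileInfo records in the post, trimmed to the fields used here.
SAMPLE_RECORDS = """\
檔案說明符 : C:/WINDOWS/system32/WINNETWORKKEY.DLL
屬性 : -SHR
建立時間 : 2007-4-12 18:29:56
修改時間 : 1980-4-2 7:1:26
MD5 : 66e062502fb59d9157526f25614dfdfc
檔案說明符 : C:/net.exe
屬性 : A---
建立時間 : 1980-4-2 7:1:34
修改時間 : 1980-4-2 7:1:36
MD5 : 8b50d965ffacdb56e00e670ad105fa53
檔案說明符 : C:/WINDOWS/system32/WinNetwork.exe
屬性 : A---
建立時間 : 1980-4-8 22:6:2
修改時間 : 1980-4-2 7:1:42
MD5 : 8b50d965ffacdb56e00e670ad105fa53
檔案說明符 : C:/WINDOWS/htpatch.exe
屬性 : A--R
建立時間 : 2007-11-15 10:55:18
修改時間 : 2002-12-20 0:40:24
MD5 : 47122e4e9b3da3e6ee66e1a56aae8f57
檔案說明符 : C:/WINDOWS/system32/ok6250522.3322.org.dll
屬性 : -SHR
公司名稱 : Microsoft Corporation
源檔案名稱 : msgsvc4.dll
建立時間 : 2007-4-15 14:21:31
修改時間 : 2007-4-15 14:21:32
MD5 : 74d1ab119831c91da4bc22d44761fcd4
"""

# FileInfo's output labels mapped to field names; unknown labels are skipped.
FIELDS = {"檔案說明符": "path", "屬性": "attrs", "建立時間": "created", "修改時間": "modified",
          "MD5": "md5", "公司名稱": "company", "源檔案名稱": "original_name"}

def parse_records(text):
    """Split FileInfo output into one dict per file; a new record starts at each 檔案說明符 line."""
    records, cur = [], None
    for line in text.splitlines():
        if " : " not in line:
            continue
        label, value = (s.strip() for s in line.split(" : ", 1))
        key = FIELDS.get(label)
        if key == "path":
            cur = {"path": value}
            records.append(cur)
        elif key and cur is not None:
            if key in ("created", "modified"):
                value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            elif key == "md5":
                value = value.lower()
            cur[key] = value
    return records

def check_record(r, scan_time=SCAN_TIME):
    """Per-file anomalies: attributes, timestamp plausibility, version-resource name mismatch."""
    reasons = []
    attrs = r.get("attrs", "")
    if "S" in attrs and "H" in attrs:
        reasons.append("system+hidden attributes on an executable")
    created, modified = r.get("created"), r.get("modified")
    if created and created > scan_time:
        reasons.append("creation time is in the future relative to the scan")
    for label, ts in (("creation", created), ("modification", modified)):
        if ts and ts < EARLIEST_PLAUSIBLE:
            reasons.append(f"implausible {label} time {ts:%Y-%m-%d}")
    on_disk = r["path"].rsplit("/", 1)[-1].lower()
    if r.get("original_name") and r["original_name"].lower() != on_disk:
        reasons.append(f"version resource says {r['original_name']}, on-disk name differs")
    return reasons

def triage_records(text, scan_time=SCAN_TIME):
    """Return {path: reasons} for every record with at least one anomaly, including MD5 twins."""
    records = parse_records(text)
    by_md5 = defaultdict(list)
    for r in records:
        if "md5" in r:
            by_md5[r["md5"]].append(r["path"])
    report = {}
    for r in records:
        reasons = check_record(r, scan_time)
        twins = [p for p in by_md5.get(r.get("md5"), []) if p != r["path"]]
        if twins:
            reasons.append("identical content also at " + ", ".join(twins))
        if reasons:
            report[r["path"]] = reasons
    return report

def cleanup_batch(paths):
    """Batch lines that strip S/H/R attributes and then delete, for a boot-time cleanup script."""
    lines = []
    for p in paths:
        win = p.replace("/", "\\")
        lines.append(f'attrib -S -H -R "{win}"')
        lines.append(f'del /F /Q "{win}"')
    return lines

if __name__ == "__main__":
    report = triage_records(SAMPLE_RECORDS)
    for path, why in report.items():
        print(path + "\n    " + "\n    ".join(why))
    print("\n".join(cleanup_batch(sorted(report))))
```

Note that a creation time later than the modification time on its own is not evidence of tampering, since copying a file keeps the source's modification time and stamps a fresh creation time; that is why the checks key on absolute plausibility (before 1995, after the scan) rather than on the order of the two timestamps.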