前段时间"大象"说有个样本 "boot.exe"很恐怖的,我们都说要这个样本咯,然后他说不想那么快放出来,但是最后还是在 "动物园样本区"放出来了,反病毒就要敢于试毒,相信G-AVR的都和我一样。
前段时间"大象"说有个样本 "boot.exe"很恐怖的,我们都说要这个样本咯,然后他说不想那么快放出来,但是最后还是在 "动物园样本区"放出来了,哈,反病毒就要敢于试毒,相信G-AVR的都和我一样,只是我比较菜,所以写的不好请大家原谅!期末没大多时间整理,请各位反病毒高手见谅!
SHA-160 : 61D84A068E1116F162FA36088E40E6A6C74898B5
MD5 : 7AECBB688406A738F1FEE28593BAF3D9
CRC-32 : 698D690E
autorun.inf :
[Autorun]
shell\open=打开(&O)
shell\open\Command=boot.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=boot.exe
1.病毒行为:
boot.exe 加载 驱动 IsDrv118.sys
进程:
路径: C:\Documents and Settings\Administrator\桌面\boot.exe
PID: 1252
驱动:
路径: C:\WINDOWS\system32\drivers\IsDrv118.sys
信息: NVIDIA Compatible Windows Miniport Driver, Version 91.31 (NVIDIA Corporation)
-------------------------------------------------------------------------
程序boot.exe 尝试直接存取物理内存,可获得对.系统的完全控制权限.
进程:
路径: C:\Documents and Settings\Administrator\桌面\boot.exe
PID: 1252
对象:
路径: C:\WINDOWS\explorer.exe
信息: Windows Explorer (Microsoft Corporation)
此项允许修改其它程序的虚拟内存,且可用以调整其它程序的性能。
-------------------------------------------------------------------------
程序boot.exe 尝试获取对其他程序的完全控制权限.
进程:
路径: C:\Documents and Settings\Administrator\桌面\boot.exe
PID: 1252
对象:
路径: C:\WINDOWS\explorer.exe
信息: Windows Explorer (Microsoft Corporation)
此项允许获得全部控制于另一进程的某线程上,且可能被用于“DLL注入”。
C:\windows\system32\linkinfo.dll 注入 explorer
-----------------------------------------------------------------------
boot.exe遇到问题.需要关闭.
进程中发现多了一个 C:\windows\system32\cidaemon.exe
模块中也有 C:\windows\system32\linkinfo.dll
然后发现 boot.exe 和 autorun.inf消失了!!! 但是它确切存在!!!
扫描日志:
PE_CORELINK.C[virus found]
-->reboot delete file("C:\windows\linkinfo.dll","","") success
-->add folder("C:\windows\dce_temp","","") success
-->reboot rename file("C:\windows\dce_temp","C:\windows\linkinfo.dll","") success
-->delete process("C:\windows\Explorer.EXE","","") success
TROJ_AGENT.THK[virus found]
-->delete file("C:\windows\system32\DRIVERS\nvmini.sys","","") success
-->add file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify file("C:\Documents and Settings\Administrator\桌面\TSC_869_for_PE_CORELINK_C\corelink.vbs","","") success
-->modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Runonce","CORELINK") success
- -! 一个采用rootkit技术的恶性病毒! 也是我测试过cmd以后.的第2个采用Rootkit技术的...汗啊~ 看来以后要加油了~