近期一个名为Win32.PSWTroj.OnLineGames.167936的盗号木马利用映像劫持技术让众多国内外安全软件失效。
这是一个盗号木马,它会注入用户电脑的系统进程中运行,盗取病毒作者指定的帐号和密码。在磁盘中释放出以下文件:
C:\WINDOWS\SYSTEM32\gstwxb |
在注册表中创建了以下信息:
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\DrvAnti.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\avp.com"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\avp.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\runiep.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\PFW.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\FYFireWall.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\rfwmain.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\rfwsrv.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\KAVPF.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\KPFW32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\nod32kui.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\nod32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\Navapsvc.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\Navapw32.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\avconsol.exe"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\webscanx.exe" |
在注册表中设置了以下信息:
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\DrvAnti.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\avp.com" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\avp.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\runiep.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\PFW.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\FYFireWall.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\rfwmain.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\rfwsrv.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\KAVPF.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\KPFW32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\nod32kui.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\nod32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\Navapsvc.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\Navapw32.exe" "Debugger" "ntsd -d"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KAV32.exe\avconsol.exe" "Debugger" "ntsd -d" |
在系统中创建了以下进程:
病毒尝试使用[SeDebugPrivilege]权限枚举进程。
在系统中创建了以下服务:
服务名:"gstwxb (gstwxb)"
映像路径:"C:\WINDOWS\SYSTEM32\gstwxb"。