Caught this morning on an adult site (sigh, it really is a piece of work).
Since it is much like the previous ones, here is a quick analysis~
0. Checks whether explorer.exe and spoolsv.exe have the ntfs.dll module loaded, and looks for the string "ssppoooollssvv" (a mutex).
If either is found, it exits.
1. It first starts a process, spoolsv.exe, which is the print spooler service process.
Even with the system's print service disabled, Robot Dog (机器狗) can still start it.
In Task Manager it is easy to tell apart: this copy runs with the current user's privileges (the genuine service runs as SYSTEM).
2. Drops Ntfs.dll into the temp folder and %SystemRoot%\system32\drivers\,
and tries to inject it into spoolsv.exe. The injection did not succeed during testing.
3. Decrypts the encrypted string carried in the virus body:
10004180=userinit.10004180 (ASCII "NB0dDqN55bCYi1jO4jtulzpa2G3iC244")(ecx)
77C178C0 8B01 mov eax, dword ptr ds:[ecx]
77C178C2 BA FFFEFE7E mov edx, 7EFEFEFF
77C178C7 03D0 add edx, eax
77C178C9 83F0 FF xor eax, FFFFFFFF
77C178CC 33C2 xor eax, edx
77C178CE 83C1 04 add ecx, 4 ; loop
77C178D1 A9 00010181 test eax, 81010100
Each iteration reads one dword and adds 7EFEFEFF to it (edx),
then XORs the dword with FFFFFFFF (eax),
then xor eax, edx.
The final decrypted result is: hXXp://a1.av.gs/tick.asp
From that site it fetches urlabcdown.txt and reads its contents:
It then downloads 27 account-stealing ***, quite a complete assortment: 大话, 梦幻, 机战, 奇迹, 传奇, QQ, QQgame and so on.
They are dropped to %SystemRoot%\system32\drivers.
4. Loads the driver %SystemRoot%\system32\drivers\puid.sys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,75,00,69,00,64,00,2e,00,73,\
00,79,00,73,00,00,00
"DisplayName"="puid"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid\Enum]
"0"="Root\\LEGACY_PUID\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
It also drops iefjsdfas.txt, which records some information about puid.sys.
If the contents of iefjsdfas.txt do not match what is actually on disk, it presumably concludes that puid.sys is an immunization folder or an invalid file,
in which case it may delete the file and load the driver again.
(Unverified; I blocked its driver loading.)
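As an added example (not part of the original post), the script below parses the puid service export above, decoding the hex(2) ImagePath (a REG_EXPAND_SZ stored as UTF-16LE bytes) and mapping the Type and Start dwords to their Windows service constants, so an analyst can confirm exactly what the key registers. The export text is copied from the post into a constant; the constant tables come from the Windows SDK headers.

```python
import re

# The puid service key as exported above (copied into the script as a constant).
PUID_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,75,00,69,00,64,00,2e,00,73,\
00,79,00,73,00,00,00
"DisplayName"="puid"
"""

# Service constants from the Windows SDK (winnt.h / winsvc.h).
SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def parse_reg_values(text):
    """Return {value name: decoded value} for a single-key .reg fragment.

    Supports the three encodings used in the export: dword:, hex(2): (a
    REG_EXPAND_SZ stored as comma-separated UTF-16LE bytes, continued across
    lines with a trailing backslash) and plain quoted strings.
    """
    joined = re.sub(r",\\\r?\n\s*", ",", text)  # undo backslash line continuation
    values = {}
    for line in joined.splitlines():
        m = re.match(r'^"([^"]+)"=(.*)$', line.strip())
        if not m:
            continue  # key header, blank line or unsupported syntax
        name, raw = m.groups()
        if raw.startswith("dword:"):
            values[name] = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[name] = raw[1:-1]
    return values


def describe_driver_service(values):
    """Summarise a service key the way an analyst wants to read it."""
    return {
        "display_name": values["DisplayName"],
        "image_path": values["ImagePath"],  # relative to %SystemRoot%
        "type": SERVICE_TYPES.get(values["Type"], hex(values["Type"])),
        "start": START_TYPES.get(values["Start"], hex(values["Start"])),
    }


if __name__ == "__main__":
    for k, v in describe_driver_service(parse_reg_values(PUID_REG_EXPORT)).items():
        print(f"{k:13}: {v}")
```

The decoded ImagePath is System32\DRIVERS\puid.sys, and Type 1 with Start 3 is a kernel driver loaded on demand, which matches the dropper loading puid.sys itself rather than the system loading it at boot.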
5. Takes a process snapshot every 30 seconds and terminates any process whose name matches one of the following strings:
antiarp.exe
360tray.exe
360Safe.exe
6. In addition, puid.sys may modify userinit.exe in order to get through disk-restore (rollback) protection.