
Anti-virus Killer variant BE (Worm.Win32.AvKiller.be)

Threat level: ★★★
Virus name: Worm.Win32.AvKiller.be
Captured: 2007-9-26
Type: virus
Affected operating systems: Windows XP, Windows NT, Windows Server 2003, Windows 2000
Threat profile:
    Propagation level: high
    Global spread: low
    Removal difficulty: difficult
    Destructive potential: high
Damage methods: spreads through IM programs, downloads malware from a list of URLs, steals sensitive user information

This is a worm whose executable is protected with the Upack packer.

On startup the worm calls CreateMutex to create a mutex named "system" so that only one instance runs on the system; if the mutex already exists, the worm exits immediately.

It then raises its own privileges with LookupPrivilegeValueA and AdjustTokenPrivileges and enumerates every process on the system looking for the following image names: "360Safe.exe", "360tray.exe", "VsTskMgr.exe", "UpdaterUI.exe", "TBMon.exe", "scan32.exe", "VPC32.exe", "VPTRAY.exe", "KRegEx.exe", "kvsrvxp.kxp", "kvsrvxp.exe", "KVWSC.EXE", "Iparmor.exe", "AST.EXE". Any process in this list is killed with TerminateProcess, leaving the system without protection.

The worm copies itself into the %SYSTEM32% directory under the names iexplrer.exe and explorer.exe. It uses GetDriveType to identify removable storage devices and local fixed disks, and writes an autorun.inf together with a copy of itself (explorer.exe) to the root of each. The autorun.inf reads:

    [autorun]
    Open=explorer.exe
    Shellexecute=explorer.exe
    Shell\Auto\command=explorer.exe
    Shell=Auto

Next the worm modifies the registry in the following places:

    SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\advanced\folder\hidden\showall\
    CheckedValue is set to 0. This disables the "show hidden files" option in Explorer so that the worm's files stay hidden.

    HKEY_CLASSES_ROOT\Rising.QuickScan\shell\open\command
    The command is changed to C:\windows\system32\iexplorer.exe, so that invoking the anti-virus quick scan launches the worm instead.
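The autorun.inf above combines a direct launch directive (Open/Shellexecute), a custom verb, and a Shell= line that makes the custom verb the double-click action. The following Python triage routine is an added example written for this page (not code from the original analysis); it parses an autorun.inf and flags each of those launch paths so a responder can sort a batch of collected files quickly. Both sample files are constructed: the first mirrors the content described in the analysis, the second is a benign icon-only file.

```python
"""Triage autorun.inf files for executable auto-launch directives.

Added example for this page; not code from the original analysis.
The two sample files below are constructed, not captured from a host.
"""
import configparser
import re

# Constructed copy of the autorun.inf the analysis attributes to the worm
WORM_AUTORUN = """[autorun]
Open=explorer.exe
Shellexecute=explorer.exe
Shell\\Auto\\command=explorer.exe
Shell=Auto
"""

# Constructed benign autorun.inf: only a drive icon and label
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

# Extensions that AutoRun can execute directly
EXEC_EXT = re.compile(r"\.(exe|pif|com|scr|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    RawConfigParser leaves '%' alone (no interpolation); strict=False tolerates
    the duplicated keys seen in real-world autorun.inf files.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str.lower          # INF keys are case-insensitive
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return dict(cp.items("autorun"))


def triage_autorun(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    sec = parse_autorun(text)
    findings = []

    # Direct launch directives: Open= and Shellexecute=
    for key in ("open", "shellexecute"):
        if key in sec and EXEC_EXT.search(sec[key]):
            findings.append(f"{key}= launches executable '{sec[key]}'")

    # Custom verbs of the form shell\<verb>\command=<target>
    verbs = {}
    for key, value in sec.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verbs[m.group(1).lower()] = value
            if EXEC_EXT.search(value):
                findings.append(f"custom verb '{m.group(1)}' runs '{value}'")

    # Shell=<verb> makes that custom verb the default double-click action
    default = sec.get("shell", "").lower()
    if default and default in verbs:
        findings.append(
            f"shell={sec['shell']} makes '{verbs[default]}' the double-click action")
    return findings


if __name__ == "__main__":
    for name, sample in (("worm", WORM_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, triage_autorun(sample) or ["clean"])
```

The Shell= check matters because a file that only sets a custom verb is not dangerous until Shell= (or the AutoRun defaults) routes the double-click to it; the worm's file does both, so it produces four findings, while the icon-only file produces none.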
The worm also creates the following Image File Execution Options keys:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.exe\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.exe\
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.exe\

Under each of these keys it adds the value Debugger = "C:\WINDOWS\system32\iexplorer.exe". Once this is in place, launching any of the listed programs redirects straight to the worm at C:\WINDOWS\system32\iexplorer.exe instead.

The worm then starts an Iexplore.exe, uses FindWindow to locate the IEFrame window, obtains its process ID with GetWindowThreadProcessId, opens that process, allocates a memory region in it with VirtualAlloc, and writes a block of code into it with WriteProcessMemory. That code downloads programs from the URLs below in turn, saves them as C:\winl.pif, C:\winns.pif, C:\system.pif and C:\windows.pif, and runs them.

The URLs are:

    http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    http://%6D%6D%62%65%73%74%39%39%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    http://%77%77%77%2E%68%61%63%6B%xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

These addresses are no longer live, so what kind of malware they served could not be determined.

Finally, the worm uses SetTimer to install a callback that runs every two minutes. The callback copies the worm into the %SYSTEM32% directory again, writes autorun.inf and a copy of the worm to removable storage devices and local disks, and sends the worm to the user's contacts through instant-messaging software (such as QQ) under enticing file names, for example "my sexy photos".
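The IFEO Debugger value is a legitimate developer feature, so the defensive question is not "is a Debugger set?" but "which images share one Debugger target, and does that target look like a debugger?". The worm's pattern, over twenty security tool images all pointing at the same file in system32, stands out when the entries are grouped by target. The Python below is an added example for this page (not code from the original analysis): it parses a Regedit 5.00 export of the IFEO tree and of the Explorer SHOWALL key, groups Debugger targets, and reports the disabled "show hidden files" setting. The .reg text is constructed to mirror the analysis; the HKLM hive for the SHOWALL key and the windbg entry are assumptions used to show a benign Debugger beside the hijacks.

```python
"""Audit a Regedit 5.00 export for IFEO Debugger hijacks and a disabled
Explorer SHOWALL option.

Added example for this page; not code from the original analysis.
SAMPLE_REG is constructed (what `reg export` of the two keys would look like),
not a capture from an infected host.
"""
import re
from collections import defaultdict

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options")
# Hive assumed (the analysis gives the path without it)
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE]
"Debugger"="C:\\WINDOWS\\system32\\iexplorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""


def _unescape(s):
    # .reg files escape '"' and '\' with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.

    REG_SZ values become str, REG_DWORD values become int; anything else is
    kept as its raw text. Default values (@=) are ignored.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def find_ifeo_debuggers(reg):
    """Map image name -> Debugger target for every IFEO subkey that sets one."""
    prefix = (IFEO_PREFIX + "\\").lower()
    result = {}
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if dbg is not None:
            result[key[len(prefix):]] = dbg
    return result


def audit(reg):
    """Return human-readable findings: Debugger targets grouped by path, plus
    the SHOWALL CheckedValue=0 tell the analysis describes."""
    findings = []
    by_target = defaultdict(list)
    for image, target in find_ifeo_debuggers(reg).items():
        by_target[target.strip('"').lower()].append(image)
    for target, images in sorted(by_target.items()):
        label = "shared Debugger target" if len(images) > 1 else "Debugger set"
        findings.append(f"{label}: {len(images)} image(s) -> {target}: "
                        + ", ".join(sorted(images)))
    showall = next((v for k, v in reg.items() if k.lower() == SHOWALL_KEY.lower()), {})
    if showall.get("CheckedValue") == 0:
        findings.append("SHOWALL CheckedValue is 0: Explorer 'show hidden files' disabled")
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f)
```

Grouping by target is what separates the hijack from the windbg entry: one debugger attached to one image is ordinary, while one file named after a browser sitting under system32 and attached to a list of anti-virus and registry tools is the worm's signature. On a live host the same functions work on the output of `reg export` for the two keys.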