Virus name: game8.exe
Virus size: 26,154 bytes
Packer: Upack 0.3.9 beta2s -> Dwing [Overlay]
Unpacked size: 88,064 bytes
Compiler: Borland Delphi v3.0 *
Threat level: 3
Fingerprints:
SHA-160 : 406414F2773FFC68B7E6A072042DD87FB7133904
MD5 : E069C3EF0C41B86AB48D00BE66D097DD
RIPEMD-160 : 4A96D08DFE08B0DF44E7FDC60DA75825CC10AFDF
CRC-32 : C86EC7DA
Detection names by vendor:
http://scanner.virus.org/
| Engine | Version | Result | Scan time |
|---|---|---|---|
| ArcaVir | 1.0.4 | Trojan.Psw.Onlinegames.Tu | 3.39794 secs |
| avast! | 3.0.0 | Clean | 0.00478077 secs |
| AVG Anti Virus | 7.5.47 | Clean | 2.68099 secs |
| BitDefender | 7.1 | Clean | 4.70251 secs |
| CAT QuickHeal | 9.00 | Clean | 4.4323 secs |
| ClamAV | 0.90/3270 | Clean | 0.208995 secs |
| Dr. Web | 4.33.0 | Clean | 8.75378 secs |
| F-PROT | 4.6.7 | Clean | 1.62262 secs |
| F-Secure | 1.02 | Clean | 0.209508 secs |
| H+BEDV AntiVir | 2.1.10-40 | Clean | 6.05688 secs |
| McAfee Virusscan | 5.10.0 | New Malware.n | 1.95304 secs |
| NOD32 | 2.51.1 | Clean | 3.49587 secs |
| Norman Virus Control | 5.70.01 | W32/Suspicious_U.gen | 6.74328 secs |
| Panda | 9.00.00 | Clean | 1.56817 secs |
| Sophos Sweep | 4.17.0 | Mal/Packer | 5.28013 secs |
| Trend Micro | 8.310-1002 | Clean | 0.499315 secs |
| VBA32 | 3.12.0 | Clean | 2.82012 secs |
| VirusBuster | 1.3.3 | Packed/Upack | 2.1315 secs |
http://www.virustotal.com
| Engine | Version | Signature date | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.5.16.1 | 05.18.2007 | no virus found |
| AntiVir | 7.4.0.23 | 05.18.2007 | no virus found |
| Authentium | 4.93.8 | 05.18.2007 | no virus found |
| Avast | 4.7.997.0 | 05.18.2007 | no virus found |
| AVG | 7.5.0.467 | 05.19.2007 | no virus found |
| BitDefender | 7.2 | 05.20.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 05.18.2007 | (Suspicious) - DNAScan |
| ClamAV | devel-20070416 | 05.19.2007 | no virus found |
| DrWeb | 4.33 | 05.19.2007 | no virus found |
| eSafe | 7.0.15.0 | 05.17.2007 | suspicious Trojan/Worm |
| eTrust-Vet | 30.7.3644 | 05.19.2007 | no virus found |
| Ewido | 4.0 | 05.19.2007 | Trojan.OnLineGames.tu |
| FileAdvisor | 1 | 05.20.2007 | no virus found |
| Fortinet | 2.85.0.0 | 05.20.2007 | suspicious |
| F-Prot | 4.3.2.48 | 05.18.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 05.18.2007 | W32/Suspicious_U.gen.dropper |
| Ikarus | T3.1.1.7 | 05.20.2007 | Trojan-Dropper.Win32.Agent.ane |
| Kaspersky | 4.0.2.24 | 05.20.2007 | Trojan-PSW.Win32.OnLineGames.tu |
| McAfee | 5034 | 05.18.2007 | New Malware.n |
| Microsoft | 1.2503 | 05.20.2007 | VirTool:Win32/Obfuscator.C |
| NOD32v2 | 2277 | 05.18.2007 | no virus found |
| Norman | 5.80.02 | 05.18.2007 | W32/Suspicious_U.gen |
| Panda | 9.0.0.4 | 05.19.2007 | Suspicious file |
| Prevx1 | V2 | 05.20.2007 | no virus found |
| Sophos | 4.17.0 | 05.18.2007 | Mal/Packer |
| Additional information |
| File size: 26154 bytes |
| MD5: e069c3ef0c41b86ab48d00be66d097dd |
| SHA1: 406414f2773ffc68b7e6a072042dd87fb7133904 |
| packers: UPACK |
| packers: UPack |
Author: [G-AVR]孤单每一天
Article URL:
http://hi.baidu.com/renlangliu/blog/item/8cb8094c7c0369f8d72afc2a.html
Test platform: Windows 2000 Professional SP4, inside a VM
Once run, the virus drops msport.dll, fksdy.dll, wgptl.dll, wtrmm.dll and hreax.dll into the %systemroot%\system32 directory and calls SetWindowsHookEx to hook explorer.exe, so that every process launched with explorer.exe as its parent gets injected. It adds a registry autostart entry and drops a batch file that deletes the original executable. Its threads guard each other, so a single thread cannot be terminated, and it rootkits its own registry autostart entry so that the entry cannot be located (the entry exists, but its value reads as empty).
Registry autostart entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}><C:\WINNT\system32\msacn.dll>
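As an added defender-side check (not part of the original post), the PowerShell script below enumerates the ShellExecuteHooks key named above, resolves each CLSID to the DLL registered under HKCR\CLSID\{...}\InprocServer32, and flags entries whose DLL is missing, does not exist on disk, or fails Authenticode validation; the known-bad CLSID is the one from the post, and the signature check is my assumption about what a responder would want to see.

```powershell
# Added example, not part of the original post.
# Inspects ShellExecuteHooks: each value name is a CLSID, and HKCR\CLSID\{clsid}\InprocServer32
# holds the DLL that Explorer will load. Entries with no DLL, a missing file, or an invalid
# Authenticode signature are reported as suspicious. Run from an elevated PowerShell prompt.
$HookKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$KnownBad = @('{1496D5ED-7A09-46D0-8C92-B8E71A4304DF}')   # CLSID reported in the post

function Get-ShellExecuteHookReport {
    if (-not (Test-Path -Path $HookKey)) { return }
    $key = Get-Item -Path $HookKey
    foreach ($clsid in $key.GetValueNames()) {
        # Only CLSID-shaped value names are hook registrations
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $valueData = [string]$key.GetValue($clsid)    # the post notes this is empty for the infected entry
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = ''
        if (Test-Path -Path $serverKey) {
            # The default value of InprocServer32 is the path of the COM server DLL
            $dll = [string](Get-Item -Path $serverKey).GetValue('')
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
        }
        $dllExists = $dll -and (Test-Path -Path $dll)
        $sigStatus = $null
        if ($dllExists) { $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status }

        $reasons = @()
        if ($KnownBad -contains $clsid)              { $reasons += 'CLSID reported in the post' }
        if (-not $dll)                               { $reasons += 'no InprocServer32 DLL registered' }
        if ($dll -and -not $dllExists)               { $reasons += 'DLL path does not exist' }
        if ($dllExists -and $sigStatus -ne 'Valid')  { $reasons += "signature status: $sigStatus" }

        [pscustomobject]@{
            CLSID      = $clsid
            ValueData  = $valueData
            Dll        = $dll
            Signature  = $sigStatus
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize
```

On 64-bit hosts the same check should also be run against the HKLM\SOFTWARE\Wow6432Node\...\ShellExecuteHooks key; the Windows 2000 test platform in the post has only the path above.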
Looking at the disassembly, the virus appears to have code that operates on the hosts file, although this did not run successfully under Windows 2000:
.Upack:004030FA mov ecx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
Removal:
Use SC to open the explorer.exe process, tick "Disable thread creation", select all of the virus threads listed above, then right-click and choose "Globally unload specified module" to remove the virus. SC can be downloaded from my network drive; see my earlier articles for a usage tutorial.