File: ie3.exe
Size: 15676 bytes
MD5: D3A62CD41F860D563ED1B81EA4DBEB1B
SHA1: AC4EFE2BBFC86D07072C6499C9A96339354D1DDE
CRC32: 73FEEDD5
Packer: Upack
Behavior analysis, local behavior:
1. Dropped files
%systemroot%\system32\gdmoyi32.cfg
%systemroot%\system32\gdmoyi32.dll
%systemroot%\system32\comint32.sys
%homedrive%\name.log
name.log contents (a single line):
system32\DRIVERS\comint32.sys
%userprofile%\Local Settings\Temp\tmp***.tmp
tmp***.tmp:
0000004D 0001004D 0 !This program cannot be run in DOS mode.
000001B8 000101B8 0 .text
000001DF 000101DF 0 h.rdata
00000207 00010207 0 HPAGE
00000258 00010258 0 .reloc
0000027F 0001027F 0 BZwOpenKey Wrong
00000294 00010294 0 ZwSetValueKey Value error 1
000002C0 000102C0 0 ZwSetValueKey Value error 2
000004E4 000104E4 0 H:\code\new\GameHack\RegDriver\objfre\i386\Reg.pdb
0000063C 0001063C 0 ZwCreateFile error
00000650 00010650 0 ZwQueryInformationFile error
00000670 00010670 0 ZwReadFile error
00000690 00010690 0 : %ws
0000072C 0001072C 0 SetRegSzValue Wrong
000007AB 000107AB 0 _VVj j
0000093E 0001093E 0 ZwClose
00000948 00010948 0 ZwSetValueKey
00000958 00010958 0 wcslen
00000962 00010962 0 DbgPrint
0000096E 0001096E 0 ZwOpenKey
0000097A 0001097A 0 RtlInitUnicodeString
00000992 00010992 0 ZwReadFile
000009A0 000109A0 0 ZwQueryInformationFile
000009BA 000109BA 0 ZwCreateFile
000009C8 000109C8 0 ntoskrnl.exe
00000A09 00010A09 0 2{3J3e3x3
00000A27 00010A27 0 7 84898f8z8
000002B4 000102B4 0 Start
0000060C 0001060C 0 \DosDevices\c:\name.log
00000698 00010698 0 ImagePath
000006B0 000106B0 0 \Registry\Machine\SYSTEM\CurrentControlSet\Services\AsyncMac
2. Main registry changes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AsyncMac\ImagePath
Old value: system32\DRIVERS\asyncmac.sys
New value: system32\DRIVERS\comint32.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AsyncMac\Start
New: DWORD: 2 (0x2)
Old: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsyncMac\ImagePath
Old value: system32\DRIVERS\asyncmac.sys
New value: system32\DRIVERS\comint32.sys
Newly added:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_COMINT32\
0000\Control\ActiveService
Value: string: "comint32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_COMINT32\
0000\DeviceDesc
Value: string: "comint32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_COMINT32\
0000\Legacy
Value: DWORD: 1 (0x1)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_COMINT32\
0000\Service
Value: string: "comint32"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_COMINT32\
NextInstance
Value: DWORD: 1 (0x1)
more...
PS: how it shows up in the SREng log
Drivers
[RAS Asynchronous Media Driver / AsyncMac][Running/Auto Start]
{system32\DRIVERS\comint32.sys}{N/A}
[comint32 / comint32][Running/Manual Start]
{\??\C:\WINDOWS\system32\DRIVERS\comint32.sys}{N/A}
【Solution】
1. Download the 费尔木马强力清除助手 (Filseclab trojan removal assistant, available from down.45its.com) and use it to delete the following files:
Usage: paste the paths of every file to be deleted (choose Remove; when asked whether to report, choose No; finally choose Yes)
%systemroot%\system32\gdmoyi32.cfg
%systemroot%\system32\gdmoyi32.dll
%systemroot%\system32\comint32.sys
%homedrive%\name.log
Remember to empty the temp directory: right-click drive C -- Properties -- Disk Cleanup
2. After rebooting, repair the registry (Start menu - Run - type "regedit" to open the Registry Editor, locate each key listed below in turn and change it as indicated)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AsyncMac\ImagePath
Value: system32\DRIVERS\comint32.sys
Change comint32.sys to asyncmac.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AsyncMac\Start
Value: DWORD: 2 (0x2)
Change to: DWORD: 3 (0x3)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsyncMac\ImagePath
Value: system32\DRIVERS\comint32.sys
Change comint32.sys to asyncmac.sys
Use SREng (available from down.45its.com) to delete the driver
[comint32 / comint32][Running/Manual Start]
{\??\C:\WINDOWS\system32\DRIVERS\comint32.sys}{N/A}
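The cleanup above is a manual procedure; the script below is an added example, not part of the original post, that performs the same checks from an elevated Windows PowerShell prompt: it compares the AsyncMac ImagePath and Start values in both control sets against the original values the report documents, looks for the LEGACY_COMINT32 enumeration key, the comint32 service key and the dropped files, and only writes to the registry when run with -Restore. The clean values (asyncmac.sys, Start = 3) and all paths come from the report; the switch name and output wording are this example's own. It does not delete files or the comint32 service, which the post handles with the removal tools it names.

```powershell
# Added example (not from the original post): check for, and optionally undo, the
# AsyncMac ImagePath hijack described in the report. Read-only unless -Restore is given.
# Must run from an elevated prompt to write under HKLM.
param([switch]$Restore)

$ErrorActionPreference = 'Stop'

# Service keys the report lists, with the original (clean) values it documents.
$serviceKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\AsyncMac',
    'HKLM:\SYSTEM\CurrentControlSet\Services\AsyncMac'
)
$cleanImagePath = 'system32\DRIVERS\asyncmac.sys'
$cleanStart     = 3   # original Start value per the report; the dropper sets it to 2

# Files the report says the sample drops.
$droppedFiles = @(
    (Join-Path $env:SystemRoot 'system32\gdmoyi32.cfg'),
    (Join-Path $env:SystemRoot 'system32\gdmoyi32.dll'),
    (Join-Path $env:SystemRoot 'system32\comint32.sys'),
    "$env:HOMEDRIVE\name.log"
)

# Registry keys the rogue driver creates for itself.
$rogueKeys = @(
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_COMINT32',
    'HKLM:\SYSTEM\CurrentControlSet\Services\comint32'
)

$findings = @()

foreach ($key in $serviceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    if ($props.ImagePath -and $props.ImagePath -ne $cleanImagePath) {
        $findings += "$key\ImagePath = '$($props.ImagePath)' (expected '$cleanImagePath')"
        if ($Restore) {
            Set-ItemProperty -Path $key -Name ImagePath -Value $cleanImagePath -Type ExpandString
        }
    }
    if ($null -ne $props.Start -and $props.Start -ne $cleanStart) {
        $findings += "$key\Start = $($props.Start) (expected $cleanStart)"
        if ($Restore) {
            Set-ItemProperty -Path $key -Name Start -Value $cleanStart -Type DWord
        }
    }
}

foreach ($key in $rogueKeys) {
    if (Test-Path $key) { $findings += "rogue registry key present: $key" }
}

foreach ($file in $droppedFiles) {
    if (Test-Path $file) { $findings += "dropped file present: $file" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this report were found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    if ($Restore) {
        Write-Output 'AsyncMac registry values restored; delete the listed files and the comint32 service after a reboot.'
    } else {
        Write-Output 'Re-run with -Restore to put the AsyncMac registry values back.'
    }
}
```

Run it once without -Restore to see what is present; the registry write is deliberately limited to the two AsyncMac values whose clean state the report documents, since the driver file is in use until the next reboot and the comint32 service entry is removed with SREng as described above.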