
Email-Worm.Win32.LovGate.ae ("Love Backdoor"): analysis and removal

Computer Hardware and Software Application Net, 45IT.COM  Date: 2007-07-22 08:44  Author: westbeck

Preface: This is a fairly old virus; if I remember correctly it first appeared around 2004. I downloaded the sample from Jianmeng today. Of the mail-worm family I had previously analysed only Warezov, and this Love Backdoor is rather well written: I spent more than four hours on it, looked up some material along the way, and there are still parts I do not understand. Tiring work, but one has to keep learning. I am a beginner, so there are bound to be omissions.

Virus name: Email-Worm.Win32.LovGate.ae (Kaspersky)
Size: 192000 bytes
Packer: multiple layers of ASPack and JDPack
Sample MD5: 42ab20ee5f4757a44edff753bc508840
Sample SHA1: cc2df80aea902bec125601cd3202a3e5e9010613
Language: Microsoft Visual C++ 6.0
Type: backdoor, worm
Propagation: email, network

Behaviour analysis:

When run, the virus drops copies of itself and its backdoor components to:
%Windows%\SVCHOST.EXE
%Windows%\SYSTRA.EXE
%System32%\HXDEF.EXE
%System32%\IEXPLORE.EXE
%System32%\KERNEL66.DLL
%System32%\RAVMOND.EXE
%System32%\TKBELLEXE.EXE
%System32%\UPDATE_OB.EXE
%System32%\LMMIB20.DLL
%System32%\MSJDBC11.DLL
%System32%\MSSIGN30.DLL
%System32%\NETMEETING.EXE
%System32%\ODBC16.DLL
%System32%\SPOLLSV.EXE

The virus copies itself to the root of every partition and creates an autorun.inf there:
AUTORUN.INF
COMMAND.EXE

Contents of AUTORUN.INF:
[AUTORUN]
Open="c:\COMMAND.EXE" /StartExplorer

The virus creates startup entries so that it is launched at every boot:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "RAVMOND.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
WinHelp = "C:\Windows\System32\TkBellExe.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Hardware Profile = "C:\Windows\System32\hxdef.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Program In Windows = "C:\Windows\System32\IEXPLORE.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Shell Extension = "C:\Windows\System32\spollsv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
SystemTra = "C:\Windows\SysTra.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
COM++ System = "svchost.exe"

The virus registers itself as a system service:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server Performs Scheduled scans for LANguard
Path to executable: %System32%\MSJDBC11.DLL

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_reg]
Display name: _reg
Description:
Path to executable: %System32%\MSJDBC11.DLL

The virus modifies the following registry entries so that double-clicking any .TXT file runs a copy of the virus instead of Notepad:
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
default = "Update_OB.exe %1"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
default = "Update_OB.exe %1"
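The persistence described in the preceding sections (autostart values, the hijacked .txt handler and the root autorun.inf) can be checked offline against an exported registry snapshot. The following is an added example written for this page, not code from the article; the snapshot dict, the autorun text and the "SecurityHealth" entry are constructed sample data, and the function and constant names are my own.

```python
import re

# Value name / file name pairs from the run-key listing above (lowercased). The pairing
# matters: bare "svchost.exe" or "iexplore.exe" would also flag legitimate entries.
LOVGATE_RUN_INDICATORS = {
    ("run", "ravmond.exe"),
    ("winhelp", "tkbellexe.exe"),
    ("hardware profile", "hxdef.exe"),
    ("vfw encoder/decoder settings", "mssign30.dll"),
    ("protected storage", "mssign30.dll"),
    ("microsoft netmeeting associates, inc.", "netmeeting.exe"),
    ("program in windows", "iexplore.exe"),
    ("shell extension", "spollsv.exe"),
    ("systemtra", "systra.exe"),
    ("com++ system", "svchost.exe"),
}
AUTOSTART_SUFFIXES = ("\\run", "\\runservices", "currentversion\\windows")

def find_lovgate_persistence(snapshot):
    """Scan {key_path: {value_name: data}} (stand-in for a registry export); return findings."""
    findings = []
    for key, values in snapshot.items():
        k = key.lower()
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            # .txt handler: anything but notepad is suspect; the article shows "Update_OB.exe %1".
            if k.endswith("txtfile\\shell\\open\\command") and "notepad.exe" not in d:
                findings.append(f"txtfile handler hijacked: {key} = {data}")
            elif k.endswith(AUTOSTART_SUFFIXES):
                for ind_name, ind_file in LOVGATE_RUN_INDICATORS:
                    if n == ind_name and ind_file in d:
                        findings.append(f"LovGate autostart entry: {key}\\{name} = {data}")
    return findings

def autorun_opens_root_command(autorun_text):
    """True when autorun.inf's Open= launches a file in the drive root, as Open="c:\\COMMAND.EXE" does."""
    m = re.search(r'^\s*open\s*=\s*"?([a-z]:\\[^"\s]+)', autorun_text, re.I | re.M)
    return bool(m) and m.group(1).count("\\") == 1

# Constructed sample data: two worm entries, one clean entry, one hijacked .txt handler.
SAMPLE_SNAPSHOT = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "WinHelp": r"C:\Windows\System32\TkBellExe.exe",
        "Protected Storage": "RUNDLL32.EXE MSSIGN30.DLL ondll_reg",
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    r"HKCR\txtfile\shell\open\command": {"(Default)": "Update_OB.exe %1"},
}
SAMPLE_AUTORUN = '[AUTORUN]\r\nOpen="c:\\COMMAND.EXE" /StartExplorer\r\n'
```

On a real host the snapshot would come from a `reg export` of the Run, RunServices, "Windows NT\CurrentVersion\Windows" and txtfile keys; the Classes copy under HKLM\Software\Classes is matched by the same suffix test.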


The virus can spread via MAPI: it searches the system for mailboxes and, once it finds one, replies to the messages it contains in order to propagate by email.

The messages it sends have the following characteristics:

Subject: Re: <original subject>

Body:

<original body>
<domain name> auto-reply:
wrote:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE <Domain name> now! <

Attachment (one of):
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
CloneAttack.rm.scr
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Besides MAPI, the virus also spreads using its own SMTP engine.

It harvests email addresses from files with the following extensions:
adb
asp
dbx
htm
php
sht
tbb

Sender:
{random name}.yahoo.com
The random names include:
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra

Body (one of):
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.
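The mail-side traits listed above (the "Re:" auto-reply shape, the fixed body fragments and the double-extension attachment names) can be turned into a simple mail-gateway heuristic. This is an added example for this page, not code from the article; the two sample messages are constructed, and the function and constant names are my own.

```python
# Extensions that execute on Windows and the decoy extensions the worm pairs them with,
# both taken from the attachment names listed above.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat")
DECOY_EXTS = (".zip", ".rar", ".rm", ".mp3", ".avi", ".doc", ".txt")
# Body fragments the article reports for the MAPI auto-reply and the SMTP-engine texts.
BODY_MARKERS = (
    "auto-reply:",
    "more look to the attachment",
    "the message sent as a binary attachment",
    "has been sent as a binary attachment",
    "mail failed. for further assistance, please contact",
)


def attachment_is_disguised(filename):
    """True for an executable hidden behind a document/media extension, e.g. 'Shakira.zip.exe'."""
    name = filename.strip().lower()
    if not name.endswith(EXECUTABLE_EXTS):
        return False
    return name.rsplit(".", 1)[0].endswith(DECOY_EXTS)


def score_lovgate_mail(subject, body, attachments):
    """Return (score, reasons) for one message; each independent LovGate trait adds one point."""
    reasons, b = [], body.lower()
    hit = next((m for m in BODY_MARKERS if m in b), None)
    if hit:
        reasons.append(f"body marker {hit!r}")
    # The MAPI variant quotes the victim's own mail back under a fake "auto-reply:" header.
    if subject.lower().startswith("re:") and "auto-reply:" in b:
        reasons.append("fake auto-reply to an existing thread")
    for att in attachments:
        if att.lower().endswith(EXECUTABLE_EXTS):
            reasons.append(f"executable attachment {att!r}")
        if attachment_is_disguised(att):
            reasons.append(f"double extension {att!r}")
    return len(reasons), reasons


# Constructed sample: the auto-reply shape described above, plus a benign reply for contrast.
WORM_MAIL = {
    "subject": "Re: quarterly figures",
    "body": "Please see attached.\nexample.org auto-reply:\nwrote:\nIf you can keep your head "
            "when all about you\n... ... more look to the attachment.\n> Get your FREE example.org now! <",
    "attachments": ["Me_nude.AVI.pif"],
}
BENIGN_MAIL = {"subject": "Re: quarterly figures", "body": "Thanks, figures attached.",
               "attachments": ["figures.pdf"]}
```

A score of 2 or more is a reasonable quarantine threshold: a plain executable attachment alone scores 1, while the worm's messages score 3 or 4.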

The virus avoids sending mail to addresses that contain any of the following strings:
.gov
.mil
avp
borlan
example
foo.
gov.
hotmail
icrosof
inpris
msn.
mydomai
nodomai
panda
ruslis
sopho
syma

The virus creates a shared folder named "Media" under the Windows directory and places the following copies of itself in it:
AUTOEXEC.BAT
CAIN.PIF
CLIENT.EXE
documents and settings.txt.exe
FINDPASS.EXE
I386.EXE
internet explorer.bat
microsoft office.exe
MMC.EXE
MSDN.ZIP.PIF
SUPPORT TOOLS.EXE
WINDOWUPDATE.PIF
windows media player.zip.exe
WINHLP32.EXE
WINRAR.EXE
XCOPY.EXE

The virus also tries the following usernames and passwords against other computers on the LAN, using the IPC$ and ADMIN$ shares that the system enables by default to reach the "Admin$" share and spread:
Guest
Administrator
zxcv
yxcv
test123
test
temp123
temp
sybase
super
secret
pw123
Password
owner
oracle
mypc123
mypc
mypass123
mypass
love
login
Login
Internet
home
godblessyou
enable
database
computer
alpha
admin123
Admin
abcd
88888888
2004
2600
2003
123asd
123abc
123456789
1234567
123123
121212
11111111
00000000
000000
pass
54321
12345
password
passwd
server
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
1234
root
abc123
12345678
abcdefg
abcdef
888888
666666
111111
admin
administrator
guest
654321
123456

If the login succeeds, the virus writes a copy of itself named "NETMANAGER.EXE" into the remote machine's "Admin$\System32" folder.

The virus starts a service named "Windows Management NetWork Service Extensions".

The virus uses the Net Stop command to try to stop the services of security software:
Symantec AntiVirus Client
Symantec AntiVirus Server
Rising Realtime Monitor Service

It also terminates security- and antivirus-related processes whose names match the following strings:
KV
KAV
Duba
NAV
kill
RavMon.exe
Rfw.exe
Gate
McAfee
Symantec
SkyNet
rising

The virus collects stored information and passwords from the computer, records them in C:\Netlog.txt, and periodically sends the file to hello_zyx@163.com.

The virus also creates the following archive files on drives E and F and sends them out:
setup.ZIP
setup.RAR
WORK.RAR
WORK.ZIP
install.ZIP
install.RAR
bak.RAR
bak.ZIP
letter.RAR
letter.ZIP
