Caught this on an adult site this morning (sigh, it really is a piece of work).
Since it is much like the previous one, here is a brief analysis~
0. Checks whether explorer.exe and spoolsv.exe have an ntfs.dll module loaded, and looks for the string "ssppoooollssvv" (a mutex).
If either is found, it exits.
1. First starts a process, spoolsv.exe, which is a print-service related process.
Even if the system's print service is disabled, it can still be started by the Robot Dog (機器狗) trojan.
In Task Manager you can see it runs with current-user privileges, so it is easy to tell apart.
2. Drops Ntfs.dll into the temp folder and into %SystemRoot%\system32\drivers\.
It then tries to inject into spoolsv.exe. This did not happen in my test.
3. Decrypts data from an encrypted string inside the virus body:
10004180=userinit.10004180 (ASCII "NB0dDqN55bCYi1jO4jtulzpa2G3iC244")(ecx)
77C178C0 8B01 mov eax, dword ptr ds:[ecx]
77C178C2 BA FFFEFE7E mov edx, 7EFEFEFF
77C178C7 03D0 add edx, eax
77C178C9 83F0 FF xor eax, FFFFFFFF
77C178CC 33C2 xor eax, edx
77C178CE 83C1 04 add ecx, 4 \\ loop
77C178D1 A9 00010181 test eax, 81010100
Each round takes one double word and adds 7EFEFEFF to it (edx).
The double word's data is then XORed with FFFFFFFF (eax),
followed by xor eax, edx.
The final decrypted result is: hXXp://a1.av.gs/tick.asp
From that site it fetches urlabcdown.txt and reads its contents:
Finally it downloads 27 account-stealing ***; the selection is fairly complete: 大話, 夢幻, 機戰, 奇蹟, 傳奇, QQ, QQgame and so on.
The drop path is: %SystemRoot%\system32\drivers.
4. Loads the driver %SystemRoot%\system32\drivers\puid.sys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,75,00,69,00,64,00,2e,00,73,\
00,79,00,73,00,00,00
"DisplayName"="puid"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid\Enum]
"0"="Root\\LEGACY_PUID\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
It also drops iefjsdfas.txt, which records some information about puid.sys.
If the contents of iefjsdfas.txt do not match the real file, it may decide that puid.sys is an immunity folder or an invalid file.
In that case it will probably delete the file and load it again.
(Unverified; I blocked its driver loading.)
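As an added example (not code from the original post), here is a small Python parser for the .reg export above: it joins the backslash-continued lines, decodes the hex(2) ImagePath back into a readable path, and returns the fields a responder would check when looking for this driver service. The registry text embedded in it is copied from the page, with the Security descriptor blob left out.

```python
import re
# The puid service key as recorded in the .reg export above (copied from the page).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,70,00,75,00,69,00,64,00,2e,00,73,\
  00,79,00,73,00,00,00
"DisplayName"="puid"
"""
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\puid"

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}: joins backslash-continued
    lines, decodes dword: to int and hex(2): (REG_EXPAND_SZ, UTF-16LE) to str."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join continued hex lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue  # blank line, header, or a value outside any key
        name, raw = m.groups()
        value = raw  # other value types are kept as their raw text
        if raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            value = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace("\\\\", "\\")  # REG_SZ, unescape \\
        keys[current][name] = value
    return keys

def puid_indicators(text):
    # Fields a responder checks to recognise the puid driver service.
    svc = parse_reg(text).get(SERVICE_KEY, {})
    image = str(svc.get("ImagePath", ""))
    return {
        "image_path": image,
        "kernel_driver": svc.get("Type") == 1,  # SERVICE_KERNEL_DRIVER
        "demand_start": svc.get("Start") == 3,  # SERVICE_DEMAND_START
        "suspect": image.lower().endswith("puid.sys"),
    }
```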
5. Takes a process snapshot every 30 seconds. If any of the following strings is found, that process is terminated:
antiarp.exe
360tray.exe
360Safe.exe
6. In addition, that puid.sys may modify userinit.exe in order to get through system-restore protection.