Basic Information
Virus name: SpamTool.Win32.Agent.u
Chinese name: 派送器 (Dispatcher)
Virus type: Worm
File MD5: F86E61CCF7A06C67736F4B108CE0D1C0
Disclosure scope: fully public
Threat level: 5
File length: 102,916 bytes packed, 49,664 bytes unpacked
Affected systems: Windows 95 and later
Development tool: Microsoft Visual C++ 6.0
Packer: modified UPX
Virus Description
After it runs, the virus downloads its virus body from an Internet address to the local machine and executes it, adds a registry auto-run entry and a system service entry, and modifies the Winsock LSP (Layered Service Provider) chain so that it is loaded whenever the system starts. Through its built-in SMTP worm routine it connects to Internet SMTP servers, obtains the mail information it needs in order to forge messages, and then sends spam in bulk, heavily consuming network resources.
Behavior Analysis
1. Creates the following copies and files:
%System32%\mfolpnzbz.dll
2. Modifies the following driver files:
%System32%\mfolpnzbz.dll
%System32%\dirvers\ndis.sys
3. Creates the following registry keys and values:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys\DisplayName
Value: Type: REG_EXPAND_SZ Length: 10 (0xa) bytes ntldr.sys.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys\ImagePath
Value: Type: REG_EXPAND_SZ Length: 17 (0x11) bytes C:\ntldr.sys .
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\DisplayName
Value: String: "Windows 套接字 2 .0 Non-IFS 服務提供程式支持環境 "
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\ImagePath
Value: Type: REG_EXPAND_SZ Length: 41 (0x29) bytes
\systemroot\System32\drivers\ws2ifsl.sys.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000012\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000013\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000014\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000015\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000016\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000016\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000017\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000017\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000018\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000018\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000019\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000019\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000020\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000020\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000021\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000021\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000022\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000022\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000023\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000023\PackedCatalogItem
Value: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
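Item 3 above records a kernel driver service named ntldr.sys whose ImagePath is C:\ntldr.sys: a file in the drive root that borrows the name of the Windows NT boot loader and whose DisplayName merely repeats the service name. The Python below is an added example, not code from the report or from Antiy; it audits a snapshot of Services subkey values for exactly those traits (driver image outside the drivers directory, image in a drive root, DisplayName equal to the service name, and a boot-file name reused as a driver). The snapshot is constructed from the two service keys listed above; expansion of `\systemroot` and `%SystemRoot%` assumes C:\WINDOWS, which is an assumption, and on a live host the values would be read from HKLM\SYSTEM\CurrentControlSet\Services instead.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed for this example; read %SystemRoot% on a live host
DRIVERS_DIR = ntpath.join(SYSTEM_ROOT, "System32", "drivers").lower()
# File names of the Windows NT/2000/XP boot chain; a driver reusing one of them is suspicious.
BOOT_FILE_STEMS = {"ntldr", "ntdetect", "bootmgr"}

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<name> values,
# taken from the two service keys the report lists above.
SERVICES_SNAPSHOT = {
    "ntldr.sys": {"DisplayName": "ntldr.sys", "ImagePath": r"C:\ntldr.sys"},
    "WS2IFSL": {
        "DisplayName": "Windows 套接字 2 .0 Non-IFS 服務提供程式支持環境",
        "ImagePath": r"\systemroot\System32\drivers\ws2ifsl.sys",
    },
}


def expand_image_path(image_path: str) -> str:
    """Normalise the path spellings the Service Control Manager accepts."""
    p = image_path.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    low = p.lower()
    if low.startswith("\\systemroot"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    elif low.startswith("%systemroot%"):
        p = SYSTEM_ROOT + p[len("%systemroot%"):]
    elif low.startswith("system32\\"):  # relative form, resolved against the Windows directory
        p = ntpath.join(SYSTEM_ROOT, p)
    return ntpath.normpath(p)


def audit_service(name: str, values: dict) -> list:
    """Return the reasons (possibly none) why one service entry looks like malware persistence."""
    reasons = []
    image = expand_image_path(values.get("ImagePath", ""))
    folder = ntpath.dirname(image).lower()
    base = ntpath.basename(image).lower()
    stem = ntpath.splitext(base)[0]
    if base.endswith(".sys") and folder != DRIVERS_DIR:
        reasons.append(f"driver image outside the drivers directory: {image}")
    if ntpath.dirname(ntpath.splitdrive(image)[1]) == "\\":
        reasons.append("image stored in a drive root")
    if values.get("DisplayName", "").strip().lower() == name.lower():
        reasons.append("DisplayName merely repeats the service name")
    if stem in BOOT_FILE_STEMS:
        reasons.append(f"driver reuses the boot-file name '{stem}'")
    return reasons


def audit_services(snapshot: dict) -> dict:
    """Map each flagged service name to its list of reasons; clean services are omitted."""
    return {n: r for n, v in snapshot.items() if (r := audit_service(n, v))}


if __name__ == "__main__":
    for service, reasons in audit_services(SERVICES_SNAPSHOT).items():
        print(service)
        for reason in reasons:
            print("  -", reason)
```

The location heuristic alone does not flag WS2IFSL, whose ImagePath sits in the normal drivers directory, so the service keys the report names still have to be removed by name during cleanup; the heuristics are a triage aid for spotting additional entries of the ntldr.sys kind, not a replacement for the listed indicators.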
4. Modifies the following registry values, hijacking the LSP chain; this lets the virus detect network activity to start itself and collect user information:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\rsvpsp.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
New: Type: REG_BINARY Length: 888 (0x378) bytes
C:\WINDOWS\System32\mfolpnzbz.dll
Old: Type: REG_BINARY Length: 888 (0x378) bytes
%SystemRoot%\system32\mswsock.dll
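Item 4 is the core of the infection: every base-provider PackedCatalogItem in Protocol_Catalog9 now names C:\WINDOWS\System32\mfolpnzbz.dll instead of mswsock.dll or rsvpsp.dll, so every Winsock socket on the host passes through the virus DLL. The Python below is an added example, not code from the report or from Antiy. It parses PackedCatalogItem blobs using their documented layout (a 260-byte ANSI module path followed by a WSAPROTOCOL_INFOW structure, 888 bytes in total, which matches the length recorded above) and flags any entry whose provider module is not one of the Windows base providers. The blobs are constructed here so the check runs offline; on a live host they would be read from the registry values listed above, and the catalog entry ids and protocol names used in the sample are illustrative.

```python
import struct

PACKED_CATALOG_ITEM_LEN = 888   # 0x378, as recorded in the report
PATH_FIELD_LEN = 260            # MAX_PATH, ANSI, NUL padded
# WSAPROTOCOL_INFOW up to szProtocol: dwServiceFlags1..4, dwProviderFlags,
# ProviderId (GUID), dwCatalogEntryId, WSAPROTOCOLCHAIN (ChainLen + 7 ids),
# then iVersion .. dwProviderReserved (11 ints). 116 bytes in total.
_INFO_HDR = struct.Struct("<5I16sI8I11I")
PROTOCOL_NAME_LEN = 256 * 2     # szProtocol[WSAPROTOCOL_LEN + 1], UTF-16LE
assert PATH_FIELD_LEN + _INFO_HDR.size + PROTOCOL_NAME_LEN == PACKED_CATALOG_ITEM_LEN

# Provider modules Windows itself registers in Protocol_Catalog9; the cleanup
# section of the report restores the hijacked entries to mswsock.dll.
KNOWN_GOOD_PROVIDERS = {"mswsock.dll", "rsvpsp.dll"}


def parse_packed_catalog_item(blob: bytes) -> dict:
    """Split one PackedCatalogItem value into the fields a triage needs."""
    if len(blob) != PACKED_CATALOG_ITEM_LEN:
        raise ValueError(f"unexpected PackedCatalogItem length {len(blob)}")
    path = blob[:PATH_FIELD_LEN].split(b"\x00", 1)[0].decode("latin-1")
    f = _INFO_HDR.unpack_from(blob, PATH_FIELD_LEN)
    chain_len = f[7]
    name_off = PATH_FIELD_LEN + _INFO_HDR.size
    name = blob[name_off:name_off + PROTOCOL_NAME_LEN].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "path": path,
        "module": path.rsplit("\\", 1)[-1].lower(),
        "catalog_entry_id": f[6],
        "chain_len": chain_len,   # 1 = base provider, >1 = layered chain, 0 = layered protocol
        "chain": list(f[8:8 + chain_len]) if 0 < chain_len <= 7 else [],
        "address_family": f[16],
        "socket_type": f[19],
        "protocol": f[20],
        "name": name,
    }


def audit_catalog(entries: dict) -> list:
    """Findings for entries whose provider DLL is not a known Windows base provider."""
    findings = []
    for entry_name, blob in sorted(entries.items()):
        item = parse_packed_catalog_item(blob)
        if item["module"] not in KNOWN_GOOD_PROVIDERS:
            findings.append({"entry": entry_name, "name": item["name"],
                             "path": item["path"], "chain_len": item["chain_len"]})
    return findings


def build_packed_catalog_item(path: str, catalog_id: int, name: str, chain_len: int = 1) -> bytes:
    """Constructed test data only: assemble a blob in the same layout as the registry value."""
    chain_ids = [catalog_id] + [0] * 6            # a base provider's chain is just itself
    hdr = _INFO_HDR.pack(0x20066, 0, 0, 0, 0, b"\x00" * 16, catalog_id,
                         chain_len, *chain_ids,
                         2, 2, 16, 16, 1, 6, 0, 0, 0, 0, 0)   # AF_INET, SOCK_STREAM, IPPROTO_TCP
    return (path.encode("latin-1").ljust(PATH_FIELD_LEN, b"\x00") + hdr
            + name.encode("utf-16-le").ljust(PROTOCOL_NAME_LEN, b"\x00"))


# Constructed catalog: two hijacked entries (item 4) and two untouched ones (item 3).
SAMPLE_CATALOG = {
    "000000000001": build_packed_catalog_item(r"C:\WINDOWS\System32\mfolpnzbz.dll", 1001, "MSAFD Tcpip [TCP/IP]"),
    "000000000004": build_packed_catalog_item(r"C:\WINDOWS\System32\mfolpnzbz.dll", 1004, "RSVP TCP Service Provider"),
    "000000000012": build_packed_catalog_item(r"%SystemRoot%\system32\mswsock.dll", 1012, "MSAFD Tcpip [TCP/IP]"),
    "000000000015": build_packed_catalog_item(r"%SystemRoot%\system32\rsvpsp.dll", 1015, "RSVP TCP Service Provider"),
}

if __name__ == "__main__":
    for hit in audit_catalog(SAMPLE_CATALOG):
        print(f"{hit['entry']}: '{hit['name']}' served by {hit['path']} (chain length {hit['chain_len']})")
```

The telling detail in the sample mirrors the report: the hijacked entries keep the original protocol name (the one a user sees in netsh or a Winsock viewer) while the module path underneath points at the virus DLL, so a check that compares the module to an allowlist catches what the name alone hides.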
5. The mail contains an image carrying a link, luring the user into clicking it; the link points to the home page of a men's medication website:
http://h*x.hz*nn*nj*8mbchhs4zzsmzzz.secamonecj.com/?ljlrh
6. The virus may send mail carrying attachments:
7. Submits queries to the following search engine address to obtain related mail information, which it then uses to forge mail:
www.g**g*e.com(208.7*.1*8.1*0)/bn/comgate.xhtml?name=78 TCP DstPort:7712
Note: %System% is a variable path. The virus queries the operating system to determine the location of the current System folder. The default installation path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
Removal
1. Use 安天木馬防線 (Antiy's anti-Trojan product) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings according to the behavior analysis above.
(1) Use the process manager of 安天木馬防線 to terminate the virus process.
Delete the following newly created keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntldr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\
…………..
…………..
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000023\
Restore the following modified values:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\
PackedCatalogItem
…………..
…………..
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\
Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\
PackedCatalogItem
Restore each value to:
%SystemRoot%\system32\mswsock.dll
(2) Restart the computer.
(3) Delete the files created by the virus:
%System32%\mfolpnzbz.dll
%System32%\dirvers\ndis.sys