Overview
Virus name: Worm.Win32.Delf.by
Chinese name: 酷豬
Virus type: Worm
File MD5: 354861D7F587F1553FBBF6779426EDE8
Disclosure scope: Fully public
Threat level: 4
File size: 51,840 bytes packed, 241,664 bytes unpacked
Affected systems: Windows 9x and later
Development tool: Borland Delphi 6.0 - 7.0
Packer: Upack 0.3.9 beta2s -> Dwing
Aliases: NORMAN [Virus W32/Downloader]
BitDefender [BehavesLike:Trojan.Downloader]
Virus description
When run, the virus drops copies of itself into the system directory and adds registry Run entries so that the virus body is loaded automatically at startup. It then downloads a large number of account-stealing programs from a remote server and runs them on the local machine, attempting to capture the user's game account credentials and send them out.
Behaviour analysis
1. Drops the following copies and files:
%Windir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\msccrt.exe
%WinDir%\msppds.exe
%WinDir%\shualai.exe
%WinDir%\winform.exe
%System32%\cmdbcs.dll
%System32%\explorer.exe
%System32%\kupini.dll
%System32%\Kvsc3.dll
%System32%\msccrt.dll
%System32%\msppds.dll
%System32%\shualai.dll
%System32%\winform.dll
%\DOCUME~1%\<current user name>\LOCALS~1\Temp\upxdnd.exe
2. Creates the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD7D4640-4464-48C0-82FD-21338366D2D2}\InProcServer32\@
Value: String: "C:\Program Files\Internet Explorer\MoWang.tdm"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD7D4640-4464-48C0-82FD-21338366D2D2}\InProcServer32\ThreadingModel
Value: String: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42A612A4-4334-4424-4234-42261A31A236}
Value: String: "pdkpri.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2}
Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdbcs
Value: String: "WINDIRcmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc3
Value: String: "WINDIRKvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msccrt
Value: String: "WINDIRmsccrt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msppds
Value: String: "WINDIRmsppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shualai
Value: String: "WINDIRshualai.exe /i"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxdnd
Value: String: "%\DOCUME~1%\<current user name>\LOCALS~1\Temp\upxdnd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winform
Value: String: "WINDIRwinform.exe"
3. Downloads further malware from the following addresses:
Host: n*w.h*ck*p.com/down.txt, whose content is a dynamically updated list of malware download addresses:
http://n*w.h*ck*p.com/ma/1.exe
http://n*w.h*ck*p.com/ma/2.exe
http://n*w.h*ck*p.com/ma/3.exe
http://n*w.h*ck*p.com/ma/4.exe
http://n*w.h*ck*p.com/ma/6.exe
http://n*w.h*ck*p.com/ma/7.exe
http://n*w.h*ck*p.com/ma/8.exe
http://n*w.h*ck*p.com/ma/IE.exe
Note: %System% is a variable path. The virus queries the operating system to determine the location of the current System folder. The default path is C:\Winnt\System32 on Windows 2000/NT, C:\Windows\System on Windows 95/98/Me, and C:\Windows\System32 on Windows XP.
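As an added example (my own Python, not the report's or Antiy's tooling), the following triage script parses a regedit-style export and flags values matching the persistence indicators from sections 1 and 2 above: the Run value names, the two ShellExecuteHooks CLSIDs, the InProcServer32 of those CLSIDs, and the dropped file names. The export it scans is constructed for the example, not taken from an infected host.

```python
import re
# Indicators transcribed from sections 1 and 2 above; registry names compare case-insensitively.
STEMS = ("cmdbcs", "kvsc3", "msccrt", "msppds", "shualai", "winform")
RUN_VALUE_NAMES = set(STEMS) | {"upxdnd"}
HOOK_CLSIDS = {"{42A612A4-4334-4424-4234-42261A31A236}",
               "{DD7D4640-4464-48C0-82FD-21338366D2D2}"}
DROPPED_FILES = ({s + ext for s in STEMS for ext in (".exe", ".dll")}
                 | {"upxdnd.exe", "kupini.dll", "mowang.tdm", "pdkpri.dll"})
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")="(.*)"$')       # "name"="data" or @="data"
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$", re.I)

def find_indicators(reg_export):
    """Return (key, value_name, reasons) for every exported value matching an indicator."""
    hits, key = [], ""
    for line in (l.strip() for l in reg_export.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1); continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2).replace("\\\\", "\\")          # .reg exports escape backslashes
        reasons = []
        if key.lower().endswith(r"\currentversion\run") and name.lower() in RUN_VALUE_NAMES:
            reasons.append("Run value name from the report")
        if key.lower().endswith(r"\explorer\shellexecutehooks") and name.upper() in HOOK_CLSIDS:
            reasons.append("ShellExecuteHooks CLSID from the report")
        cm = CLSID_RE.search(key)
        if cm and cm.group(1).upper() in HOOK_CLSIDS:
            reasons.append("InProcServer32 of a CLSID from the report")
        basename = data.split("\\")[-1].split(" ")[0].lower()   # ignore "/i"-style arguments
        if basename in DROPPED_FILES:
            reasons.append("data names a dropped file")
        if reasons:
            hits.append((key, name, "; ".join(reasons)))
    return hits

# Constructed sample export (not from the report): two benign values plus the worm's persistence.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BenignTray"="C:\\Program Files\\Vendor\\tray.exe"
"cmdbcs"="WINDIRcmdbcs.exe"
"shualai"="WINDIRshualai.exe /i"
"upxdnd"="C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\upxdnd.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00000000-1111-2222-3333-444444444444}"=""
"{DD7D4640-4464-48C0-82FD-21338366D2D2}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD7D4640-4464-48C0-82FD-21338366D2D2}\InProcServer32]
@="C:\\Program Files\\Internet Explorer\\MoWang.tdm"
"ThreadingModel"="Apartment"
"""
```

Run `find_indicators(SAMPLE_EXPORT)` to list the six suspicious values; the two benign entries are not reported.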
Removal
1. Use 安天木馬防線 (Antiy Trojan Defense Line) to remove this virus completely (recommended).
2. For manual removal, delete the corresponding files and restore the related system settings as listed in the behaviour analysis.
(1) Using 安天木馬防線, disconnect from the network and terminate the virus processes:
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\msccrt.exe
%WinDir%\msppds.exe
%WinDir%\shualai.exe
%WinDir%\winform.exe
(2) Delete or restore the registry values the virus added or modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD7D4640-4464-48C0-82FD-21338366D2D2}\InProcServer32\@
Value: String: "C:\Program Files\Internet Explorer\MoWang.tdm"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD7D4640-4464-48C0-82FD-21338366D2D2}\InProcServer32\ThreadingModel
Value: String: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42A612A4-4334-4424-4234-42261A31A236}
Value: String: "pdkpri.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{DD7D4640-4464-48C0-82FD-21338366D2D2}
Value: String: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmdBcs
Value: String: "WINDIRcmdbcs.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kvsc3
Value: String: "WINDIRKvsc3.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mscCrt
Value: String: "WINDIRmsccrt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mspPds
Value: String: "WINDIRmsppds.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shuAlai
Value: String: "WINDIRshualai.exe /i"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upxDnd
Value: String: "%\DOCUME~1%\<current user name>\LOCALS~1\Temp\upxdnd.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winForm
Value: String: "WINDIRwinform.exe"
(3) Delete the files dropped by the virus:
%WinDir%\cmdbcs.exe
%WinDir%\Kvsc3.exe
%WinDir%\msccrt.exe
%WinDir%\msppds.exe
%WinDir%\shualai.exe
%WinDir%\winform.exe
%System32%\cmdbcs.dll
%System32%\explorer.exe
%System32%\kupini.dll
%System32%\Kvsc3.dll
%System32%\msccrt.dll
%System32%\msppds.dll
%System32%\shualai.dll
%System32%\winform.dll