Virus: W32/Agent.DP
Date discovered: 20/11/2009
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 26.112 Bytes
MD5 checksum: 13aec81e42625335dbbe845426f2db2a
IVDF version: 7.10.01.37 - Friday, November 20, 2009

General Method of propagation:
   • Autorun feature


Aliases:
   •  Mcafee: W32/Autorun.worm.c virus
   •  Sophos: W32/FuzVir-A
   •  Panda: W32/Autorun.JLX.worm
   •  Eset: Win32/AutoRun.AntiAV.P
   •  Bitdefender: Trojan.Generic.3041547


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following locations:
   • %drive%\recycle\{645FF040-5081-101B-9F08-00AA002F954E}\Ghost.exe
   • %SYSDIR%\dllcache\lsasvc.dll



It overwrites the following files:
   • %SYSDIR%\qmgr.dll
   • %SYSDIR%\drivers\etc\hosts



It deletes the initially executed copy of itself.



It deletes the following files:
   • %TEMPDIR%\NtHid.sys
   • %TEMPDIR%\Loopt.bat



The following files are created:

– %drive%\autorun.inf
   This is a non-malicious text file with the following content:
   • %code that runs malware%

– %TEMPDIR%\NtHid.sys
   Further investigation showed that this file is malware, too. Detected as: Rkit/Agent.xsa

– %TEMPDIR%\Loopt.bat
   It is executed as soon as it has been fully written. This batch file is used to delete a file.



It tries to download a file:

– The location is the following:
   • http://nbtj.114anhui.com/msn/**********




It tries to execute the following files:

– Filename:
   • cmd /c ""%TEMPDIR%\Loopt.bat" "


– Filename:
   • "%PROGRAM FILES%\Internet Explorer\iexplore.exe" http://nbtj.114anhui.com/msn/163.htm

Registry
The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
   • 0048F8D37B153F6EA2798C323EF4F318A5624A9E
   • 00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099
   • 0483ED3399AC3608058722EDBC5E4600E3BEF9D7
   • 049811056AFE9FD0F5BE01685AACE6A5D1C4454C
   • 0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52
   • 1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB
   • 1F55E8839BAC30728BE7108EDE7B0BB0D3298224
   • 209900B63D955728140CD13622D8C687A4EB0085
   • 216B2A29E62A00CE820146D8244141B92511B279
   • 23E594945195F2414803B4D564D2A3A3F5D88B8C
   • 24A40A1F573643A67F0A4B0749F6A22BF28ABB6B
   • 24BA6D6C8A5B5837A48DB5FAE919EA675C94D217
   • 273EE12457FDC4F90C55E82B56167F62F532E547
   • 284F55C41A1A7A3F8328D4C262FB376ED6096F24
   • 2F173F7DE99667AFA57AF80AA2D1B12FAC830338
   • 317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6
   • 36863563FD5128C7BEA6F005CFE9B43668086CCE
   • 394FF6850B06BE52E51856CC10E180E882B385CC
   • 3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA
   • 4072BA31FEC351438480F62E6CB95508461EAB2F
   • 40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC
   • 43DDB1FFF3B49B73831407F6BC8B975023D07C50
   • 43F9B110D5BAFD48225231B0D0082B372FEF9A54
   • 4463C531D7CCC1006794612BB656D3BF8257846F
   • 47AFB915CDA26D82467B97FA42914468726138DD
   • 4B421F7515F6AE8A6ECEF97F6982A400A4D9224E
   • 4BA7B9DDD68788E12FF852E1A024204BF286A8F6
   • 4C95A9902ABE0777CED18D6ACCC3372D2748381E
   • 4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9
   • 4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C
   • 4F65566336DB6598581D584A596C87934D5F2AB4
   • 54F9C163759F19045121A319F64C2D0555B7E073
   • 58119F0E128287EA50FDD987456F4F78DCFAD6D4
   • 5B4E0EC28EBD8292A51782241281AD9FEEDD4E4C
   • 5D989CDB159611365165641B560FDBEA2AC23EF1
   • 5E5A168867BFFF00987D0B1DC2AB466C4264F956
   • 5E997CA5945AAB75FFD14804A974BF2AE1DFE7E1
   • 627F8D7827656399D27D7F9044C9FEB3F33EFA9A
   • 6372C49DA9FFF051B8B5C7D4E5AAE30384024B9C
   • 6782AAE0EDEEE21A5839D3C0CD14680A4F60142A
   • 67EB337B684CEB0EC2B0760AB488278CDD9597DD
   • 687EC17E0602E3CD3F7DFBD7E28D57A0199A3F44
   • 688B6EB807E8EDA5C7B17C4393D0795F0FAE155F
   • 68ED18B309CD5291C0D3357C1D1141BF883866B1
   • 69BD8CF49CD300FB592E1793CA556AF3ECAA35FB
   • 6A174570A916FBE84453EED3D070A1D8DA442829
   • 720FC15DDC27D456D098FABF3CDD78D31EF5A8DA
   • 74207441729CDD92EC7931D823108DC28192E2BB
   • 742C3192E607E424EB4549542BE1BBC53E6174E2
   • 7639C71847E151B5C7EA01C758FBF12ABA298F7A
   • 78E9DD0650624DB9CB36B50767F209B843BE15B3
   • 7A74410FB0CD5C972A364B71BF031D88A6510E9E
   • 7AC5FFF8DCBC5583176877073BF751735E9BD358
   • 7CA04FD8064C1CAA32A37AA94375038E8DF8DDC0
   • 7E784A101C8265CC2DE1F16D47B440CAD90A1945
   • 81968B3AEF1CDC70F5FA3269C292A3635BD123D3
   • 838E30F77FDD14AA385ED145009C0E2236494FAA
   • 85371CA6E550143DCE2803471BDE3A09E8F8770F
   • 85A408C09C193E5D51587DCDD61330FD8CDE37BF
   • 879F4BEE05DF98583BE360D633E70D3FFE9871AF
   • 8EB03FC3CF7BB292866268B751223DB5103405CB
   • 9078C5A28F9A4325C2A7C73813CDFE13C20F934E
   • 90AEA26985FF14804C434952ECE9608477AF556F
   • 90DEDE9E4C4E9F6FD88617579DD391BC65A68964
   • 96974CD6B663A7184526B1D648AD815CF51E801A
   • 97817950D81C9670CC34D809CF794431367EF474
   • 97E2E99636A547554F838FBA38B82E74F89A830A
   • 99A69BE61AFE886B4D2B82007CB854FC317E1539
   • 9BACF3B664EAC5A17BED08437C72E4ACDA12F7E7
   • 9E6CEB179185A29EC6060CA53E1974AF94AF59D4
   • 9FC796E8F8524F863AE1496D381242105F1B78F5
   • A399F76F0CBF4C9DA55E4AC24E8960984B2905B6
   • A3E31E20B2E46A328520472D0CDE9523E7260C6D
   • A5EC73D48C34FCBEF1005AEB85843524BBFAB727
   • AB48F333DB04ABB9C072DA5B0CC1D057F0369B46
   • ACED5F6553FD25CE015F1F7A483B6A749F6178C6
   • B172B1A56D95F91FE50287E14D37EA6A4463768A
   • B19DD096DCD4E3E0FD676885505A672C438D4E9C
   • B3EAC44776C9C81CEAF29D95B6CCA0081B67EC9D
   • B5D303BF8682E152919D83F184ED05F1DCE5370C
   • B6AF5BE5F878A00114C3D7FEF8C775C34CCD17B6
   • B72FFF92D2CE43DE0A8D4C548C503726A81E2B93
   • BC9219DDC98E14BF1A781F6E280B04C27F902712



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\krnl360svc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC2.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\UfSeAgnt.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MpfSrv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TMBMSRV.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360hotfix.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\TmProxy.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avgnt.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\msksrver.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Mcagent.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360rpt.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avmailc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPMon.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kmailmon.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavTask.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kswebshield.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVSrvXP.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\rsnetsvr.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ScanFrm.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360tray.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\KVMonXP.kxp]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avwebgrd.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcsysmon.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsTray.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ekrn.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kwatch.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\seccenter.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\vsserv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\CCenter.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC1.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ccSvcHst.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\SfCtlCom.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\bdagent.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360safe.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kissvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360speedld.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McSACore.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\egui.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avguard.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\sched.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360SoftMgrSvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Mcshield.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kpfwsvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MPSVC.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avp.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\360safebox.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\qutmserv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RavMonD.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\livesrv.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kpfw32.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcvsshld.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\mcmscsvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McProxy.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\McNASvc.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\ast.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\avcenter.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\Mcods.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\RsAgent.exe]
   • "Debugger"="ntsd -"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\kavstart.exe]
   • "Debugger"="ntsd -"



The following registry keys are changed:

– [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\
   Winlogon]
   New value:
   • "ParseAutoexec"="1"

– [HKLM\SYSTEM\CurrentControlSet\Services\BITS]
   New value:
   • "Start"=dword:0x00000002

Hosts
The hosts file is modified as follows:

– In this case existing entries are deleted.

Injection
– It injects the following file into a process: %SYSDIR%\qmgr.dll

   Process name:
   • svchost.exe
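The registry, hosts-file and injection behaviour listed above shares one mechanism: an Image File Execution Options subkey whose Debugger value names a program makes Windows start that program in place of the listed image, so with "Debugger"="ntsd -" the security products named above are handed to the NT symbolic debugger instead of running normally; qmgr.dll is the DLL that svchost.exe loads for the BITS service, and a BITS Start value of 2 (Automatic) ensures the overwritten copy is loaded at boot. The following audit script is an added example for defenders, not code from the Avira description; it assumes an elevated prompt on a host with PowerShell 4 or later (for Get-FileHash) and treats the regular expression used to flag "ntsd -" as a local heuristic that should be reviewed rather than acted on automatically.

```powershell
# Added audit script (not part of the Avira description): surfaces the three
# persistence/defence-evasion traces described on this page so an analyst can
# review them. Assumptions: elevated prompt, PowerShell 4+.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. Image File Execution Options: any subkey carrying a Debugger value
#    redirects that image through the named command. Legitimate developer
#    uses exist, so every hit is reported and only "ntsd -" style values
#    (the pattern on this page) are marked Suspect.
function Get-IfeoDebuggerHits {
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $debugger
                # heuristic assumption: ntsd with no real arguments is not a developer setting
                Suspect  = [bool]($debugger -match '^\s*ntsd(\.exe)?\s+-\s*$')
            }
        }
    }
}

# 2. Hosts file: the trojan overwrites it and removes existing entries, so an
#    unexpectedly small or recently rewritten file is worth a look.
function Get-HostsFileSummary {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item  = Get-Item -Path $hosts
    [pscustomobject]@{
        Path          = $hosts
        SizeBytes     = $item.Length
        LastWriteTime = $item.LastWriteTime
        ActiveEntries = @(Get-Content -Path $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() })
    }
}

# 3. BITS service: start type, the DLL registered for it, and whether the
#    on-disk qmgr.dll still carries a valid Microsoft signature.
function Get-BitsServiceState {
    $svc    = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
    $start  = (Get-ItemProperty -Path $svc -Name Start).Start            # 2 = Automatic, 3 = Manual, 4 = Disabled
    $dll    = (Get-ItemProperty -Path "$svc\Parameters" -Name ServiceDll).ServiceDll
    $qmgr   = Join-Path $env:SystemRoot 'System32\qmgr.dll'
    $sig    = Get-AuthenticodeSignature -FilePath $qmgr
    [pscustomobject]@{
        StartType       = $start
        ServiceDll      = $dll
        SignatureStatus = $sig.Status                                    # expect 'Valid'
        Signer          = $sig.SignerCertificate.Subject
        Md5             = (Get-FileHash -Algorithm MD5 -Path $qmgr).Hash # compare with a known-good copy
    }
}

Write-Host '== IFEO Debugger redirections =='
Get-IfeoDebuggerHits | Format-Table -AutoSize

Write-Host '== hosts file =='
Get-HostsFileSummary | Format-List

Write-Host '== BITS / qmgr.dll =='
Get-BitsServiceState | Format-List
```

Any row marked Suspect, a hosts file that has just been rewritten to near-empty, or a qmgr.dll whose signature status is anything other than Valid should be correlated with the file list on this page before remediation; removing an IFEO Debugger value restores the affected product's ability to start.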


File details
Runtime packer:
To hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description written by Petre Galan on Tuesday, 22 June 2010
Description updated by Petre Galan on Thursday, 24 June 2010
