
Source: Symantec


This virus deletes the Iexplorer.exe under Program Files\Internet Explorer, replaces it with a virus file renamed to iexplorer.exe, and adds many more virus files.


The original source article is as follows:


http://www.symantec.com/norton/security_response/writeup.jsp?docid=2010-040208-1901-99&tabid=2


Discovered: April 2, 2010

Updated: April 2, 2010 9:17:10 AM

Type: Virus

Infection Length: 265,437 bytes

Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000


When the virus executes, it drops the following file, which is an executable .rar file:
%System%\reinstall.exe

Next, it deletes the following file:
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE

The virus then replaces the above file with its own copy of iexplore.exe:
%ProgramFiles%\Internet Explorer\IEXPLORE.EXE

It also drops the following files:

  • %ProgramFiles%\Internet Explorer\bootloader.dll
  • %ProgramFiles%\Internet Explorer\detoured.dll
  • %ProgramFiles%\Internet Explorer\funcition.dll
  • %ProgramFiles%\Internet Explorer\funcition.ini
  • %ProgramFiles%\Internet Explorer\install.exe
  • %ProgramFiles%\Internet Explorer\pserver.exe
  • %ProgramFiles%\Internet Explorer\pserver.ini
  • %System%\Internet Explorer\bootloader.dll
  • %System%\Internet Explorer\detoured.dll
  • %System%\Internet Explorer\funcition.dll
  • %System%\Internet Explorer\funcition.ini
  • %System%\Internet Explorer\iexplore.exe
  • %System%\Internet Explorer\install.exe
  • %System%\Internet Explorer\pserver.exe
  • %System%\Internet Explorer\pserver.ini

Next, it creates the following registry entries so that it executes whenever Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"DllName" = "bootloader.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"Logon" = "OnEventShutDown"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass\"Shutdown" = "OnEventShutDown"

When the computer restarts, bootloader.dll loads the following files in memory:

  • %System%\funcition.dll
  • %System%\pserver.exe

The virus creates the following mutex so that only one instance of it exists on the compromised computer:
PSERVER_MY1236363

It may download additional files and updates from the following locations:

  • [http://]www.tdbbw.com/getpass/funcit[REMOVED]
  • [http://]www.tdbbw.com/getpass/live[REMOVED]
  • [http://]www.tdbbw.com/getpass/updat[REMOVED]
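The following is an added example, not code from Symantec or from this blog. It turns the indicators in the write-up (dropped file names, the Winlogon\Notify\getpass persistence values, the mutex name and the download host) into an offline check that an analyst can run over text collected from a suspect host: a recursive file listing, the output of `reg query ... /s`, and any other text such as a handle listing or proxy log. All sample input below is constructed, and the final "likely infected" rule is an assumption of this example, not a rule from the write-up.

```python
"""Offline indicator check for the write-up above (added example, not Symantec's code)."""
import re

# Indicators copied from the write-up. IEXPLORE.EXE is deliberately not listed:
# the legitimate browser has the same name, so the name alone proves nothing.
DROPPED_FILES = {
    "bootloader.dll", "detoured.dll", "funcition.dll", "funcition.ini",
    "install.exe", "pserver.exe", "pserver.ini", "reinstall.exe",
}
NOTIFY_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass"
NOTIFY_VALUES = {"DllName": "bootloader.dll", "Logon": "OnEventShutDown", "Shutdown": "OnEventShutDown"}
MUTEX_NAME = "PSERVER_MY1236363"
DOWNLOAD_HOST = "www.tdbbw.com"


def scan_file_listing(lines):
    """Return paths whose file name is a dropped-file name AND which sit in one of the
    two locations the write-up names (an Internet Explorer folder or the system
    directory); the same names elsewhere are ignored to avoid false positives."""
    hits = []
    for line in lines:
        path = line.strip()
        if not path or "\\" not in path:
            continue
        folder, name = path.rsplit("\\", 1)
        folder, name = folder.lower(), name.lower()
        if name in DROPPED_FILES and ("internet explorer" in folder or folder.endswith("\\system32")):
            hits.append(path)
    return hits


def scan_reg_query(lines):
    """Parse `reg query ... /s`-style output (key line, then indented 'name type data'
    lines) and return the getpass Notify values that match the write-up's entries."""
    matches = {}
    current_key = None
    value_re = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
    for line in lines:
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = value_re.match(line)
        if not m or current_key is None:
            continue
        name, _type, data = m.groups()
        if not current_key.lower().endswith(NOTIFY_SUBKEY.lower()):
            continue
        # Registry value names and REG_SZ data are compared case-insensitively.
        for canon, expected in NOTIFY_VALUES.items():
            if name.lower() == canon.lower() and data.strip().lower() == expected.lower():
                matches[canon] = data.strip()
    return matches


def scan_text_for_strings(lines):
    """Report lines from any other collected text (handle listing, proxy log, ...)
    that contain the mutex name or the download host."""
    found = {"mutex": [], "download_host": []}
    for line in lines:
        if MUTEX_NAME in line:
            found["mutex"].append(line.strip())
        if DOWNLOAD_HOST in line.lower():
            found["download_host"].append(line.strip())
    return found


def assess(file_lines, reg_lines, other_lines):
    """Combine the three scans. The verdict rule is this example's assumption:
    the complete Notify persistence triplet, or at least two dropped files plus
    the mutex, is treated as a likely infection; a lone string match is not."""
    files = scan_file_listing(file_lines)
    reg = scan_reg_query(reg_lines)
    other = scan_text_for_strings(other_lines)
    persistence = set(reg) == set(NOTIFY_VALUES)
    return {
        "dropped_files": files,
        "persistence_values": reg,
        "persistence_complete": persistence,
        "mutex_seen": bool(other["mutex"]),
        "download_host_seen": bool(other["download_host"]),
        "likely_infected": persistence or (len(files) >= 2 and bool(other["mutex"])),
    }


# Constructed sample input (not captured from a real host).
SAMPLE_FILES = [
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"C:\Program Files\Internet Explorer\bootloader.dll",
    r"C:\Program Files\Internet Explorer\funcition.ini",
    r"C:\Windows\system32\reinstall.exe",
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Users\analyst\Desktop\install.exe",  # same name, unrelated location: not reported
]
SAMPLE_REG = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\getpass",
    "    DllName    REG_SZ    bootloader.dll",
    "    Logon    REG_SZ    OnEventShutDown",
    "    Shutdown    REG_SZ    OnEventShutDown",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp",
    "    DLLName    REG_SZ    wlnotify.dll",  # a normal-looking Notify entry, must not match
]
SAMPLE_OTHER = [
    r"pserver.exe pid: 1480 type: Mutant \BaseNamedObjects\PSERVER_MY1236363",
    "GET http://www.tdbbw.com/getpass/[REMOVED] 200",  # path kept redacted as in the write-up
]

if __name__ == "__main__":
    print(assess(SAMPLE_FILES, SAMPLE_REG, SAMPLE_OTHER))
```

Scanning collected text rather than the live registry keeps the check usable from a forensic image or a remote collection, and the location filter in `scan_file_listing` is what keeps names like install.exe or detoured.dll, which appear legitimately elsewhere, from producing noise.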
Posted by 奕宏資訊社 on 痞客邦 (2 comments)