论坛发布的SH3.41貌似有毒？

逆夏 · 发表于 2016-4-6 17:26:23

本帖最后由逆夏于 2016-4-6 18:33 编辑

使用该模块后有时候会自动生成一个子文件（宿主程序的名字+Srv.exe）有没毒我就不说了,上检测报告。你们也可以自己去体验。该模块地址为http://bbs.125.la/thread-13880456-1-1.html

有人说，一大堆分析有毛用。我想问你下哥们  你是不是傻逼？

关键行为行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll
行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12
行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*
行为描述：获取窗口截图信息
详情信息： Foreground window Info: HWND = 0x24010301, DC = 0x24010301.
Foreground window Info: HWND = 0x160104cc, DC = 0x160104cc.
行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER
行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
进程行为行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12
行为描述：创建本地线程
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.590138.exe_7zdump\服务器\1111111.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.590479.exe_7zdump\服务器\1111111.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.590822.exe_7zdump\服务器\1111111Srv.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.591167.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.591895.exe_7zdump\服务器\1111111Srv.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.592243.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Internet Explorer\iexplore.exe
行为描述：创建进程
详情信息： ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
行为描述：创建新文件进程
详情信息： ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.617696.exe_7zdump\服务器\1111111Srv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.617696.exe_7zdump\服务器\1111111Srv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
行为描述：枚举进程
详情信息： N/A
行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25
行为描述：进程退出
详情信息： N/A
运行截图基本信息文件名称：服务器.zip

MD5： 921cb539286ed0781f79fbe41a6fd923
文件类型： zip
上传时间： 2016-04-06 17:10:47
出品公司： N/A
版本： N/A
壳或编译器信息： COMPILER:Elan
报毒名称： Virus.Win32.Ramnit.c
子文件信息：详情
1111111.exe /  4efcf57d4176f22478b2d18c0a90c96c /  EXE
01.dll /  46c9c92f490e25f32d1ec228b5a200ec /  DLL
02.dll /  06e459ab2e0b83b518d7fcb405cca928 /  DLL
03.dll /  dbcfd8d2c04e18e24b0cd68eba641afb /  DLL
krnln.fnr /  bd01aea6d5bb2e93937531f8b47ec871 /  DLL
mysql.fne /  5bc00022d9be69c4f21c1ef15fb8170c /  DLL
Email.dll /  65e62401c1c0bea4b27ae14fd0a92397 /  DLL
The dream-seeker TCP engine.dll /  328fb225d89066754bdb3d15c39d7aa3 /  DLL
mysql.dll /  a315f1dff5ffa2c40f200bbd911a9f5d /  DLL
jmail.dll /  2e3a4a1dce3fe450dd7ec4f97cfc789f /  DLL
eAPI.fne /  7c1ff88991f5eafab82b1beaefc33a42 /  DLL
iext.fnr /  856495a1605bfc7f62086d482b502c6f /  DLL
HPSocket4C.dll /  1714ce47815be2e0eff0ce049820d4f8 /  DLL
HPSocket4C_U.dll /  5b88851d11918404d73e86a7359d192c /  DLL
spec.fne /  bd6eef5ea9a52a412a8f57490d8bd8e4 /  DLL
EThread.fne /  206396257b97bd275a90ce6c2c0c37fd /  DLL
商务风格.she /  bf6e3646e68632052c14d31548c878c0 /  Unknown
pz.ini /  8efb6e189c81d67bbc5b6bbf663a50ba /  Unknown

关键行为行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

行为描述：获取窗口截图信息
详情信息： Foreground window Info: HWND = 0x24010301, DC = 0x24010301.
Foreground window Info: HWND = 0x160104cc, DC = 0x160104cc.

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

进程行为行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：创建本地线程
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.590138.exe_7zdump\服务器\1111111.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.590479.exe_7zdump\服务器\1111111.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.590822.exe_7zdump\服务器\1111111Srv.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.591167.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.591895.exe_7zdump\服务器\1111111Srv.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.592243.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Internet Explorer\iexplore.exe

行为描述：创建进程
详情信息： ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

行为描述：创建新文件进程
详情信息： ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.617696.exe_7zdump\服务器\1111111Srv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.617696.exe_7zdump\服务器\1111111Srv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"

行为描述：枚举进程
详情信息： N/A

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：进程退出
详情信息： N/A

文件行为行为描述：创建文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.515565.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\px5.tmp
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：创建可执行文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.463056.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Microsoft\DesktopLayer.exe

行为描述：覆盖已有文件
详情信息： C:\Program Files\Microsoft\px4.tmp
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.516906.exe_7zdump\服务器\1111111Srv.exe
C:\Program Files\Microsoft\px5.tmp
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：复制文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.603981.exe_7zdump\服务器\1111111Srv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe

行为描述：内存映射方式修改可执行文件
详情信息： \device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll

行为描述：删除文件
详情信息： C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\px5.tmp

行为描述：查找文件
详情信息： FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.619555.exe_7zdump\服务器
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*
行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER
行为描述：修改文件内容
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.522037.exe_7zdump\服务器\1111111Srv.exe

网络行为行为描述：建立到一个指定的套接字连接
详情信息： URL: go******om, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x00000120
URL: fg***********om, IP: <FAKE_SERVER_IP>:443, SOCKET = 0x0000012c
行为描述：按名称获取主机地址
详情信息： gethostbyname: go******om
gethostbyname: fg***********om
行为描述：创建互斥体
详情信息： KyUffThOkYwRRtgPP
CTF.LBES.MutexDefaultS-*
CTF.Compart.MutexDefaultS-*
CTF.Asm.MutexDefaultS-*
CTF.Layouts.MutexDefaultS-*
CTF.TMD.MutexDefaultS-*
CTF.TimListCache.FMPDefaultS-*MUTEX.DefaultS-*
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.MJE

行为描述：创建事件对象
详情信息： EventName = DINPUTWINMM
EventName = MSCTF.SendReceiveConection.Event.MJE.IC
EventName = MSCTF.SendReceive.Event.MJE.IC

行为描述：修改后的可执行文件MD5
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll ---> 8d4d6552452617a59ccce32abb98899e

行为描述：窗口信息
详情信息： Pid = 124, Hwnd=0x202c2, Text = 0%, ClassName = Afx:400000:b:10011:1900015:0.
Pid = 124, Hwnd=0x302bc, Text = 连接[0]位[0/5000] 空闲[2000]位, ClassName = _EL_Label.
Pid = 124, Hwnd=0x202cc, Text = 累计请求：, ClassName = msctls_statusbar32.
Pid = 124, Hwnd=0x202a8, Text = SHTB控制终端, ClassName = WTWindow.

行为描述：修改后的可执行文件签名信息
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll(签名验证: 未通过)
行为描述：获取窗口截图信息
详情信息： Foreground window Info: HWND = 0x24010301, DC = 0x24010301.
Foreground window Info: HWND = 0x160104cc, DC = 0x160104cc.
行为描述：可执行文件签名信息
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.599453.exe_7zdump\服务器\1111111Srv.exe(签名验证: 未通过)
C:\Program Files\Microsoft\DesktopLayer.exe(签名验证: 未通过)
行为描述：隐藏指定窗口
详情信息： [Window,Class] = [,msctls_progress32]
[Window,Class] = [0%,Afx:400000:b:10011:1900015:0]
[Window,Class] = [,_EL_Timer]
[Window,Class] = [SHTB控制终端,WTWindow]

行为描述：可执行文件MD5
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934846.598272.exe_7zdump\服务器\1111111Srv.exe ---> ff5e1f27193ce51eec318714ef038bef
C:\Program Files\Microsoft\DesktopLayer.exe ---> ff5e1f27193ce51eec318714ef038bef
行为描述：查找指定窗口
详情信息： NtUserFindWindowEx: [Class,Window] = [,]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

逆夏 · 发表于 2016-4-6 17:26:38

下面是自动创建的文件（1111111Srv.exe）的检测报告

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*
其他行为基本信息文件名称： 1111111Srv.exe

MD5： 7c724e154505b4700ce3de14f47f02e8
文件类型： EXE
上传时间： 2016-04-06 17:04:54
出品公司： SOFTWIN S
版本： 106.42.73.61---106.42.73
壳或编译器信息： PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
报毒名称： Trojan.Win32.Ramnit.efg

关键行为行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

进程行为行为描述：创建进程
详情信息： ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

行为描述：创建新文件进程
详情信息： ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayerSrv.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayerSrv.exe"
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe"

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：枚举进程
详情信息： N/A

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：创建本地线程
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196238.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196566.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：进程退出
详情信息： N/A

文件行为行为描述：创建文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\DesktopLayerSrv.exe
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：创建可执行文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：覆盖已有文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：复制文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.206134.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe

行为描述：内存映射方式修改可执行文件
详情信息： \device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll

行为描述：删除文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp

行为描述：查找文件
详情信息： FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：修改文件内容
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 65536
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 4096
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 8192
C:\Program Files\Microsoft\DesktopLayerSrv.exe ---> Offset = 0
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 2787
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 873
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\popup.html ---> Offset = 39547
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.secondAccount\0.0.0.1\backgroundpage.html ---> Offset = 1227
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.share\0.0.0.1\backgroundpage.html ---> Offset = 5201
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

基本信息关键行为进程行为文件行为网络行为注册表行为其他行为基本信息文件名称： 1111111Srv.exe

MD5： 7c724e154505b4700ce3de14f47f02e8
文件类型： EXE
上传时间： 2016-04-06 17:04:54
出品公司： SOFTWIN S
版本： 106.42.73.61---106.42.73
壳或编译器信息： PACKER:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
报毒名称： Trojan.Win32.Ramnit.efg

关键行为行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

进程行为行为描述：创建进程
详情信息： ImagePath = C:\Program Files\Internet Explorer\IEXPLORE.EXE, CmdLine = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"

行为描述：创建新文件进程
详情信息： ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayer.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayer.exe"
ImagePath = C:\Program Files\Microsoft\DesktopLayerSrv.exe, CmdLine = "C:\Program Files\Microsoft\DesktopLayerSrv.exe"
ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe, CmdLine = "C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.133821.exe"

行为描述：跨进程写入数据
详情信息： TargetProcess = iexplore.exe, WriteAddress = 0x20040000, Size = 53248
TargetProcess = iexplore.exe, WriteAddress = 0x00020000, Size = 563
TargetProcess = iexplore.exe, WriteAddress = 0x00401a25, Size = 12

行为描述：枚举进程
详情信息： N/A

行为描述：跨进程写代码段数据
详情信息： C:\Program Files\Internet Explorer\iexplore.exe, WriteAddress = 0x00401A25, EntryPoint = 0x00401A25

行为描述：创建本地线程
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196238.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.196566.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：进程退出
详情信息： N/A

文件行为行为描述：创建文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Microsoft\DesktopLayerSrv.exe
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：修改原系统的EXE文件
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll

行为描述：创建可执行文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
C:\Program Files\Microsoft\DesktopLayer.exe
C:\Program Files\Microsoft\DesktopLayerSrv.exe

行为描述：覆盖已有文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp
C:\Program Files\Internet Explorer\dmlconf.dat

行为描述：复制文件
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\1459934495.206134.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> C:\Program Files\Microsoft\DesktopLayer.exe

行为描述：内存映射方式修改可执行文件
详情信息： \device\harddiskvolume1\documents and settings\administrator\application data\sogouexplorer\extension\com.sogou.snaptaker\0.4.2\npprintscreen.dll

行为描述：删除文件
详情信息： C:\Program Files\Microsoft\px3.tmp
C:\Program Files\Microsoft\px4.tmp

行为描述：查找文件
详情信息： FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe
FileName = C:\Program Files\Internet Explorer\IEXPLORE.EXE
FileName = C:\Program Files\Internet Explorer\iexplore.exe
FileName = C:\*.*
FileName = C:\222c25ed\*.*
FileName = C:\222c25ed\IE8-Setup-Full\*.*
FileName = C:\222c25ed\IE8-Setup-Full\log\*.*
FileName = C:\AnalyzeControl\*.*
FileName = C:\DiskD\*.*
FileName = C:\DiskX\*.*
FileName = C:\DiskX\RECYCLER\*.*
FileName = C:\Documents and Settings\*.*
FileName = C:\Documents and Settings\Administrator\*.*

行为描述：设置特殊文件夹属性
详情信息： C:\DiskX\RECYCLER

行为描述：修改文件内容
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 0
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 65536
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 4096
C:\Program Files\Microsoft\DesktopLayer.exe ---> Offset = 8192
C:\Program Files\Microsoft\DesktopLayerSrv.exe ---> Offset = 0
C:\Program Files\Internet Explorer\dmlconf.dat ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 2787
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 873
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\popup.html ---> Offset = 39547
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.secondAccount\0.0.0.1\backgroundpage.html ---> Offset = 1227
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.share\0.0.0.1\backgroundpage.html ---> Offset = 5201
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 0
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.privateSurf\0.0.0.1\backgroundpage.html ---> Offset = 65536
C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.quicklink\0.0.0.1\backgroundpage.html ---> Offset = 0

网络行为行为描述：建立到一个指定的套接字连接
详情信息： URL: go******om, IP: <FAKE_SERVER_IP>:80, SOCKET = 0x00000120
URL: fg***********om, IP: <FAKE_SERVER_IP>:443, SOCKET = 0x00000128

行为描述：按名称获取主机地址
详情信息： gethostbyname: go******om
gethostbyname: fg***********om

注册表行为行为描述：修改注册表_启动项
详情信息： \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

其他行为行为描述：创建互斥体
详情信息： KyUffThOkYwRRtgPP

行为描述：修改后的可执行文件MD5
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll ---> ff7db3db534236b7738ccce99ae33e09

行为描述：修改后的可执行文件签名信息
详情信息： C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Extension\com.sogou.snapTaker\0.4.2\npprintscreen.dll(签名验证: 未通过)

行为描述：可执行文件签名信息
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe(签名验证: 未通过)
C:\Program Files\Microsoft\DesktopLayer.exe(签名验证: 未通过)
C:\Program Files\Microsoft\DesktopLayerSrv.exe(签名验证: 未通过)

行为描述：可执行文件MD5
详情信息： C:\Documents and Settings\Administrator\Local Settings\%temp%\996ESrv.exe ---> ff5e1f27193ce51eec318714ef038bef
C:\Program Files\Microsoft\DesktopLayer.exe ---> 7c724e154505b4700ce3de14f47f02e8
C:\Program Files\Microsoft\DesktopLayerSrv.exe ---> ff5e1f27193ce51eec318714ef038bef

行为描述：查找文件方式探测虚拟机
详情信息： FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Application Data\VMware\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VBoxGuestAdditions\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\Administrator\Local Settings\Temp\VMwareDnD\*.*
FindFirstFileEx: FileName = C:\Documents and Settings\All Users\Application Data\VMware\*.*

易语言12345 · 发表于 2016-4-6 21:58:30

楼主直接复制的吧‘

空之影 · 发表于 2016-4-6 21:56:24

QQ2388300238 发表于 2016-4-6 18:57
听你这意思好像是反破J机制被触发了

应该是吧。

学习不易哦 · 发表于 2016-4-6 20:50:33

我擦，能看懂的都是大牛~！

铅笔刀 · 发表于 2016-4-6 19:09:38

类似模块官方论坛貌似有开源的

逆夏 · 发表于 2016-4-6 19:03:04

QQ2388300238 发表于 2016-4-6 18:57
听你这意思好像是反破J机制被触发了

没破J。直接正常调用

liux · 发表于 2016-4-6 19:01:51

我中这个病毒5年了都懒得杀附带装杀工具和检测工具检测是自己写的专杀网上找的

专杀srv.rar (308.74 KB, 下载次数: 7)

红颜脸庞仍娇俏 · 发表于 2016-4-6 18:57:38

精易丿小猪发表于 2016-4-6 17:39
这毒好像打开OD的时候才会出现，正常运行不会。

听你这意思好像是反破J机制被触发了

13600798154 · 发表于 2016-4-6 18:57:24

srv 是感染型病毒吧，危险啥的没有就是杀不干净恶心

代表太阳太阳你 · 发表于 2016-4-6 18:52:46

我以前中过一个毒,会在C盘生成一个自启动的毒C:\Program Files\Microsoft\DesktopLayer.exe.这个毒会感染全盘的exe还有图片文件
md5地址 https://habo.qq.com/file/showdetail?md5=54424837157c1d5a2e79f4efd71405b2&pk=ADQGZV1oB2IIPls4

		自动登录	找回密码
密码			注册

[闲聊] 论坛发布的SH3.41貌似有毒？

点评

评分

浏览过的版块