该病毒为 AV 终结者变种 ,在保留 AV 终结者所有功能的同时又增加了众多新功能:进程
互锁来保护自身功能;提升自身权限进行内存遍历,然后通过匹配内置关键字列表上的信息来
关闭运行中的安全相关进程;破坏瑞星开机杀毒文件;弹出宣传广告网页;内置网络信息以用
来更新自身。该病毒添加的新功能的目的是为了更有效的来对付各种杀毒软件和安全产品,使
自己的生命期更长久;因此会更长时间的存活在用户电脑中,给用户的信息安全带来了很大的
威胁。该病毒还会下载大量的其它病毒,这个功能属于“木马群”中的下载者角色,下载到用
户电脑后自动运行,从而盗取病毒制造者感兴趣的敏感信息。 行为分析:
本地行为:
1、 文件运行后会衍生以下文件,并将其属性设置为系统只读隐藏:
(1)病毒副本文件:
%Program Files%\Common Files\
Microsoft Shared\uhvcrwy.exe 24,820字节
%\Program Files%\Common Files
\System\jidpewy.exe 24,820字节
%Program Files%\meex.exe 24,820字节
%DriveLetter%\ cjlguqc.exe 24,820字节
(2)病毒衍生文件:
%Program Files%\qiauiej.inf 169字节
%DriveLetter%\ autorun.inf 169字节
2、将系统文件verclsid.exe重命名为verclsids.exe,目的是为了使WindowsShell
或Windows资源管理器实例化任何外壳扩展之前对这些扩展进行验证无效:
%System32%\verclsid.exe 28,672字节
%System32%\verclsids.exe 28,672字节
3、将瑞星文件bsmain.exe重命名为bsmains.exe,目的是为了破坏瑞星杀毒软件,
使其不能开机杀毒。
4、创建进程uhvcrwy.exe与jidpewy.exe进行互锁,使用户不能正常结束该病毒进程,
并且在用户打开%Program Files%\Common Files\Microsoft Shared ,%\Program Files%
\Common Files\System两个病毒体存在的文件夹时,该文件夹会自动关闭。
5、病毒将自身权限提升后遍历系统中进线程获取其信息,当检测到有与内置关键字列表
匹配上的进线程,则将其关闭;内置关键字列表如下:
"Ras.exe" "FTCleanerShell.e" "KWatchX.exe"
"avp.com" "xe" "loaddll.exe"
"avp.exe","runiep.exe" "HijackThis.exe" "MagicSet.exe"
"PFW.exe" "Iparmor.exe" "mcconsol.exe"
"FYFireWall.exe" "isPwdSvc.exe" "mmqczj.exe"
"rfwmain.exe" "kabaload.exe" "nod32krn.exe"
"rfwsrv.exe" "KaScrScn.SCR" "PFWLiveUpdate.ex"
"KAVPF.exe" "KASMain.exe" "QHSET.exe"
"KPFW32.exe" "KASTask.exe" "RavMonD.exe"
"nod32kui.exe" "KAV32.exe" "RavStub.exe"
"nod32.exe" "KAVDX.exe" "RegClean.exe"
"Navapsvc.exe" "KAVPFW.exe" "rfwcfg.exe"
"Navapw32.exe" "KAVSetup.exe" "RfwMain.exe"
"avconsol.exe" "KAVStart.exe" "RsAgent.exe"
"webscanx.exe" "KISLnchr.exe" "Rsaupd.exe"
"NPFMntor.exe" "KMailMon.exe" "safelive.exe"
"vsstat.exe" "KMFilter.exe" "scan32.exe"
"KPfwSvc.exe" "KPFW32X.exe" "shcfg32.exe"
"RavTask.exe" "KPFWSvc.exe" "SmartUp.exe"
"Rav.exe" "KRegEx.exe" "SREng.EXE"
"RavMon.exe" "KRepair.com" "symlcsvc.exe"
"mmsk.exe" KsLoader.exe" "SysSafe.exe"
"WoptiClean.exe" "KVCenter.kxp" "TrojanDetector.e"
"QQKav.exe" "KvDetect.exe" "Trojanwall.exe"
"QQDoctor.exe" "KvfwMcl.exe" "TrojDie.kxp"
"EGHOST.exe" "KVMonXP.kxp" "UIHost.exe"
"360Safe.exe" "KVMonXP_1.kxp" "UmxAgent.exe"
"iparmo.exe" "kvol.exe" "UmxAttachment.ex"
"adam.exe" "kvolself.exe" "UmxCfg.exe"
"IceSword.exe" "KvReport.kxp" "UmxFwHlp.exe"
"360rpt.exe" "KVScan.kxp" "UmxPol.exe"
"360tray.exe" "KVSrvXP.exe" "UpLive.exe"
"AgentSvr.exe" "KVStub.kxp" "upiea.exe"
"AppSvc32.exe" "kvupload.exe" "AST.exe"
"autoruns.exe" "kvwsc.exe" "ArSwp.exe"
"avgrssvc.exe" "KvXP.kxp" "USBCleaner.exe"
"AvMonitor.exe" "KvXP_1.kxp" "rstrui.exe"
CCenter.exe" "KWatch.exe"
"ccSvcHst.exe" "KWatch9x.exe"
"FileDsty.exe"
6、调用系统net.exe,以命令行的形式结束服务wscsvc、helpsvc、wuauserv、
SharedAccess。
7、该病毒遍历各个驱动器盘符根目录文件,如有autorun.inf文件或文件夹则删除,
如未能删除则将其先更名,再创建病毒的autorun.inf文件和病毒体;磁盘免疫在此
病毒下已失去作用。
8、添加启动项,以达到随机启动的目的:
(1)在各个驱动器盘符根目录下(系统目录除外)释放启动文件autorun.inf
和与其对应的执行文件,当用户打开驱动器根目录时便启动了病毒体:
%DriveLetter%\ cjlguqc.exe 24,820字节
%DriveLetter%\ autorun.inf 169字节
autorun.inf文件内容如下:
[AutoRun]
open=cjlguqc.exe
shell\open=打开(&O)
shell\open\Command=cjlguqc.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=cjlguqc.exe
(2)在注册表中添加启动项:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\Run
键值: 字串: "cjlguqc" ="C:\Program Files
\Common Files\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\Run
键值: 字串: "qiauiej" ="C:\Program Files
\Common Files\System\jidpewy.exe"
9、修改注册表如下:
(1)删除安全模式相关注册表键值,使安全模式无法启动:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
\Control\SafeBoot\Minimal
\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
键值: 字符串: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
\Control\SafeBoot\Network
\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
键值: 字符串: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SafeBoot\Minimal
\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
键值: 字符串: "DiskDrive"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Control\SafeBoot\Network
\{4D36E967-E325-11CE-BFC1-08002BE10318}\@
键值: 字符串: "DiskDrive"
(2)使隐藏文件不可见:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows\CurrentVersion\Explorer\Advanced
\Folder\Hidden\SHOWALL\CheckedValue
新: DWORD: 0 (0)
旧: DWORD: 1 (0x1)
(3)禁用windows的帮助与支持功能:
HKEY_LOCAL_MACHINE\SYSTEM
\ControlSet001\Services\helpsvc\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\helpsvc\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
(4)禁用windows防火墙相关功能:
HKEY_LOCAL_MACHINE\SYSTEM
\ControlSet001\Services\SharedAccess\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\SharedAccess\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
(5)禁用windows的系统安全设置和配置服务:
HKEY_LOCAL_MACHINE\SYSTEM
\ControlSet001\Services\wscsvc\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\wscsvc\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
(6)禁用windows自动升级功能:
HKEY_LOCAL_MACHINE\SYSTEM
\ControlSet001\Services\wuauserv\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\wuauserv\Start
新: DWORD: 4 (0x4)
旧: DWORD: 2 (0x2)
(7)添加映像劫持项114项,使被劫持杀毒软件与安全工具无法运行,
且激发病毒文件uhvcrwy.exe执行,劫持项如下(由于劫持项太
多,只列出部分):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\360rpt.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\360Safe.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\360tray.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\adam.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\AgentSvr.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\AppSvc32.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\ArSwp.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\AST.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\UpLive.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\USBCleaner.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\vsstat.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
……略
……略
……略
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\webscanx.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft
\Windows NT\CurrentVersion
\Image File Execution Options\WoptiClean.exe\Debugger
键值: 字符串: "C:\Program Files\Common Files
\Microsoft Shared\uhvcrwy.exe"
10、该病毒可通过移动存储介质传播,还可通过恶意网站、其它病毒/木马下载传播;
该病毒可以盗取用户敏感信息;占用大量系统与网络资源使系统与网络运行速度
变慢。
网络行为:
1、连接网络下载病毒文件,下载的病毒文件不再一一列出;
网址如下:
gx.gx-ruan****.com(219.146.145.186:**)
221.130.182.52:**
59.151.26.116:**
go.lele.com(59.151.26.105:**)
pub.lele.com(221.6.5.163:**)
www.u8u.com(221.6.5.163:**)
2、该病毒弹出广告网页www.dvdfo****.com,达到宣传的目的。
3、通过分析可知当该病毒得到激发条件时,该病毒会执行如下两个内置网络信息,
以下载更新病毒列表和病毒体本身:
exe">
http://www.web***.com/TDown1.exe
http://www.web***.com/ReadDown.txt
注: %System32% 是一个可变路径。病毒通过查询操作系统来决定当前 System文件夹的
位置。
%Windir% WINDODWS所在目录
%DriveLetter% 逻辑驱动器根目录
%ProgramFiles% 系统程序默认安装目录
%HomeDrive% 当前启动的系统的所在分区
%Documents and Settings% 当前用户文档根目录
%Temp% \Documents and Settings
\当前用户\Local Settings\Temp
%System32% 系统的 System32文件夹
Windows2000/NT中默认的安装路径是C:\Winnt\System32
windows95/98/me中默认的安装路径是C:\Windows\System
windowsXP中默认的安装路径是C:\Windows\System32
