Trojan.Celptex
Alert level: ★★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Trojan.Celptex is a Trojan horse that performs malicious activity on the compromised computer.
When the Trojan is executed, it creates the following files:
%Temp%\libcurl-4.dll
%Temp%\pthreadGC2.dll
%Temp%\zlib1.dll
It then creates the following alternate data streams (ADS):
%Temp%:rnd.dat
%Temp%:[RANDOM CHARACTERS].dat
%Temp%:pid1
%Temp%:pid2
The Trojan then creates the following registry entries:
%HKEY_LOCAL_MACHINE%\SOFTWARE\microsoft\windows\currentversion\run\svchost:regsvr32 /s = %Temp%:[RANDOM CHARACTERS].dat
%HKEY_LOCAL_MACHINE%\SOFTWARE\microsoft\windows\currentversion\run\[LETTER A REPEATED] = 1
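A defender-side check for the Celptex indicators above, written as an added example (it is not part of the bulletin): it lists named streams attached to the %Temp% directory, looks for the dropped helper DLLs, and flags HKLM Run values that launch regsvr32 against a stream path. The DLL names and the stream/Run patterns come from the bulletin; everything else is assumed.

```powershell
# Added example, not part of the bulletin: check a Windows host for the
# Trojan.Celptex indicators listed above. Run in PowerShell 3.0 or later.
$temp = $env:TEMP

# 1. Alternate data streams attached to the %Temp% directory itself.
#    Directories normally carry no named streams, so any hit is worth a look.
Get-Item -LiteralPath $temp -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        '[ADS] {0}:{1} ({2} bytes)' -f $temp, $_.Stream, $_.Length
    }

# 2. Helper DLLs the Trojan drops alongside its streams.
foreach ($dll in 'libcurl-4.dll', 'pthreadGC2.dll', 'zlib1.dll') {
    $p = Join-Path $temp $dll
    if (Test-Path -LiteralPath $p) { "[FILE] dropped DLL present: $p" }
}

# 3. HKLM Run values that launch regsvr32 against a stream path. A stream
#    reference is a colon followed by something other than a backslash
#    (C:\foo.dat is a drive, %Temp%:abcd.dat is a stream). The second Run
#    value in the bulletin has a name made only of repeated 'A' characters.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata
        $entry = '{0} = {1}' -f $prop.Name, $prop.Value
        $streamLaunch = $entry -match 'regsvr32' -and $entry -match ':[^\\\s]+\.dat'
        $repeatedA    = $prop.Name -match '^A{2,}$'
        if ($streamLaunch -or $repeatedA) { "[REG] $runKey\$entry" }
    }
}
```

On Windows versions older than PowerShell 3.0, `dir /r` on the parent of %Temp% shows the same named streams.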
The Trojan starts a new explorer.exe process and infects it.
The Trojan gathers the following information:
Windows version and host name
The Trojan sends this information to the following remote address:
[http://]207.12.89.163/inde[REMOVED]?product_id=[COMPUTER SPECIFIC VALUE]-FbsGEN&dispatch=[HOSTNAME]&target=[WINDOWS VERSION]&v=1&q=009
Prevention and removal:
Do not visit unknown websites or open unknown email attachments. Update the antivirus signature database regularly, preferably with the antivirus product's automatic signature update turned on. Disable file sharing on the computer and disable remote connections to it. Install the latest system patches.
Trojan.Snifula.F
Alert level: ★★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Trojan.Snifula.F is a Trojan horse that steals confidential information from the compromised computer.
When the Trojan is executed, it creates the following file:
%AllUsersProfile%\Application Data\[RANDOM FILE NAME]\[RANDOM FILE NAME].dat
The Trojan then deletes its original file.
It creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM FILE NAME] = "regsvr32.exe %AllUsersProfile%\Application Data\[RANDOM FILE NAME]\[RANDOM FILE NAME].dat"
The Trojan also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = DWORD:3
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = DWORD:0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = DWORD:1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{GUID}\ItemData = [SECURITY SOFTWARE PATH]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{GUID}\SaferFlags = 0
The Trojan may also perform the following actions:
Inject malicious code into Explorer.exe
Steal user names and passwords from various FTP clients, such as WS_FTP, CuteFTP, Far2, FlashFXP, BPFTP and FTPExplorer
Steal web credentials
Steal digital certificates
Steal web form data
Steal Outlook and Windows Mail account information
Open a back door that allows a remote attacker to access the computer
Record video
Record audio
Disable the SPDY open networking protocol
Prevention and removal:
Do not visit unknown websites or open unknown email attachments. Update the antivirus signature database regularly, preferably with the antivirus product's automatic signature update turned on. Disable file sharing on the computer and disable remote connections to it. Install the latest system patches.
Trojan.Asterope
Alert level: ★★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Trojan.Asterope is a Trojan horse that performs click fraud on the compromised computer.
When the Trojan is executed, it creates the following files:
%Temp%\tmp[RANDOM CHARACTER].exe
%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe
%AllUsersProfile%\Start Menu\Programs\Startup\[RANDOM FILE NAME].lnk
%UserProfile%\Start Menu\Programs\Startup\[RANDOM FILE NAME].lnk
The Trojan creates the following registry entries:
%HKEY_CURRENT_USER%\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipShadow\DefaultValue = 0
%HKEY_CURRENT_USER%\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipShadow\DefaultApplied = 65
%HKEY_CURRENT_USER%\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipShadow\random value = [BINARY DATA]
The Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE = "%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun = "%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\GlobalUserOffline = 0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A05 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1402 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1601 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A02 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A03 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A05 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A06 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = 3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM FILE NAME] = "%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\[RANDOM FILE NAME] = "%UserProfile%\Application Data\Microsoft\Windows\[RANDOM FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\GlobalUserOffline = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1601 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A05 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1402 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1601 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A02 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A03 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A05 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A06 = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = 3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\{A8A88C49-5EB2-4990-A1A2-0876022C854F} = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\{AEBA21FA-782A-4A90-978D-B72164C80120} = [BINARY DATA]
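An added audit script (not from the bulletin) for the registry changes listed above for Trojan.Asterope and, in its last step, for the Safer path rules Trojan.Snifula.F creates under CodeIdentifiers\0. The key paths and value names are taken from the bulletin; the dropper-directory pattern and the output format are assumptions.

```powershell
# Added example, not part of the bulletin: audit a Windows host for the IE zone
# tampering and autostart locations Trojan.Asterope modifies, and for the
# Software Restriction Policy (Safer) rules Trojan.Snifula.F writes. Run elevated.
$findings = New-Object System.Collections.Generic.List[string]
# 1. Zones\0..4 value 2500 is Protected Mode for that zone; 3 means disabled.
#    NoProtectedModeBanner = 1 suppresses the bar that would warn the user.
foreach ($hive in 'HKCU', 'HKLM') {
    $zones = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($z in 0..4) {
        $key = Join-Path $zones $z
        $pm = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
        if ($pm -eq 3) { $findings.Add("$key\2500 = 3 (Protected Mode disabled)") }
    }
    $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
    $banner = (Get-ItemProperty -Path $main -Name NoProtectedModeBanner -ErrorAction SilentlyContinue).NoProtectedModeBanner
    if ($banner -eq 1) { $findings.Add("$main\NoProtectedModeBanner = 1") }
}
# 2. Autostart values whose data points into the dropper directory named above.
$dropPattern = [regex]::Escape('Application Data\Microsoft\Windows\') + '[^\\]+\.exe'
$single = @{
    'HKCU:\Control Panel\Desktop'                                       = 'SCRNSAVE.EXE'
    'HKCU:\Software\Microsoft\Command Processor'                        = 'AutoRun'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'Run'
}
foreach ($key in $single.Keys) {
    $name = $single[$key]
    $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($data -match $dropPattern) { $findings.Add("$key\$name = $data") }
}
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $dropPattern) {
            $findings.Add("$key\$($p.Name) = $($p.Value)")
        }
    }
}
# 3. Safer level 0 is "Disallowed": a path rule here whose ItemData names a
#    security product stops that product from launching. List every rule so an
#    analyst can compare ItemData against the installed security software.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
Get-ChildItem -Path $safer -ErrorAction SilentlyContinue | ForEach-Object {
    $rule = Get-ItemProperty -Path $_.PSPath
    $findings.Add(('[SAFER] {0}: ItemData={1} SaferFlags={2}' -f $_.PSChildName, $rule.ItemData, $rule.SaferFlags))
}
if ($findings.Count -eq 0) { 'No indicators from the bulletin found.' } else { $findings }
```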
The Trojan attempts to contact the following IP address:
146.185.220.23
The Trojan contacts the following addresses and downloads a configuration file:
[http://]195.20.141.71:[RANDOM PORT NUMBER]/getC[REMOVED]
[http://]195.20.141.72:[RANDOM PORT NUMBER]/getC[REMOVED]
[http://]195.20.141.73:[RANDOM PORT NUMBER]/getC[REMOVED]
[http://]195.20.141.74:[RANDOM PORT NUMBER]/getC[REMOVED]
The Trojan may also perform the following actions:
Visit specific URLs
Click at specific screen locations
Install Macromedia Flash Player
Prevention and removal:
Do not visit unknown websites or open unknown email attachments. Update the antivirus signature database regularly, preferably with the antivirus product's automatic signature update turned on. Disable file sharing on the computer and disable remote connections to it. Install the latest system patches.
Phishing site alerts:
Fake "The Voice of China" phishing site: http://www.hykx23.com/a/index.html; harm: fake prize notifications that trick users into wiring money.
Fake China Construction Bank phishing site: http://hse360.findhere.org/jianshe.asp; harm: steals users' bank card numbers and passwords.
Fake Yiyaobao (online pharmacy) phishing site: http://www.shop9939.com/kmsyts/; harm: fake drug listings that defraud users of money.
Fake Taobao phishing site: http://192.184.46.29/; harm: steals users' account names and passwords.
Fake ICBC (Industrial and Commercial Bank of China) phishing site: http://www.9558801.com/; harm: steals users' bank card numbers and passwords.
Trojan-hosting (drive-by download) site alert:
Do not open sites like those listed above, and keep the computer's network firewall turned on.
The above information was provided by the Shanghai Municipal Network and Information Security Emergency Management Center.