Trojan.Krompt
Alert level: ★★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Trojan.Krompt is a Trojan horse that opens a back door on the compromised computer.
When the Trojan is executed, it creates the following files:
%UserProfile%\WindowsUpdate\System\Isass.exe
%Temp%\System\Configurations.ini
It then creates the following registry entry so that it runs at every logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"System." = "%UserProfile%\WindowsUpdate\System\Isass.exe"
The Trojan connects to the following remote address to receive commands from the attacker:
internetexplorers.org
Prevention and removal:
Do not visit unknown websites or open unknown e-mail attachments. Update your antivirus software's virus database regularly, preferably with automatic database updates enabled. Turn off file sharing on the computer and disable remote connections to it. Install the latest system patches.
Trojan.Semnager
Alert level: ★★★
Affected platforms: Win 9X/ME/NT/2000/XP/Server 2003
Trojan.Semnager is a Trojan horse that may modify the web browser on the compromised computer.
When the Trojan is executed, it creates the following files:
%ProgramFiles%\Settings Manager\systemk\favicon.ico
%ProgramFiles%\Linkey\ChromeExtension\ChromeExtension.crx
%ProgramFiles%\Linkey\Helper.dll
%Temp%\nsb1C\Helper.dll
%ProgramFiles%\Linkey\Uninstall.exe
%Temp%\nsb1C\Uninstall.exe
%Temp%\nsy3\Helper.dll
%Temp%\nsy3\Starter.exe
%ProgramFiles%\Linkey\IEExtension\iedll64.dll
%ProgramFiles%\Linkey\IEExtension\iedll.dll
%ProgramFiles%\Linkey\log.log
%ProgramFiles%\Settings Manager\systemk\Internet Explorer Settings.exe
%ProgramFiles%\Settings Manager\systemk\sysapcrt.dll
%ProgramFiles%\Settings Manager\systemk\syskldr.dll
%ProgramFiles%\Settings Manager\systemk\syskldr_u.dll
%ProgramFiles%\Settings Manager\systemk\systemkbho.dll
%ProgramFiles%\Settings Manager\systemk\systemk.dll
%ProgramFiles%\Settings Manager\systemk\SystemkService.exe
%ProgramFiles%\Settings Manager\systemk\systemku.exe
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb
It then creates the following folder:
%Temp%\NULLSOFT\
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\"NoExplorer" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"LoadAppInit_DLLs" = "1"
HKEY_CURRENT_USER\Software\SystemK\General\"ie_search_set" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"Start" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"CleanShutdown" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"Type" = "110"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"ObjectName" = "LocalSystem"
HKEY_LOCAL_MACHINE\SOFTWARE\Linkey\"norestart" = "yes"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"appid" = "0"
HKEY_CURRENT_USER\Software\Linkey\"appid" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"kapid" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"kisid" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ie_hp_supported" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ie_ds_supported" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ie_search_set" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Asst" = "no"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ptype" = "N"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ln" = "EN"
HKEY_CURRENT_USER\Software\Linkey\"ln" = "EN"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\"Flags" = "400"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"uc" = "310"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"osl" = "en-us"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"os_user_type" = "Admin"
HKEY_CURRENT_USER\Software\Linkey\"sysid" = "300"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"osver" = "5.1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"sysid" = "427"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SystemkService\Security\"Security" = "[HEXADECIMAL NUMBERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ostype" = "WIN32"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\"browser" = " ie ff cr"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe\"debugger" = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe\"debugger" = "tasklist.exe"
HKEY_CLASSES_ROOT\AppID\iedll.dll\"AppID" = "{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}"
HKEY_CLASSES_ROOT\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32\"(Default)" = "%SYSTEMROOT%\PROGRA~1\Linkey\IEEXTE~1\iedll.dll"
HKEY_CLASSES_ROOT\Linkey.Linkey\CLSID\"(Default)" = "{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}"
HKEY_CURRENT_USER\Software\Linkey\"home" = "%ProgramFiles%\Linkey"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions\"{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}" = "51 66 7a 6c 4c 1d 3b 1b c6 1e 83 5c 92 08 24 0c a3 d4 38 6d f4 0e ca 5b"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\"(Default)" = "Linkey"
HKEY_CLASSES_ROOT\AppID\{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}\"(Default)" = "Linkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Linkey\"ie_jsurl" = "http://app.linkeyproject.com/popup/IE/background.js"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"home" = "%ProgramFiles%\Settings Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"guid" = "{EB25CAE0-E5F3-E993-3950-E055FE755242}"
HKEY_CLASSES_ROOT\Linkey.Linkey\"(Default)" = "Linkey Class"
HKEY_CURRENT_USER\Software\Linkey\"clid" = "{C6201B99-D766-43B6-A557-8AE750836432}"
HKEY_CURRENT_USER\Software\Linkey\"iver" = "0.0.0.333"
HKEY_CURRENT_USER\Software\Linkey\"pver" = "0.0.0.333"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\"SearchAssistant" = "http://www.default-search.net?sid=427&aid=0&itype=n&ver=11471&tm=310&src=ds&p="
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\"SearchAssistant" = "http://www.default-search.net?sid=427&aid=0&itype=n&ver=11471&tm=310&src=ds&p="
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Bar" = "http://www.default-search.net?sid=427&aid=0&itype=n&ver=11471&tm=310&src=ds&p="
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"clid" = "{8163580A-CD0C-4A87-97D6-05AC17A36F6C}"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"itime" = "2014-04-07"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\"Version" = "5.0.0.11471"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"pver" = "5.0.0.11471"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"iver" = "5.0.0.11471"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"kbn" = "11471"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"uid" = "8163580023024087"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\"x86" = "%PROGRAMFILES%\Settings Manager\systemk\sysapcrt.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"Description" = "Serving SystemK modules functionality"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"DisplayName" = "Systemk Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"ImagePath" = "%ProgramFiles%\Settings Manager\SYSTEMk\SystemkService.exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.default-search.net?sid=427&aid=0&itype=n&ver=11471&tm=310&src=hmp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%SystemDrive%\PROGRA~1\Linkey\IEEXTE~1\iedll.dll %SystemDrive%\PROGRA~1\SETTIN~1\systemk\syskldr.dll"
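The registry entries listed for Trojan.Krompt (Run-key persistence) and Trojan.Semnager (IFEO "debugger" entries, AppInit_DLLs, AppCertDlls, BHO registration, a new service, browser home-page and search hijacks) can be triaged mechanically. The script below is an added example, not part of the original bulletin: it parses lines in the bulletin's own HIVE\path\"name" = "value" format (it does not query a live registry) and maps each entry to the technique it indicates; the sample lines are copied from the entries above, plus one benign entry.

```python
import re
from typing import List, Optional, Tuple

# Matches the bulletin's own line format: HIVE\path\"name" = "value"
REG_LINE = re.compile(r'^(?P<key>[^"]+)\\"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')

def parse_reg_line(line: str) -> Optional[Tuple[str, str, str]]:
    # Returns (key path, value name, data) or None for non-registry text
    m = REG_LINE.match(line.strip())
    return (m.group("key"), m.group("name"), m.group("value")) if m else None

def classify(key: str, name: str, value: str) -> List[str]:
    """Map one entry to the persistence/tampering techniques it indicates."""
    k, n, v = key.lower(), name.lower(), value.lower()
    hits = []
    if "image file execution options" in k and n == "debugger":
        # The "Debugger" program runs in place of the named executable; with
        # tasklist.exe as the debugger, the listed security tools never start.
        hits.append("IFEO Debugger hijack of " + k.rsplit("\\", 1)[-1])
    if k.endswith(r"\currentversion\windows") and n in ("appinit_dlls", "loadappinit_dlls"):
        hits.append("AppInit_DLLs: DLL loaded into every user32-linked process")
    if r"session manager\appcertdlls" in k:
        hits.append("AppCertDlls: DLL loaded by every process calling CreateProcess")
    if k.endswith(r"\explorer\run") or k.endswith(r"\currentversion\run"):
        hits.append("Run-key persistence: " + value)
    if "browser helper objects" in k:
        hits.append("Browser Helper Object registered in Internet Explorer")
    if "\\services\\" in k and n == "imagepath" and "\\windows\\" not in v and "%systemroot%" not in v:
        hits.append("Service binary outside the Windows directory: " + value)
    if "internet explorer" in k and n in ("start page", "search bar", "searchassistant"):
        hits.append("Browser home page / search hijack -> " + value)
    return hits

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (key path, finding) pairs for every parsable line."""
    findings = []
    for line in lines:
        parsed = parse_reg_line(line)
        if parsed:
            findings.extend((parsed[0], f) for f in classify(*parsed))
    return findings

# Constructed input: entries copied from the bulletin above, plus one benign entry.
SAMPLE_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"System." = "%UserProfile%\WindowsUpdate\System\Isass.exe"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe\"debugger" = "tasklist.exe"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%SystemDrive%\PROGRA~1\Linkey\IEEXTE~1\iedll.dll"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\"x86" = "%PROGRAMFILES%\Settings Manager\systemk\sysapcrt.dll"',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemkService\"ImagePath" = "%ProgramFiles%\Settings Manager\SYSTEMk\SystemkService.exe"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.default-search.net?sid=427&aid=0&itype=n&ver=11471&tm=310&src=hmp"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General\"ln" = "EN"',
]
```

Calling triage(SAMPLE_LINES) yields six findings, one per malicious entry, and nothing for the benign "ln" value.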
The Trojan connects to the following remote addresses:
[http://]preved.aztecbe.com/lo[REMOVED]
[http://]service.aztecbe.com/install_sta[REMOVED]
The Trojan may also perform the following actions:
Installs a browser extension called Linkey; changes the browser's default search engine; changes the browser home page; prevents the user from changing browser settings.
Prevention and removal:
Do not visit unknown websites or open unknown e-mail attachments. Update your antivirus software's virus database regularly, preferably with automatic database updates enabled. Turn off file sharing on the computer and disable remote connections to it. Install the latest system patches.
Android.Simplocker
Alert level: ★★★
Affected platforms: Android
Android.Simplocker may encrypt files on the compromised device and demand that the user pay to decrypt it.
The Trojan may be downloaded as an installation package with the following characteristics:
1. Package name:
Package name: com.adobe.flashplugin
Name: flashplugin
2. Permissions
When installed, the Trojan requests permissions to perform the following actions:
retrieve information about currently or recently running tasks; access low-level system logs; vibrate the phone; change network state; prevent the device from sleeping; access information about Wi-Fi network state; change Wi-Fi connection state; open network connections; start automatically at boot; check the current phone state; write to external storage; read or write system settings; control the device camera
3. Installation
4. Functionality:
The Trojan locks the compromised device and demands a ransom.
It then connects to the following remote address:
[http://][REMOVED]/bigaboo/gate[REMOVED]
The Trojan can identify the following applications installed on the compromised device and send the information to the remote server:
com.usaa.mobile.android.usaa
com.citi.citimobile
com.americanexpress.android.acctsvcs.us
com.wf.wellsfargomobile
com.tablet.bofa
com.infonow.bofa
com.tdbank
com.chase.sig.android
com.bbt.androidapp.activity
com.regions.mobbanking
Prevention and removal:
Do not download apps from unknown sources; obtain installation packages from official app stores whenever possible. Unless necessary, do not root the device to obtain system privileges.
Phishing website alerts:
Fake 中国好声音 (The Voice of China) phishing site: http://zjthd3.com/; Risk: fake prize notifications that trick users into transferring money.
Fake 中国好舞蹈 (Dance of China) phishing site: http://www.zghwdjmhd.com/; Risk: fake prize notifications that trick users into transferring money.
Fake Taobao phishing site: http://50.117.38.185/; Risk: steals users' account names and passwords.
Fake pharmaceutical phishing site: http://gp.fdwygl.com/tyb/; Risk: false medical information used to defraud users of money.
Fake ICBC (Industrial and Commercial Bank of China) phishing site: http://www.icbtui.com/; Risk: steals users' bank card numbers and passwords.
Malicious-code (drive-by download) website alerts:
Do not open websites of this kind, and keep your computer's network firewall turned on.
The above information was provided by the Shanghai Network and Information Security Emergency Management Affairs Center.