File Name: wow.exe
MD5: 37a1579a13ccf47a98c22a1da7ed0091
SHA1: d9269d6ac56503b8402747439a007f9185c53bbc
SHA256: ad60a399c519637407df33381a8a2552f58704c4b517ed6e53c37c077f3d3fd7
SHA512: 4070b755d17176e7ed6cb8c67244fe77babf4171d5cd2e2f21c729409bc1069f8ebbdc7b8c20e9156f33953849100f48988ca93775d344586e94131c5f4ae89f

VirusTotal Result: 24/32 (75.00%)
Scanned on 05.14.2008 18:53:11 (CET)

AntiVir - - TR/Dropper.Gen
AVG - - Agent.UNN
BitDefender - - Trojan.PWS.OnLineGames.WOM
CAT-QuickHeal - - Trojan.Agent.lpv
ClamAV - - Trojan.Agent-23164
DrWeb - - Trojan.MulDrop.15082
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - Win32/Konvoy.F
F-Secure - - Trojan.Win32.Agent.lpv
Fortinet - - Dropper.BB!tr
GData - - Trojan.Win32.Agent.lpv
Ikarus - - Virus.Trojan.Win32.Agent.lpv
Kaspersky - - Trojan.Win32.Agent.lpv
McAfee - - Generic Dropper.bb
Microsoft - - TrojanDropper:Win32/Rootkit.AFH
NOD32v2 - - Win32/TrojanDropper.Agent.NKK
Norman - - W32/Smalltroj.EGWF
Panda - - Generic Malware
Prevx1 - - Malware Dropper
Sophos - - Troj/Agent-GYS
Symantec - - Trojan.Dropper
TheHacker - - Trojan/Agent.lpv
VBA32 - - Trojan.Win32.Agent.lpv
Webwasher-Gateway - - Trojan.Dropper.Gen

***** Resources ****************************************************
--- DLL ------------------------------------------------------------
101
102

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 48149298
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00008000
Size of initialized data: 00001000
Size of uninitialized data: 00008000
Address of entry point: 00010E90
Base of code: 00009000
Base of data: 00011000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
UPX0 00008000 00001000 00000000 00000400 E0000080
UPX1 00008000 00009000 00008000 00000400 E0000040
.rsrc 00001000 00011000 00000200 00008400 C0000040

***** Import table *************************************************
KERNEL32.DLL (imports: 3)
LoadLibraryA
GetProcAddress
ExitProcess
ADVAPI32.dll (imports: 1)
RegCloseKey
MSVCRT.dll (imports: 1)
memcpy

Process Details:
Process ID 2420
Filename C:\file.exe
Filesize 38400 bytes
MD5 37a1579a13ccf47a98c22a1da7ed0091
Start Reason AnalysisTarget

New Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat6.tmp
C:\file.exe

Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\Rundll32.exe
\\.\PIPE\lsarpc

Deleted Files
C:\WINDOWS\system32\VERCLSID.exe
C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_re1D.tmp

Chronological order
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat6.tmp
Set File Attributes: C:\WINDOWS\system32\VERCLSID.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\VERCLSID.exe
Set File Attributes: C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe
Create/Open File: C:\file.exe (OPEN_ALWAYS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\Rundll32.exe ()
Find File: Rundll32.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_re1D.tmp

Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = C:\file.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = C:\file.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 228 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 228 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 47 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 47 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 94 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 94 bytes]
HKEY_CURRENT_USER\_reg "" = "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "" =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C} "" =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "" = C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "" = Apartment

Reads
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""

Creates Process:
Filename () CommandLine: ("C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp") As User: () Creation Flags: ()

Start Process:
Process ID 2436
Filename C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp

New Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp
C:\WINDOWS\system32\drivers\beep.sys

Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
\\.\PIPE\lsarpc

Chronological order
Get File Attributes: C:\WINDOWS\system32\shell32.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\shell32.dll.manifest Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp ()
Find File: dat3.tmp
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp
Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp to C:\WINDOWS\system32\drivers\beep.sys
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

Reads
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""

Kill Process - Filename () CommandLine: () Target PID: (2436) As User: () Creation Flags: ()
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1640)

Open Service Manager - Name: "SCM"
Open Service - Name: "beep"
Start Service - Name: (beep) Display Name: () File Name: () Control: () Start Type: ()
Control Service - Name: (beep) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()

Create Process:
Process ID 688
Filename services.exe

Unload Driver - Name: (_HANDLE(0)_) Display Name: () File Name: () Control: () Start Type: ()
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\Beep) File Name: ()

Process ID 1640
Filename C:\WINDOWS\Explorer.EXE
Filesize 1032192 bytes
MD5 a0732187050030ae399b241436565e64
Start Reason InjectedCode