|
卡卡技术团队
- 帖子:8368
- 注册:
2006-01-09
- 来自:
|
发表于:
2008-06-06 12:34
|
短消息
资料
是否是灰鸽子的初步判断方法
先用ESP定律把NSPack的壳给手脱了。附件为脱壳后的程序,压缩包无密码。 脱壳后再提交多引擎病毒扫描,出来的结果如下: 文件 iewoptimem_u.exe 接收于 2008.06.06 05:50:21 (CET) | 反病毒引擎 | 版本 | 最后更新 | 扫描结果 | | AhnLab-V3 | 2008.5.30.1 | 2008.06.05 | - | | AntiVir | 7.8.0.26 | 2008.06.05 | - | | Authentium | 5.1.0.4 | 2008.06.05 | - | | Avast | 4.8.1195.0 | 2008.06.06 | Win32:GrayBird-PY | | AVG | 7.5.0.516 | 2008.06.05 | - | | BitDefender | 7.2 | 2008.06.06 | - | | CAT-QuickHeal | 9.50 | 2008.06.05 | - | | ClamAV | 0.92.1 | 2008.06.06 | - | | DrWeb | 4.44.0.09170 | 2008.06.05 | - | | eSafe | 7.0.15.0 | 2008.06.05 | - | | eTrust-Vet | 31.6.5850 | 2008.06.05 | - | | Ewido | 4.0 | 2008.06.05 | - | | F-Prot | 4.4.4.56 | 2008.06.05 | - | | F-Secure | 6.70.13260.0 | 2008.06.06 | - | | Fortinet | 3.14.0.0 | 2008.06.06 | - | | GData | 2.0.7306.1023 | 2008.06.06 | Win32:GrayBird-PY | | Ikarus | T3.1.1.26.0 | 2008.06.06 | - | | Kaspersky | 7.0.0.125 | 2008.06.06 | - | | McAfee | 5311 | 2008.06.05 | - | | Microsoft | 1.3604 | 2008.06.06 | - | | NOD32v2 | 3162 | 2008.06.05 | - | | Norman | 5.80.02 | 2008.06.05 | - | | Panda | 9.0.0.4 | 2008.06.05 | - | | Prevx1 | V2 | 2008.06.06 | - | | Rising | 20.47.32.00 | 2008.06.05 | - | | Sophos | 4.30.0 | 2008.06.06 | - | | Sunbelt | 3.0.1145.1 | 2008.06.05 | - | | Symantec | 10 | 2008.06.06 | - | | TheHacker | 6.2.92.337 | 2008.06.06 | - | | VBA32 | 3.12.6.7 | 2008.06.05 | - | | VirusBuster | 4.3.26:9 | 2008.06.05 | - | | Webwasher-Gateway | 6.6.2 | 2008.06.06 | Win32.Malware.gen (suspicious) |
| | 附加信息 | | File size: 914944 bytes | | MD5...: f3526ba7f6ad11a18cc39063e1356b6a | | SHA1..: c441a85100db092b1fc55473afd125e2f8ef13b5 | | SHA256: e42f2df688f308f3d4a5a25ac92e89e9db395cdd41df161305edefa44c4aa4b2 | | SHA512: 8d4b0884144c8399d4656032a2fc847c231fc2a70949c28270d6d080af2c780b<BR>b93da85128ab592dfa1b7a1215eb682144e7514f9054762429d4e18c328c3197 | | PEiD..: - | | PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x484b48<BR>timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 4 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>.nsp0 0x1000 0xa3000 0xa3000 5.97 83feacb135e944436365b63c22a8a4cb<BR>.nsp1 0xa4000 0x39000 0x39000 7.89 d73c0f8d6a9875e315b748b300110a90<BR>.nsp2 0xdd000 0x6d4 0x6d4 0.00 6156a687057bd02c80f35ed9155a23c5<BR>.idata2 0xde000 0x2000 0x1e00 5.18 300f4265ca3fcf74d114467d86ae5789<BR><BR>( 17 imports ) <BR>> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlen, lstrcpyn, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle<BR>> USER32.DLL: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA<BR>> ADVAPI32.DLL: RegQueryValueExA, RegOpenKeyExA, RegCloseKey<BR>> OLEAUT32.DLL: SysFreeString, SysReAllocStringLen, SysAllocStringLen<BR>> kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA<BR>> ADVAPI32.DLL: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegCloseKey, GetUserNameA<BR>> kernel32.dll: lstrcpy, lstrcmp, WritePrivateProfileStringA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetProcessWorkingSetSize, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReleaseMutex, ReadFile, OpenProcess, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProfileStringA, GetProcAddress, GetPrivateProfileStringA, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateMutexA, CreateFileA, CreateEventA, CompareStringA, CloseHandle<BR>> VERSION.DLL: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA<BR>> GDI32.dll: UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtTextOutA, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt<BR>> USER32.DLL: CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, SendDlgItemMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterClipboardFormatA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessage, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyCursor, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout<BR>> kernel32.dll: Sleep<BR>> OLEAUT32.DLL: SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit<BR>> ole32.dll: CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize<BR>> WINSPOOL.DRV: OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter<BR>> SHELL32.DLL: Shell_NotifyIcon, ShellAboutA<BR>> SHELL32.DLL: SHGetSpecialFolderLocation, SHGetPathFromIDList, SHGetMalloc<BR>> COMDLG32.DLL: ChooseFontA<BR><BR>( 0 exports ) <BR> |
可以看到,之前报毒而现在不报的,显然是报壳的。 剩下只有三家报,两家还是报鸽子,一家报可疑。 那么我们就来先简单判断一下它是不是鸽子。 鸽子,众所周知,是Delphi写的win32服务程序,运行之后复制自身到某个目录(通常为系统目录)下,注册为服务,然后将病毒主体以系统服务的方式启动。
那么,其创建并运行自身服务的过程,必须包括对OpenSCManagerA、CreateServiceA、OpenServiceA、StartServiceA等API的调用。
其程序以服务启动之后,必须调用StartServiceCtrlDispatcherA来将其线程与SCManager相连接,使之能够对系统服务控制的指令进行响应。
在其服务控制响应线程中,必须调用RegisterServiceCtrlHandlerA、SetServiceStatus等API来完成对系统服务控制的响应
以上就是一个灰鸽子作为一个win32服务应用程序,并且作为病毒能够自己创建并启动自身的服务,所必须具有的要件。
以上提到的API,均由ADVAPI32.DLL导出,理应存在于脱壳后文件的输入表。并且,灰鸽子完成服务功能,所使用的是Delphi提供的TService类,该类对以上这些服务操作进行了封装,使用者在此类的基础上派生自己的服务程序类。在TService类中,以上提到的功能应是一应俱全的,因此这几个API是必然会出现在输入表的。然而从上述扫描结果可以看到,输入表中并没有出现这几个API。同样的,也不可能全部用GetProcAddress临时获取。因此,该程序缺乏win32服务应用程序的必要要件,它不但没有创建服务的功能,如以系统服务方式启动该程序,也会在启动后将因为没有注册响应系统服务控制的例程,而被系统中止,从而不可能以服务形式常驻内存。 当然你可以说现在的灰鸽子直接注入IE之后就结束自身了。但是结束自身是它自己退出,而不是因为没有正常的服务响应而被系统强制中止。 综上,通过以上的判断,已经可以断定,该程序不是灰鸽子,杀软的报毒为误报。
 附件:
您所在的用户组无法下载或查看附件
 轩辕小聪 最后编辑于 2008-06-06 12:51:02
|
