Virus name: Backdoor.Win32.IRCBot.acd (Kaspersky)
Virus size: 118,272 bytes
Packer: PE_PatchNTKrnl
Sample MD5: 71b015411d27794c3e900707ef21e6e7
Sample SHA1: 934b80b2bfbb744933ad9de35bc2b588c852d08e
Discovered: 2007.7
Updated: 2007.7
Propagation: via MSN
Technical analysis
==========
The worm sends its victim's MSN contacts a chat message together with an infected archive disguised as photos; a contact who accepts the archive and opens the virus file inside it becomes infected.
The file name of the archive sent to MSN contacts is not fixed, and the accompanying messages include Chinese pinyin.
Once run, the virus creates in the %Windows% directory a ZIP archive containing a copy of itself. The file name is not fixed: it consists of one of the following strings followed by random digits:
    images
    photos2007_
    album
    photo
    photo_album
    image0
For example:
    photos2007_79.zip (contains photos2007_79.scr)
    photo12.zip (contains photo12.scr)
Creates a copy of the virus:
    %System%\msn.exe
Drops a DLL that is injected into processes:
    %System%\notice.dll
Creates a ShellServiceObjectDelayLoad (SSODL) autostart entry, so the DLL is loaded by Explorer at logon through the registered COM server:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "modems"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
    [HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
    @="notice.dll"
Note: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} stands for a CLSID; the CLSID generated by the virus is not fixed, e.g. {8EA5A050-8F75-4443-9830-9949156E066F}.
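An SSODL entry is only a CLSID; the DLL that actually loads is found one hop away under HKEY_CLASSES_ROOT\CLSID\{...}\InProcServer32, so a triage check has to follow that indirection. The following script is an added example, not part of the original analysis: it parses a registry export (.reg text; the sample below is constructed, with the placeholder CLSID {00000000-0000-0000-0000-000000000001} for a benign entry and the CLSID quoted above for the virus) and flags SSODL entries whose COM server is a bare file name or lies outside the Windows directory, which is how the "modems" -> notice.dll pair above stands out.

```python
# Offline SSODL triage over an exported .reg file (added example, not the page's own code).
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed sample export modelled on the persistence entries described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{00000000-0000-0000-0000-000000000001}"
"modems"="{8EA5A050-8F75-4443-9830-9949156E066F}"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{8EA5A050-8F75-4443-9830-9949156E066F}\InProcServer32]
@="notice.dll"
"""


def parse_reg(text):
    """Parse .reg text into {key_path_lowercased: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes inside string data as "\\"
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def suspicious_ssodl(text):
    """Return [(value_name, clsid, dll)] for SSODL entries whose COM server is a
    bare file name (resolved via the DLL search path) or not under the Windows dir."""
    keys = parse_reg(text)
    hits = []
    for name, clsid in keys.get(SSODL_KEY.lower(), {}).items():
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").lower()
        server = keys.get(server_key, {}).get("(Default)", "")
        bare = "\\" not in server
        outside = not server.lower().startswith(("c:\\windows\\", "%systemroot%"))
        if bare or outside:
            hits.append((name, clsid, server))
    return hits


if __name__ == "__main__":
    for name, clsid, dll in suspicious_ssodl(SAMPLE_REG):
        print(f"suspicious SSODL entry {name!r} -> {clsid} -> {dll!r}")
```

On a live system the same check can be run against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad` plus the corresponding CLSID keys; the heuristic is deliberately loose, so verify each hit before removing it.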
Depending on the language of the infected system, the virus sends MSN contacts the corresponding text message together with the infected ZIP archive:
    Hey please look at me and my pet..:p
    Looking for hot summer pictures? well here they are!!(h)
    Look at me and my volleyball team, working our asses offff(h)
    Hey please look at me and my pet..:p
    Psssssst.... just between me and you, please accept:$
    This is me totaly naked:o please dont send to anyone else
    baksana Paris Hilton ne hale gelmis hapiste:(
    Sen ve Ben!!!.... BAK:p
    Baksana benim fotograflara hihi:p
    Hey benim fotolarimi kabul et:o!!
    Iyi arkadasimla fotorafdayim:$!!
    benim bu ciplak fotoda:o ama baskasina yollama
    Regarde les tof de mes vacances en tunisie loool
    Toi et moi!!!.... regarde:p
    hey stp regarde mes tof!
    Hey s'il te plait accepte mes photos:o!!
    Une tof de moi et...:$!!
    Kijk hoe erg Paris Hilton eraan toe is na gevangenschap:(
    Jij en Ik!!!!.... kijk:p
    Kijk eens naar mijn fotos hihi:p
    HEY!! accepteer mn fotos dan!
    met mijn beste vriend op de foto!!:$
    Dit ben ik naakt op de foto, stuur alsjeblieft niet door.
    guck wie scheisse Paris Hilton aussieht, seitdem sie wieder aus dem knast ist:(
    du und ich!!!.... guck:p
    siehe meine fotos hihi:p
    hey bitte nimm meine fotos an:o!!
    ein foto mit meinem besten freund und mir:$!!
    das bin ich total nackt:o bitte sende es niemand anderem
    Guarda come Paris Hilton sprecato? dopo che era imprijonata:(
    Tu ed io!!!.... guarda:p
    Guardi le mie foto hihi:p
    Maire e photos accept karo:o!!
    Una foto con me ed il mio amico migliore:$!!
    Questa e me totaly nudo:o prego non trasmette a chiunque
    Veja como Paris Hilton est? acabada depois de ter sido presa:(
    Voc? e eu!!!!.... Veja:p
    Veja as minhas fotos hehehe:p
    Por favor aceite as minhas fotos:o!!
    Uma foto com o meu melhor amigo e eu:$!!
    Esta sou eu totalmente nua:o por favor não mande isso pra ninguém
    kAN BALIXIERDUN JIN JIANYU HOU SHI DUOME QIAOCUI:(
    NI HE WO!!!.... QING KAN:p
    KAN WO DE ZHAOPIAN:p
    JIESHOU WO DE ZHAOPIAN:o!!
    YI ZHANG WO GEN WO PENGYOU ZUI HAO DE ZHAOPIAN:$!!
    ZHE SHI WO DE LUOZHAO:o QING BU YAO FA GEI BIEREN!!
    Kolla hur förstörd Paris Hilton är, efter att hon fängslades:(
    Du och jag!!.... Kolla;)
    Kolla p? min bilder, hihi:p
    Hey, acceptera mina bilder, snälla:o
    En bild p? mig och min bästa vän:$!!!
    Detta är jag HELT naken..:o Skicka inte till någon annan, snälla...
    Mira cómo Paris Hilton es perdida después de ser encarcelada:(
    Usted e yo!!!.... Mira:p
    Mira mis fotos jejeje:p
    Ha aceptado mis fotos por favor:o!!
    Una foto con mi mejor amigo e yo:$!!
    Esta soy yo totalmente desnuda:o por favor no envía para nadie
    Lede hvor spild Paris Hilton er efter hun fik fængsel:(
    Jer og Mig!!!... se:p
    Se p? min fotos:p
    Hej behage optage min foto:o!!
    EN foto hos mig og min bedst ven:$!!
    denne er mig hele bar behage vage vendlig og sende den ikk til nogle:o
Attempts to connect to the remote IRC server: john.free4people.net
Removal steps
==========
1. Remove the virus's autostart entry (Start menu > Run > type "regedit" to open the Registry Editor, navigate to the keys listed below and delete the values shown):
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "modems"="{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
and the corresponding:
    [HKEY_CLASSES_ROOT\CLSID\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\InProcServer32]
    @="notice.dll"
2. Restart the computer.
3. Delete the files:
    %System%\msn.exe
    %System%\notice.dll
    %userprofile%\new.txt
    %userprofile%\{6 random letters}.exe
as well as the virus archives in the %Windows% directory, about 116 KB in size, whose names consist of one of the following strings followed by random digits:
    images
    photos2007_
    album
    photo
    photo_album
    image0
For example:
    photos2007_79.zip (contains photos2007_79.scr)
    photo12.zip (contains photo12.scr)