木马Trojan-PSW.Win32.Magania.cjy

inst.exe,Setup.exe

Backdoor/Agent.apnf

病毒名称：Trojan-PSW.Win32.Magania.cjy

病毒类型：木马

江民杀毒10.00.650Backdoor/Agent.apnf1.395

NOD322.70.10avariantofWin32/PSW.OnLineGames.NFFtrojan4.185

该病毒为玛格尼亚病毒的新变种，释放一个DLL通过挂钩和内存截获来盗取网络游戏的帐号密码。运行之后将释放一些AV图片并打开，再释放病毒到ProgramFiles与WINDOWSHelp目录下。

行为分析

运行以后释放文件：

c:ProgramFilesinst.exe

Date:11-29-200711:00PM

Size:103,163bytes

c:ProgramFilesinst.txt

Date:11-29-200710:44PM

Size:0bytes

c:ProgramFilesSetup.exe

Date:12-28-20072:41PM

Size:76,388bytes

c:ProgramFilesMyPic2006924192650605.jpg

Date:7-19-20076:28AM

Size:7,613bytes

c:ProgramFilesMyPic2006924192732323.jpg

Date:7-19-20076:28AM

Size:7,649bytes

c:ProgramFilesMyPic2006924192810432.jpg

Date:7-19-20076:28AM

Size:7,598bytes

c:ProgramFilesMyPic2006924192810821.jpg

Date:7-19-20076:28AM

Size:13,258bytes

c:ProgramFilesMyPic2006924192810918.jpg

Date:7-19-20076:28AM

Size:7,702bytes

c:WINDOWS1.bat

Date:1-4-20081:06PM

Size:96bytes

c:WINDOWSHelpF3C74E3FA248.dll

Date:1-4-20031:06PM

Size:60,928bytes

c:WINDOWSHelpF3C74E3FA248.exe

Date:12-28-20072:41PM

Size:76,388bytes

图片均为AV图片。

释放问后运行

c:WINDOWSHelpF3C74E3FA248.dll

c:WINDOWSHelpF3C74E3FA248.exe

盗取游戏帐号密码。

建立服务进行开机启动：

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows

CurrentVersionExplorerShellExecuteHooks"{1DBD6574-D6D0-4782-94C3-69619E719765}"

Type:REG_SZ

Data:c:WINDOWSHelpF3C74E3FA248.dll

解决方案：

删除文件：

c:ProgramFilesinst.exe

c:ProgramFilesinst.txt

c:ProgramFilesSetup.exe

c:ProgramFilesMyPic2006924192650605.jpg

c:ProgramFilesMyPic2006924192732323.jpg

c:ProgramFilesMyPic2006924192810432.jpg

c:ProgramFilesMyPic2006924192810821.jpg

c:ProgramFilesMyPic2006924192810918.jpg

c:WINDOWS1.bat

c:WINDOWSHelpF3C74E3FA248.dll

c:WINDOWSHelpF3C74E3FA248.exe

删除注册表服务启动项目：

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows

CurrentVersionExplorerShellExecuteHooks{1DBD6574-D6D0-4782-94C3-69619E719765}