  
In-Depth Analysis

W32/Swizzor.K-tr
Overview

Virus Description
Last updated: Nov 30 2004
Captured: Nov 15 2004

Detected by FortiGate with virus definition version
FOS/V2.36: 4.514
FOS/V2.50: 4.514
FOS/V2.80: 4.514

Virus Characteristics
Threat level: 1 2 3 4 5
Virus length: 292,695
Virus type: Trojan horse

Affected systems
TCP system service vulnerability
MS-Windows

Other names
TrojanDownloader.Win32.Swizzor.bz [KAV]

Symptoms
On an infected system, the following Internet shortcuts are created on the desktop -

Bingo .lnk
Card Games.lnk
Casino Online.lnk
Internet .lnk
Poker .lnk
Printer Cartridges.lnk
Travel .lnk
Website Hosting.lnk

The links point to "search200.com" or other gambling sites.

In addition, the trojan creates at least 148 links in the IE Favorites folder, grouped as follows -

Antivirus.url
Casino Online.url
Computers.url
Games.url
Instant Messaging.url
Internet.url
Movie.url
Web Hosting.url
Computers\Antivirus.url
Computers\Communication Technology.url
Computers\Computer Jobs .url
Computers\Computer Programming.url
Computers\Domain Hosting.url
Computers\Dvd.url
Computers\Hosting.url
Computers\Inkjet Cartridge.url
Computers\Instant Messenger.url
Computers\Internet.url
Computers\Working From Home.url
Computers\Games\Computer game.url
Computers\Games\Gamecube.url
Computers\Games\Microsoft.url
Computers\Games\Playstation.url
Computers\Games\Quake.url
Computers\Games\Sega Dreamcast.url
Computers\Games\Xbox.url
Cool Stuff\Dating.url
Cool Stuff\Descrambler.url
Cool Stuff\Dvd To Cd.url
Cool Stuff\Mp3.url
Cool Stuff\Online Pharmacy.url
Cool Stuff\Pass Drug Test.url
Cool Stuff\Printer Cartridge.url
Cool Stuff\Satellite Television.url
Cool Stuff\Scratch Card.url
Cool Stuff\Video Surveillance.url
Dating\Christian dating.url
Dating\Dating Agency.url
Dating\Dating Service.url
Dating\Internet Dating.url
Dating\Jewish Dating.url
Dating\Online Dating.url
Home\Adjustable Bed.url
Home\Food Nutrition.url
Home\Health Plan.url
Home\Home Equity Loan.url
Home\Home Improvements.url
Home\Home Refinancing.url
Home\Home Security.url
Home\Interior Decorating .url
Home\Office Space.url
Home\Outdoor Cooking.url
Home\Outdoor Furniture.url
Home\Phone System.url
Home\Satellite Television.url
Home\Sleep Aids.url
Home\Timeshare.url
Home\Working From Home.url
Internet\Domain Registrations.url
Internet\Firewall.url
Internet\Flowers.url
Internet\Free Long Distance.url
Internet\Hosting.url
Internet\Internet Business.url
Internet\Investing Money.url
Internet\Jokes.url
Internet\Newsgroup.url
Internet\Online Football Games.url
Internet\Online Gaming.url
Internet\Spyware.url
Internet\Starting A Business.url
Internet\Web Marketing.url
Internet\Education\Adult Education.url
Internet\Education\Book.url
Internet\Education\College.url
Internet\Education\Community.url
Internet\Education\Education.url
Internet\Education\Essay.url
Internet\Education\School.url
Online Gaming\Bingo.url
Online Gaming\Black Jack Poker.url
Online Gaming\Casino Online.url
Online Gaming\Craps.url
Online Gaming\Gamble.url
Online Gaming\Jackpot.url
Online Gaming\Roulette Gambling.url
Online Gaming\Slots.url
Online Gaming\Sport Betting.url
Online Gaming\Sport Book.url
Online Gaming\Time Cards.url
Online Pharmacy\Buy Adipex.url
Online Pharmacy\Buy Celebrex.url
Online Pharmacy\Buy Fidrex.url
Online Pharmacy\Buy Ionamin.url
Online Pharmacy\Buy Meridia .url
Online Pharmacy\Buy Phentermine.url
Online Pharmacy\Buy Propecia.url
Online Pharmacy\Buy Soma.url
Online Pharmacy\Buy Tenuate.url
Online Pharmacy\Buy Ultram Online.url
Online Pharmacy\Buy Viagra.url
Online Pharmacy\Buy Xenical.url
Online Pharmacy\Consumer Consulting.url
Online Pharmacy\Doctor.url
Online Pharmacy\Mexican Pharmacy.url
Online Pharmacy\Pass Drug Test.url
Online Pharmacy\Pet Med.url
Online Pharmacy\Pharmacy Online.url
Shopping Gifts\Birthday Gift.url
Shopping Gifts\Cellular.url
Shopping Gifts\Christmas Gift.url
Shopping Gifts\Corporate Gift.url
Shopping Gifts\Digital Cameras.url
Shopping Gifts\Dress Fashion.url
Shopping Gifts\DVD Players.url
Shopping Gifts\Gift Basket.url
Shopping Gifts\Jewelry.url
Shopping Gifts\Leather Jackets.url
Shopping Gifts\Perfume.url
Shopping Gifts\Sexy Lingerie.url
Shopping Gifts\Shoes.url
Shopping Gifts\Smoke Shop.url
Shopping Gifts\Underwear.url
Shopping Gifts\Video Surveillance.url
Shopping Gifts\Watches.url
Shopping Gifts\Wedding Gifts.url
Shopping Gifts\Wine Gifts.url
Shopping Gifts\Womens Clothing.url
Travel\Air Travel.url
Travel\Cancun vacation.url
Travel\Car Rental.url
Travel\Cruises.url
Travel\Discount Travel.url
Travel\Europe Travel.url
Travel\Family Vacation.url
Travel\Hawaii Travel.url
Travel\Hotels.url
Travel\Las Vegas Hotel.url
Travel\London Hotel.url
Travel\New York.url
Travel\Orlando Hotel.url
Travel\Resort.url
Travel\Skiing.url
Travel\Timeshare.url
Travel\Travel Agent.url
Travel\Travel Insurance.url
Travel\Vacation.url
Travel\World Travel.url

Attack Analysis

This is a 32-bit trojan packed with UPC; the file is 292,695 bytes long. When run, it creates a hidden IE process and injects its own code into that process. The trojan then retrieves binary executables from fixed URLs.

File Downloader

The trojan fetches further UPC-packed files from subdomains of "lop.com". The specific address is -

%random%.bins.lop.com/bins/int/

Here %random% is a random string. A DNS query for the domain resolves to the IP address 66.220.17.158. TCP tracing showed that the trojan also connects to other similar addresses -

66.220.17.154
66.220.17.158
66.220.17.169

The downloaded files are binaries with the .int extension, for example -

upAYB.int
dkgen_up.int
tp_map6.int
updbho2.int
upd_admn.int
kr2.int

The downloaded files are stored in newly created folders. The trojan creates directories with very odd names, for example -

C:\..\All Users\Application Data\admin title delete defy\
C:\..\%user name%\Application Data\JUMP ROAD NOUN\

In these folders the trojan renames the downloaded files to .exe. File names include -

Close amen remote more.exe
GRIM THE SURF.exe
hope drv readme.exe
Owns This Vc.exe
sjypglqj.exe
Drive bin.exe

Many of the downloaded programs are spyware/adware.

Loading at System Startup

The trojan adds some of the downloaded programs to the registry startup entries.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"thunkburn" = %path%\Owns This Vc.exe

HKEY_CLASSES_ROOT\CLSID\{%unique CLSID%}
"64535DBE" = 2C0411726CB7B446F792

HKEY_CLASSES_ROOT\CLSID\{%unique CLSID%}\InprocServer32\
"(Default)" = %path%\Drive bin.exe
"ThreadingModel" = Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"DeleteDefySendRoad" = %path%\Thunkfilm.exe

One "good" aspect: at least one of these programs comes with an uninstaller and can be removed via "Add/Remove Programs" in the Control Panel -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\64 slow user\
"DisplayName" = Search Plugin
"UninstallString" = %path%\Owns This Vc.exe -uninstall
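As an added example (not from the Fortinet entry), this Python triage check parses a .reg export and flags the two persistence patterns described above: a Run value launching an .exe from Application Data, and a CLSID InprocServer32 default value pointing at an .exe rather than a DLL. The export text is constructed, with a placeholder CLSID and made-up paths standing in for %path%.

```python
import re

# Constructed .reg export modelled on the entries above; the CLSID is a
# placeholder and the paths are made up (the page shows them as %path%).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"thunkburn"="C:\\Documents and Settings\\user\\Application Data\\JUMP ROAD NOUN\\Owns This Vc.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Documents and Settings\\All Users\\Application Data\\admin title delete defy\\Drive bin.exe"
"ThreadingModel"="Apartment"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# value name (or @ for the default value) = quoted string data
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
            yield key, name, data

def suspicious_entries(text):
    """Return (key, value_name, reason) for values matching the persistence patterns above."""
    findings = []
    for key, name, data in parse_reg(text):
        low = data.lower()
        leaf = key.rsplit("\\", 1)[-1].lower()
        if leaf == "run" and "\\application data\\" in low and low.endswith(".exe"):
            findings.append((key, name, "autorun launches an .exe from Application Data"))
        elif leaf == "inprocserver32" and name == "(Default)" and low.endswith(".exe"):
            findings.append((key, name, "in-process COM server is an .exe, not a DLL"))
    return findings

if __name__ == "__main__":
    for key, name, reason in suspicious_entries(SAMPLE_REG):
        print(f"{key}\\{name}: {reason}")
```

A real export comes from `reg export` of the Run and CLSID keys; the legitimate ctfmon.exe entry in the sample shows that a system32 autorun is not flagged.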
 

 
Remediation
Use the web interface to check whether the FortiGate virus definitions are up to date; update to the latest definitions, using the "Allow Push Update" option if necessary.


 
 

Copyright © 2003 Fortinet Inc.