Title: Trojan.Generic.rnn virus analysis
Category: Hot virus topics    Date: 2012/9/18 5:13:57 PM



Trojan.Generic.rnn is an infected system DLL whose original functionality has been altered. The DLL poses as the system's lpk.dll; after modification it keeps only the export table of the original DLL, so that programs loading it do not hit errors that would crash the system. Once lpk.dll is infected, a resource is written into it, and that resource is an executable file.


Virus description

Virus name              :  Trojan.Generic.rnn
File MD5                :  6781b0be83d99c66eb95b4750db10f6b
File size               :  77,312 bytes
Development environment :  C++
Packed                  :  No


Document disclosure level: Fully public

 

Virus executable description:

    When Trojan.Generic.rnn is loaded, it first checks whether its current file name is "lpk.dll". If it is not, it extracts the executable host program from its resources into the temporary directory "temp" and runs it immediately. After the executable runs, it adds a system service and connects to the network to download other malware onto the local computer, compromising the security of the user's system.


Virus behaviour flow analysis:

1. Trojan.Generic.rnn does not run on its own; it is loaded by other executable programs. After the system is infected, an infected lpk.dll is placed in the directory of every executable; when an executable runs, the lpk.dll in its own directory is automatically loaded in preference to the system copy.

2. On first execution, Trojan.Generic.rnn checks whether its own name is lpk.dll; if not, it extracts its host executable from its resources into the "temp" directory and immediately creates a process to run it. To prevent being loaded more than once, the DLL creates a mutex named "Nationalpmm": when the same process loads lpk.dll a second time, the environment setup is skipped.

3. After the file dropped by Trojan.Generic.rnn runs in the "temp" directory, it adds a service entry to the system. It first copies itself into the "c:\windows\system32" directory, renaming the file to xxx.exe (where xxx is the system time), then calls the system API to add a service named "Nationalpmm" whose service file is "c:\windows\system32\tsqse.exe". The file name is random, but the service name is the same on every load. Once the environment is set up, it starts the service.

4. When the service starts, it creates a puppet process to download other malware: Svchosts.exe is created in a suspended state. It then obtains that process's load base address and calls ZwUnmapViewOfSection to unmap the memory at that base. Next it calls VirtualAllocEx to allocate new memory in the Svchosts.exe process, sized to the program to be injected (its own image size). It uses WriteProcessMemory to overwrite the Svchosts.exe process's base address with the address of the newly allocated memory, then uses WriteProcessMemory again to write its own code into the Svchosts.exe address space. It sets the process state with SetThreadContext and finally calls ResumeThread to let the Svchosts.exe process continue running.

5. Svchosts.exe exits automatically once its work is done. Its job is to enumerate the executables on the current disk and drop a hidden infected lpk.dll into the directory of each executable, ensuring that the malware survives removal. It also calls URLDownloadToFile to connect to a website and download other malware.

 

Virus technical highlights

    Trojan.Generic.rnn is destructive to the system. The infected files and programs continuously replicate and check themselves while running, and a single host file serves several purposes: it can execute by itself, it can be added as a service to keep running, and its module can be invoked by other programs, which resists removal. To evade antivirus, it parasitizes a puppet "Svchosts.exe" process, confusing AV detection. EXEs are "infected" by hijacking lpk.dll in the same directory; the EXE files themselves are not modified, which makes the infection relatively stealthy.


Virus removal procedure

1. Scan all processes for Lpk.dll (the infected hijack file) by memory signature and unload its memory image;
2. Locate the value PendingFileRenameOperations under HKLM\SYSTEM\ControlSet001\Control\Session Manager and clear it;
3. Find and delete the service Distribukhq, and delete the service's executable file; its path is shown in ImagePath under HKLM\SYSTEM\ControlSet001\Services\Nationalpmm;
4. Delete Hrxx.tmp from the Local Settings\Temp directory; look in the windows\temp directory for hrxx.tmp and delete it;
5. Search the directories on every drive for lpk.dll with the system, read-only and hidden attributes, and delete any found;
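As an added example (not the report's own code), the following PowerShell implements the sweep in steps 3 and 5 plus a check for the "Nationalpmm" mutex from the behaviour analysis; run it as Administrator. It assumes that genuine lpk.dll copies live only under %SystemRoot%, that any other copy or any copy matching the report's MD5 is the trojan, and that CurrentControlSet can stand in for the report's ControlSet001.

```powershell
# Added example, not code from the original report: a triage sweep implementing
# cleanup steps 3 and 5 plus a check for the "Nationalpmm" mutex. Assumptions:
# genuine lpk.dll copies live only under %SystemRoot%; any other copy, or any copy
# matching the report's MD5, is the trojan; CurrentControlSet replaces ControlSet001.
$KnownBadMd5 = '6781b0be83d99c66eb95b4750db10f6b'   # MD5 listed in the report
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Nationalpmm'

function Test-TrojanMutex {
    # If the "Nationalpmm" mutex can be opened, an infected lpk.dll is already resident.
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting('Nationalpmm', [ref]$m)) { $m.Dispose(); return $true }
    return $false
}

function Get-TrojanServiceImage {
    # Step 3: ImagePath of the service names the dropped executable in System32.
    $p = Get-ItemProperty -LiteralPath $ServiceKey -Name ImagePath -ErrorAction SilentlyContinue
    if ($p) { return $p.ImagePath }
}

function Find-RogueLpk {
    # Step 5: sweep every local drive for lpk.dll copies; -Remove also clears attributes and deletes.
    param([switch]$Remove)
    $roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
    foreach ($r in $roots) {
        Get-ChildItem -LiteralPath $r.Root -Filter 'lpk.dll' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inWindows = $_.FullName.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLowerInvariant()
            $knownBad = ($md5 -eq $KnownBadMd5)
            if ($inWindows -and -not $knownBad) { return }   # genuine system copy, skip
            $hit = [pscustomobject]@{
                Path = $_.FullName; MD5 = $md5; KnownBad = $knownBad
                Hidden   = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                System   = (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
                ReadOnly = (($_.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0)
            }
            if ($Remove) {
                $_.Attributes = [IO.FileAttributes]::Normal   # strip RO/Hidden/System before deleting
                Remove-Item -LiteralPath $_.FullName -Force
            }
            $hit
        }
    }
}

"Mutex present: $(Test-TrojanMutex); service ImagePath: $(Get-TrojanServiceImage)"
Find-RogueLpk | Format-Table -AutoSize   # add -Remove once the hits have been reviewed
```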

Copyright © 江民科技 1996 - 2021 All Rights Reserved
General agent: 六合國際實業有限公司  E-mail: jiangmin@jiangmin.com.tw