Worm.Win32.IRCBOT.SDY
Win32:Buzus-AOG (AVAST)
Windows
恶意软件类型:
Worm
有(yǒu)破坏性?:
没有(yǒu)
加密?:
没有(yǒu)
In the Wild:
是的
概要
它以文(wén)件的形式出现在系统中(zhōng),可(kě)能(néng)是其他(tā)恶意软件投放的,或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。
它植入AUTORUN.INF文(wén)件,当用(yòng)户访问受感染系统的驱动器时,自动执行植入的副本。
它连接到IRC(Internet中(zhōng)继聊天)服務(wù)器。 However, as of this writing, the said sites are inaccessible.
它在受感染计算机上收集特定信息。
它连接到某个网站,发送和接收信息。
技(jì )术详细信息
新(xīn)病毒详细信息
它以文(wén)件的形式出现在系统中(zhōng),可(kě)能(néng)是其他(tā)恶意软件投放的,或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。
安(ān)装(zhuāng)
它使用(yòng)不同的文(wén)件名(míng)在下列文(wén)件夹中(zhōng)植入自身的副本:
- If OS is Windows XP or older:
- %ProgramFiles%\CommonFiles\AdobeARM.exe → File attribute is set to system, hidden, readonly
- If OS is Windows 7 or newer:
- %Application Data%\AdobeARM.exe → File attribute is set to system, hidden, readonly
- {Removable or Remote Drive}\RECYCLER\{SID}\Autorunme.scr → File attribute is set to system, hidden, readonly
(注意: %Application Data% 是当前用(yòng)户的 Application Data 文(wén)件夹,通常位于 C:\Windows\Profiles\{user name}\Application Data (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Application Data (Windows NT)、C:\Documents and Settings\{user name}\Local Settings\Application Data (Windows 2000(32-bit)、XP 和 Server 2003(32-bit)) 和 C:\Users\{user name}\AppData\Roaming (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit))。)
它植入下列文(wén)件:
- {Removable or Remote Drive}\RECYCLER\{SID}\Desktop.ini → File attribute is set to system, hidden, read only
- {Removable or Remote Drive}\autorun.inf → File attribute is set to system, hidden, read only
它添加下列进程:
- If OS is Windows XP or older:
- %ProgramFiles%\CommonFiles\AdobeARM.exe {Malware PID} {Malware File Path}\{Malware File Name}
- If OS is Windows 7 or newer:
- %Application Data%\AdobeARM.exe {Malware PID} {Malware File Path}\{Malware File Name}
(注意: %Application Data% 是当前用(yòng)户的 Application Data 文(wén)件夹,通常位于 C:\Windows\Profiles\{user name}\Application Data (Windows 98 和 ME)、C:\WINNT\Profiles\{user name}\Application Data (Windows NT)、C:\Documents and Settings\{user name}\Local Settings\Application Data (Windows 2000(32-bit)、XP 和 Server 2003(32-bit)) 和 C:\Users\{user name}\AppData\Roaming (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit))。)
它创建下列将属性设置為(wèi)“系统”和“隐藏”的文(wén)件夹,以防止用(yòng)户发现并移除其组件:
- {Removable or Remote Drive}\RECYCLER
- {Removable or Remote Drive}\RECYCLER\{SID}
它添加下列互斥条目,确保一次只会运行一个副本:
- routerpccw
- pccwstormlite
- pccwlite
自启动技(jì )术
它添加下列注册表项,在系统每次启动时自行执行:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run (If OS is Windows XP or older)
Adobe ARMS = %ProgramFiles%\CommonFiles\AdobeARM.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run (If OS is Windows 7 or newer)
Adobe ARMS = %Application Data%\AdobeARM.exe
其他(tā)系统修改
它修改下列文(wén)件:
- If OS is Windows XP or older:
- %System%\drivers\tcpip.sys
(注意: %System% 是 Windows 的 system 文(wén)件夹,通常位于 C:\Windows\System (Windows 98 和 ME)、C:\WINNT\System32 (Windows NT 和 2000) 和 C:\WINDOWS\system32 (Windows 2000(32-bit)、XP、Server 2003(32-bit)、Vista、7、8、8.1、2008(64-bit),2012(64bit) 和 10(64-bit))。)
它添加下列注册表项作(zuò)為(wèi)其安(ān)装(zhuāng)例程的一部分(fēn):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run (If OS is Windows XP or older)
Patches = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List (If OS is Windows XP or older)
%Program Files%\Common Files\AdobeARM.exe = %Program Files%\Common Files\AdobeARM.exe:*:Enabled:Adobe ARMS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Tcpip\Parameters (If OS is Windows XP or older)
TcpNumConnections = 0x00FFFFFE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Dnscache\Parameters (If OS is Windows XP or older)
MaxCacheTtl = 0x00000708
它修改下列注册表项:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoFolderOptions = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoRun = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoFolderOptions = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer (If OS is Windows XP or older)
NoRun = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced (If OS is Windows XP or older)
Hidden = 2
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced (If OS is Windows XP or older)
ShowSuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced (If OS is Windows XP or older)
SuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
传播
它植入AUTORUN.INF文(wén)件,当用(yòng)户访问受感染系统的驱动器时,自动执行植入的副本。
上述的 .INF 檔案含有(yǒu)下列字串:
[autorun]
{garbage code}
USEAUTOPLAY=1
open=RECYCLER\{SID}\autorunme.scr
{garbage code}
action=Open folder to view files
{garbage code}
shell\open=Open
shell\open\command=RECYCLER\{SID}\autorunme.scr
shell\open\default=1
{garbage code}
后门例程
它连接到下列任一IRC(Internet中(zhōng)继聊天)服務(wù)器:
- tcp://{BLOCKED}opto.org:7562
However, as of this writing, the said sites are inaccessible.
信息窃取
它在受感染计算机上收集以下信息:
- OS version
- Computer name
- Locale Info
其他(tā)详细信息
它连接到下列网站,发送和接收信息:
- tcp://{BLOCKED}.0:71
该程序执行以下操作(zuò):
- It terminates itself if the following checks if it is running in a sandbox or virtual environment is successful:
- Loads sbiedll.dll.
- Checks if username is CurrentUser.
- Execute an instruction that will raise an exception in virtual machines.
- It terminates itself if it detects that it is being debugged.
- It injects code into explorer.exe that will start the malware if it is terminated.
- Based on code analysis, it has the capability to download files from its server and terminate processes.
解决方案
Step 1
对于Windows ME和XP用(yòng)户,在扫描前,请确认已禁用(yòng)系统还原功能(néng),才可(kě)全面扫描计算机。
Step 2
注意:在此恶意软件/间谍软件/灰色软件执行期间,并非所有(yǒu)文(wén)件、文(wén)件夹和注册表键值和项都会安(ān)装(zhuāng)到您的计算机上。这可(kě)能(néng)是由于不完整的安(ān)装(zhuāng)或其他(tā)操作(zuò)系统条件所致。如果您没有(yǒu)找到相同的文(wén)件/文(wén)件夹/注册表信息,请继续进行下一步操作(zuò)。
Step 3
重启进入安(ān)全模式
Step 4
删除该注册表值
注意事项:错误编辑Windows注册表会导致不可(kě)挽回的系统故障。只有(yǒu)在您掌握后或在系统管理(lǐ)员的帮助下才能(néng)完成这步。或者,请先阅读Microsoft文(wén)章,然后再修改计算机注册表。
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adobe ARMS = %ProgramFiles%\CommonFiles\AdobeARM.exe
- Adobe ARMS = %ProgramFiles%\CommonFiles\AdobeARM.exe
- In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adobe ARMS = %Application Data%\AdobeARM.exe
- Adobe ARMS = %Application Data%\AdobeARM.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Patches = 1
- Patches = 1
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
- %Program Files%\Common Files\AdobeARM.exe = %Program Files%\Common Files\AdobeARM.exe:*:Enabled:Adobe ARMS
- %Program Files%\Common Files\AdobeARM.exe = %Program Files%\Common Files\AdobeARM.exe:*:Enabled:Adobe ARMS
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpNumConnections = 0x00FFFFFE
- TcpNumConnections = 0x00FFFFFE
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- MaxCacheTtl = 0x00000708
- MaxCacheTtl = 0x00000708
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
- MaxNegativeCacheTtl = 0
- MaxNegativeCacheTtl = 0
DATA_GENERIC_ENTRY
Step 5
恢复该修改的注册表值
注意事项:错误编辑Windows注册表会导致不可(kě)挽回的系统故障。只有(yǒu)在您掌握后或在系统管理(lǐ)员的帮助下才能(néng)完成这步。或者,请先阅读Microsoft文(wén)章,然后再修改计算机注册表。
- InHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- From: NoFolderOptions = “1”
To: NoFolderOptions= “0” - From: NoFolderOptions = “1”
To:NoRun = “0”
To:NoFolderOptions = “0”
To:NoRun = “0”
To: Hidden = “1”
To:ShowSuperHidden = “1”
To:SuperHidden = “1”
Step 6
搜索和删除这些文(wén)件夹
- {Removable or Remote Drive}\RECYCLER\{SID}
- {Removable or Remote Drive}\RECYCLER
- {Removable or Remote Drive}\RECYCLER\{SID}
- {Removable or Remote Drive}\RECYCLER
Step 7
搜索和删除AUTORUN.INF文(wén)件,由Worm.Win32.IRCBOT.SDY创建,包含这些字符串
[autorun]
{garbage code}
USEAUTOPLAY=1
open=RECYCLER\{SID}\autorunme.scr
{garbage code}
action=Open folder to view files
{garbage code}
shell\open=Open
shell\open\command=RECYCLER\{SID}\autorunme.scr
shell\open\default=1
{garbage code}
Step 8
搜索和删除这些文(wén)件
- %ProgramFiles%\CommonFiles\AdobeARM.exe
- %Application Data%\AdobeARM.exe
- {Removable or Remote Drive}\RECYCLER\{SID}\Autorunme.scr
- {Removable or Remote Drive}\RECYCLER\{SID}\Desktop.ini
- %ProgramFiles%\CommonFiles\AdobeARM.exe
- %Application Data%\AdobeARM.exe
- {Removable or Remote Drive}\RECYCLER\{SID}\Autorunme.scr
- {Removable or Remote Drive}\RECYCLER\{SID}\Desktop.ini
Step 9
重启进入正常模式,使用(yòng)亚信安(ān)全产(chǎn)品扫描计算机,检测Worm.Win32.IRCBOT.SDY文(wén)件 如果检测到的文(wén)件已被亚信安(ān)全产(chǎn)品清除、删除或隔离,则无需采取进一步措施。可(kě)以选择直接删除隔离的文(wén)件。请参阅知识库页(yè)面了解详细信息。
Step 10
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
- %System%\drivers\tcpip.sys (If OS is Windows XP or older)
Step 11
使用(yòng)亚信安(ān)全产(chǎn)品扫描计算机,并删除检测到的Worm.Win32.IRCBOT.SDY文(wén)件 如果检测到的文(wén)件已被亚信安(ān)全产(chǎn)品清除、删除或隔离,则无需采取进一步措施。可(kě)以选择直接删除隔离的文(wén)件。请参阅知识库页(yè)面了解详细信息。