File name: explorer.exe
File size: 20400 Bytes
AV detection name: TrojanDownloader:Win32/Small.gen!N -- Microsoft
Packer: NsPack
File MD5: eccd9d6ce0766d1fc2b75287ed1908df
Behavior:
1. Drops file:
%systemroot%\system32\ wuauc1t.exe 20400 Bytes
2. Searches for available disks and creates explorer.exe and autorun.inf on them.
3. Attempts to download trojans from:
http://2.trojan8.com/dd/self.gif
http://2.trojan8.com/dd/gz.exe
http://2.trojan8.com/dd/do.exe
http://2.trojan8.com/dd/ar.exe
http://2.trojan8.com/dd/3.exe
http://2.trojan8.com/dd/4.exe
http://2.trojan8.com/dd/5.exe
http://2.trojan8.com/dd/6.exe
http://2.trojan8.com/dd/7.exe
http://2.trojan8.com/dd/8.exe
http://2.trojan8.com/dd/9.exe
http://2.trojan8.com/dd/10.exe
http://2.trojan8.com/dd/11.exe
http://2.trojan8.com/dd/12.exe
http://2.trojan8.com/dd/13.exe
http://2.trojan8.com/dd/14.exe
http://2.trojan8.com/dd/15.exe
http://2.trojan8.com/dd/16.exe
http://2.trojan8.com/dd/17.exe
http://2.trojan8.com/dd/2.exe
4. IFEO (Image File Execution Options) redirect hijacking of the following security products:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
