Source: http://www.threatexpert.com/report.aspx?md5=a0eddddb76ed7868a17317a70f5a7c33

Submission details:

Submission received: 28 February 2009, 05:41:02

Processing time: 10 min 55 sec

Submitted sample:

File MD5: 0xA0EDDDDB76ED7868A17317A70F5A7C33

File SHA-1: 0x0C688949FD503368A9BC2041B3E6AC41A64FFBA2

Filesize: 1,001,267 bytes

Alias:

Backdoor.Graybird [Symantec]

Generic.dx [McAfee]

Mal/EncPk-GT [Sophos]

Virus.Win32.Delf.DNR [Ikarus]

 

Threat Description

Malicious backdoor trojan that runs in the background and allows remote access to the compromised system.
The following files were created in the system:

1. %Temp%\WER53d9.dir00\manifest.txt
   File size: 1,332 bytes
   MD5:   0x33345850A0331AB96DE58E0D5D0C0ABD
   SHA-1: 0xA3B7C3DCF77C1B2A50B516435779EE5CE0EA1D9F
   Alias: (not available)

2. %Temp%\WER53d9.dir00\sysdata.xml
   File size: 115,010 bytes
   MD5:   0x8E2DDAB7F8924828F278A4697C9E76B9
   SHA-1: 0xC14119899A0D98B95CE5BB835CF94475AF0A0FA2
   Alias: (not available)

3. [pathname with a string SHARE]\rejoice48.exe
   [file and pathname of the sample #1]
   File size: 1,001,267 bytes
   MD5:   0xA0EDDDDB76ED7868A17317A70F5A7C33
   SHA-1: 0x0C688949FD503368A9BC2041B3E6AC41A64FFBA2
   Alias: Backdoor.Graybird [Symantec]
          Generic.dx [McAfee]
          Mal/EncPk-GT [Sophos]
          Virus.Win32.Delf.DNR [Ikarus]

4. %ProgramFiles%\_rejoice48.exe
   File size: 1,001,267 bytes
   MD5:   0x87DB6C7613B19E91F2AFB26438C673D3
   SHA-1: 0x5B8E49CB8D165FC55CABC54A0F99AC3FF62DC5C0
   Alias: (not available)

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

The following directory was created:

%Temp%\WER53d9.dir00

Memory Modifications

There was a new process created in the system:

Process name:     [filename of the sample #1]
Process filename: [file and pathname of the sample #1]
Main module size: 745,472 bytes

The following Registry Keys were created:

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE\0000

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Adobe Update System Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Adobe Update System Service\Security

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE\0000

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Adobe Update System Service

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Adobe Update System Service\Security

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE\0000]

 Service = "Adobe Update System Service"

 Legacy = 0x00000001

 ConfigFlags = 0x00000000

 Class = "LegacyDriver"

 ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

 DeviceDesc = "Adobe Update System Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE]

 NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Adobe Update System Service\Security]

 Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Adobe Update System Service]

 Type = 0x00000110

 Start = 0x00000002

 ErrorControl = 0x00000000

 ImagePath = "[pathname with a string SHARE]\rejoice48.exe"

 DisplayName = "Adobe Update System Service"

 ObjectName = "LocalSystem"

 Description = "Adobe Update System Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE\0000]

 Service = "Adobe Update System Service"

 Legacy = 0x00000001

 ConfigFlags = 0x00000000

 Class = "LegacyDriver"

 ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

 DeviceDesc = "Adobe Update System Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ADOBE_UPDATE_SYSTEM_SERVICE]

 NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Adobe Update System Service\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
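The Security value above (identical under ControlSet001) is a self-relative SECURITY_DESCRIPTOR that the report cuts off mid-byte, so it cannot simply be fed to a standard decoder. The following Python is an added example, not code from the report or the blog: it walks the descriptor header, the SACL and the DACL, decodes each access mask as service rights, and stops cleanly where the dump ends instead of crashing. The only input is the hex string copied from the report; the structure layout is the documented Windows one and nothing about the cut-off remainder is guessed.

```python
"""Decode the Security value the report dumps from
HKLM\\SYSTEM\\ControlSet00x\\Services\\Adobe Update System Service\\Security.

Added example, not code from the report or the blog. The value is a
self-relative SECURITY_DESCRIPTOR; the report cuts it off mid-byte, so the
parser returns what can be recovered and flags the truncation."""
import json
import struct

# Copied from the report; ControlSet001 and ControlSet002 carry identical bytes.
REPORTED_SECURITY = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 "
    "01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 FF 01 0F 0"
)

SD_CONTROL = {0x0004: "SE_DACL_PRESENT", 0x0010: "SE_SACL_PRESENT",
              0x1000: "SE_DACL_PROTECTED", 0x8000: "SE_SELF_RELATIVE"}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
ACE_FLAGS = {0x40: "SUCCESSFUL_ACCESS", 0x80: "FAILED_ACCESS"}  # audit flags seen here
SERVICE_RIGHTS = {
    0x00001: "SERVICE_QUERY_CONFIG", 0x00002: "SERVICE_CHANGE_CONFIG",
    0x00004: "SERVICE_QUERY_STATUS", 0x00008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x00010: "SERVICE_START", 0x00020: "SERVICE_STOP", 0x00040: "SERVICE_PAUSE_CONTINUE",
    0x00080: "SERVICE_INTERROGATE", 0x00100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}


def hex_to_bytes(text):
    """Return (bytes, cut_mid_byte); a trailing one-digit token means the dump stopped inside a byte."""
    tokens = text.split()
    cut = len(tokens[-1]) == 1
    if cut:
        tokens = tokens[:-1]
    return bytes(int(t, 16) for t in tokens), cut


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 48-bit big-endian authority, count x 32-bit LE sub-authorities."""
    if off + 8 > len(buf):
        return None
    rev, count = buf[off], buf[off + 1]
    if off + 8 + 4 * count > len(buf):
        return None
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def parse_acl(buf, off):
    """ACL header followed by ACEs; stops cleanly where the dump ends."""
    if off == 0 or off + 8 > len(buf):
        return None
    rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    acl = {"revision": rev, "size": size, "ace_count": count, "aces": [], "truncated": False}
    pos = off + 8
    for _ in range(count):
        # ACE_HEADER (type, flags, size) + ACCESS_MASK + SID; the SID parse also bounds-checks.
        sid = parse_sid(buf, pos + 8) if pos + 8 <= len(buf) else None
        if sid is None:
            acl["truncated"] = True  # ACE header, mask or SID runs past the data
            break
        atype, aflags, asize = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        acl["aces"].append({"type": ACE_TYPES.get(atype, "TYPE_%d" % atype),
                            "flags": decode_flags(aflags, ACE_FLAGS), "mask": mask,
                            "rights": decode_flags(mask, SERVICE_RIGHTS), "sid": sid})
        pos += asize
    return acl


def parse_security_descriptor(text):
    buf, cut = hex_to_bytes(text)
    if len(buf) < 20:
        raise ValueError("shorter than a SECURITY_DESCRIPTOR header")
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"revision": rev, "control": control, "control_flags": decode_flags(control, SD_CONTROL),
          "owner": parse_sid(buf, o_owner) if o_owner else None,
          "group": parse_sid(buf, o_group) if o_group else None,
          "sacl": parse_acl(buf, o_sacl), "dacl": parse_acl(buf, o_dacl)}
    sd["truncated"] = cut or (o_owner > 0 and sd["owner"] is None) or \
        any(a is not None and a["truncated"] for a in (sd["sacl"], sd["dacl"]))
    return sd


if __name__ == "__main__":
    print(json.dumps(parse_security_descriptor(REPORTED_SECURITY), indent=2))
```

Run stand-alone it prints the decoded descriptor: control 0x8014 (self-relative, DACL and SACL present), an owner offset of 0x90 that lies past the recorded bytes, a SACL with one failed-access audit ACE for Everyone (S-1-1-0, mask 0xF01FF), and a DACL announcing four ACEs of which only the first survives the cut: LocalSystem (S-1-5-18) with mask 0x201FD, every service-specific right except SERVICE_CHANGE_CONFIG plus READ_CONTROL. Nothing recoverable grants unusual rights, so this service's persistence comes from its Start, ObjectName and ImagePath values rather than from its ACL; the three missing ACEs cannot be judged from the report.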

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Adobe Update System Service]

 Type = 0x00000110

 Start = 0x00000002

 ErrorControl = 0x00000000

 ImagePath = "[pathname with a string SHARE]\rejoice48.exe"

 DisplayName = "Adobe Update System Service"

 ObjectName = "LocalSystem"

 Description = "Adobe Update System Service"
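The Services key above is the entire persistence mechanism: Type 0x110, Start 2, ObjectName LocalSystem and an ImagePath pointing at rejoice48.exe, dressed up with an Adobe display name. The following Python is an added example, not code from the report or the blog: it decodes the Type and Start bitfields and applies a handful of triage rules to a service key's values, run here against the values the report lists. The ImagePath C:\SHARE\rejoice48.exe is a constructed stand-in (the report only says the path contains the string SHARE), the trusted roots assume the Windows XP-era layout the report's %Temp% note describes, and BENIGN_CONTROL is a made-up comparison service, not something from the page.

```python
"""Triage a Windows service registry key for the persistence pattern the
ThreatExpert report records under Services\\Adobe Update System Service.

Added example, not from the report or the blog. The registry values are
copied from the report; the ImagePath is a constructed stand-in because the
report redacts it to "[pathname with a string SHARE]\\rejoice48.exe"."""
import re

SERVICE_TYPE = {0x001: "SERVICE_KERNEL_DRIVER", 0x002: "SERVICE_FILE_SYSTEM_DRIVER",
                0x010: "SERVICE_WIN32_OWN_PROCESS", 0x020: "SERVICE_WIN32_SHARE_PROCESS",
                0x100: "SERVICE_INTERACTIVE_PROCESS"}
SERVICE_START = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
                 3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}

# Assumed XP-era layout (the report's %Temp% note is for NT/2000/XP); adjust per host.
TRUSTED_ROOTS = (r"C:\WINDOWS", r"C:\Program Files")
ENV = {"%SystemRoot%": r"C:\WINDOWS", "%ProgramFiles%": r"C:\Program Files"}

REPORTED_SERVICE = {  # values as listed in the report
    "Type": 0x00000110, "Start": 0x00000002, "ErrorControl": 0x00000000,
    "ImagePath": r"C:\SHARE\rejoice48.exe",  # constructed stand-in for the redacted path
    "DisplayName": "Adobe Update System Service", "ObjectName": "LocalSystem",
    "Description": "Adobe Update System Service",
}
BENIGN_CONTROL = {  # constructed comparison case, not from the page
    "Type": 0x10, "Start": 0x3, "ErrorControl": 0x1,
    "ImagePath": r'"%ProgramFiles%\Vendor\vendor_update.exe" /svc',
    "DisplayName": "Vendor Update Service", "ObjectName": r"NT AUTHORITY\LocalService",
    "Description": "Checks for Vendor updates",
}


def decode_service_type(value):
    return [name for bit, name in sorted(SERVICE_TYPE.items()) if value & bit]


def decode_start(value):
    return SERVICE_START.get(value, "UNKNOWN_%d" % value)


def image_executable(image_path):
    """Extract the executable from an ImagePath that may be quoted, carry
    arguments, and use %SystemRoot%-style variables."""
    p = image_path.strip()
    for var, real in ENV.items():
        p = re.sub(re.escape(var), lambda _m, r=real: r, p, flags=re.IGNORECASE)
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p.split(" ", 1)[0]


def triage_service(values):
    """Return finding codes for one Services\\<name> key (order: config, account, type, path, name)."""
    findings = []
    exe = image_executable(values.get("ImagePath", ""))
    if values.get("Start") in (0, 1, 2):
        findings.append("AUTO_START")          # runs without anyone starting it
    if values.get("ObjectName", "").lower() == "localsystem":
        findings.append("LOCALSYSTEM")         # highest-privilege service account
    if values.get("Type", 0) & 0x100:
        findings.append("INTERACTIVE")         # may touch the interactive desktop
    if not any(exe.lower().startswith(root.lower() + "\\") for root in TRUSTED_ROOTS):
        findings.append("PATH_OUTSIDE_TRUSTED_ROOTS")
    # Heuristic: display name borrows a vendor name ("Adobe") while the binary
    # ("rejoice48.exe") shares no word with it.
    words = set(re.findall(r"[a-z]{4,}", values.get("DisplayName", "").lower())) - {"service", "system"}
    base = exe.rsplit("\\", 1)[-1].lower()
    if words and not any(w in base for w in words):
        findings.append("NAME_MISMATCH")
    return findings


def describe_service(values):
    return {"type": decode_service_type(values.get("Type", 0)),
            "start": decode_start(values.get("Start", -1)),
            "executable": image_executable(values.get("ImagePath", "")),
            "findings": triage_service(values)}


if __name__ == "__main__":
    for label, svc in (("reported", REPORTED_SERVICE), ("benign control", BENIGN_CONTROL)):
        print(label, describe_service(svc))
```

Against the reported values every rule fires: auto-start, LocalSystem, interactive own-process (0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS), a binary outside the Windows and Program Files trees, and a display name whose words never appear in the executable name; the constructed control yields no findings. Keying detection on the service configuration rather than on file hashes matters here, and the report itself shows why: %ProgramFiles%\_rejoice48.exe has exactly the sample's size but a different MD5 and SHA-1, so a hash-only indicator would miss that copy.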

 

 

 

So the fix is to go into regedit and get rid of every registry key related to rejoice48.exe. The trojan's actual file sits in Program Files on the system drive; the other file I couldn't find. But after I deleted all the keys and rebooted, everything was fine.

The reason I found this trojan at all: for two or three weeks my computer had an IEXPLORER.exe (uppercase) in Task Manager even though I clearly wasn't using IE, and as soon as I killed it, it came right back. I spent ages searching online and found no leads. Trojans and viruses disguising themselves as IE is actually pretty common, and it probably works well for fooling ordinary users, but for someone like me who doesn't use IE at all it was far too easy to catch. Since I could never find the virus's actual file I didn't deal with it and figured I would just reinstall.

Then yesterday the computer started showing other symptoms: Sleipnir would blow itself up to full screen and the window would jump around. While I was hammering away killing IEXPLORER.exe, at the instant I killed it I saw a different filename flash by in the process list before it turned into IEXPLORER.exe. After N rounds of me killing it and it restarting, I finally caught the offending filename: rejoice48.exe. I looked it up, rebooted into Safe Mode, deleted the registry keys and the files, rebooted again, and IEXPLORER.exe was gone.

However, the Sleipnir jumping-around problem is still not fixed...

Posted by tabrislin on PIXNET (痞客邦)