Reposted from: [url]http://hi.baidu.com/%B9%C2%B6%C0%B8%FC%BF%C9%BF%BF/[/url]

File name: explorer.exe
File size: 11636 bytes
AV name: Trojan-Downloader.Win32.Agent.blm (Kaspersky)
Packer: unknown
Language: MASM32 / TASM32
Type: backdoor / downloader
File MD5: e01388a75b670d9cbe54038eec8f5ecb
File SHA1: 80296d92d913526431fce628e1452c6f01194055

Behavior analysis:
1. Drops the malicious file:
%Systemroot%\system32\drivers\pcihdd.sys   6768 bytes
2. Registers it as a system service:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,\
   6e,00,74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
   00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,63,00,69,00,68,00,64,00,\
   64,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="PciHdd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd\Enum]
"0"="Root\\LEGACY_PCIHDD\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
3. Modifies the MBR by accessing PhysicalHardDisk0, PhysicalDrive0 and Harddisk0\DR0 directly.
This defeats restore cards: after a reboot the original system state is no longer restored.
4. Tries to overwrite the system file userinit.exe? This should be carried out by pcihdd.sys after the system reboots,
but it did not happen in my test.
5. If step 4 succeeds, it connects to hXXp://yu.8s7.net/cert.cer (58.221.254.103) and downloads trojans.
Roughly 7 or 8 of them (I don't remember exactly -_-), including account stealers for online games such as 魔域 and 梦幻``
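As an added example (not code from the original post), here is a small Python parser for the .reg fragment above: it decodes the hex(2) ImagePath back into a path and lists kernel-driver services (Type=1) so their image paths can be compared against a clean machine. SAMPLE_REG is a constructed copy of the PciHdd key with the Security blob left out.

```python
import re

# Constructed sample, copied from the PciHdd service key above (Security blob left out).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PciHdd]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,77,00,69,00,6e,00,\
   6e,00,74,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
   00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,63,00,69,00,68,00,64,00,\
   64,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="PciHdd"
"""

SERVICE_KERNEL_DRIVER = 0x1  # Type=1 means a kernel-mode driver (runs in ring 0)

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Handles dword, plain strings and hex(2) (REG_EXPAND_SZ stored as
    comma-separated UTF-16LE bytes, wrapped across lines with trailing backslashes).
    """
    text = re.sub(r"\\\r?\n\s*", "", text)      # join continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith("hex(2):"):
                data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
                keys[current][name] = data.decode("utf-16-le").rstrip("\x00")
            else:
                keys[current][name] = raw.strip('"')
    return keys

def kernel_driver_services(keys):
    """List (service name, decoded ImagePath, Start) for every kernel-driver
    service under the Services key, for comparison against a known-good baseline."""
    out = []
    for path, vals in keys.items():
        if "\\Services\\" in path and vals.get("Type") == SERVICE_KERNEL_DRIVER:
            out.append((path.rsplit("\\", 1)[-1], vals.get("ImagePath", ""), vals.get("Start")))
    return out

if __name__ == "__main__":
    for name, image, start in kernel_driver_services(parse_reg(SAMPLE_REG)):
        print(f"{name}: Start={start} ImagePath={image}")
```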
=================================================================
The shadow system I use blocked 机器狗 (Robot Dog) successfully, so I have no first-hand fix to write up.
In theory a modified MBR can only be rewritten``   :(
So let's take it one step at a time:
2. Open PowerRmv, tick "Prevent the object from being recreated" and enter:
C:\windows\system32\drivers\pcihdd.sys
3. Open SREng and delete:
Drivers
[PciHdd / PciHdd][Stopped/Manual Start]
   <\??\C:\windows\system32\drivers\pcihdd.sys><N/A>
4. Check the digital signature of that userinit.exe; if it does not pass Microsoft's verification, delete it and copy a clean one over``
5. Dealing with the batch of trojans:
Open SREng and delete:
Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
     <cmdbcs><C:\winnt\cmdbcs.exe>   []
     <AVPSrv><C:\winnt\AVPSrv.exe>   []
     <DbgHlp32><C:\winnt\DbgHlp32.exe>   []
     <DiskMan32><C:\winnt\DiskMan32.exe>   []
     <mppds><C:\winnt\mppds.exe>   []
     <upxdnd><C:\winnt\upxdnd.exe>   []
     <WinForm><C:\winnt\WinForm.exe>   []
     <msccrt><C:\winnt\msccrt.exe>   []
     <MsIMMs32><C:\winnt\MsIMMs32.exe>   []
6. Reboot, and after the reboot delete these files:
     [C:\winnt\system32\mppds.dll]   [N/A, ]
     [C:\winnt\system32\cmdbcs.dll]   [N/A, ]
     [C:\winnt\system32\WinForm.dll]   [N/A, ]
     [C:\winnt\system32\upxdnd.dll]   [N/A, ]
     [C:\winnt\system32\MsIMMs32.dll]   [N/A, ]
     [C:\winnt\system32\msccrt.dll]   [N/A, ]
     [C:\winnt\system32\AVPSrv.dll]   [N/A, ]
     [C:\winnt\system32\DbgHlp32.dll]   [N/A, ]
     [C:\winnt\system32\DiskMan32.dll]   [N/A, ]
Note: on an XP system the path is C:\windows
=====================================================
Actually this explorer.exe is just a dropper; the key part is the pcihdd.sys driver``
If it cannot be loaded, look how awkward things get -_-!:
[screenshot]
=====================================================
Some pics:
[screenshots]
Had some spare time``, so I traced it for a while :)
Haha`` since I was testing under the shadow system, I could only save things in text format``
Key part:
[screenshot]
MBR modification:
[screenshots]