I.
ការអធិប្បាយ
ចាប់ផ្តើមឆ្លងនៅ:
ថ្ងៃទី 23 ខែកុម្ភៈ
ឆ្នាំ 2008
ឈ្មោះមេរោគ:
Trojan.Win32.Agent.awyk
ឈ្មោះ file កូដ: 0x7C5C919274EA9BCD63546847BB672DFA
ប្រភេទ : Spyware
ទំហំ: 172,032 bytes
លំដាប់គ្រោះមធ្យម
ឈ្មោះ file កូដ: 0x7C5C919274EA9BCD63546847BB672DFA
ប្រភេទ : Spyware
ទំហំ: 172,032 bytes
លំដាប់គ្រោះមធ្យម
II. ពិស្តារពីបច្ចេកទេស
ប្រយ័ត្ន: ប្រភេទមេរោគខាងក្រោមនេះគឺអាចវាយប្រហារយ៉ាងខ្លាំង វាជាប្រភេទ វ៉ីរ៉ស ដែលមានលទ្ធភាពអាចផ្លាស់ប្តូរ file និងតោងជាប់នៅលើ
file របស់ យើង។
A)
ការផ្លាស់ប្តូរ
file
ឈ្មោះ file
|
ខ្មាត
|
Code file
|
ឈ្មោះមេរោគ
|
%System%\klomp.exe
|
5,120 bytes
|
0x264ED533FA75A1D6285A5576FB433D8D
|
Trojan-Downloader.Win32.Agent.aukz
|
%System%\qdbon.dll
[file and pathname of the sample #1] |
172,032 bytes
|
0x7C5C919274EA9BCD63546847BB672DFA
|
Trojan.Win32.Agent.awyk
|
B)
ការកែប្រែអង្គចងចាំ (Memory Modification)
File
ធ្វើសកម្មភាព
|
ឈ្មោះ Files
|
ទំហំ
|
klomp.exe
|
%System%\klomp.exe
|
16,384 bytes
|
Keys ដែលត្រូវបានបង្កើតនៅលើ Registry
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15B8F776-7581-3513-A87E-23F5C0EE529D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15B8F776-7581-3513-A87E-23F5C0EE529D}\InprocServer32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}\ProxyStubClsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}\ProxyStubClsid32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}\TypeLib
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\0\win32
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\FLAGS
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\HELPDIR
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15B8F776-7581-3513-A87E-23F5C0EE529D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15B8F776-7581-3513-A87E-23F5C0EE529D}\InprocServer32]
- (Default) = "[file and pathname of the sample #1]" = "[ឈ្មោះ file និង pathname នៃគំរូ #1]"
- ThreadingModel = "Apartment"
(ចំណាំ: គំរូ #1 គឺ %System%\qdbon.dll តាមតារាង A ខាងលើ។ CLSID ដដែលនេះត្រូវបានចុះឈ្មោះជា Browser Helper Object ផងដែរ (សូមមើល key ខាងក្រោម) ដូច្នេះ DLL នេះត្រូវបានផ្ទុកចូលក្នុង Internet Explorer នៅពេលវាដំណើរការ។)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{15B8F776-7581-3513-A87E-23F5C0EE529D}]
- (Default) = "D"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}\TypeLib]
- (Default) = "{743F1787-B124-320F-8C23-184AAE2503E2}"
- Version = "1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}\ProxyStubClsid32]
- (Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}\ProxyStubClsid]
- (Default) = "{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1939A923-4E9C-30C7-BE4E-6F7DFFA0EA88}]
- (Default) = "IDOMPeek"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\0\win32]
- (Default) = "[file and pathname of the sample #1]" = "[ឈ្មោះ file និង pathname នៃគំរូ #1]"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\HELPDIR]
- (Default) = "%System%\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0\FLAGS]
- (Default) = "0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{743F1787-B124-320F-8C23-184AAE2503E2}\1.0]
- (Default) = "LIB"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15B8F776-7581-3513-A87E-23F5C0EE529D}]
- IExplore = 0x00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
- Debugger = "%System%\klomp.exe"
(ចំណាំ: តម្លៃ Debugger នៅក្នុង Image File Execution Options ធ្វើឱ្យ Windows ដំណើរការ %System%\klomp.exe ជំនួសវិញ រាល់ពេលដែល iexplore.exe ត្រូវបានបើក ដូច្នេះ key នេះគឺជាយន្តការដែលមេរោគប្រើដើម្បីចាប់ផ្តើមដោយស្វ័យប្រវត្តិ ហើយគួរត្រូវបានត្រួតពិនិត្យ និងលុបចោលនៅពេលសម្អាត។)