Worm.Win32.CONUS.E

感染途徑: 从互联网上下载, 下载了其他(tā)恶意软件

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

该恶意软件不具(jù)有(yǒu)任何后门例程。

文(wén)件大小(xiǎo): 253,952 bytes

报告日期: EXE

内存驻留: 是的

初始樣本接收日期: 2024年12月17日

Payload: 连接到 URL/Ip, 收集系统信息, 植入文(wén)件, 打开 Internet Explorer 窗口, 窃取信息

新(xīn)病毒详细信息

它以文(wén)件的形式出现在系统中(zhōng)，可(kě)能(néng)是其他(tā)恶意软件投放的，或者是用(yòng)户在访问恶意网站时无意中(zhōng)下载的。

安(ān)装(zhuāng)

它使用(yòng)不同的文(wén)件名(míng)在下列文(wén)件夹中(zhōng)植入自身的副本：

%User Temp%\conhost.exe → if sample is not running as this path and file name
{Removable Drive Letter}:\RECYCLER\Dcfly.exe
{Removable Drive Letter}:\{Folder Name in the Root Path of Removable Drive}.exe

(注意: %User Temp% 是当前用(yòng)户的 Temp 文(wén)件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)

它植入下列文(wén)件：

%User Temp%\ppxxxx → Used to hide .exe file extension and to create autorun registry, deleted afterwards
%User Temp%\tmpx5.tmp
%User Temp%\must.bat → executes commands that acquire information about the affected machine, deleted afterwards
%User Temp%\t.log
%User Temp%\s.log
%User Temp%\workgrp.tmp
%User Temp%\hostname.tmp
%User Temp%\sharedir.tmp
%User Temp%\sd.t
%User Temp%\winword4.doc → contains the stolen information from the commands executed by %User Temp%\must.bat
%User Temp%\WPDNSE\{Encrypted Computer Name}.NLS → archive file that contains stolen files
{Removable Drive Letter}:\RECYCLER\{Encrypted Computer Name}.NLS → archive file that contains stolen files

(注意: %User Temp% 是当前用(yòng)户的 Temp 文(wén)件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)

它添加下列进程：

regini.exe %User Temp%\ppxxxx
%User Temp%\conhost.exe → if sample is not running as this path and file name
cmd /c %User Temp%\must.bat
%System%\cmd.exe "cmd.exe /v:on /c %User Temp%\must.bat 2"
%System%\cmd.exe chcp
%System%\cmd.exe netuser
%System%\net.exe "%System%\net1 user"
%System%\cmd.exe "net localgroup administrators"
%System%\net.exe "%System%\net1 localgroup administrators"
%System%\cmd.exe tasklist
%System%\cmd.exe systeminfo
%System%\cmd.exe "ipconfig /all"
%System%\cmd.exe "netstat -ano"
%System%\cmd.exe "arp -a"
%System%\cmd.exe "netstat -r"
%System%\NETSTAT.EXE "%System%\cmd.exe /c "%System%\route.exe" print"
%System%\cmd.exe "%System%\route.exe print"
%System%\cmd.exe "nbstat -n"
%System%\cmd.exe "nbstat -c"
%System%\cmd.exe netstart
%System%\net.exe "%System%\net1 start"
%System%\cmd.exe "net use"
%System%\cmd.exe "%System%\cmd.exe /S /D /c" echo n""
%System%\cmd.exe "net share"
%System%\net.exe "%System%\net1 share"
%System%\cmd.exe "net user /domain"
%System%\net.exe "%System%\net1 user /domain"
%System%\cmd.exe "net view domain"
%System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\t.log""
%System%\cmd.exe "find /i /v "------""
%System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\s.log""
%System%\cmd.exe "find /i /v "domain""
%System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\t.log""
%System%\cmd.exe "find /i /v "completed successfully"
%System%\cmd.exe "net view /domain:"WORKGROUP""
%System%\cmd.exe "%System%\cmd.exe /S /D /c" type %User Temp%\workgrp.tmp""
%System%\cmd.exe "find "\""
%System%\cmd.exe "net view \{Networked Computer Name}""
%System%\cmd.exe "find "Disk""
%System%\cmd.exe "ping -n 1 {Networked Computer Name}"
%System%\cmd.exe "findstr /i "Pinging Reply Request Unknown""
%Program Files%\winrar\rar.exe u -apC -ed-tk -dh -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS "{Stolen File Name}"
%System%\xcopy.exe /d /c /i /h /r /y %User Temp%\WPDNSE\*.NLS {Removable Drive Letter}:\RECYCLER
%System%\xcopy.exe /d /c /i /h /r /y %User Temp%\Media\*.ldf {Removable Drive Letter}:\RECYCLER
%System%\xcopy.exe /d /c /i /h /r /y {Removable Drive Letter}:\RECYCLER\*NLS %User Temp\WPDNSE
%Program Files%\winrar\rar.exe u -apF -r -ed-tk -dh -sl5000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS {Removable Drive Letter}:\*.doc {Removable Drive Letter}:\*.docx {Removable Drive Letter}:\*.pdf {Removable Drive Letter}:\*.mvd {Removable Drive Letter}:\*.tif {Removable Drive Letter}:\*.xls {Removable Drive Letter}:\*.xlsx
%Program Files%\rar.exe u -ap172.{BLOCKED}.{BLOCKED}.{2-253}\C$ -r -ed -tk -dh -sl1000000 -hpThis32lPiece -ta{Current Date} %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.doc \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.docx \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.pdf \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.mvd \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.tif \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.xls \172.{BLOCKED}.{BLOCKED}.{2-253}\C$\*.xlsx

它创建下列文(wén)件夹：

%User Temp%\WPDNSE
{Removable Drive Letter}:\RECYCLER

(注意: %User Temp% 是当前用(yòng)户的 Temp 文(wén)件夹。通常位于 C:\Documents and Settings\{user name}\Local Settings\Temp (Windows 2000(32-bit)、XP 和 Server 2003(32-bit))、C:\Users\{user name}\AppData\Local\Temp (Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit) 和 10(64-bit)。)

自启动技(jì )术

它添加下列注册表项，在系统每次启动时自行执行：

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\Windows
Load = {Malware File Path}\{Malware File name}.exe

后门例程

该恶意软件不具(jù)有(yǒu)任何后门例程。

信息窃取

它收集下列数据:

From the infected machine:
- Computer name
- Current date and time
- Windows version
- Contents of %System%\boot.ini
- List of user accounts
- List of administrator groups
- List of running processes
- System information
- IP configuration
- Active connection and listening ports
- List of running services
- List of network connections
- List of domain user accounts
- List of domains
- List of computers in the domain
- List of directories in drives C:, D:, E:, F:, G:, H:, and I:

(注意: %System% 是 Windows 的 system 文(wén)件夹，通常位于 C:\Windows\System (Windows 98 和 ME)、C:\WINNT\System32 (Windows NT 和 2000) 和 C:\WINDOWS\system32 (Windows 2000(32-bit)、XP、Server 2003(32-bit)、Vista、7、8、8.1、2008(64-bit),2012(64bit) 和 10(64-bit))。)

其他(tā)详细信息

该程序执行以下操作(zuò)：

It sets the attributes of folders in removable drives to Hidden and System and creates a copy of itself in the removable drive using the file name of the folder that it has hidden.
It checks the recently opened files list, removable drives, and {IP Address}\C$ shares for files with the following extensions:
- .doc
- .docx
- .pdf
- .mvd
- .tif
- .xls
- .xlsx
It then adds the found files to the archive file %User Temp%\WPDNSE\{Encrypted Computer Name}.NLS.
It tries to access {IP Address}\C$ shares using the following IP addresses:
- 172.{BLOCKED}.{BLOCKED}.{2-253}
- 172.{BLOCKED}.{BLOCKED}.{2-253}
It uses the following username-password combination to access {IP Address}\C$ shares:
- A\adminlocal - ht@2013
- A\administrator - ttmt-anat
- A\administrator - ttmt-tcv-anat
- TCV\migrator - anat2012

最小(xiǎo)扫描引擎: 9.800

First VSAPI Pattern File: 19.782.05

VSAPI 第一样式发布日期: 2024年12月17日

VSAPI OPR样式版本: 19.783.00

VSAPI OPR样式发布日期: 2024年12月18日

Step 1

对于Windows ME和XP用(yòng)户，在扫描前，请确认已禁用(yòng)系统还原功能(néng)，才可(kě)全面扫描计算机。

Step 2

注意：在此恶意软件/间谍软件/灰色软件执行期间，并非所有(yǒu)文(wén)件、文(wén)件夹和注册表键值和项都会安(ān)装(zhuāng)到您的计算机上。这可(kě)能(néng)是由于不完整的安(ān)装(zhuāng)或其他(tā)操作(zuò)系统条件所致。如果您没有(yǒu)找到相同的文(wén)件/文(wén)件夹/注册表信息，请继续进行下一步操作(zuò)。

Step 3

重启进入安(ān)全模式

[ 更多(duō) ]

Step 4

删除该注册表值

[ 更多(duō) ]

注意事项：错误编辑Windows注册表会导致不可(kě)挽回的系统故障。只有(yǒu)在您掌握后或在系统管理(lǐ)员的帮助下才能(néng)完成这步。或者，请先阅读Microsoft文(wén)章，然后再修改计算机注册表。

In HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- Load = {Malware File Path}\{Malware File name}.exe

Step 5

搜索和删除这些文(wén)件

[ 更多(duō) ]

有(yǒu)些组件文(wén)件可(kě)能(néng)是隐藏的。请确认在"高级选项"中(zhōng)已选中(zhōng)搜索隐藏文(wén)件和文(wén)件夹复选框，使查找结果包括所有(yǒu)隐藏文(wén)件和文(wén)件夹。

%User Temp%\ppxxxx
%User Temp%\tmpx5.tmp
%User Temp%\must.bat
%User Temp%\t.log
%User Temp%\s.log
%User Temp%\workgrp.tmp
%User Temp%\hostname.tmp
%User Temp%\sharedir.tmp
%User Temp%\sd.t
%User Temp%\winword4.doc
%User Temp%\WPDNSE\{Encrypted Computer Name}.NLS
{Removable Drive Letter}:\RECYCLER\{Encrypted Computer Name}.NLS
%User Temp%\conhost.exe
{Removable Drive Letter}:\RECYCLER\Dcfly.exe
{Removable Drive Letter}:\{Folder Name in the Root Path of Removable Drive}.exe

DATA_GENERIC_FILENAME_1

在查找范围下拉列表中(zhōng)，选择

我的電(diàn)脑然后回車(chē)确认。

一旦找到，请选择文(wén)件，然后按下SHIFT+DELETE彻底删除文(wén)件。

对剩余的文(wén)件重复第2到4步： %User Temp%\ppxxxx
%User Temp%\tmpx5.tmp
%User Temp%\must.bat
%User Temp%\t.log
%User Temp%\s.log
%User Temp%\workgrp.tmp
%User Temp%\hostname.tmp
%User Temp%\sharedir.tmp
%User Temp%\sd.t
%User Temp%\winword4.doc
%User Temp%\WPDNSE\{Encrypted Computer Name}.NLS
{Removable Drive Letter}:\RECYCLER\{Encrypted Computer Name}.NLS
%User Temp%\conhost.exe
{Removable Drive Letter}:\RECYCLER\Dcfly.exe
{Removable Drive Letter}:\{Folder Name in the Root Path of Removable Drive}.exe

Step 6

搜索和删除这些文(wén)件夹

[ 更多(duō) ]

请确认在高级选项中(zhōng)已选中(zhōng)搜索隐藏文(wén)件和文(wén)件夹复选框，使查找结果包括所有(yǒu)隐藏文(wén)件夹。;
%User Temp%\WPDNSE
{Removable Drive Letter}:\RECYCLER

删除恶意软件/灰色软件/间谍软件文(wén)件夹：

右键单击然后搜索...或查找...（具(jù)體(tǐ)取决于您运行的Windows版本）。

在“要搜索的文(wén)件或文(wén)件夹名(míng)為(wèi)”输入框，输入：

%User Temp%\WPDNSE
{Removable Drive Letter}:\RECYCLER

在查找范围下拉列表中(zhōng)，选择
我的電(diàn)脑
然后回車(chē)确认。
一旦找到，请选择文(wén)件夹，然后按下SHIFT+DELETE彻底删除文(wén)件夹。

对剩余的文(wén)件夹重复第2到4步： %User Temp%\WPDNSE
{Removable Drive Letter}:\RECYCLER

概要

技(jì )术详细信息

解决方案