本文详细分析了一种名为Troj/Tompai-B的木马病毒,该病毒针对Windows平台,通过复制自身并修改注册表实现自启动。Troj/Tompai-B能够改变IE设置,并通过联系预定义URL及发送邮件报告感染状态。此外,它还为远程用户提供了一系列控制选项。
Troj/Tompai-B
Form: http://www.sophos.com
Backdoor.Trojan cmpku.exe cmpkunt.exe
近来计算机莫明奇妙的现象。还有些奇怪的进程。查了资料后才知道是中毒了。哎。。。在显示所有文件和显示后缀名的时候。刷新后又变回去了,,
This section is for technical experts who want to know more.
Troj/Tompai-B is a backdoor Trojan for the Windows platform.
When first run Troj/Tompai-B copies itself to mapserver.exe in the Windows folder and creates three copies of itself in the <system> folder. One of these copies will be called
mainsv.exe and the others are chosen randomly from the following pairs of names:
cmpku.exe and cmpkunt.exe
netcompt.exe and netcomptnt.exe
ptsnopt.exe and ptsnoptnt.exe
ntdllf.exe and ntdllfnt.exe
netcompt.exe and netcomptnt.exe
ptsnopt.exe and ptsnoptnt.exe
ntdllf.exe and ntdllfnt.exe
The following registry entries are created to run the copies of the Trojan.
HKCU/Software/Microsoft/Windows/CurrentVersion/Run
Ntcheck
<Windows>/mapserver.exe
Ntcheck
<Windows>/mapserver.exe
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
Cmpnt
<System>/<random name>.exe
Cmpnt
<System>/<random name>.exe
HKCU/Software/Microsoft/Windows/CurrentVersion/Runonce
Cmpnt
<System>/mainsv.exe
Cmpnt
<System>/mainsv.exe
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
Shell
<System>/mainsv.exe
Shell
<System>/mainsv.exe
Troj/Tompai-B changes settings for Microsoft Internet Explorer by modifying values under:
HKCU/Software/Microsoft/Windows/CurrentVersion/Internet Settings/Zones/
The Trojan also changes the following registry values:
显示所有文件和显示后缀名:
HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced/
Hidden
0x00000000
Hidden
0x00000000
HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced/
HideFileExt
0x00000001
HideFileExt
0x00000001
HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced/
ShowSuperHidden
0x00000000
ShowSuperHidden
0x00000000
Troj/Tompai-B will open a backdoor on the infected system and report the infection by contacting a predefined URL and via email.
Troj/Tompai-B gives the following options to a remote user:
Access folder.
Access parent folder.
Change attribute of file/folder.
Change drive.
Delete any file.
Execute any file.
Force PC to Shut Down.
Get IP WAN.
Get the date/time of the server.
Get the list of commands supported by the server
Get the list of the directories.
Get the list of the files.
Logoff PC.
Logout from the server.
Reboot the PC.
Show the User.
Access parent folder.
Change attribute of file/folder.
Change drive.
Delete any file.
Execute any file.
Force PC to Shut Down.
Get IP WAN.
Get the date/time of the server.
Get the list of commands supported by the server
Get the list of the directories.
Get the list of the files.
Logoff PC.
Logout from the server.
Reboot the PC.
Show the User.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
