Removing Backdoor.Trojan cmpku.exe cmpkunt.exe

This article analyses the behaviour of a Windows backdoor Trojan named Troj/Tompai-B. The Trojan copies itself and modifies the registry so that it starts automatically, changes Internet Explorer settings and the way hidden files are displayed, and opens a backdoor on the infected system that allows a remote user to perform a range of operations.
Troj/Tompai-B
Backdoor.Trojan cmpku.exe cmpkunt.exe
Lately my computer has been doing odd things, and there are some strange processes. After looking it up I learned it was infected. Sigh... When I turn on show all files and show file extensions, they revert after a refresh.
This section is for technical experts who want to know more.
Troj/Tompai-B is a backdoor Trojan for the Windows platform.
When first run, Troj/Tompai-B copies itself to mapserver.exe in the Windows folder and creates three copies of itself in the <system> folder. One of these copies will be called mainsv.exe and the others are chosen randomly from the following pairs of names:
cmpku.exe and cmpkunt.exe
netcompt.exe and netcomptnt.exe
ptsnopt.exe and ptsnoptnt.exe
ntdllf.exe and ntdllfnt.exe
The following registry entries are created to run the copies of the Trojan (each entry is listed as key, value name, and data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Ntcheck
<Windows>\mapserver.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Cmpnt
<System>\<random name>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
Cmpnt
<System>\mainsv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Shell
<System>\mainsv.exe
Troj/Tompai-B changes settings for Microsoft Internet Explorer by modifying values under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
The Trojan also changes the following registry values, which control the Explorer options to show all files and show file extensions (listed as key, value name, and data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden
0x00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HideFileExt
0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden
0x00000000
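As an added example (not code from the original post or from Sophos), the following Python script parses a .reg export and flags the persistence entries and Explorer values listed above; the key paths, value names and file names come from the description above, while SAMPLE_REG is a constructed export used only for demonstration.

```python
import re

# Indicators come from the Troj/Tompai-B description above. SAMPLE_REG is a
# constructed .reg export used for demonstration, not data from a real infected host.
CV = "\\software\\microsoft\\windows\\currentversion\\"
RUN_KEYS = {"hkey_current_user" + CV + "run", "hkey_current_user" + CV + "runonce",
            "hkey_local_machine" + CV + "run", "hkey_local_machine" + CV + "runservices"}
EXPLORER_KEY = "hkey_current_user" + CV + "explorer\\advanced"
DROPPED_NAMES = {"mapserver.exe", "mainsv.exe", "cmpku.exe", "cmpkunt.exe", "netcompt.exe",
                 "netcomptnt.exe", "ptsnopt.exe", "ptsnoptnt.exe", "ntdllf.exe", "ntdllfnt.exe"}
TAMPERED = {"Hidden": 0, "HideFileExt": 1, "ShowSuperHidden": 0}  # settings the Trojan forces
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ntcheck"="C:\\WINDOWS\\mapserver.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmpnt"="C:\\WINDOWS\\system32\\cmpku.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

def parse_reg(text):
    """Parse a .reg export into {key: {value name: data}}; collapses the doubled backslashes in string data."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = {}
        elif key is not None and (m := VALUE_RE.match(line)):
            name, dword, s = m.groups()
            entries[key][name] = int(dword, 16) if dword else s.replace("\\\\", "\\")
    return entries

def find_indicators(entries):
    """Return (kind, key, value name, data) for the Trojan's autoruns and Explorer tampering."""
    findings = []
    for key, values in entries.items():
        if key.lower() in RUN_KEYS:
            for name, data in values.items():
                # compare only the file name, since the Windows and System folders vary per host
                if isinstance(data, str) and data.strip('"').rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
                    findings.append(("autorun", key, name, data))
        elif key.lower() == EXPLORER_KEY:
            for name, forced in TAMPERED.items():
                if values.get(name) == forced:
                    findings.append(("explorer", key, name, forced))
    return findings
```

A benign Run entry such as ctfmon.exe is left unflagged, and the Explorer values are reported only when they hold the exact data the Trojan forces.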
Troj/Tompai-B will open a backdoor on the infected system and report the infection by contacting a predefined URL and via email.
Troj/Tompai-B gives the following options to a remote user:
Access folder.
Access parent folder.
Change attribute of file/folder.
Change drive.
Delete any file.
Execute any file.
Force PC to Shut Down.
Get IP WAN.
Get the date/time of the server.
Get the list of commands supported by the server.
Get the list of the directories.
Get the list of the files.
Logoff PC.
Logout from the server.
Reboot the PC.
Show the User.