ldr.exe

테스트를 실시한 환경은
Windows XP SP2 Professional 입니다 .

시스템에 ldr.exe 이란 파일이 다운로드되어 실행될 시
변경 사항입니다 .

파일 추가 사항

C:\WINDOWS\system32\twext.exe

레지스트리 변경 사항

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt
\currentversion\winlogon]
"userinit"="C:\WINDOWS\system32userinit.exe,"

위 정상 값이 아래 값으로 변경됨 .

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt
\currentversion\winlogon]
"userinit"="C:\WINDOWS\system32userinit.exe,C:\WINDOWS\system32\twext.exe,"

twext.exe가 시스템에 미치는 영향입니다 .

레지스트리 추가 사항

[HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam
\MUICache]
"C:\WINDOWS\system32\twext.exe"="twext"

위 두 파일의 검사 결과입니다 .

검사 파일: ldr.exe 전송 시각: 2009.02.02 20:07:53 (CET)
안티바이러스	엔진 버전	정의 날짜	검사 결과
a-squared	4.0.0.93	2009.02.02	Trojan-Spy.Win32.Zbot!IK
AhnLab-V3	5.0.0.2	2009.02.02	-
AntiVir	7.9.0.71	2009.02.02	-
Authentium	5.1.0.4	2009.02.02	-
Avast	4.8.1281.0	2009.02.02	Win32:Rootkit-gen
AVG	8.0.0.229	2009.02.02	Crypt.CJW
BitDefender	7.2	2009.02.02	-
CAT-QuickHeal	10.00	2009.02.02	(Suspicious) - DNAScan
ClamAV	0.94.1	2009.02.02	-
Comodo	959	2009.02.02	-
DrWeb	4.44.0.09170	2009.02.02	-
eSafe	7.0.17.0	2009.02.01	Suspicious File
eTrust-Vet	31.6.6337	2009.02.02	-
F-Prot	4.4.4.56	2009.02.02	-
F-Secure	8.0.14470.0	2009.02.02	-
Fortinet	3.117.0.0	2009.02.02	-
GData	19	2009.02.02	Win32:Rootkit-gen
Ikarus	T3.1.1.45.0	2009.02.02	Trojan-Spy.Win32.Zbot
K7AntiVirus	7.10.615	2009.02.02	Trojan.Win32.Malware.1
Kaspersky	7.0.0.125	2009.02.02	-
McAfee	5514	2009.02.02	-
McAfee+Artemis	5514	2009.02.02	Generic!Artemis
Microsoft	1.4306	2009.02.02	TrojanSpy:Win32/Zbot.gen!C
NOD32	3819	2009.02.02	a variant of Win32/Kryptik.GA
Norman	6.00.02	2009.02.02	-
nProtect	2009.1.8.0	2009.02.02	-
Panda	9.5.1.2	2009.02.02	-
PCTools	4.4.2.0	2009.02.02	-
Prevx1	V2	2009.02.02	-
Rising	21.14.61.00	2009.02.01	Trojan.Clicker.Win32.Undef.gj
SecureWeb-Gateway	6.7.6	2009.02.02	-
Sophos	4.38.0	2009.02.02	Troj/FakeAle-LE
Sunbelt	3.2.1835.2	2009.01.16	-
Symantec	10	2009.02.02	Suspicious.MH690
TheHacker	6.3.1.5.243	2009.02.02	-
TrendMicro	8.700.0.1004	2009.02.02	-
VBA32	3.12.8.12	2009.02.01	Malware-Cryptor.Win32.Stit
ViRobot	2009.2.2.1585	2009.02.02	-
VirusBuster	4.5.11.0	2009.02.02	-

추가 정보
File size: 56320 bytes
MD5...: 42e8ecada9e3791a6b3dea798ce4362a
SHA1..: c554756ba4868a8cf3da1898fff657d99aa17a4c
SHA256: 1df53b8bc1e507c46dadc12903beccc39efdc3317e751e936c46513bb5e0fcbd
SHA512: f4a3867490703b6efa0c5bc4d908bc8ae0dc0f67e5c89ca95fb434e359637700 fd3608a0f8c1ae6865c1d48d048e6019d81ac3e6ae336adecdb2be8acc01bd82
ssdeep: 1536:zVy370dYuFcHEmrcCMRBYHAkEOIO9TJBZe7JU8+7ztZ:zVyrLBEIcjkEjO9 s7JUFD
PEiD..: -
TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.2%) Clipper DOS Executable (9.1%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%)
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1007 timedatestamp.....: 0x461110d4 (Mon Apr 02 14:19:00 2007) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xe000 0xd200 7.99 1278f356611a1d8344c77d6288187a84 .data 0xf000 0x17000 0x600 4.65 bc03a809dbd56a18b7777b71dce1ad68 ( 4 imports ) > KERNEL32.DLL: lstrlenA, GetProcAddress, ReadConsoleOutputCharacterA, GetPrivateProfileSectionW, GetModuleHandleA, GetCommandLineA, ExitProcess, Module32First, CreateMutexW, SetComputerNameA, ResetWriteWatch, TerminateThread, ExpandEnvironmentStringsW, GetProcessAffinityMask, LocalCompact, GetCommState, ReadFileEx, InterlockedDecrement > USER32.DLL: SetDeskWallpaper, DlgDirListW, SetMessageExtraInfo, EnableScrollBar, EditWndProc, CreateAcceleratorTableA, SetRect, GetCaretBlinkTime, CallNextHookEx > GDI32.DLL: GetObjectType, GetTextExtentExPointW, SelectObject, SetWindowOrgEx, FillPath, ResizePalette, GetObjectA, GetROP2, SetTextAlign, OffsetWindowOrgEx, PtInRegion > ADVAPI32.DLL: SetServiceObjectSecurity, RegisterServiceCtrlHandlerW, InitializeSecurityDescriptor, SetNamedSecurityInfoW, RegSetValueA, CryptDecrypt, BuildExplicitAccessWithNameW, CryptHashData, CryptSignHashW, CryptDeriveKey, CryptAcquireContextA, GetAce, RegLoadKeyW, GetAuditedPermissionsFromAclW, CryptCreateHash, LookupPrivilegeDisplayNameW, CryptDuplicateKey, AbortSystemShutdownA ( 0 exports )
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=42e8ecada9e3791a6b3dea798ce4362a' target='_blank'>http://www.threatexpert.com/report.aspx?md5=42e8ecada9e3791a6b3dea798ce4362a</a>

검사 파일: twext.exe 전송 시각: 2009.02.02 20:12:49 (CET)
안티바이러스	엔진 버전	정의 날짜	검사 결과
a-squared	4.0.0.93	2009.02.02	-
AhnLab-V3	5.0.0.2	2009.02.02	-
AntiVir	7.9.0.71	2009.02.02	-
Authentium	5.1.0.4	2009.02.02	-
Avast	4.8.1281.0	2009.02.02	Win32:Rootkit-gen
AVG	8.0.0.229	2009.02.02	Crypt.CJW
BitDefender	7.2	2009.02.02	-
CAT-QuickHeal	10.00	2009.02.02	-
ClamAV	0.94.1	2009.02.02	-
Comodo	959	2009.02.02	-
DrWeb	4.44.0.09170	2009.02.02	-
eSafe	7.0.17.0	2009.02.01	-
eTrust-Vet	31.6.6337	2009.02.02	-
F-Prot	4.4.4.56	2009.02.02	-
F-Secure	8.0.14470.0	2009.02.02	-
Fortinet	3.117.0.0	2009.02.02	-
GData	19	2009.02.02	Win32:Rootkit-gen
Ikarus	T3.1.1.45.0	2009.02.02	-
K7AntiVirus	7.10.615	2009.02.02	Trojan.Win32.Malware.1
Kaspersky	7.0.0.125	2009.02.02	-
McAfee	5514	2009.02.02	-
McAfee+Artemis	5514	2009.02.02	-
Microsoft	1.4306	2009.02.02	TrojanSpy:Win32/Zbot.gen!C
NOD32	3819	2009.02.02	a variant of Win32/Kryptik.GA
Norman	6.00.02	2009.02.02	-
nProtect	2009.1.8.0	2009.02.02	-
Panda	9.5.1.2	2009.02.02	-
PCTools	4.4.2.0	2009.02.02	-
Prevx1	V2	2009.02.02	-
Rising	21.14.61.00	2009.02.01	Trojan.Clicker.Win32.Undef.gj
SecureWeb-Gateway	6.7.6	2009.02.02	-
Sophos	4.38.0	2009.02.02	Troj/FakeAle-LE
Sunbelt	3.2.1835.2	2009.01.16	-
Symantec	10	2009.02.02	-
TheHacker	6.3.1.5.243	2009.02.02	-
TrendMicro	8.700.0.1004	2009.02.02	-
VBA32	3.12.8.12	2009.02.01	Malware-Cryptor.Win32.Stit
ViRobot	2009.2.2.1585	2009.02.02	-
VirusBuster	4.5.11.0	2009.02.02	-

추가 정보
File size: 535040 bytes
MD5...: 14ef7a28a664271c092fe8a5202cc3fe
SHA1..: c5ff7692e12a35bdee9865ff72ddae46e790c46c
SHA256: f8de04146463a946c5d9dd78dd6770982b4e5cd1336207547b4b6ed84bff4944
SHA512: 7fd9f30a610a0e25c71709a0dd8398de68e2828917c5ed49eb4fb45e25db3357 fb9cdc70db50b424b5978d597380324fecca57f23db882319c2e9b07f08306c1
ssdeep: 12288:cBER/bkFchYHcC49QdfRkP9qmCVRUCuU5Xw0dljr06RNJ2k8:cBER/bkaQ 4gRCEVuU5jr06RY
PEiD..: -
TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.2%) Clipper DOS Executable (9.1%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%)
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x1007 timedatestamp.....: 0x461110d4 (Mon Apr 02 14:19:00 2007) machinetype.......: 0x14c (I386) ( 2 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xe000 0xd200 7.99 1278f356611a1d8344c77d6288187a84 .data 0xf000 0x17000 0x600 4.65 bc03a809dbd56a18b7777b71dce1ad68 ( 4 imports ) > KERNEL32.DLL: lstrlenA, GetProcAddress, ReadConsoleOutputCharacterA, GetPrivateProfileSectionW, GetModuleHandleA, GetCommandLineA, ExitProcess, Module32First, CreateMutexW, SetComputerNameA, ResetWriteWatch, TerminateThread, ExpandEnvironmentStringsW, GetProcessAffinityMask, LocalCompact, GetCommState, ReadFileEx, InterlockedDecrement > USER32.DLL: SetDeskWallpaper, DlgDirListW, SetMessageExtraInfo, EnableScrollBar, EditWndProc, CreateAcceleratorTableA, SetRect, GetCaretBlinkTime, CallNextHookEx > GDI32.DLL: GetObjectType, GetTextExtentExPointW, SelectObject, SetWindowOrgEx, FillPath, ResizePalette, GetObjectA, GetROP2, SetTextAlign, OffsetWindowOrgEx, PtInRegion > ADVAPI32.DLL: SetServiceObjectSecurity, RegisterServiceCtrlHandlerW, InitializeSecurityDescriptor, SetNamedSecurityInfoW, RegSetValueA, CryptDecrypt, BuildExplicitAccessWithNameW, CryptHashData, CryptSignHashW, CryptDeriveKey, CryptAcquireContextA, GetAce, RegLoadKeyW, GetAuditedPermissionsFromAclW, CryptCreateHash, LookupPrivilegeDisplayNameW, CryptDuplicateKey, AbortSystemShutdownA ( 0 exports )

twext.exe 를 생성하는 또 다른 말웨어 보기

2009/01/31 - [Malwares 분석] - svchost.exe

svchost.exe 제거시 알아야 할 사항 .

2009/01/31 - [유용한 팁들] - svchost.exe의 정상 경로

알려진 레지스트리 값으로 키 및 값 제거하는.reg 파일 만들기

2009/02/02 - [유용한 팁들] - 레지스트리 항목(.reg) 파일 사용법

삭제되지 않는 파일 삭제하기

2009/01/28 - [프로그램 리뷰/파일 강제 삭제 도구들] - fileassassin - 삭제안되는 파일 삭제하기 .

대처 방법은 아래처럼 하시면 됩니다 .

알려진 레지스트리 키를 제거하기 위한 .reg 파일을 만들어 등록하신 후
찾아진/알려진 말웨어 파일들을 fileassassin으로 제거 예약하시고 재부팅 하시면 됩니다 .

참고 - 찾아야 할 : 정상 경로가 아닌 svchost.exe
ldr.exe
알려진 : \WINDOWS\system32\twext.exe

Conference

ldr.exe가 생성한 twext.exe
File size: 535040 bytes
MD5...: 14ef7a28a664271c092fe8a5202cc3fe

svchost.exe가 생성한 twext.exe
File size: 343040 bytes
MD5...: c87860dfbb86a096b178ffe77ed07ee2

저작자표시 비영리 변경금지

'Malwares 분석' 카테고리의 다른 글

update.exe (0)	2009.02.15
load.exe (0)	2009.02.15
r.exe (2)	2009.02.14
twixz.exe (0)	2009.02.13
keygen.LimeWire.5.0.6.PRo.exe (0)	2009.02.06
loader.exe (0)	2009.02.05
rege.exe (0)	2009.02.05
svchost.exe (0)	2009.01.31

글벌레의 블로그

ldr.exe

'Malwares 분석' 카테고리의 다른 글

댓글

티스토리툴바

ldr.exe

'Malwares 분석' 카테고리의 다른 글

관련글

댓글

티스토리툴바