Malware analysis

loader.exe

by 글벌레, 2009. 2. 5.

Test environment
Windows XP SP2 Professional.

loader.exe  File size: 68608 bytes
MD5: 6868efcdc10ebd4ebf344fc311ea6a5d
twex.exe  File size: 395776 bytes
MD5: 577285b393d6c3b95a2712c434e9df33

VirusTotal scan results for loader.exe

Scanned file: loader.exe  Submitted: 2009.02.04 19:39:10 (CET)
Antivirus  Version  Definition date  Result
a-squared 4.0.0.93 2009.02.04 Trojan-Spy.Win32.Zbot!IK
AhnLab-V3 5.0.0.2 2009.02.04 -
AntiVir 7.9.0.74 2009.02.04 TR/Spy.ZBot.ljm
Authentium 5.1.0.4 2009.02.04 -
Avast 4.8.1281.0 2009.02.03 Win32:Zbot-AZQ
AVG 8.0.0.229 2009.02.04 Dropper.Small.AQZ
BitDefender 7.2 2009.02.04 Backdoor.Bot.77738
CAT-QuickHeal 10.00 2009.02.04 -
ClamAV 0.94.1 2009.02.04 -
Comodo 964 2009.02.04 -
DrWeb 4.44.0.09170 2009.02.04 -
eSafe 7.0.17.0 2009.02.04 -
eTrust-Vet 31.6.6341 2009.02.04 -
F-Prot 4.4.4.56 2009.02.04 -
F-Secure 8.0.14470.0 2009.02.04 Trojan-Spy.Win32.Zbot.ljm
Fortinet 3.117.0.0 2009.02.04 Spy/Zbot
GData 19 2009.02.04 Backdoor.Bot.77738
Ikarus T3.1.1.45.0 2009.02.04 Trojan-Spy.Win32.Zbot
K7AntiVirus 7.10.618 2009.02.04 Trojan-Spy.Win32.Zbot.ljm
Kaspersky 7.0.0.125 2009.02.04 Trojan-Spy.Win32.Zbot.ljm
McAfee 5515 2009.02.03 Generic PWS.y
McAfee+Artemis 5515 2009.02.03 Generic PWS.y
Microsoft 1.4306 2009.02.04 PWS:Win32/Zbot.gen!R
NOD32 3826 2009.02.04 a variant of Win32/Kryptik.FH
Norman 6.00.02 2009.02.04 -
nProtect 2009.1.8.0 2009.02.04 -
Panda 9.5.1.2 2009.02.03 Trj/Sinowal.DW
PCTools 4.4.2.0 2009.02.03 -
Prevx1 V2 2009.02.04 Rootkit
Rising 21.15.20.00 2009.02.04 -
SecureWeb-Gateway 6.7.6 2009.02.04 Trojan.Spy.ZBot.ljm
Sophos 4.38.0 2009.02.04 Troj/ZbotPP-Fam
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.02.04 Infostealer.Banker.C
TheHacker 6.3.1.5.246 2009.02.04 Trojan/Spy.Zbot.ljm
TrendMicro 8.700.0.1004 2009.02.04 -
VBA32 3.12.8.12 2009.02.04 -
ViRobot 2009.2.4.1589 2009.02.04 Trojan.Win32.Zbot.68608.R
VirusBuster 4.5.11.0 2009.02.04 -
 
Additional information
File size: 68608 bytes
MD5...: 6868efcdc10ebd4ebf344fc311ea6a5d
SHA1..: 63b9920a18e91ac06135cba99cd98a9ba2b678b2
SHA256: 57307abd2aee051ef55ccf54618e2b4b651c4e6553b002adae9a36dd4472685e
SHA512: f593b813e0b3c830cf827b2a9a3894b3d41e05a0ce7d84af2a900e47cee45eeec9a3cfd5450060b7c0c02a7d66ab0eeb372184c445a0c2127cdfa0da3e25c14b
ssdeep: 1536:w9PdHOekQdtoLbkOQ7usiIwLyINsDeNWf/2dExZp7:w2ehdKL5Q1iIJ4saNY77
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4523
timedatestamp.....: 0x474753ed (Fri Nov 23 22:27:57 2007)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x105c0 0x10600 6.79 64494032688a018d522032e810fa50d2
.data 0x12000 0x4085 0x200 0.06 5be9daa2d59485f6ad55fcd674f72451

( 4 imports )
> SHLWAPI.dll: wvnsprintfW, PathFileExistsW, PathCombineW, StrStrW, StrCmpNIA, wnsprintfA, wvnsprintfA, PathMatchSpecW, SHDeleteKeyA, wnsprintfW, PathRemoveFileSpecW, PathFindFileNameW
> KERNEL32.dll: lstrcpynW, VirtualAlloc, HeapReAlloc, lstrcatA, GetTimeZoneInformation, VirtualProtect, lstrcmpiA, GetVersionExW, GetFileAttributesA, GetTickCount, CreateFileA, CreateEventW, EnterCriticalSection, HeapAlloc, GetSystemTime, GetFileTime, InitializeCriticalSection, Sleep, MultiByteToWideChar, ReleaseMutex
> ADVAPI32.dll: RegSetValueExA, RegEnumKeyExA, CryptGetHashParam, CryptReleaseContext, RegCreateKeyExA, GetUserNameW, RegCloseKey, CryptCreateHash, RegDeleteValueA, DuplicateTokenEx, CryptAcquireContextW, CryptDestroyHash, RegQueryValueExA
> USER32.dll: DispatchMessageA, FindWindowExA, SetThreadDesktop, GetCursorPos, ExitWindowsEx, OpenDesktopA, GetWindowTextA, GetKeyboardState, DrawIcon, CloseWindowStation, CharLowerBuffA, GetForegroundWindow, LoadCursorA, SendMessageA, PeekMessageA, SetProcessWindowStation, MsgWaitForMultipleObjects

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=39C4C64000BB7BA70CE10135092A6400CF94B7C9
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=6868efcdc10ebd4ebf344fc311ea6a5d
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=6868efcdc10ebd4ebf344fc311ea6a5d

VirusTotal scan results for twex.exe

Scanned file: twex.exe  Submitted: 2009.02.04 19:39:57 (CET)
Antivirus  Version  Definition date  Result
a-squared 4.0.0.93 2009.02.04 Trojan-Spy.Win32.Zbot.ljm!A2
AhnLab-V3 5.0.0.2 2009.02.04 -
AntiVir 7.9.0.74 2009.02.04 -
Authentium 5.1.0.4 2009.02.04 -
Avast 4.8.1281.0 2009.02.03 Win32:Zbot-AZQ
AVG 8.0.0.229 2009.02.04 Dropper.Small.AQZ
BitDefender 7.2 2009.02.04 Backdoor.Bot.77738
CAT-QuickHeal 10.00 2009.02.04 -
ClamAV 0.94.1 2009.02.04 -
Comodo 964 2009.02.04 -
DrWeb 4.44.0.09170 2009.02.04 -
eSafe 7.0.17.0 2009.02.04 -
eTrust-Vet 31.6.6341 2009.02.04 -
F-Prot 4.4.4.56 2009.02.04 -
F-Secure 8.0.14470.0 2009.02.04 -
Fortinet 3.117.0.0 2009.02.04 -
GData 19 2009.02.04 Backdoor.Bot.77738
Ikarus T3.1.1.45.0 2009.02.04 -
K7AntiVirus 7.10.618 2009.02.04 Trojan-Spy.Win32.Zbot.ljm
Kaspersky 7.0.0.125 2009.02.04 -
McAfee 5515 2009.02.03 -
McAfee+Artemis 5515 2009.02.03 -
Microsoft 1.4306 2009.02.04 PWS:Win32/Zbot.gen!R
NOD32 3826 2009.02.04 a variant of Win32/Kryptik.FH
Norman 6.00.02 2009.02.04 -
nProtect 2009.1.8.0 2009.02.04 -
Panda 9.5.1.2 2009.02.03 -
PCTools 4.4.2.0 2009.02.03 -
Prevx1 V2 2009.02.04 Rootkit
Rising 21.15.20.00 2009.02.04 -
SecureWeb-Gateway 6.7.6 2009.02.04 -
Sophos 4.38.0 2009.02.04 Troj/ZbotPP-Fam
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.02.04 Infostealer.Banker.C
TheHacker 6.3.1.5.246 2009.02.04 Trojan/Spy.Zbot.ljm
TrendMicro 8.700.0.1004 2009.02.04 -
VBA32 3.12.8.12 2009.02.04 -
ViRobot 2009.2.4.1589 2009.02.04 Trojan.Win32.Zbot.68608.R
VirusBuster 4.5.11.0 2009.02.04 -
 
Additional information
File size: 395776 bytes
MD5...: 577285b393d6c3b95a2712c434e9df33
SHA1..: 7ff19ec8ad915ebfd76318db8cbc684e345a4b41
SHA256: 231ad31a6ab4a07ca0510486dc981959e658ed8392a272c767f49bb95eb93151
SHA512: c76f79ee0fe09f61a8a5605657cde881b315cd95f03886b01c45ff06be9e6b992cd7422850f22b7162d5770fe63a19b1f234dc12446fb1754df14f2a16e2b1aa
ssdeep: 6144:w2qKL5JIJ5aNY77XMGba6Bz0RShZQzQF/idfdF7mZ1alpnhqpArFYyiy/obEK818:w2qQcpXbokZ76MClPO4Fay/oQV1P0
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4523
timedatestamp.....: 0x474753ed (Fri Nov 23 22:27:57 2007)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x105c0 0x10600 6.79 64494032688a018d522032e810fa50d2
.data 0x12000 0x4085 0x200 0.06 5be9daa2d59485f6ad55fcd674f72451

( 4 imports )
> SHLWAPI.dll: wvnsprintfW, PathFileExistsW, PathCombineW, StrStrW, StrCmpNIA, wnsprintfA, wvnsprintfA, PathMatchSpecW, SHDeleteKeyA, wnsprintfW, PathRemoveFileSpecW, PathFindFileNameW
> KERNEL32.dll: lstrcpynW, VirtualAlloc, HeapReAlloc, lstrcatA, GetTimeZoneInformation, VirtualProtect, lstrcmpiA, GetVersionExW, GetFileAttributesA, GetTickCount, CreateFileA, CreateEventW, EnterCriticalSection, HeapAlloc, GetSystemTime, GetFileTime, InitializeCriticalSection, Sleep, MultiByteToWideChar, ReleaseMutex
> ADVAPI32.dll: RegSetValueExA, RegEnumKeyExA, CryptGetHashParam, CryptReleaseContext, RegCreateKeyExA, GetUserNameW, RegCloseKey, CryptCreateHash, RegDeleteValueA, DuplicateTokenEx, CryptAcquireContextW, CryptDestroyHash, RegQueryValueExA
> USER32.dll: DispatchMessageA, FindWindowExA, SetThreadDesktop, GetCursorPos, ExitWindowsEx, OpenDesktopA, GetWindowTextA, GetKeyboardState, DrawIcon, CloseWindowStation, CharLowerBuffA, GetForegroundWindow, LoadCursorA, SendMessageA, PeekMessageA, SetProcessWindowStation, MsgWaitForMultipleObjects

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=39C4C64000BB7BA70AE10635092A64002AD63CFB

Changes caused by loader.exe
File changes

C:\WINDOWS\system32\twex.exe is created

Registry changes

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="C:\WINDOWS\system32\userinit.exe,"

The normal value above is changed to the following:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"

Registry changes caused by twex.exe
[HKEY_CURRENT_USER\software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\WINDOWS\system32\twex.exe"="twex"

How do you remove the malware using the registry and file information above?

2009/02/02 - [Useful tips] - How to use registry entry (.reg) files

2009/02/04 - [Useful tips] - Using movefile
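The Userinit persistence described above can be checked and undone with a small script. This is an added example, not code from the original post: it splits the Winlogon Userinit value into its entries, reports anything other than the stock userinit.exe path (the twex.exe entry in this case), and builds the .reg text that restores the normal value. The expected path and the sample value are the ones reported in the post; the live registry read is an optional extra that only works on Windows.

```python
"""Check the Winlogon Userinit value for appended entries (such as the
twex.exe path this loader adds) and build a .reg file that restores it.
Added example, not from the original post."""

USERINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# A stock XP install lists only userinit.exe; the trailing comma is normal.
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"


def userinit_entries(value):
    """Split the comma-separated value; the trailing comma yields an empty item we drop."""
    return [e.strip() for e in value.split(",") if e.strip()]


def unexpected_entries(value, expected=EXPECTED):
    """Every entry that is not the expected userinit.exe (Windows paths compare case-insensitively)."""
    return [e for e in userinit_entries(value) if e.lower() != expected.lower()]


def cleaned_userinit(value, expected=EXPECTED):
    """The value with foreign entries removed, keeping the normal trailing comma."""
    kept = [e for e in userinit_entries(value) if e.lower() == expected.lower()] or [expected]
    return ",".join(kept) + ","


def restore_reg_text(value, expected=EXPECTED):
    """A .reg file body that sets Userinit back to the cleaned value.
    Backslashes inside .reg string data must be doubled."""
    data = cleaned_userinit(value, expected).replace("\\", "\\\\")
    return 'Windows Registry Editor Version 5.00\n\n[%s]\n"Userinit"="%s"\n' % (USERINIT_KEY, data)


def read_live_userinit():
    """Read the live value on Windows; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = USERINIT_KEY.split("\\", 1)[1]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]


if __name__ == "__main__":
    live = read_live_userinit()
    # Constructed sample: the modified value the post reports, used when no live read is possible.
    sample = live if live is not None else r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,"
    print("unexpected entries:", unexpected_entries(sample))
    print(restore_reg_text(sample))
```

Import the generated .reg text with regedit only after twex.exe itself has been removed (the movefile post above covers that), otherwise the file can simply re-add itself at the next run.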
