Backdoor.Win32.DEVILSHADOW.THEAABO
Trojan.Win32.Scar.sydj (KASPERSKY)
Windows
恶意软件类型:
Backdoor
有破坏性?:
没有
加密?:
没有
In the Wild:
是的
概要
它以其他恶意软件释放的文件或用户访问恶意网站时不知不觉下载的文件的形式到达系统。
它执行远程恶意用户的命令,有效地攻击受感染的系统。 它连接到网站,发送和接收信息。
技术详细信息
新病毒详细信息
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
安装
它植入下列文件:
- %User Temp%\pyclient.cmd → Detected as Backdoor.BAT.DEVILSHADOW.THEAABO
- %User Temp%\cmd_shell.exe → Detected as Trojan.Win32.DEVILSHADOW.THEAABO
- %User Profile%\boot-startup.vbs → Detected as Trojan.BAT.DEVILSHADOW.THEAABO
- %User Profile%\new_script.txt → Detected as Trojan.JS.DEVILSHADOW.THEAABO
- %User Profile%\shell.bat → Detected as Trojan.BAT.DEVILSHADOW.THEAABO
- %User Temp%\zoom.exe → Legitimate Zoom Installer
- %User Profile%\node.exe → Legitimate node.exe
- %System Root%\botnet\client_id_file → contains generated_id
- %System Root%\botnet\bot_id_{Generated ID} {Hostname} {IP Address} {Client} → Client Identifier
- %System Root%\botnet\botnet_start.vbs
- %System Root%\botnet\wget.js
- %System Root%\botnet\pyclient.cmd → Copy of the one in %User Temp%
- %System Root%\botnet\scexec-win32.exe
- %System Root%\botnet\scexec-win64.exe
- %System Root%\botnet\Rar.exe
- %System Root%\botnet\K7firewall.exe
- %System Root%\botnet\unzip.exe
- %System Root%\botnet\webcam.exe
- %System Root%\botnet\execute.vbs
- %User Temp%\av → contains result of Anti-Virus Query
它添加下列进程:
- %System%\cmd.exe /c %User Temp%\pyclient.cmd
- %System%\cmd.exe /c %User Temp%\cmd_shell.exe
- %System%\cmd.exe /c %User Temp%\zoom.exe
- %System%\cmd.exe /c cd %userprofile% & attrib +s +h +a *.vbs & attrib +s +h +a *.bat & reg add Hkey_CURRENT_USER\software\microsoft\windows\currentversion\run /v bootstartup /t reg_sz /d %userprofile%\boot-startup.vbs /f & shell.bat
- %System%\cmd.exe /c "Tasklist /FI WINDOWTITLE eq D3ViL ShaDow"
- %System%\cmd.exe /c "Tasklist /FI WINDOWTITLE eq Administrator: D3ViL ShaDow"
- %System%\cmd.exe attrib +s +h +a %System Root%\botnet
- %System%\cmd.exe copy /y %User Temp%\pyclient.cmd %System Root%\botnet\pyclient.cmd
- %System%\cmd.exe reg add hkcu\software\microsoft\windows\currentversion\run /v botnet /t reg_sz /d C:\botnet\botnet_start.vbs /f
- %System%\cmd.exe ping www.google.com -n 1
- %System&\cmd.exe unzip.exe -ox python_client.zip
- %System%\cmd.exe %System%\WScript.exe %System Root%\botnet\botnet_start.vbs
- %System%\cmd.exe copy /y %System%\cmd.exe %Public%\explorer.exe
- %System%\cmd.exe %User Profile%\node.exe new_script.txt
- %Public%\explorer.exe
- %System&\cmd.exe wmic /namespace:\root\securitycemter2 path antivirusproduct GET displayName, productState, pathToSignedProductExe
它创建下列文件夹:
- %System Root%\botnet
(注意: %System Root% 是根文件夹,通常位于 C:\。它也是操作系统所在的位置。)
自启动技术
它添加下列注册表项,在系统每次启动时自行执行:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
bootstartup = %User Profile%\boot-startup.vbs
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
botnet = %System Root%\botnet\botnet_start.vbs
后门例程
它执行远程恶意用户的下列命令:
- Update/Reset/Terminate Client (Self)
- Load Client Modules (Self)
- Log Keystrokes
- Take Screenshots
- Record Desktop
- Operate Webcam
- Operate CMD
- Install Programming Languages
- Download/Upload/Execute Files
- Install and Operate Ngrok
- Install and Operate WinVNC
- List and Modify AutoStart Registries
- List, Add and Start Scheduled Tasks
- Check and Elevate User Privileges
- Execute Shellcode and Scripts
- Harvest the Following Information:
- Process List
- Drive List
- Directories and Files List
- System Info
- Startup Items
- AntiVirus Info
- Locally Stored Credentials
它连接到下列网站,发送和接收信息:
- https://hosting303.{BLOCKED}hostapp.com
- madleets.{BLOCKED}s.net:4444
下载例程
它访问下列网站下载文件:
- https://raw.{BLOCKED}usercontent.com/DevilBot000/Tools/master/unzip.exe → %System Root%\botnet\unzip.exe
- https://raw.{BLOCKED}usercontent.com/DevilBot000/Tools/master/python_client.zip → %System Root%\botnet\python_client.zip
解决方案
Step 1
对于Windows ME和XP用户,在扫描前,请确认已禁用系统还原功能,才可全面扫描计算机。
Step 2
请注意,在执行此恶意软件/间谍软件/灰色软件期间,并非所有文件、文件夹、注册表项和条目都安装在您的计算机上。这可能是由于安装不完整或其他操作系统条件造成的。如果找不到相同的文件/文件夹/注册表信息,请继续下一步。
Step 3
确定和终止Backdoor.Win32.DEVILSHADOW.THEAABO检测到的文件
Step 4
删除该注册表值
注意事项:错误编辑Windows注册表会导致不可挽回的系统故障。只有在您掌握后或在系统管理员的帮助下才能完成这步。或者,请先阅读Microsoft文章,然后再修改计算机注册表。
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- bootstartup = %User Profile%\boot-startup.vbs
- bootstartup = %User Profile%\boot-startup.vbs
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- botnet = %System Root%\botnet\botnet_start.vbs
- botnet = %System Root%\botnet\botnet_start.vbs
Step 5
搜索和删除这些文件夹
- %System Root%\botnet
Step 6
搜索和删除该文件
- %User Profile%\node.exe
- %System Root%\botnet\client_id_file
- %System Root%\botnet\bot_id_{Generated ID} {Hostname} {IP Address} {Client}%System Root%\botnet\botnet_start.vbs
- %System Root%\botnet\wget.js
- %System Root%\botnet\pyclient.cmd
- %System Root%\botnet\scexec-win32.exe
- %System Root%\botnet\scexec-win64.exe
- %System Root%\botnet\Rar.exe
- %System Root%\botnet\K7firewall.exe
- %System Root%\botnet\unzip.exe
- %System Root%\botnet\webcam.exe
- %System Root%\botnet\execute.vbs
Step 7
使用亚信安全产品扫描计算机,并删除检测到的Backdoor.Win32.DEVILSHADOW.THEAABO文件 如果检测到的文件已被亚信安全产品清除、删除或隔离,则无需采取进一步措施。可以选择直接删除隔离的文件。请参阅知识库页面了解详细信息。