BKDR_PLUGX.ZTBL-EC
Backdoor:Win32/Kriskynote.A (Microsoft), Backdoor:Win32/Kriskynote.B (Microsoft), Backdoor.Korplug.B (Symantec)
Windows
Malware type:
Backdoor
Destructive?:
No
Encrypted?:
Yes
In the Wild:
Yes
Overview
For a quick overall view of this backdoor, see the Threat Diagram below.
It executes commands from a remote malicious user, effectively compromising the affected system.
Technical Details
Installation
It drops the following files:
- %User Temp%\tmp2B.tmp - detected as BKDR_PLUGX.ZTBL-EC, executable image, will be deleted
- %User Temp%\tmp2C.tmp - will be used to replace the loader and deleted
- %User Temp%\tmp2D.tmp - detected as BKDR_PLUGX.ZTBL-EC, dll image, will be deleted
- %Application Data%\dat2E.tmp - will be deleted
- %Application Data%\dat2F.tmp - will be deleted
- %Application Data%\dat30.tmp - will be deleted
- %System%\NtUserEx.dat
- %System%\NtUserEx.dll
(Note: %User Temp% is the current user's Temp folder, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Application Data% is the current user's Application Data folder, usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %System% is the Windows system folder, usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\WINDOWS\system32 on Windows XP and Server 2003.)
It creates the following processes:
- rundll32.exe
- svchost.exe
It injects code into the following processes that it created:
- rundll32.exe
- svchost.exe
Autostart Technique
It registers its dropped component as a system service so that it runs automatically at every system startup. It does this by creating the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
ImagePath = "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
DisplayName = "automaticallydevice"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
Description = "Monitoring of hardwares and automatically updates the device drivers"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
Type = "32"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
ServiceDll = "%System%\NtUserEx.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
ServiceMain = sqlite3_aggregate_num
It registers its dropped component as a system service so that it runs automatically at every system startup. It does this by creating the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
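As an added defensive example (not part of this encyclopedia entry), the following Python parses a `reg export`-style dump of the Services hive and flags any service whose values match the persistence indicators listed above: a DisplayName of "automaticallydevice", a Parameters\ServiceDll pointing at NtUserEx.dll, or a ServiceMain of sqlite3_aggregate_num. The sample dump and the service name hwupd are constructed for the example.

```python
# Constructed .reg-style export (not from the page); service name "hwupd" is invented.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="Background Intelligent Transfer Service"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\qmgr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwupd]
"DisplayName"="automaticallydevice"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hwupd\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\NtUserEx.dll"
"ServiceMain"="sqlite3_aggregate_num"
"""
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string and dword only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:  # .reg escapes backslashes as \\ inside string values
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_plugx_services(keys):
    """Return {service_name: [matched indicators]} for the persistence described above."""
    hits = {}
    for path, values in keys.items():
        name = path[len(SERVICES) + 1:]
        if not path.startswith(SERVICES + "\\") or "\\" in name:
            continue  # only top-level Services\{name} keys, not their subkeys
        params = keys.get(path + "\\Parameters", {})
        reasons = []
        if values.get("DisplayName", "").lower() == "automaticallydevice":
            reasons.append("DisplayName 'automaticallydevice'")
        if params.get("ServiceDll", "").lower().endswith("\\ntuserex.dll"):
            reasons.append("ServiceDll points to NtUserEx.dll")
        if params.get("ServiceMain") == "sqlite3_aggregate_num":
            reasons.append("ServiceMain 'sqlite3_aggregate_num'")
        if reasons:
            hits[name] = reasons
    return hits
```

On a live host, feed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` into `parse_reg` and review every service returned by `find_plugx_services`; the ServiceDll check also catches the DLL being placed under a path other than %System%.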
Backdoor Routine
It executes the following commands from a remote malicious user:
- Copy, move, rename, delete files
- Create directories
- Create files
- Enumerate files
- Execute files
- Get drive information
- Get file information
- Open and modify files
- Enumerate TCP and UDP connections
- Enumerate network resources
- Set TCP connection state
- Lock workstation
- Log off user
- Restart/Reboot/Shutdown system
- Display a message box
- Perform port mapping
- Enumerate processes
- Get process information
- Terminate processes
- Enumerate registry keys
- Create registry keys
- Delete registry keys
- Copy registry keys
- Enumerate registry entries
- Modify registry entries
- Delete registry values
- Screen capture
- Delete services
- Enumerate services
- Get service information
- Modify services
- Start services
- Perform remote shell
- Host Telnet server
- Connect to a database server and execute SQL statements
- Log keystrokes and active window
Solution
Step 1
For Windows ME and XP users, before doing any scans, make sure System Restore is disabled so that the computer can be scanned fully.
Step 3
Scan your computer with your AsiaInfo Security product and note the files detected as BKDR_PLUGX.ZTBL-EC.
Step 4
Restart in Safe Mode.
Step 5
Delete these registry values.
Important: Editing the Windows Registry incorrectly can lead to irrecoverable system malfunction. Do this step only if you know how, or with the help of your system administrator. Otherwise, read the Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
- ImagePath = "%SystemRoot%\System32\svchost.exe -k netsvcs"
- DisplayName = "automaticallydevice"
- Description = "Monitoring of hardwares and automatically updates the device drivers"
- Start = "2"
- Type = "32"
- ObjectName = "LocalSystem"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
- ServiceDll = "%System%\NtUserEx.dll"
- ServiceMain = sqlite3_aggregate_num
Step 6
Delete these registry keys.
Important: Editing the Windows Registry incorrectly can lead to irrecoverable system malfunction. Do this step only if you know how, or with the help of your system administrator. Otherwise, read the Microsoft article first before modifying your computer's registry.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{service name}
Step 7
Search for and delete these files.
- %System%\NtUserEx.dll
- %System%\NtUserEx.dat
Step 9
Restart in normal mode and scan your computer with your AsiaInfo Security product for files detected as BKDR_PLUGX.ZTBL-EC. If the detected files have already been cleaned, deleted, or quarantined by your AsiaInfo Security product, no further step is required. You may opt to simply delete the quarantined files. See the Knowledge Base page for more information.