Example analysis of a Backdoor virus
Checkpoints
Check1
Check2
Check3
Check4
Check5
Check6
Check7
Creates a new process PID=2964 BASE=0x00400000
RegCreateKeyEx
hKey: HKEY_CURRENT_USER
subKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
CreateFile
File: \.SICE
mode: GENERIC_WRITE
CreateFile
File: \.NTICE
mode: GENERIC_WRITE
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: SOFTWARE\EES\「スエ肓ウ免ヘ
RegSetValueEx
hKey: 0x00000088
Value: セコイ・
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
RegSetValueEx
hKey: 0x00000088
Value: Common Startup
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74}
RegSetValueEx
hKey: 0x00000088
Value: StubPath
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: Software\Microsoft\Active Setup\Installed Components\{9EC0745F-CAD3-628A-48E9-02B9AFEC8E74}
RegSetValueEx
hKey: 0x00000088
Value: StubPath
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: SOFTWARE\EES\「スエ肓ウ免ヘ
RegSetValueEx
hKey: 0x00000084
Value: ェ・
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: SOFTWARE\EES\「スエ肓ウ免ヘ
RegSetValueEx
hKey: 0x00000084
Value: 黒ム・
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: SOFTWARE\EES\「スエ肓ウ免ヘ
RegSetValueEx
hKey: 0x00000084
Value: 黒ム・
DeleteFile
Delete: C:\WINDOWS\java\apps\wsock32.exe
CopyFile
Exist: C:\sample_virus.exe
New: C:\WINDOWS\java\apps\wsock32.exe
Creates a new process PID=1996 BASE=0x00400000
RegCreateKeyEx
hKey: HKEY_CURRENT_USER
subKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
CreateFile
File: \.SICE
mode: GENERIC_WRITE
CreateFile
File: \.NTICE
mode: GENERIC_WRITE
CreateFile
File: \.SICE
mode: GENERIC_WRITE
CreateFile
File: \.NTICE
mode: GENERIC_WRITE
TerminateProcess
ExitProcess pid=2964
OpenSCManager
Machine:
OpenService
Service: SmcService
OpenSCManager
Machine:
OpenService
Service: BlackICE
OpenSCManager
Machine:
OpenService
Service: PersFw
OpenSCManager
Machine:
OpenServiceA
Service: McAfee Firewall
OpenSCManager
Machine:
OpenService
Service: OutpostFirewall
OpenSCManager
Machine:
OpenService
Service: NWService
OpenSCManager
Machine:
OpenService
Service: alerter
OpenSCManager
Machine:
OpenService
Service: sharedaccess
OpenSCManager
Machine:
OpenService
Service: NISUM
OpenSCManager
Machine:
OpenService
Service: NISSERV
OpenSCManager
Machine:
OpenService
Service: vsmon
OpenSCManager
Machine:
OpenService
Service: srservice
OpenSCManager
Machine:
OpenService
Service: navapsvc
OpenSCManager
Machine:
OpenService
Service: NProtectService
OpenSCManager
Machine:
OpenService
Service: Norton AntiVirus Server
OpenSCManager
Machine:
OpenService
Service: VexiraAntivirus
OpenSCManager
Machine:
OpenService
Service: dvpinit
OpenSCManager
Machine:
OpenService
Service: dvpapi
OpenSCManager
Machine:
OpenService
Service: schscnt
OpenSCManager
Machine:
OpenService
Service: BackWeb Client - 7681197
OpenSCManager
Machine:
OpenService
Service: F-Secure Gatekeeper Handler Starter
OpenSCManager
Machine:
OpenService
Service: F-Secure Network Request Broker
OpenSCManager
Machine:
OpenService
Service: FSMA
OpenSCManager
Machine:
OpenService
Service: AVPCC
OpenSCManager
Machine:
OpenService
Service: KAVMonitorService
OpenSCManager
Machine:
OpenService
Service: Norman NJeeves
OpenSCManager
Machine:
OpenService
Service: NVCScheduler
OpenSCManager
Machine:
OpenService
Service: nvcoas
CreateFile
File: C:\WINDOWS\System32\drivers\etc\protocol
mode: GENERIC_READ
CreateFile
File: C:\WINDOWS\System32\drivers\etc\services
mode: GENERIC_READ
listen
SERVER Port : 1063
OpenSCManager
Machine:
OpenService
Service: Norman ZANDA
OpenSCManager
Machine:
OpenService
Service: PAVSRV
OpenSCManager
Machine:
OpenService
Service: SweepNet
OpenSCManager
Machine:
OpenService
Service: SWEEPSRV.SYS
OpenSCManager
Machine:
OpenService
Service: NOD32ControlCenter
OpenSCManager
Machine:
OpenService
Service: NOD32Service
OpenSCManager
Machine:
OpenService
Service: PCCPFW
OpenSCManager
Machine:
OpenService
Service: Tmntsrv
OpenSCManager
Machine:
OpenService
Service: AvxIni
OpenSCManager
Machine:
OpenService
Service: XCOMM
OpenSCManager
Machine:
OpenService
Service: ravmon8
OpenSCManager
Machine:
OpenService
Service: AvSynMgr
OpenSCManager
Machine:
OpenService
Service: McShield
DeleteFile
Delete: C:\WINDOWS\ra_slave.log
DeleteFile
Delete: c:\ra_slave.log
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
hKey: 0x000000b0
Value: EnableAutodial
RegSetValueEx
hKey: 0x0000010c
Value: Directory
RegSetValueEx
hKey: 0x0000010c
Value: Paths
RegSetValueEx
hKey: 0x00000110
Value: CachePath
RegSetValueEx
hKey: 0x00000114
Value: CachePath
RegSetValueEx
hKey: 0x00000118
Value: CachePath
RegSetValueEx
hKey: 0x0000011c
Value: CachePath
RegSetValueEx
hKey: 0x00000110
Value: CacheLimit
RegSetValueEx
hKey: 0x00000114
Value: CacheLimit
RegSetValueEx
hKey: 0x00000118
Value: CacheLimit
RegSetValueEx
hKey: 0x0000011c
Value: CacheLimit
CreateFile
File: C:\Documents and Settings\ktabei\Local Settings\Temporary Internet Files\Content.IE5\index.dat
mode: GENERIC_WRITE
CreateFile
File: C:\Documents and Settings\ktabei\Local Settings\Temporary Internet Files\Content.IE5\index.dat
mode: GENERIC_WRITE
CreateFile
File: C:\Documents and Settings\ktabei\Cookies\index.dat
mode: GENERIC_WRITE
CreateFile
File: C:\Documents and Settings\ktabei\Cookies\index.dat
mode: GENERIC_WRITE
CreateFile
File: C:\Documents and Settings\ktabei\Local Settings\History\History.IE5\index.dat
mode: GENERIC_WRITE
CreateFile
File: C:\Documents and Settings\ktabei\Local Settings\History\History.IE5\index.dat
mode: GENERIC_WRITE
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: Software\Microsoft\Tracing
OpenSCManager
Machine:
OpenService
Service: RASMAN
OpenSCManager
Machine:
RegCreateKeyEx
hKey: 0x00000190
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
hKey: 0x00000194
Value: MigrateProxy
RegCreateKeyEx
hKey: 0x00000190
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegCreateKeyEx
hKey: 0x00000190
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegCreateKeyEx
hKey: 0x00000190
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
hKey: 0x00000194
Value: ProxyEnable
RegCreateKeyEx
hKey: 0x80000005
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
hKey: 0x00000198
Value: ProxyEnable
RegCreateKeyEx
hKey: 0x00000190
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegCreateKeyEx
hKey: 0x00000190
subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegSetValueEx
hKey: 0x000001a0
Value: SavedLegacySettings
gethostbyname
host: www.geocities.com
CreateFile
File: C:\WINDOWS\System32\drivers\etc\protocol
mode: GENERIC_READ
CreateFile
File: C:\WINDOWS\System32\drivers\etc\services
mode: GENERIC_READ
connect
0.0.0.0 Port: 80
gethostbyname
host: tp:
CreateFileA
File: C:\WINDOWS\System32\drivers\etc\protocol
mode: GENERIC_READ
CreateFileA
File: C:\WINDOWS\System32\drivers\etc\services
mode: GENERIC_READ
connect
0.0.0.0 Port: 80
gethostbyname
host: web.icq.com
CreateFileA
File: C:\WINDOWS\System32\drivers\etc\protocol
mode: GENERIC_READ
CreateFileA
File: C:\WINDOWS\System32\drivers\etc\services
mode: GENERIC_READ
connect
0.0.0.0 Port: 80
CreateFile
File: \.SICE
mode: GENERIC_WRITE
CreateFile
File: \.NTICE
mode: GENERIC_WRITE
OpenSCManager
Machine:
OpenService
Service: SmcService
OpenSCManager
Machine:
OpenService
Service: BlackICE
OpenSCManager
Machine:
OpenService
Service: PersFw
OpenSCManager
Machine:
OpenService
Service: McAfee Firewall
OpenSCManager
Machine:
OpenService
Service: OutpostFirewall
OpenSCManager
Machine:
OpenService
Service: NWService
OpenSCManager
Machine:
OpenService
Service: alerter
OpenSCManager
Machine:
OpenService
Service: sharedaccess
OpenSCManager
Machine:
OpenService
Service: NISUM
OpenSCManager
Machine:
OpenService
Service: NISSERV
OpenSCManager
Machine:
OpenService
Service: vsmon
OpenSCManager
Machine:
OpenService
Service: srservice
OpenSCManager
Machine:
OpenService
Service: navapsvc
OpenSCManager
Machine:
OpenService
Service: NProtectService
OpenSCManager
Machine:
OpenService
Service: Norton AntiVirus Server
OpenSCManager
Machine:
OpenService
Service: VexiraAntivirus
OpenSCManager
Machine:
OpenService
Service: dvpinit
OpenSCManager
Machine:
OpenService
Service: dvpapi
OpenSCManager
Machine:
OpenService
Service: schscnt
OpenSCManager
Machine:
OpenService
Service: BackWeb Client - 7681197
OpenSCManager
Machine:
OpenService
Service: F-Secure Gatekeeper Handler Starter
OpenSCManager
Machine:
OpenService
Service: F-Secure Network Request Broker
OpenSCManager
Machine:
OpenService
Service: FSMA
OpenSCManager
Machine:
OpenService
Service: AVPCC
OpenSCManager
Machine:
OpenService
Service: KAVMonitorService
OpenSCManager
Machine:
OpenService
Service: Norman NJeeves
OpenSCManager
Machine:
OpenService
Service: NVCScheduler
OpenSCManager
Machine:
OpenService
Service: nvcoas
OpenSCManager
Machine:
OpenService
Service: Norman ZANDA
OpenSCManager
Machine:
OpenService
Service: PAVSRV
OpenSCManager
Machine:
OpenService
Service: SweepNet
OpenSCManager
Machine:
OpenService
Service: SWEEPSRV.SYS
OpenSCManager
Machine:
OpenService
Service: NOD32ControlCenter
OpenSCManager
Machine:
OpenService
Service: NOD32Service
OpenSCManager
Machine:
OpenService
Service: PCCPFW
OpenSCManager
Machine:
OpenService
Service: Tmntsrv
OpenSCManager
Machine:
OpenService
Service: AvxIni
OpenSCManager
Machine:
OpenService
Service: XCOMM
OpenSCManager
Machine:
OpenService
Service: ravmon8
OpenSCManager
Machine:
OpenService
Service: AvSynMgr
OpenSCManager
Machine:
OpenService
Service: McShield
DeleteFile
Delete: C:\WINDOWS\ra_slave.log
DeleteFile
Delete: c:\ra_slave.log
RegCreateKeyEx
hKey: HKEY_LOCAL_MACHINE
subKey: SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
hKey: 0x000001a0
Value: EnableAutodial