Trojanウイルスの解析例

チェックポイント
Check1
Check2
Check3 

Creates a new process PID=3848  BASE=0x00400000
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
RegOpenKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\Windows\CurrentVersion\Run 
DeleteFile
        Delete: C:\WINDOWS\java\apps\winjava.exe
DeleteFile
        Delete: C:\WINDOWS\java\apps\msiexec.exe
DeleteFile
        Delete: C:\WINDOWS\System32\svchosts.exe
CopyFile
        Exist: C:\sample_virus2.exe
        New: C:\WINDOWS\java\apps\winjava.exe   
Creates a new process PID=3516  BASE=0x00400000
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x000000b8
        Value: Directory
RegSetValueEx
        hKey: 0x000000b8
        Value: Paths
RegSetValueEx
        hKey: 0x000000bc
        Value: CachePath
RegSetValueEx
        hKey: 0x000000c0
        Value: CachePath
RegSetValueEx
        hKey: 0x000000c4
        Value: CachePath
RegSetValueEx
        hKey: 0x000000c8
        Value: CachePath
RegSetValueEx
        hKey: 0x000000bc
        Value: CacheLimit
RegSetValueEx
        hKey: 0x000000c0
        Value: CacheLimit
RegSetValueEx
        hKey: 0x000000c4
        Value: CacheLimit
RegSetValueEx
        hKey: 0x000000c8
        Value: CacheLimit
CreateFile
        File: C:\Documents and Settings\ktabei\Local Settings\Temporary Internet Files\Content.IE5\index.dat
        mode: GENERIC_WRITE
CreateFile
        File: C:\Documents and Settings\ktabei\Local Settings\Temporary Internet
 Files\Content.IE5\index.dat
        mode: GENERIC_WRITE
TerminateProcess
CreateFile
        File: C:\Documents and Settings\ktabei\Cookies\index.dat
        mode: GENERIC_WRITE
CreateFile
        File: C:\Documents and Settings\ktabei\Cookies\index.dat
        mode: GENERIC_WRITE
ExitProcess pid=3848
CreateFile
        File: C:\Documents and Settings\ktabei\Local Settings\History\History.IE5\index.dat
        mode: GENERIC_WRITE
CreateFile
        File: C:\Documents and Settings\ktabei\Local Settings\History\History.IE5\index.dat
        mode: GENERIC_WRITE
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\Tracing
OpenSCManager
        Machine:
OpenService
        Service: RASMAN
OpenSCManager
        Machine:
RegCreateKeyEx
        hKey: 0x00000140
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000144
        Value: MigrateProxy
RegCreateKeyEx
        hKey: 0x00000140
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegCreateKeyEx
        hKey: 0x00000140
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegCreateKeyEx
        hKey: 0x00000140
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000144
        Value: ProxyEnable
RegCreateKeyEx
        hKey: 0x80000005
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000148
        Value: ProxyEnable
RegCreateKeyEx
        hKey: 0x00000140
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegCreateKeyEx
        hKey: 0x00000140
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
RegSetValueEx
        hKey: 0x00000150
        Value: SavedLegacySettings
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000150
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000150
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000150
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000148
        Value: LoginSessionDisable
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000148
        Value: DisableConnectionQuery
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000148
        Value: LoginSessionDisable
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000148
        Value: DisableConnectionQuery
gethostbyname
        host: www.geocities.com			
CreateFileA
        File: C:\WINDOWS\System32\drivers\etc\protocol
        mode: GENERIC_READ
CreateFileA
        File: C:\WINDOWS\System32\drivers\etc\services
        mode: GENERIC_READ
connect
        0.0.0.0 Port: 80

RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000154
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000154
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x00000154
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000154
        Value: LoginSessionDisable
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000154
        Value: DisableConnectionQuery
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000154
        Value: LoginSessionDisable
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x00000154
        Value: DisableConnectionQuery
gethostbyname
        host: www.geocities.com

CreateFile
        File: C:\WINDOWS\System32\drivers\etc\protocol
        mode: GENERIC_READ
CreateFile
        File: C:\WINDOWS\System32\drivers\etc\services
        mode: GENERIC_READ
connect
        0.0.0.0 Port: 80

RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x000000b4
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x000000b4
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\windows\CurrentVersion\Internet Settings
RegSetValueEx
        hKey: 0x000000b4
        Value: EnableAutodial
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x000000b4
        Value: LoginSessionDisable
RegCreateKeyEx
        hKey: HKEY_CURRENT_USER
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x000000b4
        Value: DisableConnectionQuery
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x000000b4
        Value: LoginSessionDisable
RegCreateKeyEx
        hKey: HKEY_LOCAL_MACHINE
        subKey: Software\Microsoft\RAS Autodial\Control
RegSetValueEx
        hKey: 0x000000b4
        Value: DisableConnectionQuery
gethostbyname
        host: www.geocities.com