
snpmw.dll

Encyclopedia 2023-02-28 13:53:05 admin

Virus name: snpmw.dll. Size: 385,024 bytes. Packer: none. Written in: Microsoft Visual C++ 6.0 (DLL). Fingerprint: SHA-160 (SHA-1), listed below.

  • Name: snpmw.dll
  • Type: computer virus
  • Size: 385,024 bytes
  • Written in: Microsoft Visual C++ 6.0 DLL

Computer virus overview

  Virus name: snpmw.dll

  Size: 385,024 bytes

  Packer: none

  Written in: Microsoft Visual C++ 6.0 DLL

Virus fingerprints

  SHA-160 (SHA-1) : 57642C013347E1FCD6590C188F7A612DC847357C

  MD5 : 056A372F5469FCB41721F6A952C9AAAD

  RIPEMD-160 : 29ED912E067ADA17AEE7CBBB2D1A134C0500D484

  CRC-32 : 2157E25C
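To check a suspect file against the fingerprints above, here is an added Python helper (not part of the original page). It computes SHA-1 (what the listing calls SHA-160), MD5 and CRC-32 in the listing's upper-case hex notation and compares them, together with the file size, against the published values. The constant and function names are this example's own, and the probe input is a constructed byte string, not the malware.

```python
import hashlib
import zlib

# Fingerprints published on this page for snpmw.dll ("SHA-160" is SHA-1).
# RIPEMD-160 is left out: hashlib only offers it when OpenSSL's legacy provider is loaded.
KNOWN_SAMPLE = {
    "size": 385024,
    "sha1": "57642C013347E1FCD6590C188F7A612DC847357C",
    "md5": "056A372F5469FCB41721F6A952C9AAAD",
    "crc32": "2157E25C",
}


def fingerprint(data: bytes) -> dict:
    """Size plus SHA-1, MD5 and CRC-32 of data, in the listing's upper-case hex notation."""
    return {
        "size": len(data),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "md5": hashlib.md5(data).hexdigest().upper(),
        # zlib.crc32 returns an unsigned 32-bit value in Python 3; pad to 8 hex digits.
        "crc32": f"{zlib.crc32(data):08X}",
    }


def matches_known_sample(data: bytes, known: dict = KNOWN_SAMPLE) -> bool:
    """True only if the size and all three digests agree with the published values.

    The size check is a cheap pre-filter; SHA-1 is the deciding digest. MD5 and CRC-32
    are too weak to identify a file on their own but must still agree for the same bytes.
    """
    if len(data) != known["size"]:
        return False
    fp = fingerprint(data)
    return all(fp[k] == known[k].upper() for k in ("sha1", "md5", "crc32"))


def fingerprint_file(path: str) -> dict:
    """Hash a file on disk; a 385 KB sample fits in memory, so no chunked reading is needed."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read())


if __name__ == "__main__":
    probe = b"abc"  # constructed input for demonstration, not the malware
    print(fingerprint(probe), matches_known_sample(probe))
```

The size pre-filter lets a directory sweep skip hashing almost every file; only a 385,024-byte file is worth hashing, and only a SHA-1 match is conclusive.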

  Once this DLL is installed on the system, it automatically downloads:

  .data:1000D228 off_1000D228 dd offset s_HttpDownload_ ; DATA XREF: sub_10001F9E+8B r

  .data:1000D228 ;

  It downloads 'cdnprot.dat' / 'cdnprot.vxd' / 'cdnprot.sys' / 'cdntran.dat' / 'cdntran.vxd' / 'cdntran.sys' into the %systemroot%\system32\drivers\ directory, downloads 'cdnns.dll' / 'cdn.dll' into %systemroot%\system32\, and downloads snpmw.cab into %systemroot%\system32\, where it is unpacked and executed:

  .data:1000C120 s_Cdn_dll db 'cdn.dll',0 ; DATA XREF: sub_10001000+18E o

  .data:1000C120 ; .data:1000C108 o

  .data:1000C128 s_DriversCdnp_1 db 'drivers\cdnprot.dat',0 ; DATA XREF: .data:1000C104 o

  .data:1000C13C s_DriversCdnp_0 db 'drivers\cdnprot.vxd',0 ; DATA XREF: .data:1000C100 o

  .data:1000C13C ; .data:1000C114 o

  .data:1000C150 s_DriversCdnpro db 'drivers\cdnprot.sys',0 ; DATA XREF: .data:1000C0FC o

  .data:1000C150 ; .data:1000C110 o

  .data:1000C164 s_DriversCdnt_1 db 'drivers\cdntran.dat',0 ; DATA XREF: .data:1000C0F8 o

  .data:1000C178 s_Cdnns_dll db 'cdnns.dll',0 ; DATA XREF: .data:1000C0F4 o

  .data:1000C178 ; .data:1000C10C o

  .data:1000C182 align 4

  .data:1000C184 s_DriversCdnt_0 db 'drivers\cdntran.vxd',0 ; DATA XREF: .data:1000C0F0 o

  .data:1000C184 ; .data:1000C11C o

  .data:1000C198 s_DriversCdntra db 'drivers\cdntran.sys',0 ; DATA XREF: .data:off_1000C0EC o

  .data:1000D230 ; "wmpns.dll"

  .data:1000D234 ; "snpmw.dll"

  .data:1000D238 ; "wmpns.ini"

  .data:1000D23C ; LPCSTR lpszFile

  .data:1000D23C lpszFile dd offset s_Wmpns_cab ; DATA XREF: sub_10001ED8+33 r

  .data:1000D23C ; "wmpns.cab"
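The string dumps on this page are IDA Pro .data listings. The following Python parser is an added example, not part of the original analysis: it pulls each db '...' string and each ; "..." comment string out of such a listing and sorts them into indicator categories (registry keys, dropped files, format strings, the embedded source path and hosts-file domains). The regular expressions, the category names and the sample listing (a handful of lines copied from this page) are this example's own constructions.

```python
import re

# One `db` string definition as IDA prints it, e.g.
#   .data:1000C128 s_DriversCdnp_1 db 'drivers\cdnprot.dat',0 ; DATA XREF: .data:1000C104 o
DB_RE = re.compile(r"^\.(?:data|rdata):(?P<addr>[0-9A-Fa-f]+)\s+(?P<name>\w+)\s+db\s+'(?P<s>[^']*)'")
# A string IDA only shows as a comment beside a pointer, e.g.  .data:1000D230 ; "wmpns.dll"
COMMENT_RE = re.compile(r'^\.(?:data|rdata):(?P<addr>[0-9A-Fa-f]+)\s+;\s+"(?P<s>[^"]*)"')


def classify(s: str) -> str:
    """Rough indicator category for one extracted string (category names are this example's)."""
    u = s.upper()
    # 'OFTWARE\...' shows up when the pointer IDA followed skips the leading 'S'.
    if u.startswith(("SOFTWARE\\", "OFTWARE\\", "SYSTEM\\")):
        return "registry"
    if "%S" in u:
        return "format"        # printf-style template, e.g. 'Rundll32 %s,Rundll32'
    if u.endswith(".CPP"):
        return "pdb_path"      # build-path leak, e.g. 'D:\20070423\EK\EK\EKWrap.cpp'
    if u.startswith(".") and u.endswith((".NET", ".COM")):
        return "domain"
    if "\\" in u or u.endswith((".DLL", ".SYS", ".VXD", ".DAT", ".CAB", ".INI")):
        return "file"
    return "other"


def extract_strings(listing: str) -> list:
    """Return (address, label, category, string) for every string in an IDA .data dump."""
    out = []
    for line in listing.splitlines():
        line = line.strip()
        m = DB_RE.match(line) or COMMENT_RE.match(line)
        if not m:
            continue          # dd offset / align / bare xref lines carry no string
        s = m.group("s")
        if not s:
            continue
        label = m.groupdict().get("name") or ""
        out.append((m.group("addr").upper(), label, classify(s), s))
    return out


def iocs_by_category(listing: str) -> dict:
    """Unique strings per category, sorted, so repeats like 'SOFTWARE\\Classes\\CLSID\\' count once."""
    cats = {}
    for _, _, cat, s in extract_strings(listing):
        cats.setdefault(cat, set()).add(s)
    return {cat: sorted(v) for cat, v in sorted(cats.items())}


# Constructed sample: a few listing lines copied from this page.
SAMPLE_LISTING = r"""
.data:1000C120 s_Cdn_dll db 'cdn.dll',0 ; DATA XREF: sub_10001000+18E o
.data:1000C128 s_DriversCdnp_1 db 'drivers\cdnprot.dat',0 ; DATA XREF: .data:1000C104 o
.data:1000C1AC s_SystemCurre_3 db 'SYSTEM\CurrentControlSet\Services\cdntran',0
.data:1000C294 s_SoftwareMi_32 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CdnCtr',0
.data:1000C6CC s_SoftwareCla_5 db 'SOFTWARE\Classes\CLSID\',0
.data:1000C70C s_SoftwareCla_4 db 'SOFTWARE\Classes\CLSID\',0
.data:1000CF08 s_Rundll32SRund db 'Rundll32 %s,Rundll32',0 ; DATA XREF: DllMain(x,x,x)+DB o
.data:1000D230 ; "wmpns.dll"
.data:1000D23C lpszFile dd offset s_Wmpns_cab ; DATA XREF: sub_10001ED8+33 r
.data:1000D308 s_D20070423EkEk db 'D:\20070423\EK\EK\EKWrap.cpp',0
.data:1000F34E align 10h
.data:1000F36C s__3721_net db '.3721.net',0 ; DATA XREF: sub_100057C4:loc_100058DA o
.data:1000F5AC s_DriversAnfad_ db '\drivers\Anfad.sys',0 ; DATA XREF: sub_10005B0D+10A o
"""

if __name__ == "__main__":
    for cat, strings in iocs_by_category(SAMPLE_LISTING).items():
        print(cat, strings)
```

Feeding the parser the whole listing on this page yields the indicator table in one pass; the per-category sets are what would go into a file-system sweep, a registry check and a hosts-file check.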

  Writes the registry to register the services and an IE hook (a Browser Helper Object);

  .data:1000C1AC s_SystemCurre_3 db 'SYSTEM\CurrentControlSet\Services\cdntran',0

  .data:1000C1D8 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\cdnprot',0

  .data:1000C294 s_SoftwareMi_32 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CdnCtr',0

  .data:1000C2CC s_SoftwareMi_31 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\',0

  .data:1000C340 s_SoftwareMi_30 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{B53D42E8-872B-430E-82D4'

  .data:1000C3AC s_SoftwareMi_29 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\CdnClient',0

  .data:1000C3F8 s_SoftwareMi_28 db 'SOFTWARE\Microsoft\Internet Explorer\Extensions\',0

  .data:1000C450 s_OftwareMicros db 'OFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CDNCLIENT',0

  .data:1000C490 s_SoftwareCnn_0 db 'SOFTWARE\CNNIC',0 ;

  .data:1000C4A0 s_SoftwareCl_14 db 'SOFTWARE\Classes\TypeLib\',0


  .data:1000C4E0 s_SoftwareCl_13 db 'SOFTWARE\Classes\TypeLib\',0


  .data:1000C520 s_SoftwareCl_12 db 'SOFTWARE\Classes\TypeLib\',0


  .data:1000C560 s_SoftwareCl_11 db 'SOFTWARE\Classes\Interface\',0


  .data:1000C5A4 s_SoftwareCl_10 db 'SOFTWARE\Classes\Interface\',0

  .data:1000C5E8 s_SoftwareCla_9 db 'SOFTWARE\Classes\Interface\',0

  .data:1000C62C s_SoftwareCla_8 db 'SOFTWARE\Classes\Interface\',0

  .data:1000C670 s_SoftwareCla_7 db 'SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj',0

  .data:1000C69C s_SoftwareCla_6 db 'SOFTWARE\Classes\CndnIEHelper.CndnIEHlprObj.1',0

  .data:1000C6CC s_SoftwareCla_5 db 'SOFTWARE\Classes\CLSID\',0

  .data:1000C70C s_SoftwareCla_4 db 'SOFTWARE\Classes\CLSID\',0

  .data:1000C74C s_SoftwareCla_3 db 'SOFTWARE\Classes\CLSID\',0

  .data:1000C78C s_SoftwareCla_2 db 'SOFTWARE\Classes\CLSID\',0

  .data:1000C7CC s_SoftwareCla_1 db 'SOFTWARE\Classes\Cdn.CdnObj',0

  .data:1000C7E8 s_SoftwareCla_0 db 'SOFTWARE\Classes\Cdn.CdnObj.1',0

  Invokes Rundll32 to execute the downloaded AutoLive.dll and writes the registry:

  .data:1000CFCC s_Sautoliveinst db '%sAutoLiveInst.cab',0 ; DATA XREF: ekfs+2C9 o

  .data:1000CF08 s_Rundll32SRund db 'Rundll32 %s,Rundll32',0 ; DATA XREF: DllMain(x,x,x)+DB o

  .data:1000CFB8 s_Sautolive_dll db '%sAutoLive.dll',0 ; DATA XREF: ekfs+329 o

  Adds a startup (Run key) entry for the rogue program:

  .data:1000D198 s_SoftwareMic_1 db 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',0

  .data:1000D18C s_Exfilter db 'ExFilter',0 ; DATA XREF: ekfs+5C o

  Suspected to be the latest 3721 rogue software, because the embedded source path carries the date 20070423:

  .data:1000D308 s_D20070423EkEk db 'D:\20070423\EK\EK\EKWrap.cpp',0

  Modifies the hosts file:

  .data:1000F348 s_Hosts db 'hosts',0 ; DATA XREF: sub_100056B5:loc_10005724 o

  .data:1000F34E align 10h

  .data:1000F350 s_System32Drive db 'system32\drivers\etc\hosts',0

  .data:1000F350 ; DATA XREF: sub_100056B5+68 o

  .data:1000F36B align 4

  .data:1000F36C ; char s__3721_net[]

  .data:1000F36C s__3721_net db '.3721.net',0 ; DATA XREF: sub_100057C4:loc_100058DA o

  .data:1000F376 align 4

  .data:1000F378 ; char s__3721_com[]

  .data:1000F378 s__3721_com db '.3721.com',0 ; DATA XREF: sub_100057C4:loc_100058B6 o

  Registers drivers:

  .data:1000F5AC s_DriversAnfad_ db '\drivers\Anfad.sys',0 ; DATA XREF: sub_10005B0D+10A o

  .data:1000F5BF align 10h

  .data:1000F5C0 ; char s_SystemCurre_2[]

  .data:1000F5C0 s_SystemCurre_2 db 'SYSTEM\CurrentControlSet\Services\Anfad',0

  .data:1000F5C0 ; DATA XREF: sub_10005B0D+DB o

  .data:1000F5E8 ; char s_DriversHcalwa[]

  .data:1000F5E8 s_DriversHcalwa db '\drivers\hcalway.sys',0 ; DATA XREF: sub_10005B0D+96 o

  .data:1000F5FD align 10h

  .data:1000F600 ; char s_SystemCurre_1[]

  .data:1000F600 s_SystemCurre_1 db 'SYSTEM\CurrentControlSet\Services\hcalway',0

  .data:1000F600 ; DATA XREF: sub_10005B0D+50 o

  .data:1000F62A align 4

  .data:1000F62C ; char s_DriversFad_sy[]

  .data:1000F62C s_DriversFad_sy db '\drivers\fad.sys',0 ; DATA XREF: sub_1000610D+CB o

  .data:1000F63D align 10h

  .data:1000F640 ; char s_SystemCurre_0[]

  .data:1000F640 s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Services\FAD',0
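Taken together, the Rundll32, Run-key, hosts-file and driver-service passages above give a small set of host indicators. The following Python triage script is an added example, not from the original page: it checks a hosts file, a .reg export and a process command line for those indicators. The indicator sets, the function names and the three sample inputs are constructed for this example; a real check would feed it the live hosts file, a reg export of HKLM and process-creation command lines (Sysmon event 1 or Security event 4688).

```python
import re

# Indicators taken from the strings listed on this page (the constant names are this example's own).
SERVICE_NAMES = {"cdntran", "cdnprot", "anfad", "hcalway", "fad"}
RUN_VALUE_NAMES = {"cdnctr", "exfilter"}
DROPPED_FILES = {"snpmw.dll", "cdn.dll", "cdnns.dll", "wmpns.dll", "autolive.dll",
                 "cdnprot.sys", "cdntran.sys", "anfad.sys", "hcalway.sys", "fad.sys"}
HOSTS_SUFFIXES = (".3721.net", ".3721.com")
# 'Rundll32 %s,Rundll32': rundll32 loading a DLL and calling an export literally named Rundll32.
RUNDLL32_RE = re.compile(r"^\s*(?:.*\\)?rundll32(?:\.exe)?\s+(?P<dll>.+?)\s*,\s*rundll32\s*$", re.I)


def scan_hosts(text: str) -> list:
    """Return (ip, hostname) pairs for every hosts entry whose name ends in a 3721 domain."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        for name in names:
            if name.lower().endswith(HOSTS_SUFFIXES):
                hits.append((ip, name))
    return hits


def scan_reg_export(text: str) -> list:
    """Walk a .reg export; flag Services\\<name> keys and Run values named after the malware."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            parts = key.lower().split("\\")
            if len(parts) >= 2 and parts[-2] == "services" and parts[-1] in SERVICE_NAMES:
                findings.append(("service", key))
            continue
        m = re.match(r'^"([^"]+)"=', line)
        if m and key.lower().endswith("\\currentversion\\run") and m.group(1).lower() in RUN_VALUE_NAMES:
            findings.append(("run_value", key + "\\" + m.group(1)))
    return findings


def scan_command_line(cmd: str):
    """Flag the 'Rundll32 <dll>,Rundll32' launch pattern; note whether the DLL is a known drop."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return None
    dll = m.group("dll").strip('"')
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"dll": dll, "known_dropped_file": base in DROPPED_FILES}


# Constructed sample inputs for this example.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
127.0.0.1       download.3721.net
127.0.0.1       www.3721.com   # entry added by the adware
192.0.2.10      intranet.example
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdnprot]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\cdnprot.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExFilter"="C:\\WINDOWS\\system32\\wmpns.dll"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

SAMPLE_CMD = r"Rundll32 C:\WINDOWS\system32\AutoLive.dll,Rundll32"


def triage(hosts: str = SAMPLE_HOSTS, reg: str = SAMPLE_REG, cmd: str = SAMPLE_CMD) -> dict:
    """Run all three checks and return their findings together."""
    return {"hosts": scan_hosts(hosts), "registry": scan_reg_export(reg), "rundll32": scan_command_line(cmd)}


if __name__ == "__main__":
    for source, result in triage().items():
        print(source, result)
```

The Rundll32 check deliberately matches the export name rather than the DLL name: a repackaged variant can rename AutoLive.dll, but the 'Rundll32 %s,Rundll32' format string means the export stays the same, so an unknown DLL with that export is still reported, only without the known_dropped_file flag.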

  Reports back to this URL to confirm that the above actions ran:

  .data:1000F720 s_HttpLogs_soft db ;,0


晴空网 Copyright @ 2011-2023 All Rights Reserved. 豫ICP备2022028056号