木马下载器Win32.TrojDownloader.Delf.114688

木马下载器Win32.TrojDownloader.Delf.114688病毒行为:
该病毒是一个木马下载者,会从网上下载其他病毒至客户的机器上并运行.病毒运行后生衍生一个DLL文件至系统目录中.

1.生成文件
%WinDir%\System32\Downdll.dll

2.修改注册表
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings = hex:3c,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,20,94,af,51,08,a1,c7,01,01,00,00,00,c0,a8,1c,f4,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
Count = dword:00000005
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
Time = hex:d7,07,08,00,04,00,10,00,06,00,19,00,38,00,9b,00,

3.病毒运行后创建一个IEXPLORE.EXE进程.

4.从http://www.*****.cn/images/js/az.exe下载病毒文件保存到c:盘根目录下.

5.在C:\Windows\system32下生成一个Delme.bat文件用于删除源文件.