[IT Industry] Baidu International Antivirus Team captures a polymorphic file-infecting worm
Posted: 2013-10-23 21:40

This post was last edited by ttrobert on 2013-10-23 12:03

Basic information
Virus name: Worm.Win32.Mabezat.Al
Alias: Worm.Win32.Mabezat.b
Type: file-infecting worm
Sample size: 244,079 bytes
Sample MD5: **********
Sample SHA1: **********
File type: PE_EXE
Original file name: N/A
First seen: 2013-07-31
Infection scope: N/A
Target: Windows

Sample overview
The Baidu International Antivirus Team's anti-virus monitoring network captured a polymorphic file-infecting worm. Besides spreading by infecting files, it propagates through e-mail attachments, network shares, removable drives and CD burning, and it encrypts files created within a certain time window.

Detailed analysis
Execution flow
Drops the file %Root%\Documents and Settings\tazebama.dll, loads and executes it; tazebama.dll then drops the following copies of the virus:
%SystemDrive%\Documents and Settings\hook.dl_
%SystemDrive%\Documents and Settings\tazebama.dl_
Creates the tazebama.dl_ process and then runs the infected sample's original code.

File list
Operation   File                                                                                          MD5
Added       %SystemDrive%\Documents and Settings\tazebama.dl_                                             D57DB1296AA405E1BA6AC12304C959EA
Added       %SystemDrive%\Documents and Settings\hook.dl_                                                 D57DB1296AA405E1BA6AC12304C959EA
Added       %SystemDrive%\Documents and Settings\tazebama.dll                                             B6A03576E595AFACB37ADA2F1D5A0529
Added       %SystemDrive%\Documents and Settings\Administrator\Application Data\tazebama\zPharaoh.dat
Added       %SystemDrive%\Documents and Settings\Administrator\Application Data\tazebama\tazebama.log
Added       autorun.inf
Added       zPharaoh.exe                                                                                  70c53885a5d7be8753ff83015e1c50f9

[Figure 1: derivation relationship of the sample files]

3.3 Code analysis
1) Propagation details
i. Propagation via e-mail
It checks for network connectivity by contacting the following sites:
[Figure 2: network connectivity check]

It spreads via e-mail; the message takes one of the following forms:
Subject: hi
Body: Unfortunately, I received unformatted email with an attached file from you. I couldn',27h,'t understand what is behind the words I wish you next time send me a readable file! I forwarded the attached file again to evaluate your self.
Attachment: notes.rar

Subject: ÇóêYóÇÑ
Body: ÇáóáÇã úáíßã¡¡¡ÇáÑóÇáé Çáêí êã à ÑóáåÇ ãä Tèáßã íæã ÇáÃíÏ ÇáóÇèTáã äóêØú Yåã Çáã TÕæÏ Yí ÇáãáY ÇáãÑYT. æáTÏ ÃÑYTä Ç Yí åDå ÇáÑóÇáéÇáãáY ááãÑÇìúé. äÑìæ ãäßã ÇáêßÑ ã èãÑÇìúé ãíêæìÇáãáY æÅÑóÇáå áä Ç ãÑé ÃÎÑì
Attachment: doc2.rar

Subject: ÑóÇáé êìÑíèíé
Body: ÑóÇáé êìÑíèíé. íÑìì êíãíá ÇáãáY ÇáãÑYT æÇáêÃßÏ ãä Çäå íúãá èÔßáÕííí æÅúáÇãí ÅDÇíÏË ÎØÃ ãÇ..
Attachment: doc2.rar

Subject: ABOUT PEOPLE WITH WHOM MATRIMONY IS PROHIBITED
Body:
1 : If a man commits adultery with a woman, then it is not permissible for him to marry her mother or her daughters.
2 : If a woman out of sexual passion and with evil intent commits sexual intercourse with a man, then it is not permissible for the mother or daughters of that woman to merry that man. In the same way, the man who committed sexual intercourse with a woman, because prohibited for her mother and daughters.
Download the attached article to read.
Attachment: PROHIBITED_MATRIMONY.rar

Subject: Windows secrets
Body:
The attached article is on \"how to make a folder password\". If your are interested in this article download it, if you are not delete it.
Attachment: FolderPW_CH(1).rar

Subject: Canada immigration
Body:
The debate is no longer about whether Canada should remain open to immigration. That debate became moot when Canadians realized that low birth rates and an aging population would eventually lead to a shrinking populace. Baby bonuses and other such incentives couldn't convince Canadians to have more kids, and demographic experts have forecasted that a Canada without immigration would pretty much disintegrate as a nation by 2050.\nDownload the attached file to know about the required forms.\nThe sender of this email got this article from our side and forwarded it to you.
Attachment: IMM_Forms_E01.rar

Subject: Viruses history
Body:
Nowadays, the viruses have become one of the most dangerous syste ms to attack the computers. There are a lot of kinds of viruses. The common and popular kind is called "Trojan.Backdoor" which run s as a backdoor of the victim machine. This enables the virus to 'have a full remote administration of the victim machine. To read the full story about the viruses history since 1970 download the attached  and decompress It by WinRAR.
The sender has red the story and forwarded it to you.
Attachment: virushistory.rar

Subject: Web designer vacancy
Body:
'Fortunately, we have recently received your CV/Resume from moiste  web site and we found it matching the job requirements we offer. If your are interested in this job Please send us an updated CV s' howing the required items with the attached file that we sent. Thanks & Regards, Ajy Bokra Computer department. AjyBokra@webconsulting.com
Attachment: JobDetails.rar

Subject: MBA new vision
Body:
MBA (Master of business administration ) one of the most required  degree around the world. We offer a lot of books helping you to gain this degree. We attached one of our .doc word formatted book s on "Marketing basics" to download.'
Our web site 1a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4c8S2P5X3g2#2L8Y4k6Q4x3X3g2W2k6s2g2Q4x3X3g2U0M7W2)9J5c8X3#2T1j5g2)9J5c8X3W2F1k6X3!0Q4x3X3g2Z5N6r3@1`.
Contacts:
Human resource
Ajy klaf
AjyKolav@tazeunv.com
The sender has added your name to be informed with our services.
Attachment: Marketing.rar

Subject: problem
Body:
When I had opened your last email I received some errors have been saved in the attached file .Please inform me with those errors as soon as possible.
Attachment: outlooklog.rar

The file in the e-mail attachment is a mutated copy of the virus. It disguises itself with the folder, RAR and DOC icons taken from shell32.dll, and it compresses itself with the WinRAR located through the Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe registry key.
[Figure 3: the file-icon modification routine]
[Figure 4: the modified file icon]

The mutated infected copies use the following file names:
GoogleToolbarNotifier.exe
PanasonicDVD_DigitalCam.exe
Antenna2Net.exe
RadioTV.exe
Microsoft MSN.exe
Sony Erikson DigitalCam.exe
IDE Conector P2P.exe
Windows Keys Secrets.exe
FaxSend.exe
RecycleBinProtect.exe
Disk Defragmenter.exe
CD Burner.exe
ShowDesktop.exe
BrowseAllUsers.exe
LockWindowsPartition.exe
Win98compatibleXP.exe
MakeUrOwnFamilyTree.exe
WindowsXp StartMenu Settings.exe
Recycle Bin.exe
Adjust Time.exe
Microsoft Windows Network.exe
HP_LaserJetAllInOneConfig.exe
FloppyDiskPartion.exe
msjavx86.exe
AmericanOnLine.exe
Crack_GoogleEarthPro.exe
Lock Folder.exe
InstallMSN11En.exe
InstallMSN11Ar.exe
JetAudio dump.exe
KasperSky6.0 Key.doc.exe
Office2007 Serial.txt.exe
Office2003 CD-Key.doc.exe
Make Windows Original.exe
NokiaN73Tools.exe
WinrRarSerialInstall.exe
My Documents                                                                                     .exe
Readme.doc .exe
My documents .exe

The e-mail attachment file names are:
windows.rar
office_crack.rar
serials.rar
passwords.rar
windows_secrets.rar
source.rar
imp_data.rar
documents_backup.rar
backup.rar
MyDocuments.rar

During the full-disk scan it checks each file's extension; for files with the following extensions:
.XML
.PHP
.LOG
.CHM
.HLP
.CPP
.PAS
.XLS
.PPT
.PDF
.ASPX
.HTML
.RTF
.TXT
.CS
.HTM
it reads the file contents and looks for e-mail addresses. Any address found is added to the send list, except addresses containing the strings MICROSOFT, KASPER or PANDA, and only one address is taken per file. The addresses are recorded in \Documents and Settings\Administrator\Application Data\tazebama\zPharaoh.dat. The file begins with the string "tazebama Trojan log file"; the rest is the harvested addresses:
[Figure 5: contents of the tazebama Trojan log file]
tazebama.log contains only the string "tazebama Trojan log file".
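For a responder who finds these artifacts, the question is which contacts on the host were harvested. The following helpers are an added example, not code from the original post or from the Baidu team: they validate and parse a zPharaoh.dat-style log and reproduce the harvesting rule described above (the listed extensions, the MICROSOFT/KASPER/PANDA filter, one address per file) so the send list can be reconstructed from the scanned files. The post only states that the header is followed by the harvested addresses; the one-address-per-line layout and the ASCII encoding are assumptions, and the sample inputs are constructed.

```python
"""Triage helpers for the tazebama log artifacts described in the analysis.

Added example. Assumption (not stated in the post): addresses follow the
header one per line, in ASCII.
"""
import re
from typing import List, Optional

LOG_HEADER = b"tazebama Trojan log file"

# Extensions the worm reads when hunting for addresses (from the analysis)
HARVEST_EXTENSIONS = {
    ".xml", ".php", ".log", ".chm", ".hlp", ".cpp", ".pas", ".xls",
    ".ppt", ".pdf", ".aspx", ".html", ".rtf", ".txt", ".cs", ".htm",
}
# Addresses containing these substrings are skipped (case-insensitive)
SKIP_SUBSTRINGS = ("MICROSOFT", "KASPER", "PANDA")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_zpharaoh_log(data: bytes) -> List[str]:
    """Return the harvested addresses stored in a zPharaoh.dat-style log.

    Raises ValueError when the header is missing, so an unrelated file is
    not mistaken for the worm's log.
    """
    if not data.startswith(LOG_HEADER):
        raise ValueError("missing 'tazebama Trojan log file' header")
    body = data[len(LOG_HEADER):]
    return [m.group(0).decode("ascii") for m in EMAIL_RE.finditer(body)]


def is_only_header(data: bytes) -> bool:
    """tazebama.log is expected to contain nothing but the header string."""
    return data.strip() == LOG_HEADER


def harvested_address(filename: str, content: bytes) -> Optional[str]:
    """Predict which address, if any, the worm would take from one file.

    Only the listed extensions are read, addresses containing one of the
    skip substrings are ignored, and the first acceptable address wins
    (one per file). Useful for scoping which contacts were exposed.
    """
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in HARVEST_EXTENSIONS:
        return None
    for m in EMAIL_RE.finditer(content):
        addr = m.group(0).decode("ascii")
        if any(s in addr.upper() for s in SKIP_SUBSTRINGS):
            continue
        return addr
    return None


# Constructed sample data (not taken from the post) for a stand-alone run
SAMPLE_LOG = LOG_HEADER + b"\r\nalice@example.org\r\nbob@example.net\r\n"
SAMPLE_TXT = b"contact: support@microsoft.invalid or carol@example.com\n"

if __name__ == "__main__":
    print(parse_zpharaoh_log(SAMPLE_LOG))
    print(harvested_address("notes.txt", SAMPLE_TXT))
    print(harvested_address("photo.jpg", SAMPLE_TXT))
```

Run it against the real zPharaoh.dat recovered from an infected host to list the exposed addresses; the address regex is deliberately loose because the worm's own matching rule is not documented in the post.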

ii. LAN propagation
It scans shared directories on the LAN and infects the files in them.
[Figure 6: LAN propagation]
The user names used are Administrator and Anonymous; the passwords are random weak passwords such as 123456789, built from the characters a-z, A-Z and 0-9.
It copies the virus into the Start Menu\Programs\Startup directory and the Documents and Settings directory:
[Figure 7: virus file copied into the Startup directory]
When the infection count equals 2000 or is less than or equal to 2, it writes a file named My Documents[spaces].exe.
[Figure 8: writing the My Documents .exe file]
iii. Propagation via CD burning
It drops a copy of the virus in the Local Settings\Application Data\Microsoft\CD Burning directory, so that when the user burns a CD the copy is written to the disc.
[Figure 9: infecting the CD-burning staging directory]
2) Infection and mutation details
It scans the whole disk and infects .EXE and .SCR files and the PE files that .LNK shortcuts point to, excluding files under the system32, windows and winnt directories.
[Figure 10: full-disk scan infecting .EXE, .SCR and the PE files pointed to by .LNK]
The infection code is polymorphically encrypted, so the hash of every infected PE file is different. Before the polymorphic code is written into the program it is encrypted and part of it is filled with random data; below, the injected code's initialization fills 5 bytes at the start of a data block with random values.
[Figure 11: random filling in the injected code]

The decryption key in the entry code is random:
[Figure 12: decryption key]

It also infects removable storage: in the root of every drive it creates a copy of the virus named zPharaoh.exe and an autorun.inf that points to it. The autorun.inf is first created under the name 1.taz and renamed once the pointer data has been written.

It searches for files with the following extensions and encrypts them, on the condition that the year is >= 2012, the month is >= 10 and the day is >= 16:
[Figure 13: encryption date check]
.hlp   
.pdf   
.html   
.txt   
.aspx.cs
.aspx   
.psd   
.mdf   
.rtf   
.htm   
.ppt   
.php   
.asp   
.pas   
.cpp   
.xls   
.doc   
.rar   
.zip   
.mdb   
.bas   
.txt   
and appends TAZEBAMA, the key used for encryption and decryption, and the marker string 3515 to the end of the file.
[Figure 13: key file]
[Figure 14: the encryption routine]
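The removable-media and encryption behaviour above leaves three things a scanner can look for: an autorun.inf launching zPharaoh.exe, a TAZEBAMA/3515 trailer on files with the listed extensions, and the date rule that decides which files were candidates. The block below is an added example, not code from the post or from the Baidu team. It assumes the autorun.inf is INI-style with an [autorun] section and that the TAZEBAMA marker and the 3515 string both fall within the last 64 bytes of an encrypted file (the post names the markers but not their exact layout); the sample inputs are constructed. The date predicate is written exactly as the post states it, with year, month and day each compared independently, which also makes its consequence visible: a file dated 2013-01-05 does not meet the condition even though it is later than 2012-10-16.

```python
"""Checks for the zPharaoh.exe/autorun.inf and encrypted-file artifacts.

Added example. Assumptions: INI-style autorun.inf; TAZEBAMA and "3515"
both sit within the last TAIL_BYTES of an encrypted file.
"""
import configparser
from typing import Optional

TAIL_BYTES = 64          # assumed search window for the appended trailer
MARKER = b"TAZEBAMA"
FLAG = b"3515"

# Extensions the worm encrypts (from the analysis; .txt is listed twice there)
ENCRYPT_EXTENSIONS = {
    ".hlp", ".pdf", ".html", ".txt", ".aspx.cs", ".aspx", ".psd", ".mdf",
    ".rtf", ".htm", ".ppt", ".php", ".asp", ".pas", ".cpp", ".xls", ".doc",
    ".rar", ".zip", ".mdb", ".bas",
}


def autorun_target(inf_text: str) -> Optional[str]:
    """Return the program an autorun.inf would launch, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(inf_text)
    except configparser.Error:
        return None
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return None
    # option names are lower-cased by ConfigParser, so lookups are case-insensitive
    for key in ("open", "shellexecute", r"shell\open\command"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None


def points_to_zpharaoh(inf_text: str) -> bool:
    """True when the autorun.inf launches the worm's drive-root copy."""
    target = autorun_target(inf_text)
    return target is not None and "zpharaoh.exe" in target.lower()


def has_tazebama_trailer(data: bytes) -> bool:
    """True when the file tail carries both the TAZEBAMA marker and the 3515 flag."""
    tail = data[-TAIL_BYTES:]
    return MARKER in tail and FLAG in tail


def matches_encrypt_rule(filename: str, year: int, month: int, day: int) -> bool:
    """Encryption candidate test exactly as the post states it.

    Each date component is compared on its own: year >= 2012 AND month >= 10
    AND day >= 16. Only files with a listed extension qualify.
    """
    name = filename.lower()
    if not any(name.endswith(ext) for ext in ENCRYPT_EXTENSIONS):
        return False
    return year >= 2012 and month >= 10 and day >= 16


# Constructed samples (not from the post) for a stand-alone run
SAMPLE_AUTORUN = "[autorun]\r\nopen=zPharaoh.exe\r\nshellexecute=zPharaoh.exe\r\nicon=zPharaoh.exe\r\n"
SAMPLE_ENCRYPTED = bytes(range(40)) + MARKER + b"0123456789abcdef" + FLAG

if __name__ == "__main__":
    print(points_to_zpharaoh(SAMPLE_AUTORUN))
    print(has_tazebama_trailer(SAMPLE_ENCRYPTED))
    print(matches_encrypt_rule("report.doc", 2013, 10, 23))
    print(matches_encrypt_rule("report.doc", 2013, 1, 5))
```

When sweeping a drive, run has_tazebama_trailer over files whose extension is in ENCRYPT_EXTENSIONS rather than over everything; the marker strings are short enough that a blanket search across binaries would produce false positives.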
3) Registry changes
Restores the AutoRun function of hard disks and optical drives to its default:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun        DELETE

Sets Explorer not to display hidden files and file extensions:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden    SET   1
ShowSuperHidden     SET 0
HideFileExt    SET  1
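The three Explorer values and the deleted NoDriveTypeAutoRun can be audited on a suspect host. The block below is an added example, not code from the post or from the Baidu team: on Windows it reads the live registry with winreg under the keys the post names; on any other platform, or for a snapshot exported from an offline hive, it works on a plain dict, which is how the constructed test data is supplied. Note that Hidden=1, ShowSuperHidden=0 and HideFileExt=1 coincide with common Windows defaults, so a match here corroborates a file-based finding (tazebama.dll, zPharaoh.exe, the trailer) rather than standing on its own.

```python
"""Audit of the registry values the worm changes (from the analysis).

Added example. Works on a live Windows registry via winreg, or on a dict
snapshot elsewhere.
"""
from typing import Dict, List, Optional

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Explorer values as the post says the worm sets them
WORM_STATE = {"Hidden": 1, "ShowSuperHidden": 0, "HideFileExt": 1}


def _read_value(root, path: str, name: str) -> Optional[int]:
    """Read one registry value, or None when the key or value is absent."""
    try:
        with winreg.OpenKey(root, path) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return value
    except OSError:
        return None


def read_snapshot() -> Dict[str, Optional[int]]:
    """Collect the relevant values from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg unavailable; pass a dict snapshot to audit() instead")
    snap = {name: _read_value(winreg.HKEY_CURRENT_USER, ADVANCED_KEY, name)
            for name in WORM_STATE}
    snap["NoDriveTypeAutoRun"] = _read_value(
        winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, "NoDriveTypeAutoRun")
    return snap


def audit(snapshot: Dict[str, Optional[int]]) -> List[str]:
    """Return one finding per value that matches the worm's post-infection state."""
    findings = []
    for name, worm_value in WORM_STATE.items():
        if snapshot.get(name) == worm_value:
            findings.append(f"HKCU\\{ADVANCED_KEY}\\{name} = {worm_value} (worm-set value)")
    if snapshot.get("NoDriveTypeAutoRun") is None:
        findings.append(f"HKLM\\{POLICY_KEY}\\NoDriveTypeAutoRun absent (worm deletes it)")
    return findings


# Constructed snapshots (not from the post) for a stand-alone run
WORM_LIKE_SNAPSHOT = {"Hidden": 1, "ShowSuperHidden": 0, "HideFileExt": 1,
                      "NoDriveTypeAutoRun": None}
HARDENED_SNAPSHOT = {"Hidden": 2, "ShowSuperHidden": 1, "HideFileExt": 0,
                     "NoDriveTypeAutoRun": 255}

if __name__ == "__main__":
    snapshot = read_snapshot() if winreg is not None else WORM_LIKE_SNAPSHOT
    for line in audit(snapshot):
        print(line)
```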

4. Incident summary
Monitoring on the Baidu Antivirus cloud platform identified this malicious program as a file-infecting worm. We remind users to update their antivirus signature databases promptly. The Baidu International Antivirus Team has notified the relevant partners and recommends that users immediately upgrade or install their security products to avoid leakage of sensitive information.
Baidu Antivirus: international edition download

