
Worm.Bagle.HX infection

Profile: 맥노턴

Bagle.HX [Panda Software], TROJ_MITGLIED.AI [Trend Micro]


[Infection vector]

Infection by a Trojan horse disguised as a Bitbeamer crack from a warez site.


[File information]

The Trojan program had already been deleted but was being restored again.

FileName : c:\documents and settings\{user}\application data\hidires\hidr.exe
MD5 : DAE7B6343D7D0FDA81B93936A96BB9D3

FileName : c:\windows\extfld\{num}.exe (newly created)
MD5 : 2886762CBAE5E41BAEF43EB8685FC288


[Trojan behaviour]

1. Disables antivirus software
2. Terminates the Windows Update process (Automatic Updates)
3. Stops the Background Intelligent Transfer Service
4. Infects the system with the Bagle worm, variant HX
5. Creates a process
(c:\documents and settings\{user}\application data\hidires\hidr.exe)
6. Activates a stealth component
(c:\documents and settings\user\application data\hidires\m_hook.sys)
7. Auto-starts through a registry modification
(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drvsyskit = C:\Documents and Settings\맥노턴\Application Data\hidires\hidr.exe)


[Symptoms]

1. Interferes with the installation of antivirus programs.
2. During installation it triggers error 1304 by holding the directory's access permissions; the installer cannot copy files, although the directory can still be accessed through Explorer.
3. Blocks the directory into which files carrying antivirus executable or real-time monitor file names, such as spy???.exe and kav.exe, are about to be copied.
4. Takes over Internet Explorer. Attempts to connect to a specific IP address and port (detailed monitoring needed).


[Checking the stopped services]

[Start] - [Run] - 'services.msc'
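As an added example that is not part of the original post, the following PowerShell script turns the manual checks above (services.msc, the Run key, the dropped files) into a single host check against the indicators this post records: the hidires directory with hidr.exe and m_hook.sys, the two MD5 hashes, the drvsyskit Run value, the %windir%\extfld (and, from the Prevx profile further down, exefld) drop directories, and the Automatic Updates and BITS services. It assumes a modern PowerShell with Get-FileHash; the service names wuauserv and BITS are the standard names of the two services the post lists, and everything else is taken from the post.

```powershell
# Added example, not the original author's code: audit a host for the
# Bagle.HX / hidr.exe indicators recorded in the post above.
# Assumption: PowerShell 4+ (Get-FileHash). The infected hosts in the post
# ran Windows XP; there, services.msc and a standalone MD5 tool take its place.

$iocMd5 = @{
    'hidr.exe' = 'DAE7B6343D7D0FDA81B93936A96BB9D3'   # MD5 from the post
    'extfld'   = '2886762CBAE5E41BAEF43EB8685FC288'   # MD5 of c:\windows\extfld\{num}.exe
}
$findings = @()

# 1. Dropped files under %APPDATA%\hidires (hidr.exe and the m_hook.sys stealth driver)
$hidires = Join-Path $env:APPDATA 'hidires'
foreach ($name in 'hidr.exe', 'm_hook.sys') {
    $p = Join-Path $hidires $name
    if (Test-Path -LiteralPath $p) {
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $findings += "File present: $p (MD5 $md5)"
        if ($md5 -eq $iocMd5['hidr.exe']) { $findings += "  MD5 matches the post's hidr.exe sample" }
    }
}

# 2. Renamed copies: %windir%\extfld\{num}.exe in the post, %windir%\exefld in the Prevx listing
foreach ($dir in 'extfld', 'exefld') {
    $d = Join-Path $env:windir $dir
    if (Test-Path -LiteralPath $d) {
        Get-ChildItem -LiteralPath $d -Filter '*.exe' -ErrorAction SilentlyContinue | ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            $findings += "File present: $($_.FullName) (MD5 $md5)"
            if ($md5 -eq $iocMd5['extfld']) { $findings += "  MD5 matches the post's extfld sample" }
        }
    }
}

# 3. Persistence: HKCU Run value named drvsyskit pointing at hidr.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'drvsyskit')) {
    $findings += "Run value drvsyskit = $($run.drvsyskit)"
}

# 4. Services the Trojan stops: Automatic Updates (wuauserv) and BITS
foreach ($svc in 'wuauserv', 'BITS') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "Service $svc is $($s.Status) (the post reports the Trojan stopping it)"
    }
}

# 5. Running process. The post notes hidr.exe is hidden by m_hook.sys, so an empty
#    result here is not evidence of a clean host; the file and registry checks above are.
if (Get-Process -Name 'hidr' -ErrorAction SilentlyContinue) {
    $findings += 'Process hidr.exe is visible in the process list'
}

if ($findings.Count -eq 0) { 'No Bagle.HX indicators from the post were found.' } else { $findings }
```

The file and registry checks are the reliable part: the post describes the running process as hidden by the m_hook.sys stealth driver, so the process check is included only to confirm the hiding, never to clear a machine. Run it from an elevated prompt so the %windir% directories are readable.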


[Resolution]

Because it disables antivirus programs, none can be installed, and updates are also blocked. Online scanners are blocked as well, and Internet Explorer is taken over.

Removal tool: prevx1 (trial version)
http://www.prevx.com/default.asp
(Installation goes through, but the Trojan causes program errors and interferes with updates. After forcibly terminating the hidr.exe process hidden by the stealth component, a scan found and deleted it.)

VirusChaser : update files and real-time monitor files disabled
Kaspersky AV : executable (avp.exe) disabled (unexpectedly)
V3 2004 : cannot be installed or run; monitoring files disabled
MS OneCare Live : the scan function runs, but checking is not possible.


[Collected information]

hidr.exe
c:\documents and settings\user\application data\hidires\hidr.exe
c:\documents and settings\user\application data\hidires\m_hook.sys


Discovered: March 23, 2006
Updated: March 27, 2006 09:25:16 AM GMT
Also Known As: Bagle.HX [Panda Software], TROJ_MITGLIED.AI [Trend Micro]
Type: Trojan Horse
Infection Length: 15,876 bytes; 9,732 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Beagle.DZ is a Trojan horse that attempts to download and execute remote files.

Protection
Virus Definitions (LiveUpdate™ Daily): March 23, 2006
Virus Definitions (LiveUpdate™ Weekly): March 29, 2006
Virus Definitions (Intelligent Updater): March 23, 2006
Virus Definitions (LiveUpdate™ Plus): March 23, 2006

Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Moderate
Damage
Damage Level: Medium
Payload: Downloads and executes remote files.
Compromises Security Settings: Attempts to end security-related processes and services.
Distribution
Distribution Level: Medium

Writeup By: Mark McGuill


http://virusinfo.prevx.com/pxparall.asp?PX5=2a867c2804bb0bea482800f8c4f56700043f7376

HIDR.EXE
AUTOMATED MALWARE PROFILE, ANALYSIS, REMOVAL AND SIGNATURE INFORMATION:
DEFINITION OF: HIDR.EXE
Safety Rating: Known Malware, do not run
Malware Family: Part of Malware group - Trojan MitGlieder GB
Determination: Automatically determined using Prevx1 centralized heuristics
Malware Form: TROJAN
Protection: Prevx1 is a very powerful PC security product, it will protect, disinfect, cleanup and remove HIDR.EXE and safeguard your PC against viruses, trojans, worms, spyware, rootkits and adware
New Users: You can download the full Prevx1 product and use it to cleanup and remove HIDR.EXE and other infections free of charge, then leave it to monitor your PC for other infections
First seen: Mar 28 2006 (GMT)
Last seen: Mar 28 2006 (GMT)
File Size: 18,436 bytes
MALWARE ASSESSMENT: PREVX 4 AXES OF EVIL METHODOLOGY
1. COVERT ANALYSIS OF: HIDR.EXE
File Names Used: 94
Paths Used: 58
Common File Name: HIDR.EXE
Common Path: %appdata%\hidires\
Vendor Information: No Vendor details specified
HIDR.EXE may use 94 or more path and file names, these are the most common:
1 :%desktop%\malware on stubbs laptop (stubbs101)\2A867C2804BB0BEA482800F8C4F5.....EXE
2 :%windir%\exefld\1388596.EXE
3 :%windir%\exefld\1389407.EXE
4 :%windir%\exefld\140532.EXE
5 :%windir%\exefld\142785.EXE
6 :%windir%\exefld\151407.EXE
7 :%windir%\exefld\160310.EXE
8 :%windir%\exefld\183373.EXE
9 :%WINDIR%\SYSTEM32\DRJO EDLM2.DRJOEDRJOXDRJOE
10:%WINDIR%\SYSTEM32\EDLM2.EXE
11:?:\A00000000
12:?:\as02-thisscan\2A867C2804BB0BEA482800F8C4F5.....EXE
File Name Structure: Normal
File and Path Structure: Suspicious, code execution from unusual location
2. RELATIONSHIP ANALYSIS OF: HIDR.EXE
Malicious Objects Created: 3 objects
Malicious Creators: 3
Malware Run Keys: Creates registry run keys for known malware objects
Self Persists: Yes, creates copies of itself
Antivirus Detection: Yes, detected by one or more 3rd party Antivirus product
Anti-Spyware Detection: Yes, detected by one or more 3rd party Anti-Spyware product
3. ACTIVITY ANALYSIS OF: HIDR.EXE
The following behaviors have been observed for this object:
Installs programs.
Deletes programs.
Invokes dll components.
Creates Run Keys.
Runs other programs.
Hijacks running processes.
Creates registry entries.
Creates run keys for known malware.
Creates known malware.
Creates copies of itself.
Disables Security Products.
4. PROPAGATION ANALYSIS OF: HIDR.EXE
Malware Group Propagation Rate: Moderate (spreading)
Malware Group: Trojan MitGlieder GB
Copyright Prevx Limited 2005, 2006


Written by: 맥노턴.
(This write-up has gaps, so please do not repost it just anywhere.)
