Email-Worm.Win32.LovGate.ae (爱情后门) Analysis and Removal

Date: 2007-07-22 19:50:21   Source: 技术无忧
Keywords: 爱情后门 (LovGate), virus, SREng

Preface: This should be a fairly old virus; if I remember correctly, it appeared around 2004. I downloaded a sample from 剑盟 today. Among email worms I had only analyzed Warezov before; this LovGate is actually rather well written. I spent more than four hours on it, looked up some material along the way, and there are still parts I don't understand. Quite tiring. One has to keep learning and improving! I'm a novice, so omissions are inevitable.

Virus name: Email-Worm.Win32.LovGate.ae (Kaspersky)
Size: 192000 bytes
Packer: multiple layers of ASPack and JDPack
Sample MD5: 42ab20ee5f4757a44edff753bc508840
Sample SHA1: cc2df80aea902bec125601cd3202a3e5e9010613
Compiler: Microsoft Visual C++ 6.0
Type: backdoor, worm
Propagation: email, network

Behavior analysis:

When run, the virus drops copies of itself and its backdoor components to:
%Windows%\SVCHOST.EXE
%Windows%\SYSTRA.EXE
%System32%\HXDEF.EXE
%System32%\IEXPLORE.EXE
%System32%\KERNEL66.DLL
%System32%\RAVMOND.EXE
%System32%\TKBELLEXE.EXE
%System32%\UPDATE_OB.EXE
%System32%\LMMIB20.DLL
%System32%\MSJDBC11.DLL
%System32%\MSSIGN30.DLL
%System32%\NETMEETING.EXE
%System32%\ODBC16.DLL
%System32%\SPOLLSV.EXE

The virus copies itself to the root directory of every partition and creates an autorun.inf there:
AUTORUN.INF
COMMAND.EXE

Contents of AUTORUN.INF:
[AUTORUN]
Open="c:\COMMAND.EXE" /StartExplorer

The virus creates startup entries so that it runs automatically at every boot:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "RAVMOND.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
WinHelp = "C:\Windows\System32\TkBellExe.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Hardware Profile = "C:\Windows\System32\hxdef.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
VFW Encoder/Decoder Settings = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Microsoft NetMeeting Associates, Inc. = "NetMeeting.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Program In Windows = "C:\Windows\System32\IEXPLORE.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Shell Extension = "C:\Windows\System32\spollsv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
Protected Storage = "RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
SystemTra = "C:\Windows\SysTra.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
COM++ System = "svchost.exe"

The virus registers itself as a system service:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)]
Display name: Windows Management Protocol v.0 (experimental)
Description: Windows Advanced Server Performs Scheduled scans for LANguard
Path to executable: %System32%\MSJDBC11.DLL

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\_reg]
Display name: _reg
Description: (empty)
Path to executable: %System32%\MSJDBC11.DLL


The virus modifies the following registry entries so that its copy runs whenever the user opens a .TXT file:
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
default = "Update_OB.exe %1"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
default = "Update_OB.exe %1"
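The persistence entries above are a natural basis for a host check. The following audit script is an added example, not code from the original article or from any tool it mentions: it parses a .reg export (a constructed sample is embedded) and flags the autostart value names and component names the analysis lists, plus a txtfile open command that no longer points at notepad.

```python
"""Audit a Windows .reg export for the LovGate.ae persistence entries listed above.
Added example, not the article's code; the .reg sample is constructed, with one benign control entry."""
# Autostart value names the analysis attributes to LovGate.ae (lower-cased)
LOVGATE_VALUE_NAMES = {"winhelp", "hardware profile", "vfw encoder/decoder settings",
                       "microsoft netmeeting associates, inc.", "program in windows",
                       "shell extension", "protected storage", "systemtra", "com++ system"}
# Dropped components with names distinctive enough to match on in value data
LOVGATE_BINARIES = {"ravmond.exe", "tkbellexe.exe", "hxdef.exe", "mssign30.dll",
                    "netmeeting.exe", "spollsv.exe", "systra.exe", "update_ob.exe"}
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices",
                      "\\windows nt\\currentversion\\windows")

SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinHelp"="C:\\Windows\\System32\\TkBellExe.exe"
"Updater"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"
"Benign"="C:\\Program Files\\Example\\app.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"COM++ System"="svchost.exe"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="Update_OB.exe %1"
"""

def parse_reg(text):
    """Minimal .reg parser: key path -> {value name: data}, string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys

def audit(text):
    """Return (key, value name, reason) for every entry matching an indicator."""
    hits = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            d = data.lower()
            if key.lower().endswith(AUTOSTART_SUFFIXES):
                if name.lower() in LOVGATE_VALUE_NAMES:
                    hits.append((key, name, "LovGate autostart value name"))
                elif any(b in d for b in LOVGATE_BINARIES) or "ondll_reg" in d:
                    hits.append((key, name, "LovGate component referenced"))
            # The .txt handler should point at notepad; LovGate rewrites it to Update_OB.exe
            elif key.lower().endswith("txtfile\\shell\\open\\command") and "notepad" not in d:
                hits.append((key, name, "txtfile open command hijacked"))
    return hits
```

The data-based branch also catches an entry that was renamed but still loads MSSIGN30.DLL through rundll32, which a value-name match alone would miss.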


The virus can spread via MAPI. It searches the system mailboxes and replies to each message it finds, using the reply to propagate.

Emails sent by the virus have the following characteristics:

Subject: Re: <original subject>

Body:

<original body>
<domain> auto-reply:
wrote:
If you can keep your head when all about you
Are losing theirs and blaming it on you;
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or, being lied about,don't deal in lies,
Or, being hated, don't give way to hating,
And yet don't look too good, nor talk too wise;
... ... more look to the attachment.
> Get your FREE <Domain name> now! <

Attachment (one of):
the hardcore game-.pif
Sex in Office.rm.scr
Deutsch BloodPatch!.exe
s3msong.MP3.pif
Me_nude.AVI.pif
How to Crack all gamez.exe
Macromedia Flash.scr
SETUP.EXE
Shakira.zip.exe
dreamweaver MX (crack).exe
CloneAttack.rm.scr
StarWars2 - CloneAttack.rm.scr
Industry Giant II.exe
DSL Modem Uncapper.rar.exe
joke.pif
Britney spears nude.exe.txt.exe
I am For u.doc.exe

Besides MAPI, the virus also spreads using its own SMTP engine.

It harvests email addresses from files with the following extensions:
adb
asp
dbx
htm
php
sht
tbb

Sender:
{random name}.yahoo.com
Random names include:
john
alex
michael
james
mike
kevin
david
george
sam
andrew
jose
leo
maria
jim
brian
serg
mary
ray
tom
peter
robert
bob
jane
joe
dan
dave
matt
steve
smith
stan
bill
bob
jack
fred
ted
adam
brent
alice
anna
brenda
claudia
debby
helen
jerry
jimmy
julie
linda
sandra

Body (one of):
It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
Mail failed. For further assistance, please contact!
The message contains Unicode characters and has been sent as a binary attachment.

The virus avoids sending mail to addresses containing any of the following strings:
.gov
.mil
avp
borlan
example
foo.
gov.
hotmail
icrosof
inpris
msn.
mydomai
nodomai
panda
ruslis
sopho
syma
