Recently I have intercepted many RAR files containing .cmd virus files. Do not open any email carrying the following attachments:
台灣與香港校園漂亮mm照片.rar (lit. "photos of pretty girls from Taiwan and Hong Kong campuses.rar")
寫真.rar (lit. "glamour photos.rar")
我的相冊.rar (lit. "my photo album.rar")
秘密.rar (lit. "secret.rar")
(Variants may well appear…)
Once opened, it performs the following actions:
Drops file "2.bat" under directory c:\
Drops file "f3c74e3fa248.dll" under directory %windir%\help
Drops itself as "f3c74e3fa248.exe" under directory %windir%\help
Drops file "1.bat" under directory %windir%
Modifies the following registry entries:
Set "(default)" = "ssuudl", under key HKLM\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}
Set "(default)" = "%windir%\help\f3c74e3fa248.dll", under key HKLM\SOFTWARE\Classes\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32
Set "{1DBD6574-D6D0-4782-94C3-69619E719765}" = "0", under key HKLM\softWaRe\MiCrOsOfT\wiNdOwS\CUrReNtveRsIoN\eXpLoReR\ShElLexEcuteHOoKs
Launches the file <system folder>\cmd.exe, by running cmd /c 2.bat
Launches the file <system folder>\cmd.exe, by running cmd /c 2.bat
Launches the file <system folder>\cmd.exe, by running cmd /c C:\WINDOWS\1.bat
I reported it to four vendors; the status of each is as follows:
Kaspersky: reported 1/18, analysis completed within 2 hours, detection name Trojan-PSW.Win32.Magania.czq
Microsoft: reported 1/18, analysis completed within 2 hours, detection name Win32/Viking.IT
Avira: reported 1/18, analysis completed within 2 hours, detection name DR/PSW.Magania.cjs
Symantec: reported 1/18, still being processed…
PS: The others either require you to be a product customer to submit samples, or submissions simply vanish without a reply, so I didn't spend time on them this round.