Siêu engine GG CHESS 2010 -1.52MB

[tien210]

Phân tích con GGChess-201003-6U-709K của concotrang :

1. General Information
- Information about Anubis' invocation
Time needed: 241 s
Report created: 03/30/10, 07:21:28 UTC
Termination reason: Timeout
Program version: 1.74.2681

2. GGChess-201003-6U-709KB.exe
- General information about this executable
Analysis Reason: Primary Analysis Subject
Filename: GGChess-201003-6U-709KB.exe
MD5: b8fd9083014712af127b7b9425e7dce1
SHA-1: cbb4177d2c8fe4ab5d177f49cd799f5492dc76d7
File Size: 1170432 Bytes
Command Line: "C:\GGChess-201003-6U-709KB.exe"
Process-status at analysis end: alive
Exit Code: 0

- Load-time Dlls
Module Name Base Address Size
C:\​WINDOWS\​system32\​ ntdll.dll 0x7C900000 0x000AF000
C:\​WINDOWS\​system32\​ kernel32.dll 0x7C800000 0x000F6000
C:\​WINDOWS\​system32\​ ADVAPI32.dll 0x77DD0000 0x0009B000
C:\​WINDOWS\​system32\​ RPCRT4.dll 0x77E70000 0x00092000
C:\​WINDOWS\​system32\​ Secur32.dll

- Run-time Dlls
Module Name Base Address Size
C:\​WINDOWS\​system32\​ feclient.dll 0x693F0000 0x00009000
C:\​WINDOWS\​system32\​ MPR.dll 0x71B20000 0x00012000
C:\​WINDOWS\​system32\​ MSCTF.dll 0x74720000 0x0004C000
C:\​WINDOWS\​system32\​ advpack.dll 0x75260000 0x00029000
C:\​WINDOWS\​system32\​ USERENV.dll

2.a) GGChess-201003-6U-709KB.exe - Registry Activities
- Registry Values Modified:
Key Name New Value
HKLM\​Software\​Microsoft\​ Windows\​CurrentVersion\​RunOnce info


- Monitored Registry Keys:
Key Name Watch subtree Notify Filter Count
HKLM\​system\​ CurrentControlSet\​control\​NetworkProvider\​HwOrder 0 Value Change 1

2.b) GGChess-201003-6U-709KB.exe - File Activities
- Files Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\cyclone.exe

- Files Modified:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exeinfo
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\cyclone.exeinfo
MountPointManagerinfo
PIPE\lsarpcinfo

- Directories Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP

2.c) GGChess-201003-6U-709KB.exe - Process Activities
- Processes Created:
Executable Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe

- Remote Threads Created:
Affected Process
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe

- Foreign Memory Regions Read:
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe

- Foreign Memory Regions Written:
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe

- Ikarus Virus Scanner
Backdoor.Win32.Hupigon (Sig-Id:375763)

--------------------------------------------------------------------------------

Bên trong Engine có thể có Virus, xem các mục như :

- Registry Values Modified: Thay đổi giá trị Rgistry :
Key Name New Value
HKLM\​Software\​Microsoft\​ Windows\​CurrentVersion\​RunOnce info wextract_cleanup0 rundll32.exe C:\​WINDOWS\​system32\​advpack.dll,DelNodeRunDLL32 "C:\​DOCUME~1\​ADMINI~1\​LOCALS~1\​Temp\​IXP000.TMP\​"

- Files Created: Tạo ra các File nguy hiểm :

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\cyclone.exe


- Directories Created: Tạo thư mục quả lý và thực thi mã độc :
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP

- Processes Created: Tạo Processes của Virus

Executable Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\1r.exe
Key Name Watch subtree Notify Filter Count
HKLM\​system\​ CurrentControlSet\​control\​NetworkProvider\​HwOrder 0 Value Change 1
Đã đổi trị số Rgistry từ 0 thành 1

- File System Control Communication: tạo File điều khiển hệ thống
File Control Code Times
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\ 0x00090028 1

- Ikarus Virus Scanner : Ikarus khẳng định là 1 Backdoor

Backdoor.Win32.Hupigon (Sig-Id:375763)


Vậy ai chơi thì trước tiên dính nó, sau 1 thời gian, con Backdoor này mở cổng sau tải thêm anh em Virus của nó về nữa là cũng toi mạng luôn.

Tui không dám chơi và xóa rồi, backup 1 bản vào kho Virus chung với Virus mà TCNguyen cho ( cho nó ở chung với Virus HoaKimCuong giết máy tính Alex2001 mấy hôm trước) hehehe....