20CN网络安全小组论坛 - 病毒专区 - trojan.Benfgame木马求医

论坛: 病毒专区标题: trojan.Benfgame木马求医

作者: adan [adan]

论坛用户

朋友特别喜欢玩边锋游戏 www.gameabc.net
其中有梭哈，昨天他去happygame.net下载了个看牌器（%$%^$%$&^&&^!!@@$)作弊的玩意,却不知道该软件含trojan.Benfgame木马，请教大侠如何修复，
NORTON无法隔离，木马感染MSBFSET2.EXE

[此贴被阿单(adan) 在 02月09日21时46分编辑过]

地主发表时间: 2003-02-09 21:40:46

回复: nanhairen [nanhairen]

前任版主

我按照你说得去下载了一个回来。真的有木马在里面。但马上就被我的杀毒软件杀掉了。

你的？升级吧

B1层发表时间: 02/10 00:11

回复: adan [adan]

论坛用户

When Trojan.Benfgame runs, it waits for players to log in to the game. When the user/password dialog box appears, Trojan.Benfgame grabs the user name and password from the dialog box.

Trojan.Benfgame then tries to send this information to the attacker using the victim's SMTP server and account. The message that it sends contains the following information:

Mima_wenjian: (password_file)
Fuwuqi: (server)
Jieshou_youxiang: (receiving mailbox)
Yonghu_ming: (username)
Yonghu_mima: (user password)
Smtp_biaozhi: (smtp_ID)
Fasong_zhuti: (send_subject)

During execution, Trojan.Benfgame searches for and tries to terminate any processes that match these names (this fail under Windows NT 4.0):
Kav9x.exe
Smenu.exe
Ravmon.exe

It then copies itself as:
%windir%\Msbflet2.exe
%windir%\Mscvt2.exe
%system%\Msbfrun2.exe
%system%\Msbfset2.exe

NOTES:
%windir% is a variable. The Trojan locates the Windows installation folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.
%system% is a variable. The Trojan locates the System folder and copies itself to that location. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Trojan.Benfgame then hooks the system by creating registry values (and keys as needed):

It adds the value

MSBenCheck %system%\MSBFRUN2.EXE

to the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It changes the value of

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\txtfile\shell\open\command

to

(Default) %system%\MSBFSET2.EXE %1

It changes the value of

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

to

(Default) %system%\MSBFSET2.EXE %1 %*

It changes the value of

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command

to

(Default) %windir%\MSBFLET2.EXE %1

It changes the value of

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\chm.file\shell\open\command

to

(Default) %windir%\MSBFLET2.EXE %1

These registry changes cause Trojan.Benfgame to be executed when
The system is restarted
A text file is opened (Trojan.Benfgame opens the text file using Notepad)
An executable file is opened
A screen saver is executed
A compiled Help file is opened

Trojan.Benfgame also changes the run= line in the Win.ini file to

run=%windir%\MSCVT2.EXE

which results in it being executed during system startup.

Trojan.Benfgame also inserts the %windir%\Mswinsck.ocx file onto the system. This is a clean system file that is not detected by Symantec antivirus products.

Trojan.Benfgame contains the following strings in its body:
fuwuqi - "server"
mima_wenjian - "password_file"
fasong_youxiang - "send_mailbox"
yonghu_ming - "username"
yonghu_mima: - "user_password"
youxiang_mima - "mailbox_password"
smtp_biaozhi - "smtp_ID"
fasong_zhuti - "send_subject"
jieshou_youxiang: - "receiving_mailbox"
muma_yunxing - "troja_run"
jincheng_id - "process_id"
jincheng_ming - "process_name"
benf2.dt
Microsoft BF Runtime Support (as file description in resource)
MICROSOFT BENF (as product name in resource)
BENF298.EXE (as original name in resource)

NOTES:
These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
If Trojan.Benfgame has run, it makes changes to the registry as previously described. Some of the (Default) values that it changes vary depending on the operating system. The following is an outline of the basic procedure that is needed, followed by step-by step instructions. However, because the (Default) values can vary, unless you are sure of what these values should be on your computer, we suggest that you obtain the services of a qualified computer consultant.
1. Update the virus definitions, run a full system scan, and delete all files that are detected as Trojan.Benfgame.
2. Delete the text that the Trojan added to Win.ini.
3. Copy Regedit.exe as Regedit.com.
4. Delete the value

MSBenCheck %system%\MSBFRUN2.EXE

from the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

5. Change the (Default) values back to their original values

For details on how to do this, read the following instructions.

To delete the text that the Trojan added to Win.ini
This is necessary only on computers that are running Windows 95/98/Me.

NOTE: (For Windows Me users only) Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.

1. Click Start, and click Run.
2. Type the following, and then click OK.

edit c:\windows\win.ini

The MS-DOS Editor opens.

NOTE: If Windows is installed in a different location, make the appropriate path substitution.

3. In the [windows] section of the file, look for an entry similar to the following:

run=%windir%\MSCVT2.EXE

4. Select the entire line. Be sure that you have not selected any other text, and then press Delete.
5. Click File, and click Save.
6. Click File, and click Exit.

To scan for and delete the infected files:
1. Obtain the most recent virus definitions. There are two ways to do this:
Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. If any files are detected as infected with Trojan.Benfgame, click Delete.

To copy Regedit.exe as Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension and then run that file.

1. Do one of the following, depending on which version of Windows you are running:
Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Go on to step 2 of this section.
Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Go on to step 2 of this section.
Windows NT/2000 users:
a. Click Start, and click Run.
b. Type the following, and then press Enter:

command

A DOS window opens.

c. Type the following, and then press Enter:

cd \winnt

d. Go on to step 2 of this section.
Windows XP:
a. Click Start, and click Run.
b. Type the following, and then press Enter:

command

A DOS window opens.

c. Type the following commands (press Enter after typing each one):

cd\
cd \windows

d. Proceed to step 2 of this section.

2. Type the following, and then press Enter:

copy regedit.exe regedit.com

3. Type the following, and then press Enter:

start regedit.com

The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.

1. Proceed to the next section, "To remove the added value and restore the (Default) values:," only after you have accomplished the previous steps.

NOTES:
The Registry Editor will open in front of the DOS window. After you finish editing the registry and close the Registry Editor, then close the DOS window.
After you remove BackDoor.Benfgame, then you may delete the Regedit.com file.

To delete the value that the Trojan added and restore the (Default) values:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value

MSBenCheck %system%\MSBFRUN2.EXE

5. For each of these keys, follow the instructions in steps 6 and 7:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\chm.file\shell\open\command

6. For each one, double-click the (Default) value in the right pane, .
7. Delete the current value data, and then replace it with the correct data for your operating system and installation. As mentioned previously, this can vary. For example, in a default installation of Windows 98, the (Default) values are:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\txtfile\shell\open\command

(Default) C:\Windows\NOTEPAD %1

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

(Default) "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\scrfile\shell\open\command

(Default) %1 /s

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\chm.file\shell\open\command

(Default) C:\Windows\hh.exe %1

8. When you have finished, exit the Registry Editor and restart the computer.

Additional information:

NOTE: Definitions dated prior to August 26, 2002 may detect this as W32.Benf@mm.

Write-up by: Atli Gudmundsson

B2层发表时间: 02/10 01:01

回复: nanhairen [nanhairen]

前任版主

更象一个硬盘炸弹。我运行程序后，C 盘里的所有程序全部瘫痪，杀毒软件，防火墙也不例外。好象是破坏注册表一类的。我重装系统后，用最新版的KV3000杀毒王在其他的分区里查杀到特洛伊木马的存在。大家小心啊！

B3层发表时间: 02/10 08:29

论坛: 病毒专区