CreateMutex
까보면 다나와~

spoo1sv.exe

spoo1sv.exe (게임 계정 해킹 프로그램 드럽퍼)

-> IAT reconstruction
-> Create "C:\\WINDOWS\\tasks\\SA01.dat" (Resource of Malicious Dll) -> MZ => 3030
-> Copy itself "C:\\WINDOWS\\tasks\\SA02.dat"
-> Copy itself "C:\\WINDOWS\\spoo1sv.exe"
-> Change signature "C:\\WINDOWS\\tasks\\SA02.dat" MZ to 00
-> sfc_os.dll load and WPA clear ("C:\\WINDOWS\\system32\\ws2help.dll", "C:\\WINDOWS\\system32\\dllcache\\ws2help.dll")
-> check "%system32%\wimedump.dll" file exists. if the file does not exists, move file from wehelp.dll to wimedump.dll(same directory)
-> Create "C:\\WINDOWS\\system32\\ws2help.dll" (Resource of Malicious Dll)
-> Copy "C:\\WINDOWS\\system32\\ws2help.dll" to "C:\\WINDOWS\\system32\\dllcache\\ws2help.dll"
-> Create_Version_File
-> Delete itself

추가 - (우와 이거때문에 많은 분이 찾으셨네요.)

치료하려면
0. 우선 프로세스 목록에서 spoo1sv.exe를 종료하고 spoo1sv.exe를 삭제
1. "C:\windows\system32\dllcache\ws2help.dll" -> 삭제
2. "C:\windows\system32\ws2help.dll" -> 삭제
3. "C:\windows\system32\wimedump.dll.dll" -> ws2help.dll로 이름 변경 ->
"C:\windows\system32\dllcache\"에 복사
4. windows 폴더에서 winurl.dat, version.dat 삭제

또는 알약2.0 버젼으로 설치하셔서 치료(2.0대 버젼에서 안티백신 로직을 잘 피해갔네요.)

  Comments,   0  Trackbacks
댓글 쓰기