Recently, several hundred computers managed by a friend of mine were infected with a worm trojan. The main files are as follows:
59b18d6146a2aa066f661599c496090d
cce36235a525858eb55070847296c4c8
a4b7940b3d6b03269194f728610784d6
d4e2ebcf92cf1b2e759ff7ce1f5688ca
5ab6f8ca1f22d88b8ef9a4e39fca0c03
Even after a scan with the top domestic antivirus product, dozens of older machines still locked up every time they booted. I had originally gone over to have a drink with him; since I was there anyway, I took a look to satisfy my curiosity. I found a large number of cmd, net and net1 processes. Looking with Procmon.exe, every one of them was executing "cmd /c net share c$=c:". Checking the startup items with PCHunter, sure enough there were many system services whose command line was exactly that, with random service names, over 200 entries in all. At boot they exhaust the machine's resources. I was puzzled why the antivirus had not cleaned them out completely.
Waiting for the antivirus vendor to ship a fix could take forever. Deleting them one by one would also take an eternity. Parking is expensive too, and nobody reimburses it. In short, I could not afford to wait, so I just wrote a script to delete them automatically.
Option Explicit
Dim strComputer, objWMIService, colServices, objService
Dim strMsg, nQuery, Count, nDel, pos, result

strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "\\" & strComputer & "\root\cimv2")
' Every installed service, including the ~200 randomly named ones the worm added
Set colServices = objWMIService.ExecQuery("Select * from Win32_Service")
nQuery = 0   ' services examined
Count = 0    ' services whose command line matches
nDel = 0     ' services actually deleted
' The command line the malicious services run (as seen in Procmon / PCHunter)
strMsg = "cmd /c net share c$=c:"

For Each objService In colServices
    'Wscript.Echo objService.DisplayName & "|" & objService.PathName & "|" & objService.State
    nQuery = nQuery + 1
    ' PathName can be Null for some services; InStr on Null would never match
    If Not IsNull(objService.PathName) Then
        ' Case-insensitive substring search so casing differences still match
        pos = InStr(1, objService.PathName, strMsg, vbTextCompare)
        If pos > 0 Then
            Count = Count + 1
            objService.StopService()
            result = objService.Delete()   ' return value 0 = success
            If result = 0 Then
                nDel = nDel + 1
            End If
        End If
    End If
Next

Wscript.Echo "This tool is to CLEAR " & strMsg & vbCrLf & "Made by XYZ " & vbCrLf & vbCrLf & _
    "Look: " & nQuery & vbCrLf & "Found: " & Count & vbCrLf & "Kill: " & nDel
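The same cleanup written in PowerShell, as an added example that is not part of the original post. It does what the VBScript above does (enumerate Win32_Service, match on the command line rather than the random service name, stop and delete), but it first writes the matches to a CSV so there is a record of what was removed, and it only deletes when run with -Remove. The indicator string is the one reported above; the parameter names, the report path and the dry-run behaviour are this example's own choices. It assumes Windows PowerShell 5.1 or later, run from an elevated prompt.

```powershell
<#
  Added example (not from the original post): find services whose command line
  contains the worm's "cmd /c net share c$=c:" string, write a report, and remove
  them only when -Remove is given. Assumes an elevated Windows PowerShell 5.1+.
#>
[CmdletBinding()]
param(
    [string]$Indicator = 'cmd /c net share c$=c:',            # command line from the post
    [string]$Report    = "$env:TEMP\netshare-services.csv",  # hypothetical report path
    [switch]$Remove                                          # default is dry run
)

# Win32_Service.PathName is the service binary path plus its arguments.
$all  = @(Get-CimInstance -ClassName Win32_Service)
$hits = @($all | Where-Object {
    $_.PathName -and
    $_.PathName.IndexOf($Indicator, [StringComparison]::OrdinalIgnoreCase) -ge 0
})

"Look: $($all.Count)  Found: $($hits.Count)"

if ($hits.Count -eq 0) {
    "No services match '$Indicator'."
    return
}

# Keep evidence before touching anything: the random names, start mode and state.
$hits | Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
"Report written to $Report"

if (-not $Remove) {
    "Dry run only. Re-run with -Remove to stop and delete these services."
    return
}

$deleted = 0
foreach ($svc in $hits) {
    # StopService and Delete are methods of the Win32_Service class; ReturnValue 0 = success.
    if ($svc.State -ne 'Stopped') {
        $null = Invoke-CimMethod -InputObject $svc -MethodName StopService
    }
    $r = Invoke-CimMethod -InputObject $svc -MethodName Delete
    if ($r.ReturnValue -eq 0) {
        $deleted++
    } else {
        Write-Warning "Could not delete $($svc.Name) (ReturnValue $($r.ReturnValue))"
    }
}
"Kill: $deleted of $($hits.Count)"
```

Run it once without -Remove and read the CSV; if the list is what you expect, run it again with -Remove. Matching on PathName is what makes this work against randomly named services, and the report is worth keeping with the incident notes, since the service names themselves tell you nothing.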
As for the analysis of this worm, the story of how it came to light is quite dramatic:
https://www.freebuf.com/column/195338.html
https://www.freebuf.com/column/196384.html
http://www.jiangmin.com/aboutus/news/security/2019/0129/357.html
https://www.360zhijia.com/anquan/441420.html
https://www.qianxin.com/other/CVE-2019-0708
http://www.sohu.com/a/292231371_120059572
Every convenience of LAN administration is also a convenient door for trojans to spread through.