Hmily
Posted on 2009-9-17 18:22
This one has been going around a lot lately. Killing the trojan leaves the Start menu broken, so here is a rundown of what it does.
shell64.dll, wscnlv.dll and msocx are all the same file, just stored under different paths.
The locations are:
C:\Program Files\Common Files\System\msocx
C:\WINDOWS\system32\wscnlv.dll (injected into winlogon.exe)
C:\WINDOWS\system32\shell64.dll (injected into explorer.exe)
C:\WINDOWS\system32\bdsl2.dll (this one seems to be an IE-related plugin)
shell64.dll and wscnlv.dll show up as loaded modules inside processes: first locate the modules with XueTr, then delete the files directly; the other two can be deleted by hand. After deleting them you will find the Start menu no longer works, because the trojan has replaced a registry value.
[HKEY_CLASSES_ROOT\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}\InProcServer32]
@="C:\\WINDOWS\\system32\\SHELL64.DLL"
"ThreadingModel"="Apartment"
The original value should be %SystemRoot%\system32\shell32.dll; the trojan replaced it and inserted itself as a go-between, so killing it breaks the functionality. It has to be changed back to shell32.dll.
[HKEY_CLASSES_ROOT\CLSID\{5b4dae26-b807-11d0-9815-00c04fd91972}\LOCALSYSTEM]
@="C;^ZMSJOXU_w~ytfo66aYHFNO774dmn"
[HKEY_CLASSES_ROOT\CLSID\{AFA0C9F8-324C-4567-B4AC-E4DB8E186BD4}\InprocServer32]
@="C:\\Program Files\\Common Files\\SYSTEM\\msocx"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr"=dword:00000001
"PlaySound"=dword:00000001
"UseSecBand"=dword:00000000
"BlockUserInit"=dword:00000000
"UseTimerMethod"=dword:00000000
"UseHooks"=dword:00000000
"AllowHTTPS"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ShellService"="{AFA0C9F8-324C-4567-B4AC-E4DB8E186BD4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wscnlv]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartShell"="WLEventStartShell"
"DLLName"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,73,00,63,\
00,6e,00,6c,00,76,00,2e,00,64,00,6c,00,6c,00,00,00
Apart from that, deleting the five keys it created is all that is needed.
The strings inside shell64.dll are as follows:
I have also packed up the files; extraction password: 52pojie
Attachment: dll.7z (83.32 KB)