好友
阅读权限40
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 smallyou93 于 2009-4-23 20:56 编辑
释放文件:
%Temp%\7.tmp
以程序自身的安全设置启动进程7.tmp
7.tmp创建文件
%SystemRoot%\System32\kender.dll
并安装服务ko并启动
[系统安全 / ko][Running/Auto Start]
<C:\WINDOWS\system32\svchost.exe -k netsvcs-->C:\WINDOWS\system32\kender.dll><N/A>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ko]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,\
00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,\
6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="系统安全"
"ObjectName"="LocalSystem"
"Description"="系统安全"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ko\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6b,00,65,00,\
6e,00,64,00,65,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ko\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ko\Enum]
"0"="Root\\LEGACY_KO\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
注册表:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs]
6to4 ko AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov napagent hkmsvc BITS wuauserv ShellHWDetection helpsvc WmdmPmSN
删除自身Setup.exe
延迟删除%Temp%\7.tmp
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\PendingFileRenameOperations]
\??\C:\DOCUME~1\SMALLY~1\LOCALS~1\Temp\7.tmp
进程结束 |
-
-
Setup.zip
62.26 KB, 下载次数: 6, 下载积分: 吾爱币 -1 CB
-
-
kender.zip
53.83 KB, 下载次数: 1, 下载积分: 吾爱币 -1 CB
%SystemRoot%\System32\kender.dll
|
[复制链接]
发表于 2009-4-23 20:51
发表于 2009-4-23 21:04
|
发表于 2009-4-23 21:07
发表于 2009-4-23 21:55
