分析完了...
nSPack 2.1 - 2.5
北斗壳...
不大好玩,还是老样子,注入IE,试图反弹连接
偶阻止了 >_<
(没空和它搅和)
创建
%windir%\Hacker.com.cn.exe
%windir%\uninstal.bat
添加注册表服务Services
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowns]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,48,00,\
61,00,63,00,6b,00,65,00,72,00,2e,00,63,00,6f,00,6d,00,2e,00,63,00,6e,00,2e,\
00,65,00,78,00,65,00,00,00
"DisplayName"="windowns"
"
ObjectName"="LocalSystem"
"Description"="windowns"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowns\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
00,01,01,00,00,00,00,00,05,12,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowns\Enum]
"0"="Root\\LEGACY_WINDOWNS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
[windowns / windowns][Running/Auto Start]
<C:\winnt\Hacker.com.cn.exe><N/A>
这个是添加的服务
后来用灰鸽子工作室的专杀检测不到.....
江民的也检测不到..
哈哈,后来用SREng分析下,直接删除掉咧
呼呼
