致：赵冰——关于你发来的样本Mstss.exe - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛致：赵冰——关于你发来的样本Mstss.exe

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第五十次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

1

1 / 1 页

跳转页

致：赵冰——关于你发来的样本Mstss.exe

baohe 大版主帖子:72578 注册: 2003-04-10 来自:	发表于： 2007-04-07 21:07 \| 显示全部短消息资料字号：小中大 1楼致：赵冰——关于你发来的样本Mstss.exe 是网马。这个网马有点儿意思。两次植入系统后，释放的文件以及那几个插进程的dll所在的位置均有变化。查杀并不难。根据SRENG日志，删除木马启动项、处理干净进程、删除木马文件即可。 —————— 以下是第一次植入木马后的SRENG日志及释放/下载的木马文件：启动项目注册表 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <upxdhnd><C:\DOCUME~1\baohelin\LOCALS~1\Temp\upxdhnd.exe> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] <{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}><c:\program files\common files\pfshared\vswxubov.dll> [N/A] <{E464D6D7-935B-4203-9E74-8A6C60906B37}><c:\program files\common files\pfshared\lkigtece.dll> [N/A] <{C883F785-102E-2427-7ADD-5B002D13D077}><C:\windows\system32\gj.dll> [N/A] ================================== 正在运行的进程 [PID: 584][\??\C:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [c:\program files\common files\pfshared\vswxubov.dll] [N/A, N/A] [c:\program files\common files\pfshared\lkigtece.dll] [N/A, N/A] [PID: 1044][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\upxdhnd.dll] [N/A, N/A] [c:\program files\common files\pfshared\vswxubov.dll] [N/A, N/A] [c:\program files\common files\pfshared\lkigtece.dll] [N/A, N/A] [C:\windows\system32\gj.dll] [N/A, N/A] [PID: 1860][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2] [C:\windows\system32\gj.dll] [N/A, N/A] [PID: 3672][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\windows\system32\gj.dll] [N/A, N/A] [PID: 1984][C:\windows\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\windows\system32\gj.dll] [N/A, N/A] [PID: 276][C:\Program Files\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605] [C:\windows\system32\gj.dll] [N/A, N/A] 附件: 文件名:155847200747205737.jpg 下载次数:191 文件类型:image/pjpeg 文件大小: 上传时间:2007-4-7 21:07:21 描述: 预览信息:EXIF信息 User Comment : LEAD Technologies Inc. V1.01 2007-04-08 22:26:32
baohe 大版主帖子:72578 注册: 2003-04-10 来自:	分享到：

baohe 大版主帖子:72578 注册: 2003-04-10 来自:	发表于： 2007-04-07 21:08 \| 显示全部短消息资料字号：小中大 2楼以下是第二次植入木马后的SRENG日志及释放/下载的木马文件： [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] <upxdhnd><C:\DOCUME~1\baohelin\LOCALS~1\Temp\upxdhnd.exe> [N/A] <kernel32><C:\windows\Kernel32.exe> [N/A] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] <{4DEC9B29-F08F-4cbc-B179-592B9283FAB0}><c:\program files\internet download manager\pqiwgkiw.dll> [N/A] <{E464D6D7-935B-4203-9E74-8A6C60906B37}><c:\program files\internet download manager\wcxpjetr.dll> [N/A] <{C883F785-102E-2427-7ADD-5B002D13D077}><C:\windows\system32\gj.dll> [N/A] 正在运行的进程 [PID: 584][\??\C:\windows\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [c:\program files\internet download manager\pqiwgkiw.dll] [N/A, N/A] [c:\program files\internet download manager\wcxpjetr.dll] [N/A, N/A] [PID: 1608][C:\windows\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\upxdhnd.dll] [N/A, N/A] [c:\program files\internet download manager\pqiwgkiw.dll] [N/A, N/A] [c:\program files\internet download manager\wcxpjetr.dll] [N/A, N/A] [C:\windows\system32\gj.dll] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmD.tmp.rom] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmE.tmp..rom] [N/A, N/A] [PID: 2008][C:\windows\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmD.tmp.rom] [N/A, N/A] [PID: 2020][C:\Program Files\Tiny Firewall Pro\amon.exe] [Computer Associates International, Inc., 6.5.3.2] [C:\windows\system32\gj.dll] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmD.tmp.rom] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmE.tmp..rom] [N/A, N/A] [PID: 1156][C:\Program Files\Internet Download Manager\IDMan.exe] [Internet Download Manager Corp., Tonec Inc. , 5, 0, 2, 5] [C:\windows\system32\gj.dll] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmD.tmp.rom] [N/A, N/A] [PID: 2640][C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe] [TechSmith Corporation, 7.1.2.0] [C:\windows\system32\gj.dll] [N/A, N/A] [PID: 384][C:\windows\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\windows\system32\gj.dll] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmD.tmp.rom] [N/A, N/A] [PID: 3216][C:\windows\system32\conime.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] [C:\windows\system32\gj.dll] [N/A, N/A] [PID: 4036][C:\Program Files\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605] [C:\windows\system32\gj.dll] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmD.tmp.rom] [N/A, N/A] [C:\DOCUME~1\baohelin\LOCALS~1\Temp\~TmE.tmp..rom] [N/A, N/A] 附件: 文件名:155847200747205836.jpg 下载次数:239 文件类型:image/pjpeg 文件大小: 上传时间:2007-4-7 21:08:20 描述: 预览信息:EXIF信息 User Comment : LEAD Technologies Inc. V1.01
baohe 大版主帖子:72578 注册: 2003-04-10 来自:

<<上一主题|下一主题>>

1

1 / 1 页

跳转页

页面顶部

Powered by Discuz!NT