Author: lens690
[Experience sharing] PortLess BackDoor: a backdoor I ran into recently, hooked onto Svchost.exe...
Virus name: PortLess BackDoor (IPRIP)
Virus main files: backexe.exe, hedll.dll, hesys.sys, svchostdll.dll

Virus footprint (data obtained from an information security forum):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PortLess\FdsnqbTsuni`: "tjnkbu"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PortLess\Wfttphuc: "tofiXdo"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 6D 00 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ImagePath: "%SystemRoot%\System32\Svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 6D 00 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\Svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"

As can be seen, PortLess BackDoor V1.2 registers itself as the service IPRIP, and the startup command it uses is "%SystemRoot%\System32\Svchost.exe -k netsvcs".

My own cleanup procedure:
1. Noticed Svchost.exe eating all the CPU. Inspected that process with Process Explorer and found an abnormal module (hedll.dll); removed it with IceSword (Process Explorer could not remove it), and the process's CPU usage dropped.
2. Checked with SREng and found an unknown service in the service list (the user's machine was very messy, so it took a long time to spot). Found the location the service pointed to, removed the service, then went to that location and deleted the offending file.
3. Rebooted; everything back to normal.
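The registration pattern shown above (a service whose ImagePath is "Svchost.exe -k netsvcs" while its real code lives in Parameters\ServiceDll) is exactly what step 2 of the cleanup was hunting for by hand in SREng. The script below is an added example, not code from the original post or from any of the tools it mentions: it parses a registry dump in the same "full key path: data" line format as the one above, collects every svchost-hosted service, and compares each ServiceDll file name against an analyst-supplied baseline taken from a known-clean host of the same Windows build. The SAMPLE_DUMP (IPRIP lines copied from the post plus a constructed RpcSs control entry) and the BASELINE mapping, including the assumption that a legitimate IPRIP service would load iprip.dll, are constructed for this example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input in the same line format as the dump in the post.
# The IPRIP lines are the values listed above; the RpcSs lines are a constructed
# benign control so the audit has something that should NOT be flagged.
SAMPLE_DUMP = r'''
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\Svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Parameters\ServiceDll: "%SystemRoot%\system32\rpcss.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\ImagePath: "%SystemRoot%\system32\svchost.exe -k rpcss"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\DisplayName: "Remote Procedure Call (RPC)"
'''

# Assumption: baseline of lower-case service name -> expected ServiceDll file name,
# exported from a known-clean machine of the same build. Only two entries here.
BASELINE = {'iprip': 'iprip.dll', 'rpcss': 'rpcss.dll'}

# One dump line: HKLM\SYSTEM\<ControlSetNNN|CurrentControlSet>\Services\<name>\<value path>: <data>
_LINE_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\'
    r'([^\\]+)\\(.+?):\s(.*)$'
)


def parse_services(dump: str) -> dict:
    """Group dump lines by service name -> {value path: data}.

    Quoted string data loses its surrounding quotes; DWORD/hex data is kept as text.
    ControlSet001 and CurrentControlSet carry the same values, so later lines simply
    overwrite earlier ones. Lines outside the Services hive are ignored."""
    services = defaultdict(dict)
    for raw in dump.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        name, value_path, data = m.groups()
        data = data.strip()
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]
        services[name][value_path] = data
    return dict(services)


def svchost_group(image_path: str):
    """Return the lower-case '-k' group name if ImagePath launches svchost.exe, else None."""
    m = re.search(r'svchost\.exe\s+-k\s+(\S+)', image_path, re.IGNORECASE)
    return m.group(1).lower() if m else None


def audit_svchost_services(services: dict, baseline: dict) -> list:
    """Flag svchost-hosted services whose ServiceDll disagrees with the baseline.

    A service is reported when it is hosted by svchost.exe and either is absent from
    the baseline entirely or loads a different ServiceDll file than expected."""
    findings = []
    for name, values in services.items():
        group = svchost_group(values.get('ImagePath', ''))
        if group is None:
            continue  # not hosted by svchost.exe; out of scope for this check
        dll_path = values.get(r'Parameters\ServiceDll', '')
        dll = ntpath.basename(dll_path).lower()
        expected = baseline.get(name.lower())
        if expected is None:
            reason = 'svchost-hosted service not present in baseline'
        elif dll != expected:
            reason = f'ServiceDll mismatch: expected {expected}, found {dll or "<missing>"}'
        else:
            continue
        findings.append({
            'service': name,
            'group': group,
            'service_dll': dll_path,
            'display_name': values.get('DisplayName', ''),
            'reason': reason,
        })
    return findings


if __name__ == '__main__':
    for f in audit_svchost_services(parse_services(SAMPLE_DUMP), BASELINE):
        print(f"[{f['service']}] group={f['group']} dll={f['service_dll']} "
              f"display='{f['display_name']}' :: {f['reason']}")
```

On the sample input only IPRIP is reported: it is hosted in the netsvcs group but loads Svchostdll.dll instead of the iprip.dll the baseline expects, while the RpcSs control entry matches and stays silent. The same parser works on a dump of the whole Services key, and the baseline is the piece a defender has to supply from a clean reference machine rather than from memory.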

Posted: 2007-02-08 17:40