Dropped files:
%Systemroot%\system32\Lcass.dll  180224 bytes
%Systemroot%\system32\Lcass.exe  186368 bytes
%Systemroot%\system32\Ntsvc.ocx  34304 bytes
%Systemroot%\system32\Mswinsck.ocx  (this one appears in the disassembly, but it was not created during testing)
Registry changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4c,00,63,00,61,00,73,00,73,\
  00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="PnP plug 0n Service"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,45,\
  00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"Description"="稳定软件与硬件的通讯缓冲区,使计算机的硬件更改不会成生一个非公用套接字。终止或禁用此服务会造成系统不稳定。"
(The Description string reads, in English: "Stabilizes the communication buffer between software and hardware so that hardware changes on the computer do not generate a non-public socket. Stopping or disabling this service will make the system unstable.")

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,68,06,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,68,06,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PnP plug 0n Service]
"EventMessageFile"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,\
  00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,74,00,73,00,\
  76,00,63,00,2e,00,6f,00,63,00,78,00,00,00
"TypesSupported"=dword:00000007
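To see what the service registration above actually configures, here is an added Python example (not from the original write-up) that decodes the exported .reg values: the hex(2) ImagePath and EventMessageFile back into their UTF-16 strings, and the Type/Start dwords into their Win32 service constants. The .reg text inside the script is copied from the values listed above (Description and Security left out); the parser and the constant table are this example's own.

```python
"""Decode the service registration exported above in .reg format.
Added example, not from the original write-up. REG_FRAGMENT is copied from the
registry values shown on the page (Description and Security omitted); the
SERVICE_* constant names come from the Windows SDK."""
import re

# Copied from the registry export above. .reg files wrap long hex values with a
# trailing backslash; parse_reg() joins those continuation lines before decoding.
REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4c,00,63,00,61,00,73,00,73,\
  00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="PnP plug 0n Service"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PnP plug 0n Service]
"EventMessageFile"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,\
  00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,74,00,73,00,\
  76,00,63,00,2e,00,6f,00,63,00,78,00,00,00
"TypesSupported"=dword:00000007
'''

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service"
EVENTLOG_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog"
                r"\Application\PnP plug 0n Service")

# Windows SDK service type bits and start values (winsvc.h).
SERVICE_TYPE_FLAGS = {
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}


def decode_value(raw):
    """Decode one .reg value: dword, hex (binary), hex(2) (REG_EXPAND_SZ as UTF-16LE) or quoted string."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex"):
        kind, _, payload = raw.partition(":")
        data = bytes(int(b, 16) for b in re.split(r"[,\s]+", payload.strip()) if b)
        if kind == "hex(2)":
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw.strip('"')


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg fragment."""
    keys, current = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continuation lines
        line = line.strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, raw = line.partition("=")
        keys[current][name.strip('"')] = decode_value(raw.strip())
    return keys


def describe_service(values):
    """Summarise how the service is registered: type bits, start mode, binary and account."""
    return {
        "type": [name for bit, name in SERVICE_TYPE_FLAGS.items() if values["Type"] & bit],
        "start": START_TYPES.get(values["Start"], "unknown"),
        "image": values["ImagePath"],
        "account": values["ObjectName"],
    }


if __name__ == "__main__":
    keys = parse_reg(REG_FRAGMENT)
    for field, value in describe_service(keys[SERVICE_KEY]).items():
        print(f"{field:8} {value}")
    print(f"eventlog {keys[EVENTLOG_KEY]['EventMessageFile']}")
```

Running it shows the service as an auto-started, interactive own-process service running as LocalSystem from C:\winnt\system32\Lcass.exe, with Ntsvc.ocx registered as its event message file; the decoded image path is also the string to look for when checking whether the service is still registered after cleanup.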
After it runs it keeps trying to reach hosts on the LAN, but none of the attempts succeed.
It stays resident as a process listening on TCP port 88.
It modifies the server's user permissions so that files of almost any format can be uploaded; the disassembly shows the extension-to-Content-Type table it uses:
0041E9C3 mov dword ptr [ebp-400], 00407A1C UNICODE "</blockquote></body></html>"
0041EF5D push 00407DFC UNICODE ".EXE"   0041EF72 mov dword ptr [ebp-DC], 00407C00 UNICODE "application/x-msdownloa"
0041EFA6 push 00407860 UNICODE ".RTF"   0041EFBB mov dword ptr [ebp-DC], 00407E0C UNICODE "application/rtf"
0041EFEF push 00407E30 UNICODE ".JS"    0041F004 mov dword ptr [ebp-DC], 00407E3C UNICODE "application/x-javascript"
0041F038 push 00407E74 UNICODE ".SWF"   0041F04D mov dword ptr [ebp-DC], 00407E84 UNICODE "application/x-shockwave-flash"
0041F081 push 00407EC4 UNICODE ".ZIP"   0041F096 mov dword ptr [ebp-DC], 00407ED4 UNICODE "application/x-zip-compressed"
0041F0CA push 00407F14 UNICODE ".RAR"   0041F0DF mov dword ptr [ebp-DC], 00407ED4 UNICODE "application/x-zip-compressed"
0041F113 push 00407F24 UNICODE ".GIF"   0041F128 mov dword ptr [ebp-DC], 00406968 UNICODE "image/gif"
0041F15C push 00407F34 UNICODE ".JPG"   0041F171 mov dword ptr [ebp-DC], 00407F44 UNICODE "image/jpeg"
0041F1A5 push 00407F60 UNICODE ".TIF"   0041F1BA mov dword ptr [ebp-DC], 00407F70 UNICODE "image/tiff"
0041F1EE push 00407F8C UNICODE ".BMP"   0041F203 mov dword ptr [ebp-DC], 004068E4 UNICODE "image/bmp"
0041F237 push 00407F9C UNICODE ".MP3"   0041F24C mov dword ptr [ebp-DC], 00407FAC UNICODE "audio/x-mpeg"
0041F280 push 00407870 UNICODE ".RM"    0041F295 mov dword ptr [ebp-DC], 00407FCC UNICODE "audio/x-pn-realaudio"
0041F2C9 push 00407FFC UNICODE ".MID"   0041F2DE mov dword ptr [ebp-DC], 0040800C UNICODE "audio/x-midi"
0041F312 push 0040802C UNICODE ".MPEG"  0041F327 mov dword ptr [ebp-DC], 0040803C UNICODE "video/mpeg"
0041F35B push 00408058 UNICODE ".MPG"   0041F370 mov dword ptr [ebp-DC], 0040803C UNICODE "video/mpeg"
0041F3A4 push 00408068 UNICODE ".ASF"   0041F3B9 mov dword ptr [ebp-DC], 00408078 UNICODE "video/x-ms-asf"
0041F3ED push 0040809C UNICODE ".WMV"   0041F402 mov dword ptr [ebp-DC], 004080AC UNICODE "video/x-ms-wmv"
0041F436 push 004080D0 UNICODE ".AVI"   0041F44B mov dword ptr [ebp-DC], 004080E0 UNICODE "video/x-msvideo"
0041F47F push 00408104 UNICODE ".HTM"   0041F494 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F4C8 push 0040812C UNICODE ".HTML"  0041F4DD mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F511 push 0040813C UNICODE ".TXT"   0041F526 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F55A push 0040814C UNICODE ".BAS"   0041F56F mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F5A3 push 0040815C UNICODE ".BAT"   0041F5B8 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F5EC push 0040816C UNICODE ".INI"   0041F601 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F635 push 00407730 UNICODE ".REG"   0041F64A mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F67E push 00408180 UNICODE ".LOG"   0041F693 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F6C7 push 00408190 UNICODE ".C"     0041F6DC mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F710 push 0040819C UNICODE ".CPP"   0041F725 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F759 push 004081AC UNICODE ".H"     0041F76E mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F79F push 0040813C UNICODE ".TXT"   0041F7B4 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
(sweat)
It also looks up some image-format web pages in the database; it seems to be trying to plant an ANI trojan. It is a mess and I can't make sense of it either.
It should also walk the partitions and create Autorun.inf and Lcass.exe on each, though this did not show up during testing.
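As an added example (not part of the original analysis), the following Python helpers turn the two behaviours just described into checks an administrator can run from saved command output: find which process owns a TCP listener on port 88 from `netstat -ano` and `tasklist` output, and list the drive roots where Autorun.inf and Lcass.exe sit side by side. The netstat/tasklist text, the PID 1372 and the file list embedded below are constructed sample data, not captures from a real infection.

```python
"""Triage checks for the behaviour described above: a resident process listening
on TCP port 88 and Autorun.inf + Lcass.exe dropped on partition roots.
Added example, not from the original write-up. All sample output and paths
below are constructed; nothing here was captured from a real infection."""
import os
import re

# Constructed `netstat -ano` output; PID 1372 and the addresses are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       1372
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:88             *:*                                    1372
"""

# Constructed `tasklist` output matching the PIDs above.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Console                    0         28 K
svchost.exe                    804 Console                    0      3,456 K
Lcass.exe                     1372 Console                    0      5,120 K
"""

# Constructed list of files found at drive roots. E: holds only a lone
# autorun.inf (as an optical disc legitimately would); F: is clean.
SAMPLE_ROOT_FILES = [r"C:\autorun.inf", r"C:\Lcass.exe",
                     r"D:\autorun.inf", r"D:\Lcass.exe",
                     r"E:\autorun.inf"]


def tcp_listeners(netstat_text):
    """Parse netstat -ano output into (local_port, pid) pairs for TCP LISTENING sockets."""
    found = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", line)
        if m:
            found.append((int(m.group(2)), int(m.group(3))))
    return found


def pid_to_image(tasklist_text):
    """Map PID -> image name from tasklist output (header and separator rows do not match)."""
    images = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def suspicious_listeners(netstat_text, tasklist_text, port=88):
    """Return [(pid, image)] for every process listening on the given TCP port."""
    images = pid_to_image(tasklist_text)
    return [(pid, images.get(pid, "<unknown>"))
            for local_port, pid in tcp_listeners(netstat_text) if local_port == port]


def autorun_drops(root_files, drives="CDEF"):
    """Drive letters whose root holds both autorun.inf and Lcass.exe (the dropper pair)."""
    present = {p.lower() for p in root_files}
    return [d for d in drives
            if f"{d}:\\autorun.inf".lower() in present
            and f"{d}:\\lcass.exe".lower() in present]


def autorun_drops_on_disk(drives="CDEF"):
    """Same check against the live filesystem (only meaningful on Windows)."""
    candidates = [f"{d}:\\{name}" for d in drives for name in ("autorun.inf", "Lcass.exe")]
    return autorun_drops([p for p in candidates if os.path.exists(p)], drives)


if __name__ == "__main__":
    print("TCP 88 listeners:", suspicious_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
    print("autorun.inf + Lcass.exe pairs:", autorun_drops(SAMPLE_ROOT_FILES))
```

On a live machine, feed the real output of `netstat -ano` and `tasklist` to `suspicious_listeners()` and call `autorun_drops_on_disk()`; a listener on port 88 owned by an image other than a known Kerberos service, or any drive root carrying the autorun.inf/Lcass.exe pair, is the signal that the cleanup below is still needed.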
Removal:
Download SREng.rar and PowerRmv.com from down.45it.com.
First open PowerRmv and enter the following file paths one at a time to delete them:
C:\autorun.inf
C:\Lcass.exe
D:\autorun.inf
D:\Lcass.exe
E:\autorun.inf
E:\Lcass.exe
F:\autorun.inf
F:\Lcass.exe
C:\Windows\system32\Lcass.dll
C:\Windows\system32\Lcass.exe
Open SREng (detailed steps: open SREng, then Startup Items, then Win32 Service Applications) and delete:
Service:
[PnP plug 0n Service / PnP plug 0n Service][Stopped/Auto Start] <C:\winnt\system32\Lcass.exe><Miorosoft>
Also:
%Systemroot%\system32\Ntsvc.ocx  34304 bytes
%Systemroot%\system32\Mswinsck.ocx
These two files are dual-use (legitimate components that other software may also need); if you decide to delete them, back them up first, otherwise other unexpected problems may appear.
Cleanup complete.