Posted by: lens690
[Experience share] PortLess BackDoor: a backdoor I ran into recently, bound to Svchost.exe...
Malware name: PortLess BackDoor (IPRIP)
Malware files: backexe.exe, hedll.dll, hesys.sys, svchostdll.dll

Malware footprint (data obtained from a security forum):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PortLess\FdsnqbTsuni`: "tjnkbu"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\PortLess\Wfttphuc: "tofiXdo"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 6D 00 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ImagePath: "%SystemRoot%\System32\Svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 6D 00 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\Svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"

As can be seen, PortLess BackDoor V1.2 registered itself as the service IPRIP; the start command it uses is "%SystemRoot%\System32\Svchost.exe -k netsvcs".

How I handled it:
1. Noticed Svchost.exe eating all the CPU. Inspected that process with Process Explorer and found an unfamiliar module loaded in it (hedll.dll). Removed it with IceSword (Process Explorer could not remove it), and the load dropped.
2. Checked with SREng and found an unknown service in the service list (the user's machine was a mess, so this took a long time to spot). Worked out the location the service pointed to, removed the program entry, then went to that location and deleted the offending files.
3. Rebooted; everything back to normal.

Posted: 2007-02-08 17:40
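As an added example (not part of the original post and not the malware's own code), a small Python triage script that reads a registry listing in the same "path: value" layout as the footprint quoted above and flags svchost-hosted services whose ServiceDll is not the DLL expected for that service name, or that carry an unusual Parameters\program value. The baseline table and the benign Dnscache entries are my own assumptions, constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the same "path: value" layout as the footprint quoted
# in the post; the Dnscache entries are made up here as a benign comparison.
FOOTPRINT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\Svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll: "%SystemRoot%\System32\dnsrslvr.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\ImagePath: "%SystemRoot%\System32\svchost.exe -k NetworkService"
"""
# Assumed baseline (placeholder, not a complete table): the DLL each
# svchost-hosted service is expected to load as its ServiceDll.
KNOWN_SERVICE_DLL = {"iprip": "iprip.dll", "dnscache": "dnsrslvr.dll"}
LINE_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\(.+?): (.*)$')

def parse_footprint(text):
    """Group 'path: value' lines by service; value names keep their subkey prefix."""
    services = defaultdict(dict)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            name, value_name, value = m.groups()
            services[name][value_name] = value.strip('"')
    return services

def suspicious_svchost_services(services):
    """Return {service: [reasons]} for svchost-hosted services deviating from baseline."""
    findings = {}
    for name, values in services.items():
        if "svchost.exe" not in values.get("ImagePath", "").lower():
            continue  # only services loaded inside svchost.exe are in scope
        reasons = []
        dll = values.get(r"Parameters\ServiceDll", "")
        expected = KNOWN_SERVICE_DLL.get(name.lower())
        if expected and dll.lower().rsplit("\\", 1)[-1] != expected:
            reasons.append(f"ServiceDll {dll!r} is not the expected {expected}")
        if r"Parameters\program" in values:
            reasons.append("unexpected Parameters\\program value")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for svc, why in suspicious_svchost_services(parse_footprint(FOOTPRINT)).items():
        print(svc, "->", "; ".join(why))
```

On the sample above only IPRIP is reported, for both its foreign ServiceDll and the extra program value; a real run would feed it an export of the Services key instead of the embedded text.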
