The sample comes from Kafan; as of the 25th it still gets past Kaspersky, Rising, AVG, BD, Dr and quite a few others. It targets servers.
Additional Information
File size: 186368 bytes
CRC32 : 1A710DE6
MD5: 58b63ede251db82494cb134de08c2d50
SHA1: f750d2f6b3f12cd18bbe59fdc3cde4c0f92be0d0
HAVAL(128bit,pass=5): F288A912094640E5D842F479FF8DC1CE
packers: ASPack 2.12
Language: Microsoft Visual Basic 5.0 / 6.0
Written in VB, and far from simple: it implements itself as a system service.
Drops:
%Systemroot%\system32\Lcass.dll 180224 bytes
%Systemroot%\system32\Lcass.exe 186368 bytes
%Systemroot%\system32\Ntsvc.ocx 34304 bytes
%Systemroot%\system32\Mswinsck.ocx (this one was seen in the disassembly, but it was not created during testing)
Registry modifications:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4c,00,63,00,61,00,73,00,73,\
00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="PnP plug 0n Service"
"ObjectName"="LocalSystem"
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,53,00,45,\
00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00
"Description"="稳定软件与硬件的通讯缓冲区,使计算机的硬件更改不会成生一个非公用套接字。终止或禁用此服务会造成系统不稳定。"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\PnP plug 0n Service]
"EventMessageFile"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4e,00,74,00,73,00,\
76,00,63,00,2e,00,6f,00,63,00,78,00,00,00
"TypesSupported"=dword:00000007
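As an added example (not part of the original post and not the malware's own code), here is a small Python parser for the .reg-style dump above. It joins the backslash-continued lines, decodes hex(2) values (REG_EXPAND_SZ, stored as UTF-16LE) and dword values, and then flags a service whose ImagePath is Lcass.exe, auto-starts (Start=2) and runs as LocalSystem. The key path and value bytes embedded below are copied from the dump; the function names are my own.

```python
import re
# Sample input, constructed for this example: the service key from the dump above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PnP plug 0n Service]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,4c,00,63,00,61,00,73,00,73,\
00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"""
def _decode_value(raw):
    """Decode the right-hand side of a .reg line: dword, hex(N), or quoted string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data  # REG_BINARY and anything else stays raw
    return raw.strip('"')

def parse_reg(text):
    """Return {key_path: {value_name: value}}, joining backslash-continued lines."""
    keys, current, buf = {}, None, ""
    for line in text.splitlines():
        line = line.strip()  # the dump above lost the leading spaces of continuation lines
        if line.endswith("\\"):  # value continues on the next line
            buf += line[:-1]
            continue
        buf += line
        if buf.startswith("["):
            current = buf.strip("[]")
            keys[current] = {}
        elif "=" in buf and current is not None:
            name, _, raw = buf.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw)
        buf = ""
    return keys

def find_lcass_service(keys):
    """Return the path of a service key matching the post's persistence traits, else None."""
    for path, vals in keys.items():
        image = str(vals.get("ImagePath", "")).lower()
        if image.endswith(r"\lcass.exe") and vals.get("Start") == 2 \
                and vals.get("ObjectName") == "LocalSystem":
            return path
    return None
```

The same parser decodes the EventMessageFile value under Eventlog\Application the same way, since it is also a hex(2) string.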
Once running it keeps trying to reach the local network, but none of the attempts succeeded.
It stays resident as a process listening on TCP port 88.
It modifies the server's user permissions; almost every file format can be uploaded:
0041E9C3 mov dword ptr [ebp-400], 00407A1C UNICODE "</blockquote></body></html>"
0041EF5D push 00407DFC UNICODE ".EXE"
0041EF72 mov dword ptr [ebp-DC], 00407C00 UNICODE "application/x-msdownloa"
0041EFA6 push 00407860 UNICODE ".RTF"
0041EFBB mov dword ptr [ebp-DC], 00407E0C UNICODE "application/rtf"
0041EFEF push 00407E30 UNICODE ".JS"
0041F004 mov dword ptr [ebp-DC], 00407E3C UNICODE "application/x-javascript"
0041F038 push 00407E74 UNICODE ".SWF"
0041F04D mov dword ptr [ebp-DC], 00407E84 UNICODE "application/x-shockwave-flash"
0041F081 push 00407EC4 UNICODE ".ZIP"
0041F096 mov dword ptr [ebp-DC], 00407ED4 UNICODE "application/x-zip-compressed"
0041F0CA push 00407F14 UNICODE ".RAR"
0041F0DF mov dword ptr [ebp-DC], 00407ED4 UNICODE "application/x-zip-compressed"
0041F113 push 00407F24 UNICODE ".GIF"
0041F128 mov dword ptr [ebp-DC], 00406968 UNICODE "image/gif"
0041F15C push 00407F34 UNICODE ".JPG"
0041F171 mov dword ptr [ebp-DC], 00407F44 UNICODE "image/jpeg"
0041F1A5 push 00407F60 UNICODE ".TIF"
0041F1BA mov dword ptr [ebp-DC], 00407F70 UNICODE "image/tiff"
0041F1EE push 00407F8C UNICODE ".BMP"
0041F203 mov dword ptr [ebp-DC], 004068E4 UNICODE "image/bmp"
0041F237 push 00407F9C UNICODE ".MP3"
0041F24C mov dword ptr [ebp-DC], 00407FAC UNICODE "audio/x-mpeg"
0041F280 push 00407870 UNICODE ".RM"
0041F295 mov dword ptr [ebp-DC], 00407FCC UNICODE "audio/x-pn-realaudio"
0041F2C9 push 00407FFC UNICODE ".MID"
0041F2DE mov dword ptr [ebp-DC], 0040800C UNICODE "audio/x-midi"
0041F312 push 0040802C UNICODE ".MPEG"
0041F327 mov dword ptr [ebp-DC], 0040803C UNICODE "video/mpeg"
0041F35B push 00408058 UNICODE ".MPG"
0041F370 mov dword ptr [ebp-DC], 0040803C UNICODE "video/mpeg"
0041F3A4 push 00408068 UNICODE ".ASF"
0041F3B9 mov dword ptr [ebp-DC], 00408078 UNICODE "video/x-ms-asf"
0041F3ED push 0040809C UNICODE ".WMV"
0041F402 mov dword ptr [ebp-DC], 004080AC UNICODE "video/x-ms-wmv"
0041F436 push 004080D0 UNICODE ".AVI"
0041F44B mov dword ptr [ebp-DC], 004080E0 UNICODE "video/x-msvideo"
0041F47F push 00408104 UNICODE ".HTM"
0041F494 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F4C8 push 0040812C UNICODE ".HTML"
0041F4DD mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F511 push 0040813C UNICODE ".TXT"
0041F526 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F55A push 0040814C UNICODE ".BAS"
0041F56F mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F5A3 push 0040815C UNICODE ".BAT"
0041F5B8 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F5EC push 0040816C UNICODE ".INI"
0041F601 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F635 push 00407730 UNICODE ".REG"
0041F64A mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F67E push 00408180 UNICODE ".LOG"
0041F693 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F6C7 push 00408190 UNICODE ".C"
0041F6DC mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F710 push 0040819C UNICODE ".CPP"
0041F725 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F759 push 004081AC UNICODE ".H"
0041F76E mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
0041F79F push 0040813C UNICODE ".TXT"
0041F7B4 mov dword ptr [ebp-DC], 00408114 UNICODE "text/html"
Whew``
It also searches the database for some image-format web pages; it seems to want to plant an ANI trojan. It's a mess, and I can't make sense of it either```
It should also traverse the partitions and create Autorun.inf and Lcass.exe, but this did not show up in testing..
Fix:
Download from [url]http://gudugengkekao.ys168.com/[/url]:
SREng.rar 597KB
PowerRmv.com 101KB
First open PowerRmv and enter:
C:\autorun.inf
C:\RECYCLER\Lcass.exe
D:\autorun.inf
D:\RECYCLER\Lcass.exe
E:\autorun.inf
E:\RECYCLER\Lcass.exe
F:\autorun.inf
F:\RECYCLER\Lcass.exe
C:\Windows\system32\Lcass.dll
C:\Windows\system32\Lcass.exe
Then search the system files for Lcass.exe and Lcass.dll and delete every copy you find``
Open SREng and delete:
Services:
[PnP plug 0n Service / PnP plug 0n Service][Stopped/Auto Start]
<C:\winnt\system32\Lcass.exe><Miorosoft>
Also:
%Systemroot%\system32\Ntsvc.ocx 34304 bytes
%Systemroot%\system32\Mswinsck.ocx
These two files have a dual nature; if you want to delete them, it is recommended to back them up first.
Done````
If you do delete it, please come leave a comment on my blog`````3Q`