After analysing and testing samples, DF 6.0, DF 6.1, DF 6.2 and earlier versions were all successfully penetrated. This is a trojan downloader: it uses a driver file named PCIHDD.SYS to fight DF for control of the hard disk, and it modifies userinit.exe to achieve a fully hidden start at boot. Current temporary workarounds: (1) block the IPs; (2) create an immunization file named pcihdd.sys under c:\windows\system32\drivers.
Freshly written ROS script; add whatever else you need yourself.
Quoted content:
/ ip firewall filter
add chain=forward c.8s7.net/cert.cer action=reject comment="DF6.0"
add chain=forward c.tomwg.com/mm/mm.jpg action=reject
add chain=forward c.tomwg.com/mm/wow.jpg action=reject
add chain=forward c.tomwg.com/mm/mh011.jpg action=reject
add chain=forward c.tomwg.com/mm/zt.jpg action=reject
add chain=forward c.tomwg.com/mm/wl.jpg action=reject
add chain=forward c.tomwg.com/mm/wd.jpg action=reject
add chain=forward c.tomwg.com/mm/tl.jpg action=reject
add chain=forward c.tomwg.com/mm/dh3.jpg action=reject
/ ip firewall filter
add chain=forward c.221.254.103 action=reject comment="DF6.0"
Batch file (note: this batch file is best run after the restore software has been installed.)
Quoted content:
rem Create the immunization placeholder so the real driver cannot be written to this path
echo tinking > c:\windows\system32\drivers\pcihdd.sys
rem Note: without /E, cacls replaces the file's whole ACL rather than editing it
echo y|cacls c:\windows\system32\drivers\pcihdd.sys /c /d everyone
rem Deny Everyone on userinit.exe, then replace that with read-only access so the file cannot be modified
echo y|cacls c:\windows\system32\userinit.exe /c /d everyone
echo y|cacls c:\windows\system32\userinit.exe /c /p everyone:r
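As an added example (not part of the original post), a Python check a defender can run to verify the state of the two files the downloader touches: whether pcihdd.sys is absent, is the small immunization placeholder, or is a real PE driver image, and whether userinit.exe still matches a SHA-256 baseline. The paths are the ones the post names; the baseline digest is an assumed input recorded on a known-clean machine, and dry_run() works on constructed sample files in a temporary directory rather than the real system paths.

```python
import hashlib
import os
import struct
import tempfile

# Paths named in the post: the downloader's driver and the file it patches.
PCIHDD_PATH = r"C:\Windows\System32\drivers\pcihdd.sys"
USERINIT_PATH = r"C:\Windows\System32\userinit.exe"

def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify_pcihdd(path: str = PCIHDD_PATH) -> str:
    """'absent': nothing at the path; 'placeholder': small non-PE file such as the
    post's 'echo tinking >' immunization file; 'pe_image': a real driver image,
    which a clean system does not have at this path, so investigate."""
    if not os.path.isfile(path):
        return "absent"
    with open(path, "rb") as fh:
        data = fh.read(4096)
    if is_pe_image(data):
        return "pe_image"
    return "placeholder" if os.path.getsize(path) < 1024 else "unknown"

def userinit_unchanged(expected_sha256: str, path: str = USERINIT_PATH) -> bool:
    """Compare userinit.exe with a SHA-256 baseline recorded on a known-clean machine (assumed input)."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest().lower() == expected_sha256.lower()

def dry_run() -> dict:
    """Classify constructed samples in a temp directory; no real system paths are touched."""
    d = tempfile.mkdtemp()
    placeholder, dropped, userinit = (os.path.join(d, n) for n in ("pcihdd.sys", "dropped.sys", "userinit.exe"))
    with open(placeholder, "wb") as fh: fh.write(b"tinking\n")  # what the post's batch file writes
    # Constructed minimal PE-shaped header (e_lfanew = 0x40 -> "PE\0\0"), not a real driver.
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    with open(dropped, "wb") as fh: fh.write(fake_pe)
    stand_in = b"constructed stand-in for userinit.exe"
    with open(userinit, "wb") as fh: fh.write(stand_in)
    return {
        "absent": classify_pcihdd(os.path.join(d, "missing.sys")),
        "placeholder": classify_pcihdd(placeholder),
        "dropped": classify_pcihdd(dropped),
        "userinit_ok": userinit_unchanged(hashlib.sha256(stand_in).hexdigest(), userinit),
        "userinit_tampered": userinit_unchanged("00" * 32, userinit),
    }
```

On a live machine, call classify_pcihdd() and userinit_unchanged(<baseline>) with the defaults; a result of "pe_image" at the driver path or a baseline mismatch on userinit.exe is the condition to investigate.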
Analysis of the Deep Freeze (冰点) penetrating virus
004016ED >/$ 6A 00 push 0 ; /pModule = NULL
004016EF |. E8 80000000 call 00401774 ; \GetModuleHandleA
004016F4 |. A3 F0304000 mov dword ptr [4030F0], eax
004016F9 |. E8 CBF9FFFF call 004010C9
004016FE |. 68 00010000 push 100 ; /DestSizeMax = 100 (256.)
00401703 |. 68 F4304000 push 004030F4 ; |DestString = ""
00401708 |. 68 2B134000 push 0040132B ; |SrcString = "%SystemRoot%\System32\Userinit.exe"
0040170D |. E8 50000000 call 00401762 ; \ExpandEnvironmentStringsA
00401712 |. 68 F4304000 push 004030F4 ; /Arg1 = 004030F4
00401717 |. E8 32FCFFFF call 0040134E ; \111.0040134E
0040171C |. 0BC0 or eax, eax
0040171E |. 75 0C jnz short 0040172C
00401720 |. 68 E7304000 push 004030E7 ; /String = ""B2,"?,D7,"",F7,"成?,A6,""
00401725 |. E8 68000000 call 00401792 ; \OutputDebugStringA
0040172A |. EB 06 jmp short 00401732
0040172C |> 50 push eax