标题: 发现未知木马，正在发邮件 [打印本页]

---

作者: ccfish     时间: 2008-11-4 21:46    标题: 发现未知木马，正在发邮件

不小心把邮件搞大了，　ＳＯＲＲＹ



发现未知木马，删　之


但是注册表．．．．

Quote:

创建时间        键        名称        原数据        新数据        创建者 2008-11-04 21:19:19        HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WMDMPMSN\PARAMETERS\        SERVICEDLL        C:\WINDOWS\SYSTEM32\MSPMSNSV.DLL        %SYSTEMROOT%\SYSTEM32\WMDMPMSVC.DLL        C:\WINDOWS\SYSTEM32\DTS3211.EXE 2008-11-04 20:31:32        HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\        SHELL        EXPLORER.EXE        EXPLORER.EXE        D:\PROGRAM FILES\TENCENT\QQ\QQ.EXE

---

作者: ccfish     时间: 2008-11-4 22:01
冒充我的系统文件，加载服务

---

作者: gudan     时间: 2008-11-4 22:20
抓到黑客,直接打死

---

作者: Legend     时间: 2008-11-4 22:26
请把样本发送到 VIRUS@micropoint.com.cn 邮箱，发送的时候将本帖链接一并发送。

---

作者: ccfish     时间: 2008-11-4 22:29
已经发过了，邮箱是ＳＤＹＧ１０７（ＡＴ）１６３．ｃｏｍ

并且邮件里描述比这里清楚，不过没有写本帖地址．
邮件的主题是：应该是未知木马入侵，伪装系统文件，创建服务自启动

ＳＯＲＲＹ　把附件补上．．．．

[ Last edited by ccfish on 2008-11-4 at 22:30 ]

---

作者: yurong7777777     时间: 2008-11-4 23:20
好，要搞死

---

作者: 点饭的百度空间     时间: 2008-11-5 20:31

Quote:

Originally posted by ccfish at 2008-11-4 22:01:

sReng显示函数内容不符 应该是微点新版的原因:D

---

作者: ccfish     时间: 2008-11-5 21:33
再补一张图，好像还没有解决

---

作者: Legend     时间: 2008-11-5 23:03
请加微点技术交流群管理员qq:383154254或者466248167帮您具体分析下。

---

作者: feya     时间: 2008-11-6 14:50
这几天也被这丫烦着呢，都不知道什么时候进来的，从哪里进来的，我还多个msGDI1.dll，应该是一路的，小红伞报的也不全，删掉以后，IE无法直接访问FTP了

涉嫌文件大约如下：
taskmagr.exe
msGDI1.dll
dmserver.dll
dts3211.exe
wmdmpmsvc.dll

[ Last edited by feya on 2008-11-6 at 15:04 ]

---

作者: newduba     时间: 2008-11-6 14:55
MSPMSNSV.DLL
这个我也在几台机器看到了进程，感觉可疑；
后来留下文件去测试了发现居然没有问题，
而且通过了微软数字签名的认证。
最后只能够判断是MSPMSNSV.DLL被劫持了，
用超级巡警扫描解决了问题，
MSPMSNSV.DLL本身是无辜的：）

---

作者: ccfish     时间: 2008-11-6 20:51
关键是我系统防得好，只发现这两个文件．．．

system32目录下：

dts3211.exe（不知道怎么回事，隔离区没有）
taskmagr.exe
wmdmpmsvc.dll

可疑程序加载的注册表项：

Quote:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN] "Type"=dword:00000010 "Start"=dword:00000004 "ErrorControl"=dword:00000001 "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\   74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\   00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\   6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00 "DisplayName"="Portable Media Serial Number Service" "ObjectName"="LocalSystem" "Description"=hex(2):52,00,65,00,74,00,72,00,69,00,65,00,76,00,65,00,73,00,20,\   00,74,00,68,00,65,00,20,00,73,00,65,00,72,00,69,00,61,00,6c,00,20,00,6e,00,\   75,00,6d,00,62,00,65,00,72,00,20,00,6f,00,66,00,20,00,61,00,6e,00,79,00,20,\   00,70,00,6f,00,72,00,74,00,61,00,62,00,6c,00,65,00,20,00,6d,00,65,00,64,00,\   69,00,61,00,20,00,70,00,6c,00,61,00,79,00,65,00,72,00,20,00,63,00,6f,00,6e,\   00,6e,00,65,00,63,00,74,00,65,00,64,00,20,00,74,00,6f,00,20,00,74,00,68,00,\   69,00,73,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,2e,00,20,\   00,49,00,66,00,20,00,74,00,68,00,69,00,73,00,20,00,73,00,65,00,72,00,76,00,\   69,00,63,00,65,00,20,00,69,00,73,00,20,00,73,00,74,00,6f,00,70,00,70,00,65,\   00,64,00,2c,00,20,00,70,00,72,00,6f,00,74,00,65,00,63,00,74,00,65,00,64,00,\   20,00,63,00,6f,00,6e,00,74,00,65,00,6e,00,74,00,20,00,6d,00,69,00,67,00,68,\   00,74,00,20,00,6e,00,6f,00,74,00,20,00,62,00,65,00,20,00,64,00,6f,00,77,00,\   6e,00,20,00,6c,00,6f,00,61,00,64,00,65,00,64,00,20,00,74,00,6f,00,20,00,74,\   00,68,00,65,00,20,00,64,00,65,00,76,00,69,00,63,00,65,00,2e,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Parameters] "ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\   00,54,00,25,00,5c,00,53,00,59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,\   4d,00,53,00,50,00,4d,00,53,00,4e,00,53,00,56,00,2e,00,44,00,4c,00,4c,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Security] "Security"=hex:01,00,14,80,b8,00,00,00,c4,00,00,00,14,00,00,00,30,00,00,00,02,\   00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\   00,00,02,00,88,00,06,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\   05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\   20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,\   00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,00,00,14,00,00,01,\   00,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,\   00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,\   01,01,00,00,00,00,00,05,12,00,00,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Enum] "0"="Root\\LEGACY_WMDMPMSN\\0000" "Count"=dword:00000001 "NextInstance"=dword:00000001

---

作者: feya     时间: 2008-11-9 20:57
刚从装完系统，这丫又开始来烦了，又开始改我的dmserver.dll文件名取而代之，感觉Flashget196安装文件夹下的updates.exe很有嫌疑

---

欢迎光临 微点交流论坛 (http://bbs.micropoint.com.cn/)

bbs.micropoint.com.cn