Today, while looking for accounting papers online, I came across a drive-by download (挂马) address:
http://www.xxxx.com/doc/940538
It uses the MS07-017 and MS06-014 vulnerabilities to download
http://www.xxx080.com/xjz2007.htm and http://www.xxx080.com/pf.js,
which in turn download http://www.xxx520.com/wm/0.exe and http://www.xxx080.com/wm/0.exe respectively.
The two are actually the same file, just fetched through different vulnerabilities.
Running 0.exe creates C:\WINDOWS\system32\servet.exe
and installs a service named WindowsDeowns.
Service-related registry values:
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\Type: 0x00000110
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\ImagePath: "C:\WINDOWS\system32\servet.exe"
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\DisplayName: "Windows FileExe"
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\ObjectName: "LocalSystem"
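Added example (not part of the original post): a small Python script that parses the registry values quoted above and decodes the Security\Security blob as a self-relative SECURITY_DESCRIPTOR, so a responder can read the service's start type, account and ACLs without touching a live machine. The "path: value" dump is constructed from the lines above; the numeric constants are the documented Windows SDK values (winnt.h / winsvc.h).

```python
import struct

# Registry values for the WindowsDeowns service, copied from the post into a
# constructed "path: value" dump so the script runs offline.
REG_DUMP = r"""
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\Type: 0x00000110
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\ImagePath: "C:\WINDOWS\system32\servet.exe"
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\DisplayName: "Windows FileExe"
HKLM\SYSTEM\ControlSet001\Services\WindowsDeowns\ObjectName: "LocalSystem"
"""

# Documented Windows SDK constants (winnt.h / winsvc.h).
SERVICE_TYPES = {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS",
                 0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SD_CONTROL = {0x0004: "SE_DACL_PRESENT", 0x0010: "SE_SACL_PRESENT", 0x8000: "SE_SELF_RELATIVE"}
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                   "S-1-5-18": "LocalSystem", "S-1-5-32-544": "Administrators",
                   "S-1-5-32-547": "Power Users"}


def parse_reg_dump(text):
    """Turn 'path: value' lines into {value_name: value}, typing each value by its syntax."""
    values = {}
    for line in text.strip().splitlines():
        path, _, raw = line.partition(": ")
        name = path.rsplit("\\", 1)[-1]
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):   # REG_SZ
            values[name] = raw[1:-1]
        elif raw.startswith("0x"):                       # REG_DWORD
            values[name] = int(raw, 16)
        else:                                            # REG_BINARY hex dump
            values[name] = bytes.fromhex(raw)
    return values


def parse_sid(buf, off):
    """Decode a binary SID at offset `off`; returns (string SID, byte length)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")      # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)  # little-endian sub-authorities
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, 8 + 4 * sub_count


def parse_acl(buf, off):
    """Decode an ACL header and its ACEs (type, flags, access mask, trustee SID)."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": ace_flags,
                     "mask": mask, "sid": sid, "trustee": WELL_KNOWN_SIDS.get(sid, "?")})
        pos += ace_size   # ACE size covers header + mask + SID
    return aces


def parse_security_descriptor(buf):
    """Decode a self-relative SECURITY_DESCRIPTOR: header, owner/group SIDs, SACL and DACL."""
    _rev, _sbz1, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    return {
        "control": [n for bit, n in SD_CONTROL.items() if control & bit],
        "owner": parse_sid(buf, owner_off)[0] if owner_off else None,
        "group": parse_sid(buf, group_off)[0] if group_off else None,
        "sacl": parse_acl(buf, sacl_off) if control & 0x0010 and sacl_off else [],
        "dacl": parse_acl(buf, dacl_off) if control & 0x0004 and dacl_off else [],
    }


def triage_service(values):
    """Summarise the service configuration the way a responder would read it."""
    sd = parse_security_descriptor(values["Security"])
    summary = {
        "type": [n for bit, n in SERVICE_TYPES.items() if values["Type"] & bit],
        "start": START_TYPES.get(values["Start"], values["Start"]),
        "account": values["ObjectName"],
        "image_path": values["ImagePath"],
        "display_name": values["DisplayName"],
        "owner": sd["owner"], "group": sd["group"],
        "sacl": sd["sacl"], "dacl": sd["dacl"],
        "findings": [],
    }
    if summary["start"] == "SERVICE_AUTO_START":
        summary["findings"].append("starts automatically at boot")
    if values["ObjectName"] == "LocalSystem":
        summary["findings"].append("runs as LocalSystem")
    if "SERVICE_INTERACTIVE_PROCESS" in summary["type"]:
        summary["findings"].append("SERVICE_INTERACTIVE_PROCESS set (can interact with the user's desktop)")
    return summary


SERVICE = triage_service(parse_reg_dump(REG_DUMP))

if __name__ == "__main__":
    for key in ("display_name", "image_path", "account", "start", "type", "owner"):
        print("%-13s %s" % (key, SERVICE[key]))
    for ace in SERVICE["dacl"]:
        print("DACL %-15s mask=0x%05X %s" % (ace["type"], ace["mask"], ace["trustee"]))
    print("findings:", "; ".join(SERVICE["findings"]))
```

Decoding the values above gives Start=2 (auto-start), Type 0x110 (own process plus the interactive flag) and LocalSystem as the account. The descriptor itself is the stock one a newly created service receives (owner SYSTEM, a failed-access audit ACE for Everyone, allow ACEs for SYSTEM, Administrators, Authenticated Users and Power Users), so the sample did not tighten its own permissions and an administrator can stop and delete the service in the normal way.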
It then launches IE, connects to 60.190.118.7:80, downloads 1.exe through 9.exe into the system folder and has IE start each of them.
The end result is still that same trojan pack: C:\WINDOWS\system32\mppds.dll, C:\WINDOWS\system32\shualai.dll, C:\WINDOWS\system32\winform.dll, C:\WINDOWS\mppds.exe, C:\WINDOWS\shualai.exe, C:\WINDOWS\winform.exe
In the temp folder: c0nime.exe, Gjzo0.dll, Gjzo1.dll, upxdnd.exe, upxdnd.dll, iexpl0re.exe..
For removal, just follow the cleanup steps for that trojan pack.
Finally, I'd advise everyone to keep their systems patched; there are far too many drive-by download sites like this around now..