[Discussion] SVCH"0"ST virus, the "0" is a zero!
Posted on: 2005-3-22 19:50 6728
After the virus is deleted it recreates itself automatically; its attributes are
A  SHR     C:\WINDOWS\system32\SVCH0ST.EXE

It shows up again after being deleted!!

Size (221,184 bytes)       Attachment: SVCH0ST.rar

Note: this program is a virus! Download it only if you know what you are doing! At your own risk!!!!!


2
How do I fix this?
2005-3-22 19:50
3
Try booting into Safe Mode and see.
2005-3-22 20:00
4
Run a full scan with KV!
2005-3-22 20:06
5
Safe Mode is the same!
2005-3-22 20:36
6
SVCH0ST.EXE
You actually dare to delete this one?
2005-3-22 21:06
7
Mate, you misread it: that is a zero, not an o.
2005-3-22 21:15
8
svch0st
It is obvious.
All of Microsoft's files are either lowercase or start with an uppercase letter.
2005-3-22 21:20
9
Known associated files:
lnterapi64.dll
lnterapi32.dll
MlcrosoftSound.wav     -----> this one is in the Windows directory
A quick disassembly shows it is a trojan that steals Legend of Mir (传奇) accounts, and it also uses regsvr32 to register itself (I am a newbie myself, so this is as far as I can help you ----> and now I have run it myself too ---> ran it by accident, ugh!!)
2005-3-22 21:33
10
It does not seem to be undeletable as the OP says?
I deleted it successfully.
Here is what I did:
First I killed the process with a process manager,
then deleted all 4 files together. I have been opening files and running programs since and it has not reappeared, so I would say it is gone. As for which 4 files, I already listed them in my post above:
MlcrosoftSound.wav   ----> in the Windows directory; it is actually a backup copy of SVCH0ST.EXE
SVCH0ST.EXE
lnterapi32.dll
lnterapi64.dll
2005-3-22 21:57
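The naming trick pointed out in replies 8 to 10 (a zero for the o in SVCH0ST, an l for the i in lnterapi and MlcrosoftSound) can be checked mechanically. The Python below is an added example, not code from this thread or from the trojan: it parses `attrib`-style lines like the one in the opening post, collapses screen-confusable characters, and flags names that collide with a small constructed list of genuine system binaries (PROTECTED_NAMES and the sample lines are assumptions made for the example).

```python
import re
from typing import Dict, List, Optional

# Genuine Windows binary names the lookalike check protects. Constructed short list
# for this example; a real deployment would use a full system-file inventory.
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# Screen-confusable characters the trojan in this thread relies on: '0' for 'o'
# (SVCH0ST) and 'l' for 'i' (lnterapi, MlcrosoftSound). Each class collapses to one char.
_CANON = {c: cls[0] for cls in ("o0", "il1") for c in cls}
# One line of `attrib` output: attribute letters, whitespace, then a drive path.
_ATTRIB_LINE = re.compile(r"^\s*([ARSHI ]*?)\s+([A-Za-z]:\\.+?)\s*$")

def canonical(name: str) -> str:
    """Case-fold a filename and collapse confusable characters."""
    return "".join(_CANON.get(c, c) for c in name.lower())

def parse_attrib_line(line: str) -> Optional[Dict]:
    """Return {'attrs', 'path'} for an attrib line, None for anything else."""
    m = _ATTRIB_LINE.match(line)
    if m is None:
        return None
    return {"attrs": set(m.group(1).replace(" ", "")), "path": m.group(2)}

def assess(line: str) -> Optional[Dict]:
    """Classify one attrib line as 'lookalike', 'review' (hidden+system) or 'ok'."""
    entry = parse_attrib_line(line)
    if entry is None:
        return None
    name = entry["path"].rsplit("\\", 1)[-1]
    lookalike_of = None
    if name.lower() not in PROTECTED_NAMES:  # the genuine file is never its own lookalike
        lookalike_of = next((p for p in PROTECTED_NAMES if canonical(p) == canonical(name)), None)
    hidden_system = {"H", "S"} <= entry["attrs"]
    # Legitimate boot files are H+S as well, so that alone is only a triage flag.
    verdict = "lookalike" if lookalike_of else "review" if hidden_system else "ok"
    return {"name": name, "path": entry["path"], "attrs": sorted(entry["attrs"]),
            "lookalike_of": lookalike_of, "hidden_system": hidden_system, "verdict": verdict}

def scan_attrib_output(text: str) -> List[Dict]:
    """Run assess() over every line of captured `attrib` output."""
    return [f for f in map(assess, text.splitlines()) if f is not None]

# Constructed sample in the format the opening post quotes, plus control lines.
ATTRIB_OUTPUT = r"""
A  SHR     C:\WINDOWS\system32\SVCH0ST.EXE
A          C:\WINDOWS\system32\svchost.exe
A  SH      C:\WINDOWS\system32\lnterapi32.dll
A          C:\WINDOWS\notepad.exe
"""

if __name__ == "__main__":
    for f in scan_attrib_output(ATTRIB_OUTPUT):
        print(f["verdict"], f["path"], f["lookalike_of"] or "")
```

Names that are not in the protected inventory (the two lnterapi DLLs here) only get the hidden+system triage flag, which is why the file list from reply 9 still matters alongside the lookalike check.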
11
Mir again! Why do they always like to write such programs???
I really did not notice that!
2005-3-23 01:06
12
Thanks! Deleting it works fine! I just don't know why it comes back after being deleted! It looks like svchost is the one restoring it (watched it with Filemon).

2005-3-23 01:25
13
Originally posted by bird
Thanks! Deleting it works fine! I just don't know why it comes back after being deleted! It looks like svchost is the one restoring it (watched it with Filemon).



Let me teach you a sure-kill trick that works against every hook-style trojan. When you do not know where the trojan comes from, you can cut off its launch source: the main program of this kind of trojan lives in the DLL, so cut off the DLL and the trojan is completely disabled.
So, boot the system in protected mode, or simply boot WinPE from a maintenance disk,
and delete both of these files:
lnterapi32.dll
lnterapi64.dll
Then create 2 empty files with the same names yourself and set their attributes to read-only. Boot the system afterwards and you will find the trojan has been KO'd. There is really nothing technically impressive about this kind of trojan. Even if it is a rootkit, it is easy too.
2005-3-23 12:27
14
Thanks, 鸡蛋壳!
2005-3-23 13:07
15
Kill the process and XP starts a shutdown countdown.

The latest Rising (瑞星) does not react to it at all.

What bad things does SVCH0ST actually do?
2005-3-25 10:14