2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Today I will walk you through a case analysis of a virus spreading itself laterally through port 445. Many people may not know much about this, so to help you learn more, the editor has summarized the following; I hope you gain something from this article.
One day I noticed that a host on the intranet kept sending SYN packets to port 445 of every address in its network segment, so I logged in to the host and ran `netstat -ano | findstr 445`. The screenshot below shows the host's connection state, which is active and decidedly abnormal.
Besides a large number of connections from PID 61260, PID 94248 also had a great many connections in the ESTABLISHED state. Cross-referencing with Windows Task Manager showed that the process holding the ESTABLISHED connections runs from the directory C:\Windows\AppDiagnostics\.
Going to the directory C:\Windows\AppDiagnostics\ reveals the following suspicious files:
Searching online for the folder name AppDiagnostics, security-minded netizens and security vendors describe this virus as an updated version of the NRSMiner cryptocurrency miner, or a WannaMine V3.0 variant. It exploits the MS17-010 (EternalBlue) vulnerability, began spreading from Vietnam in November 2018, and soon reached China. Let's look at how to remove it, following the netizens' advice:
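The manual `netstat -ano | findstr 445` check above works for one host, but the same triage is easier to repeat if the output is parsed and grouped per process. The following PowerShell function is an added example, not code from the original post: it reads `netstat -ano` lines (or a saved copy of them), keeps only TCP connections whose remote port is 445, counts them per PID, and resolves the PID to its image path, which is how the post's two suspicious PIDs were tied to C:\Windows\AppDiagnostics\. The threshold and the sample lines at the bottom are constructed for illustration.

```powershell
# Added example (not from the original post): group outbound port-445 connections
# by PID so a host scanning its own subnet stands out. Thresholds are assumptions.

function Get-Port445Talkers {
    param(
        # Lines as produced by `netstat -ano`; pass a saved capture to analyse offline.
        [string[]]$NetstatLines = (netstat -ano),
        # A file-server client has a few connections to :445; a scanner has dozens.
        [int]$Threshold = 20
    )
    $rows = foreach ($line in $NetstatLines) {
        # Typical line: "  TCP    10.0.0.5:52113    10.0.0.77:445    SYN_SENT    61260"
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+):445\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Local  = $Matches[1]
                Remote = $Matches[2]
                State  = $Matches[3]
                PID    = [int]$Matches[4]
            }
        }
    }
    $rows | Group-Object PID | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        # Map the PID back to its executable, as the post did with Task Manager.
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID         = [int]$_.Name
            Connections = $_.Count
            Targets     = ($_.Group.Remote | Sort-Object -Unique).Count
            States      = ($_.Group.State | Sort-Object -Unique) -join ','
            ImagePath   = if ($proc) { $proc.Path } else { '<exited>' }
        }
    }
}

# Constructed sample capture (not real data): one PID probing four hosts, one
# normal client talking to a single file server.
$sample = @(
    '  TCP    10.0.0.5:52113    10.0.0.71:445    SYN_SENT     61260'
    '  TCP    10.0.0.5:52114    10.0.0.72:445    SYN_SENT     61260'
    '  TCP    10.0.0.5:52115    10.0.0.73:445    SYN_SENT     61260'
    '  TCP    10.0.0.5:52116    10.0.0.74:445    ESTABLISHED  61260'
    '  TCP    10.0.0.5:50001    10.0.0.9:445     ESTABLISHED  1234'
    '  TCP    0.0.0.0:445       0.0.0.0:0        LISTENING    4'
)
Get-Port445Talkers -NetstatLines $sample -Threshold 3 | Format-Table -AutoSize
```

On a live host run `Get-Port445Talkers | Format-Table -AutoSize` from an elevated prompt so that `Get-Process` can read the image path of processes owned by SYSTEM. The `Targets` column matters as much as the count: a backup agent may hold many connections to one server, whereas a worm shows many distinct targets in SYN_SENT.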
Step 1: stop the services the virus uses for infection, snmpstorsrv and spooler, and end the corresponding processes (PIDs 61260 and 94248), as shown below:
Step 2: delete the virus folder AppDiagnostics (under C:\Windows\) and the file MarsTraceDiagnostics.xml (at C:\Windows\System32\MarsTraceDiagnostics.xml), as shown in the screenshot below; on deletion, the folder shows that it was created at 14:01 on December 14, 2018.
Step 3: start the services snmpstorsrv and spooler again and verify that there are no more SYN_SENT connections to port 445, as shown in the screenshot below. (Note: if the services are started without first deleting MarsTraceDiagnostics.xml from C:\Windows\System32\, the virus folder AppDiagnostics is written back into C:\Windows\ and SYN_SENT connections to port 445 resume. The infected service is evidently no longer the original service, and further cleaning is needed.)
On the surface the problem seems under control, but as the experts say, an infected host is not cleaned up by these two steps alone: you still need to analyze how it was infected, whether the files and registry entries left by the infection have been fully cleaned, and whether the exploited vulnerability has actually been patched. There is a lot of follow-up work here that this rookie cannot write up yet.
After reading the above, do you have a better understanding of this case analysis of a virus spreading laterally through port 445? If you want to learn more, please follow the industry information channel. Thank you for your support.
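The three steps above, written out as one PowerShell sequence with the verification the post's note calls for. This is an added example, not the post's own script: the service names, PIDs, folder and XML path are the ones the post reports, the evidence directory C:\IR\ is an assumption, and the 30-second wait before re-checking is arbitrary. Run it from an elevated prompt on the infected host only.

```powershell
# Added example (not from the original post): the post's cleanup steps with a
# re-check, so the "folder comes back if the XML is left behind" case is caught.

$services = 'snmpstorsrv', 'spooler'               # services named in the post
$badPids  = 61260, 94248                            # PIDs observed in the post
$folder   = 'C:\Windows\AppDiagnostics'             # dropped folder
$xml      = 'C:\Windows\System32\MarsTraceDiagnostics.xml'  # re-creates the folder if left
$evidence = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmmss)"     # assumed evidence location

# Step 1: stop the services that relaunch the miner, then end its processes.
foreach ($s in $services) { Stop-Service -Name $s -Force -ErrorAction SilentlyContinue }
foreach ($p in $badPids)  { Stop-Process -Id $p -Force -ErrorAction SilentlyContinue }

# Step 2: record timestamps and keep a copy for analysis, then delete both artefacts.
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
foreach ($item in $folder, $xml) {
    if (Test-Path $item) {
        Get-Item $item | Select-Object FullName, CreationTime, LastWriteTime | Format-List
        Copy-Item $item -Destination $evidence -Recurse -Force
        Remove-Item $item -Recurse -Force
    }
}

# Step 3: start the services again and confirm the probing does not resume.
foreach ($s in $services) { Start-Service -Name $s -ErrorAction SilentlyContinue }
Start-Sleep -Seconds 30
$again = netstat -ano | Select-String ':445\s+SYN_SENT'
if ($again) {
    Write-Warning "SYN_SENT to port 445 resumed; another persistence mechanism remains:`n$($again -join "`n")"
} elseif (Test-Path $folder) {
    Write-Warning "$folder was re-created; the service or task that drops it is still present."
} else {
    "No SYN_SENT to port 445 after restart. Evidence copied to $evidence."
}
```

The re-check is the point of the script: the post found that deleting the folder alone was not enough, so the script treats a re-created folder or renewed SYN_SENT traffic as a failed cleanup rather than reporting success. Patching MS17-010 and reviewing the service and registry entries, as the post's closing paragraph says, still has to follow.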