C. .
, . .
,
- 2003
. .
ISBN 5-8239-0127-5 &
%)
, 2003 .
8
31 1
6:
1
7= 67
1
1>
-
6:
0
- <
L
.
:
0
8
J7
-K
-4
3
-.
8
=
,=
:
.2
1
4
38
73
:-
3
;?8
6
.
=0
@
1
.
0
;
.
5
.
;
-
351
8D
,
A
-
3
-
4B
1
5
-
A3
=1
1B
.
8
A,G
4
. -. .
6
-+
, 7
@
.
4
1:L
@
6:
,
^
@:3
4
9
.
8
1
>
:3 F
/
@,-
H
,
.
.2
-
=
3
.-
=D
3
3
3.
.
6
5
.
8
A7
;
1
1
+, 5
/ :3 F
3@
-
:3 E
.
>
9
@
.
D
@:3
.
8@
8
-4
8@
3A
. 1 "759
C
;
6
.
=0
+
13
@
.
=0
,
8.
1?
,>
.:=
1
-
; <
: 9 8" ,
.
4
678
-
=
,=
:
9
1B
0,>
1
<
3@
-
1 0,
@
. :H
6
,
,-
+
435
. .
1
30
4
.B-
:
123
-0 0
1
-1
8
,
%&^
;3
.:
1
1B
D
1
1
4
4
A
,
:3 E
K
A,G
B
80
,0
/
%)
"('
"&
%
#
$
#
"!#
. .
]
.2
6:
1
/
31
8
.
85
73 A,G
.
6
,
0
-
/
4
57
4
=
-
=
@:3
+
5
B
0
-
.
-
+,-
*
:
&\
.3
-0
1
0
J4
@
-.
3.
6
5
4
;
4
.
1
54
8
3
3J
,
,
!
0
1
.M-
+
1
1
5
B
,
.:
.
80
3
-
4B
1
8+
.
@
=
.
-0
A
5.
.2
:-
3
?8
.
WX
UV T
R
.B-
4
-.
1
J
4B
?8
@,
A7
0,
.
6
1
8I
.2
:3
6
.
3
@7 .
4 0 D
.B-
:
8
-.
1
8 9
,
48
.
+8
.
%[
Z
# Y
. . RS Q
+,>
-
.3
=0
:3
0M3
,
,8
6:
123
0
-
*
3.
6
5
. .,
( ' "
7
:
13
=
6:
:
.
P
7
-+
3
@
1B
B=
.
-0
1
=0
4
B-
, ,
31
:N
@,-
.
1:
.
-1
>
.
8 O
1
1B=
-
.M3
5
. ,
P L
1
J
-
: . ., . . –
, 2003. – 84 .
ISBN 5-8239-0127-5
-
. -
#
!
!
"
!
/&
XXI
.......................................................... 12
1.
.
-
+,
)*
............................................................................................ 10
'(
&
%&
$
.......................................... 8 ,
1. 2.
...................................................................................................... 6
2
"
2
1
0
1
@;
4
"
.
+,
)*
'(
'
)
'.
FG
E&
... 38
;
K
I=K
J
I
8
6
@;
0 !
4
»......................... 38 Alps6............................................ 39
:
8
I=
;
6
@=
H
!
«
!
;
K
I=K
J
I
8
@;
U
9=
IN
@
N
?M
J
QR
T
;
K
I=K
J
I
8
8
6
9S8
?P
O=M
@
N
O=
<
8
QR
68
?N
9=M
?
8
I
N@
;N
M
K@
N9
:
6
8
I= ?N
9=M
? ? 5 6 L
2.2.1. 2.2.2. 2.2.3.
6 L
:
1
BELPL ………………………………………. .................... 40 BelPL....................................... 41 BelPL............................. 42 ............................. 42
4
!
!
!
2.1. 2.1.1. 2.2.
BELPL
2.
)
C
D&
!
D
>?
&
<=
; : 7
4
9
(
)$
B
8
4
"
C(
&
%&
$
10
A
68 5 7
0
3
1.1. ................. 12 1.2. ........................................................................ 14 1.2.1. Backdoor.BO, aka Back Orifice Trojan ...................................... 14 1.2.2. Trojan.AOL.Buddy ...................................................................... 16 1.2.3. Macro.Word97.Trojan.Tvangeste [8] ......................................... 18 1.2.4. Trojan.Spy.KIM [8]..................................................................... 19 1.2.5. Trojan.PKZ300b [12] ................................................................ 19 1.2.6. mIRC SCRIPT.INI [13] .............................................................. 21 1.3. ACTIVE X.................................. 21 1.3.1. ....................................................................... 25 1.4. ............................................................ 30 1.5. ................................................................... 32 1.6. ........................................................................ 35 1.7. ................................................................. 36
%*
-.
D
.
E
%
)
C
.
+,
)*
'(
*
+G
.
)(
'
*
+G
F.
&
(
,
'
)
.
C(
3.
G
-
D
D
&
(
)$
C(
.
G
$
(
&
%&
$
4
#
B
4
) ....................................................................................55
!
#
" .
+G
!
4
) ........................................................................................58
4
"
.
)
%
A
B
"
..................52
A
,
A
G
C(
4
3.1. 3.2. ( 3.3. (
............................52
1
1
#
!
2
.
+G
.
)
%
63
3 G
C(
1 ......................................................................................63
1
1
.
+G
.
" )
%
G
C(
(406
B
(6-7) )..........................................................................................65
!
2 ......................................................................................65
1
4
!
........................................77
.
+G
.
)
%
2 G
C(
A
3 ......................................................................................77
1
4
"
!
!
..............................80
&
,
(
TCP
'
&
(
! '.
%G
4 ......................................................................................80
............................................................................................83
:
/
=
@
S
I
8
6
N
@M
8
9
9
N
I
8
6
, 3
3
-
4
?
:
@R
9
89
M
=
6
<
8
N
− .
-
+
1998
+
&
'
1997 53,6 !
4
,
/
"
*
%
!
3
.
-
)
-
+
#
/
#
'
(
/
/
&
*
)
,
Internet, , +
#
"
/
#
+
%
*
&
*'
&
*
+
)
(
#
"
(
+
/
0
!
+
*'
#
"
/
#
&
/
!*
*'
!
+
*
*
0
!/ %
&
(
+
&
&
)
/
%
!
(
-
!
-
)
&
*'
&
&
'
*
+
!
)
'
*
#
"
*
&
%
,
.
&
#
$
)
&
'
(
!
&
!
)
(
&
&'
#
"
!
%
$
#
!
@
.
6
,
:
* ,
9
NO
N
I
8
8
@R
@?
Q=
6
9
P@
»
J
7?
8
I?
6
8
,
.
; AB
35
;-
1
8
-
A3
=1
1
D
:3
4
8@
.
4
8
3
;
=
1
5
N
N
<=M
@
8
@
N
O
N9
=
M
NJ
8
I
8
8
N
8
=K 5
@R
9
68
Q
J
K@
8
8
.
!
*
.
&
#
(
/
#
,
*
*
*
)
&
-
,
"
&
*
!
*
+
1
,
/
)
!
*
+
-
)
"
!
+
.
+
/
+
!
20 [6].
&
*
)
,
&
&
!
,
%
'
.
'
!
2
/ *
,
&
#
+
&
1
;
.
&
*
*
!
,
)
!
'
!
-
&
-
/
.
&
!
1
.
.
#
/
/
&
)
+
.
&
)
.
)
2)
!
,
*'
(
!
1) , «
−
. -
.
:
, & %
/ !
-
-
%
-
*
!
%
%
)
-
+
&/
/
*
/
/
*
'
%
!
!
,
.
%
*
!
/
!
*
-
&
+
&
+
»
)
)
#
"
*
!*
+
(
!
/
+
/
*'
-
/
&
/
. , -
!
/
#
'
!
0
%
*
)%
*
/
* %
!
-
#
"
(
!
/
/ 1
!*
&
!
#
"
!
!
,
&
-
)
!
+
!
!
&
+
&
#
"
#
+
)
%
#
"
'
*'
!
(
!
/
-
+
&
!
+
-
(
!
+
(
!
/
!/
+
&
"
0
&
!
#
/+
!
!
/
/
&
/
-
&
!
)
'
%
+
&
+
'
!
0
/
/
0
/
1
'
(
!
/
'
#
"
/
/
0
/
(
*
!
-
&
&
! -
!
*
!
&
!
*
*
"
#
0
&
-
&
)
0
1
+
-
!
#
"
*
,
(
*
+
/
,
-
-
&
+
/
+
#
!
*
+
».
&
"
%
*
-
*'
!*
%
%
/
!
%
(
»,
#
)
/
(
!
!
/
–
'
/ "
&
'
!
!
-
*'
/
&
;
'
%
%
&
%
+
–
/
"
*
/
!
+
&
!
#
&
.
0
+
+
,
&
+
)
' 1
*
.
'
!
&
&
*
+
)
& *
,
-
&
!
&
)
!
-
+ %
0
»
!
,
/
%
!
«
!
&
0
,
%
&
&
&
&
+
*
/
/
/
.
«
/
%
&
&
-
"
/
,
!
/
.
#
*
#
/
.
+
'
!
/
«
+
(
#
%
0
&
+
$
«
%
"
)
"
.
*
%
'
!
*
,
&
+
!
.
,
/
0
1
+
,
'
+
)
&
!
/
/
–
/ *
*
&
.
/
!
-
.
#
!
&
+
-
.
/
!
.
(
,
%
"
*'
,
(
.
&
%
/
$
.
&
&
/
+
,
!
%
!
,
#
,
"
/
#
.
(
+
7 -
-
. -
-
.
,
-
-
/
, (
». + !
&
!
+
!
*
-
+
/
*
!
-
&
%
!
*
!
0
/
&
&
*)
-
+
+
)
/
!
&
!
+
/
-
,
/
0
(
!
/
&
!
*'
/ /
&*
!
+
+
* /
/
/
/
#
-
+
/
) &
/%
)
+
#
&
#
!
-
/
*'
&
/
%
*
*
,
&
&
,
&
#
,
*
!
+
0
&
+
'
*'
&
/
0
!
&
!
!
*
*
) %
&
#
)
'
"
0
*
/
(
.
!
!
1
+
#
"
/
-
1
%
)
!
-
/
&
+
/
!
*'
*'
*'
+
*
!
%
"
0
/
*'
*'
*
/
/
/
'
/
+
'
(
-
)
-
!
+
!
1
&
)
*
+
&
+
-
/
#
"
/
!
+
&
/
/
/
/
%
*
&
!
0
!
%
+
1
!
*'
!
#
"
,
&
'
*
!
&
/
.
%
)
+
-
&
-
!
,
«
-
'
/
(/
!
.
#
)
+
+#
%
-
,
"
&
&
.
&
/
&
#
!
+
!
,
+
'
-
'
)
/
!
!
,
#
(
,
&
/
!
/
,
"
0
1
-
'
/
0
.
-
,
!
%
)
*
.
&
)
/
&
/
*'
&
–
+
&
0
!
!
/
.
(
#
"
/
&
!
-
/
.
+
1
& #
(
!
!
&
&
»
)
*
!
.
0
!
!
.
/
0
%
/
&
1
(
–
*
%
#
/
.
,
%
'
,
-
)
!
.
#
"
1.
!
!
"
)
*'
&
/ "
0
!
0
1
.
/
*'
. ,
"
.
*
*'
&
,
,
%
#
«
%
8
-
-
,
-
,
.
-
-
.
%
!
!
!
/
.
*
-
*
!
*
/
*
3
%
(
+
&
'
&
&
)
/
/
'
&
!
*'
&
)
&
.
!
(
2
+
(
!
'
*'
/
&
+
/
&
+
#
&
,
!
&
.
!
*
.
)
%
/
'
/
!
&
+
&
-
/
!
)
!
+
%
!
*
&
/"
!
/
-
&
/
&
+
+
&
%
#
1
&*
-
*
-
&
!
+
&
!
&
&
-
!
+
&
)
.
#
/
/
!
#
!
.
-
,
!
/
-
-
!
+
"
!
*
+
0
+
. ,
-
"
!
+
+
)
!
%
%
!
!
*'
&
!
/
&
*
4
#
"
/
!
+
&
%
%
*
!
#
!
*
!
!
(
!
0
#
&
-
/ + &
!
+
#
"
*
'
(
/
)
!
(
/
!
!
*
–
&
, &
!
&
'
&
#
!
$
&
+
2
+
#
"
+
(
+
.
&
/
)
&
-
!
0
!
+
&
)
&
1 (
"
%
&
'
(
%
#
)
/
/
'
/
/
#
&
)
!
*
+
)
$
,
+
&
+
'
*
&*
%
!
'
*
: «
0
*
,
'
3
:«
/
(
#
!
#
-
,
*
1
-
*
/
-
-
+
!)
'
/
,
.
.
-
/
)
/
!
,
.
/
&
(
*
2
"
– ,
-
&
,
&
/
)
,
)+
'
*
%
, , ,
&
'
!
+
&
,
.
!
#
/
/
»
*
/
&
!
&
+
/
.
+
*
*
0
)
1
-
"
&
,
&
&
)
!
/
!
,
)
%
)
*
,«
*
%
*
+
&
,
&
'
».
&
!
&
,
,
&
'
!
$
/
,
!
2
'
,
%
,
.
,
, ».
,
+
&
.
!
9
-
. -
-
. -
-
-
&
,
!
/!
,
!
+
&
!
!
&
)
)
&
&
#
#
!
&
+
'
&
,
&
+
#
%
&
!
!
+ !
+
*
!
%
!
&
+
'
&
+ &
'
*
*
,
,
/
!
/
(
#
/"
&
,
0
'
,
/
0
(
!
/
/
'
!/
+
#
&
*
%
%
%
!
+ )
)
)!
&
!
(
'
'
$ %
"
*
#
#
2
2
.
3
$
&
-
!
%
$
3
)
0
(
/
!
2
/%
/
:
1
$
4
3
2
1
3
1
.
.
+
/
(
(
+
*
.
%
&
+
*
!
#
"
(
!
/
"
!
+
&
)
%
,
%
!
-
&
)
#
&
%
/%
(
+
&
!
3
&/
/
)
28- ,
&
,
&
&
#
%
'
&
/
"
,
)
)
!
(
&
+
-
!
,
#
&
&
"
!
)
"
%
#
2
(
/
&
+
*
!
+
*
!
,
!
)
)
,
!
/
&
.
&
'
.
&
)%
,
-
,
+
*
+
/
),
#
"
!
"
).
/
&
-
+
*
/
*
272, 273, 274,
!
*
-
,– /
*&
*'
&
1996
!
&
&'
)
*
(
&
&'
*'
&
)
,
-
!
,
/
)
)
,
!
'
-
+
+
,
24
&*
,
)
)
,
272.
,
,
*
%
, –
!
2.
#
1.
+
'
&
2.
10
-
-
.
28.
.
.
-
-
,
-
-
– .
, /
&
*
&
*
+
%
/
'
(
#
%
/"
&
'
/
!
,
,
'
*
#
+
!
0
/
,
,
)
)
+ )
&
%
'%
)
"
) %
&
!
-
/
-
!
/
!
#
!
&
+
'
&
&
!
)
&
-
+
&
&
'
/
&*
.
&
+
!
&
/
&
!
!
,
'
&
&
&
+
'
/!
+
,
!
-
/
.
'
(
&
,
&
&
0
&'
)
!
%
&
+
*
!
*'
!
&
+
'
&
"
'
&
/
)
!
/
(
)
!
'
/
'
*
*
(
+
*
/
#
!
%
!
–
*
-
/
!
!
&
. !
&
-
"
,
&*
/
&
%
&
(
,
,
*
(
#
/
/
'
&
!
&
!
/
#
/"
&
(
/
(
! )
(
+
+
-
+
+
,
&
/
/
,
&*
!
)
%
&*
*'
,
+
$
! )
$
!
!
!
$ %
!
%
%
)
)
) %
)
%
,
.
&
)
!
&
"
!
,
/
,
(
,
&
,
-
*
/
*
,
,
!
!
#
,
274.
)
)
,
&
)
*
)
273.
,
"
#
,
-
*
+
1.
/
1.
2.
2.
*
–
/
11 -
-
,
,
-
-
. ,
, –
}
z
~
KOY
N
a
V
T
Rf
X
a
K
PS
Y
V
T
a V
kK
Q NRf
SM Ue
_
U
V
M
Y
N
a
,
V
S
V
KY
Ya
;
9
/
<
B
;
C
.
«
~
»1,
K]LV
a
>
5
h
=
;
8
=
A;
=
A=
2
9
/
4
9
/
3
4
D
B
/
2
1
=
16
/
>
>
3 5
5
L
Y
Rf
X
a
K
PS
O
MS
T
S
MS
Y
O
P
RS
VK
]
a
a
Y
eNV
Kg [
S
V
O
Lca
U
V
X
S
L
O
P
LOa
X
Y V
Z
b
_^
V
QR
V
W
a
KV
LU
[OV
Oa
V
U
V
XR
R
KVY
V
XR
P^
V
Y
KV
Rf
Ra
Y
TK
a
V
R
V
LO
O
S
OS
L
.
}~
}
_^
U /
8
/
3
. MS
K\VY
9A
0<
=
7
3?
4
123
a
N
S ]We
L
O
LM
KJ
Z
L
X
W
_^
S]
K
T
S
S
PK
N
W
V
\OS
US
X
S[
XY
KLV
NVW
L
U
LU
TR
QRS
LP
O
LO
N
,
{
z
_
W
Y
R K
Yf
V
R
SX
eR
Vl
L
O
P^
V
Y
8
/
8
/
63
A
/
8
8
./0
W
K
VS
R
Q
S
N
S
V`
NVW
_
a[
S
XW
aL
QR
d
.;
=
H8
96
<
/
3
G
;
6
A
=
BA;
8
/
4
B
>
=
4
G
1
3
>
<
;0
HI
B
;
C
.
23
1
/1
.=
= <
<;
.;
; >
/
1
;01
=
1
;@
1
;? >
9.=
#
$
"#
!
78
16
/
3 5
4
123
9./: 1
(+ ,(
(*
&% ) '(
./0
9.=
5
F E
1CD
1
A=
=
9.=
/
4
1
0
1
A
0
/
BC 9
>
A >
0
2 5 8
=
4
B
/
2
,
}
U
^
b
U
4
LU _
Y
U
V
B
.
a
kK
Rf
\
aL
». ,
, {
, y
S
MS
Y
]V
T
a
=
@
LPK
\
.«
{
b
_
Y
Rf
TRf
L
i
X
S
R
QV
LVK
M
LM
, .
{|
. }
S
W
LMS
«
}
z
{
M
X
a
R
a
K
BF=
8
= 2 5
(+ ,(
4
(*
Oa
X
S[
–
yz
~
,
{
Oa
V^
a
aQ
a
MS
[
_
KYV
Q
S
aX
S
Y
, —
}~
z}
V
Y
X
U
LU
TR
a
a
KP
,
yz{|
—
KYV
V
O
QRS
V
4
G
;4
B
4?
&% ) '(
1.2.
.
w
V
O
LkK
N
4
8
3
;
1.1.
u
nx w
LU
Q
T
S
XV
S[ j
4A
.
,
yz
{
yz
_
O
Y
OS
N
L
R
,
uv
, S]
K
U
S
V
XR
1.1.
}
qrst
V
L
K
Y
,
~}
nop m
1
z
1 XXI
?
.
.
-
-
-
{
, .
}
:
.
N
,
L
O
k
aL
_
O
OZ
NVW
V
QR
V
LMa
M
V
a
Lk
M
T
S
V
W
V
V
U
]V
,
MS
O
VK
a
MW
P
T
a
S
W
OS
«
_
O
J
`
U
R
S
W^
S
V
S
L
a
O
Xa
V
O`
P
RS
^
LUa
M
P
YK
NV
P
Y
kK
P
YW
]
[
a
a
M`
O
f
O
\V
SL
W
T
WQ
S
LkK
X
Oa
NUa
L
T
S
OS ]
O
V
L
WN
f
S
S
_K
R
M
QV a
Y
V^
S
_
O` _
U a
Y
P
Y
P
N a K
V
La a[ K
b
K
RS
Ya
OS
KY Q Ua
_
]O
a
TK
S
W
Ua
P
O
MS
Ua
Ma
Y
O
P
RS
K
LkK
X
_
L
[O
Yf
V
NR
L
Uf
OS
O
V
NVW
V
QR
S
Q
S
X_
R
\VK
a
aL
`
U
R
S
O
g
ab
a
O
MS
XMS
L
QR
K
S
a
U
V
Oa
V
a
P
Y
V
a
Lk
U
b
L
Y
LY
NMW
Q
S
V
R
_
K]V
L
O
PK
NVW
OS
LOa
[
P
RS
X
+
'
K
V
\VK
US
XMa
LOS
YK
fb
S
_K
R
M
Y
a
a
M`
O
f
V
V
L
\
R
NV
YS
_
U
LU
O
P
RS
MK
V
,
Y
Rf
X
_
U
LU
.
~
{
a
a
KLO
S O
c
R
XV
P
PK
Y
KV
T
a
LO
X
,
z{
TR
K
S
a a
LkK
Oa
\V YS
_
LRf
f
O^ U
LU
[
WeQ
S S
S
.
a
QRS
KY
US
aY
X
aL
TR
QRS
S
W
OS
_
O
]V
L
PSW-
aY
R
\
S]
K
Oa
g
,
{
{|
XV
V
_
O
O
Q
[
Y
J
V a
,
~
_ V
{
z
\V
L
f
V
M
Ya
K
_
YK
O
a
a
OS
YK
Ya
P
[
VK
YK
Oa
NUa
L
T
S
OS
O
V
L
WN
Vf
Oa
]V
QV
Y
V^
VS
O
P
Y
VK
a
KOP
Q
S
kK
f
Ra[
V
KLM
LR
U
S
V
U
QRa
L
R
RS S
O
Oa
N
Q
S
Ua
a
Lk
X
VW S
X`
Oa
S
LUa
O
P
RS
PK
Y
V
a
k
P
QRS
X
S
P
Y
L
W
U
NOa
Q
S
OS
L
RK
M
NOS
VS
O
S] OS
K
Ke
a
KV
LU
OS
Y
LU U
TR
QRS
V
MS
Y
]V
R
U V
U
U
P
O MS
a
P
Oa
V
NVW
V
QR
_
U
LU
TR
QRS
V
_
R
S
MSK
V
O
LkK
N
L
Q
Q
Y
a
a
Ua
_
]O
S
PK
Y
kK
P
X
W
P
V
O
_
]
K
Q
Sb
OS
O
RS
M
VK
W
P
Oa
V
LOa
X
RS
\
La
R
a
K
LUS
Y
^
S V
V S]
S
Oa
]V
L
O
L
[O
V
K
V
[R
]V
P
Y
kK
OS
O
XV
YS
SL
K
O
P
R
K
US
P
LO
R
KY
QRS
LY
R
X
a
R
]V
V
_
R
S
MSK
V
.
}
O
K
Y
P
X
L LMS
L O
P
K
L
[NO
V
QR
.
KXVY
LR
a
Q
V
RS
R
V
K
LU
kK
Q
Ue Y
R
Yf
V V
_
MS
OS
XY
V
YW
]
LOa
Y
V
1.2
{
[
S
Ua
MSK
YS
X_
Ua
R
M
aL
`
M
L
We
XOS
a
QRa
Q_
R
]V
1.1 ,
a[
S]
S Y
V
. K
_
O
LY
Q
.
X
a
.
fL
`
U
S
OS
OfK
X
aN
P
»
.
Uf
V
K
,
K
. QRS
]V
Y
_
LU
Q
LOa
X
a
a
O`
NV
MS
S]
X
W
P T
S
V
O MS
Y
,
KY b
N U[
NV
V S\
L
_
L
We
QRS
f
Y
NK
S
Ya
LY
AVP (Password-Stealing-Ware).
KY
Ya
). U
a
VW
»
{
SL
[R ^
M
O
VWe
XP a
Y
P
X
RS
MW
,
z
LkK
X
QRa
X
[
Y
a
O` X
Y
kK
b
Ra
2
{
5
, ),
K
( aY
,(
OS
P
KQ V
R
V
_
O
X
,
OS
K
ca
(
RS
P
_
O
2. Backdoor –
S
U
Oa
Rf
S
XV
X
W
S
K
U
S
K
(
}
ca
XV
N
Q
S
,
K
V
V
KY
YW
RS
Ra
—
z{
LMa
'
&(
&
L
[R
^
R
V
Y
»,
OK
V
,«
Sb
X
a L
M
S
a
W
«
}
'
S
YW
W
PSW-
y
X
WL
QR
N
Y
N
a
f
1. PSW-
Q
S
4.
}
{
{
_Ke ^
.
{
y
{
}
3.
{
~
,
2
z{
13
» [9].
-
, -
-
. [8,10,11]:
.
-
. -
-
. .
%
. Back Orifice #
6
$
#
#
!7
!
/
(
(7
8 0
%
#-
%!
& .
6
4 #.
,-
!+%
*
&
!
()
XR S
L
KN
.
S
V
QR
V
V
R
MS
Y
KYV a
K
S
_
O
Lca
L
+
fK
Q
S
L
O
\V
.
%
#
U
(
,(
+
) '
*
( NOS
a
S
Uf
S
KQ
S
k
YKe
SL
W
c
b
^
V^
[
L
Ke
L
KeX
_
K]
a
NY
Q
S
MS
We
S
PK
Y
Z
Mf
O
MS
V
M
K^
SL
R
L
[R
S
k
aL
`
U
R KL
S
O
a
XW
aL
KY
S
Y
e
SL
WT
L
O
e
MS
Ma b
V
Y
a
a
KY
OS
RK
M
V
Y
Xa
P
L
R
L
[R
P
Y
a
Lk
U
LOa
\
a
S
K\V
US
V
V
N
f
f
V
]OS
^
S
a
V
YK
P
LOa
X
[ L
S
Y
a
V
YW
_
U
Y
X
L
WeQ k [
V
O
U R
V
V
K]LV Y
d
W^
S
L
N
f
` aL
LOa[
T
KLO
LRa
k
LMW
N
R
[
_
S
a
W
a
V
a
PK
R
eV g
P O
RS
LMK
M
T
S
S
VK
YW
Q
S
X
S
MSK
KeY
OS
QRa
N O
X
MS
V
S
K
S
).
&
-
$
)
#
'
+ (
*
)
K]
a
Y
S
O
VK
R
Mf
O
V
_
NO b
^
a XMa
LOS
KY
S
V^
f
V b
[
Z
b
( X
V
O
k
Oa
]V
V
X
W
fQ
SL
L
RK ^
YS
T
S
RS
KY
cf
OS
WeX
S
N
L
X
S
[
WeQ
S
Y
a
L
KeX
]
aL
Q
W
S
OS
WeX
S
RS ^
N
R
S
]VK
U
_
O
L
We
Ra
KeY
OS
LY
Q
L V
Sb
NOS
X
a
]V
PS
Y
KX
a
LOS
YK
a
aL
`
M
a
Ya
LY
MW
YW
OS
V R
U Of
.
L
L
[R
ca b
We
S
N
S
K
S
P
Y
L
O`
P
RS
KT
S
LUS
Y
U
RS
S
KLP
W
Y
OK
kK
M
U
L
O
P
O
MS
V
Oa
V
V
U
V
R
QV
US
LU
TR
QRS
OS
O
V
U
V
XR
ab
Rf
a
LR
eX
X
V
O`
P
RS
K
_
R
V
U
L
[
Lca
a
U
S
WX
[P
N
W
NOS
T
S
X_
V
O
S]
K
S]
K
Uf
S
KQ
S
P
Y
KV
f
[
WeQ
S
Y
Va
O
Ma
Y
]V
a
KLM
QR
U
_
O
KV
LU
U[
SM
c
a
P
Y O
NV
a
LOS
KY
X_
XV
b
K\VR
KX
QRa
V
YW
S
U K
S
K]Y
a
Q
S
T
S
V
XY
NV
\
V
Ua
P
O
MS SL
[
S
MK
S
S
KT Ua
aM SL
W S
LMS
O Y
RS
YK
LP
P
U
P
Oa
\V
O
LO
XP
[
Y
U
LM
[
L
R^
S
YS
150Kb.
&
/-
%
_
,
&
/3
2
«
*
/
V
K
La
(
,
QR
K
S
a
S
MS
QR V
X`
S
k
LOa
Q
U
,
6
Oa
?
&
]V
)
+
,
WQ
SN
V
QR
V
O
NVW
V
P
N
W
KNM
f
QRS
b
MS
V
Oa
NOS
PS
Y
KPV
X
W
P
R
QV
Q
RS
L
O`
P
RS
K
Oa
X
kK
P
NVW
V
QR
VS
O
U
LU
TR
QRS
.
-%
%
» #.%
^
b
\OS
US
,
)
$
/
[
YS
Q
S
Y
'
*
,
Uf
OS
a
YK
QOS
f
YW
_
U
Y
,
k
MW
K
b
(
'
MS
Z RZ
]
X
S
Y
L
W
_
LU
Y
1Kb
&
#
%$!"
S
V
O
S
KY
QRS
b
+
,
,
U
V
K
a
W
a
LU
L
KeN
,
!
%# (
%
,
L
–
&
BO (Back Orifice) .
MS
P
X
_
LU
+
Ma
SM
K^
S
.
/-
&
%
,
%
!
U
V
UW
a
YK b
Y
,
3
&
V
QRa
NV
b
a
U
N '
a
X
&
a
d
KNY
S
V
O NVW
Y
.
#&
1
L
X
'
LM
O
VK
R
-
/
6
(
-
K
La
K\
a
V
Oa
_K ^
f
.
/
#
)
0
#-5
.
$
a
KNY
V
W
(
S
S]
K
, ,
(
"!
%
#
(0
/
LP
[
LM
YW
Q
a
YK
OS
-
3
'
S
P
+
+
:
6.5
0
%
(2"
2
#
(
#
http://www.viruslist.com/ « . . #
!+
#&
(
KT
S
R
XV
,
#
!
#
,
#
,
/
Oa
V
,
,
5#
!2
MS
P
N
W
,
&
,
,
!
#
&
&
%$Internet
!
%
/
#
%
!
1
/
1.2.
(
#&
(
!
%
$
»,
(
%
!
%
6
%
14
.
-
,
-
-
-
.
, , -
-
1.2.1. Backdoor.BO, aka Back Orifice Trojan
-
Windows
).
0
% !
-
8 #.%
,
&
-
-%
%
)
&
,)
!
%!
62
#)
%
#-5
!
#
,
2
-%
04
!
%
!
#-
.
/2
!
#
,
& -
62
()
/
%
!
%
#
-
(
%
.
",
%
,
)
.
0
(
! 6
%
$
) -
#
-
()7
/
#
/
#
/20
$
&
(
#
#
,
&
4
()3
(
%
)
78
%!
!+
#&
«
#$
-%
6
,
%
,
,
/
#
,
!
%!
(
!
!
#
6.
#
,
&
&
/-
&
,
.
/
#
6
/
-
#7
*
$
(
/
#
,
#-5 6
&
5
!&
(
#
7(
.
#-
.
/2
%
6
(
#
63
%
62
6
(
#
7(
.
8
'
(
,"
%
#-5
,
!2
#
$
6%
6
(
#
/
#
(
(7
.
MicroPortable Executable -%
6.%
#
,
%
!
%
,
.
,
,
&
!&
(
#
$
#
&
/
2
7 .
!
$
+
!
#&
(
0
!2
.%
!
62
6
(
#
7(
.
'
!
%
+%
4
!+
#
+
-
$
/-
&
!
%
/-
(
.
)
#
#
7!
!
-
$
)
&
-
$
(2
,
#
(
!
%
#
-
(
%
.
!2"
/
%,
,
.%
/
/)
)
#
#&
3
(
!
,
.56
#
,
-
(
.
()
%
)
(
'
6
%
/
&"
/
%
$
#"
%/
#
!
%
#
#
",
%
,
!
%
$
/2
#
#
7
#-
4
4
!
,%
6)
6
(
#
7(
)
.
.
)3,
!
#&
(
!)3
$
(
0
%
%
+%
&
-
-
!
#%
& /
,
,
()3
+%
%
%
,-
6)
6
(
#
7(
.
% !
$
(
.
)
$
(
.
$
!
!
#
,)
#-5
,
#
.
)
8
#
7
*
+
-
$
/-
6
)
!
#
!
#
6
#
0/
(0
!
(
!
#
(
3
6.5
/2
(
(
3
6.5
#
,
6
#
!
!
-
,
$
#
6
6%
,)
!
%!
#-5
4
-%
%
%
#
!
-5
,
#
-
62
, #)
-
!
%!
0
62
#)
-
0
%!
%
(&
#
.
(
/
&
#
%$/&
#
$
(
.
!"
(2
'
(
3
6.5
#
,
!
/2
(
(
3
6.5
#
,
!
)
!
!
#
6.
#
,
#
#
,
,
(
$
$
&3
/-
&
-
0
5
-
(
$
& 0 #
)3
62
,
)
(
%
.%
(
,
#)
-
0
&
!
#
BOSERVE.EXE –
&
-
Windows, 0
,
%
!
2
()
&
/-
&
6
#
-
/
# 8
(
!
/
#
!
(
6$
2
.
%
3
%(
()
/27
#-5
)
!
.
0
%
-
8
#
#
7!
!
(
%
.
&
&3
#-
!
/ 6
(
,-% (2
#
!
1
#
-5
)
0
,
%
/
#
3/
6
( .
#
7(
! %
» » (=
,
(7
%
$
(
2
,
8
/
%
3
-
$
#
*
,
/
#
0
.
6
*
.
%
#.
Windows,
%
6&
.
/
,-%
/
/
#
,
6
. BOCONFIG.EXE, » BOSERVE.EXE ).
&
4
«
/-
#
!
,-%
&3
#-
$
/)3
«
#
.
– ». %#
$
/
#
0
.
!
%#
8
(
,
)
,)
C++
,-3
7
/
#
/
#
-
/
(
/
( ()
8
6
#
(
/
(
».
3
#
7
%
%
(
)
*
0
0
%
"
%
/
2
'
,
#
5
#.%
,
#
%
0
-%
!2
!
4
4
(%
#
76
B ck Orifice Windows.
,
#
-
/3
,
6
+%
!
%
(
%
.
!2"
#
#
#.
-%
,)
-
&
!
,
#+
( (
!2
!
#
!
6
-
#
6.
«
6
()
!
%
+
8
,
,
.
'
",
!2"
,
%
#
#-
#
#
,
%
#
3/
/
/-%
!
)
6
6
(
#
7(
.
&
!
!
4
8
#
! /
( !
#
,
,) 7
!
%!
62
#)
-
0
&3
#-
/
#
0
.
-%
&
!
%
/
#
(
(
%
!
%
6
%
$
#
7!
%
#-%
!
#
,
#
!
24
#
#%
6
#
.
(
%
.
(2
3
6.5
#
,
%
)
5
#
(
$ #-%
) (
,
.
62
,
/%
&4
4
%
6
, $
)
(
),
)
.
#
!
#&
!2 !
$
!
!
%
8
/
«
(
/
/ /
#
,
%
%
/2
8
.
#
0
&
/
%
$
)
5
&
%
(
6.
#
,
/-
«
%
-
8
&
!
(
%
,
» », . .
/
()
#
,
,
)
.
0
6
(
7
. soft Visual C++.
,
/
(
%
%
/
.
)
»
,
#.%
",
%
#-5
%
-
,
-%
6&
WINDLL.DLL Windiows API, , %
#
(
(
(
,
« «
+
!
#&
.
»
(
(
6
«
/
&
15 -
-
,
, -
.
Win32. -
. ) -
-
-
/
"
$
0
6&
#%
(
$
#-%
(
!
!2
$
(
#
.
(
%
.
62
#
%$/
/
2
-
8
/2
#
#
!
#
6
6
!+
(
(
!2
6
%
()
+%
%
/
(%
$
#$
.
2
8
&
/-
(
.
#
%
/
/2
#
(
%
(
8
#
7
,)
!
%
!
/
#
(
, %
#+
(
.
!2
!
,0
)
()
/27
&
/-
( /
.
# 6
+
%
$ -5
)
#-
.
6
/
/
#
#$
.
; 11)
.
)
#
76
6 (
$
#&
(
5
#
(
#
%$6
5
-%
/
#
0
(
) #-5
.
%
#
&
-
/
#
/
/2
#
,
.
)
#
7
-
2
/2
(
3
6.5
#
,
/
%
/
0
-
8
#
/2 /
-3
!&
#-
.
/2
-
8
,-3
#
!
%
#
)
!
%
)
,
,
,
$
#
0
-
8 4
6
!
%
(
%
.
2
#
.
, #
.
(
,"
/
/2
#
!
6
(%
/
!
#5
,
,
3
,+%
!
,
)/
0
/
(2
7#
%(
,
#
%
&
(
#+
(
.
!2"
/
; 9)
.
%
.
,
%#
,
!
!
%
(
-
2
/2
/
(
TCP/IP; 16)
6.5
#
)8
%
,
(
3
.
%
()7
$
&
/-
%
6
/2
%$! .
/%
#+
(
.
.
%
6&
(.
6
(sahre); 3)
%
6
,
,
%$.
)
&
#
)
!2
!
/-
#
!
)
62
%
%(
/
$
!2
!
-
$
)
(
(0
(0
(
#
%
#
3
+%
6
(
#
!
%
8
%
-
/
#
0
#-5
&
/
%
$
%
)3
$
-
!&
#-
.
/2
+
!
#&
(
.
2
!$
6
#
,
#
%
#
6
%
/
%
0'
(
3
6.5
#
,
!
6
%
-
2
/2
%
!
,-%
#
7
$
/
6%
#
!
!
/
#
(
%
/0
&
3
$
(
.
2
!$
6
#
,
2
,
#
8
#
%
#
!
!
-
$ !
%
# )
#
-
!$
(
.
, 6
.%
/
,
%
-
2
!%
,
#
#
, #
$
6
0
!
%
#
#
7!
/
/
,%
).
04 ("
.
(
)
$
5
#
( #+
4
!
%
.
&
!
/
#
!
3!
%
#
-
(
%
.
#
(2
,
,
,
%
6&
#
0
!%
#
%$/ .
/ &
2
/
("
.
+
!
#&
(
#
%
,
#
6
#-
6
)
#
.
/
#
,
Windows ( Windows
#&
,
5
24
"#
%/
,
#
6
(
()
-
$
(2
#
#
,
.
; 5) ; 7)
()
#
/
1
-5
/$
)
#
67
6.5
#
,
0
%
)0
(
(
.
!
#-5
(
.
-
,
()
6
,
6
#
!
!
%
!+
!
%
.%
5
&
!
4
0
#-5
.
,
(
#&
(
5
(
%
%
!
!
6
#%
-%
6)
(
/
#
#
.
!
&
/
(plug-in).
(
#.
(
, Data Fellows Ltd. – «PennyTools Trojan») America Online. #
,
%
(
%$#
.
*
(
.
,%
#
/ ; 8) ; 10) ; 12)
7!
%
,
/
#
&
#$
.
#%
6
#
.
,
&
,
#
#
(
,
6
(
)
!2
#-
/
0
/
(
ScreenSaver ( MessageBox; 14) / / HTTP Web); 17) , 2
#-%
(
%
-
8
,
/
$
24
(
!
%
#
%$
.
!
#.%
,
/
6
/2
#
(0
#$
/
#
#
0
6
#
6
/
%
/
(2
/
/2
#
,
%
-
-3
,
(
.
,
#.
,
#
7
,)
31337)
%
62"
/
,
# 5
&
/-
.%
; 6)
/
6
-%
-
!
(2
("
,-3
, . .; 2) ; 4)
#
0
#-5
,%
(
+
!
)
/
(
,
,-3
#$
1
!2
,
.
-
» %
#&
(
.
)
.
5
.
#
(
(
.
),
!
(%
/
(
18)
!&
#-
.
.
)
:
$
#
0
%
,-
1)
/
#%
6
13) 15) – (
()7
«Trojan.Aol.Buddy» ( Internet
«
#$
.
/2
16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\RunServices. -
. : -
, -
-
); ;
;
. .
-
1.2.2. Trojan.AOL.Buddy
[email protected]
4
/2
!2"
!
#.%
0
[email protected].
&
#
&
,
)
.
0
,
#
#
#
#
"#
!
!2
!
$
/2
#
,
4 (
#$
-
8
(\Windows\Start Menu\Programs\Startup) AIM REMINDER.EXE. ,
%
()0
7
/
-
#
#
7
(2
,
,
)
.
&0
&
/-
+
!
#&
(
-5
/
#
0
#-5 -
24
#
,
/
#
#-
/
6
-
,)
%
#
,
#
(
%
6
!
6
6%
6
%
)
$
6
#
#
!
/
#
8
(
#
/
%
2
)
*
5
$
/
%
)
)
(0
.
4
#
$
#
76
!
+
8
!
(
!
#
-
8
0
%
#%
6
#
.
(
-
8
#
,)
#
(
/
,
)
.
0#
!7
/
&
&
/-
4
#
-
8
&
!
%
!
6
(
/
*
!
(
%,
#
#
7
*
,
)
.
(
/
* !0
!
(
%,
!
6
#
6
/
&
,
-
2
%
!
6
0
%
#%
6
#
.
6
%
#
!7
/
&
!
8
(
%
&
&
/-
4
#
-
7 #
#
(2
,
,
)
.
0
&
-
$
!+
#&
(
#
#
7
*
#
-
-
8
/
#
7
(
#$
4
,-3
(
(
#
#
7!
6
%
#%
6
#
.
0
(
%
&
!&
6
!+
#&
(
%!
%
-
$
)
(
%
.
#
!
$
()
!2"
-5
!
%
(
(2 #-
3
6.5
#
,
!
#.
$
&
!
%
$
#
0
&
-
&
!
( %
$
!
/
# ,$
24
#
# /
-
)
!2"
#
. -%
%
)3
$
(0
5
&
#.
!
!
6
( -
&
/
#
)3 !
0
#-5
.
#$
%
)3
0
%-
,
62
&
$
#
0
#
/
WIN.INI :\Windows\System\NortonAntiVir\REGISTRYREMINDER.EXE "RUN=".
,
%
(
SYSTEM.INI. C:\Windows\System\WINSAVER.EXE. .
!2
!
-
$
(
#.
#$
,
- 0
/
8
,)
.
#
WIN.INI. C:\America Online 4.0\BUDDYLIST.EXE , 80 , .
%
&
!
,
)
.
0
(
%
)
!+
#&
#
.
%
62
%
/ -
4
!
VCLCNTL.DLL, , Windows , .
/
#
!
!
#
+%
(
#.
2
#
(
(
&
1
7
(2
,
0
Windows. C:\COMMAND.EXE,
#
0
#-5
.
#-5
(
.
6&%
%
-
2
#
.
%
#
%
%$!
#
\Windows\System DLL , .
6&
(
/
6)
$5
7
-
.'
-
$
/-
.
merica Online
!"
#
%$#
!
3
# 6
&
,)
#
(
"LOAD=". "LOAD=" ( )
6
&
,
/-
5.
/
'
4
#
$
4.
)
0
%
3.
6
!2
/
62
%$2.
6
#-5
.
%
1.
(
#
7(
,%
17 -
: RUN
,
18
-
C:,D:,E:,
.
:
,
autoexec.bat
1.2.3. Macro.Word97.Trojan.Tvangeste [8]
,
World War starting now! Tvangeste v 1.0 3rd World War.
: 3rd World War.
md c:\atp_tour md c:\atp_tour\kafelnik.001 md c:\atp_tour\sampras.002 md c:\atp_tour\corretja.003 md c:\atp_tour\rafter.004 md c:\atp_tour\moya.006 md c:\atp_tour\henman.007 md c:\atp_tour\rios.008 md c:\atp_tour\philipou.009
autoexec.bat
\").
:
«
» , MS ( "C:\Program Files\Microsoft Office\
,
,
del normal.dot
Word
:
autoexec.bat
cd C:\Program Files\Microsoft Office\ ren kafeln.dot normal.dot.
\kafeln.dot"
"C:\Program Files\Microsoft Office\
Tvangeste.b
124,005 ARJ 2.41,
3.0
:
(Zip2Exe) –5
. :
%WinDir%\System\Krnl40.dll %WinDir%\heak.exe %WinDir%\ki.ini .
1.2.5. Trojan.PKZ300b [12] -
Windows
PkZip 2.04c,
,
.
-
WhatsNew
178,981
WHATSNEW.300 2,417
5,328
"key.dl" Windows (%WinDir%).
2.04c
COMPRESS.000
3 1999 3 1999 Tvangeste v 2.0 Kafelnikov.
PKZINST.EXE
PKZ300B.EXE
,
,
19
md c:\atp_tour\kucera.010 md c:\atp_tour\krajicek.005 subst k: c:\atp_tour >nul
: 1!!!!!!!! 1!!!!!!!!
1.2.4. Trojan.Spy.KIM [8] -
PKZip.
N,
,
«
.
– PKZINST.EXE.
Thanks for waiting, DOS.
[Ctrl]+[Break]. ;
C,
,
101
FILE_ID.DIZ
116,260 ARJ 2.41
COMPRESS.001 DOC-
Reset
– DOS
Y DELTREE. –
.
,
[Ctrl]+[Break], moron. You shouldn't have fucked with us
-
»
20
,
– Pkzip 3.00b.
PKZIP Install Utility Version 3.00b 4-05-950 Copr. 1989-1995 Pkware Inc. All Rights Reserved. Pkzip Reg. U.S. Pat. and Tm. Off.
Initializing, this may take a few minutes....
:
COMMAND.COM /C Format c: NULL
COMMAND.COM /C deltree /y c: \ NULL.
WARNING: ALL DATA ON NON-REMOVABLE DISK DRIVE C: WILL BE LOST!
Proceed with Format (Y/N)?
-
, SCRIPT.INI, . SCRIPT.INI
mIRC,
NULL
IRC-
C:\MIRC). C:\DOWNLOAD,
,
Trojan.PKZ300b
, NUL.
(
mIRC
.
:
,
,
mIRC (
DOS User's Guide DOS.
.
-
.
NULL,
mIRC
,
DCC mIRC.
,
dcc
SCRIPT.INI Windows), IRC-
,
,
Active X. Active X Microsoft: – OLE (Object Linking and Embedding) – COM (Component Object Model).
,
1.3.
AVP
IRC-
21 -
, N
. -
1.2.6. mIRC SCRIPT.INI [13]
-
IRC.
-
-
SCRIPT.INI
.
Active X
-
:
,
webOBJECT.
,
,
Active X
.
OLE,
.
.OCX.
Microsoft),
. Active X (
Active X,
,
,
,
, ,
OLE
,
.
Microsoft, .
OLE
. Active X
(
,
.
) Active X
.
Word.
,
, ?
Active X,
,
. OLE-
(
,
«
,
.
web-
.
Java,
,
,
1000
-
,
,
:
,
,
,
22
Active X – Internet. Excel. -
.
. -
-
.
-
-
). -
.
-
,
».
Active X.
,
,
(
.
ActiveX . Microsoft , , Java , Java VM Active X
VBScript JavaScript
Web1000
-
,
,
,
(
Java.
) Windows 95
.
,
Excel). ,
,
«
.
Active X – (applet),
C/C++, Visual Basic, Delphi Active X Active X Web, HTML ( Word Active Scripting – Visual Basic JScript ( Microsoft),
Java Java Virtual Machine (VM) –
Java. Active X Server Framework – Web.
, Netscape.
Microsoft, (
[8],
).
,
Fred McLain 1996 Internet Exploder, ,
Sun Microsoft
OLE).
Microsoft Authenticode. »
,
•
•
•
•
•
23 .
-
.
-
-
,
.
-
, -
. Mi
). Active X
,
Imple
:
Active X :
, Active X. , Safe
, Microsoft ,
?
-
.
,
,
.
.
-
,
.
,
,
.
,
,
? mented Categories 7dd95801-9882-11cf-9fa9-00aa006c42c4.
,
,
,
.
»,
.
?
.
,
, Microsoft,
,
(
,
,
.
.
,
?
ACTIVE
,
for scripting (
«
,
.
crosoft, ,
24
,
. -
).
,
X
. . ,
-
-
,
-
-
.
7
, , Active X ,
5
*
-3
2
/
$'
1
0%
,
#/
+%
#
$*
%
-
(
+
%
-
(
+,
)*
%
&'(
%$.
!
. .
,
.
8
,
.
,
.
4
"
,
#
,
,
7
6
»,
Local Intranet ( ). Trusted Sites ( ). Internet ( Internet). Restricted Sites ( – Local machine, ( IE Administration Kit). Internet “.”, . , ,
7
« Java,
Internet
.
.
9
.
,
,
.
.
:
1. 2. 3. 4.
.
,
1.
25
, -
.
1.3.1. -
-
Active X.
: -
). -
-
.
-
.1.1.
Security (
9
.1.1).
Internet Properties,
26
. -
,
.
4
?»
.
7
6
Custom Level. ,
,
:«
,
.
Internet,
,
,
,
, Active X.
,
.1.2.
(
:
27 -
.1.2).
Internet
-
,
.
!
!
!
.
.
.
9
,
9
,
:
,
Internet
.1.3.
,
,
28
-
.
Outlook Express
-
, Active X.
.
4
!
8
!
,
,
. .
Active X),
,
:
4
9
9
.
,
,
.
!
,
4
9
9
Microsoft,
,
,
, Active X
.
.
security
,
,
,
8
,
8
.
,
4
options
,
?
,
Advanced,
,
.
-
-
9
Tools
,
. Active X
,
,
,
,
,
(
7
.
(
HTML,
Outlook Express,
!
.
,
,
Outlook
-
.
.
4
,
,
net
29
. -
-
.1.3.).
Restricted Sites.
: Inter-
-
-
. .
-
-
-
. -
.
"
». !
!
!
–
)
'
9
9
.
+
!)
+
)
,
(
9
9
Microsoft,
-+
7
,
%
– '
&*
!
!
9
, .
"
,
.
"
(
'
,
,
&
,
!
Active X.
Active X. .
-
,
,
,
Office
,
!+
%
,
.
.
$
,
,
. « #
1.4.
*
,
2.
!
"
9
8
30
-
.
Safe for scripting
-
-
http://www.microsoft.com/technet/security/bulletin/ms99-32.asp
http://officeupdate.microsoft.com/2000/downloadDetails/Uactlsec.htm .
.
). -
-
-
"
&
"
"
#
,
&
-.
)
)
%
#
%
&
#
#
+
,
&
!
#
#
*
#
,
Windows, . javascript,
#
#
%
,
*
+
&
%
*
#
(
)
'
$
(
)
%
&
, Microsoft Internet 12 1999 . ,
&
%
"
"
!
#
$
-+
"
"
(
+
-
*
)
+
"
"
&
*
(
"
, +
"
"
-
(
$
&
+
*
-
$
(
+
$
$
+
)
"
!
"
"
*
"
(
$
"
*
"
!+
"
!
*
"
!)
+
)
"
)
"
'
+
(
-*
(
"! '
$
!)
+
+
"
$
+
$
"
$
"
!
!
"
%
"
(
%
"
*
"
!
+
"
"
+
!)
$
(
%
"
)
"
-
zip
"
&
3
+
2
, , Buffer Overflow ( Windows
)
-.
.
[1].
1
«
AVP
.
,
%
%
-
)
(/
.
%
-
#
,
rar ActiveX-
"
*
,
%
Microsoft Internet Explorer . WINSOCK.DLL -3.495.123.11a
)
,
#
.
.
.
-.
.
-
0/
/
,
Word
,
WINDOWS
Microsoft Microsoft Windows, Explorer,
)
,
,
%
,
,
"
),
,
-
%
.
.
'
,
-
, win98-42332113.exe, 21645 Bytes, 312312A
&
31 ,
-
. »
:
From:
[email protected] To:
[email protected] Subject: Microsoft Corporation Update. !
-
. . – -
.
CRC32:patch-i386-win95-
, ,
.
"
&
!
-
(
!
(
+
"
(*
&
(
"
!
*
(
"
&
(
* (
(
"
"
"
+
)
*
+
)
+
#
&
"!
"
)
"!
!
)
!$
*(
!
(
!+
+
"
!
+
+
(
-
+
"
+
*
$
$
*
"!
%
+
"
(
&
&
–
)
"
'
&
.
-
"
.
( 90%
(
'
+
$
(
$
"
"
, Windows.
(
?
%
!
)
(
(
"
"
)
+
)
(
"!
"
*
"
!
+
"
)
!$
$ ,
"!
$ ,
:«
(
"
)
!
*
,
&
$
"
!
)
'
,
!
*
?
!
"
)
"
?
$
).
+
,
!
!*
(
)
$
.
-
'
)
(
+
$
" "
)
"
.
#
"
!
+
*
+
,
.
&
$
!+
+
(
-
$
?».
Trojan.WebMoney.Wmpatch :«
*
»
*
.
,
)
&
*
$
,
!$
"*
*
+
"
,
-
&
«
!
+
»
%
!+
-
"
*
(
)
,
$
)
DLL. , , . .
"
"
,
,
1.5.
+
,
, 3
«
3
(
, : http://www.yahoo-greeting- ards.com/****/viewcard_680fe23d52.asp.scr ».
,
.
32
.
Microsoft -
.
.
-
-
HKEY_LOCAL_MASHINE\SOFTWARE\Microsoft\Windows\CurrentV ersion\RunServices.
, -
.
.
,
!
! "
-
"
#
%
!
"
!
"
"
!
"
(
».
.§ 3.1).
!
!
"
(
, Windows).
'
!
%
2.
\
#
" load).
run
"
!
#
%
"
)
"
,
.
-
#
+
.
*
3.
\
( ). win.ini system.ini (
:
,
(
!
AVP
!
!
&
"
" "
(
$
-
"
« ),
(
"
#
,
),
.
,
1.
33
,
: PATCH, : C:\ WINDOWS\ PATCH.EXE /nomsg,
-
.
(
HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunOnce HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Runservices HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunservicesOnce HKEY_USERS\ .Default\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run HKEY_USERS\ .Default\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunOnce HKEY_USERS\ .Default\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Runservices HKEY_USERS\ .Default\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ RunservicesOnce,
.
.
"
!
"
!
!
"
"
,
&
"
"
!
"
!
"
!
"
"
"
!
"'
%
"
"
!
%
"
Kernel32, 1,3.
,
!
!
#
!
%
. Visual Studio
,
"
,
!
.
,
(
-
!
!
!
!
3).
.
#
,
"
"
!
,
"
"
.
. '
!
,
!
!
.
%
"
. §3.2),
#
!
"
"
BackDoor (
.
!
, , Process Viewer Application. , , ?
.
,
!
"
(
"
(
!
"
,
.
,
"
,
,
.
-
!
,
(
"
.
#
,
%
.
'
-
.
"
.
"
%
,
,
"
.
+
!
6.
5.
4.
"
,
?
1
!
!
"
,
"
,
.
34
-
-
-
login. -
-
-
-
-
-
-
. , 91
0
?
4
6
9
N
1
7
?
67A
9
6
>
8
=
3
;
=E
5
?
A
:
1
4
6
@
7A
1
01A
<
0
6
D
1
7K
?
=>
4
4
1
=>
<
2
6
=
4
5
2
O
4
8
?
G6
A
5
=I
0
97
6
0
9
H
?
=
A0
12
A
:
4
6
@
7A
9
@
7
?
7
?
6
2
0
?
A
:
41
<
13
F
. 6
J
?@
6
A
7
15
A
?
5
6
6
A
67
0
H
H
=
>
?
=>
<
2
41
6
4
=
4B
6
@
7A
=
>
?
<E
;
0
1
4B
6
@
7A
4?@
1
=>
<
2
8
6
9
;
$,
+
%
"
"
"
"
"
%
$
Alps6 ,
6
@
13
=
8
<
2
;
S
0
2
6
4
97
=
4
A
6
=
3
=
3
#
#
,
5
4?
. =7
0
6
8
8
6
7
Q
5
4?
01
?G
A 6D
)*
'(
"
"
,
?
7A
1
7
9
U
=
4B
6
@
,
7
9
=
@
7
.
.
6
6 3
0
<
1
T1
6
@
A
6
2
=I
(
2
9I
1
:
=L
9
<
5
NR
13
=7
H
4
9
@
7
0?
,
7K
K
E
6
=
6
7
7A
=
>
OP
4
6
6
A
67
0
A
6
D
6
4
=
6
9:
1
$
&
"
%
, ,
?
97
?
6
9
5
2 6D
Q
O
N
H
0
5
1
7K
97
A
:
=
4
@
9
,
<
7
F
?
=
2
4
F
=:
G
0
>8
=
M
L
?
=1
6.8
67
%$
.
D
4?
<
1
7
?
<E
=13
3
?
1
4
?
=>
<
2
<
A
0?
415
"#
!
"
,
=:
1
7K
9
5
, .
G
9
@
12
9>
<
7
<1
.
6
13
?
;
0
97
.
1
. =7
4?
6
=
4
A
6
41
=E
4
4 8
=
9>
6
?
47
=
13
012
,
D
67A
?
=
2
4
2
0?
0
<
7
9
?
6
A
7
15
J
?
9>
C
-
Internet,
1
7
?
6
2
3
:
autoexec.bat
6
N
=
4B
0
8
?
9>
=
?
A
:
4
1
=E
=
A
41
).
9
6 3
=I
4
6
6
@
7K
1
3
=
3
6D
6
4
0
=
75
6:8
3
9 5
0
@
6
0
6
./
.
3
9
K
1
7
?
4
6
1
3
?
6
A
<
1
9
5
?
A
?
2
9
@
7
?
6
2
7
.
6
:
6
3
67
<
G
7A
0
;
3
?
A
:
5
6:
4
G
0
=
7K
H
=I
6
D
1
.
5
=
4
A
41
:
1
6
@
91
;
=
4
@
A
0
6
?
=>
<
2
9
K
1
7
=
4
4
6
,
1
A
=D
?
>
,
1
2
D2
6V
W
6
2
I
6
=
2
4
97K
6
A
?
6:
9
5
6
4
7
:8
,
7
G
1
?
=7
0
6
A
7
=L
0
9
<
5
=7K
7
41
;
>K
1
7
,
1
E
1
1
7
4?
,
E
J
I
6
2
4
8
41
6
A
0?
=E
5
13
=13
A
?
0
8
0%,
6
1A
. =
4
2
0
6
6
3
=:
:
=
9
8
?
7
?
47
=
4
6
@
,
3
0
4?@
41
1
?
.
8
6
D
1
5
=V
97K
4
6
4
F
6
7A
67
@
I
,
=
=>
7
F
G
?
5
, ,
<
3
6
6:
A
:
=
?
9>
C
=7
97
6
2
,
=F
7K
6
6D
3
?
4?
1
4
6
6
7
F
4
8
.
4
6
?G
6
7
6
9
<
8
A
0?
?
B8
,
0>@
=
1
7
3
=
1
F
L
>
0
5
6
3
2
.
3
97
4?
=
6
2
4
=
9
?
6:
A
:
.
9
? 67
J
6
4
5
41
G
=
30
6
7
F
,
7K
@6
A
6I
9
?
1
7
?
7A
.
A
<
<13
7
01
6
U
1.6.
07
6
J
9
1
1. , ,
:
13
F
6
. . 9
@
2
7
2. ,
7
1
2
?
A
:
35
-
.
, -
.
-
RESET [14].
,
-
, .
9
@
. =
, 6
4
9
H
B
9
@
1
0
3
=
=
G
4
9
<
A
0?
?
47
=
0
6
9
1
A
=
2
I
6
6
3
:
41
6
7
1
E
?
9>
<
6
=>
E
=7K
9
?
=:
4
6
;
6
4
K
=>
?
B
1
9:
=
8
6
7
.
<
A
0?
?
8
<13
4
1
;
S
;
=
3
1
4
8
=
3
>
15
A
1
0
8
?
>
6
=
4
G
H
6
A
?
>
?
=
015
6
>
1
F
6
6D
6
3
=
4
5
41
G
67
6
3
=
3
6D
A
A
:
6
4
9
H
H
4?
6
5
1
?
9
4
5
6
@
7A
?
=
=>
=F
4
?
1
4?
1
E
6
>
?
A
:
6
7
1
7
4?
=
A
6I
9
6
6D
6
3
=
4
5
6
G
D
1
6V
6
A
I
6
D
1
=V
0
67
6
@
A
9:
7K
8
<
7
6D
3
I
4?
0
;
=
3
9 3
K
?
:
5
4?@
1
E
6
>
?
A
:
1
7
=
0
8
A
675
41
?
0
6
?
9>
1
1
=E
2
,
47
1 A
<
4
C
<E
4
5
?
6V
9:
6
6
9 3
K
?
:
?
>
?
6>
<
A
0?
?
47
H
E
1
=
4
2
41
?G
3
=
3
6D
A
A
:
1
1A
7
L
K
:
6
3
=
5
4
@
91
<
1
7
=
9
<
5
=:
G
1
;
H
U
>
0?
=
A
:
?G
?
=
3
7
4
5
<
:
9
=
>
1
J
;
?
97
6
4
9
=
6:
1
G
1
5
4?
I
1
7
6
=
G
A
T
1
3
?
6
A
0
6
6D
:
9
@
<13
G
K
6>
9:
6
?
3
8
6
A
67
415
;
K
1A
:
1
61
5 6
=>
97
=
5
5 6
6D
7
1
9>
6
:
0
1
4B
6
@
7A
1
67
=
6
A
6
4
97
01
?G
6
7
F
Q
;
?
=
3
B
5
0
I
4
8
4
1
012
?
A
:
=
97A
1
1
A
=I
F
L
>
0
1
7
?
=>
2
4
6
@
7A
9
?
F5
6
97A
§ 1.5,
=
1
E
1
.
97K
6
K
,
6
7A
M
9 3
K
?
6
:
7
6
D
91
0
1
1
6
A
9
–
?
=V
>K
?
6
12
A
0:
41
6
5
:
0
8
?
>
–
4
U
9
5
:
6
7
=
=7
9
5
T?
@
=V
0
0
6
7
F
H
=
6
5
4?
F
6
R
>@
6
2
7
<
6
3
4
4
1
E
6
>
?G
1
V
0
8
6
4
9
=
>
6D
9
1
7
<
0
97
1
2
1
1
=>
H
H
1
6
3
A
5
?
>
1
2
0?
41
8
6
A
:
91
6
2
0
8
?
9>
1
91
0
413
0
1
7
=
A
?
97
6
7
,
0
A
AVP). 1
3
L
6
0
?
9:
0
6
4
=
1
A
=
2
6
,
?
M
M
9
=
4
=
9>
?
A
:
=
6D
7
=>
1
7
=
4
C
>
V
?
97
?
I
4
8
.
7
15
1
=F
1
7
=
3
9:
>@
<
2
67
6:
:
6
9>
?
9
<
8
.
=7K
672
0?
6
4
=
97
<
1
7
0?
=
675
=
9 3
K
9 3
G
6
D
1
1
A
:
6
9 3
K
?
:
-
4
7
<1
12
6
4
?
7
91
<
?
A
0?
4
= 8
7
,
?
;
9>
1
A
:
67
9
1
6
7
K
01A
6
A
:
autoexec.bat
8
G
1
4
8
;
= A
,
9
<
>K
1
=7
G
O
K
,
4?
1
7
F
6
:
@
:
7
?
?
«
7
A
0?
7K
12
A
?
:
?
=
=B
4?G
=
D
Windows 98.
=1
E
4?
9
0>@
2
1
=7K
9 3
K
?
:
1.
6
5
A
:
3. (
6
4
=7
97A
4?
6>
:
41
2. ,
G
<
7
9?
41
0
?
3
=
2
,
1
;
7
=1
D
,
A
6
1.7.
8
3
=
3
6D
A
A
:
,
3
7
<1
12
9>
3. .
=
3
6D
A
A
:
H
H
36
mode con codepage prepare=((866) c:/windows/command/ega3.cpi) mode con codepage selest=866 key ru,,c:/windows/command/keybrd3.sys .
[14]. -
,
».
-
-
. -
. -
$
$
5
?
=
3
>
<
G
?
3
?
=
5
9
?
9
5
1
F
?
6
<
3
=
3
6D
A
A
:
1
7
=
9
<
5
=:
G
9
@
7
=1
T
6
»
.
.
6
5 3
5
( 9
3
?
9
5
?
:
1
1A
:
?
5
T?
K
=>
0
6
A
?
V
=7K
0
6
M
Q
6
4
=7
>
9:
1
9
@
7
L
4
=
@
97A
6
;
?G
=
1A
M
:
?
78
1
=
5
:
?
7
91
?G
1
T?
=L
A
?
7
6
A
:
1
4
8
>K
1
7
?
6
A
G
6
2
9
@
7
4
2
1
6
3
15
7
<1
=
5
). », Tiny Personal Firewall, AtGuard4. .
5
T?
0
6
A
9?
9
=
7A
H
G
K
6>
9:
?
6
4
E
6
3
1
E
=
5
A
9:
=
1
4
;
6
:
7
=1
0
?
E
1
9>
67
=
3
=
3
6D
A
A
:
7A
>K
?
4
8
7
1
=
5
:
1
7
0?
6
4
=
97
M
H
R
41
0
?G
?
=
5
=7
1
=7
7
<>K
1
G
0
A
I
?
I
4
8
6
>
=
H
M
41
?
=V
3
6
4
4
=
=
2
4
41
9
@
I
T?
4
=
@
IA
0
4?@
1
2
E
1
0
A
6
:
=
9>
=
4
H
H
13
97
9?
I
?@
6:
5
I
4
8
0
1A
1
G
6
A
9
@
7K
?
67
=
6
G
:
1
41
=
=
A
G
1
V
;
?
6
5
9
A
1
4
8
>K
1
7
?
E
6>
6
2
A
:
41
6
4
K
6>
0
6
0
2
1
G
7K
?
>
1
12
A
6:
6
4
E
6
3
K
6>
=
A
:
=
4B
6
@
7A
?
>5
9
=
8
G
1
=E
2
47
1
6
3
3
4
8
4
=
=
2
4
;
H
K
6>
=
A
:
6
0
9
1
7
4
@
1
3
B
9
@
1
0
3
=
=
G
6
A
6D
4
6
2
1
E
1
A
1
=
5
5
=
5
7
H
H
U
,
=V
0
;
«
,
7K
1
2
0?
<
=
30
7
J
4 8
<:
97
,
)
.
78
6
A
:
1
?
2
?
1A
A
8
=
(
&
.
?
,
#
http://home.ural.ru/~guard/atguard.htm netstat.exe c «-a» «-n». &
!
,
%
%
$
=
2
Internet): «
/
.
.
#
AtGuard -
*#
6>
0
6
8. 5
5
G
:
6
7
1A
3
?
7. PGP.
1
G
1A
F
?
3
=
3
DA
6.
4.
,
"!
1A
7
A
=:
4
5. ,
*+
)
#$
§3.2).
5
(
%
4
('
L
K
:
37
. -
. -
-
,
. -
Studio. )
)
,L
$
'
$
%&
(
$
%
)
,
".
J
%)
"
,
.
,
,
)
,
&L
)
J
,
+
.
%
,
(
#
#
"
-
%)
.
,
!
#
+
+
F
>?
H
6F
4
C2
C
:G
B
6
0C
?
=
:C
20
>AB
2
5
=@
2
1
>?
6
:1
<=1
1
:; 7
9
(
536 #
,
.
8 7
536
(
)
)!
(
"
-
,
!
*
+
+
&"%
%
$
#
"
!
,
#
,
$
.
9
' '
6
CF
4
#.
D
=E 7
=
)
)
*
2
0
=
)
#
53
234
01 /
'
-
(#
Process Viewer,
$
,
K
J
+
+
&
=
C 7
6
!
)
,
#
,
, "
$
'
#
$
.
"%
,
#
#
%
'
M
#
06
@
.
-
'
.
!
N
!
#
Internet [1],
$
"-
*
#
"
I
,
)
)L
, ,
,
(
J
K
,
(#
$
2.1. «
+
+
.
login-
-
2
BelPL
»
Alps6.
. -
-
Visual
, «
"
+
-
Internet.
,
/
0
+
.
"
"
+
)*
'
%
'
(
,
, ».
+
,
%
&
$
#
!
"
.
"
.
/
,
,
MPR.dll,
,
.
/
.
Alps6
2.1.1.
-
,
"
,
/
VXD-
,
-
"
,
+
»,
"
«
,
0
.
,
.
,
,
4.
0
1.
5.
,
1. 2. 3.
.
1
2. 3 IP3.
39
Alps6
-
: . .
.
. -
:
. -
.
.
-
-
. .
. -
-
.
-
. .
:
.
. . ) & *
$
&$
(
$
"
!
4
-
&
1
$
#
#
-
0
/)
!
-"
&$
()
"
& *
#
%"
. Windows NT 4.0, "
!
#
/(
+
/
.
6
"
)
0
/
/
«
"
%
%7
$
'
)
%
(
&
(
&$'
/
/
/
+
!
/
+
/
"
/
, . .
1
&$
"
%
&
-&
,
(
$
&
"
&
,
!#
0
"
!
#
%$
#
%$,
"
&
%"
%$/%
/
"
!
),
'
&$
"
#
&
-&
#
$
&.
$
#
&
%"
(
BelPL
)
%
$
"(
)
!
$
.
"
#
(
"
(-
&
%
,
%8
'
%#
%
1
&
"
2
&
&
1
"
!
#
. ,
&
(
$
!/
!#
" ,
"
,
%"
2
"
&
*
$
"
%
$
1
&
-
$
AVP,
4
"
2
7
$
#
$
"
&
/
$
&
Internet (
)
%
(
)
1
-
$
&
-
3$
#
,
&
%$$
!
-
-
3$
*
+
, .
-"
)
%
%$
$
&$
"
0
%
(
%"
BelPL,
-
-
"
/
/
(
,
%"
%
.
#
"
%"
*
&
-
(
%
6
)
(
1
».
"
%
#
"
,
$
7
0
"
"
$
$
"-
(
,
$:
*
(
*
$% 5
5
&
%$$
. 2000, XP.
*
)
9
#
2.2.
(
%"
.
$
%
(
"(
"
+
1. 2. 3. 4. 5
$
7
0
!
!
40
.
, -
,
.
-
.
-
$
$
"
,–
$
&
'
&
%
(
3
!
"
!
&
2*
1
$
$
&
$
&
$
$
.
$
$
,
"
!
.
(
(
(
&
$
&
$
$
$
&
'
&
&
&
&
!
#
%
"
$
"
$
$
$
$
,
, &
!
,
(
$
#
,
"
"
&
!
$
.
"
.
"
,
$
!
,
$
$
&
"
.
%
*
$
,
&
,
"
0
./
%
,
"
&
$
,
$
$
(
, + -
*)
2.2.1.
,
,
,
(
$
, , «
"
. <
&
,
.
&
,
;
4
,
.:
"
&
,
<
,
, %
9
.
$
$
,
1
.
&
'
.
"
.
$
(
78
6
$
,
.
,
"
,
"
/
-
$
,
.
&
+
5
$
$
.
=
,
%
.
.
.
,
.
,
-
,
$
&
) ,
»
'
41
BelPL .
-
-
.
-
-
-
.
-
.
(
$
&
%
(
"
&
(
#
$
'
4
.
(
&
'
;
"
"
!
$
%
&
&
$
$
$
.
,
#
&
.
-
$
%
%
(
!
.
2.2.2.
%
$
$
$
"
"
$
(
&
,
&
&
$
.
$
$
$
,
,
«
,
&
%
,
&
,
$
,
%
&
=
.
&
;
(
&
,
"
,
.
&
,
"
.
–
!
$
$
-
,
$
,
,
,
: Windows NT 4.0, 2000, XP. : 166MHz. : 32 Mb, 64Mb.
.
"
4
),
"
.
(
.
&
,
4
.
3
,
$
(
$
,
42
,
.
-
.
», -
.
BelPL
:
2.2.3.
.2.2.
BelPL.
(
(
.2.1).
.2.1.
.2.2):
$
$
&
&
%
"
(
#
$
autorun).
$
43
toolbar
–
$
&
.
%
"
.2.3. -
"
&
&
$
$
$
$
$
&
&
$
(
$
&
%
&
!
&
.
&
$
(
. messagebox
, «
4
,
"
$
&
"
.
$
,
&
&
(
&
$
$
(
$
$
&
,
(
(
%
BelPL.
.
,
,
.2.3.
&
).
,
− ,
.
:
»,
.
#
44
-
-
-
-
-
.
-
.2.4.
.
"
.
(
&
&
&
$
).
$
,
$
!
,
&
&
:
,
BelPL.
(
propertysheet, .
1.
2.
45
-
-
.
,
!
$
-
,
,
&
&
$
&
&
$
(
!
%
&
!
$
$
$
!
$
$
&
#
'
#
&
&
$
$
(
$
$
$
&
$
#
.
(
=
3
3
!
,
, .
,
,
%
'
!
.
$
&
,
&
&
&
&
$
,
,
!
$
,
,
.
&
&
. ,
!
%
,
&
,
$
&
$
!
#
&
!
'
.
,
$
,
, $
!
,
,
,
!
&
(
,
%
. (
&
&
%
.
,
&
.
, .
$
&
.2.4) −
$
.2.4)
"
&
.
$
$
,
( .
*
1
2
!
*
( .
$
.
$
,
.
,
,
,
,
.
.2.4.
,
$
46
-
-
.
-
. -
,
-
«
».
$
$
.
& &
, &
&
,
$
&
&
"
$
&
.
&
%
(
BelPL.
$
!
$3
,
&
$
&
<
'
.
(
, ,
%
&
.2.5.
'
,
&
:
.
.
&
(
47
.2.5).
.
-
. -
.)
$
&
$
:
&
"
$
"
,
,
"
$
&
$
&
(
;
&
%
$
$
&
(
.2.6.
,
.
$
"
"
&
.:
«
,
"
),
,
&
$
$
$
$
$
&
&
3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
&
$
&
*
(
$
&
$
1
* 2
&
$
$
%
!
$
$
.
%
–
.
%
.
#
&
».
,
, :
&
%
.
,
&
$
&
,
$
.
'
"
»(
.
$
-
$
#
.
,
,
,
$
'
.
,
,
«
$
&
"
4
«
– ,
&
"
.
,
&
.
$
(
,
.
%
(
48
-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run
»
-
-
-
.
. .
,
!
$
$
$
"
(
$
#
"
.
'
$
.
».
&
&
Windows ,
"
"
&
. »
#
&
$
«
#
$
#
=
&
$
,
$
«
,
BelPL.
"
$
.
6
$
&
%
1
–
,
– 30
#
&
$
*
2
*
,
&
,
$
&
.2.6.
,
,
$
-
.
,
&
.
$
,
49
.
-
. -
&
.
$
&
$
%
&
&
4
.
%
(
;
.
.2.7.
.
:
$
,
,
$
$
"
$
&
$3
.
!
%
&
.
BelPL.
$
$
$
.2.7.
$
$3
.
&
–
$
,
*
.
1
2
*
,
50
.
.
. -
. -
. ,
,
. .
. .
[email protected].
<
.
4
&
&
&
!
&
$
$
&
$
$
$
"
&
&
%
.
&
$
&
"
%
,
&
.
&
*** -
.
(
<
$
&
(
,
BelPL
&
.
&
#
=
51
,
-
.
-
&
,
"
"
#
&
%
/ ,
#
"
'
, #
1
(
#
"
$
#
#
"
%
,
)
%
%
&
.
! -
*
!
$
*
#
&
+
"
*+
(
)
"(
#
'
,
%
&
%
"
$
#
"
#
"
!
&
&
%
!
(
(
&
(
!
$
.
+
"
#/
&
%
&
(
*!
%
0
!
"
».
$
2
*
5
" "(
"(
#4
,
*+
#
!
,
)
&
&
$
.
"
$
&
%
,
%
«
&
#
"
%
'
$
"
,
#
"(
#
2
*
2
&
"
/ ,
,
%
(
#
#
'
$
&
, , ,
"
, "
(
*($
$
"
:
$
#
(
"(
3.1.
. 3
(
"(
+
*(
1. 2. 3.
#
"
"
3 ,
-
.
. -
.
,
, -
0
0
(
#
)
0
*(4
#
/&
)
/
(
0
'4
,
#
0
*
&
+
#
#
"
$
#
'
.
,
-
"(
,
"
,
,
*(
)
(
0
(4
#
&
%
&
0
4
$
*
#
"
#
,
!
*
$"
&
'
,
/
"(
!
&
"+
(
" ,
0
&
$
/ #
( # *(
(
&
" '
#
!
/
3
*
AVP (AntiViral Toolkit Pro)
(4
#
%
#
#
"
(
(
(
*
"
*
&
%
&
,
"
)
%
"
$
#
#
"
&
)
%
"
$
#
"(
*
#
*+/
&
"
&
"
(
!
#
!
#
"
&
)
(
*
,
+
"
(
1
&
/
"
#(/
"
#
*
%
)
0
%$ &
%
&
#
!
$
/
"
/
$
'
$
#
&
)
-
,
,
3
*
%
%
'
#
#
&
&
/
'
,
4
$
,
#
"
#
"(
+
'
*
/
*+
-
"
&
*
#
%
'
"(
(
)
)
"
4
,
$
#
+
" #(/
)
!
$
%
,
"
%
&
$
+
$#
+
$
&
$
$
!
$
"/
!
2
%
,
)
(
" &
&
2
%
&
0#
$
,
* $
&
#
+
,
!
%
/ ,
*
#
)
"
'
3
,
$
* &
"
+4
"
&
)
%
"
$
#
#
%
/
$
)
(
#
"
)
%
&
&
,
)
#
# %
*
"
%
"
$
#
/
#
,
"(
/
*+
,
"
1
,
#
( "
/&
/
"
&
#
"
%
"
& '
(*
#
(
#
(
,
(
"
: &
"
)
&
41
%
"
"
1
$
#
"(0
#
/
&
"(
*(4
#
(
/
,
,
,
&
,
#
&
)
%
"
,
"
4
(
$
/
3
,
!
*
*
-
/
,
*+
&
)
&
$'
(0
&
,
"
"(
'
$
#
)
(
%
#
&
+
"
'
,
$"
(
.
#
5
%
"
0
*(4
"
*
#
"
&
-
,
*
"
. /#
*
%
)
"
/ ,
–
*
&
0
4#
$
"
;
"
%
,
$
"
"
-
,
0
&$
#
"
"
)
'
4
3
"(
.
5
,
&
$
4
#
"
"
"
,
$
*
" /
$
"
0"
'
)
% (
*
#
*+
.
"( "
'
$
1
,
#
,
"
&
%
*
!
(
,
,
$
,
–
0
+
&
$,
0
"
,
*(
#
$
"(
4
"
.
"
"(
'
"
#
#
–
#
"
(
#
"
"
"
.
*
!
#
"
–
*
!
*
.
*
0"
$
'
3
*
$
(0
,
$
"
2
#
1
(
1
"(
4
%
&
(
!
*
&
%
#
.
#
%
&
–
#
+
#
1.
*
"
"
4.
$
3.
$
*+
(
2.
,
,
!
"
,
4
#
*+/
&
,
53
,
. . -
,
.
-
.
.
-
: -
. -
.
.
. ,
,
&
"
.
%
,
1
/
'
*
/
#
%
,
,
"
"
&
/,
+
"
&
2
'
$
,
"
&
)
"+
(
*
%
"
"
"
*
/,
#
"
%
*
&
#
+
'
*
4
"
&
+
"
.
&
"
'
!
"
#
.
"
)
+
)
*(
1
)
%
#
+
(
&
2+
*
&
%
"
"
%
%
*
#
/
*(
%
$
*+/
&
"
$
5
3
* !
&
"
&
/,
*
&
#
'
+
/
$
*
$
!
%
"
"
)
&
4
$
#
/
+
(
*
$
# &
!
AVP . ,
!
0
4
$
/
#
$
(
+
#
%
.
#
&
,
$
(
"
2
!
&
&
$
&
$
!
"
#
"
*
,
$
,
&
&
$"
"(
0
&
/
'
%
)
%
(
&
%
*+
*
"
"(
*(
(
*
&
+
"
*
' "
"(
+
#
)
!
$
,
$
&
,
,
+
"
AVP.
*
,
*
#
%
$
*
"
1
"
, .
*
"(
#
(
&
&
,
"
*
#
AVP-
"(
$
&
1
'
).
,
#
%
/
. 3.1.
*
"(
AVP
"
+
"
,
1$
#
%
"
,
#4
"
%
"
#
.
%
"
"
&
$
/
3
, ,
/
.
#
.
4
#
&
"
,
"
*+
2
$
/
4
0
#
&
&
1
&
"(
(4
*
&
%
#
%
"
"
54
-
-
-
-
-
:
.
1
.
$
* !
&
%
"
"
,
*
#
1
+
"
&
$
/
,
1
"(
,
/ , +
'
*
4
*
#
&
'
"
0
4,
$
*(
#
*+/
*+
*
"
'
#
#
"
(
#
(
(
)
%
#
1
#
*
"
%
. .
,
-
"
&
/,
( +
'
#
&
&
"
(
.
&
"
(
&
"
" *
(
#
"
(
#
"
+
"
'
%
,
%
/
. .
!
'
*
4
#
%
1
&
"
#
"(
4
0
$
$
/
"
+
'
*
'
*
*+
/
&
&
*
+
*(
/
+
$
$
+
"
$
42
,
$
*+
,
*(
(
*
2
"
%
*
+
%
#
*
)
%
#
%
#
'
%
*
,
&
%
#
"
$
3
4
#
"
" "
&
"
"(
#
%
/
$
5
,
"+
,
*
/
(
#
%
*
%
#
)
/
&
, "
"
"
#
.
&
0
4
*
%
-
!
, *
,
,
/
"(
2
#
+
0
"
"
&
*
!
"
"
)
*
)
%
2
"(
#
%
/
$
&
(
$&
&
,
4
$
*+
*
*+
-
"(
'
*
(
"(
#4
%
/
%$
0
"
-
!
/
*
"
&
,
+
"
3
,
&
#
0
!
*
&
%
&
#
"
&
"
,
&
, )
%
.
%
/
+
,
1
"
#
%
&
"(
#4
%
/
$
%
)
%
#
&
,
*
4
"
"
(
#
+
"
&
3
1
.
#
(
*
#
,
0
'
*
%
*
)
,
.
#
*+/
&
&
$
,
&
$&
#
/ 2
,
/
,
1
2
%
#
(
*
*(
#
"
&
"
#
!
&
,
,
&
/
"
*
.
'
*
.
(
&
*(
"
"
*
,
) "
+
#
%
$
!
(
&
,
,
+
,
*(4
#
%
,
%
&
/
,
-
&/
#
*
4
$
)
%
0
):
4
$
#
)
#
'
"
:
/*
#
,
&
+
&
$
)
/*
#
»
$
,
$
"
#
/
-
,
"
*
,
*+/
&
"
(
%
,
#
,
&
&
%
"
%
# &
&/
)
"
»
/
,
,
(
,
(
%
+
/
»
'
'
$
,
,
/
$
,
-
».
#
"
2
&
'
:
*!
5
,
"
%
,
. «
&
(
2
,
«
,
$
«
&
#
*
$
. .
*(
+
(
*
!
.
&
%
#
"
,
#4
%
*(
«
#
)
"
3
.
*+
'
%
3.2.
"
'
).
*
$
&
$
/
,
&
,
(
(
+
!
*
$"
,
,
55
-
-
-
-
. -
-
-
, .
(0
*
%
,
». NT
4#
,
&
'
$
"(
"
%
&
$
,
+
"
"
#
" &
(
"
#
*
,
3
"
$
&
,
(
'
*
$
&
*
%
(
(
*
!
,
!
#
,
#
"
"
&
"
"
,
4
$
*+
"
(
&
#
,
$
"
*
&
"
"(
(
*(
$
% & &
%
'
"
&
"
"
*
)
,
!
*
&
)
%
(
*
#
"
&
/
"4
#
-
.
–
"
)
"
*
#
'
$
"
5
"
#
,
5
"
"
5
&
"
*
'
+
,
DOS-
*+
"
!
3
(
!
*
#
'
!
*
!
*
/
0
%$
&
&
'
*
#
"
&
(
#
*+/
&
"
*
&
*
,
*(
!
#
+
#
&
"(
,
$
-
"
%
#
%
/
&
)
"
(
'
#
-
*
41
4
$
*(
#
&
(
$
*
*+/
*(
'
*
$
&
"
" &
#
'
*
$"
#
"
$
*+/
&
"
#
&
'
2
#
&
%
&
(
,
/
"
#
*+
&
,
(0
Unix
&
"(
*
*(
#
(
"
&
+$
#
/
1
%
$
*+/
&
"
"(
#
"
%
*+
4
$"
'
/
"(
'4
*
/
*
#
&
#
/
1
&
%
&
"
1
/*
4
$ +4
&
#(/
"
"
,
#
)
#
"
&
'
"
3
$
)/
%
"
"
)
%
$
!
41
4
$,
!
*
$"
+
"
&
,
$
)
%
5
$
,
$
'
$
&
*(4
#
$
*+
*
!
+
0
#
4
. /&
#
0
"
"
/
"
,
#
.3.2 &
*
$
. "
&
. . 41
.
. .
#
"
"+
#
#
%
#
"
#(/
"
+
"
,
Windows – Windump.
,
#
.
.
&
4
)
&
#
"
5
«
&
.
'
-
"
'
"
.
$,
!
*
$"
/
*(
%
#
&
[15]. wpcap.dll ,
/
. !
$
&
*
'
&
/
&
"
,
!
"
(
41
,
&
*(
*(
%
$
*+/
&
"
(
/
.
)
%
#
.
.
*
&
'
& '
*
$
.
2
&
*
#
&
,
-
&
&
&
"
.
&
&
&
"
"
#
$
*
,
-
2
$
/
*(
,
"(
"
.
/
*+/
,
%
#
/
.
#
(
1
&
"
. .
$
"(
,
*
,
)
+
$
1
#
"
,
&
%
, &
#
TCPdump
#
1. 2. 3. 4. 5. 6. 7.
#
!
*
"
,
"
"
56
,
, -
.
-
.
:
-
.
. /
"
#
&
&
#
,
*
"
&
)
"
(*
"(
$
*+/
&
%
#
&
*(
#
& #
*(
'
*
$
&
&
"
;
*(
*
&
'
&
#
&
*
"
'
2
*+
+
)
&
,
(
#
&
'
&
&/
"
% *
%
*+
*
&
'
*
"
);
(0
)
"
;
&
&
"
&
!
*
&
#
&
'
&
%
!
$
$
"
;
,
1
*
0
4
$
"
)
*
"
,
#
*
'
$
*+/
&
"
.
%
.
&
(
#
'
0
#
,
&
"
*
#
&
,
)
%
"
"
#
&
&
14
,
&
'
*
&
-
,
1
"
*(
#
"
&
,
&
&
"(
/
,
(0
*+/
"
/
)
&
*(
/
)
&
!
/#
,
%
#
,
&
, : 1) 14:52:43.388334 – –
%
'
/
&
!
&
. 3.2.
/
&
1
"
#
/
.
"(
&
'
2) 3) 4) 5)
$
*+/
&
IP – c1r120n2.omskreg.ru.445 – > – (> – mm7.matmod.univer.omsk.su.1563 – ; 6) P – (P – PSH ); 7) 665022:665061(39) – . ; 8) ack 124065 – 9) win 64195 – /
57
WinDump.
14:52:43.388334.
, -
; , -
&
&
2
*+
*
!
)
$
%
&
/
"
(
&
$
"
"
*
&
4
*
2
%
/
41
+
*
&
,
#
"
"
$"
*
$
0
4
$
$
'
%
,
*
%
#
1
*
#
&
!
#
+
#
!
"
"
,
0
%
#
&
*
!
*(
'
*
$
&
&
%
'
0 (
#4
%
&
' *
/
"
"
4
&
#
"
&
&
(
*(
#
"
&
(
1
&
*
& (
#
"(
0
"
# %
1
&
*+
*
&
%
/
%$
*
%
.
,
(
#
#
0
"
!
(
#
"
&
1
,
,
#
/
&
*
%
(
1
%
*
"
"+
/
,
"
+
"
*+
)
5
$
#
,
,
%
! -
#
,
"
1
"
(
/
"
,
,
"(
&
-
1
/,
"(
(
&
'
'
/
"
/
)
%
*
#
&
!
#
&
-
,
*
"
'
"
#
/ % )
,
#
/ )
&
"
'
.
,
)$
2
&
*+
'+
5
"(
#
&
*
&
#
,
&
/
+4
0
*
#
$
*(
*+ #
*
&
$
/
%
#
1
*+
"(
+
#
-
,
&
!
*(
'
*
$
&
%
2
'
*
$
&
(
!
#
&
-
+
,
&
"
+
#
,
*
"
+
#
#
"
"
"
1
&
#
&
,
4
#
*(
%
'
#
4
"
"
. .
$'
/
,
/
"
"
/%
%
,
#
*+/
1
:
%
&
#
*+/
&
"
*
"
*
1
. ,
"
! -
(application proxy).
!
*
4
"
#
.
&
"
*
&
%
-
'
+
#
,
#4
'
%
#
*+
"(
,
,
&
"
,
"
*
"
(
,
&
*(
/
!
)
&
"
–
,
"(
&
(
*+/
&
Tcpdump
4
%
3
,
%
%
&
%
(
$"
'
4
5
!
*
10) DF – Fragment).
'
"
$
"
.
/
&
1
,
"
&
,
"
3
– –
*
"
3.3.
*+
#
/
,
*+
#
&
58
.
-
; -
(Don’t
.
,
-
. , -
.
)
. -
-
.
"
.
(
&
%
)
!
*
"(
"
&
$
/
#
*+/
&
)
%
*
#
*
1
*+
,
$
&
5
&
41
4
$
)
,
/
"+
#
%
*
#
/
*(
"
&
"
)
"( #
*(
#
(
,
#
5
$
,
#
/&
'
%
"
-
&
"
&
/
+
#
&
#
"
"
,
#
,
,
,
$
"
"/
$
.
(
-
4
$
'
%
"
/
%
!
+ )
%
#
#
"
)
*
!$
#
"(
%
'
,
0
)
(
)
"
(
1
)
&
5
,
3
"
#
"
,
(
!
*
&
"
&
* !
&
1
$
#
"(
(4
)
"
*
#
$
& /
&
"(
"(
+
"
*
*
$ 4
/#
"
*
&
&
%
"
%
-
*
&
"(
+
#
%
/
$
%
/
(
1
,
"(
*(
#
"
"
&
*(
%
&
*
*
%
"
$ *
-
&
&
#
"
)
"
"
&
#4
%
/
&
. UDPUDP 1
&
#
)
%
*
#
"
*$
#
&
#
"
%
*/
/
$
/
'
0
4
$
*
"
#
"
" +
#
3
#
!
*
"
*
*
"
5
*
#
*+/
&
&
*
#
&
#
&
)
)
%
#
&
%
TCP
*
,
#
0
!
&
,
,
"
"
4
"
"
/
'
$
,
%
*
'
5
$
&
#
&
,
!
*
3
,
"
"
$
*$
"
%
$
"
+
"(
$
&
,
"
* !
&
:
.
&
!
*
$"
#
&
,
*(4
41
#
-
*
"
0
.
#
"
"
0
4
%
(
.
"
"
% ,
%
#
#
/&
+
0
&
,
!
*
*
"
"
*(
,
%
&
"
*+
(
,
,
&
$
/
#
,
#
*
&
)
"
&
#
1
&
#
+
.
#
/,
&
,
+
*(
4
"
"
"
(
"
&
!
!
*
&
,
*
#
"
$ )
.
#
0
,
&
"
.
#
*+/
&
,
!
,
&
,
!
1
,
,
0"
$
&
& 4
$'
%
"(
,
%
*
3
%
?
%
#
$ 4
"
*
& &
#
"
(
#
"
).
– !
&
,
"(
(
#
"
!
,
* !
*
!
,
2
#
"
*+/
&
"
#
&
.
(
2
/,
,
"
/
+
"
,
)
$
%
$
0
,
*
/
/
%
!
"
"
,
4
!
.
#
#
Outpost Firewall Pro. .
.
'
!
+
3
(
*+
*
*
"
*
,
&
" ,
&
TCP
2.
1.
&
$
/ "
,
$
/
4
$
59
-
, -
-
.
Agnitum -
-
.
" "(
*
(
-
-
#
*
. #
#
"
* !
&
#
"
&(
&
"
,
(
!
*
&
%
*! (
*
&
"(
#4
!
%
(
/
% ,
+
(
)
"
$
$
#4
$
*+
/
&
)
&
*
!$
*
"
&
$
"
/
!
"(
#
*
#
"
,
#
/
' +
#
#
"
2
# "
"
(
"
'
#
"
# "
$
&
#
!
'
&
*(
#
/&
&
$
'
*
0
4#
$
"
0"
$
+
*!
*+
$
+
, %
%
#
,
$
*
,
,
*+
$
,
"
%
"(
#
%
(
*
#
"
,
5
$
.
&
$
4
,
0
/
'
%
#
+
'
*
4
&
!
"
#
5
*
$
%
'
*
4
&
"
#
"
*
4
#
*+/
&
*(4
#
"
#
!
*
$"
"
#
"
,
%
#
/
%
#
/ ,
&
*
$
%
'
3
*
4
&
*
#
&
$
"
"
#
"
"
%
*+
*
&
+
"
&
*
4
$
"
'
#
"(
*
"
"
"(
#
&
1
$
"
"(
"
$
,
0
/
*+
'
/
%
#
/ ,
!
*
3
,
&
#
$"
"
$
%
/
"+$
'
"
&
)
"
+
&
"
"
"
%
&
!
*
&
)
"
#
#
*
"
)
& "
,
"
#
+
#
*
&
*
,
"
"
,
-
2
!
*
&
) /
"
#
(
#
*+
%
#
*
#
&
%
*
%
,
#
*
!
"
"(
4
0
&
/
#
"
$
&
,
(
!
*
&
/
$
/
&
(
/"
*
"
&
$
/
"
"(
/,
(
' (4
,
& $
! %
*
#
&
"
#
"(
4
/"
!
#
,
&
)
$
"+
%
$
!
*
"(
&
,
&
)
#
"(
$
.
%
&
(
,
0
%
!
,
-
2
)
%
%
&
,
+4
.
0
&
!
#
#
,
2
/
0
&
%/
.
4
"
+
(
#
'
!
*
#
$
"
*+
»
%
&
)
"
+
.3.3. .
&
'
*
#
,
*
%
"
*(
,
#
*(
/
».
NetBIOS, ICMP, . UDP ,
, .
"(
/
'
#
3
*
#
"
.
&
#
!
&
*
3
"
*
#
,
.
*(4
TCP , ,
$
&
*+/
"
%$
,
#
&
«
*+/
&
"
*
!$
%
!
&
,
"
%
*+/
*
&
"(
.
»–
&
"
*
!$
*
«
4
$'
&
#
"
#
/
.
"(
(
$
#!
%
.
(
,
#$
#
0
& 2
0
#4
–
&
) ,
"(
#
"
4
$
*
"(
–
0
%
*(4
/
/
%
"(
–
*
"
"
"( +
#
+
'
*
.
#
%
&
$
(0
)
$
&
. ,
#
#4
%
*+/
&
,
%
*
"(
*(4
#
"
,
"
/
#
&
«
%
"(
*
,
5.
#
"
"(
4
.
#4
*
4.
"(
-
#4
2
3.
*
%
&
60 -
.
-
. .
:
-
-
,
,
-
#
"
,
*(
$
%
'
*
.
%
0
"
&
'
"
+
%
&
%
"
#
+
'
$
%
/
" "
#
*
%
*
&
)
-
"
)
%
#
&
$
/
+
/
$
#
% )
! !
"+
,
,
5
#
#
"
2
"
*
$
&
"(
+
"
&
,
&
)
%
#
/ ,
!
*
$"
&
$
*
"
"
(
#/
"
"
&
+
"
"
&
/#
,
%
,
*
&
"(
#
*
#
"
$
"+
/
*
3
%
#
+
#
"/
*
*
#
&
"(
0
,
#
*
4
+
#
*
!
(
*
#
&
. .
4
&
"
"
, %
2
%
#
! /
5 $
*
» –
*(
#
"
!
$
«
2
.
&
)
%
,
#
.3.3.
/,
%
$#
%
,
/
"
*
,
#
+
%
,
&
.
%
"
,
"
,
61
. -
Agnitum OutPost Firewall
). -
-
.
,
'
&
"
&
*+ '+
"
&
#
#
&
(
#
$
)
%
'
*
4
#
+4
0
&
"
/
*
&
%
*
%
,
1
"
/
"
%
+
*+
$
"(
*(
#
+
"
&
,
,
*
$
%
, *
+
"
*
,
"
'
'
*
4
*(
#
/&
2
"
+
*(
#
"
&
%
*!
*
$
,
*
#
*
"
*
$
%
'
*
4
3
$
+
#
,
!
/#
+
*
,
*
$
%
*+
*
&
! '
" +
,
&
&
$"
+
#
,
(
!
,
/
"(
+
!
$
&
-
*
»
%
&
*
"
$
% %
&
, ,
&
+
,
+
'
"
+
*(
#
.
$ *
4
#
"
$
"
&
.
&
Win2k &
*
"
/
!
#/
$
.
,
, &
*(
#
/&
,
*
«
+
$
.
'
+
*
*
#
&
$
,
24
/
62
-
, -
.
1 [7] 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31.
Acid Shivers Antigen Back End Back Orifice Back Door Count2K DeepThroat Devil Dmsetup DoS.DieWar EvilFTP Executer 1 Executer 2 Flooder Fore 1.0b FTP99cmp GateCrasher Gjamer Gina GirlFriend Hacker's Paradise ICKiLLEr ICQ Trojen Invisible FTP Kuang Lamer's Death Leave Master's Paradise Millenium NetBus Net Monitor
64
Netspy NetSphere Nuker Pass Ripper phAse zero Phineas Phucker PortalOfDoom Priotrity Prosiak 0.47 PSS QAZ Randon (Apher, 445) Remote Grab Ripper Pro Remote windows shutdown Silencer ShockRave Shtirlitz Sivka-Burka Sstrojg ( Senna Spy Trojan Back Door Generator ) Sockets de Troje Socket23 Socket25 StealthSpy Beta Storm SubSeven Telecommando TheSpy TrojanCow Voice Vodoo Ultimx Win Crash Wingate (Socks-Proxy) Wrapper Y3k
32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47. 48. 49. 50. 51. 52. 53. 54. 55. 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67.
65
2 (406
(6-7) ) [7]
1.Lists most of the commands (description of command) 2.Hide a task from control + alt + delete 3.Show a hidden task in control + alt + delete 4.List Contents of Current Directory 5.Change To Specified Directory/Drive 6.Clear Screen 7.Kill Process by PID (Shown in PS) 8.Shows Running Processes 9.Deletes Specified Files 10.Change Port Acid Shiver Listens on (Until Next Reboot) 11.Change to default Windows Desktop folder 12.Change to Windows Recent folder 13.Change to default WS_FTP folder 14.Show Version Number of Acid Shiver 15.Show physical, RAM, CD-ROM, and Network drives 16.Relay connection to host on port, Control + C to abort 17.Sendkeys to active window 18.Show ethernet stats and physical address 19.Rename the users computer 20.Shows DOS Environment variables 21.Beeps the specified number of times 22.Type 'CDROM' for more informationv - Terminate Acid Shiver 23.Rename a specified disk drive 24.Type 'Shutdown' for more information 25.Retrives information on specified drive 26.Disconnect a session by socket index show in 'STATUS' 27.Shows users current system time 28.Shows users current system date
66 29.Shows some general system information about host and user 30.Show the state of all sockets used since last reboot 31.Retrieve specified file 32.Retrieve specified file in hex form 33.Run the specified shell command 34.Run the specified command and display results (may lock up) 35.Make a new directory 36.Remove a directory and all files and subdirectories inside 37. opy file1 to file2 38.Spawn a text based application on a tcp port. 39.Stops an application from listening for connections. 40.Lists the applications currently listening for connections. 41.Creates a directory. 42.Lists files and directory. You must specify a wildcard if you want more than one file to be listed. 43.Removes a directory. 44.Creates an export on the server. 45.Deletes an export. 46.Lists current shared resourses (name, drive, access, password). 47.Copys a file. 48.Deletes a file. 49.Searches a directory tree for files that match a wildcard specification. 50.Compresses a file. 51.Decompresses a file. 52.Views the contents of a text file. 53.Disables the http server. 54.Enables the http server. 55.Logs keystrokes on the server machine to a text file. 56.Ends keyboard logging. To end keyboard logging from the text client, use 'keylog stop'. 57.Captures video and audio (if available) from a video input device to an avi file. 58.Captures a frame of video from a video input device to a bitmap file. 59.Captures an image of the server machine's screen to a
67 bitmap file. 60.Lists video input devices. 61.Plays a wav file on the server machine. 62.Lists current incomming and outgoing network connections. 63.Disconnects the server machine from a network resource. 64.Connects the server machine to a network resource. 65.Views all network interfaces, domains, servers, and exports visable from the server machine. 66.Pings the host machine. Returns the machine name and the BO version number. 67.Executes a Back Orifice plugin. 68.Tells a specific plugin to shut down. 69.Lists active plugins or the return value of a plugin that has exited. 70.Terminates a process. 71.Lists running processes. 72.Runs a program. Otherwise it will be executed hidden or detached. 73.Redirects incomming tcp connections or udp packets to another ip address. 74.Stops a port redirection. 75.Lists active port redirections. 76.Creates a key in the registry. 77.Deletes a key from the registy. 78.Deletes a value from the registy. 79.Lists the sub keys of a registry key. 80.Lists the values of a registry key. 81.Sets a value for a registry key. 82.Resolves the ip address of a machine name relative to the server machine. 83.Creates a dialog box on the server machine with the supplied text and an 'ok' button. 84.Displays system information for the server machine. 85.Locks up the server machine. 86.Displays cached passwords for the current user and the screen saver password. 87.Shuts down the server machine and reboots it. 88.Connects the server machine and saves any data recieved
68 from that connection to the specified file. 89.Connects the server machine and sends the contents of the specified file, then disconnects. 90.Ejecting And Closing The CD-ROM Drive. 91.Sends a Msg Box To The Host. 92.Hide\Show Startbar. 93.Starts a FTP Server (On Port 21). 94.Captures the screen to a Jpeg around 80 Kb and sends it to you. 95.Sends Host to A Url Of Your Choice. 96.Turn Monitor On/Off. 97.Spawn Prog. 98.Spawns a program invisibly. 99.Reboot 100.Scan for Hosts with DT server running. 101.Sends a packet to see in host is Running the Server. 102.Host System info. 103.Open/Close CDROM 104.Send "Beep" Signal 105.Send text to Notepad 106.Send Message "Yche! Yche!" with interval 107.Send Applications Bomb 108.Notepad Flooder 109.Reboot 110.Windows Clean Up 111.ICQ Killer 112.Full FTP access 113.Destroy Mouse Double Click 114.Change All System Colors To Yellow 115.Hang Up All Connections 116.Disable CTRL+ALT+DEL Keys 117.Set Cursor Position To 0,0 118.Hide Windows TaskBar 119.Reboot Computer 120.Enable Jumping Mouse 121.Enable Mouse Double Click 122.Enable CTRL+ALT+DEL Keys 123.Show Windows TaskBar 124.Disable Jumping Mouse
69 125.Copy EXECUTER To C:\Windows\ Directory 126.Add EXECUTER To Windows StartUp 127.Show Message-'Hello' 128.Show Message-'Hello bitch!!!!!!!!!!!!!!' 129.Show Message-'Do u ready to fuck your system??????!!!' 130.Show Message-'ShutUp bitch!!!!!!!!!!' 131.Show Message-'Get ready to start!!!!!!' 132.Show Message-'Thats All bitch!!!!!!!!!' 133.Delete C:\Logo.sys 134.Delete C:\Windows\Win.com 135.Delete C:\IO.sys 136.Delete C:\Windows\System.ini 137.Delete C:\Windows\Win.ini 138.Delete C:\Config.sys 139.Delete C:\Autoexec.bat 140.Enable Paiting On The Screen('DIE!!! DIE!!! DIE!!!') 141.Disable Paiting On The Screen('DIE!!! DIE!!! DIE!!!') 142.Enable Creating Of Many Forms With Caption('DIE!!! DIE!!! DIE!!!') 143.Disable Creating Of Many Forms With Caption('DIE!!! DIE!!! DIE!!!') 144.Execute File 145.Change Desktop Colors 146.Send Message 147.Hide/Show Taskbar 148.Open/Close CDROM 149.Mouse Double Click On/Off 150.Get Windows, System & Application Directory 151.Terminate Server 152.Reboot Computer 153."No Access" for server 154.Self Removing Server 155.List Dialup parameters (phone, passwords...) 156.List ICQ UIN 157.Process List 158.Start FTP Server 159.Hides the victims TaskBar 160.Shows the victims taskBar 161.Starts an Program on the victims computer, program
70 doesn't have to be an .EXE, it will start and file with it's default program too. 162.Opens the victims default Web Browser at the URL you specify 163.Opens the victims Control Panel 164.Opens the victims Date/Time Options 165.Opens the victims Appearence Options 166.Starts the victims Screen Saver 167.Closes the Server on the victims machine 168.Deletes a file you specify, from the victims machine 169.Reboots the victims computer 170.Deletes a WHOLE directory from the victims computer 171.Clears the victims recent folder (The Documents folder on the START menu) 172.Ends the current windows session 173.Forces a shutdown ! 174.Loggs the victim off his/her current windows session 175.Reads from the victims floppy drive 176.Sends a ping to the Server 177.Sends a Message to the victim 178.Returns the victims WINDOWS directory 179.Returns the victims TEMP Directory 180.Returns the path that the server is installed on 181.Returns the victims Hard Disk Letter 182.Returns the victims LOCAL TIME 183.Returns the victims OPEN WINDOWS 184.Maximises a window on the victims computer that you specify 185.Sets the victims Computer Name 186.Makes the victims Mouse "CRAZY" and uncontolable 187.Returns the victims Mouse to normal 188.Returns the vitims ICQ# 189.Lists all the files and any directory 190.Formats and drive on the victims Computer 191.Closes any window on the vitims Computer 192.Serches for a File, or a Pattern, on the vistims Computer 193.Sets the name of Drive C: 194.Sets the victims Computer Name 195.Sends text to and active input box on the victims computer
71 196.Creats a file on the victims Computer that fills up the entire drive 197.Returns the Registered User of that Computer 198.Returns the Registered Organization of that Computer 199.Returns the amount of free space on any drive 200.Returns the Operating System of the victims Computer 201.Returns the Serial Number of any Disk 202.Opens an FTP Server on the victims computer, gives you; List, Read Write, Delete, Make Dir, Delete Dir and Execute 203.information as text, that "infected" user enters to any window containing password field. 204.information aspasswords, which "infected" user enters to password fields. 205.send "system" messages to remote PC. 206.play sounds. 207.show bitmaps (.bmp pictures). 208.run exe files. 209.send "victim" to any URL. 210.change server's port. 211.hide GF Client with BOSSKEY=F12. 212.scan subnet for infected servers. 213.save windows list. 214.work with files and folders using GF filemanager. 215.Shutdown Remote Computer 216.Restart Remote Computer 217.Log-Off Remote Computer 218.Restart Remote Computer in MS-DOS 219.Close Remote Computer Spy 220.Remove Remote Computer Spy 221.Open Remote Computer CD-ROM 222.Close Remote Computer CD-ROM 223.Disconnect Remote Computer 224.Disable Ctrl+Alt+Del On Remote Computer 225.Enable Ctrl+Alt+Del On Remote Computer 226.Hide Remote Computer Taskbar 227.Show Remote Computer Taskbar 228.Turn Caps Lock On On Remote Computer 229.Turn Caps Lock Off On Remote Computer
72 230.Turn Num Lock On On Remote Computer 231.Turn Num Lock Off On Remote Computer 232.Change Remote Computer Computer Name 233.Change Remote Computer Recycling Bin Name 234.Swap Remote Computer Mouse Buttons 235.Unswap Remote Computer Mouse Buttons 236.Set Remote Computer Cursor Position 237.Show Remote Computer Cursor 238.Hide Remote Computer Cursor 239.Get Mouse Double Click Speed Of Remote Computer 240.Set Mouse Double Click Speed Of Remote Computer 241.Get Remote Computer Windows Mode 242.Get Remote Computer Amount Of Mouse Buttons 243.Get Remote Computer Windows Run Time 244.Get Remote Computer Free Space On C:\ 245.Get Current User Logged In On Remote Computer 246.Get Serial Number Of Drive C:\ On Remote Computer 247.Get Remote Computer Temp Directory 248.Get Remote Computer Windows Directory 249.Get Remote Computer Windows System Directory 250.Get Resolution Of Remote Computer 251.Set Resolution Of Remote Computer 252.Start Remote Computer Default Screen Saver 253.Set Remote Computer Start Menu Pop-up Speed 254.Add A Line To Remote Computer Autoexec.bat File 255.Get Percent Of Memory Used On Remote Computer 256.Get Number Of Bytes In Physical Memory Of Remote Computer 257.Get Available Bytes Of Physical Memory On Remote Computer 258.Get Total Memory Amount In Page File On Remote Computer 259.Get Available Memory Amount In Page File On Remote Computer 260.Get Total Amount Of Virtual Memory On Remote Computer 261.Get Available Amount Of Virtual Memory On Remote Computer 262.Pop-up Remote Computer Message
73 263.Delete Files 264.Copy Remote Computer Files 265.Rename Remote Computer Files 266.Create Remote Computer Files 267.Close Remote Computers Programs 268.Get List Of Running Remote Computer Programs 269.Set Spy Password On Remote Computer 270.Server Admin (set password, close server, restrict access) 271.Host Info (system info, cached passwords) 272.Message Manager 273.File Manager (create/delete folder, upload/download /delete file) 274.Window Manager 275.Registry Manager 276.Sound System Balance 277.Plugin Manager 278.Port Redirect 279.Application Redirect 280.File Actions (execute file, play sound, show image, open document, print document) 281.Spy Functions (keyboard listen, capture screen image, capture camera video, record sound) 282.Exit Windows (logoff, poweroff, reboot, shutdown) 283.Client chat 284.Open/Close CDROM 285.Keyboard (disable keys, key click, restore keys) 286.Mouse (swap buttons, resore buttons) 287.Go To URL 288.Send Text 289.Send message 290.Shutdown remote computer 291.Download files 292.Upload files 293.Delete files 294.Execute files 295.Create folders 296.Screeb capture 297.View process list 298.Kill process
74 299.tell the server to upload the specified local file via ftp to remote path 300.tell the server to download the specified remote file via ftp to local path 301.execute a file (show window, hide window) 302.change directory 303.list directory 304.create directory 305.remove directory 306.show current dir 307.copy file 308.move file 309.rename file 310.delete file 311.type the specified text file 312.shows an hexadecimal dump of the specified binary or text file 313.shows the specified message into a dialog box on the server 314.locks up the server 315.trashes the server and locks it up 316.create the specified registry key 317.deletes the specified registry key 318.deletes the specified registry value 319.determines if a key or a name exists 320.sets the currently open registry key 321.read the specified key's value 322.creates or updates the specified key and associated value 323.lists available keys in the currently open key 324.lists available values in the currently open key 325.terminates the current session only 326.terminates all connections and unloads the server 327.Log all of the Dial-Up Networking accounts on a remote computer 328.Capturing full-size screen 329.Kill any programm (window) 330.View help screen 331.Shutdown remote machine 332.Reboot remote machine
75 333.Logoff remote machine 334.Hide active window 335.Destroy active window 336.Kill window with matching title 337.List files in current directory 338.Change directory to [dir] 339.Execute DOS command 340.Launch application 341.Send message 342.Chat with remote 343.Enter notification mode 344.Sends some information - process list and more 345.Exits server 346.Disconnects you from server 347.Remove server from remote computer memory 348.Destroy the server autostart 349.Take rights on server 350.Change & delete password 351.Send dialog box with OK button 352.Send dialog box with Yes/No buttons 353.Change folder 354.Make new folder 355.Remove folder 356.Delete files 357.List Files 358.Get current directory 359.Get logical drives 360.Lock/Unlock desktop 361.Make a puzzle with remote desktop 362.Stars On/Off on remote desktop 363.Hide/Show Start button 364.Hide/Show Taskbar 365.Hide/Show Desktop 366.Execute application (Normal/Minimized/Maximized/ Hidden Status) 367.List/Kill 32 bit process 368.LogOff user 369.Reboot system 370.Shutdown system
76 371.Get user name 372.Get computer name 373.Get date & time 374.Keyboard Lights Bomb 375.Lock/Unlock Mouse 376.Move Mouse 377.Monitor On/Off 378.Flip Screen 379.Open/Close CD-ROM Drive 380.Flood Server Printer 381.System Keys ON/OFF 382.Clipboard Lock 383.Screen Saver Bomb 384.Hide/Show Taskbar 385.Hide/Show Start Button 386.Disable/Enable Start Button 387.Active the Screen Saver 388.Remove Desktop Wallpaper 389.Change Desktop Wallpaper 390.Modify Remote Date 391.Close Server EXE 392.Delete Server EXE 393.Lock Up the System 394.Close all Programs 395.Exit Windows 396.Shutdown Windows 397.MSG Box [Chat] 398.Send Text 399.Get Server Information 400.View Remote Passwords 401.View Remote Netstat 402.View Active Process 403.Open Server Hard Disk 404.Play Wav Files 405.Delete and Execute Files 406.Modify Remote Autoexec.bat
77
3 ( 1. ACiDShivers.exe (186368) 2. Agent.exe (293376) 3. Agent.exe (325632) 4. Agent.exe (327680) 5. antigen.exe (19456) 6. backdoor.exe (233472) 7. backdoor.exe (241664) 8. backdoor.exe (294912) 9. backdoor.exe (344064) 10. backend.exe (102912) 11. boclient.exe (57856) 12. boclient.exe (707072) 13. bogui.exe (284160) 14. boserve.exe (124928) 15. bug.exe (57344) 16. cfg95.exe (79242) 17. client.exe (164352) 18. Client.exe (180224) 19. client.exe (202240) 20. client.exe (334848) 21. client.exe (471552) 22. client.exe (54272) 23. Controller.exe (313856) 24. Controller.exe (340992) 25. control.exe (499200) 26. DeepBo.exe (530432) 27. Devil13.exe (95232) 28. dmsetup.exe (40188) 29. Exec.exe (231424) 30. Exec.exe (249344) 31. faxmgr.exe (27648)
)
78 32. 33. 34. 35. 36. 37. 38. 39. 40. 41. 42. 43. 44. 45. 46. 47. 48. 49. 50. 51. 52. 53. 54. 55. 56. 57. 58. 59. 60. 61. 62. 63. 64. 65. 66. 67. 68. 69. 70.
FixIT.exe (23087) foreclient.exe (482304) foresvr.exe (309248) FTP99cmp.exe (369185) ftp.exe (402944) gc.exe (221184) GF.exe (425984) GF.exe (454656) gserver.exe (126976) hs.exe (267264) ICKiLLeR.exe (534016) icqclient.exe (31744) icqcrk.exe (50688) ICQFlood.exe (24576) ICQFuckerExtentitions.exe (182272) icqnuke.exe (10240) icqtrogen.exe (39424) inet.drv (36864) inet.hlp (98304) KeyHook.dll (54272) lame.exe (335872) MSTConfig.exe (378880) mustget.exe (527360) NBSvr.exe (612864) NetBus.exe (1114112) NetBus.exe (494592) NetBus.exe (567296) NetBus.exe (599552) NetMonitor.exe (205824) netspy.exe (141312) Paradise.exe (1096704) Paradise.exe (1310208) Paradise.exe (855552) Paradise.exe (888320) Paradise.exe (916480) Paradise.exe (924672) Patch.exe (494592) Path.exe (472576) phase.exe (301568)
79 71. Phineas.com (93250) 72. Phucker.exe (352768) 73. port.dat (94208) 74. port.doc (39424) 75. port.exe (40960) 76. procmom.exe (14848) 77. PSS-Client.exe (80384) 78. Readme.exe (102400) 79. Readme.exe (73728) 80. Readme.exe (77824) 81. Readme.exe (98304) 82. RemoteControl.exe (505344) 83. Rgrab.exe (258048) 84. RipClient.exe (305664) 85. RipServer.exe (211968) 86. RmtEwxC.exe (268800) 87. Server.exe (210432) 88. Server.exe (211456) 89. Server.exe (296448) 90. Server.exe (533013) 91. Setup.exe (14336) 92. Sockets23.exe (1082880) 93. Spyserver.exe (30720) 94. Spy.exe (48128) 95. SysEdit.exe (473088) 96. SystemPatch.exe (491008) 97. TeLeCoMMaNDo.exe (327276) 98. Telman.exe (137216) 99. Telserv.exe (235520) 100.Tserv.dll (82432) 101.uagent.exe (282624) 102.wave.dll (27648) 103.Wave.exe (38400) 104.win32cfg.exe (4128) 105.wincrash.exe (309248) 106.windll.exe (331264) 107.windll.exe (344064)
80
4 TCP
,
31 - Master Paradise 121 - BO jammerkillahV 456 - Hackers Paradise 555 - Stealth Spy, Phase0, NeTadmin 666 - Attack FTP 1001 - Silencer, WebEx 1010 - Doly trojan v1.35 1011 - Doly Trojan 1015 - Doly trojan v1.5 1033 - Netspy 1042 - Bla1.1 1080 - Wingate 1170 - Streaming Audio Trojan 1243 - SubSeven 1245 - Vodoo 1269 - Maverick's Matrix 1492 - FTP99CMP 1509 - Psyber 1600 - Sivka Burka 1807 - SpySender 1981 - ShockRave 1999 - Backdoor 2001 - TrojanCow 2023 - Pass Ripper 2115 - Bugs 2140 - The Invasor 2283 - HVL Rat5 2300 - PC Xplorer v1.2 2565 - Striker 2583 - Wincrash2
81 2801 - Phineas 3791 - Total Eclypse 1.0 4950 - IcqTrojan 5000 - Blazer 5 5011 - OOTLT + OOTLT Cart 5031 - NetMetro 1.0 5321 - Firehotcker 5400 - BladeRunner 0.80, BackConstruction1.2 5521 - Illusion Mailer 5550 - Xtcp 5569 - RoboHack 5742 - Wincrash 6400 - The tHing 6669 - Vampire 6670 - Deep Throath 1,2,3.x 6883 - DeltaSource 6912 - ShitHeep 6969 - Gatecrasher 7306 - NetMonitor 7789 - ICQKiller 9400 - InCommand 1.0 9872 - PortalOfDoom 9989 - InIkiller 4567 - FileNail 6939 - Indoctrination 9875 - Portal of Doom 9989 - iNi-Killer 10101 - BrainSpy 10607 - Coma 11000 - Senna Spy Trojans 11223 - ProgenicTrojan 12076 - Gjamer 12223 - Hack¦99 KeyLogger 12346 - NetBus 1.x 12701 - Eclipse 2000 16969 - Priotrity 17300 - Kuang2 theVirus 20000 - Millenium 20034 - NetBus Pro
82 20331 - Bla 21554 - GirlFriend, Schwindler 1.82 22222 - Prosiak 0.47 23023 - Logget 23456 - WhackJob, UglyFtp, Evil ftp 29891 - The Unexplained 30029 - AOLTrojan1.1 30100 - NetSphere 30303 - Socket23 30999 - Kuang 31337 - BackOriffice, Chaplins Bo Spy v1.3, ExCulibar, Orc2 31339 - NetSpy 31787 - Hack'a'tack 33911 - Trojan Spirit 2001 34324 - Tiny Telnet Server, BigGluck 40412 - TheSpy 40423 - Master Paradise 50766 - Fore, Schwindler 53001 - Remote Windows Shutdown 54321 - SchoolBus v2.0 61466 - Telecommando 65000 - Devil 1.03
Internet. C
Alps6, BackDoor, PassCash. http://www.alguszone.ru
1.
'
"
+
)(' "
$
+
$
,
$ '
,
-
-
+
*
+%
" !
&
%
$
" !
$
#
. Internet. http://www.viruslist.com . . , 3. 2001. 4. . ., . . . Windows NT. .: , 1998. Windows NT. 5. . . . Internet. C 6. http://www.info_sec.ru. : http://www.hackzone.ru/articles/sweet.html. 7. . http://www.viruslist.com/viruslist.html?id=3971. 8. . , , // ComputerWorld. 9. 2000. N.19. - http://www.osp.ru/cw/2000/19/031_0.htm. 10. TROJANS. - http://kardinal.nn.ru/NT_HOLE/bkdoor-1.htm. . 11. - http://lib.isystem.ru/Encyclopedia.Rus/1classi/z_bad_pr.htm. . 12. http://www.nestor.minsk.by/kg/kg98/kg9801/kg80105.htm. 13. Kolotsov V. mIRC SCRIPT.INI. - http://www.irc.portal.ru/script_ini.html. 14. . - http://alexhak.narod.ru/stat/antitrojan.html. , 15. - http://alguszone.chat.ru/. 2.
'
.
. $
0
,
(+
"
!"
!
'
04.06.98.
32, .11, . (381-2) 65-47-31 58-47 21.04.97 .
#
67
!
*
(
.
)
071680
'
"
15.03.2003. . . 5,39. .- . . 5,3. 200 .
3
2
'
1
/
&
%
$
#
,
5
4
, . .
)
"
'
60 84 1.16.
,
8
-
C. .
(
'
, *
"
.
'.
«
)
(
644050, .
84
. .
. .
»