

Entry: Ipxsrv / nwlink virus

The virus's icon resembles the Local Area Connection icon in order to deceive the user. ipxsrv.exe and nwlink.exe open no ports; functionally, the control method resembles an IRCBOT backdoor, and it is only activated once certain conditions are met. After infection it creates two files in %Windir%\System32\: nwlink.exe (160,256 bytes) and Ipxsrv.exe (160,256 bytes).

Virus name: Backdoor.Win32.VB.xl (ipxsrv.exe), Backdoor.Win32.VB.xl (nwlink.exe)

Virus type: Windows Trojan program

File length: nwlink.exe 160,256 bytes; Ipxsrv.exe 160,256 bytes

Affected systems: Windows NT and later

Written in: Visual Basic 5.0/6.0

It starts the NWLink IPX Compatible Transport Protocol service and is capable of denial-of-service attacks. It adds nwlink.exe and Ipxsrv.exe to the running processes. Through the client, the operator can scan, upload and download files, upgrade the server (the component on the infected host), obtain the server's operating-system version and language, processor model and URL information, carry out HTTP, SMTP and SCAN operations, and modify the registry under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
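The two dropped files and the two autostart keys above are the host indicators a responder would check first. The script below is an added example, not code from the original entry: it turns those indicators into two pure check functions (so they can be run against data exported from any host) plus a live collector that only runs on Windows. The file sizes and registry paths come from the entry; the sample listing, the sample registry values and the "-install" argument in one of them are constructed for the demonstration.

```python
"""Host-indicator check for the Ipxsrv/nwlink backdoor.

Added example, not code from the original entry. It uses only the indicators
the entry gives: the two files dropped into %Windir%\\System32 (160,256 bytes
each) and the HKCU Run / RunServices autostart keys. The sample listing and
registry values at the bottom are constructed for the demonstration.
"""
import ntpath
import os
import sys

# Dropped file names and the size the entry reports for each (bytes).
DROPPED_FILES = {"nwlink.exe": 160256, "ipxsrv.exe": 160256}

# Autostart keys the entry says the backdoor modifies.
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def check_files(listing):
    """listing maps file name -> size in bytes for %Windir%\\System32.

    Returns (name, size, strength) tuples: an exact size match is 'strong';
    a name match with a different size is 'weak' (still worth a look, since a
    repacked build would keep the name but not the size).
    """
    findings = []
    for name, size in listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is None:
            continue
        findings.append((name, size, "strong" if size == expected else "weak"))
    return findings


def check_autostart(values):
    """values maps key path -> {value name: data} as read from the registry.

    Flags any value under the two autostart keys whose command points at one
    of the dropped file names, ignoring quoting, arguments and directory.
    """
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    hits = []
    for key, entries in values.items():
        if key.rstrip("\\").lower() not in wanted:
            continue
        for value_name, data in entries.items():
            text = data.strip()
            if text.startswith('"') and '"' in text[1:]:
                command = text[1:text.index('"', 1)]   # quoted path, may contain spaces
            else:
                command = text.split()[0] if text else ""
            if ntpath.basename(command).lower() in DROPPED_FILES:
                hits.append((key, value_name, data))
    return hits


def collect_live():
    """Read the real System32 listing and HKCU keys; Windows only, else None."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    sysdir = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "System32")
    listing = {}
    for name in DROPPED_FILES:
        path = os.path.join(sysdir, name)
        if os.path.isfile(path):
            listing[name] = os.path.getsize(path)
    values = {}
    for key in AUTOSTART_KEYS:
        subkey = key.split("\\", 1)[1]
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as handle:
                entries, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break  # no more values
                    entries[name] = str(data)
                    index += 1
                values[key] = entries
        except OSError:
            continue  # key absent on this host
    return listing, values


# Constructed sample data (not from a real host) in the shape collect_live returns.
SAMPLE_LISTING = {"nwlink.exe": 160256, "Ipxsrv.exe": 160256, "calc.exe": 114688}
SAMPLE_VALUES = {
    AUTOSTART_KEYS[0] + "\\": {"NWLink": r'"C:\WINDOWS\system32\nwlink.exe"'},
    AUTOSTART_KEYS[1] + "\\": {"Ipxsrv": r"C:\WINDOWS\system32\Ipxsrv.exe -install"},
}


if __name__ == "__main__":
    listing, values = collect_live() or (SAMPLE_LISTING, SAMPLE_VALUES)
    for finding in check_files(listing):
        print("file:", finding)
    for hit in check_autostart(values):
        print("autostart:", hit)
```

Run without arguments on a non-Windows host it evaluates the constructed sample and reports both files as strong matches and both autostart values as hits; on Windows it reads the live System32 directory and the two HKCU keys instead. A name match with a different size is deliberately kept as a weak finding rather than discarded.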


1. IRCX functions

Commands: S- ping/pong/IRCX/JOIN/MODE/Creat/join/i/privmsg/kick/nick/app/-close-multi/name

The IRCX command is used to learn whether the server supports IRCX. Some IRCX commands with extended functionality take extra parameters; in particular the /mode command accepts additional modes that only IRCX servers support. It can also be used to query the server's compatibility with IRCX.

/Create /create: creates a new chat room and sets its properties

/Join /Join []: creates or joins a chat room

/Kick /Kick []: used by a chat-room host to expel a user from a specific room

/MOTD /MOTD: shows the server's message of the day in the "Status" window

/Nick /Nick: changes the nickname

/Privmsg: same as the /Msg command

/Privmsg {,}: if you use a nickname, sends the message as a whisper to one or more users

i: sets invitation-only room mode.

2. File download function

Downloading requires certain conditions to be met, for example: an execution style must be chosen between 0 and 6, and the name of the file to execute must be supplied.

A "." marks the end of input.

Failed to execute file [ ]. (file execution failure message)

File name is requirement. (error message)

Try deleted file [ ] failed. (file deletion failure message)

Delete file [ ]has succeed. (file deletion success message)

ERR: Source file name and destination file name are requirement. (file rename failure message)

Rename [ ] => [ ] has succeed. (file rename success message)

Failed: Source file [ ] is not exist. (failure: source file [ ] does not exist)

Try remove files( ) has completed. (file removal success message)

Other messages: Execute style mode is requirement

Execute file name is requirement

Execute style mode must between 0 to 6


-comtupername: computer name

-cpu: CPU information

-localtime / -t: server-side time

-localip / -ip: server-side IP address

-memory / -mem: memory information

-sysdir: system folders

-sysver: system version

-username / -u: server-side user name

-windir: Windows directory

-irc: IRC service

-pop: POP3 service

-port: port number

-proc: processes

-install: after installation it runs as a service

halt: suspend

download: download a file

-localtime: server-side local time

-localip: server-side local IP

-memory: get memory size

-user: get the user

-windir: list the Windows directory

-tcpd: can be used for reverse DNS resolution

-kill: kill by ID

-list: process list

-reg: registry functions

-start: start service

-task / -task-list: task number

admissive (permitted): -boot -check

-m: list the files under \winnt\ or \windows\

4. Send function (currently assessed to be used for HTTP flooding)

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

5. Kill-process command

Killed: [ ] processess killed. (completion message)

-list: lists the process table

Failed: [ ] isn't in processes list. (process does not exist)

Failed: PID isn't in processes list. (PID is not in the process list)


The built-in language names are as follows (Process Default Language):

"Arabic (Saudi Arabia)"
"Arabic (Iraq)"
"Arabic (Egypt)"
"Arabic (Libya)"
"Arabic (Algeria)"
"Arabic (Morocco)"
"Arabic (Tunisia)"
"Arabic (Oman)"
"Arabic (Yemen)"
"Arabic (Syria)"
"Arabic (Jordan)"
"Arabic (Lebanon)"
"Arabic (Kuwait)"
"Arabic (U.A.E.)"
"Arabic (Bahrain)"
"Arabic (Qatar)"
"Windows 2000: Armenian. This is Unicode only."
"Windows 2000: Assamese. This is Unicode only."
"Azeri (Latin)"
"Azeri (Cyrillic)"
"Windows 2000: Bengali. This is Unicode only."
"Chinese (Taiwan Region)"
"Chinese (PRC)"
"Chinese (Hong Kong SAR, PRC)"
"Chinese (Singapore)"
"Chinese (Macau)"
"Dutch (Netherlands)"
"Dutch (Belgium)"
"English (United States)"
"English (United Kingdom)"
"English (Australian)"
"English (Canadian)"
"English (New Zealand)"
"English (Ireland)"
"English (South Africa)"
"English (Jamaica)"
"English (Caribbean)"
"English (Belize)"
"English (Trinidad)"
"English (Zimbabwe)"
"English (Philippines)"
"French (Standard)"
"French (Belgian)"
"French (Canadian)"
"French (Switzerland)"
"French (Luxembourg)"
"French (Monaco)"
"Windows 2000: Georgian. This is Unicode only."
"German (Standard)"
"German (Switzerland)"
"German (Austria)"
"German (Luxembourg)"
"German (Liechtenstein)"
"Windows 2000: Gujarati. This is Unicode only."
"Windows 2000: Hindi. This is Unicode only."
"Italian (Standard)"
"Italian (Switzerland)"
"Windows 2000: Kannada. This is Unicode only."
"Kashmiri (India)"
"Windows 2000: Konkani. This is Unicode only."
"Korean (Johab)"
"Lithuanian (Classic)"
"Malay (Malaysian)"
"Malay (Brunei Darussalam)"
"Windows 2000: Malayalam. This is Unicode only."
"Windows 2000: Marathi. This is Unicode only."
"Windows 2000: Nepali (India). This is Unicode only."
"Norwegian (Bokmal)"
"Norwegian (Nynorsk)"
"Windows 2000: Oriya. This is Unicode only."
"Portuguese (Brazil)"
"Portuguese (Standard)"
"Windows 2000: Punjabi. This is Unicode only."
"Windows 2000: Sanskrit. This is Unicode only."
"Serbian (Cyrillic)"
"Serbian (Latin)"
"Spanish (Traditional Sort)"
"Spanish (Mexican)"
"Spanish (Modern Sort)"
"Spanish (Guatemala)"
"Spanish (Costa Rica)"
"Spanish (Panama)"
"Spanish (Dominican Republic)"
"Spanish (Venezuela)"
"Spanish (Colombia)"
"Spanish (Peru)"
"Spanish (Argentina)"
"Spanish (Ecuador)"
"Spanish (Chile)"
"Spanish (Uruguay)"
"Spanish (Paraguay)"
"Spanish (Bolivia)"
"Spanish (El Salvador)"
"Spanish (Honduras)"
"Spanish (Nicaragua)"
"Spanish (Puerto Rico)"
"Swahili (Kenya)"
"Swedish (Finland)"
"Windows 2000: Tamil. This is Unicode only."
"Tatar (Tatarstan)"
"Windows 2000: Telugu. This is Unicode only."
"Urdu (Pakistan)"
"Urdu (India)"
"Uzbek (Latin)"
"Uzbek (Cyrillic)"
"Unknown New Language"

7. Upgrade the server side

-updata: via port 80

-r fail to run[ ].

exec: process information description, PID

-l local:

ERR: Unknown downloading status, client will close

Downloading... OVERWRITE

Downloading... bytes/remote:

Downloading... bytes/sec

Download completed.

Failed: Response file length is different than content length.

ERR: Socket error( )

Failed: Download client didn't ready.

Failed: No parameters found.

ERR: Protocal name doesn't found.

ERR: Environ [ ] doesn't exist.

ERR: Illegal local file name. [ ].

ERR: has been exist.

ERR: Socket did not ready.
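The misspelled, fixed-format messages quoted in sections 2 and 7 ("Protocal name doesn't found", "Execute style mode must between 0 to 6", and so on) are exactly the kind of strings a static signature keys on, because they survive renaming of the dropped files. The scanner below is an added example, not code from the original entry. It searches a file for those messages in both ASCII and UTF-16LE form, since the entry states the backdoor is written in Visual Basic 5.0/6.0 and VB 5/6 programs store string constants as UTF-16LE. The requirement of three distinct matches and the two sample buffers are the example's own assumptions.

```python
"""Static string-signature scan for Ipxsrv.exe / nwlink.exe.

Added example, not code from the original entry. The signature strings are the
distinctive client messages quoted in sections 2 and 7 of the entry; the two
sample buffers at the bottom are constructed to exercise the scanner. Because
the backdoor is a Visual Basic 5/6 program, whose string constants are stored
as UTF-16LE, each string is searched in both ASCII and UTF-16LE form.
"""
import sys

SIGNATURE_STRINGS = (
    "Execute style mode must between 0 to 6",
    "Try deleted file [",
    "ERR: Protocal name doesn't found.",
    "Failed: Download client didn't ready.",
    "ERR: Unknown downloading status, client will close",
    "Failed: Response file length is different than content length.",
)

# Assumption for this example: require three distinct strings before flagging,
# so that one generic phrase shared with an unrelated VB program is not enough.
MIN_DISTINCT = 3


def encoded_forms(text):
    """Both byte encodings a VB string literal may appear in inside the binary."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


def scan_bytes(data):
    """Return (string, encoding, offset) for every signature string present."""
    hits = []
    for text in SIGNATURE_STRINGS:
        for encoding, needle in encoded_forms(text).items():
            offset = data.find(needle)
            if offset != -1:
                hits.append((text, encoding, offset))
    return hits


def verdict(data):
    """(flagged, sorted distinct strings found) for one file's contents."""
    found = sorted({text for text, _, _ in scan_bytes(data)})
    return len(found) >= MIN_DISTINCT, found


def scan_file(path):
    """Read a whole file (the samples are ~160 KB, so no streaming needed)."""
    with open(path, "rb") as fh:
        return verdict(fh.read())


# Constructed samples: a fake PE-like blob carrying three signature strings in
# mixed encodings, and a benign blob with only the usual DOS-stub text.
SAMPLE_POSITIVE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + "Execute style mode must between 0 to 6".encode("utf-16-le") + b"\x00\x00"
    + b"ERR: Protocal name doesn't found." + b"\x00"
    + "Failed: Download client didn't ready.".encode("utf-16-le")
)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 16


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            flagged, found = scan_file(path)
            print(f"{path}: {'FLAGGED' if flagged else 'clean'} {found}")
    else:
        print("positive sample:", verdict(SAMPLE_POSITIVE))
        print("benign sample:", verdict(SAMPLE_BENIGN))
```

Pass one or more file paths on the command line to scan real files; with no arguments it runs against the two constructed buffers. Searching both encodings matters in practice: a plain ASCII `strings` pass over a VB 5/6 binary misses the UTF-16LE constants entirely, which is why the positive sample deliberately mixes the two forms.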

8. Obtain the server-side operating-system version

Windows 32s
Windows NT
Windows 95
Windows NT 4
Windows NT 5.0
Windows NT 5.1
Windows NT 5.2


9. Obtain the server-side processor model

The built-in model strings are as follows:

"Intel 386 Processor"
"Intel 486 Processor"
"Intel Pentium Processor"
"MIPS R4000 Processor"
"DEC Alpha 21064 Processor"


The built-in browser version strings (User-Agent values, truncated in the source) are as follows:

"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.5; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.01; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0b; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...
"Mozilla/4.0 (compatible; MSIE 5.5; Wind"...
"Mozilla/4.0 (compatible; MSIE 6.0b; Win"...
"Mozilla/4.0 (compatible; MSIE 6.0; Wind"...

11. SCAN function

Scan port, start ipaddr, end ipaddr, all are requirement

Connection scan: connected.

Scan [ ] to [ ] has completed.

ip#s will scan( clients ).

Scan errors: ERR: illegal port number [ ].

ERR: illegal start ipaddr [ ].

ERR: illegal end paddr [ ]

ERR: You must make lesser IP address forward.

Stop scan: Stop scan [ ].

No active scaning




Connection: Keep-Alive

13. Help function

Index (index)

Number (help option)

Description (function description)

Scode (server code)

Source (source)

HelpFile (help file)

HelpContext (associated help context)

CancelDisplay (cancel display)


It calls IcmpSendEcho to send ICMP echo requests through the opened handle, returning on timeout or when a reply is received.

It contains the following messages: Stop sending to (stop sending data)

Start sending to (start sending data)

No active ICMP working (no ICMP activity in progress)

Stop tcp to(clients) / start tcp to(clients)

No active tcp in working.

Stop flood port on (clients) and start flood port on (clients)

No active flood port working.

Stop full port on

start full port on

No active full port working.

15. Sending new mail via the SMTP service function

Resettable; can obtain the SMTP mail server's domain name.

Uses the helo command with parameter \r

Server responses: 220 Service ready

250 Requested mail action completed

354 Start mail input; end with a single "." line.

The Helo command has a security weakness: for instance, helo hostname opens the greeting from the client and the SMTP server uses it to identify the client, but the client can set this hostname to anything it likes.

It contains the following messages: smtp service closed

smtp service data arrived

smtp service error

16. Start/stop attacks against an SMTP server

It contains the following messages: Start / Stop smtp sending to

Start / Stop ending to

Error start sending to [ ] is an illegal port.

No active UDP working.

No active smtp send working.

Can't resolve name.

Failed: Target port is requirement.

Failed: Target host/ipaddr is requirement.

Failed: Illegal web host name []

Failed: Illegal smtp host/ip []

Failed: Illegal smtp domain name.

Failed: Can't resolve ip address by name [

Failed: Can't resolve smtp host [

Failed: Smtp mail domain is requirement.

Failed: Smtp host/ip is requirement.

GET / command, related parameters /c/s/n/u/h (these parameters are likewise suspected to be used for HTTP FLOOD)

Port 80

Unit: KBytes/sec KB/Sec

:// ERR: Protocal name doesn't found.

http Failed: [ ] protocol does not support.

http:// Can't resolve name.

/n/r/p: the client has refresh and stop-refresh functions

ERR: Unknown http type [ ].

ERR: URL is requirement.

17. Mail-sending function

MAIL FROM: < (the mail originates from somewhere)

RCPT TO: < (SMTP command identifying the recipient; may contain the client user's email address)

DATA (the data sent)

18. At a specific time the backdoor actively connects to an IRC server and executes an IRC script.

19. Under specific conditions the backdoor sends an IP-notification email and waits for the server side to connect.






