It has been confirmed that Au_.exe is a component of an NSIS installer package, not a virus.
When it uninstalls 360safe it does indeed connect to port 80 at the following address:
60.195.253.85
The capture follows:
Source: 10.1.5.189 port 1214 -> Destination: 60.195.253.85 port 80   TTL: 64   PacketSize: 64
Protocol: TCP   TCP flags (as reported): ACK|URG
  02 04 05 AC 01 03 03 02 01 01 08 0A 00 00 00 00  ................
  00 00 00 00 01 01 04 02                          ........
  (option bytes decode as MSS 1452, window scale 2, timestamps 0/0, SACK permitted, i.e. the handshake SYN; the sniffer's flag column is not reliable here)

Source: 10.1.5.189 port 1214 -> Destination: 60.195.253.85 port 80   TTL: 64   PacketSize: 52
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 00 32 7A 78 59 FD D1 35              .....2zxY..5

Source: 60.195.253.85 port 80 -> Destination: 10.1.5.189 port 1214   TTL: 50   PacketSize: 60
Protocol: TCP   TCP flags (as reported): URG
  02 04 05 18 01 03 03 00 01 01 08 0A 59 FD D1 35  ............Y..5
  00 00 00 00                                      ....
  (option bytes decode as MSS 1304, window scale 0, timestamps 0x59FDD135/0, i.e. the SYN/ACK)

Source: 10.1.5.189 port 1214 -> Destination: 60.195.253.85 port 80   TTL: 64   PacketSize: 352
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 00 32 7A 78 59 FD D1 35 47 45 54 20  .....2zxY..5GET 
  2F 72 65 67 2F 73 61 66 65 5F 75 6E 69 2E 68 74  /reg/safe_uni.ht
  6D 3F 70 61 72 74 6E 65 72 3D 68 5F 68 6F 6D 65  m?partner=h_home
  26 76 65 72 3D 32 2E 30 2E 30 2E 33 30 30 33 26  &ver=2.0.0.3003&
  74 3D 33 33 30 38 32 37 31 38 37 20 48 54 54 50  t=330827187 HTTP
  2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F  /1.1..Accept: */
  2A 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69  *..Accept-Encodi
  6E 67 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74  ng: gzip, deflat
  65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  e..User-Agent: M
  6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70  ozilla/4.0 (comp
  61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30  atible; MSIE 6.0
  3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31  ; Windows NT 5.1
  3B 20 53 56 31 3B 20 54 65 6E 63 65 6E 74 54 72  ; SV1; TencentTr
  61 76 65 6C 65 72 20 3B 20 46 44 4D 3B 20 2E 4E  aveler ; FDM; .N
  45 54 20 43 4C 52 20 31 2E 31 2E 34 33 32 32 3B  ET CLR 1.1.4322;
  20 2E 4E 45 54 20 43 4C 52 20 32 2E 30 2E 35 30   .NET CLR 2.0.50
  37 32 37 29 0D 0A 48 6F 73 74 3A 20 69 6E 73 74  727)..Host: inst
  2E 33 36 30 73 61 66 65 2E 63 6F 6D 0D 0A 43 6F  .360safe.com..Co
  6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41  nnection: Keep-A
  6C 69 76 65 0D 0A 0D 0A                          live....
  Decoded request (after the 12 bytes of timestamp options):
  GET /reg/safe_uni.htm?partner=h_home&ver=2.0.0.3003&t=330827187 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; FDM; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
  Host: inst.360safe.com
  Connection: Keep-Alive

Source: 60.195.253.85 port 80 -> Destination: 10.1.5.189 port 1214   TTL: 50   PacketSize: 215
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 59 FD D1 45 00 32 7A 78 48 54 54 50  ....Y..E.2zxHTTP
  2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 44 61 74  /1.1 200 OK..Dat
  65 3A 20 54 75 65 2C 20 31 37 20 4F 63 74 20 32  e: Tue, 17 Oct 2
  30 30 36 20 30 32 3A 34 33 3A 33 34 20 47 4D 54  006 02:43:34 GMT
  0D 0A 53 65 72 76 65 72 3A 20 41 70 61 63 68 65  ..Server: Apache
  0D 0A 58 2D 50 6F 77 65 72 65 64 2D 42 79 3A 20  ..X-Powered-By: 
  50 48 50 2F 34 2E 33 2E 31 31 0D 0A 43 6F 6E 74  PHP/4.3.11..Cont
  65 6E 74 2D 4C 65 6E 67 74 68 3A 20 32 0D 0A 43  ent-Length: 2..C
  6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65  onnection: close
  0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20  ..Content-Type: 
  74 65 78 74 2F 68 74 6D 6C 0D 0A 0D 0A 6F 6B     text/html....ok
  Decoded response (after the 12 bytes of timestamp options):
  HTTP/1.1 200 OK
  Date: Tue, 17 Oct 2006 02:43:34 GMT
  Server: Apache
  X-Powered-By: PHP/4.3.11
  Content-Length: 2
  Connection: close
  Content-Type: text/html

  ok

Source: 60.195.253.85 port 80 -> Destination: 10.1.5.189 port 1214   TTL: 50   PacketSize: 52
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 59 FD D1 45 00 32 7A 78              ....Y..E.2zx

Source: 10.1.5.189 port 1214 -> Destination: 60.195.253.85 port 80   TTL: 64   PacketSize: 52
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 00 32 7A 7A 59 FD D1 45              .....2zzY..E

Source: 10.1.5.189 port 1214 -> Destination: 60.195.253.85 port 80   TTL: 64   PacketSize: 52
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 00 32 7A 7A 59 FD D1 45              .....2zzY..E

Source: 60.195.253.85 port 80 -> Destination: 10.1.5.189 port 1214   TTL: 50   PacketSize: 52
Protocol: TCP   TCP flags (as reported): none
  01 01 08 0A 59 FD D1 54 00 32 7A 7A              ....Y..T.2zz
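An added example, written for this page and not code from the original post, from NSIS or from 360safe: a small Python decoder for the sniffer output above. It rebuilds the bytes from the hex column, walks the TCP options (MSS, window scale, SACK-permitted, timestamps), and then parses the HTTP request and response so the beacon's destination host, path, query identifiers and User-Agent can be recorded. The dumps are transcribed from the capture in the post; the function names, and the assumption that each dump begins immediately after the fixed 20-byte TCP header, are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input, transcribed from the capture in the post above so the example
# runs offline: the client SYN's option bytes, the client's request segment and the
# server's response segment. Assumption: each dump starts right after the fixed
# 20-byte TCP header (options first, then payload), as the sniffer appears to print.
SYN_DUMP = """\
0x020x040x050xAC0x010x030x030x020x010x010x080x0A0x000x000x000x00................
0x000x000x000x000x010x010x040x02........
"""
REQUEST_DUMP = """\
0x010x010x080x0A0x000x320x7A0x780x590xFD0xD10x350x470x450x540x20.....2zxY..5GET
0x2F0x720x650x670x2F0x730x610x660x650x5F0x750x6E0x690x2E0x680x74/reg/safe_uni.ht
0x6D0x3F0x700x610x720x740x6E0x650x720x3D0x680x5F0x680x6F0x6D0x65m?partner=h_home
0x260x760x650x720x3D0x320x2E0x300x2E0x300x2E0x330x300x300x330x26&ver=2.0.0.3003&
0x740x3D0x330x330x300x380x320x370x310x380x370x200x480x540x540x50t=330827187HTTP
0x2F0x310x2E0x310x0D0x0A0x410x630x630x650x700x740x3A0x200x2A0x2F/1.1..Accept:*/
0x2A0x0D0x0A0x410x630x630x650x700x740x2D0x450x6E0x630x6F0x640x69*..Accept-Encodi
0x6E0x670x3A0x200x670x7A0x690x700x2C0x200x640x650x660x6C0x610x74ng:gzip,deflat
0x650x0D0x0A0x550x730x650x720x2D0x410x670x650x6E0x740x3A0x200x4De..User-Agent:M
0x6F0x7A0x690x6C0x6C0x610x2F0x340x2E0x300x200x280x630x6F0x6D0x70ozilla/4.0(comp
0x610x740x690x620x6C0x650x3B0x200x4D0x530x490x450x200x360x2E0x30atible;MSIE6.0
0x3B0x200x570x690x6E0x640x6F0x770x730x200x4E0x540x200x350x2E0x31;WindowsNT5.1
0x3B0x200x530x560x310x3B0x200x540x650x6E0x630x650x6E0x740x540x72;SV1;TencentTr
0x610x760x650x6C0x650x720x200x3B0x200x460x440x4D0x3B0x200x2E0x4Eaveler;FDM;.N
0x450x540x200x430x4C0x520x200x310x2E0x310x2E0x340x330x320x320x3BETCLR1.1.4322;
0x200x2E0x4E0x450x540x200x430x4C0x520x200x320x2E0x300x2E0x350x30.NETCLR2.0.50
0x370x320x370x290x0D0x0A0x480x6F0x730x740x3A0x200x690x6E0x730x74727)..Host:inst
0x2E0x330x360x300x730x610x660x650x2E0x630x6F0x6D0x0D0x0A0x430x6F.360safe.com..Co
0x6E0x6E0x650x630x740x690x6F0x6E0x3A0x200x4B0x650x650x700x2D0x41nnection:Keep-A
0x6C0x690x760x650x0D0x0A0x0D0x0Aive.....
"""
RESPONSE_DUMP = """\
0x010x010x080x0A0x590xFD0xD10x450x000x320x7A0x780x480x540x540x50....Y..E.2zxHTTP
0x2F0x310x2E0x310x200x320x300x300x200x4F0x4B0x0D0x0A0x440x610x74/1.1200OK..Dat
0x650x3A0x200x540x750x650x2C0x200x310x370x200x4F0x630x740x200x32e:Tue,17Oct2
0x300x300x360x200x300x320x3A0x340x330x3A0x330x340x200x470x4D0x5400602:43:34GMT
0x0D0x0A0x530x650x720x760x650x720x3A0x200x410x700x610x630x680x65..Server:Apache
0x0D0x0A0x580x2D0x500x6F0x770x650x720x650x640x2D0x420x790x3A0x20..X-Powered-By:
0x500x480x500x2F0x340x2E0x330x2E0x310x310x0D0x0A0x430x6F0x6E0x74PHP/4.3.11..Cont
0x650x6E0x740x2D0x4C0x650x6E0x670x740x680x3A0x200x320x0D0x0A0x43ent-Length:2..C
0x6F0x6E0x6E0x650x630x740x690x6F0x6E0x3A0x200x630x6C0x6F0x730x65onnection:close
0x0D0x0A0x430x6F0x6E0x740x650x6E0x740x2D0x540x790x700x650x3A0x20..Content-Type:
0x740x650x780x740x2F0x680x740x6D0x6C0x0D0x0A0x0D0x0A0x6F0x6Bext/html....ok.
"""
HEX_RUN = re.compile(r"^((?:0x[0-9A-Fa-f]{2})+)")
OPTION_LENGTHS = {2: 4, 3: 3, 4: 2, 8: 10}  # MSS, window scale, SACK-permitted, timestamps

def dump_to_bytes(dump):
    """Rebuild bytes from the leading 0xNN run of each line; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        if m := HEX_RUN.match(line.strip()):
            out += bytes.fromhex(m.group(1).replace("0x", ""))
    return bytes(out)

def split_tcp_options(data):
    """Return (options, payload); with no data-offset field, stop at the first non-option byte."""
    opts, i = {}, 0
    while i < len(data):
        kind = data[i]
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = OPTION_LENGTHS.get(kind)  # kind 0 (end of list) or a payload byte: stop
        if length is None or i + length > len(data) or data[i + 1] != length:
            break
        body = data[i + 2:i + length]
        if kind == 2:
            opts["mss"] = int.from_bytes(body, "big")
        elif kind == 3:
            opts["wscale"] = body[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        else:                              # kind 8: TSval, TSecr
            opts["ts_val"], opts["ts_ecr"] = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big")
        i += length
    return opts, data[i:]

def parse_http_message(payload):
    """Split an HTTP/1.x message into start line, lower-cased headers and body, and
    check the body against Content-Length (a truncated capture would fail this)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    start, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return {"start": start, "headers": headers, "body": body,
            "complete": len(body) == int(headers.get("content-length", 0))}

def describe_request(payload):
    """Fields an analyst records about the beacon: host, path, query identifiers, User-Agent."""
    msg = parse_http_message(payload)
    method, target, _ = msg["start"].split(" ", 2)
    url = urlsplit(target)
    return {"method": method, "host": msg["headers"].get("host"), "path": url.path,
            "user_agent": msg["headers"].get("user-agent"), "query": {k: v[0] for k, v in parse_qs(url.query).items()}}

def describe_response(payload):
    """Status code plus the parsed message (headers, body, completeness)."""
    msg = parse_http_message(payload)
    return {"status": int(msg["start"].split(" ", 2)[1]), **msg}
```

Run `describe_request(split_tcp_options(dump_to_bytes(REQUEST_DUMP))[1])` to get the beacon summary: the uninstaller reports a partner id, a version and a numeric t value to inst.360safe.com over plain HTTP, so any on-path observer can read or alter the exchange, and the server answers with a two-byte "ok". The option walk stops at the first byte that is not a known option kind because the sniffer does not print the TCP data-offset field; a decoder fed a full packet should use that field instead.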
NSIS is the Nullsoft Install System, a piece of software for building installers.
Search result:
NSIS is short for "Nullsoft Scriptable Installation System". It is a free Win32 install/uninstall system built around a compact, efficient scripting approach. It was originally created by Nullsoft as the system for distributing Winamp and its plugins, but it has since been adopted by hundreds of applications as their release tool.
Installers built with NSIS can install, uninstall, change system settings, extract files and so on; they can do almost anything. Because it is script based, you have full control over every part of your installer. Its scripting language supports variables, functions and string handling, just like an ordinary programming language, but it is designed solely for creating installers.