endurer 原创
2007-01-15 第2版 补充Kaspersky的反应
2007-01-12 第1版
网站的网页被加入代码:
/------
<iframe src=hxxp://i***.the*c***.cn/sin**ze*/sin**ze*.htm width=0 height=0></iframe>
------/
sin**ze*.htm Kaspersky 报为 Trojan-Downloader.VBS.Psyme.ei。
在浏览器中打开该网页,会看到信息:
/------
就不让你看!气死你 by ******!
------/
其中******处的字符串可能是作者昵称,这里偶匿了。
还没完,网页中接下来有利用Replace()来保护自身的VBScript脚本,会利用 Microsoft.XMLHTTP 和 Scripting.FileSystemObject 下载文件 sinze.exe,保存为 %temp%/g0ld.com,并利用Shell.Application 对象Q 的 ShellExecute 方法 来运行。
sinze.exe 采用 ASPack 加壳
文件说明符 : D:/test/sinze.exe
获取文件版本信息大小失败!
创建时间 : 2007-1-12 16:21:11
修改时间 : 2007-1-12 16:21:13
访问时间 : 2007-1-12 16:28:57
大小 : 88708 字节 86.644 KB
MD5 : 118e7d74d99e10cef293b254e1dc78ff
Complete scanning result of "__25968", received in VirusTotal at 01.12.2007, 10:20:11 (CET).
| Antivirus | Version | Update | Result |
| AntiVir | 7.3.0.21 | 01.09.2007 | HEUR/Crypted |
| Authentium | 4.93.8 | 01.12.2007 | could be a corrupted executable file |
| Avast | 4.7.892.0 | 12.30.2006 | no virus found |
| AVG | 386 | 01.11.2007 | no virus found |
| BitDefender | 7.2 | 01.12.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 01.12.2007 | no virus found |
| ClamAV | devel-20060426 | 01.12.2007 | no virus found |
| DrWeb | 4.33 | 01.12.2007 | no virus found |
| eSafe | 7.0.14.0 | 01.10.2007 | Suspicious Trojan/Worm |
| eTrust-InoculateIT | 23.73.112 | 01.12.2007 | no virus found |
| eTrust-Vet | 30.3.3319 | 01.11.2007 | no virus found |
| Ewido | 4.0 | 01.11.2007 | no virus found |
| Fortinet | 2.82.0.0 | 01.12.2007 | suspicious |
| F-Prot | 3.16f | 01.11.2007 | no virus found |
| F-Prot4 | 4.2.1.29 | 01.12.2007 | no virus found |
| Ikarus | T3.1.0.27 | 01.09.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 01.12.2007 | no virus found |
| McAfee | 4937 | 01.11.2007 | no virus found |
| Microsoft | 1.1904 | 01.12.2007 | no virus found |
| NOD32v2 | 1972 | 01.11.2007 | no virus found |
| Norman | 5.80.02 | 01.11.2007 | no virus found |
| Panda | 9.0.0.4 | 01.12.2007 | no virus found |
| Prevx1 | V2 | 01.12.2007 | no virus found |
| Sophos | 4.13.0 | 01.11.2007 | no virus found |
| Sunbelt | 2.2.907.0 | 01.12.2007 | VIPRE.Suspicious |
| TheHacker | 6.0.3.147 | 01.11.2007 | no virus found |
| UNA | 1.83 | 01.11.2007 | no virus found |
| VBA32 | 3.11.2 | 01.10.2007 | no virus found |
| VirusBuster | 4.3.19:9 | 01.11.2007 | no virus found |
Aditional Information
File size: 88708 bytes
MD5: 118e7d74d99e10cef293b254e1dc78ff
SHA1: 7e562cfafef92b5f17d279beb2c968bd9e612817
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
今天重下载了这个文件:
文件说明符 : D:/test/sinze.exe
获取文件版本信息大小失败!
创建时间 : 2007-1-15 16:11:33
修改时间 : 2007-1-15 16:13:51
访问时间 : 2007-1-15 16:14:42
大小 : 425569 字节 415.609 KB
MD5 : 03111c59838bf6e6a16ad64413ed3954
下载过程中曾被KAV6拦截了一次,只得到了414,453字节。
Kaspersky报为:Virus.Win32.Delf.an
2331
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
