警告，一个利用修改系统时间令Kaspersky过期失效漏洞的网站

浪滔天

IE 6（补丁全）+kis 7.0.0.125 +360时间保护，进去逛了下，就拦了个木马，内容还算丰富

已检测到: 木马程序 Trojan-Dropper.Win32.Mudrop.fe URL: http://60.190.101.206/abc.cab//TestSign.exe//PE_Patch//UPack

[ 本帖最后由 浪滔天 于 2007-10-25 17:47 编辑 ]

icgo

用HijackThis v1.99.1查到

Logfile of HijackThis v1.99.1
Scan saved at 17:58:33, on 2007-10-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SnowFox\DesktopSprite2\DesktopSprite.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\360safe\safemon\360Tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WISPTIS.EXE
F:\Program Files\EVEREST\everest.exe
F:\Program Files\GreenBrowser\GreenBrowser.exe
F:\Program Files\Tencent\qq\QQ.exe
F:\Program Files\Tencent\qq\QQ.exe
F:\Program Files\Tencent\qq\TIMPlatform.exe
F:\Program Files\Tencent\qq\QQ.exe
F:\Program Files\Tencent\QQPetNurse\QQPetNurse.exe
F:\Program Files\Tencent\qq\qqpet\QQPenguin\QQPenguin.exe
F:\Program Files\Tencent\qq\qqpet\QQPenguin\QQPenguin.exe

O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - D:\Program Files\360safe\safemon\safemon.dll
O4 - HKLM\..\Run: [AVP] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [360Safetray] D:\Program Files\360safe\safemon\360tray.exe /start
O4 - HKLM\..\Run: [360Antiarp] D:\Program Files\360safe\antiarp\antiarp.exe /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EVEREST AutoStart] F:\Program Files\EVEREST\everest.exe
O4 - HKCU\..\Run: [DesktopSprite] F:\Program Files\SnowFox\DesktopSprite2\DesktopSprite.exe
O4 - Startup: Windows 任务管理器.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - User Startup: Windows 任务管理器.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: 使用迅雷下载 - D:\Program Files\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - D:\Program Files\Thunder\Program\getallurl.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 添加到反广告条 - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web 反病毒统计 - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {19EFFC12-25FB-479A-A0F2-1569AE1B3365} - http://60.190.101.206/abc.cab
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab
O16 - DPF: {73E4740C-08EB-4133-896B-8D0A7C9EE3CD} (AxInputControl Class) - https://mybank.icbc.com.cn/icbc/perbank/AXSafeControls.cab
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: 卡巴斯基互联网安全套装 7.0 (AVP) - Unknown owner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)


是不是第016项在作怪呢？

O16 - DPF: {19EFFC12-25FB-479A-A0F2-1569AE1B3365} - http://60.190.101.206/abc.cab
O16 - DPF: {1E0DFFCF-27FF-4574-849B-55007349FEDA} (iTrusPTA Class) - https://img.alipay.com/download/1101/aliedit.cab

用360查到这些是未知ActiveX插件

[ 本帖最后由 icgo 于 2007-10-25 19:06 编辑 ]