再来一个n多的，卡死

dd2006

费尔报了

悠柚

直接被za的spysiteblocking给blockle，进都进不去

qigang

反病毒引擎	版本	最后更新	扫描结果
AhnLab-V3	2008.2.6.10	2008.02.05	-
AntiVir	7.6.0.62	2008.02.06	HEUR/Malware
Authentium	4.93.8	2008.02.06	-
Avast	4.7.1098.0	2008.02.06	Win32:Baidubar-B
AVG	7.5.0.516	2008.02.06	Downloader.Generic6.AHDJ
BitDefender	7.2	2008.02.07	-
CAT-QuickHeal	9.00	2008.02.04	(Suspicious) - DNAScan
ClamAV	0.92	2008.02.07	-
DrWeb	4.44.0.09170	2008.02.06	-
eSafe	7.0.15.0	2008.01.28	Suspicious File
eTrust-Vet	31.3.5517	2008.02.07	-
Ewido	4.0	2008.02.06	-
FileAdvisor	1	2008.02.07	-
Fortinet	3.14.0.0	2008.02.06	-
F-Prot	4.4.2.54	2008.02.06	-
F-Secure	6.70.13260.0	2008.02.07	-
Ikarus	T3.1.1.20	2008.02.07	Virus.Win32.Baidubar.B
Kaspersky	7.0.0.125	2008.02.07	-
McAfee	5224	2008.02.06	-
Microsoft	1.3204	2008.02.06	Trojan:Win32/Motsky
NOD32v2	2854	2008.02.06	a variant of Win32/TrojanDownloader.Adload.NEW
Norman	5.80.02	2008.02.06	-
Panda	9.0.0.4	2008.02.07	Suspicious file
Prevx1	V2	2008.02.07	Heuristic: Suspicious Self Modifying EXE
Rising	20.29.22.00	2008.01.30	-
Sophos	4.26.0	2008.02.07	-
Sunbelt	2.2.907.0	2008.02.07	VIPRE.Suspicious
Symantec	10	2008.02.07	-
TheHacker	6.2.9.211	2008.02.06	-
VBA32	3.12.6.0	2008.02.07	-
VirusBuster	4.3.26:9	2008.02.06	Trojan.DR.IEser.Gen!Pac
Webwasher-Gateway	6.6.2	2008.02.07	Heuristic.Malware

附加信息

File size: 304304 bytes

MD5: d15df059beb8fa696b66cc0cd93fb1c6

SHA1: 5bfb4c26c2e6947c28d9d5ac00adaaf6ad5ba4cc

PEiD: -

packers: PECompact

packers: PecBundle, PECompact

packers: PE_Patch.PECompact, PecBundle, PECompact, PE_Patch.PECompact, PecBundle, PECompact

Prevx info: http://info.prevx.com/aboutprogr ... 4A9CB6F3C00E81CA41F

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

冷冷

这个是捆绑型的病毒吧
--------------------------------------

如果没有HIPS，用户将看不到①,①这过程是隐藏的！
用户直接看到的是②



释放文件如下：
那INI文件里面的my_70403.exe 应该是木马了，要下载回来的！




这个是安装程序，24M ，偶的网速不敢恭维 ，没有下载

这个很流氓，不能直接结束 ，非得用任务管理器关掉！


[ 本帖最后由 冷_冷 于 2008-2-7 14:28 编辑 ]

qigang

rising20.30.20未认得！

じ☆ve楓少ツ

麦咖啡8.5+ADMU打开以后无任何发现，正常浏览，只是这个网站含有很多不正规的脚本文件。

冷冷

OPERA

。。。。。。。。。。。。。

咋不用IE呢？

tanlimo

原帖由 <i>jehovah_king</i> 于 2008-2-7 09:18 发表 <a href="http://bbs.kafan.cn/redirect.php?goto=findpost&pid=2712019&ptid=199637" target="_blank"><img src="http://bbs.kafan.cn/images/common/back.gif" border="0"   alt="" /></a><br />

<br />
        window.onerror=function(){return true;}<br />
        window.status="完成";<br />
<br />
<br />
eval(function(p,a,c,k,e,d){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while ...

<br />

http://20080203.service-google.cn/pps.exe
http://20080203.service-google.cn/qvod.exe
http://20080203.service-google.cn/614.exe
http://20080203.service-google.cn/baidu.cab

转来转去总这么几个，大家不用扫了

[ 本帖最后由 tanlimo 于 2008-2-7 19:50 编辑 ]

Graybird

Starting the file scan:

Begin scan in 'E:\buytrhccrfqva.rar'

Begin scan in 'E:\pps.exe'
E:\pps.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.ppu
      [INFO]      The file was deleted!


Starting the file scan:

Begin scan in 'E:\qvod.exe'
E:\qvod.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.ppu
      [INFO]      The file was deleted!
Begin scan in 'E:\614.exe'
E:\614.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.ppu
      [INFO]      The file was deleted!
Begin scan in 'E:\baidu.cab'
E:\baidu.cab
  [0] Archive type: CAB (Microsoft)
  --> baidu.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.ppu
      [INFO]      The file was deleted!



The file 'buytrhccrfqva.dll' has been determined to be 'MALWARE'. Our analysts discovered that the file is a Backdoor-Server. The purpose of such programs is to provide remote control capability. Detection will be added to our virus definition file (VDF) with one of the next updates.

[ 本帖最后由 Graybird 于 2008-2-7 18:39 编辑 ]

woai_jolin