分析888个样本c221.exe取得下载地址。各位来提取地址文件

molicn

0040A624: 'c:\log.txt',0
0040A630: '%04d%02d',0
0040A640: 'Software\Microsoft\Updates',0
0040A65C: 'LastUpdateTime',0
0040A66C: 'NextUpdateTime',0
0040A67C: 'CurrentVersion',0
0040A698: 'RebootReg',0
0040A6A8: 'tmp\',0
0040A6B0: 'wordpad',0
0040A6B8: 'rg.dat',0
0040A6C0: '\bigdv.dat',0
0040A6CC: 'bigdv.dat',0
0040A6D8: 'Microsoft Update',0
0040A6EC: 'Microsoft Update',0
0040A700: 'kernel32.dll',0
0040A710: 'RegisterServiceProcess',0
0040A728: 'SoftWare\Microsoft\Windows\CurrentVersion\Internet Settings',0
0040A764: 'ProxyEnable',0
0040A770: 'ProxyServer',0
0040A7AC: 'File(s) update will take effect after you reboot your system. We suggest you reboot the computer now.',0
0040A820: 'Updater Information',0
0040A840: 'Updater Information',0
0040A868: 'File(s) update has been successfully completed!',0
0040A8B4: 'Something wrong with the file(s) update, possibly because of the Internet.',0
0040A900: '1.0.0.0',0
0040A908: '1.0.0.0',0
0040A910: 'todo',0
0040A918: 'Install',0
0040A920: '\todo.exe',0
0040A92C: 'C:\WINDOWS\Temp\',0
0040A940: 'Number',0
0040A948: 'File',0
0040A950: 'Number',0
0040A958: 'File',0
0040A964: 'File',0
0040A96C: 'File',0
0040A980: 'File',0
0040A98C: 'http://4.guzhijijin.com/bigd/c221/',0
0040A9B0: 'C:\WINDOWS\Temp\',0
0040A9E4: 'Updating from version !',0
0040A9FC: ', Please waiting!',0
0040AA30: 'Downloading files....',0
0040AA48: '.dll',0
0040AA50: '.new',0
0040AA58: '.dll',0
0040AA60: '.new',0
0040AA70: 'Number',0
0040AA78: 'RegNum',0
0040AA80: 'Number',0
0040AA88: 'RegFile',0
0040AA94: 'RegFile',0
0040AAA0: '1.0.0',0
0040AAA8: 'VersionNo',0
0040AAB4: 'Version',0
0040AAD8: 'Updating file(s)....',0
0040AAF4: 'RegFile',0
0040AAFC: 'Number',0
0040AB04: 'RegNum',0
0040AB0C: 'WININIT.INI',0
0040AB18: 'rename',0
0040AB20: 'RegSvr32.exe /s ',0
0040AB34: 'Software\Microsoft\Windows\CurrentVersion\Uninstall\hup',0
0040AB6C: 'DisplayName',0
0040AB78: 'http://4.guzhijijin.com/bigd/c221/',0
0040AB9C: 'C:\WINDOWS\Temp\',0
0040ABBC: 'Updater Information',0
0040AC08: 'Error with network connection, try again please!',0
0040AC3C: '1.0.0.0',0
0040AC44: 'VersionNo',0
0040AC50: 'Version',0
0040AC58: '1.0.0.0',0
0040AC60: 'VersionNo',0
0040AC6C: 'Version',0
0040AC80: 'Updater Information',0
0040ACEC: 'Find a new version. Would you like to update now?',0
0040AD20: 'Number',0
0040AD28: 'File',0
0040AD3C: 'Updater Information',0
0040AD94: 'This software is up to date!',0
0040ADC4: 'Regsvr32.exe /s ',0
0040ADD8: 'Number',0
0040ADE0: 'RegNum',0
0040ADEC: 'RegFile',0
0040ADF4: 'wdg.dll',0
0040ADFC: '%s%s',0
0040AE24: 'C:\WINDOWS\Temp\',0
0040AE38: 'C:\WINDOWS\Temp\',0
0040AFF4: 'CMainFrame',0
0040B004: '%04d%02d%02d%',0

注意：地址：http://4.guzhijijin.com/bigd/c221/
附上木马下载样本

[ 本帖最后由 molicn 于 2008-6-17 23:38 编辑 ]

sanhu35

伞报

sam.to

Forbidden

You don't have permission to access /bigd/c221/ on this server.

已刪除: 特洛伊木馬程式 Trojan.Win32.BHO.dnl        檔案: C:\Documents and Settings\kato9096\桌面\SYSDIR.rar/wordpad.exe

tgzw1680

费尔砍掉

傻猪猪米走鸡

probably a variant of Win32/Adware.Cinmus application

电影结束了

站拒绝显示此网页
HTTP 403  
   最可能的原因是:
此网站要求您登录。

   您可以尝试以下操作:
     返回到上一页。

     更多信息

....

xuhaonan

瑞星病毒查杀结果报告

清除病毒种类列表：
病毒： Trojan.Win32.BHO.dgq     

用户来源：互联网

软件版本：20.49.12

qigang

瑞星病毒查杀结果报告

清除病毒种类列表：

病毒： Trojan.Win32.BHO.dgq     

MAC 地址：00:11:5B:F3:6D:69

用户来源：互联网

软件版本：20.49.22