查看: 4379|回复: 15
收起左侧

[已鉴定] 心海(2008.7.11..13点)继续被挂马,见13楼,请高手继续分析

 关闭 [复制链接]
小飞侠.net
发表于 2008-7-11 01:37:41 | 显示全部楼层 |阅读模式

心海被挂马了~~
ht tp://www.hrtsea.com/down/soft/78.htm
晕,刚看出WinRAR 简体中文版 3.80 beta 3,一去爆马哦。。。另想问问回帖的网友,最新测试winrar美化版能放心用吗?
文件 1.rar 接收于 2008.07.10 19:20:50 (CET)
反病毒引擎 版本 最后更新 扫描结果
AhnLab-V3 2008.7.10.0 2008.07.10 -
AntiVir 7.8.0.64 2008.07.10 HTML/Rce.Gen
Authentium 5.1.0.4 2008.07.10 -
Avast 4.8.1195.0 2008.07.09 VBS:Obfuscated-gen
AVG 7.5.0.516 2008.07.10 JS/Downloader.Agent
BitDefender 7.2 2008.07.10 -
CAT-QuickHeal 9.50 2008.07.10 -
ClamAV 0.93.1 2008.07.10 JS.Psyme-36
DrWeb 4.44.0.09170 2008.07.10 -
eSafe 7.0.17.0 2008.07.09 -
eTrust-Vet 31.6.5943 2008.07.10 -
Ewido 4.0 2008.07.10 Downloader.AniLoad.nae
F-Prot 4.4.4.56 2008.07.10 -
F-Secure 7.60.13501.0 2008.07.10 VBS/Psyme.BF
Fortinet 3.14.0.0 2008.07.10 -
GData 2.0.7306.1023 2008.07.10 VBS:Obfuscated-gen
Ikarus T3.1.1.26.0 2008.07.10 Virus.VBS.Obfuscated
Kaspersky 7.0.0.125 2008.07.10 -
McAfee 5335 2008.07.09 -
Microsoft 1.3704 2008.07.10 TrojanDownloader:VBS/Psyme.gen!D
NOD32v2 3259 2008.07.10 -
Norman 5.80.02 2008.07.10 -
Panda 9.0.0.4 2008.07.10 -
Prevx1 V2 2008.07.10 -
Rising 20.52.32.00 2008.07.10 -
Sophos 4.31.0 2008.07.10 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.10 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.10 -
VBA32 3.12.6.9 2008.07.10 -
VirusBuster 4.5.11.0 2008.07.10 HTML.Psyme.Gen
Webwasher-Gateway 6.6.2 2008.07.10 Script.Rce.Gen
附加信息
File size: 2057 bytes
MD5...: bd7217f122f7c043f16ae68ad23a6082
SHA1..: d1ae0c18ea17d696fe4d786a416f095fd4d259f8
SHA256: 29088eb42c017a123fb56031e1c3e68761d1e4ac11a26272e818b40f98ec394d
SHA512: 242cb3867ef92b478a4be92d30c447e6a9f9558b309e57de2c7d5c70fa825a07
620f197a059640e7ce29685c16888fa24e1973add0231083afd8e762d2de5773
PEiD..: -
PEInfo: -
文件 2.rar 接收于 2008.07.10 19:21:59 (CET)
反病毒引擎 版本 最后更新 扫描结果
AhnLab-V3 2008.7.10.0 2008.07.10 -
AntiVir 7.8.0.64 2008.07.10 -
Authentium 5.1.0.4 2008.07.10 -
Avast 4.8.1195.0 2008.07.09 -
AVG 7.5.0.516 2008.07.10 -
BitDefender 7.2 2008.07.10 -
CAT-QuickHeal 9.50 2008.07.10 -
ClamAV 0.93.1 2008.07.10 PUA.JS.Packed-1
DrWeb 4.44.0.09170 2008.07.10 -
eSafe 7.0.17.0 2008.07.09 -
eTrust-Vet 31.6.5943 2008.07.10 -
Ewido 4.0 2008.07.10 -
F-Prot 4.4.4.56 2008.07.10 -
F-Secure 7.60.13501.0 2008.07.10 -
Fortinet 3.14.0.0 2008.07.10 -
GData 2.0.7306.1023 2008.07.10 -
Ikarus T3.1.1.26.0 2008.07.10 Trojan.JS.Flagrab.A
Kaspersky 7.0.0.125 2008.07.10 -
McAfee 5335 2008.07.09 JS/Exploit-BO
Microsoft 1.3704 2008.07.10 Trojan:JS/Flagrab.A
NOD32v2 3259 2008.07.10 -
Norman 5.80.02 2008.07.10 -
Panda 9.0.0.4 2008.07.10 -
Prevx1 V2 2008.07.10 -
Rising 20.52.32.00 2008.07.10 -
Sophos 4.31.0 2008.07.10 Mal/ObfJS-X
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.10 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.10 -
VBA32 3.12.6.9 2008.07.10 -
VirusBuster 4.5.11.0 2008.07.10 -
Webwasher-Gateway 6.6.2 2008.07.10 -
附加信息
File size: 1752 bytes
MD5...: 8e62c97a29ec34dafc586cb172c15867
SHA1..: 723dce44abb55f6f2406bc9e85a0624804c9f9e3
SHA256: 5f8931e124347115797fe68a6e9965f47e1d0a3eb32e6350716b2201c0b49746
SHA512: 3a160cded36aaf71262687d0f777b7ce2a091b7a7332e59bfac4cbc74ab2672d
9589abbd0ca26369da581fbf80f3ef3c3a02ef065ce1bb98eac0cb52465d2617
PEiD..: -
PEInfo: -

[ 本帖最后由 小飞侠.net 于 2008-7-11 13:47 编辑 ]

1.rar

2.01 KB, 下载次数: 63

2.rar

1.71 KB, 下载次数: 47

tanlimo
发表于 2008-7-11 01:44:09 | 显示全部楼层
小飞侠.net
 楼主| 发表于 2008-7-11 01:45:09 | 显示全部楼层
原帖由 tanlimo 于 2008-7-11 01:44 发表
http://down.nihao69.cn/down/ko.exe


那winrar最新测试版没问题?
tanlimo
发表于 2008-7-11 01:58:02 | 显示全部楼层
  • Summary of the findings:
What's been foundSeverity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.


Technical Details:
Possible Security Risk
  • Attention! Characteristics of the following security risks were identified in the system:
Security RiskDescription
Trojan-Downloader.Zlob.GENTrojan.Downloader.Zlob.GEN is a generic trojan horse that downloads other trojans and attempts to hijack Internet Explorers home page.
Trojan-Dropper.AgentTrojan-Dropper.Agent attempts to drop a malicious file and run it on the compromised computer.

  • Attention! The following threat categories were identified:
Threat CategoryDescription
A program that can be used to hijack certain aspects of users' web browser functionality (such as homepage, search page, and security settings)
A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment


File System Modifications
  • The following files were created in the system:
#Filename(s)File SizeFile MD5Alias
1c:\mahtesf3.bat 128 bytes0xD31C0557638F79C6BEC32A6918688900(not available)
2%System%\explorer.exe 1,032,192 bytes0xA0732187050030AE399B241436565E64(not available)
3[file and pathname of the sample #1] 17,296 bytes0x4852872A1D42518562438D0C85FBCEB4Trojan-Downloader.Zlob.GEN [PCTools]
Trojan.Drondog [Symantec]
New Malware.aj [McAfee]

  • Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications
  • There were new processes created in the system:
Process NameProcess FilenameMain Module Size
explorer.exe%System%\explorer.exe1,044,480 bytes
[filename of the sample #1][file and pathname of the sample #1]208,896 bytes
czfv.exe%Windir%\czfv.exe73,728 bytes


Other details
  • To mark the presence in the system, the following Mutex object was created:
    • ExplorerIsShellMutex
  • The following Host Names were requested from a host database:
    • www.google.cn
    • www.baidu.com
  • The following Internet Connections were established:
Server NameServer PortConnect as UserConnection Password
www.google.cn80(null)(null)
www.baidu.com80(null)(null)



http://down.nihao29.cn/ko.txt
  1. [oo]
  2. c0=http://121.14.154.193/1.exe
  3. c1=http://121.14.154.193/2.exe
  4. c2=http://121.14.154.193/3.exe
  5. c3=http://121.14.154.193/4.exe
  6. c4=http://121.14.154.193/5.exe
  7. c5=http://121.14.154.193/6.exe
  8. c6=http://121.14.154.193/7.exe
  9. c7=http://121.14.154.193/8.exe
  10. c8=http://121.14.154.193/9.exe
  11. c9=http://121.14.154.193/10.exe
  12. c10=http://121.14.154.193/11.exe
  13. c11=http://121.14.154.193/12.exe
  14. c12=http://121.14.154.193/13.exe
  15. c13=http://121.14.154.193/14.exe
  16. c14=http://121.14.154.193/15.exe
  17. c15=http://121.14.154.193/16.exe
  18. c16=http://121.14.154.193/17.exe
  19. c17=http://121.14.154.193/18.exe
  20. c18=http://121.14.154.193/19.exe
  21. c19=http://121.14.154.193/20.exe
  22. c20=http://121.14.154.194/21.exe
  23. c21=http://121.14.154.194/22.exe
  24. c22=http://121.14.154.194/23.exe
  25. c23=http://121.14.154.194/24.exe
  26. c24=http://121.14.154.194/25.exe
  27. c25=http://121.14.154.194/26.exe
  28. c26=http://121.14.154.194/27.exe
  29. c27=http://121.14.154.194/28.exe
  30. c28=http://121.14.154.194/29.exe
  31. c29=http://121.14.154.194/30.exe
  32. c30=http://121.14.154.194/31.exe
  33. c31=http://121.14.154.194/32.exe
  34. c32=http://121.14.154.194/33.exe
  35. c33=http://121.14.154.194/34.exe
  36. c34=http://121.14.154.194/35.exe
  37. c35=http://121.14.154.194/36.exe
  38. c36=http://121.14.154.194/37.exe
  39. c37=http://121.14.154.194/38.exe
  40. c38=http://121.14.154.194/39.exe
复制代码




http://2hdahlk3md.cn/9/jx.txt



复制代码
  1. [oo]
  2. c0=http://ssskuki88.cn/inte/dlld1.exe
  3. c1=http://ssskuki88.cn/inte/dlld2.exe
  4. c2=http://ssskuki88.cn/inte/dlld3.exe
  5. c3=http://ssskuki88.cn/inte/dlld4.exe
  6. c4=http://ssskuki88.cn/inte/dlld5.exe
  7. c5=http://ssskuki88.cn/inte/dlld6.exe
  8. c6=http://ssskuki88.cn/inte/dlld7.exe
  9. c7=http://ssskuki88.cn/inte/dlld8.exe
  10. c8=http://ssskuki88.cn/inte/dlld9.exe
  11. c9=http://ssskuki88.cn/inte/dlld10.exe
  12. c10=http://ssskuki88.cn/inte/dlld11.exe
  13. c11=http://ssskuki88.cn/inte/dlld12.exe
  14. c12=http://ssskuki88.cn/inte/dlld13.exe
  15. c13=http://ssskuki88.cn/inte/dlld14.exe
  16. c14=http://ssskuki88.cn/inte/dlld15.exe
  17. c15=http://adwim8812.cn/inte/dlld16.exe
  18. c16=http://adwim8812.cn/inte/dlld17.exe
  19. c17=http://adwim8812.cn/inte/dlld18.exe
  20. c18=http://adwim8812.cn/inte/dlld19.exe
  21. c19=http://adwim8812.cn/inte/dlld20.exe
  22. c20=http://adwim8812.cn/inte/dlld21.exe
  23. c21=http://adwim8812.cn/inte/dlld22.exe
  24. c22=http://adwim8812.cn/inte/dlld23.exe
  25. c23=http://adwim8812.cn/inte/dlld24.exe
  26. c24=http://adwim8812.cn/inte/dlld25.exe
  27. c25=http://adwim8812.cn/inte/dlld26.exe
  28. c26=http://adwim8812.cn/inte/dlld27.exe
  29. c27=http://adwim8812.cn/inte/dlld28.exe
  30. c28=http://adwim8812.cn/inte/dlld29.exe
  31. c29=http://adwim8812.cn/inte/dlld30.exe
复制代码

[ 本帖最后由 tanlimo 于 2008-7-11 21:12 编辑 ]
tanlimo
发表于 2008-7-11 02:05:36 | 显示全部楼层

回复 3楼 小飞侠.net 的帖子

winRAR3.8 b3版没问题。
小飞侠.net
 楼主| 发表于 2008-7-11 03:18:12 | 显示全部楼层
原帖由 tanlimo 于 2008-7-11 02:05 发表
winRAR3.8 b3版没问题。


谢谢。
残缺的唯美
发表于 2008-7-11 07:05:23 | 显示全部楼层
The page you are trying to open has been reported for distributing malicious software. Any software from this page may be harmful. Opera Software strongly discourages visiting this page.
Ignore this warning
opera警告=。=
barbara
发表于 2008-7-11 07:17:46 | 显示全部楼层
原帖由 za1012 于 2008-7-11 07:05 发表
The page you are trying to open has been reported for distributing malicious software. Any software from this page may be harmful. Opera Software strongly discourages visiting this page.
Ignore this  ...

Opera真的是超好用
电影结束了
发表于 2008-7-11 09:29:28 | 显示全部楼层

最近KO开始流行起来了...~
Kitman
发表于 2008-7-11 09:30:05 | 显示全部楼层
Warning: The content of this website is part of a unwanted category: Malware

Requested URL:  http://down.nihao69.cn/down/ko.exe


--------------------------------------------------------------------------------
Generated by AntiVir WebGuard 8.0.13.0, WCDB 7.0.710.1230
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-12-17 02:31 , Processed in 0.147386 second(s), 20 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表