心海(2008.7.11..13点)继续被挂马，见13楼，请高手继续分析

显示全部楼层 · 发表于 2008-7-11 01:37:41

心海被挂马了~~
ht tp://www.hrtsea.com/down/soft/78.htm
晕，刚看出WinRAR 简体中文版 3.80 beta 3，一去爆马哦。。。另想问问回帖的网友，最新测试winrar美化版能放心用吗？
文件 1.rar 接收于 2008.07.10 19:20:50 (CET)
反病毒引擎版本最后更新扫描结果
AhnLab-V3 2008.7.10.0 2008.07.10 -
AntiVir 7.8.0.64 2008.07.10 HTML/Rce.Gen
Authentium 5.1.0.4 2008.07.10 -
Avast 4.8.1195.0 2008.07.09 VBS:Obfuscated-gen
AVG 7.5.0.516 2008.07.10 JS/Downloader.Agent
BitDefender 7.2 2008.07.10 -
CAT-QuickHeal 9.50 2008.07.10 -
ClamAV 0.93.1 2008.07.10 JS.Psyme-36
DrWeb 4.44.0.09170 2008.07.10 -
eSafe 7.0.17.0 2008.07.09 -
eTrust-Vet 31.6.5943 2008.07.10 -
Ewido 4.0 2008.07.10 Downloader.AniLoad.nae
F-Prot 4.4.4.56 2008.07.10 -
F-Secure 7.60.13501.0 2008.07.10 VBS/Psyme.BF
Fortinet 3.14.0.0 2008.07.10 -
GData 2.0.7306.1023 2008.07.10 VBS:Obfuscated-gen
Ikarus T3.1.1.26.0 2008.07.10 Virus.VBS.Obfuscated
Kaspersky 7.0.0.125 2008.07.10 -
McAfee 5335 2008.07.09 -
Microsoft 1.3704 2008.07.10 TrojanDownloader:VBS/Psyme.gen!D
NOD32v2 3259 2008.07.10 -
Norman 5.80.02 2008.07.10 -
Panda 9.0.0.4 2008.07.10 -
Prevx1 V2 2008.07.10 -
Rising 20.52.32.00 2008.07.10 -
Sophos 4.31.0 2008.07.10 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.10 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.10 -
VBA32 3.12.6.9 2008.07.10 -
VirusBuster 4.5.11.0 2008.07.10 HTML.Psyme.Gen
Webwasher-Gateway 6.6.2 2008.07.10 Script.Rce.Gen
附加信息
File size: 2057 bytes
MD5...: bd7217f122f7c043f16ae68ad23a6082
SHA1..: d1ae0c18ea17d696fe4d786a416f095fd4d259f8
SHA256: 29088eb42c017a123fb56031e1c3e68761d1e4ac11a26272e818b40f98ec394d
SHA512: 242cb3867ef92b478a4be92d30c447e6a9f9558b309e57de2c7d5c70fa825a07
620f197a059640e7ce29685c16888fa24e1973add0231083afd8e762d2de5773
PEiD..: -
PEInfo: -
文件 2.rar 接收于 2008.07.10 19:21:59 (CET)
反病毒引擎版本最后更新扫描结果
AhnLab-V3 2008.7.10.0 2008.07.10 -
AntiVir 7.8.0.64 2008.07.10 -
Authentium 5.1.0.4 2008.07.10 -
Avast 4.8.1195.0 2008.07.09 -
AVG 7.5.0.516 2008.07.10 -
BitDefender 7.2 2008.07.10 -
CAT-QuickHeal 9.50 2008.07.10 -
ClamAV 0.93.1 2008.07.10 PUA.JS.Packed-1
DrWeb 4.44.0.09170 2008.07.10 -
eSafe 7.0.17.0 2008.07.09 -
eTrust-Vet 31.6.5943 2008.07.10 -
Ewido 4.0 2008.07.10 -
F-Prot 4.4.4.56 2008.07.10 -
F-Secure 7.60.13501.0 2008.07.10 -
Fortinet 3.14.0.0 2008.07.10 -
GData 2.0.7306.1023 2008.07.10 -
Ikarus T3.1.1.26.0 2008.07.10 Trojan.JS.Flagrab.A
Kaspersky 7.0.0.125 2008.07.10 -
McAfee 5335 2008.07.09 JS/Exploit-BO
Microsoft 1.3704 2008.07.10 Trojan:JS/Flagrab.A
NOD32v2 3259 2008.07.10 -
Norman 5.80.02 2008.07.10 -
Panda 9.0.0.4 2008.07.10 -
Prevx1 V2 2008.07.10 -
Rising 20.52.32.00 2008.07.10 -
Sophos 4.31.0 2008.07.10 Mal/ObfJS-X
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.10 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.10 -
VBA32 3.12.6.9 2008.07.10 -
VirusBuster 4.5.11.0 2008.07.10 -
Webwasher-Gateway 6.6.2 2008.07.10 -
附加信息
File size: 1752 bytes
MD5...: 8e62c97a29ec34dafc586cb172c15867
SHA1..: 723dce44abb55f6f2406bc9e85a0624804c9f9e3
SHA256: 5f8931e124347115797fe68a6e9965f47e1d0a3eb32e6350716b2201c0b49746
SHA512: 3a160cded36aaf71262687d0f777b7ce2a091b7a7332e59bfac4cbc74ab2672d
9589abbd0ca26369da581fbf80f3ef3c3a02ef065ce1bb98eac0cb52465d2617
PEiD..: -
PEInfo: -

[ 本帖最后由小飞侠.net 于 2008-7-11 13:47 编辑 ]

显示全部楼层 · 发表于 2008-7-11 01:44:09

http://down.nihao69.cn/down/ko.exe

显示全部楼层 · 发表于 2008-7-11 01:45:09

原帖由 tanlimo 于 2008-7-11 01:44 发表
 http://down.nihao69.cn/down/ko.exe

那winrar最新测试版没问题？

显示全部楼层 · 发表于 2008-7-11 01:58:02

Submission details:
- Submission received: 11 July 2008, 03:45:05
- Processing time: 4 min 48 sec
- Submitted sample:
  - File MD5: 0x4852872A1D42518562438D0C85FBCEB4
  - Filesize: 17,296 bytes
  - Alias: Trojan-Downloader.Zlob.GEN [PCTools], Trojan.Drondog [Symantec], New Malware.aj [McAfee]

Summary of the findings:

What's been found	Severity Level
Capability to send out email message(s) with the built-in SMTP client engine.
Downloads/requests other files from Internet.
Packed with a packer that is known to be used by malware (e.g. to complicate threat analysis or detection).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-Downloader.Zlob.GEN	Trojan.Downloader.Zlob.GEN is a generic trojan horse that downloads other trojans and attempts to hijack Internet Explorers home page.
Trojan-Dropper.Agent	Trojan-Dropper.Agent attempts to drop a malicious file and run it on the compromised computer.

Attention! The following threat categories were identified:

Threat Category	Description
	A program that can be used to hijack certain aspects of users' web browser functionality (such as homepage, search page, and security settings)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File MD5	Alias
1	c:\mahtesf3.bat	128 bytes	0xD31C0557638F79C6BEC32A6918688900	(not available)
2	%System%\explorer.exe	1,032,192 bytes	0xA0732187050030AE399B241436565E64	(not available)
3	[file and pathname of the sample #1]	17,296 bytes	0x4852872A1D42518562438D0C85FBCEB4	Trojan-Downloader.Zlob.GEN [PCTools] Trojan.Drondog [Symantec] New Malware.aj [McAfee]

Note:
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
explorer.exe	%System%\explorer.exe	1,044,480 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	208,896 bytes
czfv.exe	%Windir%\czfv.exe	73,728 bytes

Other details

To mark the presence in the system, the following Mutex object was created:
- ExplorerIsShellMutex

The following Host Names were requested from a host database:
- www.google.cn
- www.baidu.com

The following Internet Connections were established:

Server Name	Server Port	Connect as User	Connection Password
www.google.cn	80	(null)	(null)
www.baidu.com	80	(null)	(null)

http://down.nihao29.cn/ko.txt

[oo]
c0=http://121.14.154.193/1.exe
c1=http://121.14.154.193/2.exe
c2=http://121.14.154.193/3.exe
c3=http://121.14.154.193/4.exe
c4=http://121.14.154.193/5.exe
c5=http://121.14.154.193/6.exe
c6=http://121.14.154.193/7.exe
c7=http://121.14.154.193/8.exe
c8=http://121.14.154.193/9.exe
c9=http://121.14.154.193/10.exe
c10=http://121.14.154.193/11.exe
c11=http://121.14.154.193/12.exe
c12=http://121.14.154.193/13.exe
c13=http://121.14.154.193/14.exe
c14=http://121.14.154.193/15.exe
c15=http://121.14.154.193/16.exe
c16=http://121.14.154.193/17.exe
c17=http://121.14.154.193/18.exe
c18=http://121.14.154.193/19.exe
c19=http://121.14.154.193/20.exe
c20=http://121.14.154.194/21.exe
c21=http://121.14.154.194/22.exe
c22=http://121.14.154.194/23.exe
c23=http://121.14.154.194/24.exe
c24=http://121.14.154.194/25.exe
c25=http://121.14.154.194/26.exe
c26=http://121.14.154.194/27.exe
c27=http://121.14.154.194/28.exe
c28=http://121.14.154.194/29.exe
c29=http://121.14.154.194/30.exe
c30=http://121.14.154.194/31.exe
c31=http://121.14.154.194/32.exe
c32=http://121.14.154.194/33.exe
c33=http://121.14.154.194/34.exe
c34=http://121.14.154.194/35.exe
c35=http://121.14.154.194/36.exe
c36=http://121.14.154.194/37.exe
c37=http://121.14.154.194/38.exe
c38=http://121.14.154.194/39.exe

复制代码

http://2hdahlk3md.cn/9/jx.txt

复制代码

[oo]
c0=http://ssskuki88.cn/inte/dlld1.exe
c1=http://ssskuki88.cn/inte/dlld2.exe
c2=http://ssskuki88.cn/inte/dlld3.exe
c3=http://ssskuki88.cn/inte/dlld4.exe
c4=http://ssskuki88.cn/inte/dlld5.exe
c5=http://ssskuki88.cn/inte/dlld6.exe
c6=http://ssskuki88.cn/inte/dlld7.exe
c7=http://ssskuki88.cn/inte/dlld8.exe
c8=http://ssskuki88.cn/inte/dlld9.exe
c9=http://ssskuki88.cn/inte/dlld10.exe
c10=http://ssskuki88.cn/inte/dlld11.exe
c11=http://ssskuki88.cn/inte/dlld12.exe
c12=http://ssskuki88.cn/inte/dlld13.exe
c13=http://ssskuki88.cn/inte/dlld14.exe
c14=http://ssskuki88.cn/inte/dlld15.exe
c15=http://adwim8812.cn/inte/dlld16.exe
c16=http://adwim8812.cn/inte/dlld17.exe
c17=http://adwim8812.cn/inte/dlld18.exe
c18=http://adwim8812.cn/inte/dlld19.exe
c19=http://adwim8812.cn/inte/dlld20.exe
c20=http://adwim8812.cn/inte/dlld21.exe
c21=http://adwim8812.cn/inte/dlld22.exe
c22=http://adwim8812.cn/inte/dlld23.exe
c23=http://adwim8812.cn/inte/dlld24.exe
c24=http://adwim8812.cn/inte/dlld25.exe
c25=http://adwim8812.cn/inte/dlld26.exe
c26=http://adwim8812.cn/inte/dlld27.exe
c27=http://adwim8812.cn/inte/dlld28.exe
c28=http://adwim8812.cn/inte/dlld29.exe
c29=http://adwim8812.cn/inte/dlld30.exe

复制代码

[ 本帖最后由 tanlimo 于 2008-7-11 21:12 编辑 ]

显示全部楼层 · 发表于 2008-7-11 02:05:36

winRAR3.8 b3版没问题。

显示全部楼层 · 发表于 2008-7-11 03:18:12

原帖由 tanlimo 于 2008-7-11 02:05 发表
winRAR3.8 b3版没问题。

谢谢。

显示全部楼层 · 发表于 2008-7-11 07:05:23

The page you are trying to open has been reported for distributing malicious software. Any software from this page may be harmful. Opera Software strongly discourages visiting this page.
Ignore this warning
opera警告=。=

显示全部楼层 · 发表于 2008-7-11 07:17:46

原帖由 za1012 于 2008-7-11 07:05 发表
The page you are trying to open has been reported for distributing malicious software. Any software from this page may be harmful. Opera Software strongly discourages visiting this page.
Ignore this ...

Opera真的是超好用

显示全部楼层 · 发表于 2008-7-11 09:29:28

最近KO开始流行起来了...~

显示全部楼层 · 发表于 2008-7-11 09:30:05

Warning: The content of this website is part of a unwanted category: Malware

Requested URL: http://down.nihao69.cn/down/ko.exe

--------------------------------------------------------------------------------
Generated by AntiVir WebGuard 8.0.13.0, WCDB 7.0.710.1230

[已鉴定] 心海(2008.7.11..13点)继续被挂马，见13楼，请高手继续分析

回复 3楼小飞侠.net 的帖子

[已鉴定] 心海(2008.7.11..13点)继续被挂马，见13楼，请高手继续分析

回复 3楼 小飞侠.net 的帖子

回复 3楼小飞侠.net 的帖子