12
返回列表 发新帖
楼主: domino
收起左侧

[病毒样本] FlashGet = Downloader ?

[复制链接]
byxxdrls
头像被屏蔽
发表于 2008-11-9 16:43:40 | 显示全部楼层
防不胜防。
dikex
发表于 2008-11-9 17:56:07 | 显示全部楼层
和我遇到同意情况
经鉴别,是自动升级某些文件时,某些文件URL被重定向了,包括flashget3.ini以及updates.cab

http://hi.baidu.com/dikex/blog/item/e871cd1fa88c7364f624e4a0.html

评分

参与人数 1经验 +10 人气 +1 收起 理由
jimmyleo + 10 + 1 更透彻!

查看全部评分

domino
 楼主| 发表于 2008-11-9 18:40:32 | 显示全部楼层
更新档网址
hxxp://dl.flashget.com/flashget/updates.cab (59.51.114.16) 湖南省 衡阳市 电信
被转向为hxxp://60.28.209.126/updates.cab (60.28.209.126) 天津市 网通ADSL
Site found: dl.flashget.com=59.51.114.16
Connecting to 59.51.114.16
Connected to 59.51.114.16
GET hxxp://dl.flashget.com/flashget/updates.cab
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
> Host: dl.flashget.com
Request sent. 401 bytes
Data available. 304/304 bytes
< hxxp/1.0 302 Moved Temporarily
< Date: Sun, 09 Nov 2008 10:34:11 GMT
< Location: hxxp://60.28.209.126/updates.cab
< Content-Length: 304
< Content-Type: text/html; charset=iso-8859-1
< Connection: keep-alive
<
302 Request complete
Site found: 60.28.209.126=60.28.209.126
Connecting to 60.28.209.126
Connected to 60.28.209.126
GET hxxp://60.28.209.126/updates.cab
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
> Host: 60.28.209.126
Request sent. 225 bytes
Data available. 16384/16384 bytes
Data available. 16384/32768 bytes
Data available. 16384/49152 bytes
Data available. 16384/65536 bytes
Data available. 11824/77360 bytes
< hxxp/1.1 200 OK
< Content-Type: application/octet-stream
< ETag: "-718413286"
< Accept-Ranges: bytes
< Last-Modified: Sun, 09 Nov 2008 01:07:04 GMT
< Content-Length: 77360
< Date: Sun, 09 Nov 2008 10:42:45 GMT
< Server: lighxxpd/1.4.13
<
200 Request complete
GET hxxp://dl.flashget.com/flashget/updates.cab
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
> Host: dl.flashget.com
Request sent. 236 bytes
Data available. 304/304 bytes
< hxxp/1.0 302 Moved Temporarily
< Date: Sun, 09 Nov 2008 10:34:31 GMT
< Location: hxxp://60.28.209.126/updates.cab
< Content-Length: 304
< Content-Type: text/html; charset=iso-8859-1
< Connection: keep-alive
<
302 Request complete


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hxxp://60.28.209.126/updates.cab">here</a>.</p>
<hr>
<address>Apache/2.2.0 (Unix) PHP/5.1.6 Server at dl.flashget.com Port 80</address>
</body></html>

[ 本帖最后由 domino 于 2008-11-9 18:45 编辑 ]
ngh55
发表于 2008-11-12 22:43:22 | 显示全部楼层
早就发现FLASHGET 有些不正常的动,如企图修改HOSTS 文件,以前快车没有这个动作。因为启用了文件保护,SYSTEM32 目录下的文件它无法创建及替换,企图修改HOSTS 文件也被阻止。
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-12-17 11:39 , Processed in 0.086421 second(s), 15 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表