台湾乐彩官网恶意程式样本+分析结果

显示全部楼层 · 发表于 2008-11-13 06:22:43

台湾乐彩官网恶意程式样本+分析结果自己动手分析了一下

malicious link:
hxxp://www.asmkuang.cn/2/indexx.htm
*hxxp://www.asmkuang.cn/2/flash.htm
hxxp://www.asmkuang.cn/2/mlink.html <- Flash Player exp
      Flash ver 64 ~ 124 version
      ->hxxp://www.asmkuang.cn/2/m15.swf
      ->hxxp://www.asmkuang.cn/2/m15.swf
      ->hxxp://www.asmkuang.cn/2/m64.swf
      ->hxxp://www.asmkuang.cn/2/m47.swf
      ->hxxp://www.asmkuang.cn/2/m45.swf
      ->hxxp://www.asmkuang.cn/2/m28.swf
      ->hxxp://www.asmkuang.cn/2/m16.swf
         ->hxxp://www.asmkuang.cn/1.exe

->hxxp://www.asmkuang.cn/2/xlink.html <- Flash Player exp
      Flash ver 64 ~ 124 version
      ->hxxp://www.asmkuang.cn/2/x15.swf
      ->hxxp://www.asmkuang.cn/2/x64.swf
      ->hxxp://www.asmkuang.cn/2/x47.swf
      ->hxxp://www.asmkuang.cn/2/x45.swf
      ->hxxp://www.asmkuang.cn/2/x28.swf
      ->hxxp://www.asmkuang.cn/2/x16.swf
            ->hxxp://www.asmkuang.cn/1.exe
*hxxp://www.asmkuang.cn/2/06014.htm
->hxxp://www.asmkuang.cn/1.exe
*hxxp://www.asmkuang.cn/2/mlink.html <- Flash Player exp
      Flash ver 64 ~ 124 version
      ->hxxp://www.asmkuang.cn/2/m15.swf
      ->hxxp://www.asmkuang.cn/2/m64.swf
      ->hxxp://www.asmkuang.cn/2/m47.swf
      ->hxxp://www.asmkuang.cn/2/m45.swf
      ->hxxp://www.asmkuang.cn/2/m28.swf
      ->hxxp://www.asmkuang.cn/2/m16.swf
            ->hxxp://www.asmkuang.cn/1.exe
*hxxp://www.asmkuang.cn/2/xlink.html <- Flash Player exp
      Flash ver 64 ~ 124 version
      ->hxxp://www.asmkuang.cn/2/x15.swf
      ->hxxp://www.asmkuang.cn/2/x64.swf
      ->hxxp://www.asmkuang.cn/2/x47.swf
      ->hxxp://www.asmkuang.cn/2/x45.swf
      ->hxxp://www.asmkuang.cn/2/x28.swf
      ->hxxp://www.asmkuang.cn/2/x16.swf
            ->hxxp://www.asmkuang.cn/1.exe
*hxxp://www.asmkuang.cn/2/off.htm M$ Access Snapsh0t Viewer ActiveX  exp
  ->hxxp://www.asmkuang.cn/1.exe
*hxxp://www.asmkuang.cn/2/r10.htm <-RealPlayer exp
->hxxp://www.asmkuang.cn/1.exe
*hxxp://www.asmkuang.cn/2/r11.htm <-RealPlayer exp
->hxxp://www.asmkuang.cn/1.exe
<script language="javascript" src="hxxp://count7.51yes.com/click.aspx?id=73550626&logo=1"></script>

Virus
hxxp://www.asmkuang.cn/1.exe
偷取金庸,洛汗,Wow魔兽,热血江湖,MSN,Yahoo即时通,IE 等密码..
[add]
C:\WINDOWS\1.bat
C:\WINDOWS\Help\EB6C4499B05F.dll <- injection
C:\WINDOWS\Help\EB6C4499B05F.exe
[add]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
name:{1DBD6574-D6D0-4782-94C3-69619E719765}
values:C:\WINDOWS\Help\EB6C4499B05F.dll

密码提交位置:
hxxp://makemail.3322.org/fuckb.asp
hxxp://makemail.3322.org/xxxx/upfilesg.asp
hxxp://makemail.3322.org/xxxx/sendqimo.asp

IP:202.105.179.130 => 202.105.179.130
广东省珠海市电信

765ff56114eac7175249ff99c27c4111  x64.swf
5ba07bfd7e3de6c1b2666b20cb51f0cb  m15.swf
123b8e7fb7f565f61c0043b36e664577  m16.swf
8b87510a85dc404a0aac49d846d0257d  m28.swf
60282a9c6fd537bc91fdbcbc4599a636  m45.swf
60282a9c6fd537bc91fdbcbc4599a636  m47.swf
443b7ac340562224fe925df505b8e034  m64.swf
d6587f3ed2210927f14fbbd999b83113  x15.swf
123b8e7fb7f565f61c0043b36e664577  x16.swf
85171748d78a393c71d03743c24bce59  x28.swf
c334697013b561418b55c393c7fbabf9  x45.swf
c334697013b561418b55c393c7fbabf9  x47.swf
96aeb2e4cd1b17983e9b300ca944ed3f  1.exe
2017e32a4bc720ccbdf00dcd2e69b6c1  EB6C4499B05F.dll
96aeb2e4cd1b17983e9b300ca944ed3f  EB6C4499B05F.exe

[ 本帖最后由 domino 于 2008-11-13 08:31 编辑 ]

显示全部楼层 · 发表于 2008-11-13 08:03:38

确实不是什么好网站，手动的分析，佩服一下。

显示全部楼层 · 发表于 2008-11-13 08:35:07

显示全部楼层 · 发表于 2008-11-13 12:18:14

显示全部楼层 · 发表于 2008-11-13 12:19:42

红伞全灭
Begin scan in 'E:\Download\Virus\virus'
E:\Download\Virus\virus\1.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\m15.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\m16.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\m28.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\m45.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\m47.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\m64.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\x15.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\x16.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\x28.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\x45.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\x47.swf
[0] Archive type: SWC
--> Object
   [DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!
E:\Download\Virus\virus\flash exp\x64.swf
[DETECTION] Contains recognition pattern of the EXP/Flash.Gen exploit
[NOTE]    The file was deleted!

End of the scan: 2008年11月13日星期四  12:19
Used time: 00:04 Minute(s)

The scan has been done completely.

   2 Scanning directories
   13 Files were scanned
   13 viruses and/or unwanted programs were found
   0 Files were classified as suspicious:
   13 files were deleted
   0 files were repaired
   0 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   0 Files not concerned
   0 Archives were scanned
   0 Warnings
   13 Notes

显示全部楼层 · 发表于 2008-11-13 13:34:13

原帖由 domino 于 2008-11-13 06:22 发表
台湾乐彩官网恶意程式样本+分析结果自己动手分析了一下

malicious link:
hxxp://www.asmkuang.cn/2/indexx.htm
*hxxp://www.asmkuang.cn/2/flash.htm
hxxp://www.asmkuang.cn/2/mlink.html hxxp ...

分析的真不错～
请问你说的台湾乐彩官网是这里吗？hxxp://www.taiwanlottery.com.tw/
我去那个网站小红伞都没报警...

hxxp://www.asmkuang.cn/2/******* 那些恶意代码藏在那里？我一直没找到...

显示全部楼层 · 发表于 2008-11-13 15:36:33

我也是去那个网站小红伞都没报警

显示全部楼层 · 发表于 2008-11-13 15:41:29

有13个病毒吗？咖啡杀出了13个12个SWF，一个EXE

显示全部楼层 · 发表于 2008-11-13 18:52:36

显示全部楼层 · 发表于 2008-11-13 18:53:08

[发现可能安全风险：] <W32/Heuristic-210!Eldorado (not disinfectable)> C:\Test\virus.zip->virus/1.exe->(RLPack)

[病毒样本] 台湾乐彩官网恶意程式样本+分析结果

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

Norman Virus Control 5.99

本帖子中包含更多资源

F-Prot 4.4.4