红软基地疑似被挂马，NIS2008成功拦截

显示全部楼层 · 发表于 2009-2-17 19:58:19

前几天上红软基地就发现有问题，这两天上去我的NIS2008就报告有病毒但已处理。

样本没捕到，图片也没截下来。大家自己去看吧。

www.rsdown.cn

显示全部楼层 · 发表于 2009-2-17 20:07:51

金山网盾~~

显示全部楼层 · 发表于 2009-2-17 20:18:36

关于:hxxp://www.rsdown.cn/解密的日志(全体输出-  48):

Level 0>http://www.rsdown.cn/
Level 1>http://web.rsdown.cn/images/time.js
Level 2>http://xxxvvvv.cn/new11/ming.htm?-2
Level 3>http://xxxvvvv.cn/new11/index.htm
Level 4>http://xxxvvvv.cn/new11/real.html
Level 5>http://xxxvvvv.cn/leng.exe  ●
Level 4>http://xxxvvvv.cn/new11/real.htm
Level 5>http://xxxvvvv.cn/leng.exe  ●
Level 4>http://xxxvvvv.cn/new11/bf.htm
Level 5>http://xxxvvvv.cn/leng.exe  ●
Level 4>http://xxxvvvv.cn/new11/office.htm
Level 5>http://xxxvvvv.cn/leng.exe  ●
Level 4>http://xxxvvvv.cn/new11/lz.htm
Level 5>http://xxxvvvv.cn/leng.exe  ●
Level 4>http://xxxvvvv.cn/new11/14.htm
Level 5>http://xxxvvvv.cn/leng.exe  ●
Level 4>http://xxxvvvv.cn/new11/flash.htm
Level 5>http://xxxvvvv.cn/new11/fbb.html
Level 6>http://xxxvvvv.cn/new11/f16.swf  ●
Level 7>http://xxxvvvv.cn/leng.exe  ●
Level 6>http://xxxvvvv.cn/new11/f28.swf  ●
Level 6>http://xxxvvvv.cn/new11/f45.swf  ●
Level 6>http://xxxvvvv.cn/new11/f47.swf  ●
Level 6>http://xxxvvvv.cn/new11/f64.swf  ●
Level 6>http://xxxvvvv.cn/new11/f115.swf  ●
Level 5>http://xxxvvvv.cn/new11/ibb.html
Level 6>http://xxxvvvv.cn/new11/i16.swf  ●
Level 7>http://xxxvvvv.cn/leng.exe  ●
Level 6>http://xxxvvvv.cn/new11/i28.swf  ●
Level 6>http://xxxvvvv.cn/new11/i45.swf  ●
Level 6>http://xxxvvvv.cn/new11/i47.swf  ●
Level 6>http://xxxvvvv.cn/new11/i64.swf  ●
Level 6>http://xxxvvvv.cn/new11/i115.swf  ●
Level 1>http://www.rsdown.cn/images_new/rsdown_logo.gif
Level 1>http://www.rsdown.cn/other/js/rsdowngood_14.js
Level 1>http://www.rsdown.cn/images_new/loading.gif
Level 1>http://www.rsdown.cn/other/js/rsdowngood_23.js
Level 1>http://www.rsdown.cn/other/js/rsdowngood_24.js
Level 1>http://www.rsdown.cn/other/js/rsdowngood_25.js
Level 1>http://unstat.baidu.com/bdun.bsc?tn=cpx2004&cv=0&cid=216647&csid=221&bgcr=ffffff&urlcr=0000ff&tbsz=250&defid=2
Level 1>http://stat.wauee.com/qm/njs/display.js
Level 1>http://www.rsdown.cn/other/js/label_1.js
Level 1>http://www.fqlook.cn/d/js/js/1231269993.js
Level 1>http://www.rsdown.cn/images_new/rss2.gif
Level 1>http://inf.rsdown.cn/d/js/js/1216023929.js
Level 1>http://www.rsdown.cn/user.asp?action=showname
Level 1>http://s17.cnzz.com/stat.php?id=938537&amp
Level 1>http://utk.baidu.com/usv/uc.sv?pe=rgpbi51dy7iehtah5os2ydmb&amp

网页分析：250662772

显示全部楼层 · 发表于 2009-2-17 20:37:58

原帖由 312612205 于 2009-2-17 20:07 发表
金山网盾~~
467958

GXGX，KST检测到了。

显示全部楼层 · 发表于 2009-2-17 23:25:07

是不是解决了？我的EAV+PCT+畅游巡警+360都没有

显示全部楼层 · 发表于 2009-2-18 10:11:13

原帖由 qiao7387 于 2009-2-17 23:25 发表
是不是解决了？我的EAV+PCT+畅游巡警+360都没有

还有病毒

显示全部楼层 · 发表于 2009-2-18 10:30:45

刚更新一下，可以查杀leng.exe了！
恶意网页，kaba miss ，to kaba kill,waiting for reply。。。

Hello,

14.htm_ - Trojan-Downloader.JS.Psyme.ani,
bf.htm_ - Trojan.JS.Agent.pg,
office.htm_ - Trojan-Downloader.JS.Agent.dpf,
real.html_ - Trojan.JS.Agent.ph,
real.htm_ - Trojan-Downloader.JS.Agent.dpg

New malicious software was found in these files. Detection will be included in the next update. Thank you for your help.

fbb.htm_, i115.swf

No malicious code were found in these files.

leng.exe_ - Worm.Win32.AutoRun.aaix

This file is already detected. Please update your antivirus bases.

Please quote all when answering.
The answer is relevant to the latest bases from update sources.

[ 本帖最后由 FLogo 于 2009-2-18 13:36 编辑 ]

显示全部楼层 · 发表于 2009-2-18 10:35:17

红伞kill

Starting the file scan:

Begin scan in 'D:\leng.exe'
D:\leng.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was deleted!

显示全部楼层 · 发表于 2009-2-18 10:47:32

原帖由 icka 于 2009-2-18 10:11 发表

还有病毒

郁闷啊！还是没有报！是不是病毒已经下载到我的电脑上了！晕1难道中病毒了？

[已鉴定] 红软基地疑似被挂马，NIS2008成功拦截

回复 3楼 250662772 的帖子