http://bt.ktxp.com/挂马？---【0day漏洞挂马，目前已清除 By ：谁谁谁】

显示全部楼层 · 发表于 2010-11-12 01:02:01

本帖最后由谁谁谁于 2010-11-12 13:58 编辑

GDATA 的B引擎报

显示全部楼层 · 发表于 2010-11-12 01:19:23

本帖最后由 a256886572008 于 2010-11-12 01:51 编辑

Log generated by anonymous use mdecoder 0.63
[root]http://bt.ktxp.com/(?冽憤銝蝸|BT|瞍怎|?函|皜豢? - ?蔣?冽憤)
[script]http://bt.ktxp.com/javascripts/nmjui/banner.js
      [iframe]http://bt.ktxp.com/iframe/banner.html
         [exp]http://2gedajiba.2288.org:882/Xm08/index.html(Exploit.Ie0dayCVE0806.a)
            [script]http://2gedajiba.2288.org:882/Xm08/ap.js
[script]http://bt.ktxp.com/javascripts/nmjui/index_1.js
      [iframe]http://bt.ktxp.com/iframe/baidu-top-960x75.html
         [exp]http://2gedajiba.2288.org:882/Xm08/index.html(Exploit.Ie0dayCVE0806.a)
            [script]http://2gedajiba.2288.org:882/Xm08/ap.js
---------------------------------------
最終病毒
hxxp://dl.a8lm.info:86/xx/xm08.css

------------------------------------------
2010-11-12 01:21:05 C:\Documents and Settings\Roger\桌面\virus\xm8\xm08.css.exe Sandboxed As Partially Limited
2010-11-12 01:21:11 C:\Documents and Settings\Roger\Local Settings\Temp\27555953.dll Sandboxed As Partially Limited

2010-11-12 01:21:16 C:\Documents and Settings\Roger\Local Settings\Temp\27555953.dll Modify File C:\WINDOWS\fonts\pci.sys

2010-11-12 01:21:16 C:\Documents and Settings\Roger\Local Settings\Temp\27555953.dll Modify Key HKLM\SYSTEM\ControlSet???\Services\acde

2010-11-12 01:21:16 C:\Documents and Settings\Roger\桌面\virus\xm8\xm08.css.exe Modify File C:\WINDOWS\system32\27561015.exe

2010-11-12 01:21:23 C:\Documents and Settings\Roger\桌面\virus\xm8\xm08.css.exe Modify Key HKLM\SYSTEM\ControlSet???\Services\pcidump

2010-11-12 01:21:26 C:\Documents and Settings\Roger\桌面\virus\xm8\kl78a.bat Sandboxed As Partially Limited
2010-11-12 01:21:30 C:\Documents and Settings\Roger\桌面\virus\xm8\xm08.css.exe Modify File C:\WINDOWS\system32\drivers\pcidump.sys

2010-11-12 01:21:30 C:\Documents and Settings\Roger\桌面\virus\xm8\kl78a.bat Modify File C:\Documents and Settings\Roger\桌面\virus\xm8\xm08.css.exe

----------------------------------------------------------
Suspicious Actions Detected
Creates system services or drivers
Load system drivers

CIMA:
http://camas.comodo.com/cgi-bin/ ... 09b285cfb9fbde33b12

-------------------------------------------------
COMODO 報

2010-11-12 01:27:19 c:\documents and settings\Roger\local settings\Temp\27555953.dll UnclassifiedMalware@-1 Quarantine Success

-----------------------------------------------------
這隻木馬是個 downloader 下載了一堆

1:http://dl.vv01.info:86/Le01.js
1:http://dl.vv01.info:86/Le02.js
1:http://dl.vv01.info:86/Le03.js
1:http://dl.vv01.info:86/Le04.js
1:http://dl.vv01.info:86/Le05.js
1:http://dl.vv01.info:86/Le06.js
1:http://dl.vv01.info:86/Le07.js
1:http://dl.vv01.info:86/Le08.js
1:http://dl.vv01.info:86/Le09.js
1:http://dl.vv01.info:86/Le10.js
1:http://dl.vv01.info:86/Le11.js
1:http://dl.vv01.info:86/Le12.js
1:http://dl.vv01.info:86/Le13.js
1:http://dl.vv01.info:86/Le14.js
1:http://dl.vv01.info:86/Le15.js
1:http://dl.vv01.info:86/Le16.js
1:http://dl.vv01.info:86/Le17.js
1:http://dl.vv01.info:86/Le18.js
1:http://dl.vv01.info:86/Le19.js
1:http://dl.vv01.info:86/Le20.js
1:http://dl.vv01.info:86/Le26.js
1:http://dl.vv01.info:86/Le27.js

显示全部楼层 · 发表于 2010-11-12 08:30:02

枫树拦截

显示全部楼层 · 发表于 2010-11-12 10:04:32

显示全部楼层 · 发表于 2010-11-12 13:12:13

firefox报。

显示全部楼层 · 发表于 2010-11-12 13:44:06

失效

[已鉴定] http://bt.ktxp.com/挂马？---【0day漏洞挂马，目前已清除 By ：谁谁谁】