某政府网站被加入自动下载病毒文件的代码（第2版）

endurer原创

2005.12.14第2版 添加了瑞星的回复及多反病毒引擎扫描的结果。

2005.12.13第1版

注：文中的病毒来源IP地址均用XX代替。

今天在浏览某政府网站首页时，有病毒文件被自动下载。

分析了一下：

在该网站的首页index.htm首部和中部被加入了通过＜ｉｆｒａｍｅ＞的引入网页hxxp://xx.xxx.xx.xx/7/7.htm的代码。

被引入的网页7.htm自动下载病毒文件yudi.js：

7.htm的内容为：

＜script language="java-script" src="yudi.js"＞＜/script＞

Kaspersky将yudi.js报为Exploit.HTML.Mht

*2005.12.14第2版补充： 添加了瑞星的回复及多反病毒引擎扫描的结果。

主题：

瑞星客户服务中心__关于病毒上报问题的分析结果C8=F0=D0=C7=BF=CD=BB=A7=B7=FE=CE=F1=D6=D0=D0=C4__=B9=D8=D3=DA=B2=A1=B6=BE=C9=CF=B1=A8=CE=CA=CC=E2=B5=C4=B7=D6=CE=F6=BD=E1=B9=FB?=

发件人：

send@rising.net.cn

发送时间：2005-12-14 16:05:29

尊敬的客户，您好！

您的邮件已经收到，感谢您对瑞星的支持。

我们已经详细分析过您的问题和文件，以下是您上传的文件的分析结果：

1.文件名：yudi[1].js

不是病毒

提 醒：为保证收到您的来信，请勿直接回复本邮件!!!

-------------------------------------------------------------

服务单位：瑞星·客户服务中心

工 程 师：CSC033

电话服务：（010）82678800

发送邮件：请用IE等浏览器访问网址 http://csc.rising.com.cn

-------------------------------------------------------------

多引擎扫描上传文件1 http://virusscan.jotti.org/ 扫描的结果：

File:

yudi[1].js

Status:

INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5

f9fecf19b99d944f751dcec9ffa915a2

Packers detected:

-

Scanner results

AntiVir

Found Exploit/MHT exploit

ArcaVir

Found Trojan.Exploit.Html.Mht

Avast

Found nothing

AVG Antivirus

Found nothing

BitDefender

Found nothing

ClamAV

Found nothing

Dr.Web

Found Exploit.MhtRedir

F-Prot Antivirus

Found nothing

Fortinet

Found HTML/Mht-exploit

Kaspersky Anti-Virus

Found Exploit.HTML.Mht

NOD32

Found nothing

Norman Virus Control

Found nothing

UNA

Found nothing

VBA32

Found nothing

多引擎扫描上传文件2 http://www.virustotal.com/xhtml/index_en.html 的扫描结果

This is a report processed by VirusTotal on 12/14/2005 at 14:03:37 (CET) after scanning the file "yudi_1_.js" file. Antivirus

Version

Update

Result

AntiVir

6.33.0.61

12.14.2005

EXP/MHT

Avast

4.6.695.0

12.13.2005

no virus found

AVG

718

12.08.2005

no virus found

Avira

6.33.0.61

12.14.2005

EXP/MHT

BitDefender

7.2

12.14.2005

no virus found

CAT-QuickHeal

8.00

12.13.2005

no virus found

ClamAV

devel-20051108

12.12.2005

no virus found

DrWeb

4.33

12.14.2005

Exploit.MhtRedir

eTrust-Iris

7.1.194.0

12.14.2005

no virus found

eTrust-Vet

12.3.3.0

12.14.2005

no virus found

Fortinet

2.54.0.0

12.14.2005

HTML/Mht-exploit

F-Prot

3.16c

12.13.2005

no virus found

Ikarus

0.2.59.0

12.14.2005

no virus found

Kaspersky

4.0.2.24

12.14.2005

Exploit.HTML.Mht

McAfee

4649

12.13.2005

no virus found

NOD32v2

1.1321

12.13.2005

no virus found

Norman

5.70.10

12.14.2005

no virus found

Panda

8.02.00

12.13.2005

no virus found

Sophos

4.00.0

12.14.2005

no virus found

Symantec

8.0

12.14.2005

no virus found

TheHacker

5.9.1.055

12.14.2005

no virus found

VBA32

3.10.5

12.13.2005

no virus found

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

> Go to: Home Contact En español

www.virustotal.com :: ©Hispasec Sistemas 2004,05 :: e-mail info@virustotal.com