A netizen encountered Trojan.DL.win32.agent.yqv; transmission by an ARP virus is suspected
Endurer Original
Version 1
A netizen sent an email saying that when he browses webpages on his computer, Rising reports a virus after a while:
/---
Virus name | Processing result | Found date | Path | File
Trojan.DL.Script.vbs.Agent.XGP | Skip the script | | C:/docume~1/admini~1/locals~1/temp | 2072186203104.tmp
Hack.Exploit.Script.js.bugexp. | Skip the script | | C:/docume~1/admini~1/locals~1/temp | 2072186203104.tmp
---/
Then he is prompted to download a file: thunder.js. After the file is downloaded, the following is reported: Trojan.DL.js.Thunder.B
Scanned file: Thunder.js - infected
Thunder.js - infected by Trojan-Downloader.JS.Agent.pg
He sent the file as an attachment.
The function of thunder.js is to run IE, move the window outside the visible area of the screen, and open hxxp://news.1**6**3-S*TV.com/page/image/downer.html in order to run abc1_1cmd.exe in the IE cache.
Content of hxxp://news.1**6*3-S*TV.com/page/image/downer.html:
/---
<SCRIPT src = "page.exe"> </SCRIPT>
---/
File Description: D:/test/page.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 23:17:31
Modification time: 23:17:42
Access time:
Size: 10596 bytes, 10.356 KB
MD5: c9ce5001e401cc796785810d9a3a91b2
SHA1: 153c5da7a325a8c50dec9921b1816001bcb74c2b
Rising: Trojan.DL.win32.agent.yqv
Scanned file: Page.exe - infected
Page.exe - infected by Trojan-Downloader.Win32.Small.fso
I sent him pe_xscan so that he could scan his computer and send the log back for analysis. No suspicious items were found.
It is suspected that another computer on the same network as the netizen's computer is infected with an ARP virus, which periodically injects malicious code into webpages.
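One way to check the ARP suspicion above, as an added example that is not part of the original post: parse the affected machine's `arp -a` output and flag any MAC address claimed by more than one IP, especially when one of those IPs is the default gateway. The sample output, all addresses and the gateway IP are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not taken from the post).
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.10          00-aa-bb-cc-dd-01     dynamic
  192.168.1.57          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Broadcast and incomplete entries are shared by design, so skip them.
IGNORED_MACS = {"ff-ff-ff-ff-ff-ff", "00-00-00-00-00-00"}


def parse_arp_table(text):
    """Return {mac: sorted list of IPs} for the unicast entries in `arp -a` text."""
    by_mac = defaultdict(set)
    for ip, mac, _entry_type in ENTRY.findall(text):
        mac = mac.lower()
        if mac in IGNORED_MACS or mac.startswith("01-00-5e"):  # IPv4 multicast
            continue
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


def find_arp_conflicts(text, gateway_ip):
    """Return one finding per MAC address that answers for more than one IP."""
    findings = []
    for mac, ips in parse_arp_table(text).items():
        if len(ips) > 1:
            findings.append(
                {"mac": mac, "ips": ips, "involves_gateway": gateway_ip in ips}
            )
    return findings


if __name__ == "__main__":
    for finding in find_arp_conflicts(SAMPLE_ARP_OUTPUT, "192.168.1.1"):
        print(finding)
```

A finding with `involves_gateway` set means some host's MAC is answering for the gateway's IP; the other IP in the list is the machine to inspect first. Proxy ARP and multi-homed hosts can also produce duplicates, so compare against the gateway's known MAC before concluding.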