Endurer original
Version 1
QQ received the following message:
/-------
Hxxp: // www. A ** HW ** l ** Q * t.com/?1=23366}.html. Here are my photos. Let's take a look and give me a comment. Thank you.
-------/
The web page has no content, but VBScript code in the page uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 123.exe, saves it as %Temp%/svchost.exe, and then calls the custom function tcsafe1exe(M5, x9).
The custom function tcsafe1exe() creates the Shell.Application object Xe and runs %Temp%/svchost.exe using Xe's ShellExecute method.
The VBScript in this page is similar to the script described in "Trojan.Clicker.VB.ajn, which hijacks the browser and displays advertisements, is being spread through web sites in QQ messages":
Http://endurer.bokee.com/6074696.html
Http://www.blogcn.com/user50/endurer/blog/51870395.html
Http://blog.csdn.net/Purpleendurer/archive/2007/01/28/1496462.aspx
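A static check for the object combination described above (download, file write, execute), as an added example that is not part of the original post. The function names, the sample page and the folding of VBScript string concatenation are assumptions made for illustration; the sample is a constructed, non-functional fragment.

```python
import re

# ProgIDs and the method named in the write-up, mapped to the role each plays.
INDICATORS = {
    "microsoft.xmlhttp": "download",
    "scripting.filesystemobject": "write-file",
    "shell.application": "execute",
    "shellexecute": "execute",
}

# Any <script> tag that declares VBScript (language= or type=).
VBS_BLOCK = re.compile(r"<script[^>]*vbscript[^>]*>(.*?)</script>", re.I | re.S)
# Fold "Scr" & "ipting" into "Scripting" (assumed obfuscation, not from the post).
CONCAT = re.compile(r'"\s*[&+]\s*"')


def scan_page(html):
    """Return the sorted roles found across all VBScript blocks in html."""
    roles = set()
    for body in VBS_BLOCK.findall(html):
        folded = CONCAT.sub("", body).lower()
        for needle, role in INDICATORS.items():
            if needle in folded:
                roles.add(role)
    return sorted(roles)


def is_dropper(html):
    """Flag a page only when download, write and execute all appear."""
    return set(scan_page(html)) == {"download", "write-file", "execute"}


# Constructed sample: object creation only, no download or write logic.
SAMPLE = '''<html><body>
<script language="VBScript">
Set d = CreateObject("Micro" & "soft.XMLHTTP")
Set f = CreateObject("Scr" & "ipting.FileSystemObject")
Set Xe = CreateObject("Shell.Application")
Xe.ShellExecute target
</script></body></html>'''

# Constructed benign page: a single object on its own is not flagged.
BENIGN = '''<script type="text/vbscript">
Set f = CreateObject("Scripting.FileSystemObject")
</script>'''

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan_page(page), is_dropper(page))
```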
/-----
File Description: D:/test/123.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 22:51:10
Modification time: 22:51:24
Access time:
Size: 43490 bytes, 42.482 KB
MD5: 25c796d526b18a2e244b93bb6074f23a
-----/
Kaspersky reports: Trojan-PSW.Win32.QQPass.qg
Rising reports: Trojan.PSW.QQPass.rky
Scanned file: 123.exe - infected
123.exe - infected by Trojan-PSW.Win32.QQPass.qg
Statistics:
Known viruses: 262925
Updated: 29-01-2007
File size (Kb): 43
Virus bodies: 1
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0
Last night neither of them responded, but to my surprise both report it today ~