endurer, original
2006-12-15, 1st edition
The forum's homepage had the following code injected:
/--------
<iframe src
--------/
wm.htm contains a JavaScript program that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file /mc/game/lpf.exe, saves it as c:/boot.exe, and runs it through the ShellExecute method of the Shell.Application object.
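As an added example (not part of the original write-up), the following Python script flags both halves of this injection chain in saved page content: a zero-size or invisible iframe on the compromised forum page, and a script that instantiates the fetch / write / execute COM objects (Microsoft.XMLHTTP, Scripting.FileSystemObject, Shell.Application) that this kind of ActiveX downloader needs. The three sample pages, the iframe target example.invalid and the script body are constructed stand-ins; the real injected iframe source and wm.htm are not reproduced here.

```python
"""Flag the two halves of the injection described above: a hidden <iframe>
on the compromised page, and a script that creates the fetch / write /
execute COM objects an ActiveX downloader needs.

Added example, not code from the original post. The sample pages are
constructed; the iframe target (example.invalid) and the script are invented
stand-ins, not the real injected code or wm.htm.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Script-side indicators, one per stage. Case-insensitive so variants such as
# MSXML2.XMLHTTP or ADODB.Stream-based droppers are caught as well.
STAGES = {
    "fetch": re.compile(r"(?:Microsoft|MSXML2)\.(?:Server)?XMLHTTP", re.I),
    "write": re.compile(r"Scripting\.FileSystemObject|ADODB\.Stream", re.I),
    "execute": re.compile(r"Shell\.Application|WScript\.Shell", re.I),
}
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Zero-size or invisible frames: the usual way an injected frame is hidden.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)


@dataclass
class Finding:
    kind: str    # "hidden-iframe", "activex-downloader" or "activex-partial"
    detail: str  # iframe target, or the stages seen


def scan_html(html: str) -> list[Finding]:
    """Return findings for one page; an empty list means nothing matched."""
    findings: list[Finding] = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        if HIDDEN_RE.search(attrs):
            src = SRC_RE.search(attrs)
            findings.append(Finding("hidden-iframe", src.group(1) if src else "(no src)"))
    # All three stages present = downloader; some present = worth a look.
    seen = [name for name, rx in STAGES.items() if rx.search(html)]
    if len(seen) == len(STAGES):
        findings.append(Finding("activex-downloader", "+".join(seen)))
    elif seen:
        findings.append(Finding("activex-partial", "+".join(seen)))
    return findings


# --- constructed samples (not the real forum page or wm.htm) ---------------
INJECTED_FORUM_PAGE = """<html><body><h1>Forum</h1>
<iframe src="http://example.invalid/wm.htm" width=0 height=0></iframe>
</body></html>"""

WM_LIKE_SCRIPT = """<script language="JScript">
var req = new ActiveXObject("Microsoft.XMLHTTP");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var sh  = new ActiveXObject("Shell.Application");
</script>"""

CLEAN_PAGE = """<html><body>
<iframe src="http://example.invalid/player.htm" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("forum", INJECTED_FORUM_PAGE), ("wm", WM_LIKE_SCRIPT), ("clean", CLEAN_PAGE)]:
        print(name, [(f.kind, f.detail) for f in scan_html(page)])
```

Requiring all three object classes keeps the rule quiet on pages that use XMLHTTP alone for ordinary AJAX; a partial match is reported separately for triage. It is a string match on page content, so it will not see objects created through obfuscated or concatenated names; pair it with the hidden-iframe check, which is what gives the injection away on the forum side.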
lpf.exe is built with Borland Delphi (identified as Borland Delphi Setup Module).
/-------
File : D:/virus/lpf.exe
Attributes : A---
Failed to get file version info size!
Created : 2006-12-15 20:52:52
Modified : 2006-12-15 20:52:54
Accessed : 2006-12-15 0:0:0
Size : 15872 bytes (15.512 KB)
MD5 : 1914ec3e09f9bca86a10034ff9b3b985
-------/
Kaspersky reports it as Trojan-Downloader.Win32.Delf.ajm; Rising reports it as Trojan.DL.Multi.wen.
Complete scanning result of "lpf.exe", received in VirusTotal at 12.15.2006, 14:28:30 (CET).
Antivirus | Version | Update | Result
AntiVir | 7.3.0.15 | 12.15.2006 | TR/Delphi.Downloader.Gen
Authentium | 4.93.8 | 12.14.2006 | Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Avast | 4.7.892.0 | 12.15.2006 | no virus found
AVG | 386 | 12.15.2006 | no virus found
BitDefender | 7.2 | 12.15.2006 | BehavesLike:Win32.ExplorerHijack
CAT-QuickHeal | 8.00 | 12.14.2006 | TrojanDownloader.Delf.ajm
ClamAV | devel-20060426 | 12.15.2006 | Trojan.Downloader-51
DrWeb | 4.33 | 12.15.2006 | Trojan.DownLoader.14624
eSafe | 7.0.14.0 | 12.14.2006 | no virus found
eTrust-InoculateIT | 23.73.86 | 12.15.2006 | no virus found
eTrust-Vet | 30.3.3252 | 12.15.2006 | no virus found
Ewido | 4.0 | 12.15.2006 | Downloader.Delf.ajm
Fortinet | 2.82.0.0 | 12.15.2006 | no virus found
F-Prot | 3.16f | 12.14.2006 | Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
F-Prot4 | 4.2.1.29 | 12.14.2006 | W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Ikarus | T3.1.0.26 | 12.15.2006 | no virus found
Kaspersky | 4.0.2.24 | 12.15.2006 | Trojan-Downloader.Win32.Delf.ajm
McAfee | 4919 | 12.14.2006 | Generic Delphi
Microsoft | 1.1804 | 12.15.2006 | no virus found
NOD32v2 | 1923 | 12.15.2006 | probably a variant of Win32/TrojanDownloader.Delf.NDQ
Norman | 5.80.02 | 12.15.2006 | W32/Delf.TWZ
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file
Prevx1 | V2 | 12.15.2006 | no virus found
Sophos | 4.12.0 | 12.14.2006 | no virus found
Sunbelt | 2.2.907.0 | 11.30.2006 | no virus found
TheHacker | 6.0.3.132 | 12.14.2006 | no virus found
UNA | 1.83 | 12.14.2006 | no virus found
VBA32 | 3.11.1 | 12.14.2006 | no virus found
VirusBuster | 4.3.19:9 | 12.14.2006 | no virus found
Additional Information
File size: 15872 bytes
MD5: 1914ec3e09f9bca86a10034ff9b3b985
SHA1: ad95735b4cb4ed24767801f3b3bde4823cd24281
lpf.exe downloads the following files:
1) /mc/bao/lipengfei.exe
Packed with UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
/-------
File : D:/virus/lipengfei.exe
Attributes : A---
Failed to get file version info size!
Created : 2006-12-15 21:2:56
Modified : 2006-12-15 21:2:58
Accessed : 2006-12-15 0:0:0
Size : 39069 bytes (38.157 KB)
MD5 : 8a91fe8298abe6d136e6e4a2071abb1e
-------/
Rising reports it as Trojan.PSW.QQPass.qxf.
Complete scanning result of "lipengfei.exe", received in VirusTotal at 12.15.2006, 14:39:16 (CET).
Antivirus | Version | Update | Result
AntiVir | 7.3.0.15 | 12.15.2006 | DR/Delphi.Gen
Authentium | 4.93.8 | 12.14.2006 | no virus found
Avast | 4.7.892.0 | 12.15.2006 | Win32:QQPass-EU
AVG | 386 | 12.15.2006 | PSW.Generic2.SUE
BitDefender | 7.2 | 12.15.2006 | Generic.PWStealer.A771A4B9
CAT-QuickHeal | 8.00 | 12.14.2006 | no virus found
ClamAV | devel-20060426 | 12.15.2006 | no virus found
DrWeb | 4.33 | 12.15.2006 | Trojan.PWS.Qqpass.326
eSafe | 7.0.14.0 | 12.14.2006 | suspicious Trojan/Worm
eTrust-InoculateIT | 23.73.86 | 12.15.2006 | Win32/QQPass.Variant!Trojan
eTrust-Vet | 30.3.3252 | 12.15.2006 | no virus found
Ewido | 4.0 | 12.15.2006 | Trojan.QQPass.ra
Fortinet | 2.82.0.0 | 12.15.2006 | no virus found
F-Prot | 3.16f | 12.14.2006 | no virus found
F-Prot4 | 4.2.1.29 | 12.14.2006 | no virus found
Ikarus | T3.1.0.26 | 12.15.2006 | Trojan-PSW.Win32.Delf.IC
Kaspersky | 4.0.2.24 | 12.15.2006 | Trojan-PSW.Win32.QQPass.ra
McAfee | 4919 | 12.14.2006 | PWS-Hook.dll
Microsoft | 1.1804 | 12.15.2006 | no virus found
NOD32v2 | 1923 | 12.15.2006 | probably a variant of Win32/PSW.QQShou.EP
Norman | 5.80.02 | 12.15.2006 | W32/QQPass.CHM
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file
Prevx1 | V2 | 12.15.2006 | no virus found
Sophos | 4.12.0 | 12.14.2006 | no virus found
Sunbelt | 2.2.907.0 | 11.30.2006 | no virus found
TheHacker | 6.0.3.132 | 12.14.2006 | Trojan/PSW.QQPass.ra
UNA | 1.83 | 12.14.2006 | Trojan.PSW.Win32.QQPass.6EDE
VBA32 | 3.11.1 | 12.14.2006 | BackDoor.Pigeon.516
VirusBuster | 4.3.19:9 | 12.14.2006 | no virus found
Additional Information
File size: 39069 bytes
MD5: 8a91fe8298abe6d136e6e4a2071abb1e
SHA1: 6909040f888c037999d64a32f5ef90521602ab93
packers: UPX
2) /mc/pqpq.exe
Packed with nSPack 1.3 -> North Star/Liu Xing Ping
/-------
File : D:/pe/virus/pqpq.exe
Attributes : A---
Language : Chinese (China)
File version : 0.00.0195
Description :
Copyright :
Comments :
Product version : 0.00.0195
Product name : Xcd
Company name : Xcd
Legal trademarks :
Internal name : 23oigj
Original filename : 23oigj.exe
Created : 2006-12-15 21:3:12
Modified : 2006-12-15 21:3:14
Accessed : 2006-12-15 0:0:0
Size : 44151 bytes (43.119 KB)
MD5 : 04433d91f101e7c95d5d77c1cbe1efd6
-------/
Rising reports it as Trojan.PSW.Misc.kif.
Complete scanning result of "pqpq.exe", received in VirusTotal at 12.15.2006, 14:47:23 (CET).
Antivirus | Version | Update | Result
AntiVir | 7.3.0.15 | 12.15.2006 | TR/PSW.Lmir.44151
Authentium | 4.93.8 | 12.14.2006 | Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus
Avast | 4.7.892.0 | 12.15.2006 | no virus found
AVG | 386 | 12.15.2006 | no virus found
BitDefender | 7.2 | 12.15.2006 | Generic.PWSLmir.D80E5DAD
CAT-QuickHeal | 8.00 | 12.14.2006 | (Suspicious) - DNAScan
ClamAV | devel-20060426 | 12.15.2006 | no virus found
DrWeb | 4.33 | 12.15.2006 | BackDoor.Generic.1482
eSafe | 7.0.14.0 | 12.14.2006 | suspicious Trojan/Worm
eTrust-InoculateIT | 23.73.86 | 12.15.2006 | no virus found
eTrust-Vet | 30.3.3252 | 12.15.2006 | no virus found
Ewido | 4.0 | 12.15.2006 | no virus found
Fortinet | 2.82.0.0 | 12.15.2006 | Spy/WOWSTEAL
F-Prot | 3.16f | 12.14.2006 | Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus
F-Prot4 | 4.2.1.29 | 12.14.2006 | W32/Suspicious:VisualBasicMalware!Maximus
Ikarus | T3.1.0.26 | 12.15.2006 | Backdoor.Win32.PcClient.GV
Kaspersky | 4.0.2.24 | 12.15.2006 | no virus found
McAfee | 4919 | 12.14.2006 | no virus found
Microsoft | 1.1804 | 12.15.2006 | PWS:Win32/Wowsteal.gen!A
NOD32v2 | 1923 | 12.15.2006 | a variant of Win32/PSW.Legendmir
Norman | 5.80.02 | 12.15.2006 | no virus found
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file
Prevx1 | V2 | 12.15.2006 | Trojan.SystemPoser
Sophos | 4.12.0 | 12.14.2006 | Mal/PWS-D
Sunbelt | 2.2.907.0 | 11.30.2006 | VIPRE.Suspicious
TheHacker | 6.0.3.132 | 12.14.2006 | no virus found
UNA | 1.83 | 12.14.2006 | no virus found
VBA32 | 3.11.1 | 12.14.2006 | BackDoor.Generic.1482
VirusBuster | 4.3.19:9 | 12.14.2006 | novirus:Packed/NSPack
Additional Information
File size: 44151 bytes
MD5: 04433d91f101e7c95d5d77c1cbe1efd6
SHA1: 26478a8cb49411d3e87132cdad2c82993bf545f2
packers: NSPACK
packers: Packed
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
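The three VirusTotal tables above (lpf.exe, lipengfei.exe, pqpq.exe) are easier to compare once parsed. The following Python is an added example, not from the original post: it tokenizes a pasted VirusTotal report on `|`, treating line breaks as separators too, so the same code reads both the one-field-per-line paste and the one-row-per-line layout; it then counts how many vendors detect the file, separates named verdicts from heuristic or generic ones, and takes a crude majority vote on the family token. SAMPLE_REPORT is an excerpt of the lpf.exe table (10 of its 29 vendors); the generic-wording list and the noise-word list are my own choices, not anything VirusTotal defines.

```python
"""Parse a pasted VirusTotal result table and summarize detection quality.

Added example, not from the original post. SAMPLE_REPORT is an excerpt of the
lpf.exe results above (10 of 29 vendors); the hint and noise lists are my own.
"""
from __future__ import annotations
import re
from collections import Counter

CLEAN = "no virus found"
# Wording that marks a heuristic or generic verdict rather than a named family.
GENERIC_HINTS = ("possibly", "probably", "suspicious", "generic", "behaveslike",
                 "variant", "heur", "novirus", "dnascan", ".gen")
# Tokens that say nothing about the family when voting on a name.
NOISE = {"trojan", "trojandownloader", "downloader", "generic", "variant",
         "possibly", "probably", "suspicious", "file", "based", "virus", "found"}
COLUMNS = ("vendor", "version", "update", "result")


def parse_vt_report(text: str) -> list[dict]:
    """Tokenize on '|' (newlines count as separators) and group in fours after
    the Antivirus/Version/Update/Result header, so the same code reads the
    one-field-per-line paste and the one-row-per-line layout."""
    start = text.find("Antivirus")
    if start < 0:
        raise ValueError("no Antivirus header found")
    end_m = re.search(r"Ad+itional Information", text)  # VT spelt it "Aditional" in 2006
    end = end_m.start() if end_m else len(text)
    cells = [c.strip() for c in text[start:end].replace("\n", "|").split("|")]
    cells = [c for c in cells if c]
    header, body = cells[:4], cells[4:]
    if [h.lower() for h in header] != ["antivirus", "version", "update", "result"]:
        raise ValueError(f"unexpected header {header}")
    if len(body) % 4:
        raise ValueError("truncated row in report")
    return [dict(zip(COLUMNS, body[i:i + 4])) for i in range(0, len(body), 4)]


def is_generic(result: str) -> bool:
    """True when the verdict wording is heuristic/generic rather than a family name."""
    r = result.lower()
    return any(h in r for h in GENERIC_HINTS)


def summarize(records: list[dict]) -> dict:
    """Detection count, vendors giving a concrete name, and a family-token vote."""
    detected = [r for r in records if r["result"].lower() != CLEAN]
    named = [r["vendor"] for r in detected if not is_generic(r["result"])]
    votes: Counter = Counter()
    for r in detected:
        for tok in re.findall(r"[A-Za-z]{4,}", r["result"]):
            if tok.lower() not in NOISE:
                votes[tok.lower()] += 1
    return {
        "vendors": len(records),
        "detected": len(detected),
        "named": named,
        "family_guess": votes.most_common(1)[0][0] if votes else None,
    }


# Excerpt of the lpf.exe table above, in the one-row-per-line layout.
SAMPLE_REPORT = """\
Complete scanning result of "lpf.exe", received in VirusTotal at 12.15.2006, 14:28:30 (CET).
Antivirus | Version | Update | Result
AntiVir | 7.3.0.15 | 12.15.2006 | TR/Delphi.Downloader.Gen
Authentium | 4.93.8 | 12.14.2006 | Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus
Avast | 4.7.892.0 | 12.15.2006 | no virus found
CAT-QuickHeal | 8.00 | 12.14.2006 | TrojanDownloader.Delf.ajm
Kaspersky | 4.0.2.24 | 12.15.2006 | Trojan-Downloader.Win32.Delf.ajm
McAfee | 4919 | 12.14.2006 | Generic Delphi
Microsoft | 1.1804 | 12.15.2006 | no virus found
NOD32v2 | 1923 | 12.15.2006 | probably a variant of Win32/TrojanDownloader.Delf.NDQ
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file
Sophos | 4.12.0 | 12.14.2006 | no virus found
Additional Information
File size: 15872 bytes
MD5: 1914ec3e09f9bca86a10034ff9b3b985
"""

if __name__ == "__main__":
    print(summarize(parse_vt_report(SAMPLE_REPORT)))
```

On the excerpt, 7 of 10 vendors fire, but only two give a concrete family name (Delf); the rest are heuristic or compiler/packer generics. That matches the pattern across the three tables: lipengfei.exe gets a fairly consistent QQPass name, while pqpq.exe is called Lmir, Wowsteal, PcClient and Legendmir by different vendors, and the Rising names quoted in the write-up do not appear in VirusTotal at all. The parser assumes every cell is non-empty; a blank version field would shift the columns.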
3) /mc/gezi.exe could not be retrieved
4) /mc/dabao.exe could not be retrieved
5) /mc/xbao.exe could not be retrieved
The downloads are saved under C:/Program Files/Common Files as
1.exe
2.exe
3.exe
4.exe
5.exe
This is very similar to what was found previously, except that the files' MD5s differ.
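For an incident responder checking a machine that visited the forum, the write-up gives two things to look for: the drop paths (c:/boot.exe, and 1.exe to 5.exe under C:/Program Files/Common Files) and the MD5s of the three samples. The following Python is an added example, not part of the original post, that sweeps those paths under a given drive root, hashes whatever is present and labels known hashes. Because the author notes that later variants keep the paths but change the MD5, any file found at a drop path is reported even when its hash is unknown. The file contents in DEMO_FILES are constructed placeholders written to a temporary directory for the offline demo; the hashes in KNOWN_MD5 are the ones listed on this page.

```python
"""Sweep the drop locations named above and hash whatever is there.

Added example, not part of the original post. Hashes in KNOWN_MD5 are the
ones listed on this page; the contents in DEMO_FILES are constructed
placeholders for the offline demo, not malware.
"""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# MD5s from this write-up, mapped to the names the page gives the samples.
KNOWN_MD5 = {
    "1914ec3e09f9bca86a10034ff9b3b985": "lpf.exe (Trojan-Downloader.Win32.Delf.ajm)",
    "8a91fe8298abe6d136e6e4a2071abb1e": "lipengfei.exe (Trojan-PSW.Win32.QQPass.ra)",
    "04433d91f101e7c95d5d77c1cbe1efd6": "pqpq.exe (PWS:Win32/Wowsteal.gen!A)",
}

# Drop paths from the write-up, relative to the system drive: wm.htm writes
# boot.exe to the drive root, lpf.exe writes 1.exe..5.exe under Common Files.
DROP_PATHS = ["boot.exe"] + [f"Program Files/Common Files/{n}.exe" for n in range(1, 6)]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sweep(root: Path) -> list[dict]:
    """Return one record per drop path that exists under root.

    A file at one of these paths is reported even when its hash is unknown:
    the write-up notes that later variants keep the paths but change the MD5.
    """
    hits = []
    for rel in DROP_PATHS:
        p = root / rel
        if not p.is_file():
            continue
        data = p.read_bytes()
        md5 = md5_hex(data)
        hits.append({
            "path": rel,
            "size": len(data),
            "md5": md5,
            "sha1": hashlib.sha1(data).hexdigest(),
            "label": KNOWN_MD5.get(md5, "unknown: present at drop path"),
        })
    return hits


# Constructed demo tree: harmless bytes at two of the drop paths.
DEMO_FILES = {
    "boot.exe": b"MZ constructed placeholder, not the real c:/boot.exe",
    "Program Files/Common Files/3.exe": b"MZ constructed placeholder 3.exe",
}


def run_demo() -> list[dict]:
    """Build the demo tree in a temp dir and sweep it."""
    root = Path(tempfile.mkdtemp(prefix="drop-sweep-"))
    for rel, data in DEMO_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return sweep(root)


if __name__ == "__main__":
    # On a suspect host: sweep(Path("C:/")); here the constructed temp tree.
    for hit in run_demo():
        print(f'{hit["path"]:40} {hit["size"]:>6} {hit["md5"]}  {hit["label"]}')
```

On a suspect host call sweep(Path("C:/")) instead of run_demo(). The hash list is only a confirmation aid: an executable present at any of these paths is the stronger signal, and a clean sweep proves little if the installer used different names.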