bestpika
2006-06-10, 01:36 PM
這原本是一個 hta 檔,我把副檔名改成 txt
(這個檔案的原始位置是 http:// www. wzdq. cn/ count.jsb)
麻煩各位前輩幫我看一下這裡面的內容有沒有什麼問題,因為一連結到這個 js 檔
他會自動開啟一個 count.hta 然後開啟
Microsoft (R) HTML Application host 6.0
Microsoft Corporation
C:\WINDOWS\system32\mshta.exe
這個東西,然後我聽說這個是執行 HTA 檔用的,有些病毒會利用這個來進行破壞....
所以麻煩各位前輩幫我看一下這個檔案的內容有沒有什麼問題,感謝 m(_ _)m
贊助商連結
esjustin
2006-06-10, 05:03 PM
KAV 5.0個人版掃是沒問題
並非卡巴斯基掃不到就不是病毒!!建議傳送給卡巴斯基做分析!!
bestpika
2006-06-10, 07:47 PM
並非卡巴斯基掃不到就不是病毒!!建議傳送給卡巴斯基做分析!!
我送去分析了,只是不知道結果會怎樣
sai7sai
2006-06-10, 10:43 PM
執行它之後,它會下載幾個檔案(不正常之行為,除非有正常理由):
[Added process]
C:\WINDOWS\intranet.exe
C:\WINDOWS\winlogin.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\taskmor.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\explore[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\intranet[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ntssl[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\taskmor[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\winlogin[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\count[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\tupdate[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\versioni[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\eupdate[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\iupdate[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\wupdate[1].exe
C:\Documents and Settings\Administrator\Recent\count.hta.lnk
C:\Documents and Settings\Administrator\Recent\Temp.lnk
C:\WINDOWS\eupdate.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\intranet.exe
C:\WINDOWS\iupdate.exe
C:\WINDOWS\taskmor.exe
C:\WINDOWS\tupdate.exe
C:\WINDOWS\winlogin.exe
C:\WINDOWS\wupdate.exe
[Added Registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Value=Explore.exe||Data=C:\WINDOWS\explore.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Value=Taskmor.exe||Data=C:\WINDOWS\taskmor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Value=Intranet||Data=C:\WINDOWS\intranet.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run\Value=Explore.exe||Data=C:\WINDOWS\explore.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run\Value=Taskmor.exe||Data=C:\WINDOWS\taskmor.exe
趕快清除你的系統吧。
bestpika
2006-06-11, 09:14 AM
執行它之後,它會下載幾個檔案(不正常之行為,除非有正常理由):
[Added process]
C:\WINDOWS\intranet.exe
C:\WINDOWS\winlogin.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\taskmor.exe
[Added file]
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\explore[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\intranet[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ntssl[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\taskmor[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\winlogin[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\count[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\tupdate[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\versioni[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\eupdate[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\iupdate[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SEUIMLSE\wupdate[1].exe
C:\Documents and Settings\Administrator\Recent\count.hta.lnk
C:\Documents and Settings\Administrator\Recent\Temp.lnk
C:\WINDOWS\eupdate.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\intranet.exe
C:\WINDOWS\iupdate.exe
C:\WINDOWS\taskmor.exe
C:\WINDOWS\tupdate.exe
C:\WINDOWS\winlogin.exe
C:\WINDOWS\wupdate.exe
[Added Registry]
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Value=Explore.exe||Data=C:\WINDOWS\explore.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Value=Taskmor.exe||Data=C:\WINDOWS\taskmor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Value=Intranet||Data=C:\WINDOWS\intranet.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run\Value=Explore.exe||Data=C:\WINDOWS\explore.exe
HKU\S-1-5-21-515967899-583907252-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run\Value=Taskmor.exe||Data=C:\WINDOWS\taskmor.exe
趕快清除你的系統吧。
唔...看起來好像很嚴重
我想問一下他這些東西是從哪裡下載的(原始網址)?
而且看起來他會在系統開機執行的地方新增它下載下來的奇怪檔案,但是我檢查了登錄機碼,卻沒看到?
而且它下載的檔案是否有病毒?
sai7sai
2006-06-11, 10:59 AM
我沒有用sniffer去看, 所以不知囉,你可以自己試試看.
我是直接執行count.hta, 你可以試試.
下载的檔案很多都是用ASPack壓缩過, 這些應該有問題.
基本上 hta 檔案都不是什麼好東西。除非是可以信任的來源,不然還是少用為妙。(200x 的新增/移除程式,就是利用 hta 完成作業的)
bestpika
2006-06-11, 07:28 PM
基本上 hta 檔案都不是什麼好東西。除非是可以信任的來源,不然還是少用為妙。(200x 的新增/移除程式,就是利用 hta 完成作業的)
200x ← 不好意思...這是啥?