http://gft54577.3xx2.org:6677/x/index.html 이것이 변조 된것을 오늘 찾았다.
따로 출력하는 문구가 필요없이 누구나 툴로 이용한다면 쉽게 나올수 있는 코드였다.
사이트에서 연결되는 곳은
http://gft54577.3xx2.org:6677/x/http://js.tongji.xxnezing.com/1759886/tongji.js
http://gft54577.3xx2.org:6677/x/http://www.xxnezing.com
http://gft54577.3xx2.org:6677/x/http://img.tongji.xxnezing.com/1759886/tongji.gif
http://gft54577.3xx2.org:6677/x/pps.js
이렇게 연결 되지만 별달리 찾을 점은 존재하지 않았다 !!
%u5858%u5858%u10EB%u4B5B%uC'+'933%uB96'+'6%u03B8%u34'+'80%uBD0B%uFA'+'E2%u05E'+'B%uEBE8%uFFFF%u54FF (중략) %u8adc%u8d8d%u8e93%u8f8e%u938f%ucfd2%u87da%u8b8b%u8a8a%ud092%ud092%ucbc9%ud093%udfd9%ubdbd%uEAEA%uEAEA%uEAEA%uEAEA
이런식으로 되어 있으며 '+' 만 제거한다면 간단히 최종파일 까지 나올수 있다.
최종위치 : http://adsifyanfka700.3xx2.org:6677/x/mtv.mdb
파일명만 mdb인거 같고 하는건 exe 인거 같다 !!
[바이러스 토탈]
| 검사 파일: mtv.mdb 전송 시각: 2010.07.07 08:25:52 (UTC) | |||
| 안티바이러스 | 엔진 버전 | 정의 날짜 | 검사 결과 |
| a-squared | 5.0.0.31 | 2010.07.07 | Packed.Win32.Klone!IK |
| AhnLab-V3 | 2010.07.07.00 | 2010.07.06 | - |
| AntiVir | 8.2.4.10 | 2010.07.07 | HEUR/Crypted |
| Antiy-AVL | 2.0.3.7 | 2010.07.07 | - |
| Authentium | 5.2.0.5 | 2010.07.07 | W32/OnlineGames!Generic |
| Avast | 4.8.1351.0 | 2010.07.06 | - |
| Avast5 | 5.0.332.0 | 2010.07.06 | - |
| AVG | 9.0.0.836 | 2010.07.06 | Win32/Heur |
| BitDefender | 7.2 | 2010.07.07 | Trojan.Generic.4378362 |
| CAT-QuickHeal | 11.00 | 2010.06.30 | Win32.PWS.Frethog.AJ.3 |
| ClamAV | 0.96.0.3-git | 2010.07.07 | - |
| Comodo | 5346 | 2010.07.07 | Heur.Pck.NsPacK |
| DrWeb | 5.0.2.03300 | 2010.07.07 | - |
| eSafe | 7.0.17.0 | 2010.07.06 | Suspicious File |
| eTrust-Vet | 36.1.7690 | 2010.07.07 | - |
| F-Prot | 4.6.1.107 | 2010.07.07 | W32/OnlineGames!Generic |
| F-Secure | 9.0.15370.0 | 2010.07.07 | Suspicious:W32/Malware!Gemini |
| Fortinet | 4.1.133.0 | 2010.07.04 | - |
| GData | 21 | 2010.07.07 | Trojan.Generic.4378362 |
| Ikarus | T3.1.1.84.0 | 2010.07.07 | Packed.Win32.Klone |
| Jiangmin | 13.0.900 | 2010.07.07 | Trojan/Generic.adej |
| Kaspersky | 7.0.0.125 | 2010.07.07 | Trojan-Downloader.Win32.Geral.vps |
| McAfee | 5.400.0.1158 | 2010.07.07 | New Malware.u |
| McAfee-GW-Edition | 2010.1 | 2010.07.05 | Heuristic.LooksLike.Win32.Suspicious.C |
| Microsoft | 1.5902 | 2010.07.06 | VirTool:WinNT/Rootkitdrv.LH |
| NOD32 | 5258 | 2010.07.07 | - |
| Norman | 6.05.11 | 2010.07.06 | W32/Packed_NsPack.I |
| nProtect | 2010-07-06.01 | 2010.07.07 | - |
| Panda | 10.0.2.7 | 2010.07.06 | Suspicious file |
| PCTools | 7.0.3.5 | 2010.07.07 | HeurEngine.ZeroDayThreat |
| Prevx | 3.0 | 2010.07.07 | Medium Risk Malware |
| Rising | 22.55.02.04 | 2010.07.07 | Trojan.Win32.Generic.521CB05F |
| Sophos | 4.54.0 | 2010.07.07 | Mal/Packer |
| Sunbelt | 6554 | 2010.07.07 | Packer.NSAnti.Gen (v) |
| Symantec | 20101.1.0.89 | 2010.07.07 | Suspicious.Graybird.1 |
| TheHacker | 6.5.2.1.309 | 2010.07.06 | W32/Behav-Heuristic-067 |
| TrendMicro | 9.120.0.1004 | 2010.07.07 | PAK_Generic.005 |
| TrendMicro-HouseCall | 9.120.0.1004 | 2010.07.07 | - |
| VBA32 | 3.12.12.5 | 2010.07.05 | - |
| ViRobot | 2010.6.29.3912 | 2010.07.07 | Trojan.Win32.Amvo.Gen |
| VirusBuster | 5.0.27.0 | 2010.07.06 | Packed/NSPack |
| 추가 정보 | |||
| File size: 43388 bytes | |||
| MD5...: 0adddb768a57f486dffb78b038a07146 | |||
| SHA1..: 9cbf15b8e31040ca4ff8f25bd4a9056965aa9162 | |||
| SHA256: 962febb5db8cc602bd11890c47ed1ec102996d0339a440ef1e97e7d797dd098f | |||
| ssdeep: 768:HQ2lS8lybE5DlWgP2uZ41LuL4YY1P2RKrrSBKSqsnJeKFi9QR5zx4+Ds:w2f Q45D0uZ4dOEP2RK6BiiL4N | |||
| PEiD..: - | |||
| PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x23207 timedatestamp.....: 0x4c332196 (Tue Jul 06 12:29:10 2010) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 .nsp0 0x1000 0x22000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e .nsp1 0x23000 0xb000 0xa57c 7.98 b2b2f5849d1bf7e253a99d64ed83a57d .nsp2 0x2e000 0x8d4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e ( 4 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess > USER32.DLL: ShowWindow > ADVAPI32.DLL: LookupPrivilegeValueA > SETUPAPI.DLL: SetupDiGetINFClassA ( 0 exports ) | |||
| RDS...: NSRL Reference Data Set - | |||
| pdfid.: - | |||
| trid..: Win32 Executable Generic (42.3%) Win32 Dynamic Link Library (generic) (37.6%) Generic Win/DOS Executable (9.9%) DOS Executable Generic (9.9%) Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%) | |||
| sigcheck: publisher....: n/a copyright....: n/a product......: n/a description..: n/a original name: n/a internal name: n/a file version.: n/a comments.....: n/a signers......: - signing date.: - verified.....: Unsigned | |||
| <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=150CFE0D7C959B6FA9DA00AB3F2EE5008975D27C' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=150CFE0D7C959B6FA9DA00AB3F2EE5008975D27C</a> | |||
| packers (F-Prot): NSPack, PE_Patch | |||
| packers (Authentium): NSPack, PE_Patch | |||
'security > 악성코드 유포' 카테고리의 다른 글
| 휴대폰 통신사 큐x텔 악성 스크립트 삽입 !! (2) | 2010.07.09 |
|---|---|
| http://cpm2.XX66.org:88/Xo/Xi05.htm : JS:CVE-2010-0806-AK (0) | 2010.07.08 |
| TR/Bagle.trash (AntiVir) !! (2) | 2010.07.06 |
| 지난주 종합 유포지 5곳 !! (0) | 2010.07.05 |
| 아이로봇 룸바 등... 국내 50여개 사이트 제로데이 유포 !! (0) | 2010.06.22 |