Virus author gets brazen: an automatic trojan generator marketed in the open

Author: Li Tiejun (李铁军)    Source: 赛迪网    Date: 2007-6-26 11:04:46
Doesn't the program this guy built look a lot like 熊猫烧香 (Panda Burning Incense) and AV终结者 (AV Terminator)?

Here is the description of this N* downloader, hosted at hxxp://www.black***.com/test.txt:

[牛X强悍下载者 ("Badass Powerful Downloader")] Feature description
Contact e-mail for partnerships: dsneon@126.com
*********************************************
[2007.06.18 update]
Delete GHOST backup files
Lock the IE home page (note: once locked, the home page setting in IE Options is disabled) (personal edition supports changing the IE home page URL from the back end)
Delete self (note: on running, the trojan copies itself to a hidden directory, deletes the original, and keeps running hidden)
Kill QQ Doctor (note: stops QQ Doctor from installing system patches) (personal edition supports adding your own processes to kill)
Turn off and disable Automatic Updates (note: stops Windows Automatic Updates from installing patches and prevents it being switched back on)
Automatically close any IE window whose title bar contains the word "病毒" (virus) (note: if the user searches Baidu for the word "virus", IE closes by itself) (personal edition supports adding your own keywords)
Improved AutoPlay (note: after a typical trojan infects a drive the user can no longer open the drive's directory; this program makes a click on the drive open its directory normally)
*****************************Bugs reported by users have been fixed****************************************
[2007.06.13 first release]
1: Wall-piercing firewall evasion (note: after running, checks whether the process AVP.EXE exists; if it does, modifies a KEY so the antivirus stops working) (personal edition also disables the domestic antivirus Rising)
2: Download specified files (note: downloads to the target machine and runs them, according to the configured address) (personal edition: unlimited number of downloads, back-end management)
3: Infect drive letters (note: after running, checks drives C to Z for the same EXE; if absent, copies itself to the drive root as a hidden file)
4: Add AutoPlay (after the EXE has been copied to drives C to Z, adds an AutoPlay entry so that double-clicking the drive launches the program)
5: USB spread (copies itself to USB drives automatically; checks for USB drives every 5 seconds)
6: Start on boot (activates this EXE after the machine boots)
7: Insert web-trojan code (checks *.HTM, index.asp, index.php, conn.asp, default.asp and default.php on drives D to Z and inserts the code; checks the last line so it is not inserted twice)
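Two of the traits in that list are easy to check for on a suspect host: an autorun.inf in a drive root that launches a copied EXE (items 3 and 4), and a web page whose last line has been given an external iframe or script (item 7; the generator tests the last line to avoid inserting twice, so the last line is where to look). The script below is an added example, not the generator's code or anything from the original article; the autorun.inf and index.asp contents are constructed samples so it runs offline.

```python
"""Triage checks for drive-root autorun launchers and web pages with an
injected last line. The samples at the bottom are constructed, not captured."""
import re
from typing import Optional

# Page names item 7 of the feature list says the downloader rewrites; any
# *.htm/*.html is covered separately.
WEB_TARGETS = {"index.asp", "index.php", "conn.asp", "default.asp", "default.php"}


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
        elif in_section and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def autorun_launch_target(text: str) -> Optional[str]:
    """Program that an Explorer double-click on the drive would run, or None if
    the file only sets an icon or label. open= and shellexecute= are checked
    first, then any shell\\<verb>\\command= entry."""
    keys = parse_autorun(text)
    for k in ("open", "shellexecute"):
        if keys.get(k):
            return keys[k]
    for k, v in keys.items():
        if k.startswith("shell\\") and k.endswith("\\command") and v:
            return v
    return None


# An iframe/script whose src points off-host: the shape of a "web trojan" line.
INJECT_RE = re.compile(
    r"<\s*(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//", re.I)


def injected_tail(path: str, content: str) -> Optional[str]:
    """If `path` is a page type the downloader targets and its last non-empty
    line loads an external iframe/script, return that line; otherwise None."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not (base in WEB_TARGETS or base.endswith((".htm", ".html"))):
        return None
    lines = [l for l in content.splitlines() if l.strip()]
    if lines and INJECT_RE.search(lines[-1]):
        return lines[-1]
    return None


# Constructed samples (hypothetical file contents, not captured from the malware).
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
shell\\open\\Command=setup.exe
shell=open
"""
SAMPLE_INDEX_ASP = """<html><body>hello</body></html>
<iframe src=http://example.invalid/m.htm width=0 height=0></iframe>"""

if __name__ == "__main__":
    print("autorun launches:", autorun_launch_target(SAMPLE_AUTORUN))
    print("injected line:", injected_tail("D:/wwwroot/index.asp", SAMPLE_INDEX_ASP))
```

On a live host the same two functions would be fed the autorun.inf from each drive root and the listed page names from each web root; a hit from `injected_tail` is the file to diff against a known-good copy before restoring.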

Now let's see what this virus generator actually looks like (see the figure).

Its "click here for the latest version" link leads to the site hxxp://xia888.***.net/.

I looked up the registration record for hxxp://www.black***.com:

Whois Server Version 2.0


        Domain Name: BLACK3389.COM
        Registrar: XIN NET TECHNOLOGY CORPORATION
        Whois Server: whois.paycenter.com.cn
        Referral URL: hxxp://www.xinnet.com
        Name Server: NS2.XINNET.CN
        Name Server: NS2.XINNETDNS.COM
        Status: ok
        Updated Date: 08-jun-2007
        Creation Date: 22-aug-2006
        Expiration Date: 22-aug-2007

>>> Last update of whois database: Thu, 21 Jun 2007 11:11:31 UTC <<<


[whois.paycenter.com.cn]
             
Domain Name:black3389.com

Registrant: 
fang bing
 bei jing
 000001
 
 

Administrative Contact: 
fang bing
 fang bing
 bei jing
 bei jing Beijing 000001
 China
 tel: 86 010 6123456 
 fax: 86 010 6123456 
 qbbs@xinoffice.com
 
Technical Contact: 
fang bing
 fang bing
 bei jing
 bei jing Beijing 000001
 China
 tel: 86 010 6123456 
 fax: 86 010 6123456 
 qbbs@xinoffice.com
 
Billing Contact: 
fang bing
 fang bing
 bei jing
 bei jing Beijing 000001
 China
 tel: 86 010 6123456 
 fax: 86 010 6123456 
 qbbs@xinoffice.com
 
 Registration Date: 2006-08-22
            Update Date: 2006-08-22
        Expiration Date: 2007-08-22
 
         Primary DNS:       ns2.xinnetdns.com      210.51.170.48
       Secondary DNS:       ns2.xinnet.cn      210.51.170.67

[HiChina Format]
Domain Name ..................... black3389.com
Registrant Organization ......... fang bing
Registrant Address .............. bei jing
                                       000001
                                       
Administrative Name ............. fang bing
Administrative Organization ..... fang bing
Administrative Address .......... bei jing
                                       bei jing Beijing 000001
                                       China
Administrative City ............. bei
Administrative Province/State ... jing
Administrative Postal Code ...... Beijing 000001
Administrative Country Code ..... China
Administrative Phone Number ..... 86 010 6123456
Administrative Fax .............. 86 010 6123456
Administrative Email ............ qbbs@xinoffice.com
Billing Name .................... fang bing
Billing Organization ............ fang bing
Billing Address ................. bei jing
                                       bei jing Beijing 000001
                                       China
Billing City .................... bei
Billing Province/State .......... jing
Billing Postal Code ............. Beijing 000001
Billing Country Code ............ China
Billing Phone Number ............ 86 010 6123456
Billing Fax ..................... 86 010 6123456
Billing Email ................... qbbs@xinoffice.com
Technical Name .................. fang bing
Technical Organization .......... fang bing
Technical Address ............... bei jing
                                       bei jing Beijing 000001
                                       China
Technical City .................. bei
Technical Province/State ........ jing
Technical Postal Code ........... Beijing 000001
Technical Country Code .......... China
Technical Phone Number .......... 86 010 6123456
Technical Fax ................... 86 010 6123456
Technical Email ................. qbbs@xinoffice.com
Expiration Date ................. 2007-08-22
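The contact fields in that record are worth testing rather than trusting. The script below is an added example, not part of the article or of any registrar tool: it parses a registrar-format WHOIS record into its contact blocks and flags values that look like filler (a postal code made of one or two digits, a phone number containing a straight digit run, fax identical to phone, one name and one mailbox reused across every role). The embedded record is a trimmed copy of the black3389.com output above so the checks can run offline.

```python
"""Placeholder heuristics for registrar-format WHOIS contact data."""
import re

ROLES = ("Registrant", "Administrative Contact", "Technical Contact", "Billing Contact")
_ROLE_RE = re.compile(r"^(%s):\s*$" % "|".join(re.escape(r) for r in ROLES))


def _fields(lines: list) -> dict:
    """First line is the name; then tel:/fax:, a bare e-mail, or a 6-digit postal code."""
    f = {"name": lines[0] if lines else ""}
    for l in lines[1:]:
        low = l.lower()
        if low.startswith("tel:"):
            f["tel"] = l[4:].strip()
        elif low.startswith("fax:"):
            f["fax"] = l[4:].strip()
        elif "@" in l and " " not in l:
            f["email"] = l
        else:
            m = re.search(r"\b(\d{6})\b", l)      # six-digit PRC postal code
            if m:
                f["postal"] = m.group(1)
    return f


def parse_contacts(record: str) -> dict:
    """{role: fields}. A role block starts at 'Role:' and ends at the next blank line."""
    contacts, role, lines = {}, None, []
    for raw in record.splitlines() + [""]:        # trailing "" closes the last block
        line = raw.strip()
        m = _ROLE_RE.match(line)
        if m:
            role, lines = m.group(1), []
            contacts[role] = {}
        elif role is not None and line:
            lines.append(line)
        elif role is not None:                      # blank line: block finished
            contacts[role] = _fields(lines)
            role = None
    return contacts


def _filler_run(digits: str) -> bool:
    """True if any six-digit window is a straight run (123456, 654321) or one repeated digit."""
    for i in range(len(digits) - 5):
        w = digits[i:i + 6]
        if w in "0123456789" or w in "9876543210" or len(set(w)) == 1:
            return True
    return False


def placeholder_flags(record: str) -> list:
    """Human-readable reasons the contact data looks fabricated (empty list = nothing odd)."""
    contacts = parse_contacts(record)
    flags = []
    for role, f in contacts.items():
        postal = f.get("postal", "")
        if postal and len(set(postal)) <= 2:      # 000001, 100000, 111111 ...
            flags.append(f"{role}: postal code {postal} looks like filler")
        digits = re.sub(r"\D", "", f.get("tel", ""))
        if digits and _filler_run(digits):
            flags.append(f"{role}: phone {f['tel']} contains a keyboard run")
        if f.get("tel") and f.get("tel") == f.get("fax"):   # weak signal on its own
            flags.append(f"{role}: fax number identical to phone")
    with_email = [f for f in contacts.values() if f.get("email")]
    emails = {f["email"] for f in with_email}
    if len(with_email) >= 2 and len(emails) == 1:
        flags.append(f"one mailbox {emails.pop()} is used for every contact role")
    names = {f["name"] for f in contacts.values() if f.get("name")}
    if len(contacts) >= 2 and len(names) == 1:
        flags.append(f"same name '{names.pop()}' in every role")
    return flags


# Trimmed copy of the black3389.com record shown above, used as sample input.
SAMPLE_RECORD = """Domain Name:black3389.com

Registrant:
fang bing
 bei jing
 000001

Administrative Contact:
fang bing
 fang bing
 bei jing
 bei jing Beijing 000001
 China
 tel: 86 010 6123456
 fax: 86 010 6123456
 qbbs@xinoffice.com

Technical Contact:
fang bing
 fang bing
 bei jing
 bei jing Beijing 000001
 China
 tel: 86 010 6123456
 fax: 86 010 6123456
 qbbs@xinoffice.com

Billing Contact:
fang bing
 fang bing
 bei jing
 bei jing Beijing 000001
 China
 tel: 86 010 6123456
 fax: 86 010 6123456
 qbbs@xinoffice.com

 Registration Date: 2006-08-22
 Expiration Date: 2007-08-22
"""

if __name__ == "__main__":
    for flag in placeholder_flags(SAMPLE_RECORD):
        print(flag)
```

Each flag is a weak signal on its own; a dozen of them on one record means the registrant fields carry no attribution value, and the only firm facts left are the registrar and the creation date.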

Those contact details (phone and fax both 010 6123456, postal code 000001, the same name and mailbox in every role) are plainly filler, so the record identifies the registrar, XIN NET, but not the person behind the domain.

Now the other site, hxxp://xia888.***.net:

Pinging xia888.***.net [60.172.174.31] with 32 bytes of data:

Reply from 60.172.174.31: bytes=32 time=35ms TTL=114
Reply from 60.172.174.31: bytes=32 time=34ms TTL=114
Reply from 60.172.174.31: bytes=32 time=35ms TTL=114

WHOIS results for: 60.172.174.31
% Joint Whois
%     This server accepts single ASN, IPv4 or IPv6 queries
 
% [whois.apnic.net node-1]
% Whois data copyright terms       hxxp://www.***.net/db/dbcopyright.html

inetnum:         60.166.0.0 - 60.175.255.255
netname:         CHINANET-AH
descr:           CHINANET anhui province network
descr:           China Telecom
descr:           A12,Xin-Jie-Kou-Wai Street
descr:           Beijing 100088
country:         CN
admin-c:         CH93-AP
tech-c:          JW89-AP
mnt-by:          APNIC-HM
mnt-routes:      MAINT-CHINANET-AH
mnt-lower:       MAINT-CHINANET-AH
status:          ALLOCATED PORTABLE
changed:         hm-changed@apnic.net 20040721
source:          APNIC

person:          Chinanet Hostmaster
nic-hdl:         CH93-AP
e-mail:          anti-spam@ns.chinanet.cn.net
address:         No.31 ,jingrong street,beijing
address:         100032
phone:           +86-10-58501724
fax-no:          +86-10-58501724
country:         CN
changed:         dingsy@cndata.com 20070416
mnt-by:          MAINT-CHINANET
source:          APNIC

person:          Jinneng Wang
address:         17/F, Postal Building No.120 Changjiang
address:         Middle Road, Hefei, Anhui, China
country:         CN
phone:           +86-551-2659073
fax-no:          +86-551-2659287
e-mail:          wang@mail.hf.ah.cninfo.net
nic-hdl:         JW89-AP
mnt-by:          MAINT-NEW
changed:         wang@mail.hf.ah.cninfo.net 19990818
source:          APNIC
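For the IP side, the questions an incident responder asks of that APNIC output are which allocation the host sits in and which contact that allocation points to. The parser below is an added example, not from the article: it splits RPSL-style output into objects, finds the inetnum range that contains the address, and resolves its admin-c/tech-c handles to the e-mail of the matching person objects. The embedded text is a trimmed copy of the APNIC objects above, used as a constructed sample so this runs offline.

```python
"""RPSL (whois.apnic.net style) parsing: which inetnum holds an IP, and whom to contact."""
import ipaddress


def parse_rpsl(text: str) -> list:
    """Objects as lists of (key, value) pairs; blank lines separate objects,
    '%' comment lines are skipped."""
    objects, cur = [], []
    for raw in text.splitlines() + [""]:
        line = raw.rstrip()
        if line.startswith("%"):
            continue
        if not line.strip():
            if cur:
                objects.append(cur)
                cur = []
            continue
        key, _, val = line.partition(":")
        cur.append((key.strip(), val.strip()))
    return objects


def _get(obj: list, key: str) -> list:
    return [v for k, v in obj if k == key]


def inetnum_range(obj: list):
    """'inetnum: a - b' -> (IPv4Address(a), IPv4Address(b))."""
    start, end = [s.strip() for s in _get(obj, "inetnum")[0].split("-")]
    return ipaddress.ip_address(start), ipaddress.ip_address(end)


def _contact_email(people: dict, handles: list):
    for h in handles:
        emails = _get(people.get(h, []), "e-mail")
        if emails:
            return emails[0]
    return None


def allocation_for(ip: str, text: str) -> dict:
    """Summary of the inetnum containing `ip`, or {} if none in `text` does."""
    addr = ipaddress.ip_address(ip)
    objects = parse_rpsl(text)
    people = {h: o for o in objects for h in _get(o, "nic-hdl")}
    for o in objects:
        if not _get(o, "inetnum"):
            continue
        lo, hi = inetnum_range(o)
        if lo <= addr <= hi:
            return {
                "inetnum": _get(o, "inetnum")[0],
                "netname": _get(o, "netname")[0],
                "country": _get(o, "country")[0],
                "admin_email": _contact_email(people, _get(o, "admin-c")),
                "tech_email": _contact_email(people, _get(o, "tech-c")),
                "size": int(hi) - int(lo) + 1,
            }
    return {}


# Trimmed copy of the APNIC objects shown above (constructed sample input).
SAMPLE_APNIC = """% [whois.apnic.net node-1]
% Whois data copyright terms    hxxp://www.***.net/db/dbcopyright.html

inetnum:         60.166.0.0 - 60.175.255.255
netname:         CHINANET-AH
descr:           CHINANET anhui province network
descr:           China Telecom
country:         CN
admin-c:         CH93-AP
tech-c:          JW89-AP
mnt-by:          APNIC-HM
status:          ALLOCATED PORTABLE
source:          APNIC

person:          Chinanet Hostmaster
nic-hdl:         CH93-AP
e-mail:          anti-spam@ns.chinanet.cn.net
country:         CN
source:          APNIC

person:          Jinneng Wang
e-mail:          wang@mail.hf.ah.cninfo.net
nic-hdl:         JW89-AP
source:          APNIC
"""

if __name__ == "__main__":
    print(allocation_for("60.172.174.31", SAMPLE_APNIC))
```

The `size` field is the reminder that this is a provincial carrier block of ten /16s, so the allocation tells you which abuse desk to write to and nothing about the individual behind the host.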

Related: Analysis report: the web-trojan pages produced by this downloader generator