Evening tip from 狮子: China Blog Network (www.blogcn.com) appears to be infected :-(
China Blog Network www.blogcn.com has been planted with a password-stealing trojan and the Viking (维金) worm: help.exe 1cxxxx.exe NewInfo.dll NewInfo.bak msmsgs.exe IDrivers.pif
Downloaded by exploiting the ANI vulnerability:
hxxp://www.i5460.net/admin12/help.exe
hxxp://cool.47555.com/1cxxxx.exe
1. Password-stealing trojan
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.dll
C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.bak
CLSID\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{A6011F8F-A7F8-49AA-9ADA-49127D43138F}
2. Viking worm
code by xiaohui
Setup.exe
c:\Deleteme.bat
msmsgs.exe
SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}
StubPath ---> C:\Program Files\Web Publish\IDrivers.pif
Downloads:
hxxp://cool.47555.com/ccc/12.exe
hxxp://cool.47555.com/ccc/8-1a.exe
hxxp://cool.47555.com/ccc/mh.exe
hxxp://cool.47555.com/ccc/wmgj.exe
hxxp://cool.47555.com/ccc/wl.exe
hxxp://cool.47555.com/ccc/fy.exe
hxxp://cool.47555.com/ccc/1.exe
hxxp://cool.47555.com/ccc/2.exe
hxxp://cool.47555.com/ccc/3.exe
hxxp://cool.47555.com/up.asp
saved as C:\Program Files\Web Publish\temp[1].exe through temp[10].exe
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
%programfiles%\Internet Explorer\IEXPLORE.EXE
Software\Microsoft\Windows\CurrentVersion\App Paths\MSMSGS.EXE
%programfiles%\Messenger\msmsgs.exe
Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE
%programfiles%\Windows Media Player\wmplayer.EXE
SOFTWARE\TENCENT\PLATFORM_TYPE_LIST\1
TypePath --> %programfiles%\TENCENT\QQ.exe
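As an added example (not part of the original post), here is a small Python checker that turns the indicators above into a host scan: it parses a Windows .reg export (the text produced by `reg export`) plus a flat list of file paths, and flags the ShellExecuteHooks CLSID, the CLSID registration pointing at NewInfo.dll, the Active Setup StubPath that launches IDrivers.pif, the dropped file names and the temp[N].exe downloads under Web Publish. The registry dump and file list embedded below are constructed for the demo; the benign hook GUID in it is made up.

```python
"""IoC checker for the blogcn.com incident (added example, not the post's own tool)."""
import re

# Indicators taken from the post; Windows registry paths are case-insensitive,
# so everything is compared in lower case.
SHELLEXEC_HOOK_CLSID = "{a6011f8f-a7f8-49aa-9ada-49127d43138f}"
ACTIVE_SETUP_GUID = "{2bf41073-b2b1-21c1-b5c1-0701f4155588}"
BAD_FILE_NAMES = {"newinfo.dll", "newinfo.bak", "idrivers.pif", "deleteme.bat",
                  "help.exe", "1cxxxx.exe"}
BAD_DOMAINS = {"cool.47555.com", "www.i5460.net"}


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers and "name"="string" values.
    Returns {key_lower: {value_name_lower: data}}; non-string data (hex:, dword:) is kept raw."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$', line)
        if not m:
            continue
        name = "" if m.group(2) else m.group(1)   # "@" is the key's default value
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg backslash escaping
        reg[current][name.lower()] = data
    return reg


def _basename(path):
    return str(path).lower().replace("/", "\\").rsplit("\\", 1)[-1]


def find_indicators(reg, file_paths):
    """Return (kind, location, detail) tuples for every indicator match."""
    findings = []
    for key, values in reg.items():
        # ShellExecuteHooks entry: the DLL gets loaded into every process calling ShellExecute
        if key.endswith("\\explorer\\shellexecutehooks") and SHELLEXEC_HOOK_CLSID in values:
            findings.append(("ShellExecuteHooks", key, SHELLEXEC_HOOK_CLSID))
        # CLSID registration whose server path is one of the dropped files
        if "\\clsid\\" + SHELLEXEC_HOOK_CLSID in key:
            for data in values.values():
                if _basename(data) in BAD_FILE_NAMES:
                    findings.append(("CLSID InProcServer32", key, data))
        # Active Setup StubPath: run once per user profile at logon
        if "\\active setup\\installed components\\" + ACTIVE_SETUP_GUID in key:
            if values.get("stubpath"):
                findings.append(("Active Setup StubPath", key, values["stubpath"]))
        # any value that still references the download hosts
        for name, data in values.items():
            if any(d in str(data).lower() for d in BAD_DOMAINS):
                findings.append(("download host reference", key + "\\" + name, data))
    for path in file_paths:
        low, base = path.lower(), _basename(path)
        if base in BAD_FILE_NAMES:
            findings.append(("file", path, base))
        elif re.fullmatch(r"temp\[\d+\]\.exe", base) and "\\web publish\\" in low:
            findings.append(("dropped download", path, base))
    return findings


# Constructed sample data: a trimmed .reg export and a file listing from an "infected" host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-2222-3333-4444-555555555555}"=""
"{A6011F8F-A7F8-49AA-9ADA-49127D43138F}"=""

[HKEY_CLASSES_ROOT\CLSID\{A6011F8F-A7F8-49AA-9ADA-49127D43138F}\InProcServer32]
@="C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\NewInfo.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41073-b2b1-21c1-b5c1-0701f4155588}]
"StubPath"="C:\\Program Files\\Web Publish\\IDrivers.pif"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
'''
SAMPLE_FILES = [
    r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.dll",
    r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\NewInfo.bak",
    r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\msinfo32.exe",  # legitimate, must not match
    r"C:\Program Files\Web Publish\temp[3].exe",
    r"C:\Deleteme.bat",
    r"C:\Windows\temp[3].exe",  # same name outside Web Publish: not the worm's drop pattern
]


def scan(reg_text=SAMPLE_REG, files=SAMPLE_FILES):
    return find_indicators(parse_reg_export(reg_text), files)


if __name__ == "__main__":
    for kind, where, detail in scan():
        print(f"[{kind}] {where} -> {detail}")
```

On a real host, feed `scan()` the text of `reg export HKLM\SOFTWARE hklm.reg` (and the HKCR and HKCU hives) together with a recursive listing of %programfiles% and the drive root; the checker only reports entries that match the post's indicators, so a clean machine yields an empty list.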
Unofficial ANI patch download: http://www.eeye.com/html/research/tools/WindowsANIZeroDayPatchSetup.exe
http://killvir.hits.io/tools/PatchAni.zip
Block cool.47555.com.