Rising Kaka Security Forum

Asking for help decoding this site: http://www.krvkr.com/worm.htm
xiaoqiang305 - 2009-6-11 20:31:00
This site, hxxp://studftp.stut.edu.tw/~494j0905/index.htm,
pulls in hxxp://www.krvkr.com/worm.htm. When I run it through FreShow, Kaspersky flags it, but I can't find any drive-by download address. Please help, thanks :kaka4:
Log is generated by FreShow.
[wide]http://studftp.stut.edu.tw/~494j0905/index.htm
    [frame]http://www.krvkr.com/worm.htm
        [script]http://www.krvkr.com/js/general.js
            [object]http://www.searchnut.com/?domain=krvkr.com
        [frame]http://searchportal.information.com/?a_id=77321&domainname=krvkr.com&design_id=605
Couldn't find a drive-by download address.... There is something inside that looks encrypted that I couldn't decode.

User system info: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
夲號ヱ被ジ盜 - 2009-6-11 20:42:00
This is what your file looks like when I download and open it.
Hope this helps.



Downloading from the address in the picture above gives this instead.
It looks encrypted to me.
Take a look:
<html>
<head>
<title>krvkr.com</title>
<script type="text/javascript" src="/js/general.js"></script>
<script type="text/javascript">
ChkRequestEnc('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');
</script>
<script type="text/javascript">
var fl = "cpx";
var u = "/" + fl + ".php";
u = u + "?enc=YToyMTp7aTowO3M6MTk6IjIwMDktMDYtMTEgMjI6NDc6MjciO2k6MTtzOjY6IjEwMDI5OCI7aToyO047aTozO3M6OTQ6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMS4xLjQzMjI7IC5ORVQgQ0xSIDIuMC41MDcyNykiO2k6NDtzOjE6Ii8iO2k6NTtzOjEyOiI2MS4xNzkuMTI0LjIiO2k6NjtzOjE6IjMiO2k6NztzOjA6IiI7aTo4O3M6MDoiIjtpOjk7czowOiIiO2k6MTA7czowOiIiO2k6MTE7czowOiIiO2k6MTI7czoyOiIxNSI7aToxMztzOjk6ImtydmtyLmNvbSI7aToxNDtzOjc2OiJodHRwOi8vd3d3LnNlYXJjaG51dC5jb20vP2RvbWFpbj1rcnZrci5jb20mcmVnaXN0cmFyPTIxMEU0NjNBNUQmYWZmaWxpYXRlPWRwIjtpOjE1O3M6NToiNDAuMDAiO2k6MTY7czo0OiIwLjAwIjtpOjE3O3M6NDY6IlN1Ym5ldCB0ZW1wb3JhcmlseSBiYW5uZWQsIHN1c3BpY2lvdXMgdHJhZmZpYy4iO2k6MTg7TjtpOjE5O047aToyMDtOO30%3D";
var w = '690';
var h = '320';
var wV = 'scrollbars=no,resizable=yes,toolbar=no,' + 'menubar=no,status=no,location=no,height=' + h + ',width=' + w;
tW = window.open(u, "tWin", wV);
if (null !== tW)
{
tW.blur();
window.focus();
}
</script>

</head>
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
  <!-- served Parked -->
  <frame src="http://www.searchnut.com/?domain=krvkr.com&registrar=210E463A5D&affiliate=dp">
<noframes>
<body bgcolor="#ffffff" text="#000000">
  <a href="http://www.searchnut.com/?domain=krvkr.com&registrar=210E463A5D&affiliate=dp">Click here to enter</a>.
</body>
</noframes>
</frameset>
</html>
幸福耗子 - 2009-6-11 20:47:00
The strange thing is that I didn't find anything.

Duba flags it too  -.-

I decoded it and found nothing.
kekao - 2009-6-11 20:52:00
The author has already been sentenced. The site has expired. Those bits are probably related to the pop-up window.
xiaoqiang305 - 2009-6-11 20:56:00
What it's flagging seems to be the once-rampant Panda Burning Incense :kaka5:  Here is what Norton reports:      W32.Fujacks!html
Strange, nothing found. Kaspersky reports it as Worm.Win32.Fujack.a  :kaka6:

Why is that?
xiaoqiang305 - 2009-6-11 21:48:00
It's this pile of what looks like base64 encoding, but I still can't get anything out of it:
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');
Never mind, let's treat it as an unsolved mystery ~~ Thanks~
幸福耗子 - 2009-6-11 22:03:00
a:21:{i:0;s:19:"2009-06-11 22:47:27";i:1;s:6:"100298";i:2;N;i:3;s:94:"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";i:4;s:1:"/";i:5;s:12:"61.179.124.2";i:6;s:1:"3";i:7;s:0:"";i:8;s:0:"";i:9;s:0:"";i:10;s:0:"";i:11;s:0:"";i:12;s:2:"15";i:13;s:9:"krvkr.com";i:14;s:76:"http://www.searchnut.com/?domain=krvkr.com&registrar=210E463A5D&affiliate=dp";i:15;s:5:"40.00";i:16;s:4:"0.00";i:17;s:46:"Subnet temporarily banned, suspicious traffic.";i:18;N;i:19;N;i:20;N;}

This is the result of base64-decoding it.
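The decoded text above is a PHP serialize() array, which is why it looks like noise but contains no script: `a:21:{...}` declares 21 entries, each `s:N:"..."` is a string of N bytes, `i:N` an integer and `N;` a null. The following is an added example (not code from the thread or from the sites discussed) that takes the `enc` value exactly as it appears in the `window.open()` URL of the posted page source, URL-decodes it, base64-decodes it and parses the PHP serialize format into a Python dict so each field can be inspected by position. The decoder reads the declared byte lengths rather than scanning for quotes, so a value containing quotes or `;` cannot desynchronise it.

```python
import base64
from urllib.parse import unquote

# The `enc` query parameter from the window.open() URL in the page source posted above
# (copied from the thread; URL-encoded, so the trailing %3D is the base64 '=' padding).
ENC = "YToyMTp7aTowO3M6MTk6IjIwMDktMDYtMTEgMjI6NDc6MjciO2k6MTtzOjY6IjEwMDI5OCI7aToyO047aTozO3M6OTQ6Ik1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDYuMDsgV2luZG93cyBOVCA1LjE7IFNWMTsgLk5FVCBDTFIgMS4xLjQzMjI7IC5ORVQgQ0xSIDIuMC41MDcyNykiO2k6NDtzOjE6Ii8iO2k6NTtzOjEyOiI2MS4xNzkuMTI0LjIiO2k6NjtzOjE6IjMiO2k6NztzOjA6IiI7aTo4O3M6MDoiIjtpOjk7czowOiIiO2k6MTA7czowOiIiO2k6MTE7czowOiIiO2k6MTI7czoyOiIxNSI7aToxMztzOjk6ImtydmtyLmNvbSI7aToxNDtzOjc2OiJodHRwOi8vd3d3LnNlYXJjaG51dC5jb20vP2RvbWFpbj1rcnZrci5jb20mcmVnaXN0cmFyPTIxMEU0NjNBNUQmYWZmaWxpYXRlPWRwIjtpOjE1O3M6NToiNDAuMDAiO2k6MTY7czo0OiIwLjAwIjtpOjE3O3M6NDY6IlN1Ym5ldCB0ZW1wb3JhcmlseSBiYW5uZWQsIHN1c3BpY2lvdXMgdHJhZmZpYy4iO2k6MTg7TjtpOjE5O047aToyMDtOO30%3D"


def _expect(data: bytes, pos: int, token: bytes) -> None:
    """Raise if `token` is not at `pos`; malformed input must fail loudly, not be guessed at."""
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}, got {data[pos:pos + len(token)]!r}")


def _parse(data: bytes, pos: int):
    """Parse one PHP serialize() value starting at `pos`; return (value, next_pos)."""
    tag = chr(data[pos])
    if tag == "N":                        # N;  -> null
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in "ibd":                      # i:123;  b:1;  d:1.5;
        _expect(data, pos + 1, b":")
        end = data.index(b";", pos + 2)
        raw = data[pos + 2:end].decode("ascii")
        value = int(raw) if tag == "i" else (raw == "1" if tag == "b" else float(raw))
        return value, end + 1
    if tag == "s":                        # s:<byte length>:"<bytes>";
        _expect(data, pos + 1, b":")
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        _expect(data, colon + 1, b'"')
        start, end = colon + 2, colon + 2 + length
        _expect(data, end, b'";')         # the declared length delimits the string, not a quote scan
        return data[start:end].decode("utf-8", "replace"), end + 2
    if tag == "a":                        # a:<count>:{<key><value>...}
        _expect(data, pos + 1, b":")
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        _expect(data, colon + 1, b"{")
        pos = colon + 2
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        _expect(data, pos, b"}")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


def parse_php_serialized(data: bytes):
    """Parse a complete PHP serialize() blob (subset: a, i, s, b, d, N) into Python objects."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes after serialized value")
    return value


def decode_enc(param: str):
    """URL-decode, base64-decode (strictly) and parse the `enc` parameter into a dict."""
    return parse_php_serialized(base64.b64decode(unquote(param), validate=True))


if __name__ == "__main__":
    for index, value in decode_enc(ENC).items():
        print(f"{index:>2}: {value!r}")
```

The keys come out as the integers 0 to 20 because the array is positional. What it carries is the parking service's record of the request itself: a timestamp, the client's User-Agent, the client IP, the parked domain, the searchnut.com redirect URL and the message "Subnet temporarily banned, suspicious traffic." There is no script, shellcode or download URL in it, which matches what the posters who decoded it found; whatever triggered the antivirus detections mentioned in the thread, it is not this parameter.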
09kaka - 2009-6-12 10:42:00
No need to decode it any more; the site is clean now.

http://www.virustotal.com/zh-cn/analisis/c3b8f7eb03588d32c687f383341d56a79ed1c36a65b94ef299c7a7d3469be5ad-1244774429