标题:php病毒代码分析,指导一下~
cuimartin
php病毒代码分析,指导一下~

小弟上网时发现我的Antivir PE报告IE临时文件里有TR/PSW.Nilage.anm木马,我打开一看,发现这个病毒是个php文件.
php文件的内容是:
/**
 * Handler assigned to window.onerror further down.
 * Always reports the error as handled (returns true), which stops the
 * browser from surfacing script errors on the page.
 * @returns {boolean} always true
 */
function blockError() {
  const handled = true;
  return handled;
}
// NOTE(review): this listing is client-side JavaScript, not PHP. In the script as
// pasted here there is no statement that changes the browser home page or downloads
// a file; what it does is open 1x1 "about:blank" windows (window.open calls below),
// navigate them to advertising URLs (getPaypopupURL()) and push them behind the
// current page (pop-under ads). Whether the AV alert refers to this file itself or
// to something the ad URLs later serve cannot be decided from this listing alone.
// Suppress script-error reporting: blockError() returns true, i.e. "handled".
window.onerror = blockError;
//bypass norton internet security popup blocker
// If a popup blocker has wrapped window.open and kept the original under one of
// these names (Symantec's SymRealWinOpen; NS_ActualOpen presumably Netscape), put
// the original back so the later window.open calls are not filtered.
if (window.SymRealWinOpen){window.open = SymRealWinOpen;}
if (window.NS_ActualOpen) {window.open = NS_ActualOpen;}
// Configuration globals. Each `typeof ... == 'undefined'` guard lets the embedding
// page predefine the value; otherwise the default below applies.
if (typeof(usingClick) == 'undefined') {var usingClick = false;}   // open on the user's next click (decided in version())
if (typeof(usingObject) == 'undefined') {var usingObject = false;} // IE <OBJECT>/createPopup path (setupObject/tryObject/openObject/showObject)
if (typeof(usingEditor) == 'undefined') {var usingEditor = false;} // IE ActiveX path (startObject/popObject)
if (typeof(popwin) == 'undefined') {var popwin = null;}            // assigned by the paypopupOpen() string injected in popObject()
if (typeof(poped) == 'undefined') {var poped = false;}             // true once an ad window was opened; most functions return early when set
// Query fragment appended to the ad URL; `ref` carries the URL of the page this script runs on.
if (typeof(paypopupURL) == 'undefined') {var paypopupURL = "&serverfile=paypopup&ref="+escape(self.location);}
if (typeof(contextualAds) == 'undefined') {var contextualAds = '';} // overwritten unconditionally below, so this guard is moot
// Hidden zero-size container that later functions fill with <input>/<iframe>/<object> markup.
if (!document.getElementById('paypopupScriptDiv')) {document.writeln('<div id=paypopupScriptDiv style="top: 0; width: 0; height: 0; position: relative; visibility: hidden;"></div>');}
var blk = 1;                     // master switch; version() ANDs it into usingClick/usingObject/usingEditor
var setupClickSuccess = false;   // guards setupClick() so the onclick hook is installed only once
var googleInUse = false;         // set by detectGoogle(); selects the createPopup branch in tryObject()/showObject()
var pop = 'exit';                // 'enter' = pop at load, anything else = pop from onunload (see loadingPop())
var myurl = document.location.protocol + "//" + document.location.host; // origin of the host page; base URL for objectFile
var fc = '-1'; //hours
// NOTE(review): with fc = '-1' neither branch of setPayPopUpCookie() runs ('-1' > 0 and
// '-1' == 0 are both false), so this script never writes its own frequency-cap cookie.
var cookieValue = 'yes';
var cookieName = 'PayPopUpAds';
var objectFile = 'paypopup.html'; // loaded from myurl into the <OBJECT> elements built in setupObject()
/**
 * Writes the frequency-cap cookie `cookieName=cookieValue` with path=/.
 * fc > 0: expires fc hours from now (3600000 ms per hour); fc == 0: session cookie;
 * any other fc (the default '-1'): nothing is written. No return value.
 */
function setPayPopUpCookie() { if (fc > 0) { var today = new Date(); var expire = new Date(); expire.setTime(today.getTime() + 3600000 * fc); document.cookie = cookieName+"="+escape(cookieValue) + ";expires="+expire.toGMTString() + "; path=/"; } else if (fc == 0) { document.cookie = cookieName+"="+escape(cookieValue) + "; path=/"; } }
/**
 * Returns the unescaped value of the `cookieName` cookie, or "" when cookieName is
 * empty or does not occur in document.cookie.
 * NOTE(review): the lookup is a plain indexOf over the whole cookie string, so a cookie
 * whose name merely contains cookieName as a substring would also match; the value is
 * read from one character after the match (skipping the '=') up to the next ';' or the end.
 */
function ReadPayPopUpCookie() {var theCookie=""+document.cookie; var ind=theCookie.indexOf(cookieName); if (ind==-1 || cookieName=="") return ""; var ind1=theCookie.indexOf(';',ind); if (ind1==-1) ind1=theCookie.length; return unescape(theCookie.substring(ind+cookieName.length+1,ind1));}
// If the frequency-cap cookie already holds cookieValue, treat the page as "already popped".
if (ReadPayPopUpCookie() == cookieValue){ poped=true; }
// Ad-network redirect URL (Clicksor serving endpoint with publisher/site ids baked in).
// getPaypopupURL() appends the escaped target URL after the trailing `durl=`.
// This assignment is unconditional, so the typeof guard for contextualAds above never matters.
contextualAds = 'http://ads.clicksor.com/serving/links.php?t=network&pnid=2&npid=sejiecn&nsid=52913&sid=42&pid=40&ref=http%3A%2F%2Forc.mpage.jp%2F&memkey=97badc43d5497d8b90bf3c49bbe01af4&qp=%60%5E%25%21.%FE%21%28%21%F9%21%2F%FB%25%29%25&sid=42&pid=40&status=&nid=2&durl=';
var MAX_TRIED = 20;         // retry budget for the tryObject()/openObject() polling loops
var objectTried = false;    // true once the IE <OBJECT> path has fired or been given up on
var tried = 0;              // polling counter compared against MAX_TRIED
var randkey = '0'; // random key from server
// NOTE(review): openObject() passes escape(randkey).substring(1) to fireEvent, which is "" for the default '0'.
var myWindow;               // `object.parentWindow` obtained in tryObject()
var popWindow;              // window.createPopup() result from setupObject() (IE only)
var setupObjectSuccess = 0; // 0..5 = retry count, 6 = markup injected (see setupObject())
// bypass IE functions
/**
 * IE-only setup for the <OBJECT> pop path; does nothing unless usingObject is true.
 * Into #paypopupScriptDiv it injects: a hidden <INPUT id="autoHit"> whose inline
 * ONKEYPRESS handler calls showObject(); an <IFRAME name="popIframe">; and an
 * <OBJECT id="getParentFrame"> whose DATA is myurl + '/' + objectFile. It also creates a
 * window.createPopup() popup (popWindow) whose body holds a second such object
 * (id="getParentDiv" inside #objectRemover). On success setupObjectSuccess becomes 6.
 * If the div is not in the DOM yet it simply re-schedules itself after 500 ms; if any step
 * throws it retries after 500 ms up to 5 times (setupObjectSuccess) and then sets
 * objectTried = true (give up). The synthetic keypress fired by openObject() is what later
 * reaches showObject() through the injected input.
 */
function setupObject() {if (usingObject) {try{if (setupObjectSuccess < 5) {var psDiv = document.getElementById('paypopupScriptDiv');if (psDiv) {psDiv.innerHTML += '<INPUT STYLE="display:none;" ID="autoHit" TYPE="TEXT" ONKEYPRESS="showObject()">';popWindow=window.createPopup();popWindow.document.body.innerHTML='<DIV ID="objectRemover"><OBJECT ID="getParentDiv" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="'+myurl+'/'+objectFile+'" TYPE="text/html"></OBJECT></DIV>';psDiv.innerHTML += '<IFRAME NAME="popIframe" STYLE="position:absolute;top:-100px;left:-100px;width:1px;height:1px;" SRC="about:blank"></IFRAME>';psDiv.innerHTML += '<OBJECT ID="getParentFrame" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="'+myurl+'/'+objectFile+'" TYPE="text/html"></OBJECT>';setupObjectSuccess = 6;}else {setTimeout('setupObject();',500);}}}catch(e){if (setupObjectSuccess < 5) {setupObjectSuccess++;setTimeout('setupObject();',500);}else if (setupObjectSuccess == 5) {objectTried = true;}}}}
/**
 * Polls until one of the <OBJECT>s injected by setupObject() has loaded, then stores its
 * `object.parentWindow` in myWindow: from popWindow's document (#getParentDiv) when
 * googleInUse, otherwise via the popIframe path (#getParentFrame; `popIframe` is resolved
 * as a global, which IE provides for named frames), in which case the iframe is reset to
 * about:blank. While neither is available it re-schedules itself every 200 ms, incrementing
 * `tried` and setting objectTried = true (give up) once MAX_TRIED is reached.
 * Once myWindow is set it calls openObject(), sets window.windowFired = true and refocuses
 * the page. No-op when objectTried or poped is already true.
 */
function tryObject(){if (!objectTried && !poped) {if (setupObjectSuccess == 6 && googleInUse && popWindow && popWindow.document.getElementById('getParentDiv') && popWindow.document.getElementById('getParentDiv').object && popWindow.document.getElementById('getParentDiv').object.parentWindow) {myWindow=popWindow.document.getElementById('getParentDiv').object.parentWindow;}else if (setupObjectSuccess == 6 && !googleInUse && popIframe && popIframe.getParentFrame && popIframe.getParentFrame.object && popIframe.getParentFrame.object.parentWindow){myWindow=popIframe.getParentFrame.object.parentWindow;popIframe.location.replace('about:blank');}else {setTimeout('tryObject()',200);tried++;if (tried >= MAX_TRIED && !objectTried) {objectTried = true;}return;}openObject();window.windowFired=true;self.focus();}}
/**
 * Once myWindow is set and window.windowFired is true, clears windowFired and fires a
 * synthetic "onkeypress" on the hidden #autoHit input, whose inline handler calls
 * showObject(). The second fireEvent argument is the value of the assignment expression,
 * i.e. escape(randkey).substring(1), not the created event object. Otherwise it
 * re-schedules itself after 100 ms. Every call increments `tried` and sets
 * objectTried = true once MAX_TRIED is reached. No-op when objectTried or poped.
 */
function openObject(){if (!objectTried && !poped) {if (myWindow && window.windowFired){window.windowFired=false;document.getElementById('autoHit').fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));}else {setTimeout('openObject();',100);}tried++;if (tried >= MAX_TRIED) {objectTried = true;}}}
/**
 * Final step of the IE <OBJECT> path, reached through the inline ONKEYPRESS handler that
 * openObject() triggers. When googleInUse it first detaches the object inside #objectRemover
 * from popWindow's document. Then opens a 1x1 "about:blank" window named 'Ads1162021676' at
 * the top-left corner and hands it to getPaypopupURL(..., 1); if that returns a falsy window
 * and googleInUse is still false, it sets googleInUse, resets `tried` and restarts
 * tryObject() on the popWindow branch. Always ends with objectTried = true.
 * No-op when objectTried or poped.
 */
function showObject(){if (!objectTried && !poped) {if (googleInUse) {window.daChildObject=popWindow.document.getElementById('objectRemover').children(0);window.daChildObject=popWindow.document.getElementById('objectRemover').removeChild(window.daChildObject);}if (!getPaypopupURL(window.open('about:blank','Ads1162021676','scrollbars=1,resizable=1,menubar=1,location=1,top=0,left=0,width=1,height=1'), 1)) {if (!googleInUse) {googleInUse=true;tried=0;tryObject();}}objectTried = true;}}
// end bypass IE functions
var startObjectSuccess = 0; // 0..5 = retry count for startObject(), 6 = <object> markup injected
/**
 * IE ActiveX path (usingEditor). Injects into #paypopupScriptDiv an <object id="paypopupObject">
 * with ActivateApplets/ActivateActiveXControls params and schedules popObject() 100 ms later.
 * NOTE(review): the CODEBASE points at the Flash player cab, but the classid is not the Flash
 * player's; it appears to be the DHTML Editing Control, which would fit popObject() driving the
 * control through .DOM.Script.execScript — confirm before relying on this. If the div is not in
 * the DOM yet, retries every 50 ms up to 5 times (startObjectSuccess) and then stops silently.
 */
function startObject(){var psDiv = document.getElementById('paypopupScriptDiv');if (psDiv) {psDiv.innerHTML += '<div><object id="paypopupObject" width=0 height=0 classid="clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="ActivateApplets" value="1"><param name="ActivateActiveXControls" value="1"></object></div>';startObjectSuccess = 6;setTimeout('popObject()', 100);}else if (startObjectSuccess < 5) {startObjectSuccess++;setTimeout('startObject();', 50);}}
/**
 * Opens the ad window through the ActiveX control injected by startObject().
 * Returns true immediately when poped. With both #paypopupScriptDiv and #paypopupObject
 * present it makes the div visible/absolute, uses pObj.DOM.Script.execScript to define a
 * paypopupOpen() function inside the control's own script context (that function calls
 * window.open('about:blank','Ads1162021676', 1x1 features) and blurs the result — presumably
 * so the open happens from that context rather than the page's), passes the returned window
 * to getPaypopupURL(..., 1), hides the div again and returns true. Any exception re-schedules
 * popObject() after 200 ms and the call returns false. If either element is missing the
 * function falls off the end and returns undefined.
 * @returns {boolean|undefined}
 */
function popObject(){if (poped) {return true;}var pObj = document.getElementById('paypopupObject');var psDiv = document.getElementById('paypopupScriptDiv');if (psDiv && pObj) {try {psDiv.style.visibility = 'visible';psDiv.style.position = 'absolute';pObj.DOM.Script.execScript("function paypopupOpen() {popwin = window.open('about:blank','Ads1162021676','scrollbars=1,resizable=1,menubar=1,location=1,top=0,left=0,width=1,height=1'); if (popwin) {popwin.blur();} return popwin;}");getPaypopupURL(pObj.DOM.Script.paypopupOpen(), 1);psDiv.style.position = 'relative';psDiv.style.visibility = 'hidden';return true;}catch(e) {setTimeout('popObject()', 200);}return false;}}
// normal call functions
/**
 * Plain entry point, used at load or from onunload (see loadingPop()).
 * If neither usingClick nor usingObject is set it opens the 1x1 'Ads1162021676' window
 * directly and routes it through getPaypopupURL(..., 0). If still not poped afterwards it
 * installs the click hook (setupClick()) and, when usingObject, starts tryObject().
 * No-op when poped.
 */
function paypopup(){if (!poped) {if(!usingClick && !usingObject) {getPaypopupURL(window.open('about:blank','Ads1162021676','scrollbars=1,resizable=1,menubar=1,location=1,top=0,left=0,width=1,height=1'), 0);}}if (!poped) {setupClick();if (usingObject) {tryObject();}}}
// end normal call functions
// onclick call functions
/**
 * Installs the document-wide click hook once (guarded by setupClickSuccess).
 * On browsers exposing window.Event it calls document.captureEvents(Event.CLICK) (legacy
 * Netscape API), saves the page's existing document.onclick in prePaypopOnclick — an
 * implicit global, declared without var — replaces it with paypopupClick, and focuses the
 * window. No-op when poped.
 */
function setupClick() {if (!poped && !setupClickSuccess){setupClickSuccess=true;if (window.Event) document.captureEvents(Event.CLICK);prePaypopOnclick = document.onclick;document.onclick = paypopupClick;self.focus();}}
/**
 * document.onclick replacement installed by setupClick().
 * On browsers with parseInt(navigator.appVersion) > 3 (no radix given) it decides whether this
 * was a left click — e.which == 1 on Netscape, assumed true elsewhere — and if so opens the
 * 1x1 'Ads1162021676' window routed through getPaypopupURL(..., 2). It then calls the saved
 * prePaypopOnclick handler if it is a function, without forwarding the event object.
 * No-op when poped.
 * @param {Event} e click event; only e.which is read, and only on Netscape
 */
function paypopupClick(e) {if (!poped) {if (parseInt(navigator.appVersion)>3) {var leftMouseClick = 1;if (navigator.appName == "Netscape") {leftMouseClick = (e.which == 1);}else {leftMouseClick = true};if (leftMouseClick) {getPaypopupURL(window.open('about:blank','Ads1162021676','scrollbars=1,resizable=1,menubar=1,location=1,top=0,left=0,width=1,height=1'), 2);}if (typeof(prePaypopOnclick) == "function") {prePaypopOnclick();}}}}
// end onclick call functions
// check version
/**
 * Only when usingObject: injects a hidden <OBJECT id="detectGoogle"> with a fixed CLASSID
 * (presumably a Google Toolbar component, going by the name — not verifiable here) into
 * #paypopupScriptDiv and ORs `typeof document.getElementById('detectGoogle') == 'object'`
 * into googleInUse; `|=` turns googleInUse into a number. If the div is not in the DOM yet it
 * retries every 10 ms without limit.
 * NOTE(review): typeof is 'object' for any element that exists, so this looks like it becomes
 * truthy whenever the markup was inserted — verify in the target browser.
 */
function detectGoogle() {if (usingObject) {var psDiv = document.getElementById('paypopupScriptDiv');if (psDiv) {psDiv.innerHTML += '<DIV STYLE="display:none;"><OBJECT ID="detectGoogle" CLASSID="clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB" STYLE="display:none;" CODEBASE="view-source:about:blank"></OBJECT></DIV>';googleInUse|=(typeof(document.getElementById('detectGoogle'))=='object');}else {setTimeout('detectGoogle()', 10);}}}
/**
 * Browser fingerprinting and mode selection, run once at load (call below).
 * From navigator.userAgent it derives os ('W1' if it contains "Win", else 'W0') and bs
 * ('I2' for the "SV1" token, i.e. IE on Windows XP SP2; 'I0' for Opera/Firefox; 'I1' for
 * other Microsoft/MSIE agents; default 'I0'), plus isframe (top != self), and appends all
 * three to paypopupURL. Then, gated by blk:
 *   usingClick  = SV1 or Opera or Firefox;
 *   usingObject = usingEditor = SV1 and (Microsoft or MSIE) and not Opera.
 * Finally calls detectGoogle().
 */
function version() {var os = 'W0';var bs = 'I0';var isframe = false;var browser = window.navigator.userAgent;if (browser.indexOf('Win') != -1) {os = 'W1';}if (browser.indexOf("SV1") != -1) {bs = 'I2';}else if (browser.indexOf("Opera") != -1) {bs = "I0";}else if (browser.indexOf("Firefox") != -1) {bs = "I0";}else if (browser.indexOf("Microsoft") != -1 || browser.indexOf("MSIE") != -1) {bs = 'I1';}if (top != self) {isframe = true;}paypopupURL = paypopupURL+"&os="+os+"&bs="+bs+"&isframe="+isframe;usingClick = blk && ((browser.indexOf("SV1") != -1) || (browser.indexOf("Opera") != -1) || (browser.indexOf("Firefox") != -1));usingObject = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));usingEditor = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));detectGoogle();}
// Run the fingerprinting/mode selection immediately at script load.
version();
// end check version
/**
 * Navigates a freshly opened window to the ad URL and turns it into a pop-under.
 * If contextualAds is non-empty (it is assigned unconditionally above, so this is the branch
 * taken unless the host page resets it) the window goes to the Clicksor URL with the escaped
 * adsrevenue.net links.php URL — carrying rurl=paypopupURL and bk — appended after `durl=`;
 * otherwise straight to the adsrevenue.net URL with ref=escape(self.location). It then blurs
 * the popup, refocuses this page, sets poped = true and calls setPayPopUpCookie().
 * The parameter popwin shadows the global of the same name.
 * @param {Window|null} popwin value returned by window.open; null/undefined means nothing is done
 * @param {number} bk tag sent in the URL: 0 from paypopup(), 1 from showObject()/popObject(), 2 from paypopupClick()
 * @returns {Window|null} the same popwin
 */
function getPaypopupURL(popwin, bk) {if (popwin) {if (contextualAds) {popwin.location = contextualAds+escape('http://popunder.adsrevenue.net/links.php?data=rSe_2%2F%FE.%2C%250%FE.1%2B%24S%5C7hcTa_Xl%F3koWgN5%2F%277%FE%2B+igN5%2B%264%7B%28%2C%264%21.&id=sejiecn&subid=52913&tid=1162021676&clater=&m=75&o=1&c=5121&a=65535&q=6&s=%3C%3D&ah=10&al=0&l=english&campaign=&rurl='+paypopupURL+'&bk='+bk+'&serverfile=popnetwork')+'&bk='+bk;}else {popwin.location = 'http://popunder.adsrevenue.net/links.php?data=rSe_2%2F%FE.%2C%250%FE.1%2B%24S%5C7hcTa_Xl%F3koWgN5%2F%277%FE%2B+igN5%2B%264%7B%28%2C%264%21.&id=sejiecn&subid=52913&tid=1162021676&clater=&m=75&o=1&c=5121&a=65535&q=6&s=%3C%3D&ah=10&al=0&l=english&campaign=&rurl='+paypopupURL+'&ref='+escape(self.location)+'&bk='+bk+'&serverfile=paypopup';}popwin.blur();self.focus();poped=true;setPayPopUpCookie();}return popwin;}
/**
 * Chooses the trigger at load time. Without usingClick/usingObject: pop immediately when
 * pop == "enter", otherwise (pop is 'exit' above) assign paypopup to window.onunload so the
 * ad window opens when the user leaves the page. With either flag set: install the click
 * hook (setupClick()) and, when usingObject, start tryObject().
 */
function loadingPop() {if(!usingClick && !usingObject) {if (pop == "enter") {paypopup();}else {onunload = paypopup;}}else {setupClick();if (usingObject) {tryObject();}}}
// Kick-off; the mode flags were set by version() above.
if (usingObject) {setupObject();}  // IE <OBJECT>/createPopup path
if (usingEditor) {startObject();}  // IE ActiveX control path
loadingPop();                      // direct / onunload / click trigger
self.focus();
//-->
//<script>self.location = 'about:blank';</script>
// Content Copyright (c) 2005 Paypopup.com. All Rights Reserved.


我对php一窍不通,只会一点html,这段代码是不是会修改IE主页、在线下载木马程序啊?请指教一下,谢谢,thank you very much!

[此贴子已经被作者于2006-10-28 21:17:50编辑过]

2006-10-28 21:13



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-99409-1-1.html



