还是上网这点破事。
刚关闭个IE选项卡,紧接着就弹出个淘宝页面。开始的时候,没太在意,后来又出现了几次。看到网上很多人都说是中毒了,我告诉你,你没中毒,是你刚刚关闭的页面的问题。不相信大家可以试试看,先清理掉IE临时文件和cookies,然后打开 lndns3.cncmax.cn:8080 ,新建一个选项卡,关闭第一个选项卡或者在第一个选项卡的地址栏里面输入一个网址打开。看,淘宝出现了!
查看 http://lndns3.cncmax.cn:8080/ 源码,有一段使用加密的JS代码:
<body onmousedown='stat(event)'>
<script language="javascript">
< !--document.write(unescape("%3Cscript%20language%3D%22javascript%22%3E%0D%0Avar%20val_pop_day%20%3D%201%3B%0D%0Avar%20val_pop_num%20%3D%201%3B%0D%0A%0D%0Afunction%20ext%28%29%20%0D%0A%7B%20%0D%0Aiie.launchURL%28popURL%29%3B%20%0D%0A%7D%20%0D%0A%0D%0Avar%20popURL%20%3D%20%27%68%74%74%70%3A%2F%2F%75%72%6c%2e%74%66%2e%77%6F%31%31%36%2e%63%6F%6D%2f%74%7a%2f%33%33%2e%68%74%6d%27%3B%0D%0A%0D%0Afunction%20SetCookie%28name%2C%20value%2C%20day%29%0D%0A%7B%0D%0A%20var%20exp%20%3D%20new%20Date%28%29%3B%20%0D%0A%20exp.setTime%28exp.getTime%28%29%20+%20day%20*%2060%20*%2060%20*%201000%29%3B%20%0D%0A%20document.cookie%20%3D%20name%20+%20%22%3D%22%20+%20escape%28value%29%20+%20%22%3Bexpires%3D%22%20+%20exp.toGMTString%28%29%3B%0D%0A%7D%0D%0Afunction%20getCookie%28name%29%0D%0A%7B%0D%0A%20var%20arr%20%3D%20document.cookie.match%28new%20RegExp%28%22%28%5E%7C%20%29%22%20+%20name%20+%20%22%3D%28%5B%5E%3B%5D*%29%28%3B%7C%24%29%22%29%29%3B%0D%0A%20if%20%28arr%20%21%3D%20null%29%0D%0A%20return%20unescape%28arr%5B2%5D%29%3B%0D%0A%7D%0D%0Afunction%20delCookie%28name%29%0D%0A%7B%0D%0A%20%20var%20exp%20%3D%20new%20Date%28%29%3B%20%0D%0A%20exp.setTime%28exp.getTime%28%29%20-%201%29%3B%0D%0A%20var%20cval%20%3D%20getCookie%28name%29%3B%0D%0A%20if%20%28cval%20%21%3D%20null%29%0D%0A%20document.cookie%20%3D%20name%20+%20%22%3D%22%20+%20cval%20+%20%22%3Bexpires%3D%22%20+%20exp.toGMTString%28%29%3B%0D%0A%7D%0D%0A%0D%0Afunction%20chkpopad%28n%2C%20d%29%7B%0D%0A%20var%20i%20%3D%201%3B%0D%0A%20if%20%28getCookie%28%27popnum%27%29%20%3D%3D%20null%29%7B%0D%0A%20eval%28%22window.attachEvent%28%27onbeforeunload%27%2Cext%29%3B%22%29%3B%20%0D%0A%20SetCookie%28%22popnum%22%2C%20i%2C%20d%29%3B%0D%0A%20%7D%0D%0A%0D%0A%20else%20if%20%28getCookie%28%27popnum%27%29%3Cn%29%7B%0D%0A%20eval%28%22window.attachEvent%28%27onbeforeunload%27%2Cext%29%3B%22%29%3B%20%0D%0A%20SetCookie%28%22popnum%22%2C%20parseInt%28getCookie%28%27popnum%27%29%29%20+%201%2C%20d%29%3B%0D%0A%20%7D%0D%0A%7D%0D%0Achkpopad%28val_pop_num%2Cval_pop_day%29%3B%0D%0A%3C/script%3E"));
//-->
</script>
将JS部分解密之后是这样的:
<script language="javascript">
var val_pop_day = 1;
var val_pop_num = 1;
function ext() {
iie.launchURL(popURL);
}
var popURL = 'http://url.tf.wo116.com/tz/33.htm';
function SetCookie(name, value, day) {
var exp = new Date();
exp.setTime(exp.getTime() + day * 60 * 60 * 1000);
document.cookie = name + "=" + escape(value) + ";expires=" + exp.toGMTString();
}
function getCookie(name) {
var arr = document.cookie.match(new RegExp("(^| )" + name + "=([^;]*)(;|$)"));
if (arr != null) return unescape(arr[2]);
}
function delCookie(name) {
var exp = new Date();
exp.setTime(exp.getTime() - 1);
var cval = getCookie(name);
if (cval != null) document.cookie = name + "=" + cval + ";expires=" + exp.toGMTString();
}
function chkpopad(n, d) {
var i = 1;
if (getCookie('popnum') == null) {
eval("window.attachEvent('onbeforeunload',ext);");
SetCookie("popnum", i, d);
}
else if (getCookie('popnum') < n) {
eval("window.attachEvent('onbeforeunload',ext);");
SetCookie("popnum", parseInt(getCookie('popnum')) + 1, d);
}
}
chkpopad(val_pop_num, val_pop_day);
</script>
直接打开 url.tf.wo116.com/tz/33.htm 就是那个淘宝页面了。有图为证:
本文结束。
4 Comments
Leave a comment