Malicious website trap: analysis and repair code

zhaozj2021-02-17  47

Analysis of the "Wan Valley of Flowers" malicious website "trap" and the code to repair it. Provided by: Qiu Tang (chutium)

Sina Technology report: The anti-virus emergency team of Beijing Jiangmin, a joint defense unit of the National Anti-Virus Emergency Treatment Center, recently detected a website on the Internet with the beautiful and seductive name "Wan Valley of Flowers". It is actually a malicious "trap": some people cannot resist the temptation, and with one gentle click of the mouse the computer is immediately paralyzed. This is another malicious website that uses the latest Java technology to do damage. Beijing Jiangmin reminds Internet users not to click when they encounter a website containing on888.xxx, and to turn on the KVW3000 real-time virus monitoring firewall to block and remove it.

The technical characteristics of the virus:

JS/ON888 is a new web page file containing harmful ActiveX code, which does its damage through a network address. Its destructive characteristics are as follows:

(1) Users cannot use DOS programs under Windows.

(2) Users are unable to exit Windows.

(3) The "Shut Down" item on the Start menu is blocked, and the user is prevented from restarting in DOS mode; DOS commands, the regedit command, etc. are disabled.

(4) The network address containing the harmful web code is added to the home page and favorites of the IE browser. Specifically: a: the network address is www.on888.xxx.xxx.com; b: a "Wanhua" shortcut is automatically added to "Favorites" in IE, with the network address "http://96xx.xxx.com".
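The symptoms listed above are all registry-level changes, so they can be checked from a registry export. The following audit is an added example, not the author's repair code: the policy value names are the standard Windows ones assumed to correspond to these symptoms (the page does not name them), and `SAMPLE` is a constructed export with a placeholder URL.

```python
import re
# Assumed: standard Windows policy value names matching the page's symptoms.
# SAMPLE is a constructed export for illustration, not data from the page.
POLICY = r"software\microsoft\windows\currentversion\policies"
IE_MAIN = r"software\microsoft\internet explorer\main"
RESTRICTIONS = {
    (POLICY + r"\explorer", "norun"): "Run command removed",
    (POLICY + r"\explorer", "noclose"): "Shut Down removed",
    (POLICY + r"\explorer", "nologoff"): "Log Off removed",
    (POLICY + r"\explorer", "nodesktop"): "desktop hidden",
    (POLICY + r"\explorer", "nodrives"): "drive letters hidden",
    (POLICY + r"\system", "disableregistrytools"): "regedit disabled",
    (POLICY + r"\winoldapp", "disabled"): "DOS programs disabled",
    (POLICY + r"\winoldapp", "norealmode"): "restart in DOS mode disabled",
}
BROWSER = {"start page": "home page", "window title": "title bar text"}
SAMPLE = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
"NoDrives"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://on888.example.invalid/"
"Window Title"="Microsoft Internet Explorer"
'''

def parse_reg(text):
    """Yield (key without hive, value name, raw data) from a regedit export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[HKEY_[A-Z_]+\\(.+)\]", line)
        if m:
            key = m.group(1).lower()
        elif key and (v := re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            yield key, v.group(1).lower(), v.group(2)

def audit(text, markers):
    """Flag active restriction policies (non-zero data) and hijacked IE values."""
    findings = []
    for key, name, data in parse_reg(text):
        data = data.lower()
        if (key, name) in RESTRICTIONS:
            if re.search(r"[1-9a-f]", data.split(":", 1)[-1]):
                findings.append(RESTRICTIONS[key, name])
        elif key == IE_MAIN and name in BROWSER and any(m.lower() in data for m in markers):
            findings.append("IE " + BROWSER[name] + " points at flagged site")
    return sorted(findings)
```

Calling `audit(SAMPLE, ["on888"])` reports the active restrictions and the hijacked home page; the hive is ignored, so values under both HKLM and HKCU are checked.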

Below, the author provides an analysis of the virus code, and the code to repair it:

The virus is named JS/XXXXX because it uses malicious JavaScript code in the page:

First, let's take a look at how the HTML page modifies the IE title. It uses JavaScript code to modify the value of this key under HKLM\Software\Microsoft\Internet Explorer\Main\ and HKCU\Software\Microsoft\Internet Explorer\Main\, and it also modifies the user's IE settings, such as removing the Run button, removing the shutdown button, removing the logout button, hiding the desktop, hiding drive letters, disabling the registry editor, etc. This is the virus code: