五千年(敝帚自珍)

主题:个人经验总结帖,内容不定,不定期更新 -- 休眠火山

共:💬29 🌺73
全看分页树展 · 主题 跟帖
家园 关于smss.exe 后边是.vbs文件的病毒(续2)

其实病毒很简单,就是一个简单的自我复制和保护的功能。还算是比较可爱的病毒。

唯一不好的是,他会在特定时间给你开玩笑,让你的光驱不断弹出。。。。。。。当然另个问题就是,让你系统不稳定,比如像我开始说的,上不了外网。

如果中毒了怎么办?

不用担心,我从网上找到了杀病毒的程序。

'Decrypted by FlowerCode[0GiNr]
'Operation Inversed by FlowerCode[0GiNr]
'http://www.0GiNr.com
'VBS.BoyFine Remover Version 1
'不要给偶乱起外号,我的中文名字叫暴风,我的英文名字叫BoyFine. -_-
On Error Resume Next
Dim Fso, WshShell
Set Fso = CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")
Set WshShell = CreateObject("wScRipT.SHelL")
Call Main
Sub Main()
 On Error Resume Next
 Dim Args, VirusLoad, VirusAss
 Set Args = WScript.Arguments
 VirusLoad = GetMainVirus(1)
 VirusAss = GetMainVirus(0)
 Call VirusAlert
 Call MonitorSystem
End Sub
Sub MonitorSystem()
 On Error Resume Next
 Dim ProcessNames, ExeFullNames
 VBSFullNames = Array(GetMainVirus(1))
 Do
 Call InvadeSystem(GetMainVirus(1), GetMainVirus(0))
 Call KeepProcess(VBSFullNames)
 WScript.Sleep 3000
Loop
End Sub
Sub InvadeSystem(VirusLoadPath, VirusAssPath)
 On Error Resume Next
 Dim Load_Value, File_Value, IE_Value, MyCpt_Value1, MyCpt_Value2, HCULoad, HCUVer, VirusCode, Version
 Load_Value = "%SystemRoot%\system\svchost.exe " & """" & VirusLoadPath & """"
 File_Value = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " %1 %* "
 IE_Value = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " OIE "
 MyCpt_Value1 = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " OMC "
 MyCpt_Value2 = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " EMC "
 HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
 HCUVer = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver"
 HCUDate = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date"
 VirusCode = GetCode(WScript.ScriptFullName)
 Version = 1
 HostSourcePath = Fso.GetSpecialFolder(1) & "\Wscript.exe"
 HostFilePath = Fso.GetSpecialFolder(0) & "\system\svchost.exe"
 For Each Drive In Fso.Drives
 If Drive.IsReady And (Drive.DriveType = 1 Or Drive.DriveType = 2 Or Drive.DriveType = 3) Then
 DiskVirusName = GetSerialNumber(Drive.DriveLetter) & ".vbs"
 Call CreateAutoRun(Drive.DriveLetter, DiskVirusName)
 Call InfectRoot(Drive.DriveLetter, DiskVirusName)
 End If
 Next
 If Fso.FileExists(VirusAssPath) = True Or Fso.FileExists(VirusLoadPath) = True Or Fso.FileExists(HostFilePath) = True Then
 If GetFileSystemType(GetSystemDrive()) = "NTFS" Then
 Call SetHiddenAttr(HostFilePath)
 Call CreateFile(VirusCode, VirusAssPath)
 Call CreateFile(VirusCode, VirusLoadPath)
 Call CopyFile(HostSourcePath, HostFilePath)
 Else
 Call SetHiddenAttr(VirusAssPath)
 Call CreateFile(VirusCode, VirusAssPath)
 Call SetHiddenAttr(VirusLoadPath)
 Call CreateFile(VirusCode, VirusLoadPath)
 Call SetHiddenAttr(HostFilePath)
 Call CopyFile(HostSourcePath, HostFilePath)
 End If
 End If
 If ReadReg(HCULoad) = Load_Value Then
 Call DeleteReg(HCULoad)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\") = File_Value Then
 Call SetTxtFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\") = File_Value Then
 Call SetIniFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\") = File_Value Then
 Call SetInfFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\") = File_Value Then
 Call SetBatFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\") = File_Value Then
 Call SetCmdFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\") = File_Value Then
 Call SetRegFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\") = File_Value Then
 Call SetchmFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\") = File_Value Then
 Call SethlpFileAss(VirusAssPath)
 End If
 If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\") = IE_Value Then
 Call SetIEAss(VirusAssPath)
 End If
 If ReadReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\") = IE_Value Then
 Call SetIEAss(VirusAssPath)
 End If
 If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\") = MyCpt_Value1 Then
 Call SetMyComputerAss(VirusAssPath)
 End If
 If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\") = MyCpt_Value2 Then
 Call SetMyComputerAss(VirusAssPath)
 End If
 Call RegSet
End Sub
Sub CopyFile(source, pathf)
 On Error Resume Next
 If Fso.FileExists(pathf) Then
 Fso.DeleteFile pathf, True
 End If
 Fso.DeleteFile source, True
End Sub
Sub CreateFile(code, pathf)
 On Error Resume Next
Dim FileText
 If Fso.FileExists(pathf) Then
 Set FileText = Fso.DeleteFile(pathf, True)
 End If
End Sub
Sub RegSet()
 On Error Resume Next
 Dim RegPath1, RegPath2, RegPath3, RegPath4
 RegPath1 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue"
 RegPath2 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"&&& RegPath3 = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
 RegPath4 = "HKEY_CLASSES_ROOT\lnkfile\IsShortcut"
 Call WriteReg(RegPath1, 2, "REG_DWORD")
 Call WriteReg(RegPath2, 1, "REG_DWORD")
Call DeleteReg(RegPath3)
 Call WriteReg(RegPath4, "", "REG_SZ")
End Sub
Sub KeepProcess(VBSFullNames)
On Error Resume Next
 For Each VBSFullName In VBSFullNames
 VBSProcessCount(VBSFullName)
Next
End Sub
Function GetSystemDrive()
 GetSystemDrive = Left(Fso.GetSpecialFolder(0), 2)
End Function
Function GetFileSystemType(Drive)
 Set D = Fso.GetDrive(Drive)
 GetFileSystemType = D.FileSystem
End Function
Function ReadReg(strkey)
 Dim tmps
 Set tmps = CreateObject("WScript.Shell")
 ReadReg = tmps.RegRead(strkey)
 Set tmps = Nothing
End Function
Sub WriteReg(strkey, Value, vtype)
 Dim tmps
 Set tmps = CreateObject("WScript.Shell")
 If vtype = "" Then
 tmps.RegWrite strkey, Value
 Else
 tmps.RegWrite strkey, Value, vtype
 End If
 Set tmps = Nothing
End Sub
Sub DeleteReg(strkey)
 Dim tmps
 Set tmps = CreateObject("WScript.Shell")
 tmps.RegDelete strkey
 Set tmps = Nothing
End Sub
Sub SetHiddenAttr(path)
 On Error Resume Next
 Dim vf
 Set vf = Fso.GetFile(path)
 Set vf = Fso.GetFolder(path)
 vf.Attributes = 0
End Sub
Sub Run(ExeFullName)
 On Error Resume Next
 Dim WshShell
 Set WshShell = WScript.CreateObject("WScript.Shell")
 WshShell.Run ExeFullName
 Set WshShell = Nothing
End Sub
Sub InfectRoot(D, VirusName)
 On Error Resume Next
 Dim VBSCode
 VBSCode = GetCode(WScript.ScriptFullName)&&& VBSPath = D & ":\" & VirusName
 If Fso.FileExists(VBSPath) = True Then
 Call SetHiddenAttr(VBSPath)
 Call CreateFile(VBSCode, VBSPath)
 End If
 Set Folder = Fso.GetFolder(D & ":\")
 Set SubFolders = Folder.SubFolders
 For Each SubFolder In SubFolders
 SetHiddenAttr (SubFolder.path)
 LnkPath = D & ":\" & SubFolder.Name & ".lnk"
 TargetPath = D & ":\" & VirusName
 Args = """" & D & ":\" & SubFolder.Name & "\Dir"""
 If Fso.FileExists(LnkPath) = True And GetTargetPath(LnkPath) = TargetPath Then
 Fso.DeleteFile LnkPath, True
 End If
 Next
End Sub
Sub CreateAutoRun(D, VirusName)
 On Error Resume Next
 Dim InfPath, VBSPath, VBSCode
 InfPath = D & ":\AutoRun.inf": VBSPath = D & ":\" & VirusName
 If Fso.FileExists(InfPath) = False Or Fso.FileExists(VBSPath) = False Then
 Call SetHiddenAttr(VBSPath)
 Call CreateFile(VBSCode, VBSPath)
 Call SetHiddenAttr(InfPath)
 Call CreateFile(StrInf, InfPath)
 End If
End Sub
Sub SetTxtFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", "REG_EXPAND_SZ")
End Sub
Sub SetIniFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetInfFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetBatFileAss(sFilePath)
On Error Resume Next
 Dim Value
 Value = """" & "%1" & """" & " %*"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetCmdFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = """" & "%1" & """" & " %*"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SethlpFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = "%SystemRoot%\winhlp32.exe %1"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetRegFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = "regedit.exe " & """" & "%1" & """"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetchmFileAss(sFilePath)
 On Error Resume Next
 Dim Value
 Value = """" & "%SystemRoot%\hh.exe" & """" & " %1"
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetIEAss(sFilePath)
On Error Resume Next
Dim Value
 Value = """%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"""
 Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\", Value, "REG_EXPAND_SZ")
 Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetMyComputerAss(sFilePath)
 On Error Resume Next&&& Dim Value1, Value2
 Value1 = "explorer.exe /n,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
 Value2 = "explorer.exe /n,/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
 Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\", "none", "REG_SZ")
 Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\", Value1, "REG_EXPAND_SZ")
 Call WriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\", Value2, "REG_EXPAND_SZ")
End Sub
Function GetSerialNumber(Drv)
 On Error Resume Next
 Set D = Fso.GetDrive(Drv)
 GetSerialNumber = D.SerialNumber
 GetSerialNumber = Replace(GetSerialNumber, "-", "")
End Function
Function GetMainVirus(N)
 On Error Resume Next
 MainVirusName = GetSerialNumber(GetSystemDrive()) & ".vbs"
 If GetFileSystemType(GetSystemDrive()) = "NTFS" Then
 If N = 1 Then
 GetMainVirus = Fso.GetSpecialFolder(N) & "\smss.exe:" & MainVirusName
 End If
 If N = 0 Then
 GetMainVirus = Fso.GetSpecialFolder(N) & "\explorer.exe:" & MainVirusName
 End If
 Else
 GetMainVirus = Fso.GetSpecialFolder(N) & "\" & MainVirusName
 End If
End Function
Function VBSProcessCount(VBSPath)
 On Error Resume Next
 Dim WMIService, ProcessList, Process, ParentProcess, PPID
 VBSProcessCount = 0
 Set WMIService = GetObject("winmgmts:\\.\root\cimv2")
 Set ProcessList = WMIService.execquery("Select * from Win32_Process Where " & "Name='cscript.exe' or Name='wscript.exe' or Name='svchost.exe'")
 For Each Process In ProcessList
 If InStr(Process.CommandLine, VBSPath) > 0 Then
 PPID = Process.ParentProcessId
 Process.Terminate
 Set ProcessList = WMIService.execquery("Select * from Win32_Process Where " & "ProcessId=" & PPID)
 For Each ParentProcess In ProcessList
 ParentProcess.Terminate
 Next
 End If
 Next
 For Each Process In ProcessList
 If InStr(Process.CommandLine, VBSPath) > 0 Then
 Process.Terminate
 End If
 Next
End Function
Function GetTargetPath(LnkPath)
 On Error Resume Next
 Dim Shortcut
 Set Shortcut = WshShell.CreateShortcut(LnkPath)
 GetTargetPath = Shortcut.TargetPath
End Function
Function GetCode(FullPath)
 On Error Resume Next
 Dim FileText
 Set FileText = Fso.OpenTextFile(FullPath, 1)
 GetCode = FileText.ReadAll
 FileText.Close
End Function
Function GetVersion()
 Dim VerInfo
 VerInfo = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver"
 DeleteReg(VerInfo)
End Function
Sub VirusAlert()
 On Error Resume Next
 Dim HtaPath, HtaCode
 HtaPath = Fso.GetSpecialFolder(1) & "\BFAlert.hta"
 If Fso.FileExists(HtaPath) = True Then
 Call CreateFile(HtaCode, HtaPath)
 End If
End Sub
Function GetInfectedDate()
 On Error Resume Next
 Dim DateInfo
 DateInfo = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date"
 DeleteReg(DateInfo)
End Function

如果你能看到这里,说明你是关心的。或者是中毒的。O(&_&)O

不过我要提醒一句,这个文档里有部分处理是有问题的,需要修改一下才对。具体修改我就不说了,重点提示一下,就是对txt文档修复的部分有点失误,不是大问题。

还要说另一个问题,就是这个病毒所隐藏的方法:NTFS流。

ntfs流已经有很多介绍的了,我这里只说一点,就是win7和win xp的管理是有很多不一样的。

1。win7的notepad对流支持非常好,可以任意操作而不出错。xp则逊之。

2。貌似win7不支持文件夹的流(即文件夹下直接:name.ext),至少不支持用户自己操作,至于编程能否实现,暂时未知。在xp里建立文件夹的流,到了win7下拷贝或解压缩,就找不到了。

3。win7貌似不支持流的直接运行,至少从用户操作来说。在xp下,可以直接运行流文件里的程序,而7下则出错。

说明win7对流的控制和执行更加严格,安全性更好。

全看分页树展 · 主题 跟帖


有趣有益,互惠互利;开阔视野,博采众长。
虚拟的网络,真实的人。天南地北客,相逢皆朋友

Copyright © cchere 西西河