A simple HTML virus analysis

Source: Internet
Author: User

I have wanted to write this article for a long time. Every time I sat down to it I had to go to work, and when I got back home I was busy playing games, so it kept slipping. Now I am finally setting work aside to get it done; I just hope the boss never finds this blog. Haha.

I became interested in HTML viruses a long time ago. I was curious how a web page could download an executable to the local machine without the user's permission, but I never had the chance to get the original ASP code, so I did not dare to analyse it out of context. Recently a friend told me that when he opened a certain web page his antivirus firewall warned of a virus, and told me to be careful (first of all, thanks to him). It occurred to me that I could simply open FlashGet and pull down the virus's home page. Reading through it, I found a hidden floating frame in the last few lines of the home page code, and the URL it referenced was not local. I used FlashGet again on that URL and found that the hosting space where the virus was placed did not support ASP, so the ASP file came down as source. In this way I downloaded every file belonging to the virus. Because the virus is very simple, I only excerpt a few fragments. If you are really interested, find a page carrying the virus yourself; I will not do it for you. Whatever you do, do not open the virus in IE: download it with FlashGet or another download tool and open it in Notepad. Otherwise, if it goes wrong, don't come looking for me.

The actual virus consists of three files: a boot file, a download file, and an activation file. The key part of the boot file is that the download and activation files are referenced as objects on the page and run from there. This is also the key to how the virus infects the local machine: from a referenced file, the client's ActiveX components can be used without hindrance. Alas, this is the knife.

The second file downloads the exe virus file. So how do you download an exe without a prompt box? That is the job of the download file. The virus uses the Microsoft.XMLHTTP component together with Response.ContentType = "image/gif" to download the virus file into the client's web page cache in the form of an image (this is a very simple Get/BinaryWrite operation, so I will not go into detail). The third file, the activation process, is the clever part. The virus first creates an .hta file in c:\ with FSO and writes the activation routine into it, then runs that file with WScript.Shell. Run this way, the activation routine has the large permissions it needs (for example, writing to the registry). The specific steps are as follows: move the virus file from the web page cache directory to the system directory and rename it to win.exe; write an auto-start key to the registry so that the virus starts automatically after the system restarts; then delete the .hta file. Infection and activation are complete.

That is the basic operation of the virus (by convention, the destructive part will not be described). But what use is this virus to us? To be honest I hate this virus, but the process of downloading and activating an exe is still worth having. For example, you may require the client to download some components and activate them before using your system. That is certainly no problem for people who know what they are doing, but if your users have no networking background at all, I guess they will be calling you before the system is even up and running. If you use this method to download and activate the component automatically, with the other party's permission, it saves a lot of trouble, right? However, this method is only convenient for small files. If you want to download files larger than 1 MB, you need to consider multi-threaded download.

Of course, that is outside the scope of this article. In the future I will have the opportunity to talk about using ASP + XML to implement multi-threaded web upload and multi-threaded download.
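As an added example (not code from the original post or from the virus), here is a small Python scanner that checks a downloaded page for the indicators described above: a hidden, off-site floating frame, and script text that instantiates the XMLHTTP, FSO and WScript.Shell components, drops an .hta file, or touches the registry Run key. The sample pages and host names are constructed.

```python
import re
# Indicators taken from the article: a hidden frame loading a remote page, and script
# that uses XMLHTTP / FSO / WScript.Shell, drops an .hta and sets a Run key.
COMPONENT_PATTERNS = {
    "xmlhttp": re.compile(r"Microsoft\.XMLHTTP", re.I),
    "fso": re.compile(r"Scripting\.FileSystemObject", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "hta_drop": re.compile(r"\.hta\b", re.I),
    "run_key": re.compile(r"CurrentVersion\\+Run\b", re.I),
}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def _attrs(tag):
    """Attributes of one tag (quoted or bare values) as a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}

def _is_hidden(a):
    """Zero-sized or CSS-hidden frame, the trick the boot page uses."""
    style = a.get("style", "").replace(" ", "").lower()
    zero = a.get("width", "") in ("0", "0px") or a.get("height", "") in ("0", "0px")
    return zero or "display:none" in style or "visibility:hidden" in style

def hidden_iframes(html, site_host):
    """src URLs of hidden iframes whose host differs from the page's own host."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(0))
        h = re.match(r"https?://([^/:]+)", a.get("src", ""), re.I)
        if _is_hidden(a) and h and h.group(1).lower() != site_host.lower():
            hits.append(a["src"])
    return hits

def scan_page(html, site_host):
    """Flag a page on any hidden off-site frame, or on two or more component hits."""
    found = {name: bool(p.search(html)) for name, p in COMPONENT_PATTERNS.items()}
    frames = hidden_iframes(html, site_host)
    score = sum(found.values())
    return {"indicators": found, "hidden_offsite_iframes": frames,
            "score": score, "suspicious": bool(frames) or score >= 2}
# Constructed fixtures modelled on the article's description; not working malware.
SAMPLE_HOME = """<html><body><p>Welcome</p>
<iframe src="http://evil.example/boot.htm" width=0 height=0 frameborder=0></iframe>
</body></html>"""
SAMPLE_BOOT = """<script language="VBScript">
Set http = CreateObject("Microsoft.XMLHTTP")
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("c:\\act.hta")
' the .hta body would use WScript.Shell and HKLM\\...\\CurrentVersion\\Run (omitted)
</script>"""
```

Run the scanner over a page saved with a download tool, as the article suggests, rather than one rendered in the browser.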
