A simple HTML virus analysis

zhaozj, 2021-02-16

I have wanted to write this up for a long time. At work I told myself not to write at work, and at home I was busy playing games, so it never got written. Now I am doing it during working hours; I hope my boss never finds this blog. Haha.

I have been interested in HTML viruses for a long time. I was very curious about how they download an executable from a remote server to the local machine, but I never had a chance to get the original ASP source, so I did not dare to say I had analyzed anything. Then a friend told me he had seen a web page on which his antivirus firewall raised an alert, and warned me to be careful (thanks first). An idea flashed through my mind: I opened FlashGet and pulled down the virus's home page.

In the last few lines of the home page source I found a hidden floating frame (iframe). The URL it referenced was not local, which felt suspicious, so I used FlashGet again. It turned out the virus was hosted on a space that did not support ASP, so the ASP files came down as plain source. Encouraged by this, in short order I had grabbed every file related to the virus.

Because this virus is very simple, I only quote a few fragments. If you are interested, do not go looking for the virus web page; and if you do, do not view it with IE. Download it with a tool like FlashGet and open it in Notepad. Otherwise, do not come to me: you have been warned.

The virus proper consists of three files: a boot (loader) file, a download file, and an activation file.

First, the boot file

The key part is:

Its role is to reference the other two files as objects of this page so that they are loaded and run. This is also the critical point at which the virus file gets onto the local machine: the referenced file simply includes a client-side Action component with nothing standing in its way. That is the crux.

Second, downloading the exe virus file

So how do you download an exe without a download prompt box popping up? That is the job of the download file.

On the server side the virus uses the Microsoft.XMLHTTP component together with response.contenttype = "image/gif" to deliver the virus file, disguised as an image, into the client's web cache (this is a plain Get / BinaryWrite operation, so I will not go into detail).
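The defensive counterpart of the trick above is to distrust the declared Content-Type and sniff the first bytes of what actually arrived. The following is an added example, not code from the original post or from the virus, written as a check a proxy or cache inspector could run over a captured HTTP response. The two response records (FAKE_GIF_RESPONSE, REAL_GIF_RESPONSE) are constructed here; the "MZ" payload is only a DOS/PE header prefix, not an executable.

```python
"""Flag a response whose declared image Content-Type contradicts the payload's real format.

Added example: detection-side logic for the "exe disguised as image/gif" delivery
described in the post. Sample responses below are constructed for illustration.
"""

# Magic-byte signatures for the formats we care about (constructed table).
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"MZ", "application/x-msdownload"),  # DOS/PE executable header
]


def sniff(body: bytes) -> str:
    """Return the MIME type implied by the payload's leading bytes, or 'unknown'."""
    for signature, mime in MAGIC:
        if body.startswith(signature):
            return mime
    return "unknown"


def split_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    # Skip the status line; parse 'Name: value' lines.
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def check_response(raw: bytes) -> dict:
    """Compare declared Content-Type against sniffed type; flag image-claiming executables."""
    headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    suspicious = declared.startswith("image/") and actual == "application/x-msdownload"
    return {"declared": declared, "actual": actual, "suspicious": suspicious}


# Constructed sample responses (not real captures).
FAKE_GIF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"  # executable header bytes claiming to be a GIF
)
REAL_GIF_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/gif\r\n"
    b"\r\n"
    b"GIF89a\x01\x00\x01\x00"  # genuine GIF header
)

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_GIF_RESPONSE), ("real", REAL_GIF_RESPONSE)):
        print(label, check_response(raw))
```

The same sniff can be applied to files already sitting in the browser cache directory the post mentions: a cached "image" whose first two bytes are MZ is exactly the artifact this download stage leaves behind.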

Third, activation

The activation process is quite clever. The virus first uses FSO (the FileSystemObject) to generate an HTA file under C:\ and writes the activation steps into that file, then uses WScript.Shell to run it. Because the HTA runs with real local privileges, operations such as writing to the registry are no problem during activation.

The concrete sequence is this: the HTA moves the virus file from the web cache directory into the system file directory and renames it Win.exe. It then writes an auto-start key in the registry so that the virus starts automatically after the system restarts, and finally deletes the HTA file. Infection and activation are complete.
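Taken together, the boot file (a hidden frame pointing off-site) and the activation file (FSO, an .hta drop, WScript.Shell, a registry auto-start entry) leave a recognisable set of static indicators in page source. The following added example, which is not code from the original post or from the virus, is a small scanner that flags both: hidden iframes whose host differs from the page's own, and the script-side strings of the activation chain. The indicator table, the host name and the two sample pages (SAMPLE_PAGE, BENIGN_PAGE) are all constructed here; the sample script contains the indicator strings only and does nothing.

```python
"""Static scan of saved page source for the drive-by pattern described in the post.

Added example (detection side). Indicator list and sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script-side strings from the FSO -> HTA -> WScript.Shell -> auto-start chain (constructed list).
SCRIPT_INDICATORS = {
    "Scripting.FileSystemObject": "FSO can write files (e.g. an .hta) to disk",
    "WScript.Shell": "WScript.Shell can launch files and write the registry",
    ".hta": "HTA reference: script runs with local privileges",
    "Microsoft.XMLHTTP": "XMLHTTP enables a silent binary download",
    "CurrentVersion\\Run": "registry auto-start key reference",
}


class HiddenFrameFinder(HTMLParser):
    """Collect iframes that are both visually hidden and point at another host."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (
            a.get("width", "").strip() in ("0", "0px")
            or a.get("height", "").strip() in ("0", "0px")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs (same site)
        offsite = host is not None and host.lower() != self.page_host
        if hidden and offsite:
            self.findings.append(f"hidden iframe to off-site host {host}: {src}")


def scan_page(html: str, page_host: str) -> list:
    """Return a list of human-readable findings for one page's source."""
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    findings = list(finder.findings)
    lowered = html.lower()
    for needle, why in SCRIPT_INDICATORS.items():
        if needle.lower() in lowered:
            findings.append(f"{needle}: {why}")
    return findings


# Constructed sample: hidden off-site frame plus activation-chain strings (inert).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://remote.example/boot.htm" width="0" height="0"></iframe>
<script language="vbscript">
' constructed indicator strings only; this script does nothing
' CreateObject("Scripting.FileSystemObject")
' CreateObject("WScript.Shell")
' "c:\\drop.hta"
</script>
</body></html>"""

# Constructed sample: visible, same-site frame and no indicators.
BENIGN_PAGE = """<html><body>
<iframe src="/help.html" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_page(page, "shop.example"))
```

Run it over a page saved with a downloader rather than a browser, exactly as the post advises, so the source is inspected without being rendered.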

That is the basic operation of the virus (I have said nothing about its destructive part, as is customary). But what use is this to us? Honestly, I hate this virus, but the EXE download and the activation process still have a legitimate use. For example: your system requires the client to download some components and activate them. Normally that is no problem, but if you face the kind of user who cannot even finish a network download, I estimate your system will never get started on their machine. If you borrow this method, so that the component is downloaded and activated automatically without the other party knowing, then many more people will be able to use it.

However, this approach is only convenient for small files. If you want to download files larger than 1M, you have to consider multi-threaded downloading, which is of course outside the scope of this article. When I get the chance I will write about implementing web multi-threaded download with ASP and XML.

As is customary: my contact address is CODER@citiz.net and my blog address is http://blog.9cbs.net/oyiboy. Haha, I hope everyone will keep this line, by convention.

Please credit the original address when reposting: https://www.9cbs.com/read-18035.html
