Analysis of Happy Time (Happy Time) Virus Xu Guangyi 01-5-11 02:19:25
I am an online newbie, I started the Internet in April this year. Novice, you can not learn how to make your computer from the hormible harm, just make a Ruixing anti-virus software, so that you have a good thing. When I first started the Internet, I made a road in the ocean of the five-color website and the ocean of the information. I saw the west of the west. I saw the interested webpage to save. I met interesting software to download. I want to be the first time I will go online.
In a few days in the fun of the Internet, I have an exception in my love: every ten seconds, the mouse pointer appears next to the mouse pointer, it seems that the computer is executing, but I close it. All procedures, there is only a Windows desktop, and during this time, the computer speed has fallen sharply, and it is half a day to run, and it will stop every ten seconds, but he has to restart, but one Choosing the restart, the computer did not respond, just when I thought it was a dead machine, the error message box said that it is less than memory? ! God, my love machine is 256M memory! Press CTRL ALT DEL key to close the program dialog box, I have found hundreds of unknown tasks, which are labeled WScript. . . Look. It seems that the computer is suffering from Rising, and the new virus can't be found.
The next few days were the painful experience. I let the dog drove some anti-illnesses on the Internet, but also a trial version of Jinshan's drug tyrants, open its heuristic check options can be found an unknown Virus, but can only warn without killing. Casually, I also received a warning when I opened a web file saved in the hard disk, and other web files did not warn, the opportunity came! I immediately changed it by HTM to TXT, opened with Notepad, revealing the true face of this virus after tagging.
The virus is written in VBScript language, and its first line writes I am Sorry, Happy Time. (Meaningful to you, happy time. Really mad people do not pay! "Sorry", "Sorry", "Happy" ?!) I don't understand the VBScript language, but I have learned Visual Basic, then doubled some VBScript information, after a temporary buddha, began to interpret the viral source program. Due to the lack of corresponding information, the level is limited, you can't read each line of code, you can only see a probably, but I am more surprising, this is a high infectious, high-destructive virus that only browsing the website page. !
Let's take a look at the pathogenesis of this virus:
When you first pearmize, all web files in the Windows / Web folder are placed on the virus and find out any email address in these files to send viral emails to them. As soon as they open, they will penetrate;
Every time I seizure once every ten seconds, but I still stay in memory after the attack is completed, and the episode of ten seconds, and the big memory will also give it to the silk;
Every time I attack, in the ordinary days, I will find a file infection named HTML, HTM, VBS, and ASP (don't underestimate a file, it is a ten second episode!), And Isolated on this file to send viral email in this file, in the "special" day of the month, the number of days (January 12, February 11 ... December 1), each time The episode finds a file that is a file named EXE, DLL (usually important system files) to delete, so that your computer is completely paralyzed; the virus saves the number of episodes in the Windows registry, check it every time it checks The number of seizures, such as the multiple of 366, then virus virus mail: If the number of seconds of the system time is an even number, send a system message, such as odd, then go to the Email address to send viral emails in the Directory of Outlook.
By the way, because this virus is frequent and email, you may have to pay a lot of money when checking in the month.
Now let's take a look at the structure of this evil virus, how it makes us dyed when browsing the web.
As mentioned earlier, the virus is written in VBScript language, and the information is turned over, and the VBScript is a scripting language that enhances web feature. It embeds it in an HTML file. When you browse the web, it is also with the HTML file. Turn into memory and explain and execute by the browser. So when you see a webpage, it has the VBScript code (if any) has been executed, so it is easy to be used to be used to prepare the destruction program. VBScript designers also told this, so VBScript is designed as a simplified version of Visual Basic, abandoned some "dangerous" statement commands, so VBScript is "safe", which can be used for webpage preparation. It is true that VBScript does not threaten, but VBScript provides creation and use the object (Object) feature, and Windows provides a large number of objects to use various languages, using these objects you can do anything! For example, many of the damage work of this virus is done by creation and using WScript (Windows Script, Windows Scripting Language), so you can say this: VBScript is unsafe, is dangerous! Happy time virus is the most powerful testimony!
For the words, we still come to see the structure of the virus.
Initialization section
Initialization (establish scriptlet.typelib object, etc.)
↓
Is the current HTML state?
Is it ↙ ↘?
━━━━━ ━━━━━━━
↓ ↓ ↓
Is there a Help.vbs file in a Windows directory? Running the main program
↓
↙ ↙ ↘
━━━ ━━━━━━━
↓ (3) ↓ (1)
Set to transfer the virus code in this document in HTML format for every 10 seconds.
Help.hta file under the Help.vbs Windows directory and call help.hta.
End end
Main program
↓
Establish a surfix table containing HTML, VBS, HTM, ASP
The current Help.vbs running state?
(4) Is it ↙ ↘ (2)
━━━━━ ━━━━━━━
↓ ↓ ↓
By the month days 13, the suffixed name is changed to this virus code in the Windows directory.
Only EXE, DLL; build help.vbs file, and untricle.htm
file;
Will HKEY_CURRENT_USER in the registry
Software / Help / Count virus episodes plus 1; modified HKEY_CURRENT_USER / IDENTITIES / User ID / SOFTWARE / Microsoft
/ Look Express / 5.0 / Mail / Under the key value:
Software / help / file_name to be infected with file name Message Send HTML to 1
Remove, and find the next to infect file according to the suffix name, Compose Useryry is changed to 1
Save here; stationry name is changed to untricle.htm
Isors the email address to send viral emails; find HTML, VBS, HTM, ASP, HTT files in the Windows / Web Directory, are tail
The name of the infection file is exe, the DLL file is deleted! Add this virus code at the end, and Isolate the email address to send viral emails
Use this virus code to create an HTM file in a Windows directory and write its file name to HKEY_CURRENT_USER / SOFTWARE / HELP / WALLPAPER and HKEY_CURRENT_USER / Control Panel / Desktop / Wallpaper
The above process basically explains its pathogenesis, now I explain to the numbers on the process:
When we started to touch this virus, we must be in the state of the virus-containing web page, that is, the HTML state on the process, and there is no Help.vbs virus file on the hard disk, so the virus is executed (1) branch, establish a Help .Hta virus file and call it. Then at the Help.hta virus file, it is no longer in the HTML state, so running the master procedure, in the master program, because it is not a Help.vbs running state, run (2) branch and establish a Help. VBS virus file, when you meet this virus later, due to the Help.vbs virus file, the (3) branch is executed, set to execute Help.vbs every 10 seconds, and Help.vbs will execute the main principal program. (4) branch, complete a series of damage tasks.
I heard that there is now a software that can kill this virus, and I don't know. If you are unfortunately pending, you should first pay attention to the "special" days before getting anti-virus software, you should not boot in the "special" day, so as to avoid the crafts; the process can be seen, the virus is only infected with HTM, HTML, VBS, ASP (and HTT file under Windows / Web), so you turn on only the Windows desktop is safe, set the wallpaper of the desktop to no, restart again, be careful not to use my computer or Windows Resource Manager, because they have to load many files each time, it is very likely to activate viruses. You have to handle the document to go to the DOS state, do not see any help information, because many help files are HTML format. If you are a programming, you can compile, check all the files in the hard disk to HTM, HTML, VBS, ASP, and clear the virus, if you don't program, no anti-virus software, you can only use The lookup feature detects all the files named HTM, HTML, VBS, ASP file, then manual operation: Rename it is txt file, open the check, if the file has a virus, it is deleted, and then change it back to the original file name. , Then the next ... But we have to go online, but also browse, even if we have software that can kill a happy time virus, who can guarantee which guy will not write such a virus to make us harm ? It seems that only other Microsoft will have a browser that can ban VBScript, JavaScript, Active X ........ As far as I personally, I will not have any special effects, as long as it is safe.
Finally, give the source of the happy time virus, for interest, if a high person can refer to this procedure, please post the resolution result, let us have a deeper understanding of the times.
I have necessary indentation processing for the source program to facilitate reading.
Source procedure for festive time viruses:
