English name: Virus.VBS.Writebin.A
Chinese name: Avira AntiVir (variant)
Category: worm
Danger level: level 4
Introduction: Virus.VBS.Writebin.A is a destructive virus. Delivered through VBS and disguised as a system process, it targets computers and servers (Internet cafés, schools and hospitals are the main targets) [including Linux]. Once implanted, the virus can use existing TCP and UDP connections to package the script into processes and spread it to every computer on the local network. It quickly scans all local files by suffix (rar, zip, exe, html) and inserts its script code into the program, so that the program automatically triggers the script virus; on startup it changes the implanted file's permissions to read permissions, scans in real time for externally connected writable disks (USB drives) and implants the corresponding script, which runs automatically. On the infected computer it appends code to the end of all HTM, EXE and DLL files, and at the same time automatically infects every readable mobile disk that is inserted, creating an autorun.inf file and a RECYCLER folder; the virus files sit under the RECYCLER folder with random-string file names.
Main route of transmission: software download sites. The virus can lurk inside a zip package, and decompressing it can trigger the script virus.
Flashing story: it was the evening of 2019-5-18. I have a China Mobile set-top box and needed to download a TTL driver, and after some searching I found a download on a certain download site under a certain c6. On decompressing it, 360 Antivirus reminded me that it had successfully intercepted something (since I am a developer myself, and every developer knows that software written in Easy Language gets reported as a virus by 360), so I decisively closed 360. It was a little late by then, so the computer went to sleep.
On the morning of 2019-5-19 I turned on the computer as usual, ready to write code! On starting the Arduino IDE, a "no access permission" prompt suddenly popped up, and then for some reason it showed "(has stopped working)". I accidentally discovered that 360 Guard and 360 Antivirus had crashed. I thought that wasn't good, so I ran them as administrator and in compatibility mode and got the same result. So I opened the remote connection log (because I had used the computer as a remote server before, I had firmly turned off the firewall's inbound rule [for a TCP connection] and then forgot to turn it back on! I had also done port mapping on Peanut Shell without any security [because the SSL protocol module had not been set up at the debugging stage]). In the log I found 22 accesses from the same IP; I checked this IP and found it originated from Italy [decisive conclusion: hackers broke in using external IP forwarding]. Meanwhile I found the network downloading at about 3 MB/s (and I had not opened any software), so I decisively thought the hackers might be monitoring my computer and embedding some script in it. So I opened file management (My Computer) and unexpectedly discovered that a remote desktop connection was currently present! (Oh!
There's something to this!) So I opened the properties of that remote desktop and got the same old prompt (no permission to access). Next I planned to back up the important files and reinstall the system (the old idea), so I plugged in an 8 GB USB drive, thinking I would first store the data on my friend's computer and then use the USB drive to make a boot disk. Unexpectedly, as soon as the USB drive was plugged into my friend's computer, (whoa) his computer first froze for about 30 seconds, then 360 Guard crashed, same as on my computer. Suddenly I had a hunch that this virus wasn't simple, so I searched online for information on similar viruses and found that someone on Baidu Zhidao had mentioned a virus like this. I opened the performance monitor and saw CPU usage at 98% (I use an 8th-gen i5) and memory at 80% (I have 12 GB of RAM), such high usage (while just sitting on the desktop). I thought I would first try to find this process (the process was hidden, or possibly disguised as a system process), and remembered the tools I had used before when writing cheats for Knives Out, stored on Baidu Cloud, so I hurried to an Internet café, downloaded a copy and wrote a handle-search tool in Easy Language. Then I ran the handle tool first and found that, like the other software, it popped up the same prompt (has stopped working). I thought about it: the system was surely occupied by the virus by now, so I used my friend's software to make a U深度 (UShenDu) boot disk. After entering PE I found that every drive had [an autorun.inf file and a RECYCLER folder]. I looked it up on my phone and found that these are system Recycle Bin files, and figured the virus must be using this type of file as camouflage (disguised as a similar file that is not deleted when the system boots normally, and that is not visible at all [hidden] when the system is running normally) [I thought this hacker was definitely not simple]. So in the PE environment I tried changing the file's suffix to txt and opened it with Notepad, and found that it was all garbled. I looked it up on Baidu and found that this file originally has only a few lines of code [it records the Recycle Bin's file header], and felt it could simply be deleted [I am a bit of a clean freak, so I often empty the files in the Recycle Bin], so I decisively deleted it. Since I had read earlier that this file infects all exe, zip, rar and html files via VBS, I found a Demo.html that I had written myself (a self-written test file, just a few simple lines of code), renamed its suffix to txt and likewise opened it with Notepad, and found that a lot of VBS code had been added inside [%RECYCLER%autorun.inf%]; this was definitely left by the virus. I thought that if I launched it, PE would surely die [but PE is in the computer's boot memory, a separate partition, and once this computer shuts down, PE is automatically formatted], so I felt it should be no big deal and decisively launched the file. It popped up many [missing C++2008 runtime "%Sysme.win 32(x86)"] dialogs. Suddenly I remembered that I hadn't used my handle tool yet, so I plugged in the USB drive with the handle-search tool [written by me] and a memory-search tool [downloaded at the Internet café in passing, thinking it might be useful]. I launched the handle-search tool first and found the vbs process rewriting file permissions and system permissions (because the PE system lacks the C++2008 runtime, the software could only get stuck on the last execution step), and decisively judged that this software depends on the C++2008 runtime. An idea suddenly occurred to me (since I am also an entry-level C++ programmer): read out the virus code first and have a look (since opening it with Notepad earlier gave garbled text [a simple judgement: probably because the encoding was wrong] (I had done software and hardware development before, and garbled text when a hardware module communicates with a phone is always an encoding mismatch caused by the baud rate)). So I reopened the virus script (and transcoded it (discovering that it actually used UTF-16 encoding)). Next was reading the code: I found the front part used Lua code and the rest was all C++ code. On close observation, it uses a Lua script to obtain system permissions and disguise the process. To prevent the virus code from leaking, I won't describe it to everyone in detail (after the virus gets permissions, the very first step is to add the virus script to the USB driver [as soon as a readable device is inserted, the virus script is automatically copied to that device]; next it scans all disks and copies the virus code to each disk one by one; the third step is to scan all files with the suffixes exe, zip, rar, html and implant the virus script into all of them; the fourth step is to shut down the firewall and the major security software, then start scanning the shared computers on the LAN and implant them one by one; the fifth step is to open an FTP server, remote desktop, etc. on the infected computer). So I followed the virus script's logic and rewrote the virus code (brief description), thinking: does this code not need compiling???
So I checked again carefully and discovered that the script calls an exe file; I decisively judged that this must be what compiles the script. So I saved the modified code, ran it and rebooted once. After about a minute the computer blue-screened. Oh my, looking at the blue screen fault code, I found it was caused by the system registry being deleted. Only then did I go into PE and check the D, E, F and H drives, and saw that the script virus had been terminated. Next was reinstalling the system (I won't describe reinstalling the system, too simple). After installing the system, a full scan with Kaspersky (everyone will wonder why not 360; I can only answer that 360 is a trashy advertisement, good for nothing) found everything and repaired it perfectly!
So this little editor's computer story ends here. Let me tell you: cherish life, stay away from software download sites.
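A defender-side check for the indicators the post describes on a mounted drive: autorun.inf at the volume root, a RECYCLER folder with randomly named files, and VBScript markers appended to HTML files (which the post found stored as UTF-16). This is an added example, not code from the original post; the marker list and the sample drive contents are constructed here for demonstration and are assumptions, not a vendor signature.

```python
import tempfile
from pathlib import Path

# Indicators taken from the post's description (assumed, not a vendor signature):
# autorun.inf at the volume root, a RECYCLER folder, and VBScript text
# referencing %RECYCLER%/autorun.inf appended to .html files.
VBS_MARKERS = (b"%recycler%", b"autorun.inf", b"vbscript")

def normalize(data):
    """Lower-case bytes with NULs stripped, so ASCII text stored as UTF-16
    (as the post says the injected script was) matches the same markers."""
    return data.replace(b"\x00", b"").lower()

def scan_tree(root):
    """Walk a mounted drive or folder; return (path, reason) findings."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        name = p.name.lower()
        if p.is_dir() and name == "recycler":
            findings.append((str(p), "RECYCLER folder"))
        elif p.is_file() and name == "autorun.inf" and p.parent == root:
            findings.append((str(p), "autorun.inf at volume root"))
        elif p.is_file() and p.suffix.lower() in (".html", ".htm"):
            text = normalize(p.read_bytes())
            if any(m in text for m in VBS_MARKERS):
                findings.append((str(p), "VBScript markers appended to HTML"))
    return findings

def build_sample_drive():
    """Constructed stand-in for an infected USB drive (demo data only)."""
    d = Path(tempfile.mkdtemp())
    (d / "autorun.inf").write_text("[autorun]\n")
    (d / "RECYCLER").mkdir()
    (d / "RECYCLER" / "k3x9q.exe").write_bytes(b"MZ")  # random name, dummy content
    # An HTML page with a UTF-16 VBScript tail, as the post's Demo.html was
    tail = "<script language=\"vbscript\">'%RECYCLER%autorun.inf%</script>"
    (d / "Demo.html").write_bytes(
        b"<html><body>hello</body></html>\n" + tail.encode("utf-16"))
    (d / "clean.html").write_text("<html><body>ok</body></html>\n")
    return d

if __name__ == "__main__":
    for path, reason in scan_tree(build_sample_drive()):
        print(f"{reason}: {path}")
```

Point scan_tree at the mount point of a suspect drive from a clean environment (such as the PE boot disk the post used) and treat any finding as a reason to image the drive rather than open its files.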
CodePudding user response:
Virus.VBS.Writebin.A: I have this virus now. I killed it and killed it again and still don't know how to solve it.
CodePudding user response:
Have you tried the 360 First Aid Kit?