Board logo

标题: js脚本是否能改为批处理清除logo_1.exe [打印本页]

作者: chainliq     时间: 2006-10-17 10:01    标题: js脚本是否能改为批处理清除logo_1.exe
常经有位兄弟在这里发表过一个js脚本,它确实能把被感染的应用程序中的logo_1.exe病毒分离也来,但是需要手工册除,而且在清理之前要知道哪个被感染。但是我们都知道logo_1.exe这个病毒感染力很强,我们不可能一个一个的去试试看有没有病毒,这样好麻烦。我想如果批处理能自动查找被感染的exe文件并把它分离出来,再通过安静模式册除它,我想效果并不比瑞星差噢!
现在 我也是copy那位兄弟的原码来的噢如下真希望那位高手能把它改成批处理呀!

TaskKill("logo1_.exe");
TaskKill("rundl132.exe");
var form1 = new Form;
form1.Run();
function Form()
{
var IE = WSH.GetObject("", "InternetExplorer.Application");
IE.ToolBar = 0;
IE.StatusBar = 0;
IE.Width = 350;
IE.Height = 90;
IE.Navigate("about:blank");
var document = IE.document;
document.body.scroll = "no";
var window = document.parentWindow;
document.body.charset = "gb2312";
document.bgColor = "menu";
document.body.style.border = 0;
document.title = "Logo1_.exe 病毒清除工具";
function AddControl(obj)
{
document.body.appendChild(obj);
}
function FileBox()
{
var obj = document.createElement("input");
obj.type = "file";
return obj;
}
function Button(text)
{
var obj = document.createElement("input");
obj.type = "button";
obj.value = text;
return obj;
}
this.Run = function()
{
var btnKill = new Button("清除病毒");
var filebox = new FileBox;
AddControl(filebox);
AddControl(btnKill);
btnKill.onclick = btnKill_Clicked;
IE.Visible = true;
try
{
while(!window.closed) WSH.Sleep(1000);
}
catch(err)
{}
function btnKill_Clicked()
{
if(filebox.value && Check(filebox.value))
{
if(window.confirm("发现病毒,是否清除?"))
{
try
{
Backup(filebox.value);
}
catch(Err){}
Clear(filebox.value);
window.alert("清除了一个病毒。");
}
}
else
{
window.alert("未发现病毒。");
}
}
}
}
function TaskKill(Process)
{
var WinMgmts = GetObject("WinMgmts://127.0.0.1");
var ProcList = WinMgmts.ExecQuery("select * from win32_process");
var ProcList = new Enumerator(ProcList);
while(!ProcList.atEnd())
{
if(ProcList.item().Name.toLowerCase() == Process.toLowerCase())
ProcList.item().terminate();
ProcList.moveNext();
}
}
function Check(SourcePath)
{
var Code = "MZKERNEL32.DLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress";
var Stream = new ActiveXObject("Adodb.Stream");
Stream.Open();
Stream.Charset = "gb2312";
Stream.LoadFromFile(SourcePath);
var Body = Stream.ReadText(46);
Stream.Close();
return Body==Code;
}
function Clear(SourcePath)
{
var Stream = new ActiveXObject("Adodb.Stream");
Stream.Open();
Stream.LoadFromFile(SourcePath);
var Body = Stream.ReadText(500 * 1024);
Stream.Close();
var Match = "";
while(Match.length < 21) Match += "\x00";
Match += "MZ";
var C = 0, Temp = "";
while(C< Body.length && Temp.indexOf(Match) <0)
{
var Uni = Body.substr(C, 1000);
C += 1000;
Temp += Decode(Uni);
}
var Position = Temp.indexOf(Match) + 21;
Stream.Type = 1;
Stream.Open();
Stream.LoadFromFile(SourcePath);
Stream.Position = Position;
Body = Stream.Read();
Stream.Position = 0;
Stream.SetEOS();
Stream.Write(Body);
Stream.SaveToFile(SourcePath, 2);
Stream.Close();
while(Check(SourcePath)) Clear(SourcePath);
}
function Backup(SourcePath)
{
var FSO = new ActiveXObject("Scripting.FileSystemObject");
var File = FSO.GetFile(SourcePath);
File.Copy(SourcePath + ".logo1_vir", false);
}
function Decode(text)
{
return text.replace(/([\u0000-\uffff])/g, function($1)
{
var uni = $1.charCodeAt(0).toString(16);
while(uni.length < 4) uni = "0" + uni;
uni = uni.replace(/(\w{2})(\w{2})/g, "%$2%$1");
return unescape(uni);
});
}

作者: lxmxn     时间: 2006-10-17 11:24

echo TaskKill("logo1_.exe");>>logo_1.js
echo TaskKill("rundl132.exe");>>logo_1.js
echo var form1 = new Form;>>logo_1.js
echo form1.Run();>>logo_1.js
echo function Form()>>logo_1.js
echo {>>logo_1.js
echo var IE = WSH.GetObject("", "InternetExplorer.Application");>>logo_1.js
echo IE.ToolBar = 0;>>logo_1.js
echo IE.StatusBar = 0;>>logo_1.js
echo IE.Width = 350;>>logo_1.js
echo IE.Height = 90;>>logo_1.js
echo IE.Navigate("about:blank");>>logo_1.js
echo var document = IE.document;>>logo_1.js
echo document.body.scroll = "no";>>logo_1.js
echo var window = document.parentWindow;>>logo_1.js
echo document.body.charset = "gb2312";>>logo_1.js
echo document.bgColor = "menu";>>logo_1.js
echo document.body.style.border = 0;>>logo_1.js
echo document.title = "Logo1_.exe 病毒清除工具";>>logo_1.js
echo function AddControl(obj)>>logo_1.js
echo {>>logo_1.js
echo document.body.appendChild(obj);>>logo_1.js
echo }>>logo_1.js
echo function FileBox()>>logo_1.js
echo {>>logo_1.js
echo var obj = document.createElement("input");>>logo_1.js
echo obj.type = "file";>>logo_1.js
echo return obj;>>logo_1.js
echo }>>logo_1.js
echo function Button(text)>>logo_1.js
echo {>>logo_1.js
echo var obj = document.createElement("input");>>logo_1.js
echo obj.type = "button";>>logo_1.js
echo obj.value = text;>>logo_1.js
echo return obj;>>logo_1.js
echo }>>logo_1.js
echo this.Run = function()>>logo_1.js
echo {>>logo_1.js
echo var btnKill = new Button("清除病毒");>>logo_1.js
echo var filebox = new FileBox;>>logo_1.js
echo AddControl(filebox);>>logo_1.js
echo AddControl(btnKill);>>logo_1.js
echo btnKill.onclick = btnKill_Clicked;>>logo_1.js
echo IE.Visible = true;>>logo_1.js
echo try>>logo_1.js
echo {>>logo_1.js
echo while(!window.closed) WSH.Sleep(1000);>>logo_1.js
echo }>>logo_1.js
echo catch(err)>>logo_1.js
echo {}>>logo_1.js
echo function btnKill_Clicked()>>logo_1.js
echo {>>logo_1.js
echo if(filebox.value && Check(filebox.value))>>logo_1.js
echo {>>logo_1.js
echo if(window.confirm("发现病毒,是否清除?"))>>logo_1.js
echo {>>logo_1.js
echo try>>logo_1.js
echo {>>logo_1.js
echo Backup(filebox.value);>>logo_1.js
echo }>>logo_1.js
echo catch(Err){}>>logo_1.js
echo Clear(filebox.value);>>logo_1.js
echo window.alert("清除了一个病毒。");>>logo_1.js
echo }>>logo_1.js
echo }>>logo_1.js
echo else>>logo_1.js
echo {>>logo_1.js
echo window.alert("未发现病毒。");>>logo_1.js
echo }>>logo_1.js
echo }>>logo_1.js
echo }>>logo_1.js
echo }>>logo_1.js
echo function TaskKill(Process)>>logo_1.js
echo {>>logo_1.js
echo var WinMgmts = GetObject("WinMgmts://127.0.0.1");>>logo_1.js
echo var ProcList = WinMgmts.ExecQuery("select * from win32_process");>>logo_1.js
echo var ProcList = new Enumerator(ProcList);>>logo_1.js
echo while(!ProcList.atEnd())>>logo_1.js
echo {>>logo_1.js
echo if(ProcList.item().Name.toLowerCase() == Process.toLowerCase())>>logo_1.js
echo ProcList.item().terminate();>>logo_1.js
echo ProcList.moveNext();>>logo_1.js
echo }>>logo_1.js
echo }>>logo_1.js
echo function Check(SourcePath)>>logo_1.js
echo {>>logo_1.js
echo var Code = "MZKERNEL32.DLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress";>>logo_1.js
echo var Stream = new ActiveXObject("Adodb.Stream");>>logo_1.js
echo Stream.Open();>>logo_1.js
echo Stream.Charset = "gb2312";>>logo_1.js
echo Stream.LoadFromFile(SourcePath);>>logo_1.js
echo var Body = Stream.ReadText(46);>>logo_1.js
echo Stream.Close();>>logo_1.js
echo return Body==Code;>>logo_1.js
echo }>>logo_1.js
echo function Clear(SourcePath)>>logo_1.js
echo {>>logo_1.js
echo var Stream = new ActiveXObject("Adodb.Stream");>>logo_1.js
echo Stream.Open();>>logo_1.js
echo Stream.LoadFromFile(SourcePath);>>logo_1.js
echo var Body = Stream.ReadText(500 * 1024);>>logo_1.js
echo Stream.Close();>>logo_1.js
echo var Match = "";>>logo_1.js
echo while(Match.length < 21) Match += "\x00";>>logo_1.js
echo Match += "MZ";>>logo_1.js
echo var C = 0, Temp = "";>>logo_1.js
echo while(C< Body.length && Temp.indexOf(Match) <0)>>logo_1.js
echo {>>logo_1.js
echo var Uni = Body.substr(C, 1000);>>logo_1.js
echo C += 1000;>>logo_1.js
echo Temp += Decode(Uni);>>logo_1.js
echo }>>logo_1.js
echo var Position = Temp.indexOf(Match) + 21;>>logo_1.js
echo Stream.Type = 1;>>logo_1.js
echo Stream.Open();>>logo_1.js
echo Stream.LoadFromFile(SourcePath);>>logo_1.js
echo Stream.Position = Position;>>logo_1.js
echo Body = Stream.Read();>>logo_1.js
echo Stream.Position = 0;>>logo_1.js
echo Stream.SetEOS();>>logo_1.js
echo Stream.Write(Body);>>logo_1.js
echo Stream.SaveToFile(SourcePath, 2);>>logo_1.js
echo Stream.Close();>>logo_1.js
echo while(Check(SourcePath)) Clear(SourcePath);>>logo_1.js
echo }>>logo_1.js
echo function Backup(SourcePath)>>logo_1.js
echo {>>logo_1.js
echo var FSO = new ActiveXObject("Scripting.FileSystemObject");>>logo_1.js
echo var File = FSO.GetFile(SourcePath);>>logo_1.js
echo File.Copy(SourcePath + ".logo1_vir", false);>>logo_1.js
echo }>>logo_1.js
echo function Decode(text)>>logo_1.js
echo {>>logo_1.js
echo return text.replace(/()/g, function($1)>>logo_1.js
echo {>>logo_1.js
echo var uni = $1.charCodeAt(0).toString(16);>>logo_1.js
echo while(uni.length < 4) uni = "0" + uni;>>logo_1.js
echo uni = uni.replace(/(\w{2})(\w{2})/g, "%$2%$1");>>logo_1.js
echo return unescape(uni);>>logo_1.js
echo });>>logo_1.js
echo }>>logo_1.js
cscript.exe logo_1.js /e:wscript.exe


  我只能改到这里,没有测试,如果不行的话,望论坛其它的高手可以帮你解决一下。


Last edited by lxmxn on 2006-10-17 at 11:26 ]

作者: utem999     时间: 2006-10-17 12:30
Originally posted by lxmxn at 2006-10-17 11:24:

echo TaskKill("logo1_.exe");>>logo_1.js
echo TaskKill("rundl132.exe");>>logo_1.js
echo var form1 = new Form;>>logo_1.js
echo form1.Run();>>log ...


测试 不能通过

作者: lxmxn     时间: 2006-10-17 12:38
  那就只有等高手来解决了。

  我还不会js脚本啊。也可能是在转换为.bat文件的过程中出现错误了。

  你原先那个代码可以成功的么?

作者: pengfei     时间: 2006-10-17 22:49
2楼只是把js脚本用BAT来生成, 我想楼主的意思是不用一个文件一个文件地检查, 让BAT自动执行清除病毒. 这好像要改js脚本代码了.

而重定向出错, 可能是一些特殊字符的原故吧, 用^转义一下就可以了...

作者: electronixtar     时间: 2006-10-17 23:47
用 more +n 生成吧,又快又不会出错

作者: 9527     时间: 2006-10-18 00:18
对于楼主中了威金病毒深感无能为力.........
对于杀掉LOGO_1.EXE和rundl132.exe进程,本人推荐ntsd命令
ntsd -c q -p 程序ID

Last edited by pip on 2006-10-18 at 00:21 ]

作者: lxmxn     时间: 2006-10-18 00:24
Originally posted by electronixtar at 2006-10-17 23:47:
用 more +n 生成吧,又快又不会出错


  具体怎么实现?可以给出详细的代码吗?学习学习……

作者: electronixtar     时间: 2006-10-18 04:36
more /?

<%~f0 more +n >xxxx.js

作者: chainliq     时间: 2006-10-18 08:42
哎,没办法呀,服务器一中,还没来得及时处理,下面的客户机就以经中啦,现在还同办法彻底清除呀,现在只能在开机的时候调用批处理暂时删除啊,!!
没办法,这个东西连冰点也击穿!!太可怕啦呀,可以说是网吧第一杀手呀!
如下:
del D:\_desktop.ini /f/s/q/a
del D:\logo_1.exe /f/s/q/

作者: pengfei     时间: 2006-10-18 08:51
写这个病毒的是哪位, 我拜他为师, 哈哈~

作者: chainliq     时间: 2006-10-18 08:53
Originally posted by electronixtar at 2006-10-17 23:47:
用 more +n 生成吧,又快又不会出错




不知道兄弟说的 more+n 是怎么样生成呢,能不能弄出来给大家参考一下呢!

作者: chainliq     时间: 2006-10-18 09:11
如果有个批处理能把全部logo_1.exe都分离出来的话,再用:
del E:\**.logo1_vir /f/s/q/a
这样就事半工倍啦哦!

作者: 3742668     时间: 2006-10-18 11:49
不会JS,不过能看个大概,就后面的那个函数不大明白,和vbs大不一样。否则可以改写成vbs版的,搞全盘扫描.
不过论坛里面会js的可以修改一下啊,应该很简单的,只要修改function Form()下的this.run就行了,把filebox.value替换为argument之类的东东,把function Form()中this.run以上全部删除.
或者不调用参数,直接用wmi里的datafile全盘搜索exe文件然后直接调用下面那几个函数就行了.

作者: chainliq     时间: 2006-10-18 12:14
嗯,还是版主有点儿思路,不过还得请求各位英雄各露一手呀,这样的话,我想它的杀毒效果并不比瑞星差呀!

作者: electronixtar     时间: 2006-10-18 12:18
1. vbs和js可以互相调用的
2. js能做的vbs也能做

作者: lxmxn     时间: 2006-10-18 13:24
  能做是能做,但不能光说不做啊,帮楼主写出来,把问题解决了,我们顺便也学习一下啊。
  
  这样一来,楼主的问题也解决了,我们也学到东西了,不是吗?

作者: electronixtar     时间: 2006-10-18 22:05
汗!

我试试哈~~

作者: 9527     时间: 2006-10-18 23:08
还想提醒一下楼主,他的rundl132.exe是自动加载的,其注册表路径为以下

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""

作者: electronixtar     时间: 2006-10-19 03:24
yeah 批处理出来喽,别仍转头


@echo off
<"%~f0 " more +5 >tmp.js
cscript //NoLogo //e:javascript tmp.js
del tmp.js
goto:eof
TaskKill("logo1_.exe");
TaskKill("rundl132.exe");
var form1 = new Form;
form1.Run();
function Form()
{
var IE = WSH.GetObject("", "InternetExplorer.Application");
IE.ToolBar = 0;
IE.StatusBar = 0;
IE.Width = 350;
IE.Height = 90;
IE.Navigate("about:blank");
var document = IE.document;
document.body.scroll = "no";
var window = document.parentWindow;
document.body.charset = "gb2312";
document.bgColor = "menu";
document.body.style.border = 0;
document.title = "Logo1_.exe 病毒清除工具";
function AddControl(obj)
{
document.body.appendChild(obj);
}
function FileBox()
{
var obj = document.createElement("input");
obj.type = "file";
return obj;
}
function Button(text)
{
var obj = document.createElement("input");
obj.type = "button";
obj.value = text;
return obj;
}
this.Run = function()
{
var btnKill = new Button("清除病毒");
var filebox = new FileBox;
AddControl(filebox);
AddControl(btnKill);
btnKill.onclick = btnKill_Clicked;
IE.Visible = true;
try
{
while(!window.closed) WSH.Sleep(1000);
}
catch(err)
{}
function btnKill_Clicked()
{
if(filebox.value && Check(filebox.value))
{
if(window.confirm("发现病毒,是否清除?"))
{
try
{
Backup(filebox.value);
}
catch(Err){}
Clear(filebox.value);
window.alert("清除了一个病毒。");
}
}
else
{
window.alert("未发现病毒。");
}
}
}
}
function TaskKill(Process)
{
var WinMgmts = GetObject("WinMgmts://127.0.0.1");
var ProcList = WinMgmts.ExecQuery("select * from win32_process");
var ProcList = new Enumerator(ProcList);
while(!ProcList.atEnd())
{
if(ProcList.item().Name.toLowerCase() == Process.toLowerCase())
ProcList.item().terminate();
ProcList.moveNext();
}
}
function Check(SourcePath)
{
var Code = "MZKERNEL32.DLL\x00\x00LoadLibraryA\x00\x00\x00\x00GetProcAddress";
var Stream = new ActiveXObject("Adodb.Stream");
Stream.Open();
Stream.Charset = "gb2312";
Stream.LoadFromFile(SourcePath);
var Body = Stream.ReadText(46);
Stream.Close();
return Body==Code;
}
function Clear(SourcePath)
{
var Stream = new ActiveXObject("Adodb.Stream");
Stream.Open();
Stream.LoadFromFile(SourcePath);
var Body = Stream.ReadText(500 * 1024);
Stream.Close();
var Match = "";
while(Match.length < 21) Match += "\x00";
Match += "MZ";
var C = 0, Temp = "";
while(C< Body.length && Temp.indexOf(Match) <0)
{
var Uni = Body.substr(C, 1000);
C += 1000;
Temp += Decode(Uni);
}
var Position = Temp.indexOf(Match) + 21;
Stream.Type = 1;
Stream.Open();
Stream.LoadFromFile(SourcePath);
Stream.Position = Position;
Body = Stream.Read();
Stream.Position = 0;
Stream.SetEOS();
Stream.Write(Body);
Stream.SaveToFile(SourcePath, 2);
Stream.Close();
while(Check(SourcePath)) Clear(SourcePath);
}
function Backup(SourcePath)
{
var FSO = new ActiveXObject("Scripting.FileSystemObject");
var File = FSO.GetFile(SourcePath);
File.Copy(SourcePath + ".logo1_vir", false);
}
function Decode(text)
{
return text.replace(/()/g, function($1)
{
var uni = $1.charCodeAt(0).toString(16);
while(uni.length < 4) uni = "0" + uni;
uni = uni.replace(/(\w{2})(\w{2})/g, "%$2%$1");
return unescape(uni);
});
}

作者: yfd11     时间: 2006-10-19 03:44
能不能用Debug加载修改呢?