banner
阿珏酱

阿珏酱

乘上与平常相反的电车,去看看那未曾见过的风景
twitter
github
facebook
bilibili
zhihu
steam_profiles
youtube
HomeArchives友人帐留言板投喂❤关于我

Programmer Daily Virus Series

23
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
This article discusses a virus that infects HTML and DLL files, causing them to display a specific code. The virus injects code into the svchost.exe process, spreading to other files when opened. The author used an antivirus program to remove the virus, but had to manually delete some code. The virus does not pose a serious threat, but can cause software to be flagged as infected. The article also includes comments from readers suggesting using Tencent Security Manager for virus removal.

Tips: When you see this prompt, it means that the current article has been migrated from the original emlog blog system. The publication time of the article is too long ago, and the formatting and content may not be complete. Please understand.

Virus Series in Programmer's Daily Life

Date: 2017-5-4 Ajue Talks and Chats Views: 2947 Comments: 3


DropFileName = "svchost.exe" Problem Solution

Here's the thing, a friend sent me the source code to take a look at it. I accidentally clicked on an exe file inside, and a network request popped up. I quickly closed it, but then I found that there was an executable file disguised as a system music folder in the same directory. I felt that something was wrong, but I couldn't be sure. Later, when I tried to delete the entire folder, it prompted that a program was still using it.

I left it there for the time being and didn't pay much attention to it. Two or three hours later, I noticed that the computer was responding slower and the physical memory usage was high. So I restarted the computer.

After that, I wanted to write some code, so I opened an HTML file and found a big problem. All the HTML files on my computer were messed up (as shown in the figure below). Now I can be sure that it is indeed infected with a virus.


Then I immediately downloaded 360 again and performed a full scan and kill on the computer (don't ask me why I downloaded 360). A computer that has been running without antivirus software for a long time is bound to have one or two incidents.

After a single test, I found that 360 only deletes the virus code, but not the file itself. However, the commented-out code at the bottom will not be deleted. In the end, I still have to manually deal with it again. Although there won't be any major problems if I don't handle it, I have OCD, so it's a pain ( ╯▽╰)



Code principle (function):
This script code is a vbs language virus. After being infected with this virus, you will find that all your local HTML documents will have a string of characters like this, not only HTML documents, but also DLL documents will be infected. Of course, don't panic too much about this virus, because it only destroys files and does not have any harm such as uploading privacy or stealing accounts.
The general meaning of this code is to find the svchost.exe process and inject data to run. The injected code is the binary code behind it. What makes this virus different from other viruses is that this vbs virus has a very strong infection ability. Once an HTML file is infected, whenever the user opens an HTML document, the virus will run the code above, causing the virus to directly infect all HTML files and DLL files on the local computer.
Indeed, DLL files will also be infected, causing some software to function normally, but antivirus software will report a virus. And you will find that many commonly used software will report viruses when you run them, such as previously commonly used Thunder and Cool Dog. I was very surprised at that time. How could Thunder, which was downloaded from the official website, report a virus? So the reason here is that the vbs virus infected the DLL in the installation files of software such as Thunder, so antivirus software keeps reporting viruses, and the name of the virus reported is vbs script virus.
Note: The images in the article have been taken away by aliens.

User Comments:

image Yang Xiaojie's Blog 3 years ago (2018-05-21)
I guess you need Tencent Security Manager:
First aid kit, document guardian, vulnerability repair, and scam information query. Upgrade the four security capabilities,
Comprehensively guard security, make you fearless.
Self-developed antivirus engine, leading international capabilities, repeatedly certified by international evaluations, and crowned in hacker competitions.
Can't remove stubborn viruses? Open the manager toolbox, go to the "System" category, and find the system first aid kit.
The manager's first aid kit uses self-built virtual system technology to deeply kill stubborn viruses at the system level. The operation is simple, just restart once to get it done!
When a document is accidentally deleted, you can open the document recovery function. At this time, the file list will display the recently deleted documents. Find the file you want, check it, click start restore, then select a top export path, and click confirm restore to get it done!

image Rabbit 4 years ago (2017-08-18)
Looks very scary...

image Ajue 4 years ago (2017-08-18)
@Rabbit: Young hero, don't you leave your identity when leaving a message?

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.