SoFunction
Updated on 2025-04-14

A simple HTML virus analysis

Updated: October 28, 2006 00:00:00 Author:
I have wanted to write this article for a long time. At work I kept telling myself I would do it, then didn't; once I got home I was busy playing games and put it aside. Now I am writing it instead of doing my job, hoping my boss doesn't know about my blog. Haha.

I became interested in HTML viruses a long time ago. I was curious how an executable file could be downloaded to the local machine without permission, but I never had the chance to get the original ASP code, so any analysis I did was out of context. Recently a friend told me that while he was reading a web page his antivirus warned of a virus, and told me to be careful (thanks to him first). It occurred to me to open FlashGet and download the home page of the site that carried the virus. After a quick look I found a hidden floating frame in the last few lines of the home page code. The URL it referenced was not local, which felt like the right lead, so I used FlashGet again and followed it. It turned out that the space where the virus was hosted did not support ASP, so the ASP file I downloaded came down as source. With my interest piqued, I downloaded all the files related to the virus in a few more steps. Since the virus is very simple, I only excerpt some fragments here. If you are really interested you may stumble across a page carrying a virus yourself; don't read it with IE, though. Download it with FlashGet or another download tool and open it in Notepad. Otherwise, if you get hit, don't come to me.

OK, the main text begins. The real virus consists of three files: a boot file, a download file, and an activation file. The key part of the first file, the boot file, is: This function references the download file and the activation file and runs them as objects of the page. This is also the key point that lets the virus file infect the local machine.

In the referenced file, it can reference the client's ActiveX component without any obstacle. That is the blade it cuts with. The second file downloads the exe virus file; the question is how to download an exe without popping up the download prompt box. The job of this file is to fetch the file for download. The method this virus uses is a server-side component together with = "image/gif", so that the virus file is downloaded to the client's web cache in image format (this is a very simple Get/BinaryWrite operation, so I won't go into details). The third file is activation, and the activation process is quite clever. The virus first uses FSO to generate an hta file under c:\ and writes the activation steps into that file, then runs it. This way, operations that need high privileges during activation (such as writing to the registry) are no problem. The concrete steps are: move the virus file from the web cache directory to the system file directory and change the name to. Write the self-start key into the registry so the virus starts automatically after the system restarts, then delete the hta file, and infection and activation are complete. That is the basic operating process of the virus (by convention I won't mention the destructive part). But what use is this to us? I actually hate this virus, but the download and activation processes can still be put to use. For example: the system you are working on must download some components and activate them before it can be used. For someone who understands this it is no problem, but if you are facing a user who hasn't figured out anything about the network, I guess the system will blow up before it is even in use and your phone will start ringing. If you borrow this method and, with the other party's permission, download the components and activate them automatically, that saves you a lot of trouble, doesn't it?
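The two stages described above (a hidden floating frame pointing off-site, and an executable served as image/gif into the web cache) are both visible to a defender in the page source and in the response headers. The following is an added example, not code from the original article: a small checker that flags hidden or off-site frames in saved HTML and spots an image response that actually carries a PE/DOS header. The sample page, host names and bytes are constructed for the demonstration.

```python
import re

# Constructed sample page in the shape the article describes: one normal
# frame plus hidden frames that load content from other hosts.
# Host names and paths here are made up for the example.
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="/weather.html" width="600" height="400"></iframe>
<iframe src="http://attacker.invalid/boot.asp" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://cdn.example.test/ad.html" style="display: none"></iframe>
</body></html>"""

# Constructed sample of what the download stage returns: a GIF content type
# on a body that begins with the PE/DOS "MZ" magic, i.e. an exe in disguise.
SAMPLE_GIF_TYPE = "image/gif"
SAMPLE_GIF_BODY = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def _attrs(tag_body):
    """Parse the attributes of one tag into a lower-cased name -> value dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}

def find_suspicious_frames(html, site_host):
    """Return [(src, [reasons])] for frames that are hidden or load off-site."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        src, reasons = a.get("src", ""), []
        if a.get("width", "").rstrip("px%") in ("0", "1") or \
           a.get("height", "").rstrip("px%") in ("0", "1"):
            reasons.append("zero-size frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        host = re.match(r"https?://([^/:]+)", src, re.I)
        if host and host.group(1).lower() != site_host.lower():
            reasons.append("off-site source")
        if reasons:
            hits.append((src, reasons))
    return hits

def disguised_executable(content_type, body):
    """True when a response claims to be an image but starts with a PE/DOS header."""
    return content_type.split(";")[0].strip().lower().startswith("image/") \
        and body[:2] == b"MZ"

if __name__ == "__main__":
    for src, why in find_suspicious_frames(SAMPLE_HTML, "news.example.test"):
        print(src, "->", ", ".join(why))
    print("disguised exe:", disguised_executable(SAMPLE_GIF_TYPE, SAMPLE_GIF_BODY))
```

The same two checks can be run over a proxy's saved responses: the frame check on text/html bodies and the magic-byte check on anything served with an image content type.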
This method is convenient for small files, however. If you want to download files above 1m... you need to consider multi-threaded downloading, which is of course outside the scope of this article. I will talk about how to use ASP+XML to implement multi-threaded web upload and download in the future.