I did not have the ASP source code before, so I did not dare to analyze why an executable could be downloaded from a remote server to the local machine without the user's permission. Recently I heard that antivirus firewalls raise virus alerts simply when a web page is viewed, so let's analyze HTML viruses.
After a quick look I found a hidden floating frame (iframe) in the first few lines of the home page's source. The URL it referenced was not local, which felt like the thing to chase, so I used FlashGet again to fetch it. It turned out that the hosting space where the virus was placed does not support ASP, so the ASP file I downloaded was the raw source. That got me interested, and in a few more steps I downloaded all of the virus's related files.
Since this virus is very simple, I have only copied a few fragments. If you are really interested, you may well stumble onto an infected web page yourself. Just don't open it in IE: fetch it with FlashGet or another download tool and open it in Notepad. Otherwise, if you get infected, don't come to me. OK, on to the main text.
The actual virus consists of three files: a boot (loader) file, a download file, and an activation file.
The first file: the boot file
The key part is:
The function of this part is to reference the download file and the activation file as objects of the page and run them. This is also the key to how the virus gets onto the local machine: the referenced files can reference the client's ActiveX components without any obstacle. Yes, that is the knife.
The second file: downloading the exe virus file
So how does it download the exe without IE popping up the download prompt box? That is the job of the download file.
The method this virus uses is the Microsoft.XMLHTTP component on the client together with Response.ContentType = "image/gif" on the server side, so the virus file is delivered as if it were an image and lands in the client's web cache without a prompt (on the server this is a very simple GET and Response.BinaryWrite, so I won't go into details).
The third file: activation
I think the activation process is quite clever. The virus first uses FSO (Scripting.FileSystemObject) to create an .hta file under C:\ and writes the activation steps into it, then uses WScript.Shell to run that file. An HTA runs outside the browser's security zone, so operations that need higher privileges during activation (such as writing to the registry) are no problem.
The specific steps are: move the virus file from the web cache directory into the system directory and rename it to win.exe; write an auto-start key into the registry so the virus starts automatically after the system restarts; then delete the .hta file. Infection and activation are then complete.
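The whole download trick rests on the server lying about the content type, so the obvious check on a proxy, download filter or IDS is to compare the declared Content-Type with the body's magic bytes. The following is an added example (not code from the article or from the virus): it recognises a Windows PE file from its MZ header and the PE signature at the e_lfanew offset, and flags any "image" that is really an executable. The header dictionaries and byte strings are constructed samples, not captured traffic.

```python
"""Compare an HTTP response's declared Content-Type with its body's magic bytes.

Added example for the image/gif disguise described in the article. The
samples at the bottom are constructed, not real captures.
"""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
MZ_MAGIC = b"MZ"


def is_pe_executable(body: bytes) -> bool:
    """True if body looks like a Windows PE file: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or not body.startswith(MZ_MAGIC):
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def declared_type(headers: dict) -> str:
    """Return the Content-Type media type: case-folded, parameters stripped."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""


def classify(headers: dict, body: bytes) -> str:
    """Describe how the body relates to what the server claims it is."""
    ctype = declared_type(headers)
    pe = is_pe_executable(body)
    if ctype.startswith("image/"):
        if pe:
            return "executable disguised as image"
        if ctype == "image/gif" and not body.startswith(GIF_MAGICS):
            return "declared gif, body is not a gif"
        return "ok"
    # Outside the image case an executable is at least honestly labelled;
    # the browser would show its download prompt for it.
    return "executable" if pe else "ok"


def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS stub + 'PE\\0\\0' at 0x40."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> just past the stub
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed responses: the disguise from the article, a real GIF, and an
# executable served with an honest content type.
SAMPLES = {
    "disguised_exe": ({"Content-Type": "image/gif"}, fake_pe()),
    "real_gif": ({"Content-Type": "image/gif"}, b"GIF89a" + b"\x00" * 10),
    "honest_exe": ({"Content-Type": "application/octet-stream"}, fake_pe()),
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify(h, b) for name, (h, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```

The PE check deliberately requires the `PE\0\0` signature rather than just `MZ`, because a bare `MZ` prefix also appears in old DOS executables and in some data files; the e_lfanew lookup is what makes the verdict reliable.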
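The article's own advice is to fetch a suspect page with a download tool and read it in Notepad rather than in IE. The following is an added example (not code from the article or the virus) that automates that reading for the three-stage chain just described: it finds hidden or off-site iframes in the loader page and greps the inline scripts for the components each stage needs (Microsoft.XMLHTTP, Scripting.FileSystemObject, an .hta file, WScript.Shell, RegWrite and a CurrentVersion\Run key). The two HTML strings at the bottom are constructed samples, and the host names in them are placeholders.

```python
"""Static triage of a saved HTML page for the iframe -> XMLHTTP -> HTA -> Run-key chain.

Added example. The indicators are the components named in the article;
the sample pages are constructed and use placeholder host names.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# One indicator per stage of the chain described in the article.
INDICATORS = {
    "xmlhttp download": re.compile(r"Microsoft\.XMLHTTP", re.I),
    "filesystem object": re.compile(r"Scripting\.FileSystemObject", re.I),
    "hta dropper": re.compile(r"\.hta\b", re.I),
    "wscript shell": re.compile(r"WScript\.Shell", re.I),
    "registry write": re.compile(r"\bRegWrite\b", re.I),
    "run key": re.compile(r"CurrentVersion\\+Run", re.I),
}


class PageTriage(HTMLParser):
    """Collect suspicious iframes and the text of every inline script."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def _check_iframe(self, a):
        src = a.get("src", "")
        style = a.get("style", "").lower().replace(" ", "")
        hidden = (
            a.get("width", "").strip() in ("0", "0px")
            or a.get("height", "").strip() in ("0", "0px")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host != self.page_host
        if hidden and offsite:
            self.findings.append(f"hidden off-site iframe -> {src}")
        elif hidden:
            self.findings.append(f"hidden iframe -> {src}")
        elif offsite:
            self.findings.append(f"off-site iframe -> {src}")

    def finish(self) -> list:
        """Run the component indicators over all collected script text."""
        text = "\n".join(self._script_text)
        for name, rx in INDICATORS.items():
            if rx.search(text):
                self.findings.append(f"script uses {name}")
        return self.findings


def triage(html: str, page_host: str) -> list:
    """Return the list of findings for a page served from page_host."""
    p = PageTriage(page_host)
    p.feed(html)
    p.close()
    return p.finish()


# Constructed loader page with the indicators all on one page; real samples
# split them across the three files, so run triage() over each file fetched.
SAMPLE_PAGE = r"""<html><body><p>Welcome</p>
<iframe src="http://example.invalid/boot.htm" width="0" height="0"></iframe>
<script language="JScript">
var x = new ActiveXObject("Microsoft.XMLHTTP");
</script>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("c:\run.hta")
Set sh = CreateObject("WScript.Shell")
sh.RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\win", "win.exe"
</script></body></html>"""

CLEAN_PAGE = "<html><iframe src='/ad.htm' width='300'></iframe></html>"

if __name__ == "__main__":
    for finding in triage(SAMPLE_PAGE, "www.example.test"):
        print(finding)
```

Run it over every file fetched from the suspect site, not just the landing page: as the article notes, the loader only references the download and activation files, so the XMLHTTP and HTA indicators appear in those, while the landing page usually shows nothing more than the hidden iframe.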
That is the virus's basic operating procedure (by convention I won't describe its destructive payload). But what use is this to us? Frankly I hate this virus, but the download and activation steps are still worth borrowing. For example, the system you are building may require the user to download some components and activate them before it can be used. That is no problem for people who understand it, but if your users don't know the first thing about networking, I suspect your phone will be ringing off the hook before they ever get the system running. If you borrow this method and download and activate the components automatically, once the other party has allowed it, it saves you a lot of trouble, doesn't it?
However, this method is only convenient for small files. If you want to download files above 1 MB... you need to consider multi-threaded downloading, which is outside the scope of this article. I will cover how to implement multi-threaded web upload and download with ASP+XML in the future.
That is the whole of this article. I hope it is of some help to your study or work. If you have any questions, leave a message and we can discuss them. Thank you for your support!