快乐黄口狮
发表于:
2007-04-29 10:56
百度和GOOGLE乱码病毒的VBS专杀
近期出现一种病毒,通过局域网内的 ARP 欺骗劫持用户与正常服务器之间的会话,并在返回的网页中插入恶意代码。后果是:用户正常访问这些网站(百度、Google 等)时,会被诱导下载病毒和木马程序,或被跳转到其它网页;国内已有部分知名网站受到影响。傍晚拿到样本后写了这个 VBS 专杀:把以下代码复制到新建的记事本里,把扩展名改为 .vbs 即可运行,已测试成功;最好在断网环境下运行。脚本沿用了 ycosxhack 的模版。PS:已修改并调试过,在安全模式下运行即可清除干净。注意:(1) ARP 劫持发生在局域网上,清理本机只能删除已被下载的木马,并不能消除正在投毒的那台机器,还需要在网关/客户端绑定 MAC 并找出发起 ARP 攻击的主机;(2) 本专杀只按固定的文件名、注册表项和 CLSID 匹配,变种会被漏掉;(3) 脚本会删除所有盘符(含网络盘)根目录下的 autorun.inf,并会改写 Winlogon\Userinit 键值,运行前请核对脚本中写入的 userinit.exe 路径与本机系统目录一致。
on error resume next
msgbox "本专杀由[G-AVR]Gryesign提供---http://hi.baidu.com/greysign",64,"搜索引擎乱码病毒专杀,请在安全模式下运行"
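'-----------------Malware process termination module begin-----------------
' Terminate the dropped processes by exact image name through WMI.
' Change versus the original: one WMI connection and one loop over the name
' list instead of nine copy-pasted query/terminate blocks.
' NOTE(review): the script runs under On Error Resume Next, so a failed
' GetObject("winmgmts:") silently skips this whole module -- confirm the WMI
' service is available in the boot mode you run this in (the author
' recommends safe mode).
On Error Resume Next
Set wmiSvc = GetObject("winmgmts:")
killNames = Array("fyso.exe", "jtso.exe", "mhso.exe", "qjso.exe", "wgso.exe", _
                  "wlso.exe", "wmso.exe", "woso.exe", "ztso.exe")
For Each killName In killNames
    ' The WQL filter matches the image name only; the on-disk path is not
    ' checked, so a same-named process from any location is terminated.
    Set procs = wmiSvc.ExecQuery("SELECT * FROM Win32_Process WHERE Name='" & killName & "'")
    For Each proc In procs
        proc.Terminate
    Next
Next
'-----------------Malware process termination module end-----------------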
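'-----------------Malware file deletion module begin-----------------
' Remove the dropped executables/DLLs from %TEMP% and the BinNice plug-in from
' the Internet Explorer PLUGINS directory.
' Fixes versus the original:
'  - paths are expanded by WScript.Shell and handed to FileSystemObject instead
'    of an unquoted "cmd.exe /C del %temp%\..." -- a TEMP path containing
'    spaces would have been split into several arguments by del;
'  - attributes are cleared and the delete is forced for EVERY file (the
'    original did "attrib -a -s -h -r" only for BinNice.*); a plain del skips
'    read-only files without /f and hidden/system files without /a;
'  - the IE PLUGINS path is also built from %ProgramFiles%; the original 8.3
'    alias c:\progra~1\Intern~1 is kept as a second candidate (presumably it
'    resolves to "Internet Explorer" -- both spellings are tried).
' Note: smss.exe, svchost.exe and IEXPLORE.EXE are deleted ONLY from %TEMP%;
' the genuine system binaries of those names are not touched by this module.
On Error Resume Next
Dim objShell
Set objShell = WScript.CreateObject("WScript.Shell")
Set delFso = CreateObject("Scripting.FileSystemObject")

tempDir = objShell.ExpandEnvironmentStrings("%TEMP%")
progDir = objShell.ExpandEnvironmentStrings("%ProgramFiles%")

' Best-effort delete of one file: clear hidden/system/read-only attributes
' (mirrors "attrib -a -s -h -r"), then force-delete. Missing files are skipped;
' any other failure is swallowed by the script-wide On Error Resume Next.
Sub RemoveDroppedFile(path)
    If delFso.FileExists(path) Then
        Set dropped = delFso.GetFile(path)
        dropped.Attributes = 0
        delFso.DeleteFile path, True
    End If
End Sub

' Each dropper name comes as <name>.exe plus a companion <name>0.dll in %TEMP%.
dropNames = Array("fyso", "jtso", "mhso", "qjso", "wgso", "wlso", "wmso", "woso", "ztso")
For Each baseName In dropNames
    RemoveDroppedFile tempDir & "\" & baseName & ".exe"
    RemoveDroppedFile tempDir & "\" & baseName & "0.dll"
Next

' Copies using system-binary names that the malware drops into %TEMP%.
RemoveDroppedFile tempDir & "\smss.exe"
RemoveDroppedFile tempDir & "\svchost.exe"
RemoveDroppedFile tempDir & "\IEXPLORE.EXE"

' BinNice plug-in DLL and its backup, under both spellings of the PLUGINS path.
pluginDirs = Array(progDir & "\Internet Explorer\PLUGINS", "c:\progra~1\Intern~1\PLUGINS")
For Each pluginDir In pluginDirs
    RemoveDroppedFile pluginDir & "\BinNice.bak"
    RemoveDroppedFile pluginDir & "\BinNice.dll"
Next
'-----------------Malware file deletion module end-----------------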
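'-----------------Per-drive root autorun.inf removal module begin-----------------
' Delete autorun.inf from the root of every removable (1), fixed (2),
' network (3) and CD-ROM (4) drive -- the drive types the original author chose.
' Fixes versus the original: the drive is checked for readiness and the file for
' existence before GetFile, so a not-ready drive (empty floppy/CD tray) no longer
' raises, and a failed GetFile no longer leaves the previous iteration's file
' object in the loop variable. Deleting from a CD-ROM still fails and is
' ignored, as before.
' CAUTION: the file is not inspected -- a legitimate autorun.inf on a mapped
' network share or a vendor USB stick is removed as well. On Error Resume Next
' (in effect for the whole script) keeps the module best-effort.
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
For Each drv In fso.Drives
    driveKind = drv.DriveType
    If driveKind = 1 Or driveKind = 2 Or driveKind = 3 Or driveKind = 4 Then
        If drv.IsReady Then
            autorunPath = drv.DriveLetter & ":\autorun.inf"
            If fso.FileExists(autorunPath) Then
                Set autorunFile = fso.GetFile(autorunPath)
                ' Clear hidden/system/read-only so Delete succeeds.
                autorunFile.Attributes = 0
                autorunFile.Delete True
            End If
        End If
    End If
Next
'-----------------Per-drive root autorun.inf removal module end-----------------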
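'-----------------Registry repair module begin-----------------
On Error Resume Next
Set reg = WScript.CreateObject("WScript.Shell")

' Recursively delete a registry key and everything below it via WMI StdRegProv.
' hive:    HKEY_* root constant (&H80000000 = HKEY_CLASSES_ROOT,
'          &H80000002 = HKEY_LOCAL_MACHINE)
' keyPath: subkey path without a leading backslash
' Errors are swallowed by the script-wide On Error Resume Next.
Sub DeleteRegKeyTree(hive, keyPath)
    Set stdReg = GetObject("winmgmts:root\default:StdRegProv")
    stdReg.EnumKey hive, keyPath, subKeys
    If IsArray(subKeys) Then
        For Each subKey In subKeys
            DeleteRegKeyTree hive, keyPath & "\" & subKey
        Next
    End If
    stdReg.DeleteKey hive, keyPath
End Sub

' 1. Restore the Explorer "show hidden files" settings
'    (SHOWALL / NOHIDDEN under Explorer\Advanced\Folder\Hidden).
advHidden = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\"
reg.RegWrite advHidden & "SHOWALL\CheckedValue", 1, "REG_DWORD"
reg.RegWrite advHidden & "SHOWALL\DefaultValue", 2, "REG_DWORD"
reg.RegWrite advHidden & "NOHIDDEN\CheckedValue", 2, "REG_DWORD"
reg.RegWrite advHidden & "NOHIDDEN\DefaultValue", 2, "REG_DWORD"

' 2. Reset Winlogon\Userinit to the genuine userinit.exe. The original wrote the
'    hard-coded string "C:\WINDOWS\system32\userinit.exe,"; on a machine whose
'    Windows directory is not C:\WINDOWS (another drive, or \WINNT) that value
'    points at a file that does not exist and breaks interactive logon. The path
'    is therefore built from %SystemRoot%. The trailing comma is part of the
'    value's format and must stay.
sysRoot = reg.ExpandEnvironmentStrings("%SystemRoot%")
reg.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", _
             sysRoot & "\system32\userinit.exe,", "REG_SZ"

' 3. Remove the BinNice shell-execute hook. WshShell.RegDelete cannot remove a
'    key that still has subkeys (a CLSID registration typically has
'    InprocServer32 below it), and the original path without a trailing
'    backslash was treated as a value name anyway, so the original delete of
'    the CLSID key silently failed. The key tree is removed recursively instead.
'    The ShellExecuteHooks entry is a VALUE named after the GUID, so RegDelete
'    handles it.
hookClsid = "{06E6B6B6-BE3C-6E23-6C8E-B833E2CE63B8}"
DeleteRegKeyTree &H80000000, "CLSID\" & hookClsid
reg.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\" & hookClsid

' 4. Remove the per-dropper autostart values under HKLM\...\Run.
runKey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"
For Each runName In Array("wosa", "ztsa", "fysa", "jtsa", "mhsa", "qjsa", "wgsa", "wlsa", "wmsa")
    reg.RegDelete runKey & runName
Next
'-----------------Registry repair module end-----------------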
'-----------------System file restore module begin-----------------
' (Empty in this version: the marker pair appears to be a placeholder; nothing
'  is restored here.)
'-----------------System file restore module end-----------------
' Final notice to the user.
' NOTE(review): this is shown unconditionally -- with On Error Resume Next in
' effect, every failed step above is silent, so "success" here only means the
' script ran to the end, not that every item was actually removed.
MsgBox "病毒清除成功,请重启电脑!", vbInformation, "搜索引擎乱码病毒专杀"