reper病毒vbs查杀工具


关键词

reper病毒vbs查杀工具

摘要

这个病毒是我们学校一个无聊的家伙改的别人的代码写出来的,瑞星把它定名成:"推销员变种b(Trojan.Reper.b)"。没劲,分析得很不透彻,我早就用VBS写了一个专杀,出了三个版本了。现在把代码放上来吧,也算是我的头一个原创了......


源代码:

' ----------------------------------------------------------
'          Damn Reper v1.2 (For Windows 2000/2003/XP)
'              Code by (C) Liontooth 13/12/2004
'               Despise the author of "reper"!
' ----------------------------------------------------------

这个病毒是我们学校一个无聊的家伙改的别人的代码写出来的,瑞星把它定名成:"推销员变种b(Trojan.Reper.b)"。没劲,分析得很不透彻,我早就用VBS写了一个专杀,出了三个版本了。现在把代码放上来吧,也算是我的头一个原创了......

源代码:

' ----------------------------------------------------------
'          Damn Reper v1.2 (For Windows 2000/2003/XP)
'              Code by (C) Liontooth 13/12/2004
'               Despise the author of "reper"!
' ----------------------------------------------------------


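' --- Start-up: ask for confirmation, then create the helper objects -------
' Welcome() reads these two globals for its prompt text and window title.
L_Welcome_MsgBox_Message_Text    = "是否运行Reper专杀工具?"
L_Welcome_MsgBox_Title_Text      = "Damn Reper v1.2"
Call Welcome()

' Best-effort clean-up: from here on a failing statement (file already gone,
' access denied, ...) is skipped instead of aborting the script.
' Consequence: no failure is ever reported, so the closing message box does
' not prove that every artefact was actually removed.
On error resume next

Set objfso = CreateObject("Scripting.FileSystemObject")
Set objNetwork = CreateObject("Wscript.Network")
set sysroot = objfso.getspecialfolder(0)   ' 0 = Windows folder
set sys32 = objfso.getspecialfolder(1)     ' 1 = System folder
set coldrives = objfso.drives
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
   & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' --- Terminate the malware's processes ------------------------------------
' These image names are terminated purely by name, wherever they run from.
arrImageNames = Array("reper.exe", "system.exe", "tsoner.exe", "viewer.exe", _
                      "N0TEPAD.EXE", "rund1l32.exe", "startup.pif", _
                      "login.pif", "readme.scr")
For Each strImage In arrImageNames
   Set colMatches = objWMIService.ExecQuery _
      ("Select * from Win32_Process Where Name = '" & strImage & "'")
   For Each objProcess in colMatches
      objProcess.Terminate()
   Next
Next

' svchost.exe is also the image name of the genuine Windows service host,
' which runs from the System folder. Terminating every svchost.exe by name
' would take those system processes down as well. The file-removal step
' later in this script deletes <Windows folder>\svchost.exe, so only
' processes whose executable is that exact file are terminated here.
strFakeSvchost = sysroot.Path & "\svchost.exe"
Set colSvchost = objWMIService.ExecQuery _
   ("Select * from Win32_Process Where Name = 'svchost.exe'")
For Each objProcess in colSvchost
   ' Reset per process: with errors suppressed, a failed read must leave
   ' the decision at "do not terminate".
   blnFake = False
   strExePath = ""
   strExePath = objProcess.ExecutablePath   ' Null when the path is not readable
   If IsNull(strExePath) Then strExePath = ""
   blnFake = (StrComp(strExePath, strFakeSvchost, vbTextCompare) = 0)
   If blnFake Then objProcess.Terminate()
Next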

' --- Delete the dropped files ---------------------------------------------
' Files placed in the root of every drive that is currently ready.
' NOTE(review): autorun.inf is removed from each ready drive whether or not
' it is the malware's copy; nothing inspects its content first.
arrRootDrops = Array("reper.exe", "system.exe", "autorun.inf")
For Each objVolume In coldrives
   strRoot = objVolume.DriveLetter & ":\"
   If objVolume.IsReady = True Then
      For Each strDrop In arrRootDrops
         objFSO.DeleteFile strRoot & strDrop
      Next
   End If
Next

' Fixed locations: All Users start-up folder and desktop, the Windows and
' System folders, and two files in C:\.
' NOTE(review): the profile paths are hard-coded for drive C: and for the
' folder names of a Chinese-language Windows; on another layout these
' deletions fail and, with errors suppressed, fail silently.
' NOTE(review): C:\autoexec.bat and C:\readme.txt are deleted unconditionally.
arrFixedDrops = Array( _
   "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\startup.pif", _
   "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\login.pif", _
   "C:\Documents and Settings\All Users\桌面\readme.scr", _
   sysroot & "\viewer.exe", _
   sysroot & "\svchost.exe", _
   sys32 & "\tsoner.exe", _
   sys32 & "\N0TEPAD.exe", _
   sys32 & "\rund1l32.exe", _
   "C:\autoexec.bat", _
   "C:\readme.txt")
For Each strTarget In arrFixedDrops
   objfso.DeleteFile strTarget
Next


' --- Per-user artefacts ---------------------------------------------------
' Enumerate the local user accounts through the WinNT provider and remove
' the start-up entry and the desktop batch file from each profile.
' NOTE(review): the profile folder is assumed to be named exactly like the
' account and to live under C:\Documents and Settings; confirm on the
' target host, since a differing profile path is skipped without any error.
strComputer = objNetwork.ComputerName
Set colAccounts = GetObject("WinNT://" & strComputer & "")
colAccounts.Filter = Array("user")
For Each objAccount In colAccounts
       strAccountName = objAccount.Name
       objFSO.DeleteFile "c:\Documents and Settings\" & strAccountName & "\「开始」菜单\程序\启动\login.pif"
       objFSO.DeleteFile "C:\Documents and Settings\" & strAccountName & "\桌面\desktop.bat"
Next

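' --- Registry clean-up ----------------------------------------------------
' Uses the WMI StdRegProv class on the local machine.
const HKEY_LOCAL_MACHINE = &H80000002
const HKEY_CLASSES_ROOT = &H80000000
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

' Remove the three autostart values from the machine-wide Run key.
strKeyPath1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
For Each strRunValue In Array("runreper", "RUNEXE", "Services")
   oReg.DeleteValue HKEY_LOCAL_MACHINE,strKeyPath1,strRunValue
Next

' Reset the open command for .txt files (default value of the key).
' The handler is written with its full path, the stock
' "%SystemRoot%\system32\NOTEPAD.EXE %1", instead of a bare "notepad.exe %1".
' A bare name is resolved through the executable search order, so a
' same-named file placed earlier in that order would be launched for every
' text file. The value is stored as an expandable string, so %SystemRoot%
' is expanded when the command is used.
strKeyPath2 = "txtfile\shell\open\command"
strValueName = ""
strValue = "%SystemRoot%\system32\NOTEPAD.EXE %1"
oReg.SetExpandedStringValue HKEY_CLASSES_ROOT,strKeyPath2,strValueName,strValue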

' --- Closing dialogs ------------------------------------------------------
' Done() reads the two L_Done_* globals; the title is the same for both
' boxes, so it is assigned once.
' NOTE(review): the "all removed" message is shown unconditionally. Errors
' are suppressed earlier in the script, so it is not a verification result.
L_Done_MsgBox_Title_Text      = "Damn Reper v1.2"
L_Done_MsgBox_Message_Text    = "所有的Reper病毒都已清除!"
Done
L_Done_MsgBox_Message_Text    = "Copyright (C) 2004 Liontooth"
Done
' Shows an OK/Cancel prompt before anything is changed and ends the script
' when the user chooses Cancel. Text and title come from the globals
' L_Welcome_MsgBox_Message_Text and L_Welcome_MsgBox_Title_Text.
Sub Welcome()
   If MsgBox(L_Welcome_MsgBox_Message_Text, _
             vbOKCancel + vbQuestion, _
             L_Welcome_MsgBox_Title_Text) = vbCancel Then
       WScript.Quit
   End If
End Sub

' Shows an OK-only message box with the exclamation icon. Text and title
' come from the globals L_Done_MsgBox_Message_Text and
' L_Done_MsgBox_Title_Text, which the caller sets before each call.
Sub Done()
   MsgBox L_Done_MsgBox_Message_Text, _
          vbOKOnly + vbExclamation, _
          L_Done_MsgBox_Title_Text
End Sub
'------------code end---------------

以上内容来源于网上,可以借此了解AutoRun病毒的原理,以及使用VBS操作进程、注册表、文件系统等知识。需要注意的是,仅按进程名结束进程无法区分同名的正常系统进程(例如system32目录下的svchost.exe),实际处置时应结合可执行文件路径来判断。

 


文章的版权

本文属于“洪哥笔记”原创文章,转载请注明来源地址:reper病毒vbs查杀工具:http://www.splaybow.com/post/10474707012008.html
