这个病毒是我们学校一个无聊的家伙改的别人的代码写出来的,瑞星把它定名成:"推销员变种b(Trojan.Reper.b)"。没劲,分析得很不透彻,我早就用VBS写了一个专杀,出了三个版本了。现在把代码放上来吧,也算是我的头一个原创了......
源代码:
' ----------------------------------------------------------
' Damn Reper v1.2 (For Windows 2000/2003/XP)
' Code by (C) Liontooth 13/12/2004
' Despise the author of "reper"!
' ----------------------------------------------------------
' Ask for confirmation first; Welcome() quits the script if the user cancels.
L_Welcome_MsgBox_Title_Text = "Damn Reper v1.2"
L_Welcome_MsgBox_Message_Text = "是否运行Reper专杀工具?"
Welcome

' From this point every runtime error is ignored, so a failed kill, delete or
' registry write further down does not stop the script and is not reported.
On Error Resume Next

' WMI connection to the local machine ("."), used to enumerate and end processes.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Helper objects shared by the rest of the script.
Set objNetwork = CreateObject("Wscript.Network")
Set objfso = CreateObject("Scripting.FileSystemObject")
Set coldrives = objfso.Drives
Set sysroot = objfso.GetSpecialFolder(0)   ' 0 = Windows folder
Set sys32 = objfso.GetSpecialFolder(1)     ' 1 = System folder
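' End every running process whose image name matches one of the trojan's
' known file names, so the files can be deleted afterwards.
arrReperImages = Array("reper.exe", "system.exe", "tsoner.exe", "viewer.exe", _
    "N0TEPAD.EXE", "rund1l32.exe", "svchost.exe", "startup.pif", _
    "login.pif", "readme.scr")

' "svchost.exe" is also the name of the genuine Windows service host, which
' runs from the System folder; the copy this script later deletes sits in the
' Windows folder. Matching on the name alone would end the operating system's
' own service hosts, so svchost.exe instances are compared by full path.
strGenuineSvchost = ""
strGenuineSvchost = sys32 & "\svchost.exe"

For Each strImage In arrReperImages
    Set colProcessList = objWMIService.ExecQuery( _
        "Select * from Win32_Process Where Name = '" & strImage & "'")
    For Each objProcess In colProcessList
        blnTerminate = True
        If StrComp(strImage, "svchost.exe", vbTextCompare) = 0 Then
            ' Default to leaving the process alone: it is ended only when its
            ' path is known and is not the System-folder binary.
            blnTerminate = False
            strExePath = Null
            strExePath = objProcess.ExecutablePath
            If Not IsNull(strExePath) Then
                If Len(strExePath) > 0 And Len(strGenuineSvchost) > 0 Then
                    ' Ends-with comparison, so a device prefix in front of the
                    ' drive letter does not defeat the match.
                    blnTerminate = (StrComp(Right(strExePath, Len(strGenuineSvchost)), _
                        strGenuineSvchost, vbTextCompare) <> 0)
                End If
            End If
        End If
        If blnTerminate Then objProcess.Terminate
    Next
Next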
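' Remove the files the trojan places in the root of each drive. One pass over
' the drives handles all three names.
' The second argument (force = True) lets DeleteFile remove read-only files;
' without it such a file stays in place and, because errors are ignored, the
' failure goes unnoticed.
' NOTE(review): autorun.inf is deleted from every ready drive without looking
' at its contents, so a legitimate autorun.inf on a writable drive is removed
' as well - confirm that is acceptable before running on shared media.
For Each objDrive In coldrives
    If objDrive.IsReady = True Then
        strRoot = objDrive.DriveLetter & ":\"
        For Each strName In Array("reper.exe", "system.exe", "autorun.inf")
            objfso.DeleteFile strRoot & strName, True
        Next
    End If
Next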
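' Delete the trojan's files from the shared Startup folder and desktop, the
' Windows and System folders, the root of C:, and each local user's profile.
' DeleteFile is called with force = True so read-only copies are removed too.

' The original literal paths only exist on a Chinese-language install with
' profiles on C:. They are kept as the fallback; when the shell reports the
' real locations of the All Users folders, those are used instead.
strAllStartup = "C:\Documents and Settings\All Users\「开始」菜单\程序\启动"
strAllDesktop = "C:\Documents and Settings\All Users\桌面"
Set objShell = CreateObject("WScript.Shell")
strReported = ""
strReported = objShell.SpecialFolders("AllUsersStartup")
If Len(strReported) > 0 Then strAllStartup = strReported
strReported = ""
strReported = objShell.SpecialFolders("AllUsersDesktop")
If Len(strReported) > 0 Then strAllDesktop = strReported

objfso.DeleteFile strAllStartup & "\startup.pif", True
objfso.DeleteFile strAllStartup & "\login.pif", True
objfso.DeleteFile strAllDesktop & "\readme.scr", True

' Look-alike binaries in the Windows folder and the System folder.
objfso.DeleteFile sysroot & "\viewer.exe", True
objfso.DeleteFile sysroot & "\svchost.exe", True
objfso.DeleteFile sys32 & "\tsoner.exe", True
objfso.DeleteFile sys32 & "\N0TEPAD.exe", True
objfso.DeleteFile sys32 & "\rund1l32.exe", True

' NOTE(review): these two names are generic and are deleted unconditionally;
' a file of the same name that the user created is lost as well.
objfso.DeleteFile "C:\autoexec.bat", True
objfso.DeleteFile "C:\readme.txt", True

' Per-user locations: profiles root plus the same relative folder names the
' All Users profile uses.
' NOTE(review): assumes each profile folder is named after the account and
' uses the same folder names as All Users - confirm on the target system.
strAllUsersProfile = objfso.GetParentFolderName(strAllDesktop)
strProfilesRoot = objfso.GetParentFolderName(strAllUsersProfile)
strDesktopRel = Mid(strAllDesktop, Len(strAllUsersProfile) + 1)
strStartupRel = "\「开始」菜单\程序\启动"
If StrComp(Left(strAllStartup, Len(strAllUsersProfile) + 1), _
        strAllUsersProfile & "\", vbTextCompare) = 0 Then
    strStartupRel = Mid(strAllStartup, Len(strAllUsersProfile) + 1)
End If

' Enumerate the local user accounts through the WinNT provider.
strComputer = objNetwork.ComputerName
Set colAccounts = GetObject("WinNT://" & strComputer & "")
colAccounts.Filter = Array("user")
For Each objUser In colAccounts
    strProfile = strProfilesRoot & "\" & objUser.Name
    objfso.DeleteFile strProfile & strStartupRel & "\login.pif", True
    objfso.DeleteFile strProfile & strDesktopRel & "\desktop.bat", True
Next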
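' Registry clean-up through the WMI StdRegProv provider on the local machine.
Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_CLASSES_ROOT = &H80000000
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' Remove the trojan's autostart values from the machine-wide Run key.
' NOTE(review): "RUNEXE" and "Services" are generic value names and are
' deleted without checking what they point to - verify no legitimate entry
' on the target system uses them.
strKeyPath1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
For Each strStaleValue In Array("runreper", "RUNEXE", "Services")
    oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath1, strStaleValue
Next

' Restore the handler for opening .txt files (default value of the key).
' The handler is written with a full path under %SystemRoot%\system32 rather
' than a bare "notepad.exe": a bare name is resolved through the search path,
' which is exactly where look-alike binaries get picked up. The value is
' stored as an expandable string, so %SystemRoot% is resolved at use.
strKeyPath2 = "txtfile\shell\open\command"
strValueName = ""
strValue = "%SystemRoot%\system32\NOTEPAD.EXE %1"
oReg.SetExpandedStringValue HKEY_CLASSES_ROOT, strKeyPath2, strValueName, strValue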
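' Errors are ignored throughout the script, so success cannot be assumed.
' Before reporting, check whether any of the known files is still on disk
' and list the ones that are.
strLeftover = ""
For Each strPath In Array(sysroot & "\viewer.exe", sysroot & "\svchost.exe", _
        sys32 & "\tsoner.exe", sys32 & "\N0TEPAD.exe", sys32 & "\rund1l32.exe")
    If objfso.FileExists(strPath) Then strLeftover = strLeftover & vbCrLf & strPath
Next
For Each objDrive In coldrives
    If objDrive.IsReady = True Then
        For Each strName In Array("reper.exe", "system.exe")
            strPath = objDrive.DriveLetter & ":\" & strName
            If objfso.FileExists(strPath) Then strLeftover = strLeftover & vbCrLf & strPath
        Next
    End If
Next

If Len(strLeftover) = 0 Then
    L_Done_MsgBox_Message_Text = "所有的Reper病毒都已清除!"
Else
    L_Done_MsgBox_Message_Text = "以下文件未能删除,请手动检查:" & strLeftover
End If
L_Done_MsgBox_Title_Text = "Damn Reper v1.2"
Call Done()

' Second dialog: copyright notice.
L_Done_MsgBox_Message_Text = "Copyright (C) 2004 Liontooth"
L_Done_MsgBox_Title_Text = "Damn Reper v1.2"
Call Done()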
Sub Welcome()
    ' Shows an OK/Cancel question box built from the L_Welcome_* globals and
    ' ends the script when the user chooses Cancel.
    If MsgBox(L_Welcome_MsgBox_Message_Text, vbOKCancel + vbQuestion, _
            L_Welcome_MsgBox_Title_Text) = vbCancel Then
        WScript.Quit
    End If
End Sub
Sub Done()
    ' Shows an OK-only box with the exclamation icon, using whatever text the
    ' caller has placed in the L_Done_* globals. The button result is unused.
    MsgBox L_Done_MsgBox_Message_Text, vbOKOnly + vbExclamation, L_Done_MsgBox_Title_Text
End Sub
'------------code end---------------
以上内容来源于网上,可以借此了解AutoRun病毒的原理,以及如何使用VBS操作进程、注册表和文件系统。