The code is very simple, and I don't know much;
I still have a lot to learn from everyone.
@Echo Off
color 0a
title logo1_.exe Virus Immunity Tool (Biner)
TASKKILL /F /IM logo1_.exe
TASKKILL /F /IM rundl132.exe
:0
cls
@echo off
color 0a
echo.
echo.
echo   1. logo1_exe Virus Immunity         2. logo1_exe Virus Trivia
echo.
echo.
echo   3. Remove logo1_exe Virus Immunity  4. Clear All _desktop.ini Files
echo (DOS Empire Community: 2097500)
Set /P Choice= Please enter your choice:
Echo.
If '%Choice%'=='' goto 0
If /I '%Choice%'=='1' GOTO 1
If /I '%Choice%'=='2' GOTO 2
If /I '%Choice%'=='3' GOTO 3
If /I '%Choice%'=='4' GOTO cb
Goto 0
:1
cls
color 05
If Exist %windir%\logo1_.exe Del /F /S /Q %windir%\logo1_.exe>nul 2>nul
rem Occupy the file name with a directory so the virus cannot drop its file there
md "%windir%\logo1_.exe\">nul 2>nul
rem A subfolder whose name ends in ".." cannot be removed by normal tools, so the placeholder survives
md "%windir%\logo1_.exe\Forbidding logo1 to Create Virus..\">nul 2>nul
attrib +s +h +r "%windir%\logo1_.exe">nul 2>nul
If Exist %windir%\rundl132.exe Del /F /S /Q %windir%\rundl132.exe>nul 2>nul
md "%windir%\rundl132.exe\">nul 2>nul
md "%windir%\rundl132.exe\Forbidding rundl132 to Create Virus..\">nul 2>nul
attrib +s +h +r "%windir%\rundl132.exe">nul 2>nul
cls
Echo.
echo Congratulations! logo1_.exe virus immunity is successful!
echo.
echo.
echo.
echo You will see folders named logo1_.exe and rundl132.exe in the Windows folder.
echo Please do not delete them (in fact, they cannot be deleted)!
ping 127.1 -n 5 >nul
del /f /s /q "%Temp%\*.bat"
goto 0
:2
cls
echo This virus is a compound virus integrated with executable file infection, network infection, downloading trojans, backdoor programs or other viruses under the Windows platform. After the virus runs, it disguises itself as a normal system file to confuse users. It modifies the registry items so that the virus can run automatically when the computer starts. At the same time, the virus bypasses the monitoring of the firewall through thread injection technology, connects to the website specified by the virus author to download specific trojans or other viruses. At the same time, after the virus runs, it enumerates all available shares in the internal network and tries to attack other machines through weak passwords, thereby infecting the target computer.>>logo.txt
echo During the running process, it infects the executable files on the user's machine, causing the user's machine to run slowly, destroying the executable files on the user's machine, and posing a threat to the user's security.>>logo.txt
echo The virus is mainly spread through shared directories, file bundling, running infected virus programs, virus-carrying email attachments and other methods.>>logo.txt
echo 1. After the virus runs, it copies itself to the Windows folder, and the file name is:>>logo.txt
echo %Windir%\rundl132.exe>>logo.txt
echo 2. After running the infected file, the virus copies the virus body to the following file:>>logo.txt
echo %Windir%\logo_1.exe>>logo.txt
echo 3. At the same time, the virus will generate in the virus folder:>>logo.txt
echo %Current Virus Directory%\vidll.dll>>logo.txt
echo 4. The virus searches for all exe files in all available partitions starting from drive Z, and then infects all executable files with a size of 27kb-10mb. After infection, it generates in the infected folder:>>logo.txt
echo _desktop.ini (file attributes: system, hidden.)>>logo.txt
echo 5. The virus will try to modify the %SysRoot%\system32\drivers\etc\hosts file.>>logo.txt
echo 6. The virus makes itself start automatically at boot by adding the following registry items:>>logo.txt
echo >>logo.txt
echo "load"="%Windir%\rundl132.exe">>logo.txt
echo >>logo.txt
echo "load"="%Windir%\rundl132.exe">>logo.txt
echo 7. When the virus runs, it looks for a window named "RavMonClass" and, once found, sends it a message to close the program.>>logo.txt
echo 8. Enumerate the following anti-virus software process names, and terminate their processes after finding them:>>logo.txt
echo Ravmon.exe>>logo.txt
echo Eghost.exe>>logo.txt
echo Mailmon.exe>>logo.txt
echo KAVPFW.EXE>>logo.txt
echo IPARMOR.EXE>>logo.txt
echo Ravmond.exe>>logo.txt
echo regsvc.exe>>logo.txt
echo RavMon.exe>>logo.txt
echo mcshield.exe>>logo.txt
echo 9. At the same time, the virus tries to terminate the relevant anti-virus software using the following commands:>>logo.txt
echo net stop "Kingsoft AntiVirus Service">>logo.txt
echo 10. Sends the ICMP probe data "Hello,World" to judge the network status; when the network is available,>>logo.txt
echo it enumerates all hosts with shares on the internal network and tries to connect to shared directories such as \\IPC$ and \admin$ with weak passwords; after a successful connection it infects over the network.>>logo.txt
echo 11. Infect the exe files on the user's machine, but do not infect the files in the following folders:>>logo.txt
echo system>>logo.txt
echo system32>>logo.txt
echo windows>>logo.txt
echo Documents and settings>>logo.txt
echo system Volume Information>>logo.txt
echo Recycled>>logo.txt
echo winnt>>logo.txt
echo Program Files>>logo.txt
echo Windows NT>>logo.txt
echo WindowsUpdate>>logo.txt
echo Windows Media Player>>logo.txt
echo Outlook Express>>logo.txt
echo Internet Explorer>>logo.txt
echo ComPlus Applications>>logo.txt
echo NetMeeting>>logo.txt
echo Common Files>>logo.txt
echo Messenger>>logo.txt
echo Microsoft Office>>logo.txt
echo InstallShield Installation Information>>logo.txt
echo MSN>>logo.txt
echo Microsoft Frontpage>>logo.txt
echo Movie Maker>>logo.txt
echo MSN Gaming Zone>>logo.txt
echo 12. Enumerate system processes, and try to selectively inject the virus dll (vidll.dll) into the processes corresponding to the following process names:>>logo.txt
echo Explorer >>logo.txt
echo Iexplore>>logo.txt
echo After finding a matching process, it randomly injects into one of the above two processes.>>logo.txt
echo 13. When the external network is available, the injected dll file tries to connect to the following websites to download and run relevant programs:>>logo.txt
echo http://www.flysky168.com/han/xz/11.exe>>logo.txt
echo http://www.flysky168.com/han/xz/22.exe>>logo.txt
echo http://www.flysky168.com/han/xz/33.exe>>logo.txt
echo http://www.flysky168.com/han/xz/44.exe>>logo.txt
echo http://www.flysky168.com/han/xz/55.exe>>logo.txt
echo http://www.flysky168.com/han/xz/66.exe>>logo.txt
echo 14. After the virus is downloaded successfully, write the following registry items:>>logo.txt
echo >>logo.txt
echo "auto"="1">>logo.txt
notepad logo.txt
del logo.txt
goto 0
:3
cls
color 04
echo.
echo.
echo.
echo Removing the immunity brings a risk of infection by the logo1_.exe virus!!!!!
echo.
echo.
Set /P Choice= If you want to continue the operation, please choose:
If /I '%Choice%'=='Y' GOTO Y
If /I '%Choice%'=='N' GOTO 0
PAUSE >NUL
rem Any other input returns to the prompt instead of falling through into the removal
goto 3
:Y
If Exist %windir%\logo1_.exe Del /F /S /Q %windir%\logo1_.exe>nul 2>nul
attrib -s -h -r "%windir%\logo1_.exe">nul 2>nul
rem Remove the ".."-named subfolder first (the trailing backslash lets rd address it), then the placeholder itself
rd "%windir%\logo1_.exe\Forbidding logo1 to Create Virus..\">nul 2>nul
rd "%windir%\logo1_.exe">nul 2>nul
If Exist %windir%\rundl132.exe Del /F /S /Q %windir%\rundl132.exe>nul 2>nul
attrib -s -h -r "%windir%\rundl132.exe">nul 2>nul
rd "%windir%\rundl132.exe\Forbidding rundl132 to Create Virus..\">nul 2>nul
rd "%windir%\rundl132.exe">nul 2>nul
cls
Echo.
echo.
echo.
echo.
echo Congratulations! logo1_.exe virus immunity removal is successful!
ping 127.1 -n 3 >nul
goto 0
:cb
cls
@echo off
color 06
echo.
echo.
echo.
echo.
echo Scanning for _desktop.ini files...
if exist "%tmp%\note.txt" del /a "%tmp%\note.txt" >nul 2>nul
set num=0
rem Walk every drive letter; the virus writes the marker file into each folder it infected
for %%i in (c d e f g h i j k l m n o p q r s t u v w x y z) do (
if exist %%i:\ (
rem /a-d also lists hidden and system files, which is how the marker is attributed
for /f "tokens=*" %%a in ('dir /s /a-d /b %%i:\_desktop.ini 2^>nul') do (
echo %%a>>"%tmp%\note.txt"
set /a num+=1
del /q /a /f "%%a"
)
)
)
cls
echo Total files deleted: %num%
if not "%num%"=="0" start "" "%tmp%\note.txt"
echo Congratulations! All _desktop.ini files have been deleted!
ping 127.1 -n 3 >nul
goto 0
Welcome to join the DOS Empire Community: 2097500
Last edited by chengbiner on 2006-12-4 at 02:43 AM
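As an added example that is not part of chengbiner's post or the DOS Empire tool: option 4 of the batch script deletes every `_desktop.ini` it can find, which removes the evidence before anyone has looked at what was infected. The Python script below uses only what the post states about the virus (a `_desktop.ini` marker per infected folder, infected `.exe` files of 27 KB to 10 MB, and the "immunity" placeholder directories in the Windows folder) to triage instead: it reports each marked folder with the in-range executables a responder should check, and tells whether each placeholder is a directory (immunized), a real file (a sign of infection) or absent. The function names, the sample directory tree and the fake Windows folder are constructed for this example; on a real machine you would point `scan_tree` at a drive root and `immunity_status` at `%windir%`.

```python
"""Triage scan for logo1_/rundl132 infection markers.

Added example, not part of the original forum post or the DOS Empire tool.
It reuses what the post states about the virus: an infected folder gets a
_desktop.ini marker, the virus infects .exe files of 27 KB to 10 MB, and the
"immunity" trick turns %windir%\\logo1_.exe and %windir%\\rundl132.exe into
placeholder directories.  Unlike option 4 of the batch tool, nothing is
deleted: the scan reports what it finds so a responder can inspect the
executables before cleaning.  Function names and the sample tree are
constructed for this example.
"""
import os
import tempfile
from pathlib import Path

MARKER = "_desktop.ini"          # marker the post says the virus drops per folder
MIN_SIZE = 27 * 1024             # 27 KB lower bound quoted by the post
MAX_SIZE = 10 * 1024 * 1024      # 10 MB upper bound quoted by the post
DROPPED_NAMES = ("logo1_.exe", "rundl132.exe")


def scan_tree(root):
    """Map each folder under root that holds the marker to the .exe files in
    that folder whose size falls in the range the virus targets."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if not any(f.lower() == MARKER for f in files):
            continue
        candidates = []
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            size = os.path.getsize(os.path.join(dirpath, name))
            if MIN_SIZE <= size <= MAX_SIZE:
                candidates.append(os.path.join(dirpath, name))
        findings[dirpath] = sorted(candidates)
    return findings


def immunity_status(windir):
    """For each name the virus drops into the Windows folder, report whether
    the placeholder directory is in place, a real file sits there (a sign of
    infection), or nothing exists."""
    status = {}
    for name in DROPPED_NAMES:
        p = Path(windir, name)
        if p.is_dir():
            status[name] = "immunized"
        elif p.is_file():
            status[name] = "infected"
        else:
            status[name] = "absent"
    return status


def build_sample_tree(base):
    """Construct a fake layout: one marked folder with a 40 KB and a 200-byte
    .exe, one clean folder, and a fake Windows folder that is immunized for
    logo1_.exe but has a real rundl132.exe file."""
    marked = Path(base, "share", "tools")
    marked.mkdir(parents=True)
    (marked / MARKER).write_text("[.ShellClassInfo]\n")
    (marked / "app.exe").write_bytes(b"MZ" + b"\0" * (40 * 1024))
    (marked / "tiny.exe").write_bytes(b"MZ" + b"\0" * 200)
    clean = Path(base, "share", "docs")
    clean.mkdir()
    (clean / "readme.txt").write_text("nothing to see\n")
    windir = Path(base, "WINDOWS")
    (windir / "logo1_.exe").mkdir(parents=True)
    (windir / "rundl132.exe").write_bytes(b"MZ")
    return Path(base, "share"), windir


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the results
    with paths relative to the scan root so they are stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        root, windir = build_sample_tree(tmp)
        findings = scan_tree(root)
        marked = {
            os.path.relpath(d, root): [os.path.basename(p) for p in exes]
            for d, exes in findings.items()
        }
        return marked, immunity_status(windir)


if __name__ == "__main__":
    marked, status = run_demo()
    for folder, exes in marked.items():
        print(f"marker in {folder}: inspect {exes or 'no'} in-range executables")
    for name, state in status.items():
        print(f"{name}: {state}")
```

The size filter is only a first cut: the post says the virus infects executables in that range, so a small or very large `.exe` next to a marker is less likely to have been touched, but any file in a marked folder still deserves a hash check against a known-good copy before it is trusted again.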