这个病毒是我们学校一个无聊的家伙改的别人的代码写出来的,瑞星把它定名成:"推销员变种b(Trojan.Reper.b)"。没劲,分析得很不透彻,我早就用VBS写了一个专杀,出了三个版本了。现在把代码放上来吧,也算是我的头一个原创了......

' ----------------------------------------------------------
'          Damn Reper v1.2 (For Windows 2000/2003/XP)
'              Code by (C) Liontooth 13/12/2004
'               Despise the author of "reper"!
' ----------------------------------------------------------

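' Ask for confirmation, create the shared helper objects, then stop the
' processes that belong to the Reper family so their files can be deleted later.
L_Welcome_MsgBox_Message_Text    = "是否运行Reper专杀工具?"
L_Welcome_MsgBox_Title_Text      = "Damn Reper v1.2"
Call Welcome()

' From here on every runtime error is skipped silently. The rest of the script
' relies on this (most DeleteFile calls target files that do not exist), but it
' also means a failed step is never reported.
On Error Resume Next

' Objects and folders reused by the later sections of the script.
Set objfso = CreateObject("Scripting.FileSystemObject")
Set objNetwork = CreateObject("Wscript.Network")
Set sysroot = objfso.GetSpecialFolder(0)   ' Windows folder
Set sys32 = objfso.GetSpecialFolder(1)     ' System folder
Set coldrives = objfso.Drives

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Image names that no stock Windows component uses; these are terminated by
' name alone, exactly as before.
arrReperImages = Array("reper.exe", "system.exe", "tsoner.exe", "viewer.exe", _
    "N0TEPAD.EXE", "rund1l32.exe", "startup.pif", "login.pif", "readme.scr")

For Each strImage In arrReperImages
    Set colProcessList = objWMIService.ExecQuery _
        ("Select * from Win32_Process Where Name = '" & strImage & "'")
    For Each objProcess In colProcessList
        objProcess.Terminate()
    Next
Next

' svchost.exe is also the name of the genuine Windows service host in the
' System folder. Terminating by name alone would hit those processes too, so
' only the copy running from the Windows folder is stopped. That is the file
' this script deletes later (sysroot & "\svchost.exe").
strFakeSvchost = LCase(sysroot.Path & "\svchost.exe")
Set colProcessList = objWMIService.ExecQuery _
    ("Select * from Win32_Process Where Name = 'svchost.exe'")
For Each objProcess In colProcessList
    ' Reset per iteration: under On Error Resume Next a failed read would
    ' otherwise leave the previous process's values in place.
    strImagePath = ""
    blnIsFake = False
    strImagePath = objProcess.ExecutablePath   ' Null when the path is not readable
    ' The comparison is stored in a variable first because an error raised
    ' inside an If condition would fall through into the Then branch.
    If VarType(strImagePath) = vbString Then blnIsFake = (LCase(strImagePath) = strFakeSvchost)
    If blnIsFake Then objProcess.Terminate()
Next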

' Delete the files the script attributes to Reper. Errors (for example "file
' not found") are skipped by the On Error Resume Next set earlier in the script.

' Root of every drive that is ready: the two executables and autorun.inf.
For Each objdrive In coldrives
    If objdrive.IsReady Then
        strRoot = objdrive.DriveLetter & ":\"
        For Each strDropped In Array("reper.exe", "system.exe", "autorun.inf")
            objFSO.DeleteFile strRoot & strDropped
        Next
    End If
Next

' Fixed locations. The profile paths are hard-coded for a Chinese-language
' Windows 2000/XP layout on drive C:.
' NOTE(review): C:\autoexec.bat and C:\readme.txt are removed unconditionally,
' without checking their content. Confirm both are always malware-written on an
' affected machine before reusing this list.
arrFixedTargets = Array( _
    "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\startup.pif", _
    "C:\Documents and Settings\All Users\「开始」菜单\程序\启动\login.pif", _
    "C:\Documents and Settings\All Users\桌面\readme.scr", _
    sysroot & "\viewer.exe", _
    sysroot & "\svchost.exe", _
    sys32 & "\tsoner.exe", _
    sys32 & "\N0TEPAD.exe", _
    sys32 & "\rund1l32.exe", _
    "C:\autoexec.bat", _
    "C:\readme.txt")

For Each strTarget In arrFixedTargets
    objfso.DeleteFile strTarget
Next

' Walk the local user accounts and remove the per-user startup entry and
' desktop batch file from each profile.
strComputer = objNetwork.ComputerName
Set colAccounts = GetObject("WinNT://" & strComputer & "")
colAccounts.Filter = Array("user")

For Each objUser In colAccounts
    ' NOTE(review): this assumes the profile folder is named exactly like the
    ' account and lives under C:\Documents and Settings. Profiles with a
    ' different folder name are not cleaned.
    objFSO.DeleteFile "c:\Documents and Settings\" & objUser.Name & "\「开始」菜单\程序\启动\login.pif"
    objFSO.DeleteFile "C:\Documents and Settings\" & objUser.Name & "\桌面\desktop.bat"
Next

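' Registry clean-up through the WMI StdRegProv provider: drop the autostart
' values under HKLM\...\Run and restore the "open" command for .txt files.
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' Autostart values removed from the Run key.
strKeyPath1 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strStringValueName1 = "runreper"
strStringValueName2 = "RUNEXE"
strStringValueName3 = "Services"
For Each strRunValue In Array(strStringValueName1, strStringValueName2, strStringValueName3)
    oReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath1, strRunValue
Next

' Reset the default value of txtfile\shell\open\command (presumably redirected
' by the malware, since the script restores it).
' The command is written with its full path: a bare "notepad.exe %1" is looked
' up through the executable search order every time a .txt file is opened, so a
' same-named file planted earlier in that order would run instead.
' SetExpandedStringValue stores REG_EXPAND_SZ, so %SystemRoot% is expanded when
' the value is used.
Const HKEY_CLASSES_ROOT = &H80000000
strKeyPath2 = "txtfile\shell\open\command"
strValueName = ""
strValue = "%SystemRoot%\system32\NOTEPAD.EXE %1"
oReg.SetExpandedStringValue HKEY_CLASSES_ROOT, strKeyPath2, strValueName, strValue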

' Final dialogs: a completion message followed by a copyright notice. Both go
' through Done(), which reads the two L_Done_* globals.
' NOTE(review): the completion message is shown unconditionally. Nothing in the
' script checks whether the earlier terminate/delete/registry steps succeeded,
' and their errors are suppressed by On Error Resume Next.
L_Done_MsgBox_Title_Text      = "Damn Reper v1.2"
L_Done_MsgBox_Message_Text    = "所有的Reper病毒都已清除!"
Done

L_Done_MsgBox_Title_Text      = "Damn Reper v1.2"
L_Done_MsgBox_Message_Text    = "Copyright (C) 2004 Liontooth"
Done

' Shows the OK/Cancel start-up prompt built from the L_Welcome_* globals and
' ends the script when the user picks Cancel.
Sub Welcome()
    Dim intChoice

    intChoice = MsgBox(L_Welcome_MsgBox_Message_Text, _
                       vbOKCancel + vbQuestion, _
                       L_Welcome_MsgBox_Title_Text)
    If intChoice <> vbCancel Then Exit Sub

    WScript.Quit
End Sub

' Shows an OK-only dialog with the exclamation icon, using whatever text and
' title the caller has placed in the L_Done_* globals.
Sub Done()
    MsgBox L_Done_MsgBox_Message_Text, _
           vbOKOnly + vbExclamation, _
           L_Done_MsgBox_Title_Text
End Sub
'------------code end---------------

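以上内容来源于网上,可以以此理解AutoRun病毒的原理,以及使用VBS操作进程、注册表、文件系统等知识。需要注意:仅按进程名结束进程、按固定路径删除文件,都可能误伤同名的正常系统文件(例如 svchost.exe),实际使用前应核对完整路径;另外脚本全程使用 On Error Resume Next,结尾的"已清除"提示并不代表各步骤确实执行成功。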

03-15 07:08