HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced/ShowSuperHidden
Value: Type:REG_DWORD,Length:4,Data:0
HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL/CheckedValue
Value: Type:REG_DWORD,Length:4,Data:0
Other aspects:
Automatically copies itself to c:/WINDOWS/%username%.vbs and c:/WINDOWS/system32/%username%.vbs every so often, and reapplies the registry modifications above;
The entire VBS file is divided into several modules; on infection these modules are shuffled and recombined, and the module names also change;
If more than 2,000 files are infected, a dialog box pops up: "You have more than 2,000 files infected! But please don't worry, this virus is easily removed! Please contact 418465***-_-!"
Monitors the following processes and terminates any it finds: "ras.exe","360tray.exe","taskmgr.exe","cmd.exe","cmd.com","regedit.exe","regedit.scr","regedit.pif","regedit.com","msconfig.exe","SREng.exe","USBAntiVir.exe";
c:/WINDOWS/system32/%GetUserName%.ini records some data, including the infection date, for future comparison.
Conclusion:
My understanding of vbs can only end here. The rest is waiting for the analysis of vbs experts (some U comes out and checks out);
Also, I wonder if this thing will be named Virus.VBS.KillAV.a by Kaba, haha!
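A read-only triage check for the registry values and file paths listed in this post, as an added example that is not part of the original analysis. The function name Test-VbsWormIndicators and the Weight labels are hypothetical, and %GetUserName% is assumed to resolve to the logged-on user name.

```powershell
# Added example: read-only triage for the indicators listed in the post.
function Test-VbsWormIndicators {
    param(
        [string]$UserName = $env:USERNAME,   # assumption: %GetUserName% is the logged-on user
        [string]$WinDir   = $env:windir
    )
    $findings = @()

    # Registry values the post reports as set to 0.
    # CheckedValue = 0 breaks Explorer's "show hidden files" option (strong signal).
    # ShowSuperHidden = 0 is also the usual Windows default (weak on its own).
    $regChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
           Name = 'CheckedValue';    Weight = 'strong' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
           Name = 'ShowSuperHidden'; Weight = 'weak' }
    )
    foreach ($c in $regChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq 0) {
            $findings += [pscustomobject]@{
                Kind = 'Registry'; Weight = $c.Weight; Item = "$($c.Path)\$($c.Name) = 0"
            }
        }
    }

    # Dropped copies and the data file named in the post.
    # Run from a 64-bit shell so system32 is not redirected to SysWOW64.
    $files = @(
        (Join-Path $WinDir "${UserName}.vbs"),
        (Join-Path $WinDir "system32\${UserName}.vbs"),
        (Join-Path $WinDir "system32\${UserName}.ini")
    )
    foreach ($f in $files) {
        # .NET File.Exists also sees files with Hidden/System attributes set.
        if ([System.IO.File]::Exists($f)) {
            $info = Get-Item -LiteralPath $f -Force
            $findings += [pscustomobject]@{
                Kind = 'File'; Weight = 'strong'
                Item = "$f (attributes: $($info.Attributes), modified: $($info.LastWriteTime))"
            }
        }
    }
    return $findings
}

Test-VbsWormIndicators | Format-Table -AutoSize -Wrap
```

Because the post says the script ends taskmgr.exe, regedit.exe and cmd.exe, run this on a suspect machine from an offline or recovery session, or against a mounted image with -WinDir pointed at its Windows directory.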